Date: Fri, 15 Sep 2023 11:42:51 -0400
From: Ben Wolsieffer
To: Andrew Morton
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Greg Ungerer, Oleg Nesterov, Giulio Benetti
Subject: Re: [PATCH] proc: nommu: /proc/<pid>/maps: release mmap read lock

On Thu, Sep 14, 2023 at 01:30:08PM -0400, Ben Wolsieffer wrote:
> On Thu, Sep 14, 2023 at 10:02:03AM -0700, Andrew Morton wrote:
> > On Thu, 14 Sep 2023 12:30:20 -0400 Ben Wolsieffer wrote:
> >
> > > The no-MMU implementation of /proc/<pid>/map doesn't normally release
> > > the mmap read lock, because it uses !IS_ERR_OR_NULL(_vml) to determine
> > > whether to release the lock. Since _vml is NULL when the end of the
> > > mappings is reached, the lock is not released.
> > >
> >
> > Thanks. Is this bug demonstrable from userspace? If so, how?
>
> Yes, run "cat /proc/1/maps" twice. You should observe that the
> second run hangs.

Hi Andrew,

I apologize because I realized I provided an incorrect reproducer for
this bug. I responded from what I remembered of this bug (I originally
wrote the patch over a year ago) and did not test it.

Reading /proc/1/maps twice doesn't reproduce the bug because it only
takes the read lock, which can be taken multiple times and therefore
doesn't show any problem if the lock isn't released. Instead, you need
to perform some operation that attempts to take the write lock after
reading /proc/<pid>/maps.

To actually reproduce the bug, compile the following code as
'proc_maps_bug':

#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
	void *buf;

	/* Give the shell time to read /proc/<pid>/maps first. */
	sleep(1);
	/* mmap() must take the mmap write lock. */
	buf = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
		   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	puts("mmap returned");
	return 0;
}

Then, run:

  ./proc_maps_bug & cat /proc/$!/maps; fg

Without this patch, mmap() will hang and the command will never
complete.

Additionally, it turns out you cannot reproduce this bug on recent
kernels because 0c563f148043 ("proc: remove VMA rbtree use from nommu")
introduces a second bug that completely breaks /proc/<pid>/maps and
prevents the locking bug from being triggered. I will have a second
patch for that soon.

Thanks, Ben
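
The following is an added illustration, not code from this thread or from the kernel: a userspace model of the start/next/stop walk described above, showing why a leaked read lock lets later readers through but blocks a writer. The toy lock, the iterator struct and every function name are assumptions, and m_stop_fixed is one possible correction, not the patch under discussion.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy reader/writer lock standing in for the mmap lock (assumption). */
struct rwlock { int readers; bool writer; };
static bool try_read(struct rwlock *l) { if (l->writer) return false; l->readers++; return true; }
static bool try_write(struct rwlock *l) { if (l->readers || l->writer) return false; l->writer = true; return true; }
static void read_unlock(struct rwlock *l) { l->readers--; }

/* Hypothetical iterator state; `locked` records whether m_start took the lock. */
struct iter { struct rwlock *lock; const int *maps; size_t n, pos; bool locked; };

static const int *m_start(struct iter *it)
{
    it->locked = try_read(it->lock);
    it->pos = 0;
    return (it->locked && it->n) ? &it->maps[0] : NULL;
}

/* Buggy stop: the cursor is NULL after a complete walk, so the unlock is skipped. */
static void m_stop_buggy(struct iter *it, const int *v)
{
    if (v != NULL) read_unlock(it->lock);
}

/* Corrected stop: release whenever m_start took the lock, whatever the cursor is. */
static void m_stop_fixed(struct iter *it, const int *v)
{
    if (it->locked) { read_unlock(it->lock); it->locked = false; }
}

/* One complete read of the maps file; returns how many read holds remain. */
static int read_maps(struct rwlock *l, bool fixed)
{
    static const int maps[] = { 1, 2, 3 };   /* constructed sample mappings */
    struct iter it = { l, maps, 3, 0, false };
    const int *v = m_start(&it);
    while (v) v = (++it.pos < it.n) ? &maps[it.pos] : NULL;   /* the "next" step */
    if (fixed) m_stop_fixed(&it, v); else m_stop_buggy(&it, v);
    return l->readers;
}

/* Models the reproducer's mmap(): it needs the write lock after `reads` reads. */
static bool writer_can_proceed(int reads, bool fixed)
{
    struct rwlock l = { 0, false };
    while (reads-- > 0) read_maps(&l, fixed);
    return try_write(&l);
}
```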