| Message ID | 20230517150408.3411044-2-peterx@redhat.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp1213766vqo;
Wed, 17 May 2023 08:16:06 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ48oB0Ah+/fkwoG1LaTZf5TKH6Sr/b7EgaoBUpThVuBrnCPpDx+ge3ccFnH9pDJxUiRwWZU
X-Received: by 2002:a17:90a:b292:b0:24d:fb21:3d7c with SMTP id
c18-20020a17090ab29200b0024dfb213d7cmr40287545pjr.30.1684336565889;
Wed, 17 May 2023 08:16:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1684336565; cv=none;
d=google.com; s=arc-20160816;
b=AmXt71//ozjFlGrN26az1i2HPmxR5dhQV3wxnivuS/6Wcwb7B4u/8NTsBXFaiHavYd
ZS2X7qAabCLHsQ0Y7aza7gGnK+pVYYFSlHgFWhS/ImusYOPjrIJLBE45GRO4NcxsE4yc
M71Ib5mCCmtMp1LycinIXT444/Joj3k1k/evhWIMSfqX1E7POkTE+eMVh8h3ea6bW4Aw
QKtLIG7WEWYdibG7ExnVWHzQeyC72mL0jGw4XxVJJnboX1FLFeubzuUCjwzIOA0pl5af
3FeSU321angyhUZRr6xNZg6gK52jcFzLGcSgAKr7IeHXAn9qBLa63oaL53FIZQ04Lpzq
PV0g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:references:in-reply-to:message-id:date:subject:cc:to:from
:dkim-signature;
bh=5R80nbUZwWFiHdR78rMDNlvBGteEPIxCifWqkv+jAN8=;
b=HaRr2VysVRtVHt+rGQKM4e3kdIisd779PBbQpW9NRVl2qDoz4g9HyitXAYPZM3Tujg
EelnxURBTgdicu/o+LGDWELnhmkyrbi6ss5awbNTl+BlBSc5MeLVGLeC9Ew1FGMTgbMv
Cm/F+IQTiZjk6PpalqU2E1O6YQsvexSiq4F33SPODUQlYM3BvkZ2xdNbnq8Pwx7yi2ka
AH1Os1Qy/12KuehyOFmvcgoK3VsAYStC7XBBVtiSXMZyWWPI7nzIMlpyVkoQhR6kqsAa
z34xR1cuBVnsIh9mVXjaqdylkCNZfNgh4KG4AFXM84gqxCl4oNklWxriv0jEgSmIidcS
nbsQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@redhat.com header.s=mimecast20190719
header.b=AVvl6WpR;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
jj9-20020a170903048900b001a6d08dc834si19847803plb.22.2023.05.17.08.15.52;
Wed, 17 May 2023 08:16:05 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@redhat.com header.s=mimecast20190719
header.b=AVvl6WpR;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S231989AbjEQPGw (ORCPT <rfc822;abdi.embedded@gmail.com>
+ 99 others); Wed, 17 May 2023 11:06:52 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60942 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S231966AbjEQPG1 (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Wed, 17 May 2023 11:06:27 -0400
Received: from us-smtp-delivery-124.mimecast.com
(us-smtp-delivery-124.mimecast.com [170.10.133.124])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3BBF7A5D3
for <linux-kernel@vger.kernel.org>;
Wed, 17 May 2023 08:05:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
s=mimecast20190719; t=1684335856;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding:
in-reply-to:in-reply-to:references:references;
bh=5R80nbUZwWFiHdR78rMDNlvBGteEPIxCifWqkv+jAN8=;
b=AVvl6WpRLnQ3H8wtsI401rmZ1NvYbvOboWkKsRRSx/wZy6WUDjiuGM6nNx1IqK0oDoCVql
EfkIYHivwHkkc3Qe5ZwJgmhLxzDGt/tQOEJat4IsHwwWB0+opCwFVJQI/QxEurdLc+lOWq
HOCMrCEA2WkoOBFR1mff3ZhX35C1TeE=
Received: from mail-qk1-f200.google.com (mail-qk1-f200.google.com
[209.85.222.200]) by relay.mimecast.com with ESMTP with STARTTLS
(version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
us-mta-192-xI2Sxs1qPwu4pWcRJCDoVg-1; Wed, 17 May 2023 11:04:14 -0400
X-MC-Unique: xI2Sxs1qPwu4pWcRJCDoVg-1
Received: by mail-qk1-f200.google.com with SMTP id
af79cd13be357-74faf5008bbso3251585a.0
for <linux-kernel@vger.kernel.org>;
Wed, 17 May 2023 08:04:13 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20221208; t=1684335853; x=1686927853;
h=content-transfer-encoding:mime-version:references:in-reply-to
:message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
:subject:date:message-id:reply-to;
bh=5R80nbUZwWFiHdR78rMDNlvBGteEPIxCifWqkv+jAN8=;
b=JkfFNt00JO34QH8j0nTKbzmg+o9W9nhve2QkghLXaV2MRyTk3x+992q5bYjXeiQibx
cpEMLoE8/o26DYs758qLFu2Rwyf2+hlV4Lx4SCIkpPwq24+7sER5n0ZW5iNWJhYINTAn
MxrhTu8Q04yE8m6gDVuco3nLQyJM6hGfPl7q7nT/5AoYbRQAuorTnMYIV2dIPwMbb9s4
GmTosN2WaW4B44buK1XUQWie5EXlbj0RMzilII5R6qXDX3BDp2IRnhwM/CmGTdeLpgg2
Z9ZQfmBbt8guRCihUshtqkQ+HSZLDGS4f3tITfUkmVfjovHFTGyLOpQQzFZmt8wghQso
sRXw==
X-Gm-Message-State: AC+VfDzyBQDvlQR27xxC60OrDlNgfpEHAc/Iu6Bo11f6hde9hIy8dODl
bQ/uLCe54/OeJ3S2IoCczVyh5zWr6FsUnc5ioRd/1Mb5hH6nOGMECG361Qvzcj9+nImWSyb2ZVL
mw6gmDaZH8YDiKw4O6+X5AE0BbFgIQy+QIu1x/xhPuT+WEyB4KBNQif+cHT/H5Q2GhNilIyoruK
XZKjEbQw==
X-Received: by 2002:a05:6214:cc8:b0:623:5678:1285 with SMTP id
8-20020a0562140cc800b0062356781285mr5664678qvx.2.1684335852882;
Wed, 17 May 2023 08:04:12 -0700 (PDT)
X-Received: by 2002:a05:6214:cc8:b0:623:5678:1285 with SMTP id
8-20020a0562140cc800b0062356781285mr5664630qvx.2.1684335852517;
Wed, 17 May 2023 08:04:12 -0700 (PDT)
Received: from x1n.. (bras-base-aurron9127w-grc-62-70-24-86-62.dsl.bell.ca.
[70.24.86.62])
by smtp.gmail.com with ESMTPSA id
u10-20020a05620a120a00b0074d4cf8f9fcsm661141qkj.107.2023.05.17.08.04.10
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 17 May 2023 08:04:11 -0700 (PDT)
From: Peter Xu <peterx@redhat.com>
To: linux-kernel@vger.kernel.org, linux-mm@kvack.org
Cc: Lorenzo Stoakes <lstoakes@gmail.com>,
Andrew Morton <akpm@linux-foundation.org>,
"Liam R . Howlett" <Liam.Howlett@oracle.com>,
Mark Rutland <mark.rutland@arm.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Mike Rapoport <rppt@kernel.org>, peterx@redhat.com,
Alexander Viro <viro@zeniv.linux.org.uk>,
linux-stable <stable@vger.kernel.org>
Subject: [PATCH 1/2] mm/uffd: Fix vma operation where start addr cuts part of
vma
Date: Wed, 17 May 2023 11:04:07 -0400
Message-Id: <20230517150408.3411044-2-peterx@redhat.com>
X-Mailer: git-send-email 2.39.1
In-Reply-To: <20230517150408.3411044-1-peterx@redhat.com>
References: <20230517150408.3411044-1-peterx@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE,
RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE
autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1766154898817500421?=
X-GMAIL-MSGID: =?utf-8?q?1766154898817500421?=
|
| Series |
mm/uffd: Fix vma merge/split
|
|
Commit Message
Peter Xu
May 17, 2023, 3:04 p.m. UTC
It seems vma merging with uffd paths is broken with either
register/unregister, where right now we can feed wrong parameters to
vma_merge() and it's found by recent patch which moved asserts upwards in
vma_merge() by Lorenzo Stoakes:
https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/
The problem is in the current code base we didn't fixup "prev" for the case
where "start" address can be within the "prev" vma section. In that case
we should have "prev" points to the current vma rather than the previous
one when feeding to vma_merge().
This patch will eliminate the report and make sure vma_merge() calls will
become legal again.
One thing to mention is that the "Fixes: 29417d292bd0" below is there only
to help explain where the warning can start to trigger, the real commit to
fix should be 69dbe6daf104. Commit 29417d292bd0 helps us to identify the
issue, but unfortunately we may want to keep it in Fixes too just to ease
kernel backporters for easier tracking.
Cc: Lorenzo Stoakes <lstoakes@gmail.com>
Cc: Mike Rapoport (IBM) <rppt@kernel.org>
Cc: Liam R. Howlett <Liam.Howlett@oracle.com>
Reported-by: Mark Rutland <mark.rutland@arm.com>
Fixes: 29417d292bd0 ("mm/mmap/vma_merge: always check invariants")
Fixes: 69dbe6daf104 ("userfaultfd: use maple tree iterator to iterate VMAs")
Closes: https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Peter Xu <peterx@redhat.com>
---
fs/userfaultfd.c | 5 +++++
1 file changed, 5 insertions(+)
Comments
On Wed, May 17, 2023 at 11:04:07AM -0400, Peter Xu wrote: > It seems vma merging with uffd paths is broken with either > register/unregister, where right now we can feed wrong parameters to > vma_merge() and it's found by recent patch which moved asserts upwards in > vma_merge() by Lorenzo Stoakes: > > https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/ > > The problem is in the current code base we didn't fixup "prev" for the case > where "start" address can be within the "prev" vma section. In that case > we should have "prev" points to the current vma rather than the previous > one when feeding to vma_merge(). This doesn't seem quite correct, perhaps - "where start is contained within vma but not clamped to its start. We need to convert this into case 4 which permits subdivision of prev by assigning vma to prev. As we loop, each subsequent VMA will be clamped to the start." > > This patch will eliminate the report and make sure vma_merge() calls will > become legal again. > > One thing to mention is that the "Fixes: 29417d292bd0" below is there only > to help explain where the warning can start to trigger, the real commit to > fix should be 69dbe6daf104. Commit 29417d292bd0 helps us to identify the > issue, but unfortunately we may want to keep it in Fixes too just to ease > kernel backporters for easier tracking. > > Cc: Lorenzo Stoakes <lstoakes@gmail.com> > Cc: Mike Rapoport (IBM) <rppt@kernel.org> > Cc: Liam R. Howlett <Liam.Howlett@oracle.com> > Reported-by: Mark Rutland <mark.rutland@arm.com> > Fixes: 29417d292bd0 ("mm/mmap/vma_merge: always check invariants") > Fixes: 69dbe6daf104 ("userfaultfd: use maple tree iterator to iterate VMAs") > Closes: https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/ > Cc: linux-stable <stable@vger.kernel.org> > Signed-off-by: Peter Xu <peterx@redhat.com> > --- > fs/userfaultfd.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c > index 0fd96d6e39ce..17c8c345dac4 100644 > --- a/fs/userfaultfd.c > +++ b/fs/userfaultfd.c > @@ -1459,6 +1459,8 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx, > > vma_iter_set(&vmi, start); > prev = vma_prev(&vmi); > + if (vma->vm_start < start) > + prev = vma; > > ret = 0; > for_each_vma_range(vmi, vma, end) { > @@ -1625,6 +1627,9 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx, > > vma_iter_set(&vmi, start); > prev = vma_prev(&vmi); > + if (vma->vm_start < start) > + prev = vma; > + > ret = 0; > for_each_vma_range(vmi, vma, end) { > cond_resched(); > -- > 2.39.1 > Other than that looks good:- Reviewed-by: Lorenzo Stoakes <lstoakes@gmail.com>
* Peter Xu <peterx@redhat.com> [230517 11:04]: > It seems vma merging with uffd paths is broken with either > register/unregister, where right now we can feed wrong parameters to > vma_merge() and it's found by recent patch which moved asserts upwards in > vma_merge() by Lorenzo Stoakes: > > https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/ > > The problem is in the current code base we didn't fixup "prev" for the case > where "start" address can be within the "prev" vma section. In that case > we should have "prev" points to the current vma rather than the previous > one when feeding to vma_merge(). > > This patch will eliminate the report and make sure vma_merge() calls will > become legal again. > > One thing to mention is that the "Fixes: 29417d292bd0" below is there only > to help explain where the warning can start to trigger, the real commit to > fix should be 69dbe6daf104. Commit 29417d292bd0 helps us to identify the > issue, but unfortunately we may want to keep it in Fixes too just to ease > kernel backporters for easier tracking. > > Cc: Lorenzo Stoakes <lstoakes@gmail.com> > Cc: Mike Rapoport (IBM) <rppt@kernel.org> > Cc: Liam R. Howlett <Liam.Howlett@oracle.com> > Reported-by: Mark Rutland <mark.rutland@arm.com> > Fixes: 29417d292bd0 ("mm/mmap/vma_merge: always check invariants") > Fixes: 69dbe6daf104 ("userfaultfd: use maple tree iterator to iterate VMAs") > Closes: https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/ > Cc: linux-stable <stable@vger.kernel.org> > Signed-off-by: Peter Xu <peterx@redhat.com> Reviewed-by: Liam R. Howlett <Liam.Howlett@oracle.com> > --- > fs/userfaultfd.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c > index 0fd96d6e39ce..17c8c345dac4 100644 > --- a/fs/userfaultfd.c > +++ b/fs/userfaultfd.c > @@ -1459,6 +1459,8 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx, > > vma_iter_set(&vmi, start); > prev = vma_prev(&vmi); > + if (vma->vm_start < start) > + prev = vma; > > ret = 0; > for_each_vma_range(vmi, vma, end) { > @@ -1625,6 +1627,9 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx, > > vma_iter_set(&vmi, start); > prev = vma_prev(&vmi); > + if (vma->vm_start < start) > + prev = vma; > + > ret = 0; > for_each_vma_range(vmi, vma, end) { > cond_resched(); > -- > 2.39.1 >
On Wed, May 17, 2023 at 06:20:55PM +0100, Lorenzo Stoakes wrote: > On Wed, May 17, 2023 at 11:04:07AM -0400, Peter Xu wrote: > > It seems vma merging with uffd paths is broken with either > > register/unregister, where right now we can feed wrong parameters to > > vma_merge() and it's found by recent patch which moved asserts upwards in > > vma_merge() by Lorenzo Stoakes: > > > > https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/ > > > > The problem is in the current code base we didn't fixup "prev" for the case > > where "start" address can be within the "prev" vma section. In that case > > we should have "prev" points to the current vma rather than the previous > > one when feeding to vma_merge(). > > This doesn't seem quite correct, perhaps - "where start is contained within vma > but not clamped to its start. We need to convert this into case 4 which permits > subdivision of prev by assigning vma to prev. As we loop, each subsequent VMA > will be clamped to the start." I think it covers more than case 4 - it can also be case 0 where no merge will happen? > > > > > This patch will eliminate the report and make sure vma_merge() calls will > > become legal again. > > > > One thing to mention is that the "Fixes: 29417d292bd0" below is there only > > to help explain where the warning can start to trigger, the real commit to > > fix should be 69dbe6daf104. Commit 29417d292bd0 helps us to identify the > > issue, but unfortunately we may want to keep it in Fixes too just to ease > > kernel backporters for easier tracking. > > > > Cc: Lorenzo Stoakes <lstoakes@gmail.com> > > Cc: Mike Rapoport (IBM) <rppt@kernel.org> > > Cc: Liam R. Howlett <Liam.Howlett@oracle.com> > > Reported-by: Mark Rutland <mark.rutland@arm.com> > > Fixes: 29417d292bd0 ("mm/mmap/vma_merge: always check invariants") > > Fixes: 69dbe6daf104 ("userfaultfd: use maple tree iterator to iterate VMAs") > > Closes: https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/ > > Cc: linux-stable <stable@vger.kernel.org> > > Signed-off-by: Peter Xu <peterx@redhat.com> > > --- > > fs/userfaultfd.c | 5 +++++ > > 1 file changed, 5 insertions(+) > > > > diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c > > index 0fd96d6e39ce..17c8c345dac4 100644 > > --- a/fs/userfaultfd.c > > +++ b/fs/userfaultfd.c > > @@ -1459,6 +1459,8 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx, > > > > vma_iter_set(&vmi, start); > > prev = vma_prev(&vmi); > > + if (vma->vm_start < start) > > + prev = vma; > > > > ret = 0; > > for_each_vma_range(vmi, vma, end) { > > @@ -1625,6 +1627,9 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx, > > > > vma_iter_set(&vmi, start); > > prev = vma_prev(&vmi); > > + if (vma->vm_start < start) > > + prev = vma; > > + > > ret = 0; > > for_each_vma_range(vmi, vma, end) { > > cond_resched(); > > -- > > 2.39.1 > > > > Other than that looks good:- > > Reviewed-by: Lorenzo Stoakes <lstoakes@gmail.com> Thanks to both on the quick reviews!
On Wed, May 17, 2023 at 02:37:41PM -0400, Peter Xu wrote: > On Wed, May 17, 2023 at 06:20:55PM +0100, Lorenzo Stoakes wrote: > > On Wed, May 17, 2023 at 11:04:07AM -0400, Peter Xu wrote: > > > It seems vma merging with uffd paths is broken with either > > > register/unregister, where right now we can feed wrong parameters to > > > vma_merge() and it's found by recent patch which moved asserts upwards in > > > vma_merge() by Lorenzo Stoakes: > > > > > > https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/ > > > > > > The problem is in the current code base we didn't fixup "prev" for the case > > > where "start" address can be within the "prev" vma section. In that case > > > we should have "prev" points to the current vma rather than the previous > > > one when feeding to vma_merge(). > > > > This doesn't seem quite correct, perhaps - "where start is contained within vma > > but not clamped to its start. We need to convert this into case 4 which permits > > subdivision of prev by assigning vma to prev. As we loop, each subsequent VMA > > will be clamped to the start." > > I think it covers more than case 4 - it can also be case 0 where no merge > will happen? Ugh please let's not call a case that doesn't merge by a number :P but sure of course it might also not merge. > > > > > > > > > This patch will eliminate the report and make sure vma_merge() calls will > > > become legal again. > > > > > > One thing to mention is that the "Fixes: 29417d292bd0" below is there only > > > to help explain where the warning can start to trigger, the real commit to > > > fix should be 69dbe6daf104. Commit 29417d292bd0 helps us to identify the > > > issue, but unfortunately we may want to keep it in Fixes too just to ease > > > kernel backporters for easier tracking. > > > > > > Cc: Lorenzo Stoakes <lstoakes@gmail.com> > > > Cc: Mike Rapoport (IBM) <rppt@kernel.org> > > > Cc: Liam R. Howlett <Liam.Howlett@oracle.com> > > > Reported-by: Mark Rutland <mark.rutland@arm.com> > > > Fixes: 29417d292bd0 ("mm/mmap/vma_merge: always check invariants") > > > Fixes: 69dbe6daf104 ("userfaultfd: use maple tree iterator to iterate VMAs") > > > Closes: https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/ > > > Cc: linux-stable <stable@vger.kernel.org> > > > Signed-off-by: Peter Xu <peterx@redhat.com> > > > --- > > > fs/userfaultfd.c | 5 +++++ > > > 1 file changed, 5 insertions(+) > > > > > > diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c > > > index 0fd96d6e39ce..17c8c345dac4 100644 > > > --- a/fs/userfaultfd.c > > > +++ b/fs/userfaultfd.c > > > @@ -1459,6 +1459,8 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx, > > > > > > vma_iter_set(&vmi, start); > > > prev = vma_prev(&vmi); > > > + if (vma->vm_start < start) > > > + prev = vma; > > > > > > ret = 0; > > > for_each_vma_range(vmi, vma, end) { > > > @@ -1625,6 +1627,9 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx, > > > > > > vma_iter_set(&vmi, start); > > > prev = vma_prev(&vmi); > > > + if (vma->vm_start < start) > > > + prev = vma; > > > + > > > ret = 0; > > > for_each_vma_range(vmi, vma, end) { > > > cond_resched(); > > > -- > > > 2.39.1 > > > > > > > Other than that looks good:- > > > > Reviewed-by: Lorenzo Stoakes <lstoakes@gmail.com> > > Thanks to both on the quick reviews! No problem! > > -- > Peter Xu >
On Wed, May 17, 2023 at 07:40:59PM +0100, Lorenzo Stoakes wrote: > On Wed, May 17, 2023 at 02:37:41PM -0400, Peter Xu wrote: > > On Wed, May 17, 2023 at 06:20:55PM +0100, Lorenzo Stoakes wrote: > > > On Wed, May 17, 2023 at 11:04:07AM -0400, Peter Xu wrote: > > > > It seems vma merging with uffd paths is broken with either > > > > register/unregister, where right now we can feed wrong parameters to > > > > vma_merge() and it's found by recent patch which moved asserts upwards in > > > > vma_merge() by Lorenzo Stoakes: > > > > > > > > https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/ > > > > > > > > The problem is in the current code base we didn't fixup "prev" for the case > > > > where "start" address can be within the "prev" vma section. In that case > > > > we should have "prev" points to the current vma rather than the previous > > > > one when feeding to vma_merge(). > > > > > > This doesn't seem quite correct, perhaps - "where start is contained within vma > > > but not clamped to its start. We need to convert this into case 4 which permits > > > subdivision of prev by assigning vma to prev. As we loop, each subsequent VMA > > > will be clamped to the start." > > > > I think it covers more than case 4 - it can also be case 0 where no merge > > will happen? > > Ugh please let's not call a case that doesn't merge by a number :P but sure of > course it might also not merge. To me the original paragraph was still fine. But if you prefer your version (which I'm perfectly fine either way if you'd like to spell out what cases it'll trigger), it'll be: It's possible that "start" is contained within vma but not clamped to its start. We need to convert this into either "cannot merge" case or "can merge" case 4 which permits subdivision of prev by assigning vma to prev. As we loop, each subsequent VMA will be clamped to the start. Does that look good to you? Thanks,
On Wed, May 17, 2023 at 02:54:39PM -0400, Peter Xu wrote: > On Wed, May 17, 2023 at 07:40:59PM +0100, Lorenzo Stoakes wrote: > > On Wed, May 17, 2023 at 02:37:41PM -0400, Peter Xu wrote: > > > On Wed, May 17, 2023 at 06:20:55PM +0100, Lorenzo Stoakes wrote: > > > > On Wed, May 17, 2023 at 11:04:07AM -0400, Peter Xu wrote: > > > > > It seems vma merging with uffd paths is broken with either > > > > > register/unregister, where right now we can feed wrong parameters to > > > > > vma_merge() and it's found by recent patch which moved asserts upwards in > > > > > vma_merge() by Lorenzo Stoakes: > > > > > > > > > > https://lore.kernel.org/all/ZFunF7DmMdK05MoF@FVFF77S0Q05N.cambridge.arm.com/ > > > > > > > > > > The problem is in the current code base we didn't fixup "prev" for the case > > > > > where "start" address can be within the "prev" vma section. In that case > > > > > we should have "prev" points to the current vma rather than the previous > > > > > one when feeding to vma_merge(). > > > > > > > > This doesn't seem quite correct, perhaps - "where start is contained within vma > > > > but not clamped to its start. We need to convert this into case 4 which permits > > > > subdivision of prev by assigning vma to prev. As we loop, each subsequent VMA > > > > will be clamped to the start." > > > > > > I think it covers more than case 4 - it can also be case 0 where no merge > > > will happen? > > > > Ugh please let's not call a case that doesn't merge by a number :P but sure of > > course it might also not merge. > > To me the original paragraph was still fine. But if you prefer your version > (which I'm perfectly fine either way if you'd like to spell out what cases > it'll trigger), it'll be: > > It's possible that "start" is contained within vma but not clamped to its > start. We need to convert this into either "cannot merge" case or "can > merge" case 4 which permits subdivision of prev by assigning vma to > prev. As we loop, each subsequent VMA will be clamped to the start. > > Does that look good to you? > Looks good to me, thanks for taking the time! > Thanks, > > -- > Peter Xu >
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index 0fd96d6e39ce..17c8c345dac4 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -1459,6 +1459,8 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx, vma_iter_set(&vmi, start); prev = vma_prev(&vmi); + if (vma->vm_start < start) + prev = vma; ret = 0; for_each_vma_range(vmi, vma, end) { @@ -1625,6 +1627,9 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx, vma_iter_set(&vmi, start); prev = vma_prev(&vmi); + if (vma->vm_start < start) + prev = vma; + ret = 0; for_each_vma_range(vmi, vma, end) { cond_resched();