From: Andrea Arcangeli <aarcange@redhat.com>
To: Oleg Nesterov <oleg@redhat.com>
Cc: Kefeng Wang <wangkefeng.wang@huawei.com>,
Michal Hocko <mhocko@suse.com>, linux-mm <linux-mm@kvack.org>,
Peter Xu <peterx@redhat.com>, Mike Rapoport <rppt@linux.ibm.com>,
Jann Horn <jannh@google.com>, Jason Gunthorpe <jgg@mellanox.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [BUG] kernel BUG at fs/userfaultfd.c:385 after 04f5866e41fb
Date: Mon, 19 Aug 2019 12:05:17 -0400 [thread overview]
Message-ID: <20190819160517.GG31518@redhat.com> (raw)
In-Reply-To: <20190814154101.GF11595@redhat.com>
On Wed, Aug 14, 2019 at 05:41:02PM +0200, Oleg Nesterov wrote:
> --- a/fs/userfaultfd.c
> +++ b/fs/userfaultfd.c
> @@ -880,6 +880,7 @@ static int userfaultfd_release(struct inode *inode, struct file *file)
> /* len == 0 means wake all */
> struct userfaultfd_wake_range range = { .len = 0, };
> unsigned long new_flags;
> + bool xxx;
>
> WRITE_ONCE(ctx->released, true);
>
> @@ -895,8 +896,7 @@ static int userfaultfd_release(struct inode *inode, struct file *file)
> * taking the mmap_sem for writing.
> */
> down_write(&mm->mmap_sem);
> - if (!mmget_still_valid(mm))
> - goto skip_mm;
> + xxx = mmget_still_valid(mm);
> prev = NULL;
> for (vma = mm->mmap; vma; vma = vma->vm_next) {
> cond_resched();
> @@ -907,19 +907,20 @@ static int userfaultfd_release(struct inode *inode, struct file *file)
> continue;
> }
> new_flags = vma->vm_flags & ~(VM_UFFD_MISSING | VM_UFFD_WP);
> - prev = vma_merge(mm, prev, vma->vm_start, vma->vm_end,
> - new_flags, vma->anon_vma,
> - vma->vm_file, vma->vm_pgoff,
> - vma_policy(vma),
> - NULL_VM_UFFD_CTX);
> - if (prev)
> - vma = prev;
> - else
> - prev = vma;
> + if (xxx) {
> + prev = vma_merge(mm, prev, vma->vm_start, vma->vm_end,
> + new_flags, vma->anon_vma,
> + vma->vm_file, vma->vm_pgoff,
> + vma_policy(vma),
> + NULL_VM_UFFD_CTX);
> + if (prev)
> + vma = prev;
> + else
> + prev = vma;
> + }
> vma->vm_flags = new_flags;
> vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
> }
> -skip_mm:
> up_write(&mm->mmap_sem);
> mmput(mm);
> wakeup:
The proposed fix looks correct, can you resend in a way that can be merged?
What happens is there are 4 threads, the uffdio copy with NULL source
address is just to induce more thread creation, then one thread does
UFFDIO_COPY with source in the uffd region so it blocks in
handle_userfault inside UFFDIO_COPY. When one of the threads then does
the illegal instruction the core dump starts. The core dump wakes the
userfault and the copy-user in UFFDIO_COPY is being retried after
userfaultfd_release already run because one of the other threads
already went through do_exit. It's a bit strange that the file that
was opened by the ioctl() syscall gets released and its
file->private_data destroyed before the ioctl syscall has a chance to
return to userland.
Anyway the same race condition can still happen for a rogue page fault
that is happening when the core dump start so the above fix is needed
anyway.
next prev parent reply other threads:[~2019-08-19 16:05 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-13 9:08 [BUG] kernel BUG at fs/userfaultfd.c:385 after 04f5866e41fb Kefeng Wang
2019-08-14 13:53 ` Michal Hocko
2019-08-14 14:45 ` Kefeng Wang
2019-08-14 15:10 ` Oleg Nesterov
2019-08-14 15:41 ` Oleg Nesterov
2019-08-15 2:21 ` Kefeng Wang
2019-08-15 9:54 ` Oleg Nesterov
2019-08-16 10:37 ` Kefeng Wang
2019-08-19 12:48 ` Oleg Nesterov
2019-08-19 16:05 ` Andrea Arcangeli [this message]
2019-08-20 15:59 ` Oleg Nesterov
2019-08-20 16:15 ` Andrea Arcangeli
[not found] ` <73d7b5b1-a88c-5fca-ba16-be214c2524a4@I-love.SAKURA.ne.jp>
2019-08-20 16:09 ` Oleg Nesterov
2019-08-20 16:02 ` [PATCH] userfaultfd_release: always remove uffd flags and clear vm_userfaultfd_ctx Oleg Nesterov
2019-08-20 16:05 ` Andrea Arcangeli
2019-08-21 0:53 ` Kefeng Wang
2019-08-27 16:33 ` [BUG] kernel BUG at fs/userfaultfd.c:385 after 04f5866e41fb Oleg Nesterov
2019-08-27 17:14 ` Andrea Arcangeli
2019-08-28 14:25 ` Oleg Nesterov
2019-08-29 12:05 ` Andrea Arcangeli
2019-08-30 16:49 ` Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190819160517.GG31518@redhat.com \
--to=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=jannh@google.com \
--cc=jgg@mellanox.com \
--cc=linux-mm@kvack.org \
--cc=mhocko@suse.com \
--cc=oleg@redhat.com \
--cc=peterx@redhat.com \
--cc=rppt@linux.ibm.com \
--cc=wangkefeng.wang@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.