From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.7 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DC43DC433DF for ; Thu, 9 Jul 2020 10:53:21 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id AC08B2074B for ; Thu, 9 Jul 2020 10:53:21 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org AC08B2074B Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=linux.intel.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 38FA26B0002; Thu, 9 Jul 2020 06:53:21 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 340AD6B0003; Thu, 9 Jul 2020 06:53:21 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 22D726B0005; Thu, 9 Jul 2020 06:53:21 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0145.hostedemail.com [216.40.44.145]) by kanga.kvack.org (Postfix) with ESMTP id 0806A6B0002 for ; Thu, 9 Jul 2020 06:53:21 -0400 (EDT) Received: from smtpin01.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay03.hostedemail.com (Postfix) with ESMTP id 7463E82499B9 for ; Thu, 9 Jul 2020 10:53:20 +0000 (UTC) X-FDA: 77018225760.01.water29_120b9cf26ec5 Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251]) by smtpin01.hostedemail.com (Postfix) with ESMTP id 38749400020D31CE for ; Thu, 9 Jul 2020 10:53:20 +0000 (UTC) X-HE-Tag: water29_120b9cf26ec5 X-Filterd-Recvd-Size: 4271 Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by imf02.hostedemail.com (Postfix) with ESMTP for ; Thu, 9 Jul 2020 10:53:19 +0000 (UTC) IronPort-SDR: a4ZJDE+u26/xawYeB1fLPzNiA87HjGRNXHWFRjao1t9dGS5QEYKXuLZWUcSafYeoggM9U+zsSL d0qEEahrZTwQ== X-IronPort-AV: E=McAfee;i="6000,8403,9676"; a="166068943" X-IronPort-AV: E=Sophos;i="5.75,331,1589266800"; d="scan'208";a="166068943" X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 09 Jul 2020 03:53:17 -0700 IronPort-SDR: P4hWY/sye1VYuLTzDCkFtKV52yM7tKk5/vXcJpES3ptC2WS01pmaVpqjBuZ+rp+5rbNRAgTcIZ 5oWMsWZ+jzpw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.75,331,1589266800"; d="scan'208";a="323208484" Received: from black.fi.intel.com ([10.237.72.28]) by FMSMGA003.fm.intel.com with ESMTP; 09 Jul 2020 03:53:15 -0700 Received: by black.fi.intel.com (Postfix, from userid 1000) id 9D3E01EA; Thu, 9 Jul 2020 13:53:14 +0300 (EEST) From: "Kirill A. Shutemov" To: Andrew Morton Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, "Kirill A. Shutemov" , Jann Horn , stable@vger.kernel.org, Yang Shi , Vlastimil Babka , Oleg Nesterov , Matthew Wilcox Subject: [PATCH] mm: Close race between munmap() and expand_upwards()/downwards() Date: Thu, 9 Jul 2020 13:53:09 +0300 Message-Id: <20200709105309.42495-1-kirill.shutemov@linux.intel.com> X-Mailer: git-send-email 2.27.0 MIME-Version: 1.0 X-Rspamd-Queue-Id: 38749400020D31CE X-Spamd-Result: default: False [0.00 / 100.00] X-Rspamd-Server: rspam05 Content-Transfer-Encoding: quoted-printable X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: VMA with VM_GROWSDOWN or VM_GROWSUP flag set can change their size under mmap_read_lock(). It can lead to race with __do_munmap(): Thread A Thread B __do_munmap() detach_vmas_to_be_unmapped() mmap_write_downgrade() expand_downwards() vma->vm_start =3D address; // The VMA now overlaps with // VMAs detached by the Thread A // page fault populates expanded part // of the VMA unmap_region() // Zaps pagetables partly // populated by Thread B Similar race exists for expand_upwards(). The fix is to avoid downgrading mmap_lock in __do_munmap() if detached VMAs are next to VM_GROWSDOWN or VM_GROWSUP VMA. Signed-off-by: Kirill A. Shutemov Reported-by: Jann Horn Fixes: dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap") Cc: # 4.20 Cc: Yang Shi Cc: Vlastimil Babka Cc: Oleg Nesterov Cc: Matthew Wilcox --- mm/mmap.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/mm/mmap.c b/mm/mmap.c index 59a4682ebf3f..71df4b36b42a 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -2620,7 +2620,7 @@ static void unmap_region(struct mm_struct *mm, * Create a list of vma's touched by the unmap, removing them from the m= m's * vma list as we go.. */ -static void +static bool detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *= vma, struct vm_area_struct *prev, unsigned long end) { @@ -2645,6 +2645,17 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, s= truct vm_area_struct *vma, =20 /* Kill the cache */ vmacache_invalidate(mm); + + /* + * Do not downgrade mmap_sem if we are next to VM_GROWSDOWN or + * VM_GROWSUP VMA. Such VMAs can change their size under + * down_read(mmap_sem) and collide with the VMA we are about to unmap. + */ + if (vma && (vma->vm_flags & VM_GROWSDOWN)) + return false; + if (prev && (prev->vm_flags & VM_GROWSUP)) + return false; + return true; } =20 /* @@ -2825,7 +2836,8 @@ int __do_munmap(struct mm_struct *mm, unsigned long= start, size_t len, } =20 /* Detach vmas from rbtree */ - detach_vmas_to_be_unmapped(mm, vma, prev, end); + if (!detach_vmas_to_be_unmapped(mm, vma, prev, end)) + downgrade =3D false; =20 if (downgrade) mmap_write_downgrade(mm); --=20 2.26.2