From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D00C9C433F5 for ; Mon, 18 Oct 2021 22:15:28 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 775F16113D for ; Mon, 18 Oct 2021 22:15:28 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 775F16113D Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linux-foundation.org Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id 1DCAA6B006C; Mon, 18 Oct 2021 18:15:28 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 13E9F900004; Mon, 18 Oct 2021 18:15:28 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 006366B0072; Mon, 18 Oct 2021 18:15:27 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0171.hostedemail.com [216.40.44.171]) by kanga.kvack.org (Postfix) with ESMTP id E6AA46B006C for ; Mon, 18 Oct 2021 18:15:27 -0400 (EDT) Received: from smtpin39.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay02.hostedemail.com (Postfix) with ESMTP id B11FA3209B for ; Mon, 18 Oct 2021 22:15:27 +0000 (UTC) X-FDA: 78710965494.39.351420D Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by imf08.hostedemail.com (Postfix) with ESMTP id 5732330000AA for ; Mon, 18 Oct 2021 22:15:24 +0000 (UTC) Received: by mail.kernel.org (Postfix) with ESMTPSA id 54FE960F57; Mon, 18 Oct 2021 22:15:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linux-foundation.org; s=korg; t=1634595326; bh=Qh3cL2hpltSfSLG9YVQ1P6hvrN7nTImK0OB36heMILA=; h=Date:From:To:Subject:In-Reply-To:From; b=GAKA8zwzkGlDwYZof4xZKLCz2kiGeJ6uM75LhR+MsRLi/1UOvO4bcN0iMrGaVYAy1 O8BLCOCCO9HbvdJhs5byruPBpIbKZVJloyRV0jzR3/zTIojKXCTcLPkjQKlWiwPmoo /yWTES2y8kV8sRnhhNMdNo2Vdeu+O/aW1Qr1KiP4= Date: Mon, 18 Oct 2021 15:15:25 -0700 From: Andrew Morton To: aarcange@redhat.com, akpm@linux-foundation.org, linux-mm@kvack.org, liwang@redhat.com, mm-commits@vger.kernel.org, namit@vmware.com, peterx@redhat.com, stable@vger.kernel.org, torvalds@linux-foundation.org Subject: [patch 02/19] userfaultfd: fix a race between writeprotect and exit_mmap() Message-ID: <20211018221525.vqm6hS1Ya%akpm@linux-foundation.org> In-Reply-To: <20211018151438.f2246e2656c041b6753a8bdd@linux-foundation.org> User-Agent: s-nail v14.8.16 X-Rspamd-Server: rspam03 X-Rspamd-Queue-Id: 5732330000AA X-Stat-Signature: pijcdxin4unytousnwaqcz5w5usezabo Authentication-Results: imf08.hostedemail.com; dkim=pass header.d=linux-foundation.org header.s=korg header.b=GAKA8zwz; dmarc=none; spf=pass (imf08.hostedemail.com: domain of akpm@linux-foundation.org designates 198.145.29.99 as permitted sender) smtp.mailfrom=akpm@linux-foundation.org X-HE-Tag: 1634595324-942734 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: From: Nadav Amit Subject: userfaultfd: fix a race between writeprotect and exit_mmap() A race is possible when a process exits, its VMAs are removed by exit_mmap() and at the same time userfaultfd_writeprotect() is called. The race was detected by KASAN on a development kernel, but it appears to be possible on vanilla kernels as well. Use mmget_not_zero() to prevent the race as done in other userfaultfd operations. Link: https://lkml.kernel.org/r/20210921200247.25749-1-namit@vmware.com Fixes: 63b2d4174c4ad ("userfaultfd: wp: add the writeprotect API to userfaultfd ioctl") Signed-off-by: Nadav Amit Tested-by: Li Wang Reviewed-by: Peter Xu Cc: Andrea Arcangeli Cc: Signed-off-by: Andrew Morton --- fs/userfaultfd.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) --- a/fs/userfaultfd.c~userfaultfd-fix-a-race-between-writeprotect-and-exit_mmap +++ a/fs/userfaultfd.c @@ -1827,9 +1827,15 @@ static int userfaultfd_writeprotect(stru if (mode_wp && mode_dontwake) return -EINVAL; - ret = mwriteprotect_range(ctx->mm, uffdio_wp.range.start, - uffdio_wp.range.len, mode_wp, - &ctx->mmap_changing); + if (mmget_not_zero(ctx->mm)) { + ret = mwriteprotect_range(ctx->mm, uffdio_wp.range.start, + uffdio_wp.range.len, mode_wp, + &ctx->mmap_changing); + mmput(ctx->mm); + } else { + return -ESRCH; + } + if (ret) return ret; _