* Re: [PATCH] mm: mmap: Fix general protection fault in unlink_file_vma()
@ 2020-10-08 7:17 linmiaohe
2020-10-09 4:23 ` Andrew Morton
0 siblings, 1 reply; 6+ messages in thread
From: linmiaohe @ 2020-10-08 7:17 UTC (permalink / raw)
To: Andrew Morton; +Cc: linux-mm, linux-kernel
Andrew Morton <akpm@linux-foundation.org> wrote:
> On Wed, 16 Sep 2020 05:07:33 -0400 Miaohe Lin <linmiaohe@huawei.com> wrote:
>
>> The syzbot reported the below general protection fault:
>>
>> general protection fault, probably for non-canonical address
>> 0xe00eeaee0000003b: 0000 [#1] PREEMPT SMP KASAN
>> KASAN: maybe wild-memory-access in range
>> [0x00777770000001d8-0x00777770000001df]
>> CPU: 1 PID: 10488 Comm: syz-executor721 Not tainted
>> 5.9.0-rc3-syzkaller #0
>> Trace:
>> free_pgtables+0x1b3/0x2f0 mm/memory.c:415
>> exit_mmap+0x2c0/0x530 mm/mmap.c:3184
>> __mmput+0x122/0x470 kernel/fork.c:1076
>>
>> It's because the ->mmap() callback can change vma->vm_file and fput
>> the original file. But the commit d70cec898324 ("mm: mmap: merge vma
>> after
>> call_mmap() if possible") failed to catch this case and always fput()
>> the original file, hence add an extra fput().
>>
>> ...
>>
>> --- a/mm/mmap.c
>> +++ b/mm/mmap.c
>> @@ -1815,7 +1815,11 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
>> merge = vma_merge(mm, prev, vma->vm_start, vma->vm_end, vma->vm_flags,
>> NULL, vma->vm_file, vma->vm_pgoff, NULL, NULL_VM_UFFD_CTX);
>> if (merge) {
>> - fput(file);
>> + /* ->mmap() can change vma->vm_file and fput the original file. So
>> + * fput the vma->vm_file here or we would add an extra fput for file
>> + * and cause general protection fault ultimately.
>> + */
>> + fput(vma->vm_file);
>> vm_area_free(vma);
>> vma = merge;
>> /* Update vm_flags and possible addr to pick up the change. We
>> don't
>
>What about the case where this code block does its `goto unmap_writable'?
>
> /* Once vma denies write, undo our temporary denial count */
> if (file) {
>unmap_writable:
> if (vm_flags & VM_SHARED)
> mapping_unmap_writable(file->f_mapping);
> if (vm_flags & VM_DENYWRITE)
> allow_write_access(file);
> }
> file = vma->vm_file;
>
>is this using the correct file? I think it is, but please do check.
>
Many thanks for your reply.
Yes, I think so too. We do deny_write_access and mapping_map_writable on @file, so we should undo all of this on @file.
Since @file is unchanged over the second vma_merge() time, we'are using the correct @file to undo our temporary denial count.
But how should I check this explicitly ? I can't find out a way to do this. Could you please figure it out for me?
Thanks again.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] mm: mmap: Fix general protection fault in unlink_file_vma()
2020-10-08 7:17 [PATCH] mm: mmap: Fix general protection fault in unlink_file_vma() linmiaohe
@ 2020-10-09 4:23 ` Andrew Morton
0 siblings, 0 replies; 6+ messages in thread
From: Andrew Morton @ 2020-10-09 4:23 UTC (permalink / raw)
To: linmiaohe; +Cc: linux-mm, linux-kernel
On Thu, 8 Oct 2020 07:17:18 +0000 linmiaohe <linmiaohe@huawei.com> wrote:
> Andrew Morton <akpm@linux-foundation.org> wrote:
> > On Wed, 16 Sep 2020 05:07:33 -0400 Miaohe Lin <linmiaohe@huawei.com> wrote:
> >
> >> The syzbot reported the below general protection fault:
> >>
> >> general protection fault, probably for non-canonical address
> >> 0xe00eeaee0000003b: 0000 [#1] PREEMPT SMP KASAN
> >> KASAN: maybe wild-memory-access in range
> >> [0x00777770000001d8-0x00777770000001df]
> >> CPU: 1 PID: 10488 Comm: syz-executor721 Not tainted
> >> 5.9.0-rc3-syzkaller #0
> >> Trace:
> >> free_pgtables+0x1b3/0x2f0 mm/memory.c:415
> >> exit_mmap+0x2c0/0x530 mm/mmap.c:3184
> >> __mmput+0x122/0x470 kernel/fork.c:1076
> >>
> >> It's because the ->mmap() callback can change vma->vm_file and fput
> >> the original file. But the commit d70cec898324 ("mm: mmap: merge vma
> >> after
> >> call_mmap() if possible") failed to catch this case and always fput()
> >> the original file, hence add an extra fput().
> >>
>
> ...
>
> >
> >is this using the correct file? I think it is, but please do check.
> >
>
> Many thanks for your reply.
>
> Yes, I think so too. We do deny_write_access and mapping_map_writable on @file, so we should undo all of this on @file.
> Since @file is unchanged over the second vma_merge() time, we'are using the correct @file to undo our temporary denial count.
>
> But how should I check this explicitly ? I can't find out a way to do this. Could you please figure it out for me?
I meant "please check (review) the code as it now is", not "please add
a check" ;)
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] mm: mmap: Fix general protection fault in unlink_file_vma()
@ 2020-10-09 6:39 linmiaohe
0 siblings, 0 replies; 6+ messages in thread
From: linmiaohe @ 2020-10-09 6:39 UTC (permalink / raw)
To: Andrew Morton; +Cc: linux-mm, linux-kernel
Andrew Morton <akpm@linux-foundation.org> wrote:
> On Thu, 8 Oct 2020 07:17:18 +0000 linmiaohe <linmiaohe@huawei.com> wrote:
>
>> Andrew Morton <akpm@linux-foundation.org> wrote:
>> > On Wed, 16 Sep 2020 05:07:33 -0400 Miaohe Lin <linmiaohe@huawei.com> wrote:
>> >
>> >> The syzbot reported the below general protection fault:
>>
>> >
>> >is this using the correct file? I think it is, but please do check.
>> >
>>
>> Many thanks for your reply.
>>
>> Yes, I think so too. We do deny_write_access and mapping_map_writable on @file, so we should undo all of this on @file.
>> Since @file is unchanged over the second vma_merge() time, we'are using the correct @file to undo our temporary denial count.
>>
>> But how should I check this explicitly ? I can't find out a way to do this. Could you please figure it out for me?
>
>I meant "please check (review) the code as it now is", not "please add a check" ;)
>
Oh, I see. I have reviewed the code carefully. The @file should be right one as I explained in previous email. ;)
Have a good day! ^_^
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] mm: mmap: Fix general protection fault in unlink_file_vma()
2020-09-16 9:07 Miaohe Lin
@ 2020-10-07 19:04 ` Andrew Morton
0 siblings, 0 replies; 6+ messages in thread
From: Andrew Morton @ 2020-10-07 19:04 UTC (permalink / raw)
To: Miaohe Lin; +Cc: linux-mm, linux-kernel
On Wed, 16 Sep 2020 05:07:33 -0400 Miaohe Lin <linmiaohe@huawei.com> wrote:
> The syzbot reported the below general protection fault:
>
> general protection fault, probably for non-canonical address
> 0xe00eeaee0000003b: 0000 [#1] PREEMPT SMP KASAN
> KASAN: maybe wild-memory-access in range
> [0x00777770000001d8-0x00777770000001df]
> CPU: 1 PID: 10488 Comm: syz-executor721 Not tainted 5.9.0-rc3-syzkaller #0
> RIP: 0010:unlink_file_vma+0x57/0xb0 mm/mmap.c:164
> Code: 4c 8b a5 a0 00 00 00 4d 85 e4 74 4e e8 92 d7 cd ff 49 8d bc 24
> d8 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c
> 02 00 75 3d 4d 8b b4 24 d8 01 00 00 4d 8d 6e 78 4c 89 ef e8
> RSP: 0018:ffffc9000ac0f9b0 EFLAGS: 00010202
> RAX: dffffc0000000000 RBX: ffff88800010ceb0 RCX: ffffffff81592421
> RDX: 000eeeee0000003b RSI: ffffffff81a6736e RDI: 00777770000001d8
> RBP: ffff88800010ceb0 R08: 0000000000000001 R09: ffff88801291a50f
> R10: ffffed10025234a1 R11: 0000000000000001 R12: 0077777000000000
> R13: 00007f1eea0da000 R14: 00007f1eea0d9000 R15: 0000000000000000
> FS: 0000000000000000(0000) GS:ffff8880ae700000(0000)
> knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f1eea11a9d0 CR3: 000000000007e000 CR4: 00000000001506e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> free_pgtables+0x1b3/0x2f0 mm/memory.c:415
> exit_mmap+0x2c0/0x530 mm/mmap.c:3184
> __mmput+0x122/0x470 kernel/fork.c:1076
> mmput+0x53/0x60 kernel/fork.c:1097
> exit_mm kernel/exit.c:483 [inline]
> do_exit+0xa8b/0x29f0 kernel/exit.c:793
> do_group_exit+0x125/0x310 kernel/exit.c:903
> get_signal+0x428/0x1f00 kernel/signal.c:2757
> arch_do_signal+0x82/0x2520 arch/x86/kernel/signal.c:811
> exit_to_user_mode_loop kernel/entry/common.c:136 [inline]
> exit_to_user_mode_prepare+0x1ae/0x200 kernel/entry/common.c:167
> syscall_exit_to_user_mode+0x7e/0x2e0 kernel/entry/common.c:242
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> It's because the ->mmap() callback can change vma->vm_file and fput the
> original file. But the commit d70cec898324 ("mm: mmap: merge vma after
> call_mmap() if possible") failed to catch this case and always fput() the
> original file, hence add an extra fput().
>
> ...
>
> --- a/mm/mmap.c
> +++ b/mm/mmap.c
> @@ -1815,7 +1815,11 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
> merge = vma_merge(mm, prev, vma->vm_start, vma->vm_end, vma->vm_flags,
> NULL, vma->vm_file, vma->vm_pgoff, NULL, NULL_VM_UFFD_CTX);
> if (merge) {
> - fput(file);
> + /* ->mmap() can change vma->vm_file and fput the original file. So
> + * fput the vma->vm_file here or we would add an extra fput for file
> + * and cause general protection fault ultimately.
> + */
> + fput(vma->vm_file);
> vm_area_free(vma);
> vma = merge;
> /* Update vm_flags and possible addr to pick up the change. We don't
What about the case where this code block does its `goto unmap_writable'?
/* Once vma denies write, undo our temporary denial count */
if (file) {
unmap_writable:
if (vm_flags & VM_SHARED)
mapping_unmap_writable(file->f_mapping);
if (vm_flags & VM_DENYWRITE)
allow_write_access(file);
}
file = vma->vm_file;
is this using the correct file? I think it is, but please do check.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] mm: mmap: Fix general protection fault in unlink_file_vma()
@ 2020-10-07 2:51 linmiaohe
0 siblings, 0 replies; 6+ messages in thread
From: linmiaohe @ 2020-10-07 2:51 UTC (permalink / raw)
To: akpm; +Cc: linux-mm, linux-kernel
Friendly ping.
> The syzbot reported the below general protection fault:
>
> general protection fault, probably for non-canonical address
> 0xe00eeaee0000003b: 0000 [#1] PREEMPT SMP KASAN
> KASAN: maybe wild-memory-access in range [0x00777770000001d8-0x00777770000001df]
> CPU: 1 PID: 10488 Comm: syz-executor721 Not tainted 5.9.0-rc3-syzkaller #0
>
> It's because the ->mmap() callback can change vma->vm_file and fput the original file. But the commit d70cec898324 ("mm: mmap: merge vma after
> call_mmap() if possible") failed to catch this case and always fput() the original file, hence add an extra fput().
>
> [ Thanks Hillf for pointing this extra fput() out. ]
>
> @@ -1815,7 +1815,11 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
> merge = vma_merge(mm, prev, vma->vm_start, vma->vm_end, vma->vm_flags,
> NULL, vma->vm_file, vma->vm_pgoff, NULL, NULL_VM_UFFD_CTX);
> if (merge) {
> - fput(file);
> + /* ->mmap() can change vma->vm_file and fput the original file. So
> + * fput the vma->vm_file here or we would add an extra fput for file
> + * and cause general protection fault ultimately.
> + */
> + fput(vma->vm_file);
> vm_area_free(vma);
> vma = merge;
> /* Update vm_flags and possible addr to pick up the change. We don't
> --
> 2.19.1
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH] mm: mmap: Fix general protection fault in unlink_file_vma()
@ 2020-09-16 9:07 Miaohe Lin
2020-10-07 19:04 ` Andrew Morton
0 siblings, 1 reply; 6+ messages in thread
From: Miaohe Lin @ 2020-09-16 9:07 UTC (permalink / raw)
To: akpm; +Cc: linux-mm, linux-kernel, linmiaohe
The syzbot reported the below general protection fault:
general protection fault, probably for non-canonical address
0xe00eeaee0000003b: 0000 [#1] PREEMPT SMP KASAN
KASAN: maybe wild-memory-access in range
[0x00777770000001d8-0x00777770000001df]
CPU: 1 PID: 10488 Comm: syz-executor721 Not tainted 5.9.0-rc3-syzkaller #0
RIP: 0010:unlink_file_vma+0x57/0xb0 mm/mmap.c:164
Code: 4c 8b a5 a0 00 00 00 4d 85 e4 74 4e e8 92 d7 cd ff 49 8d bc 24
d8 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c
02 00 75 3d 4d 8b b4 24 d8 01 00 00 4d 8d 6e 78 4c 89 ef e8
RSP: 0018:ffffc9000ac0f9b0 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff88800010ceb0 RCX: ffffffff81592421
RDX: 000eeeee0000003b RSI: ffffffff81a6736e RDI: 00777770000001d8
RBP: ffff88800010ceb0 R08: 0000000000000001 R09: ffff88801291a50f
R10: ffffed10025234a1 R11: 0000000000000001 R12: 0077777000000000
R13: 00007f1eea0da000 R14: 00007f1eea0d9000 R15: 0000000000000000
FS: 0000000000000000(0000) GS:ffff8880ae700000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1eea11a9d0 CR3: 000000000007e000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
free_pgtables+0x1b3/0x2f0 mm/memory.c:415
exit_mmap+0x2c0/0x530 mm/mmap.c:3184
__mmput+0x122/0x470 kernel/fork.c:1076
mmput+0x53/0x60 kernel/fork.c:1097
exit_mm kernel/exit.c:483 [inline]
do_exit+0xa8b/0x29f0 kernel/exit.c:793
do_group_exit+0x125/0x310 kernel/exit.c:903
get_signal+0x428/0x1f00 kernel/signal.c:2757
arch_do_signal+0x82/0x2520 arch/x86/kernel/signal.c:811
exit_to_user_mode_loop kernel/entry/common.c:136 [inline]
exit_to_user_mode_prepare+0x1ae/0x200 kernel/entry/common.c:167
syscall_exit_to_user_mode+0x7e/0x2e0 kernel/entry/common.c:242
entry_SYSCALL_64_after_hwframe+0x44/0xa9
It's because the ->mmap() callback can change vma->vm_file and fput the
original file. But the commit d70cec898324 ("mm: mmap: merge vma after
call_mmap() if possible") failed to catch this case and always fput() the
original file, hence add an extra fput().
[ Thanks Hillf for pointing this extra fput() out. ]
Fixes: d70cec898324 ("mm: mmap: merge vma after call_mmap() if possible")
Reported-by: syzbot+c5d5a51dcbb558ca0cb5@syzkaller.appspotmail.com
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
---
mm/mmap.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/mm/mmap.c b/mm/mmap.c
index e3a1c1b48909..37c985850dc6 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1815,7 +1815,11 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
merge = vma_merge(mm, prev, vma->vm_start, vma->vm_end, vma->vm_flags,
NULL, vma->vm_file, vma->vm_pgoff, NULL, NULL_VM_UFFD_CTX);
if (merge) {
- fput(file);
+ /* ->mmap() can change vma->vm_file and fput the original file. So
+ * fput the vma->vm_file here or we would add an extra fput for file
+ * and cause general protection fault ultimately.
+ */
+ fput(vma->vm_file);
vm_area_free(vma);
vma = merge;
/* Update vm_flags and possible addr to pick up the change. We don't
--
2.19.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2020-10-09 6:39 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-08 7:17 [PATCH] mm: mmap: Fix general protection fault in unlink_file_vma() linmiaohe
2020-10-09 4:23 ` Andrew Morton
-- strict thread matches above, loose matches on Subject: below --
2020-10-09 6:39 linmiaohe
2020-10-07 2:51 linmiaohe
2020-09-16 9:07 Miaohe Lin
2020-10-07 19:04 ` Andrew Morton
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).