From: Jann Horn <jannh@google.com>
Date: Tue, 17 Jan 2023 20:12:49 +0100
Subject: Re: [PATCH] mm/khugepaged: Fix ->anon_vma race
To: Andrew Morton
Cc: "Kirill A. Shutemov", "Zach O'Keefe", linux-kernel@vger.kernel.org, David Hildenbrand, Yang Shi, linux-mm@kvack.org
In-Reply-To: <20230111133351.807024-1-jannh@google.com>
On Wed, Jan 11, 2023 at 2:33 PM Jann Horn wrote:
> If an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires
> it to be locked. retract_page_tables() bails out if an ->anon_vma is
> attached, but does this check before holding the mmap lock (as the comment
> above the check explains).

@akpm please replace the commit message with the following, and maybe also
add a "Link:" entry pointing to
https://lore.kernel.org/linux-mm/CAG48ez3434wZBKFFbdx4M9j6eUwSUVPd4dxhzW_k_POneSDF+A@mail.gmail.com/
for the reproducer.

If an ->anon_vma is attached to the VMA, collapse_and_free_pmd() requires
it to be locked.

Page table traversal is allowed under any one of the mmap lock, the
anon_vma lock (if the VMA is associated with an anon_vma), and the
mapping lock (if the VMA is associated with a mapping); and so to be
able to remove page tables, we must hold all three of them.
retract_page_tables() bails out if an ->anon_vma is attached, but does
this check before holding the mmap lock (as the comment above the check
explains).

If we racily merge an existing ->anon_vma (shared with a child
process) from a neighboring VMA, subsequent rmap traversals on pages
belonging to the child will be able to see the page tables that we are
concurrently removing while assuming that nothing else can access them.

Repeat the ->anon_vma check once we hold the mmap lock to ensure that
there really is no concurrent page table access.

Hitting this bug causes a lockdep warning in collapse_and_free_pmd(),
in the line "lockdep_assert_held_write(&vma->anon_vma->root->rwsem)".
It can also lead to use-after-free access.
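The commit message above describes a check-before-lock (TOCTOU) pattern: retract_page_tables() tests ->anon_vma without mmap_lock, a neighbouring VMA's anon_vma is merged in during the window, and collapse_and_free_pmd() then frees a page table that rmap walkers under the anon_vma lock can still reach. The following user-space C model is an added example, not code from the patch or from the kernel. It mirrors the names from the discussion (vma, anon_vma, mmap_lock) but the rwsem model, the struct layouts, the helpers and the deterministic injection of the concurrent merge into the race window are all assumptions made for the illustration. It runs the pre-fix sequence and the fixed sequence (re-check under mmap_lock) side by side, with and without a racing merge.

```c
/*
 * Added example, not kernel code: a user-space model of the
 * check-before-lock race described in the commit message above. Struct
 * names follow the discussion (vma, anon_vma, mmap_lock); the lock model,
 * the helpers and the deterministic "concurrent merge" injection are
 * assumptions made for this illustration.
 */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal rw-semaphore model: we only need to know who holds it for write. */
struct rwsem { int write_held; };
static void down_write(struct rwsem *s) { assert(!s->write_held); s->write_held = 1; }
static void up_write(struct rwsem *s)   { assert(s->write_held);  s->write_held = 0; }

struct anon_vma { struct rwsem rwsem; };    /* stands in for anon_vma->root->rwsem */
struct mm       { struct rwsem mmap_lock; };

struct vma {
    struct mm *mm;
    struct anon_vma *anon_vma;  /* NULL until a merge attaches one */
    bool pmd_present;           /* true while the page table still exists */
};

enum retract_result {
    RETRACTED,                  /* table freed; no other path could reach it */
    BAILED,                     /* anon_vma attached: table left alone */
    BUG_FREED_WHILE_SHARED      /* table freed although rmap walkers can reach it */
};

/* Model of collapse_and_free_pmd(): the kernel asserts that the anon_vma
 * rwsem is write-held here. The retract path never takes it, so an attached
 * anon_vma at this point is the lockdep splat / use-after-free case. */
static enum retract_result collapse_and_free_pmd(struct vma *vma)
{
    assert(vma->mm->mmap_lock.write_held);
    bool shared = vma->anon_vma && !vma->anon_vma->rwsem.write_held;
    vma->pmd_present = false;   /* the table is gone either way */
    return shared ? BUG_FREED_WHILE_SHARED : RETRACTED;
}

/* The racing thread: merge a neighbour's anon_vma (shared with a child) into
 * this VMA under its own mmap_lock write section, before we take the lock. */
static void concurrent_merge(struct vma *vma, struct anon_vma *av)
{
    down_write(&vma->mm->mmap_lock);
    vma->anon_vma = av;
    up_write(&vma->mm->mmap_lock);
}

/* retract_page_tables() with the window made explicit: merged_in is what a
 * concurrent thread attaches inside the window (NULL: no race);
 * recheck_under_lock selects the fixed behaviour. */
static enum retract_result retract_page_tables(struct vma *vma,
                                               struct anon_vma *merged_in,
                                               bool recheck_under_lock)
{
    if (vma->anon_vma)          /* unlocked early check, the pre-fix shortcut */
        return BAILED;

    if (merged_in)              /* race window: mmap_lock is not held yet */
        concurrent_merge(vma, merged_in);

    down_write(&vma->mm->mmap_lock);
    enum retract_result r;
    if (recheck_under_lock && vma->anon_vma)
        r = BAILED;             /* the fix: repeat the check under mmap_lock */
    else
        r = collapse_and_free_pmd(vma);
    up_write(&vma->mm->mmap_lock);
    return r;
}

/* Run one scenario on a fresh VMA; pmd_left reports whether the table survived. */
static enum retract_result scenario(bool anon_vma_already, bool race,
                                    bool fixed, bool *pmd_left)
{
    struct mm mm = { { 0 } };
    struct anon_vma av = { { 0 } };
    struct vma vma = { &mm, anon_vma_already ? &av : NULL, true };
    enum retract_result r = retract_page_tables(&vma, race ? &av : NULL, fixed);
    if (pmd_left)
        *pmd_left = vma.pmd_present;
    return r;
}

enum retract_result run_scenario(bool anon_vma_already, bool race, bool fixed)
{
    return scenario(anon_vma_already, race, fixed, NULL);
}

bool table_survives(bool anon_vma_already, bool race, bool fixed)
{
    bool left;
    scenario(anon_vma_already, race, fixed, &left);
    return left;
}

int main(void)
{
    static const char *names[] = { "RETRACTED", "BAILED", "BUG_FREED_WHILE_SHARED" };
    printf("no race, pre-fix: %s\n", names[run_scenario(false, false, false)]);
    printf("race,    pre-fix: %s\n", names[run_scenario(false, true, false)]);
    printf("race,    fixed:   %s\n", names[run_scenario(false, true, true)]);
    return 0;
}
```

The point of the model is the third scenario: with a merge landing in the window, the pre-fix sequence reports BUG_FREED_WHILE_SHARED (the table is freed while an anon_vma that was never locked is attached), whereas repeating the check under mmap_lock bails and leaves the table in place. The general rule it encodes is the one from the commit message: a negative check taken outside the lock that would forbid the write is only meaningful if it is repeated once every lock that can change the checked state is held.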