From: Suren Baghdasaryan
Date: Tue, 15 Feb 2022 15:02:54 -0800
Subject: Re: [PATCH v3 1/1] mm: fix use-after-free when anon vma name is used after vma is freed
To: Michal Hocko
Cc: Andrew Morton, Colin Cross, Sumit Semwal, Dave Hansen, Kees Cook, Matthew Wilcox, Kirill A. Shutemov, Vlastimil Babka, Johannes Weiner, Eric W. Biederman, Christian Brauner, legion@kernel.org, ran.xiaokai@zte.com.cn, sashal@kernel.org, Chris Hyser, Davidlohr Bueso, Peter Collingbourne, caoxiaofeng@yulong.com, David Hildenbrand, Cyrill Gorcunov, linux-mm, LKML, kernel-team, syzbot+aa7b3d4b35f9dc46a366@syzkaller.appspotmail.com
References: <20220211013032.623763-1-surenb@google.com>
Sender: owner-linux-mm@kvack.org

On Tue, Feb 15, 2022 at 12:05 PM Michal Hocko wrote:
>
> One thing I was considering is to check against ref count overflow (a
> deep process chain with many vmas could grow really high). ref_count
> interface doesn't provide any easy way to check for overflows as far as
> I could see from a quick glance so I gave up there but the logic would
> be really straightforward. We just create a new anon_vma_name with the same
> content and use it when duplicating if the usage grows really
> (arbitrarily) high.

I went over the proposed changes. I see a couple of small required fixes
(resetting the name to NULL seems to be missing and I think
dup_vma_anon_name needs some tweaking) but overall quite straightforward.
I'll post a separate patch to do this refactoring. The original patch is
fixing the UAF issue, so I don't want to mix it with refactoring. Please
let me know if you see an issue with separating it that way.

Thanks,
Suren.

> --
> Michal Hocko
> SUSE Labs
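The overflow guard Michal sketches above, modelled as an added userspace example (not the kernel's anon_vma_name code and not code from either poster): the struct layout, the cap ANON_VMA_NAME_REFS_MAX and the function names are assumptions chosen to mirror the kernel naming, and the cap is deliberately tiny so the switch from sharing to copying is visible.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical userspace model of the idea from the thread: vmas share one
 * refcounted name, but once the count gets "arbitrarily high" a dup mints
 * an equal-content copy instead, so the counter never creeps toward overflow. */
#define ANON_VMA_NAME_REFS_MAX 4	/* assumed cap, tiny on purpose */

struct anon_vma_name {
	unsigned int refcount;
	char name[];			/* NUL-terminated, allocated inline */
};

struct anon_vma_name *anon_vma_name_alloc(const char *name)
{
	size_t len = strlen(name) + 1;
	struct anon_vma_name *anon_name = malloc(sizeof(*anon_name) + len);

	if (!anon_name)
		return NULL;
	anon_name->refcount = 1;
	memcpy(anon_name->name, name, len);
	return anon_name;
}

/* Drop one reference; the object is freed with the last one. */
void anon_vma_name_put(struct anon_vma_name *anon_name)
{
	if (anon_name && --anon_name->refcount == 0)
		free(anon_name);
}

/* Reference for a duplicated vma: share the object by bumping its count,
 * or, once the cap is reached, hand back a fresh object with the same content. */
struct anon_vma_name *anon_vma_name_dup(struct anon_vma_name *orig)
{
	if (!orig)
		return NULL;
	if (orig->refcount >= ANON_VMA_NAME_REFS_MAX)
		return anon_vma_name_alloc(orig->name);
	orig->refcount++;
	return orig;
}
```

With the cap at 4, three duplications share the original object and the fourth returns a distinct object whose content compares equal, while the original's count stays at 4.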