LKML Archive on lore.kernel.org
 help / Atom feed
* [PATCH 0/1] userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered
@ 2018-12-06 21:20 Andrea Arcangeli
  2018-12-06 21:20 ` [PATCH 1/1] " Andrea Arcangeli
  0 siblings, 1 reply; 5+ messages in thread
From: Andrea Arcangeli @ 2018-12-06 21:20 UTC (permalink / raw)
  To: Andrew Morton
  Cc: linux-mm, linux-kernel, Hugh Dickins, Mike Rapoport,
	Mike Kravetz, Jann Horn, Peter Xu, Dr. David Alan Gilbert

Hello,

The juxtaposition with the other bugchecks didn't make it apparent
that the this WARN_ON was one line too soon.

An app trying to unregister a not-yet-registered range will trigger an
_harmless_ false positive WARN_ON. No real app would do that so it
went unnoticed during testing.

This should be applied on top of 29ec90660d68 ("userfaultfd:
shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas") to shut off
the false positive warning.

Thanks,
Andrea

Andrea Arcangeli (1):
  userfaultfd: check VM_MAYWRITE was set after verifying the uffd is
    registered

 fs/userfaultfd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)


^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH 1/1] userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered
  2018-12-06 21:20 [PATCH 0/1] userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered Andrea Arcangeli
@ 2018-12-06 21:20 ` " Andrea Arcangeli
  2018-12-06 21:32   ` Mike Rapoport
                     ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Andrea Arcangeli @ 2018-12-06 21:20 UTC (permalink / raw)
  To: Andrew Morton
  Cc: linux-mm, linux-kernel, Hugh Dickins, Mike Rapoport,
	Mike Kravetz, Jann Horn, Peter Xu, Dr. David Alan Gilbert

Calling UFFDIO_UNREGISTER on virtual ranges not yet registered in uffd
could trigger an harmless false positive WARN_ON. Check the vma is
already registered before checking VM_MAYWRITE to shut off the
false positive warning.

Cc: <stable@vger.kernel.org>
Fixes: 29ec90660d68 ("userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas")
Reported-by: syzbot+06c7092e7d71218a2c16@syzkaller.appspotmail.com
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
---
 fs/userfaultfd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index cd58939dc977..7a85e609fc27 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -1566,7 +1566,6 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
 		cond_resched();
 
 		BUG_ON(!vma_can_userfault(vma));
-		WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
 
 		/*
 		 * Nothing to do: this vma is already registered into this
@@ -1575,6 +1574,8 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
 		if (!vma->vm_userfaultfd_ctx.ctx)
 			goto skip;
 
+		WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
+
 		if (vma->vm_start > start)
 			start = vma->vm_start;
 		vma_end = min(end, vma->vm_end);

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH 1/1] userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered
  2018-12-06 21:20 ` [PATCH 1/1] " Andrea Arcangeli
@ 2018-12-06 21:32   ` Mike Rapoport
  2018-12-06 22:07   ` Hugh Dickins
  2018-12-07  3:43   ` Peter Xu
  2 siblings, 0 replies; 5+ messages in thread
From: Mike Rapoport @ 2018-12-06 21:32 UTC (permalink / raw)
  To: Andrea Arcangeli
  Cc: Andrew Morton, linux-mm, linux-kernel, Hugh Dickins,
	Mike Rapoport, Mike Kravetz, Jann Horn, Peter Xu,
	Dr. David Alan Gilbert

On Thu, Dec 06, 2018 at 04:20:28PM -0500, Andrea Arcangeli wrote:
> Calling UFFDIO_UNREGISTER on virtual ranges not yet registered in uffd
> could trigger an harmless false positive WARN_ON. Check the vma is
> already registered before checking VM_MAYWRITE to shut off the
> false positive warning.
> 
> Cc: <stable@vger.kernel.org>
> Fixes: 29ec90660d68 ("userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas")
> Reported-by: syzbot+06c7092e7d71218a2c16@syzkaller.appspotmail.com
> Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>

Acked-by: Mike Rapoport <rppt@linux.ibm.com>

> ---
>  fs/userfaultfd.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
> index cd58939dc977..7a85e609fc27 100644
> --- a/fs/userfaultfd.c
> +++ b/fs/userfaultfd.c
> @@ -1566,7 +1566,6 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
>  		cond_resched();
> 
>  		BUG_ON(!vma_can_userfault(vma));
> -		WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
> 
>  		/*
>  		 * Nothing to do: this vma is already registered into this
> @@ -1575,6 +1574,8 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
>  		if (!vma->vm_userfaultfd_ctx.ctx)
>  			goto skip;
> 
> +		WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
> +
>  		if (vma->vm_start > start)
>  			start = vma->vm_start;
>  		vma_end = min(end, vma->vm_end);
> 

-- 
Sincerely yours,
Mike.


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH 1/1] userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered
  2018-12-06 21:20 ` [PATCH 1/1] " Andrea Arcangeli
  2018-12-06 21:32   ` Mike Rapoport
@ 2018-12-06 22:07   ` Hugh Dickins
  2018-12-07  3:43   ` Peter Xu
  2 siblings, 0 replies; 5+ messages in thread
From: Hugh Dickins @ 2018-12-06 22:07 UTC (permalink / raw)
  To: Andrea Arcangeli
  Cc: Andrew Morton, linux-mm, linux-kernel, Hugh Dickins,
	Mike Rapoport, Mike Kravetz, Jann Horn, Peter Xu,
	Dr. David Alan Gilbert

On Thu, 6 Dec 2018, Andrea Arcangeli wrote:

> Calling UFFDIO_UNREGISTER on virtual ranges not yet registered in uffd
> could trigger an harmless false positive WARN_ON. Check the vma is
> already registered before checking VM_MAYWRITE to shut off the
> false positive warning.
> 
> Cc: <stable@vger.kernel.org>
> Fixes: 29ec90660d68 ("userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas")
> Reported-by: syzbot+06c7092e7d71218a2c16@syzkaller.appspotmail.com
> Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>

Acked-by: Hugh Dickins <hughd@google.com>

> ---
>  fs/userfaultfd.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
> index cd58939dc977..7a85e609fc27 100644
> --- a/fs/userfaultfd.c
> +++ b/fs/userfaultfd.c
> @@ -1566,7 +1566,6 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
>  		cond_resched();
>  
>  		BUG_ON(!vma_can_userfault(vma));
> -		WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
>  
>  		/*
>  		 * Nothing to do: this vma is already registered into this
> @@ -1575,6 +1574,8 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
>  		if (!vma->vm_userfaultfd_ctx.ctx)
>  			goto skip;
>  
> +		WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
> +
>  		if (vma->vm_start > start)
>  			start = vma->vm_start;
>  		vma_end = min(end, vma->vm_end);
> 

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH 1/1] userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered
  2018-12-06 21:20 ` [PATCH 1/1] " Andrea Arcangeli
  2018-12-06 21:32   ` Mike Rapoport
  2018-12-06 22:07   ` Hugh Dickins
@ 2018-12-07  3:43   ` Peter Xu
  2 siblings, 0 replies; 5+ messages in thread
From: Peter Xu @ 2018-12-07  3:43 UTC (permalink / raw)
  To: Andrea Arcangeli
  Cc: Andrew Morton, linux-mm, linux-kernel, Hugh Dickins,
	Mike Rapoport, Mike Kravetz, Jann Horn, Dr. David Alan Gilbert

On Thu, Dec 06, 2018 at 04:20:28PM -0500, Andrea Arcangeli wrote:
> Calling UFFDIO_UNREGISTER on virtual ranges not yet registered in uffd
> could trigger an harmless false positive WARN_ON. Check the vma is
> already registered before checking VM_MAYWRITE to shut off the
> false positive warning.
> 
> Cc: <stable@vger.kernel.org>
> Fixes: 29ec90660d68 ("userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas")
> Reported-by: syzbot+06c7092e7d71218a2c16@syzkaller.appspotmail.com
> Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
> ---
>  fs/userfaultfd.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
> index cd58939dc977..7a85e609fc27 100644
> --- a/fs/userfaultfd.c
> +++ b/fs/userfaultfd.c
> @@ -1566,7 +1566,6 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
>  		cond_resched();
>  
>  		BUG_ON(!vma_can_userfault(vma));
> -		WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
>  
>  		/*
>  		 * Nothing to do: this vma is already registered into this

Maybe we want to fix this comment too some day:

		/*
		 * Nothing to do: this vma is already registered into this
		 * userfaultfd and with the right tracking mode too.
		 */

But I don't think it's anything urgent since it's clear it means the
other way round and it can potentially be touched up in any further
cleanup/fixes of uffd.

Acked-by: Peter Xu <peterx@redhat.com>

> @@ -1575,6 +1574,8 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx,
>  		if (!vma->vm_userfaultfd_ctx.ctx)
>  			goto skip;
>  
> +		WARN_ON(!(vma->vm_flags & VM_MAYWRITE));
> +
>  		if (vma->vm_start > start)
>  			start = vma->vm_start;
>  		vma_end = min(end, vma->vm_end);

Thanks,

-- 
Peter Xu

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, back to index

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-12-06 21:20 [PATCH 0/1] userfaultfd: check VM_MAYWRITE was set after verifying the uffd is registered Andrea Arcangeli
2018-12-06 21:20 ` [PATCH 1/1] " Andrea Arcangeli
2018-12-06 21:32   ` Mike Rapoport
2018-12-06 22:07   ` Hugh Dickins
2018-12-07  3:43   ` Peter Xu

LKML Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/lkml/0 lkml/git/0.git
	git clone --mirror https://lore.kernel.org/lkml/1 lkml/git/1.git
	git clone --mirror https://lore.kernel.org/lkml/2 lkml/git/2.git
	git clone --mirror https://lore.kernel.org/lkml/3 lkml/git/3.git
	git clone --mirror https://lore.kernel.org/lkml/4 lkml/git/4.git
	git clone --mirror https://lore.kernel.org/lkml/5 lkml/git/5.git
	git clone --mirror https://lore.kernel.org/lkml/6 lkml/git/6.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 lkml lkml/ https://lore.kernel.org/lkml \
		linux-kernel@vger.kernel.org linux-kernel@archiver.kernel.org
	public-inbox-index lkml


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-kernel


AGPL code for this site: git clone https://public-inbox.org/ public-inbox