linux-kernel.vger.kernel.org archive mirror
* [PATCH 0/2] mm/uffd: Fix vma check
@ 2022-10-24 19:33 Peter Xu
  2022-10-24 19:33 ` [PATCH 1/2] mm/uffd: Fix vma check on userfault for wp Peter Xu
  2022-10-24 19:33 ` [PATCH 2/2] Revert "mm/uffd: fix warning without PTE_MARKER_UFFD_WP compiled in" Peter Xu
  0 siblings, 2 replies; 4+ messages in thread
From: Peter Xu @ 2022-10-24 19:33 UTC (permalink / raw)
  To: linux-mm, linux-kernel
  Cc: Axel Rasmussen, peterx, Andrew Morton, Andrea Arcangeli, Nadav Amit

I just got time to have a closer look at the uffd-wp triggering of the
warning here:

https://lore.kernel.org/all/YzeR+R6b4bwBlBHh@x1n/T/#u

It turns out to be a wrong check on vma, and with the fix attached we
should be able to remove the ugly macro checks.  Sorry for the bother.

Please have a look, thanks.

Peter Xu (2):
  mm/uffd: Fix vma check on userfault for wp
  Revert "mm/uffd: fix warning without PTE_MARKER_UFFD_WP compiled in"

 include/linux/userfaultfd_k.h | 6 +++---
 mm/hugetlb.c                  | 4 ----
 mm/memory.c                   | 2 --
 mm/mprotect.c                 | 2 --
 4 files changed, 3 insertions(+), 11 deletions(-)

-- 
2.37.3



* [PATCH 1/2] mm/uffd: Fix vma check on userfault for wp
  2022-10-24 19:33 [PATCH 0/2] mm/uffd: Fix vma check Peter Xu
@ 2022-10-24 19:33 ` Peter Xu
  2022-10-24 19:42   ` Peter Xu
  2022-10-24 19:33 ` [PATCH 2/2] Revert "mm/uffd: fix warning without PTE_MARKER_UFFD_WP compiled in" Peter Xu
  1 sibling, 1 reply; 4+ messages in thread
From: Peter Xu @ 2022-10-24 19:33 UTC (permalink / raw)
  To: linux-mm, linux-kernel
  Cc: Axel Rasmussen, peterx, Andrew Morton, Andrea Arcangeli, Nadav Amit

We used to have a report that pte-marker code can be reached even when
uffd-wp is not compiled in for file memories, here:

https://lore.kernel.org/all/YzeR+R6b4bwBlBHh@x1n/T/#u

I just got time to revisit this and found that the root cause is we simply
messed up the vma check, so that for a !PTE_MARKER_UFFD_WP system, we
will allow UFFDIO_REGISTER of MINOR & WP upon shmem as the check was wrong:

    if (vm_flags & VM_UFFD_MINOR)
        return is_vm_hugetlb_page(vma) || vma_is_shmem(vma);

Where we'll allow anything to pass on shmem as long as minor mode is
requested.

Axel did it right when introducing minor mode but I messed it up in
b1f9e876862d when moving code around.  Fix it.

Cc: Axel Rasmussen <axelrasmussen@google.com>
Fixes: b1f9e876862d ("mm/uffd: enable write protection for shmem & hugetlbfs")
Signed-off-by: Peter Xu <peterx@redhat.com>
---
 include/linux/userfaultfd_k.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/linux/userfaultfd_k.h b/include/linux/userfaultfd_k.h
index f07e6998bb68..9df0b9a762cc 100644
--- a/include/linux/userfaultfd_k.h
+++ b/include/linux/userfaultfd_k.h
@@ -146,9 +146,9 @@ static inline bool userfaultfd_armed(struct vm_area_struct *vma)
 static inline bool vma_can_userfault(struct vm_area_struct *vma,
 				     unsigned long vm_flags)
 {
-	if (vm_flags & VM_UFFD_MINOR)
-		return is_vm_hugetlb_page(vma) || vma_is_shmem(vma);
-
+	if ((vm_flags & VM_UFFD_MINOR) &&
+	    (!is_vm_hugetlb_page(vma) && !vma_is_shmem(vma)))
+		return false;
 #ifndef CONFIG_PTE_MARKER_UFFD_WP
 	/*
 	 * If user requested uffd-wp but not enabled pte markers for
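Review bot: the new reject-only test at `if ((vm_flags & VM_UFFD_MINOR) &&` carries no comment saying why it must not return early with true, which is exactly the mistake being fixed: the removed `return is_vm_hugetlb_page(vma) || vma_is_shmem(vma);` skipped the `#ifndef CONFIG_PTE_MARKER_UFFD_WP` check below whenever MINOR was requested. A one-line comment above the condition stating that each mode may only veto, so that the later checks still run for a combined MINOR and WP request, would protect it the next time this code is moved. Two style points: the inner parentheses around `!is_vm_hugetlb_page(vma) && !vma_is_shmem(vma)` are redundant, and the blank line that separated this check from the `#ifndef` block has been dropped; keeping it would help readability.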
-- 
2.37.3



* [PATCH 2/2] Revert "mm/uffd: fix warning without PTE_MARKER_UFFD_WP compiled in"
  2022-10-24 19:33 [PATCH 0/2] mm/uffd: Fix vma check Peter Xu
  2022-10-24 19:33 ` [PATCH 1/2] mm/uffd: Fix vma check on userfault for wp Peter Xu
@ 2022-10-24 19:33 ` Peter Xu
  1 sibling, 0 replies; 4+ messages in thread
From: Peter Xu @ 2022-10-24 19:33 UTC (permalink / raw)
  To: linux-mm, linux-kernel
  Cc: Axel Rasmussen, peterx, Andrew Morton, Andrea Arcangeli, Nadav Amit

With the previous patch to fix the registration, we'll be safe to remove the
macro hacks now.

Signed-off-by: Peter Xu <peterx@redhat.com>
---
 mm/hugetlb.c  | 4 ----
 mm/memory.c   | 2 --
 mm/mprotect.c | 2 --
 3 files changed, 8 deletions(-)

diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 1a7dc7b2e16c..b2fcb27f268a 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -5124,7 +5124,6 @@ static void __unmap_hugepage_range(struct mmu_gather *tlb, struct vm_area_struct
 		 * unmapped and its refcount is dropped, so just clear pte here.
 		 */
 		if (unlikely(!pte_present(pte))) {
-#ifdef CONFIG_PTE_MARKER_UFFD_WP
 			/*
 			 * If the pte was wr-protected by uffd-wp in any of the
 			 * swap forms, meanwhile the caller does not want to
@@ -5136,7 +5135,6 @@ static void __unmap_hugepage_range(struct mmu_gather *tlb, struct vm_area_struct
 				set_huge_pte_at(mm, address, ptep,
 						make_pte_marker(PTE_MARKER_UFFD_WP));
 			else
-#endif
 				huge_pte_clear(mm, address, ptep, sz);
 			spin_unlock(ptl);
 			continue;
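Review bot: with the `#ifdef CONFIG_PTE_MARKER_UFFD_WP` / `#endif` pair gone, the `set_huge_pte_at(..., make_pte_marker(PTE_MARKER_UFFD_WP))` branch ahead of `else huge_pte_clear(...)` is built in every configuration, and the only thing keeping it unreachable without the option is the registration check changed in patch 1/2. The commit message refers only to the "previous patch"; naming that patch by subject would keep the dependency findable in git history. The follow-up on 1/2 asks for Cc: stable while this patch carries no Fixes or stable tag, so the message should also say whether this revert is meant to be backported together with 1/2, and that it must not be applied without it.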
@@ -5165,13 +5163,11 @@ static void __unmap_hugepage_range(struct mmu_gather *tlb, struct vm_area_struct
 		tlb_remove_huge_tlb_entry(h, tlb, ptep, address);
 		if (huge_pte_dirty(pte))
 			set_page_dirty(page);
-#ifdef CONFIG_PTE_MARKER_UFFD_WP
 		/* Leave a uffd-wp pte marker if needed */
 		if (huge_pte_uffd_wp(pte) &&
 		    !(zap_flags & ZAP_FLAG_DROP_MARKER))
 			set_huge_pte_at(mm, address, ptep,
 					make_pte_marker(PTE_MARKER_UFFD_WP));
-#endif
 		hugetlb_count_sub(pages_per_huge_page(h), mm);
 		page_remove_rmap(page, vma, true);
 
diff --git a/mm/memory.c b/mm/memory.c
index 8e72f703ed99..25b12d1a7db0 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -1393,12 +1393,10 @@ zap_install_uffd_wp_if_needed(struct vm_area_struct *vma,
 			      unsigned long addr, pte_t *pte,
 			      struct zap_details *details, pte_t pteval)
 {
-#ifdef CONFIG_PTE_MARKER_UFFD_WP
 	if (zap_drop_file_uffd_wp(details))
 		return;
 
 	pte_install_uffd_wp_if_needed(vma, addr, pte, pteval);
-#endif
 }
 
 static unsigned long zap_pte_range(struct mmu_gather *tlb,
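Review bot: zap_install_uffd_wp_if_needed() loses its empty body on kernels built without CONFIG_PTE_MARKER_UFFD_WP, so `zap_drop_file_uffd_wp(details)` and `pte_install_uffd_wp_if_needed(vma, addr, pte, pteval)` now execute there on every call. Please confirm with a CONFIG_PTE_MARKER_UFFD_WP=n build that both helpers compile and have no effect in that configuration, and mention that test in the commit message.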
diff --git a/mm/mprotect.c b/mm/mprotect.c
index 99762403cc8f..8d770855b591 100644
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -267,7 +267,6 @@ static unsigned long change_pte_range(struct mmu_gather *tlb,
 		} else {
 			/* It must be an none page, or what else?.. */
 			WARN_ON_ONCE(!pte_none(oldpte));
-#ifdef CONFIG_PTE_MARKER_UFFD_WP
 			if (unlikely(uffd_wp && !vma_is_anonymous(vma))) {
 				/*
 				 * For file-backed mem, we need to be able to
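Review bot: at `if (unlikely(uffd_wp && !vma_is_anonymous(vma)))` nothing now ties the branch to the config option, so a future registration bug like the one fixed in 1/2 would again reach the marker-install code on a kernel built without it. If the goal is only to drop the preprocessor blocks, adding `IS_ENABLED(CONFIG_PTE_MARKER_UFFD_WP)` to this condition would keep the compile-time guarantee in plain C; otherwise a short comment that `uffd_wp` cannot be set here without the option would document the invariant the code now relies on.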
@@ -279,7 +278,6 @@ static unsigned long change_pte_range(struct mmu_gather *tlb,
 					   make_pte_marker(PTE_MARKER_UFFD_WP));
 				pages++;
 			}
-#endif
 		}
 	} while (pte++, addr += PAGE_SIZE, addr != end);
 	arch_leave_lazy_mmu_mode();
-- 
2.37.3



* Re: [PATCH 1/2] mm/uffd: Fix vma check on userfault for wp
  2022-10-24 19:33 ` [PATCH 1/2] mm/uffd: Fix vma check on userfault for wp Peter Xu
@ 2022-10-24 19:42   ` Peter Xu
  0 siblings, 0 replies; 4+ messages in thread
From: Peter Xu @ 2022-10-24 19:42 UTC (permalink / raw)
  To: linux-mm, linux-kernel
  Cc: Axel Rasmussen, Andrew Morton, Andrea Arcangeli, Nadav Amit

On Mon, Oct 24, 2022 at 03:33:35PM -0400, Peter Xu wrote:
> We used to have a report that pte-marker code can be reached even when
> uffd-wp is not compiled in for file memories, here:
> 
> https://lore.kernel.org/all/YzeR+R6b4bwBlBHh@x1n/T/#u
> 
> I just got time to revisit this and found that the root cause is we simply
> messed up the vma check, so that for a !PTE_MARKER_UFFD_WP system, we
> will allow UFFDIO_REGISTER of MINOR & WP upon shmem as the check was wrong:
> 
>     if (vm_flags & VM_UFFD_MINOR)
>         return is_vm_hugetlb_page(vma) || vma_is_shmem(vma);
> 
> Where we'll allow anything to pass on shmem as long as minor mode is
> requested.
> 
> Axel did it right when introducing minor mode but I messed it up in
> b1f9e876862d when moving code around.  Fix it.
> 
> Cc: Axel Rasmussen <axelrasmussen@google.com>
> Fixes: b1f9e876862d ("mm/uffd: enable write protection for shmem & hugetlbfs")

Should also have had:

Cc: stable@vger.kernel.org

> Signed-off-by: Peter Xu <peterx@redhat.com>

-- 
Peter Xu


