From: Matthew Wilcox <willy@infradead.org>
To: Mike Rapoport <rppt@kernel.org>
Cc: Kees Cook <keescook@chromium.org>,
Dmitry Vyukov <dvyukov@google.com>,
syzbot <syzbot+b904a1de3ec43711eba5@syzkaller.appspotmail.com>,
Jordy Zomer <jordy@pwning.systems>,
akpm@linux-foundation.org, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] WARNING: refcount bug in sys_memfd_secret
Date: Sun, 24 Oct 2021 11:57:02 +0100 [thread overview]
Message-ID: <YXU7/iRjf9v77gon@casper.infradead.org> (raw)
In-Reply-To: <YXTxN5skPPFPvScP@kernel.org>
On Sun, Oct 24, 2021 at 08:37:59AM +0300, Mike Rapoport wrote:
> On Sat, Oct 23, 2021 at 11:46:18PM +0100, Matthew Wilcox wrote:
> > On Sat, Oct 23, 2021 at 10:03:11AM -0700, Kees Cook wrote:
> > > On October 23, 2021 8:27:28 AM PDT, Mike Rapoport <rppt@kernel.org> wrote:
> > > >and my first reaction was to send a revert the untested commit 110860541f44
> > > >("mm/secretmem: use refcount_t instead of atomic_t").
> >
> > I think you should. This isn't a real problem.
>
> Do you mean that creation of 4 billion of file descriptors is not feasible?
On a sufficiently large machine, it is. But then we have the same
problem with other atomic_t. If you really care, just check whether
secretmem_users has gone negative, and return -ENFILE. It doesn't
even have to be all that exact; you've got 2 billion values of slop
to use before you hit the wrap from negative to 0 which is the actual
problem.
ie this:
+++ b/mm/secretmem.c
@@ -203,6 +203,8 @@ SYSCALL_DEFINE1(memfd_secret, unsigned int, flags)
if (flags & ~(SECRETMEM_FLAGS_MASK | O_CLOEXEC))
return -EINVAL;
+ if (atomic_read(&secretmem_users) < 0)
+ return -ENFILE;
fd = get_unused_fd_flags(flags & O_CLOEXEC);
if (fd < 0)
Also, why does secretmem depend on !EMBEDDED?
config EMBEDDED
bool "Embedded system"
select EXPERT
help
This option should be enabled if compiling the kernel for
an embedded system so certain expert options are available
for configuration.
This is the only Kconfig option that depends on !EMBEDDED. It's usually
used to avoid showing questions. It means that my allmodconfig build
*doesn't* build secretmem, which is surely not what you wanted.
+++ b/mm/Kconfig
@@ -892,7 +892,7 @@ config IO_MAPPING
bool
config SECRETMEM
- def_bool ARCH_HAS_SET_DIRECT_MAP && !EMBEDDED
+ def_bool ARCH_HAS_SET_DIRECT_MAP
source "mm/damon/Kconfig"
next prev parent reply other threads:[~2021-10-24 10:59 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-22 15:02 [syzbot] WARNING: refcount bug in sys_memfd_secret syzbot
2021-10-22 15:07 ` Dmitry Vyukov
2021-10-22 16:25 ` Jordy Zomer
2021-10-22 16:29 ` Dmitry Vyukov
2021-10-22 16:39 ` Jordy Zomer
2021-10-23 15:27 ` Mike Rapoport
2021-10-23 17:03 ` Kees Cook
2021-10-23 22:46 ` Matthew Wilcox
2021-10-24 5:37 ` Mike Rapoport
2021-10-24 7:07 ` Dmitry Vyukov
2021-10-24 10:57 ` Matthew Wilcox [this message]
2021-10-24 15:31 ` Mike Rapoport
2021-10-23 12:02 ` syzbot
2021-10-23 22:31 ` syzbot
2021-11-24 13:47 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YXU7/iRjf9v77gon@casper.infradead.org \
--to=willy@infradead.org \
--cc=akpm@linux-foundation.org \
--cc=dvyukov@google.com \
--cc=jordy@pwning.systems \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=rppt@kernel.org \
--cc=syzbot+b904a1de3ec43711eba5@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).