From: Mike Rapoport <rppt@linux.vnet.ibm.com>
To: Eric Biggers <ebiggers3@gmail.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>,
	syzbot <syzbot+121be635a7a35ddb7dcb@syzkaller.appspotmail.com>,
	linux-mm@kvack.org, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	viro@zeniv.linux.org.uk
Subject: Re: kernel BUG at fs/userfaultfd.c:LINE! (2)
Date: Wed, 18 Jul 2018 10:12:31 +0300	[thread overview]
Message-ID: <20180718071230.GA4302@rapoport-lnx> (raw)
In-Reply-To: <20180717192806.GI75957@gmail.com>

On Tue, Jul 17, 2018 at 12:28:06PM -0700, Eric Biggers wrote:
> [+Cc userfaultfd developers and linux-mm]
> 
> The reproducer hits the BUG_ON() in userfaultfd_release():
> 
> 	BUG_ON(!!vma->vm_userfaultfd_ctx.ctx ^
> 	       !!(vma->vm_flags & (VM_UFFD_MISSING | VM_UFFD_WP)));

Thanks for the CC.

The fix is below.

--
Sincerely yours,
Mike.

From 3711b6a72abe3796b2b97fdba8eadd995b29f195 Mon Sep 17 00:00:00 2001
From: Mike Rapoport <rppt@linux.vnet.ibm.com>
Date: Wed, 18 Jul 2018 09:45:54 +0300
Subject: [PATCH] userfaultfd: remove uffd flags from vma->vm_flags if
 UFFD_EVENT_FORK fails

The fix in commit 0cbb4b4f4c44 ("userfaultfd: clear the
vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails") cleared the
vma->vm_userfaultfd_ctx but kept userfaultfd flags in vma->vm_flags that
were copied from the parent process VMA.

As a result, there is an inconsistency between the values of
vma->vm_userfaultfd_ctx.ctx and vma->vm_flags, which triggers the BUG_ON in
userfaultfd_release().

Clearing the uffd flags from vma->vm_flags in case of UFFD_EVENT_FORK
failure resolves the issue.

Signed-off-by: Mike Rapoport <rppt@linux.vnet.ibm.com>
Reported-by: syzbot+121be635a7a35ddb7dcb@syzkaller.appspotmail.com
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Eric Biggers <ebiggers3@gmail.com>
Cc: stable@vger.kernel.org
---
 fs/userfaultfd.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index 594d192b2331..bad9cea37f12 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -633,8 +633,10 @@ static void userfaultfd_event_wait_completion(struct userfaultfd_ctx *ctx,
 		/* the various vma->vm_userfaultfd_ctx still points to it */
 		down_write(&mm->mmap_sem);
 		for (vma = mm->mmap; vma; vma = vma->vm_next)
-			if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx)
+			if (vma->vm_userfaultfd_ctx.ctx == release_new_ctx) {
 				vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
+				vma->vm_flags &= ~(VM_UFFD_WP | VM_UFFD_MISSING);
+			}
 		up_write(&mm->mmap_sem);
 
 		userfaultfd_ctx_put(release_new_ctx);
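Review bot: the mask cleared on the added line "vma->vm_flags &= ~(VM_UFFD_WP | VM_UFFD_MISSING);" has to stay identical to the one userfaultfd_release() tests in its BUG_ON, "!!(vma->vm_flags & (VM_UFFD_MISSING | VM_UFFD_WP))", and it does here; since both sites spell the mask out as a literal, a single named mask shared by the registration, release and this cleanup path would keep them from drifting apart if another uffd flag is ever introduced. On the commit message: it names commit 0cbb4b4f4c44 as the change being corrected and carries Cc: stable, but has no "Fixes: 0cbb4b4f4c44 (...)" tag; adding one makes the stable backport target explicit for the stable maintainers.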
-- 
2.7.4
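A user-space model of the invariant that the BUG_ON in userfaultfd_release() asserts, added here as an illustration and not part of the original mail or the kernel's code: the flag values, the struct layout and every function name are constructed stand-ins, and the only behaviour it reproduces is the one the commit message describes (clearing the ctx pointer alone leaves a vma that trips the XOR check, clearing ctx and flags together does not).

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed stand-ins for the kernel bits; the values are illustrative, not the kernel's. */
#define VM_UFFD_MISSING 0x200UL
#define VM_UFFD_WP      0x1000UL
#define VM_UFFD_MASK    (VM_UFFD_MISSING | VM_UFFD_WP)

struct uffd_ctx { int id; };
struct vma {
	unsigned long vm_flags;
	struct uffd_ctx *uffd_ctx;   /* stands in for vma->vm_userfaultfd_ctx.ctx */
	struct vma *next;
};

/* The invariant userfaultfd_release() asserts: a vma owns a uffd ctx iff it carries uffd flags. */
static bool uffd_vma_inconsistent(const struct vma *v)
{
	return (!!v->uffd_ctx) ^ (!!(v->vm_flags & VM_UFFD_MASK));
}

/* Cleanup on UFFD_EVENT_FORK failure; 'fixed' selects this patch's version over the pre-fix one. */
static void fork_fail_cleanup(struct vma *head, struct uffd_ctx *release, bool fixed)
{
	for (struct vma *v = head; v; v = v->next) {
		if (v->uffd_ctx != release)
			continue;
		v->uffd_ctx = NULL;               /* commit 0cbb4b4f4c44 did only this */
		if (fixed)
			v->vm_flags &= ~VM_UFFD_MASK; /* this patch also drops the copied flags */
	}
}
/* Walks the vma list as userfaultfd_release() does and returns how many would hit the BUG_ON. */
static int count_bug_on_hits(const struct vma *head)
{
	int n = 0;
	for (const struct vma *v = head; v; v = v->next)
		n += uffd_vma_inconsistent(v);
	return n;
}

/* Scenario: the child inherited two registered vmas; the ctx of the first one fails UFFD_EVENT_FORK. */
static int fork_failure_bug_on_hits(bool fixed)
{
	struct uffd_ctx failed = { 1 }, other = { 2 };
	struct vma b = { VM_UFFD_WP, &other, NULL };
	struct vma a = { VM_UFFD_MISSING, &failed, &b };
	fork_fail_cleanup(&a, &failed, fixed);
	return count_bug_on_hits(&a);
}
```

With the pre-fix cleanup the first vma keeps VM_UFFD_MISSING but no ctx, so the walk reports one hit; with the patched cleanup it reports none, and the vma registered with the unrelated ctx is left untouched in both cases.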
