[v8,00/21] Avoid MAP_FIXED gap exposure

Message ID	20240830040101.822209-1-Liam.Howlett@oracle.com (mailing list archive)
Headers	show Return-Path: <owner-linux-mm@kvack.org> From: "Liam R. Howlett" <Liam.Howlett@oracle.com> To: Andrew Morton <akpm@linux-foundation.org> Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Suren Baghdasaryan <surenb@google.com>, Lorenzo Stoakes <lorenzo.stoakes@oracle.com>, Matthew Wilcox <willy@infradead.org>, Vlastimil Babka <vbabka@suse.cz>, sidhartha.kumar@oracle.com, Bert Karwatzki <spasswolf@web.de>, Jiri Olsa <olsajiri@gmail.com>, Kees Cook <kees@kernel.org>, "Paul E . McKenney" <paulmck@kernel.org>, Jeff Xu <jeffxu@chromium.org>, "Liam R. Howlett" <Liam.Howlett@oracle.com> Subject: [PATCH v8 00/21] Avoid MAP_FIXED gap exposure Date: Fri, 30 Aug 2024 00:00:40 -0400 Message-ID: <20240830040101.822209-1-Liam.Howlett@oracle.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain MIME-Version: 1.0 Sender: owner-linux-mm@kvack.org Precedence: bulk
Series	Avoid MAP_FIXED gap exposure \| expand [v8,00/21] Avoid MAP_FIXED gap exposure [v8,01/21] mm/vma: Correctly position vma_iterator in __split_vma() [v8,02/21] mm/vma: Introduce abort_munmap_vmas() [v8,03/21] mm/vma: Introduce vmi_complete_munmap_vmas() [v8,04/21] mm/vma: Extract the gathering of vmas from do_vmi_align_munmap() [v8,05/21] mm/vma: Introduce vma_munmap_struct for use in munmap operations [v8,06/21] mm/vma: Change munmap to use vma_munmap_struct() for accounting and surrounding vmas [v8,07/21] mm/vma: Extract validate_mm() from vma_complete() [v8,08/21] mm/vma: Inline munmap operation in mmap_region() [v8,09/21] mm/vma: Expand mmap_region() munmap call [v8,10/21] mm/vma: Support vma == NULL in init_vma_munmap() [v8,11/21] mm/mmap: Reposition vma iterator in mmap_region() [v8,12/21] mm/vma: Track start and end for munmap in vma_munmap_struct [v8,13/21] mm: Clean up unmap_region() argument list [v8,14/21] mm/mmap: Avoid zeroing vma tree in mmap_region() [v8,15/21] mm: Change failure of MAP_FIXED to restoring the gap on failure [v8,16/21] mm/mmap: Use PHYS_PFN in mmap_region() [v8,17/21] mm/mmap: Use vms accounted pages in mmap_region() [v8,18/21] ipc/shm, mm: Drop do_vma_munmap() [v8,19/21] mm: Move may_expand_vm() check in mmap_region() [v8,20/21] mm/vma: Drop incorrect comment from vms_gather_munmap_vmas() [v8,21/21] mm/vma.h: Optimise vma_munmap_struct

Message ID

20240830040101.822209-1-Liam.Howlett@oracle.com (mailing list archive)

Headers

From: "Liam R. Howlett" <Liam.Howlett@oracle.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org,
        Suren Baghdasaryan <surenb@google.com>,
        Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
        Matthew Wilcox <willy@infradead.org>,
 Vlastimil Babka <vbabka@suse.cz>,
        sidhartha.kumar@oracle.com, Bert Karwatzki <spasswolf@web.de>,
        Jiri Olsa <olsajiri@gmail.com>, Kees Cook <kees@kernel.org>,
        "Paul E . McKenney" <paulmck@kernel.org>,
        Jeff Xu <jeffxu@chromium.org>,
        "Liam R. Howlett" <Liam.Howlett@oracle.com>
Subject: [PATCH v8 00/21] Avoid MAP_FIXED gap exposure
Date: Fri, 30 Aug 2024 00:00:40 -0400
Message-ID: <20240830040101.822209-1-Liam.Howlett@oracle.com>
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: 
 wGych3WZCi/xX7yzBWk8C8NwtlW2AX1lRfwfvjY9gxhSD+RBaClUfmA7rHst/RBBqX4TbJU6HO7CnxKYXkNjs8g/pvadKxhwxsBlKwvN66AOmnipq7nQHf4OtCEV2ThnD2c1y2cohRlu5GH8Ur1GPVQAblQ/4pzKQg6kXprg0Cn5MNOfPoWkoAGCv6JEWv+n/3BX55a7S8zQ44+OF8IZxCfsqCa+8FWtuox3Yt2rRx3eJFacbzYEWEJyHIYG4aSD1YCPg5M9JPX6T/VJ1BuHaH+ov4cJVBfMN3pP2gLL/iXPUYnX99DRXvW0vmnQ3ZGxd6/Prs64VFXNCIxDgJZeL6Ouzq4rzVEnPNZStNnHC4QgdVKH2tY/tkQaxB6GwNkIyp5OLMtfZQLIX790nhC5cKa31UrVv+WWbKNPj7WMYe+yYQzNdliqhCXjWL1p0j04JVcCz/7Dxu8rcPp63qC0ABSUlWB4kAzjl1nr23J3wiVSJPD4c8qX9E0T9I+omegvjyt2crVXD+8wRufxFeV3ZTADQ6YGIUkVLA8bay2/r2/IS0KAZU87yHpCRZVCv5yNNBjfNI7mVA0Fu3HIUAAlzlCv0O2Yyni3r6VW0ILLBCyx/gzl7XR5hSvnY6HnxWoxGaOr2vyytbhoPngSyM27by2ihmT1THsZkCK2w9OOi8dpNdUkVbsDZQ/f28PVrp0guRk94WJDU39ba2ToodBjmAzJE7wQ15+CNGvC297ecCenGjwCjiBopinp5FPtPpbpkOjWyw056SYzT8EK+rzznE/sTO3KM8rbBvIUz3Y1N01Q8v4Fu1pFW39pHjQaXAYFFvCibjQlb1X4ff0rOM1lS5iTEeFCchee4dhKTm2aJK0XiZTcgFmS00CAZiH0geKD6ws8CdHZiuATG+JVR0qOhfS7jK44eELTxxJEjgZYYEyNx+ZacVy2PAPoKemMfmZGrEIfoPOxdN78e/adc1uVU4bKyK1VozL9DLMRk1ANnqJtI5/j87waBEvygNvrNyxgFu5wz44XPmG2J4RkfwIOXuC/AjBir1OK2lN+ukXFUJQshNi2DpezAPAR4yLUPasgKm44QYfhMYaiEw/rjk1OvXuoEDAdgC+fE0As8uOuZ2Dbc3NTU/f5uqqK28SP2njzeuuamuGZbWT2D5ttfvWnAY+LcYJCQujZpHooK8Imbs8JYgQSfeVJ6r+FKRNewRhF5FuEsLhg70GmRWV3oJZVfgWysD7yu4Qw+cfsFlGcO34c1k/cAc2ipKPMxGNNUb5FSahg2+L8aHT87fdJDll1lBC5RpaBHcIAqy+/sY4aLV9h3ndNtkhnjjME02g4c6KrxEdJNB2Rx5fs5SbO3w5IdRELjYGUs9vv5oyMEzoWwhi09JNXlP0o/OW9xGOKf6pqB1A/+RWp2x+LOzgYvmnVHcDUYPHJYedQgscFdRmHAUxf33CaNA/XE8cMqXlylIIdzCt2OzopcJt0jrV93QPYwv/f1ts7rbvvdPNconF22rGGQqqP0/LH+hNyEQ5liVmgDl9QKpHDZ0IboY0UIYRwITwIoY5akceajJbGf/dpHhc5fu4nysvHZA7MN835fU99
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-ExternalHop-MessageData-0: 
	aCrKLPwHQ7XBQtV3+wtCcEgZk6XySXKprLsyuS50avWVhNlTWm+0juE3hhuhRwvBC3NnxEsL/mGqsiCks5D7P0Yi5Gg8MW97CKfjwGL0/RHQpOAU6bqJo2A8gEuyXx8iQo0vnjlHMtDUVAmPMjtN1IagkbEFaW8G3dqEV0OJy+UlfJqlPybSOiOTGX8KAQ0XVX3J8MG//OSQ5NWEvSfTmOKwFkkTCN7vJGI9E1v/Ciwt9AnHXS5xd3Dr9Q3uOT5vP8UVH8daho40z4GRHqSEHyhKNBP5uCbM8hdB1ztsQUXAU+EuXdnQ6j4vPjNHglZfVKIh3oLBXQpi4GpUdauKNGFiQETuhlFaERWnzmAySY6r7jK47LmzTHCotSsNuGY8E+x8EUZ7K7nhbOFyyB5iRAqidpYjPgsvjccLjhTzlzsNlKtIZwgjetCjlwrFptqAdCuEOXjKMgvtgmN7hw/cMu1dMBMXAg2H9rdsnnLl9otcYh9bvgSGccz6q4BUGQsImw9VK12JbVUoIbjq1F80aETSfNAAJs3Gmv5kTIPRCdRk+KFagbhE+9AwTqB+Yo886x29qSUdCdfagubdZeZmbL1AXyG+eDD01lHHJwNJZyw=
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 
 88ea3e84-6fc7-49dc-a6bd-08dcc8a85f14
X-MS-Exchange-CrossTenant-AuthSource: DS0PR10MB7933.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Aug 2024 04:01:05.6628
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 
 mQAXk1/PHl+Rsa5htqiJ/FwMp2ZGJVhjjIFkHGRfrZYKw+NNCbQDVg2JadD/fO/Yt3QKvFWXaerX/Rw2YNVFQg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CYXPR10MB7949
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16
 definitions=2024-08-30_02,2024-08-29_02,2024-05-17_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0
 spamscore=0 suspectscore=0
 mlxlogscore=999 malwarescore=0 bulkscore=0 phishscore=0 mlxscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2407110000
 definitions=main-2408300028
X-Proofpoint-GUID: qcw__-AfEBcpGPNXlgcAYpJlU30m9sJg
X-Proofpoint-ORIG-GUID: qcw__-AfEBcpGPNXlgcAYpJlU30m9sJg
X-Rspam-User: 
X-Stat-Signature: ptx9ghq6iupdijo3im4h3iyopx5n3d8c
X-Rspamd-Queue-Id: 73BF11A000C
X-Rspamd-Server: rspam11
X-HE-Tag: 1724990481-216978
X-HE-Meta: 
 U2FsdGVkX18lWvNnDPNe9wDblrR4CGxR2hUWyrva6OCPwqrpmdytaqn1AWmI5Sst+iYX6uzsTqIUJDpXS2Xd4idBohJc62duYpymrON+mU57vho728vb0AKcycj8ah5GSa5rSLD8amG45oPVq2va9whmyD2meVq5DGEIsNQ8AOk3AfI34IcLp0GtviHz29vJhiA9mRqV2OIrsEMGNNZymVrWgWlz25JTm7gkj+9VchRYe274EanYMvsPUBcIWaB63qZoam2fUyUdTg6TLuZWMS5XCn7s4kW9jtVDkzmwmTzV+U+v330q8pA0jBixbBJT5yEFgNKaDXVhXylALfQe3DvXHpy2lJf0F6KvTN7Zm5UreVvqbawp8AHtYxMXhkMvtNyCH//1vhO2TiDSh20ngeigxINKp8FYFoiuoORhryNC0aiYLFjYsOPAC+DTv41weaUfJFdGk83wEZNvk+cNdhJr+YGuOWfIPMdsFM1mU10xKnIdMkHPLGoV5Ab+ktaXNzuZ0vgbX1WoIYA2KfaE/E+PfIW9QDQlmADQkMEsY+C+Yhn5c00DOhh3Vn5mGnGAyuPhYqbO6XsyzznN+SG57+j1UWvgPcXEZAKdnDVj39EeftmIyHIvxACFTyH+sO8LDjNFPHfQtzIaagiifQwtQmlLmkQz5vDWi2uBgBIqAQmrmzK4s4e2OViIwOSlY62TXdz2mHnz+1gHAY8XYBvXXEqAoa5Ei+4RP/98QubTsndc7eOlUFtadtpU73IorFuMzxbcB0ukJlbx17j5+xeoDu+zrVVn1vtwIpwJCtxnQallxDRs43Hv7o6EcbqlQQ9PCpw0yjiOhQYFefAxMBsbaU6UpCIYlPwgQv6HLUNFkn3KSIi4oVaInER81yKQmrEzMxTuliGQDTjBRLsnklabxo2ikFem9O8wrtWJ3qK7XAnSP21lBhXCH5cXwN3skmWcA5as7sp5UhBQk5wP6cm
 g93slVC1
 /ihEGDmCzTSpGMMLa5NQ1qiwV8ygBsu9wXWNZEagoLbjcu+wL3qKyGUxN1fWeoRErtLB3jfV9TADRhiNRzAcIpwsPbu46dz3222EDrIVYicV9LRKJZljA+lCDIkt4hbmqeQaAW1sw5IrlWWOIgUAOCqI4sCt1CDVFZ1ZxIx2Z7iIOg4PSfntvEzcgrueV3o3CMBpaCY9W6qRUx1vwQkkTMfWqiyZDf0/dDcxuKC/d7A6MZvT+711jtcj30S+n+p73bj9Q9EDnfd1njeK9xi7OCuoFtLVeE7kDsXyBpQPhqvQ55/fLsVzpMiX4TH2aM17ZqJ+vEMap5750IYJ/6tLsjvFNrt7/cTwHUz3zLjA9mSXEoGAHk8Q88xLRGQJ7Ny7d9pAsC4ASXcnQG8eYzCtvG4snFeC5Adz7FN88+yNthwZ49xB8vNRi4BLfem2RwpHOGjIMVPYtrOyLcTRfUlNzrzsOAGm89XBu7LLrU+u5Hj+WgKX/xfgM4xH778IFKeXO/RtlQGc15ko8QoABgmsX9Bp9KM/ctKveQ2R+aeYCKVUBiFC526lHswqao/FVPZOolqfYdM++31LYlcY=
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

Series

Avoid MAP_FIXED gap exposure | expand

Message

Liam R. Howlett Aug. 30, 2024, 4 a.m. UTC

It is now possible to walk the vma tree using the rcu read locks and is
beneficial to do so to reduce lock contention.  Doing so while a
MAP_FIXED mapping is executing means that a reader may see a gap in the
vma tree that should never logically exist - and does not when using the
mmap lock in read mode.  The temporal gap exists because mmap_region()
calls munmap() prior to installing the new mapping.

This patch set stops rcu readers from seeing the temporal gap by
splitting up the munmap() function into two parts.  The first part
prepares the vma tree for modifications by doing the necessary splits
and tracks the vmas marked for removal in a side tree.  The second part
completes the munmapping of the vmas after the vma tree has been
overwritten (either by a MAP_FIXED replacement vma or by a NULL in the
munmap() case).

Please note that rcu walkers will still be able to see a temporary state
of split vmas that may be in the process of being removed, but the
temporal gap will not be exposed.  vma_start_write() are called on both
parts of the split vma, so this state is detectable.

If existing vmas have a vm_ops->close(), then they will be called prior
to mapping the new vmas (and ptes are cleared out).  Without calling
->close(), hugetlbfs tests fail (hugemmap06 specifically) due to
resources still being marked as 'busy'.  Unfortunately, calling the
corresponding ->open() may not restore the state of the vmas, so it is
safer to keep the existing failure scenario where a gap is inserted and
never replaced.  The failure scenario is in its own patch (0015) for
traceability.

RFC: https://lore.kernel.org/linux-mm/20240531163217.1584450-1-Liam.Howlett@oracle.com/
v1: https://lore.kernel.org/linux-mm/20240611180200.711239-1-Liam.Howlett@oracle.com/
v2: https://lore.kernel.org/all/20240625191145.3382793-1-Liam.Howlett@oracle.com/
v3: https://lore.kernel.org/linux-mm/20240704182718.2653918-1-Liam.Howlett@oracle.com/
v4: https://lore.kernel.org/linux-mm/20240710192250.4114783-1-Liam.Howlett@oracle.com/
v5: https://lore.kernel.org/linux-mm/20240717200709.1552558-1-Liam.Howlett@oracle.com/
v6: https://lore.kernel.org/all/20240820235730.2852400-1-Liam.Howlett@oracle.com/
v7: https://lore.kernel.org/all/20240822192543.3359552-1-Liam.Howlett@oracle.com/

Changes since v7:

This is all the patches I've sent for v7 fixups plus the return code for
mseal().  The incorrect return code was introduced in an earlier patch
and then modified (still incorrectly) later, so this version will
hopefully bisect cleanly.

- Fixed return type of vms_gather_munmap_vmas() to -ENOMEM or -EPERM
- Passed through error returned from vms_gather_munmap_vmas() in
  mmap_region() - Thanks Jeff
- Added review tag on last patch - Thanks Lorenzo
- Added #ifdef CONFIG_MMU to vma.h where necessary - Thanks Lorenzo,
  Bert, and Geert
- Fix null pointer dereference in vms_abort_munmap_vmas() - Thanks Dan

Liam R. Howlett (21):
  mm/vma: Correctly position vma_iterator in __split_vma()
  mm/vma: Introduce abort_munmap_vmas()
  mm/vma: Introduce vmi_complete_munmap_vmas()
  mm/vma: Extract the gathering of vmas from do_vmi_align_munmap()
  mm/vma: Introduce vma_munmap_struct for use in munmap operations
  mm/vma: Change munmap to use vma_munmap_struct() for accounting and
    surrounding vmas
  mm/vma: Extract validate_mm() from vma_complete()
  mm/vma: Inline munmap operation in mmap_region()
  mm/vma: Expand mmap_region() munmap call
  mm/vma: Support vma == NULL in init_vma_munmap()
  mm/mmap: Reposition vma iterator in mmap_region()
  mm/vma: Track start and end for munmap in vma_munmap_struct
  mm: Clean up unmap_region() argument list
  mm/mmap: Avoid zeroing vma tree in mmap_region()
  mm: Change failure of MAP_FIXED to restoring the gap on failure
  mm/mmap: Use PHYS_PFN in mmap_region()
  mm/mmap: Use vms accounted pages in mmap_region()
  ipc/shm, mm: Drop do_vma_munmap()
  mm: Move may_expand_vm() check in mmap_region()
  mm/vma: Drop incorrect comment from vms_gather_munmap_vmas()
  mm/vma.h: Optimise vma_munmap_struct

 include/linux/mm.h |   6 +-
 ipc/shm.c          |   8 +-
 mm/mmap.c          | 140 +++++++++---------
 mm/vma.c           | 362 +++++++++++++++++++++++++++------------------
 mm/vma.h           | 168 ++++++++++++++++++---
 5 files changed, 434 insertions(+), 250 deletions(-)

Comments

Jeff Xu Aug. 30, 2024, 4:05 p.m. UTC | #1

Hi Liam

On Thu, Aug 29, 2024 at 9:01 PM Liam R. Howlett <Liam.Howlett@oracle.com> wrote:
>
> Changes since v7:
>
> This is all the patches I've sent for v7 fixups plus the return code for
> mseal().  The incorrect return code was introduced in an earlier patch
> and then modified (still incorrectly) later, so this version will
> hopefully bisect cleanly.
>
> - Fixed return type of vms_gather_munmap_vmas() to -ENOMEM or -EPERM
> - Passed through error returned from vms_gather_munmap_vmas() in
>   mmap_region() - Thanks Jeff

I would think it is cleaner to fix the original commit directly
instead of as part of a large patch series, no ?  If not possible,
maybe mm-unstable should apply my fix first then you can refactor
based on that ?

-Jeff

Liam R. Howlett Aug. 30, 2024, 5:07 p.m. UTC | #2

* Jeff Xu <jeffxu@chromium.org> [240830 12:06]:
> Hi Liam
> 
> On Thu, Aug 29, 2024 at 9:01 PM Liam R. Howlett <Liam.Howlett@oracle.com> wrote:
> >
> > Changes since v7:
> >
> > This is all the patches I've sent for v7 fixups plus the return code for
> > mseal().  The incorrect return code was introduced in an earlier patch
> > and then modified (still incorrectly) later, so this version will
> > hopefully bisect cleanly.
> >
> > - Fixed return type of vms_gather_munmap_vmas() to -ENOMEM or -EPERM
> > - Passed through error returned from vms_gather_munmap_vmas() in
> >   mmap_region() - Thanks Jeff
> 
> I would think it is cleaner to fix the original commit directly
> instead of as part of a large patch series, no ?  If not possible,
> maybe mm-unstable should apply my fix first then you can refactor
> based on that ?

No, it is not.  These patches are not up stream, so the fixes line will
be stale before it is even available.  No one is affected except the
mm-unstable branch and linux-next.  Patches to commits that are not
upstream can change, and almost always do with fixes like this.

What I have done here is to fix the series so that each patch will keep
passing the mseal() tests.  That way, if there is an issue with mseal(),
it can be git bisected to find the problem without finding a fixed
problem.

If your fix was put into mm-unstable, all linux-next branches would have
an intermittent bug present on bisection, and waiting to respin the
patches means they miss out on testing time.

This is why we squash fixes into patches during development, or ask akpm
to do so by replying to the broken patch.  Andrew prefers not resending
large patch sets because something may be missed, so for smaller changes
they are sent with a request to squash them on his side.

In this case, there would have been 3 or 4 patches that needed to be
updated (two changed, two with merge issues I believe), so I sent a v8
because the alternative would have been confusing.

Thanks,
Liam