From patchwork Wed Jul 4 12:11:07 2018
X-Patchwork-Submitter: Michal Hocko
X-Patchwork-Id: 10506735
Date: Wed, 4 Jul 2018 14:11:07 +0200
From: Michal Hocko
To: Zi Yan
Cc: Tetsuo Handa, syzbot, akpm@linux-foundation.org, aneesh.kumar@linux.vnet.ibm.com, dan.j.williams@intel.com, kirill.shutemov@linux.intel.com, linux-mm@kvack.org, mst@redhat.com, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk, ying.huang@intel.com
Subject: Re: kernel BUG at mm/gup.c:LINE!
Message-ID: <20180704121107.GL22503@dhcp22.suse.cz>
References: <000000000000fe4b15057024bacd@google.com> <20180704111731.GJ22503@dhcp22.suse.cz>
In-Reply-To:
User-Agent: Mutt/1.10.0 (2018-05-17)

On Wed 04-07-18 07:48:27, Zi Yan wrote:
> On 4 Jul 2018, at 7:17, Michal Hocko wrote:
>
> > On Wed 04-07-18 19:01:51, Tetsuo Handa wrote:
> >> +Michal Hocko
> >>
> >> On 2018/07/04 13:19, syzbot wrote:
> >>> Hello,
> >>>
> >>> syzbot found the following crash on:
> >>>
> >>> HEAD commit:    d3bc0e67f852 Merge tag 'for-4.18-rc2-tag' of git://git.ker..
> >>> git tree:       upstream
> >>> console output: https://syzkaller.appspot.com/x/log.txt?x=1000077c400000
> >>> kernel config:  https://syzkaller.appspot.com/x/.config?x=a63be0c83e84d370
> >>> dashboard link: https://syzkaller.appspot.com/bug?extid=5dcb560fe12aa5091c06
> >>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> >>> userspace arch: i386
> >>> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=158577a2400000
> >>
> >> Here is a C reproducer made from the syz reproducer. mlockall(MCL_FUTURE) is involved.
> >>
> >> This problem is triggerable by an unprivileged user.
> >> It shows different results on x86_64 (crash) and x86_32 (stall).
> >>
> >> ------------------------------------------------------------
> >> /* Need to compile using "-m32" option if host is 64bit. */
> >> #include <sys/types.h>
> >> #include <sys/stat.h>
> >> #include <sys/mman.h>
> >> #include <fcntl.h>
> >> #include <unistd.h>
> >> int uselib(const char *library);
> >>
> >> int main(int argc, char *argv[])
> >> {
> >> 	int fd = open("file", O_WRONLY | O_CREAT, 0644);
> >> 	write(fd, "\x7f\x45\x4c\x46\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02"
> >> 	    "\x00\x06\x00\xca\x3f\x8b\xca\x00\x00\x00\x00\x38\x00\x00\x00\x00\x00"
> >> 	    "\x00\xf7\xff\xff\xff\xff\xff\xff\x1f\x00\x02\x00\x00\x00\x00\x00\x00"
> >> 	    "\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf8\x7b"
> >> 	    "\x66\xff\x00\x00\x05\x00\x00\x00\x76\x86\x00\x00\x00\x00\x00\x00\x00"
> >> 	    "\x00\x00\x00\x31\x0f\xf3\xee\xc1\xb0\x00\x0c\x08\x53\x55\xbe\x88\x47"
> >> 	    "\xc2\x2e\x30\xf5\x62\x82\xc6\x2c\x95\x72\x3f\x06\x8f\xe4\x2d\x27\x96"
> >> 	    "\xcc", 120);
> >> 	fchmod(fd, 0755);
> >> 	close(fd);
> >> 	mlockall(MCL_FUTURE); /* Removing this line avoids the bug. */
> >> 	uselib("file");
> >> 	return 0;
> >> }
> >> ------------------------------------------------------------
> >>
> >> ------------------------------------------------------------
> >> CentOS Linux 7 (Core)
> >> Kernel 4.18.0-rc3 on an x86_64
> >>
> >> localhost login: [   81.210241] emacs (9634) used greatest stack depth: 10416 bytes left
> >> [  140.099935] ------------[ cut here ]------------
> >> [  140.101904] kernel BUG at mm/gup.c:1242!
> >
> > Is this
> > 	VM_BUG_ON(len != PAGE_ALIGN(len));
> > in __mm_populate? I do not really get why we should VM_BUG_ON when the
> > len is not page aligned to be honest. The library is probably containing
> > some funky setup but if we simply cannot round up to the next PAGE_SIZE
> > boundary then we should probably just error out and fail. This is an
> > area I am really familiar with so I cannot really judge.
>
> A strange thing is that __mm_populate() is only called by do_mlock() from mm/mlock.c,
> which makes len PAGE_ALIGN already. That VM_BUG_ON should not be triggered.

Not really.
vm_brk_flags does call mm_populate for mlocked brk which is the case for mlockall. I do not see any len sanitization in that path. Well do_brk_flags does the roundup. I think we should simply remove the bug on and round up there. mm_populate is an internal API and we should trust our callers. Anyway, the minimum fix seems to be the following (untested): diff --git a/mm/mmap.c b/mm/mmap.c index 9859cd4e19b9..56ad19cf2aea 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -186,8 +186,8 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma) return next; } -static int do_brk(unsigned long addr, unsigned long len, struct list_head *uf); - +static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long flags, + struct list_head *uf); SYSCALL_DEFINE1(brk, unsigned long, brk) { unsigned long retval; @@ -245,7 +245,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) goto out; /* Ok, looks good - let it rip. */ - if (do_brk(oldbrk, newbrk-oldbrk, &uf) < 0) + if (do_brk_flags(oldbrk, newbrk-oldbrk, 0, &uf) < 0) goto out; set_brk: @@ -2939,12 +2939,6 @@ static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long pgoff_t pgoff = addr >> PAGE_SHIFT; int error; - len = PAGE_ALIGN(request); - if (len < request) - return -ENOMEM; - if (!len) - return 0; - /* Until we need other flags, refuse anything except VM_EXEC. */ if ((flags & (~VM_EXEC)) != 0) return -EINVAL; 
@@ -3016,18 +3010,20 @@ static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long return 0; } -static int do_brk(unsigned long addr, unsigned long len, struct list_head *uf) -{ - return do_brk_flags(addr, len, 0, uf); -} - -int vm_brk_flags(unsigned long addr, unsigned long len, unsigned long flags) +int vm_brk_flags(unsigned long addr, unsigned long request, unsigned long flags) { struct mm_struct *mm = current->mm; + unsigned long len; int ret; bool populate; LIST_HEAD(uf); + len = PAGE_ALIGN(request); + if (len < request) + return -ENOMEM; + if (!len) + return 0; + if (down_write_killable(&mm->mmap_sem)) return -EINTR;
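Review bot: In the do_brk_flags() hunk (@@ -2939,12 +2939,6 @@), removing `len = PAGE_ALIGN(request);` drops the only assignment to the function's local `len` while the hunk header shows the parameter is still named `request`, so the rest of the function, which previously consumed the aligned `len`, now either reads an uninitialized variable or no longer compiles, depending on whether the local declaration above this hunk's context is also dropped. Suggest renaming the parameter to `len` in both the definition and the new forward declaration, e.g. `static int do_brk_flags(unsigned long addr, unsigned long len, unsigned long flags, struct list_head *uf)`, and adding a comment that callers must pass a page-aligned, non-zero length since the function no longer checks it.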
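Review bot: In the SYSCALL_DEFINE1(brk) hunk, the switch to `do_brk_flags(oldbrk, newbrk-oldbrk, 0, &uf)` happens after the alignment, overflow and zero-length checks were taken out of do_brk_flags(), so this call site gets no length validation at all and depends on sys_brk's own handling of `oldbrk`/`newbrk` (not shown in this hunk) to keep the length page-aligned and non-zero. Worth a one-line comment at the call site stating that invariant, or a cheap `VM_WARN_ON(len != PAGE_ALIGN(len))` in do_brk_flags(), so the new contract between the two callers and do_brk_flags() is visible in the code rather than implicit.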
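The root cause Michal points at above is a length that is rounded up in one function but passed unrounded to mm_populate() by its caller. The following is an added user-space model of that invariant, not code from the patch or from the kernel: PAGE_SHIFT is assumed to be 12, the function names `vm_brk_flags_before`, `vm_brk_flags_after` and `mm_populate_model` are model stand-ins, and `MODEL_VM_BUG` replaces the VM_BUG_ON() so the failure becomes a return value instead of a crash. The "before" model aligns inside the inner call and populates with the raw request, as the 4.18-rc3 code did; the "after" model aligns once in the outer function and hands the same aligned length to both steps, as the patch does. It also exercises the overflow check `len < request`, which catches a request whose roundup wraps past zero.

```c
#include <stdio.h>
#include <stdbool.h>
#include <errno.h>
#include <limits.h>

#define PAGE_SHIFT 12UL                         /* assumed: 4 KiB pages */
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define PAGE_MASK  (~(PAGE_SIZE - 1))
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & PAGE_MASK)

/* Stand-in for the VM_BUG_ON(len != PAGE_ALIGN(len)) in __mm_populate():
 * the model reports it as a return value instead of crashing. */
#define MODEL_VM_BUG (-1000)

/* Model of __mm_populate(): only the alignment check is modelled. */
static int mm_populate_model(unsigned long addr, unsigned long len)
{
	(void)addr;
	if (len != PAGE_ALIGN(len))
		return MODEL_VM_BUG;
	return 0;
}

/* Model of the pre-patch path: the inner call rounds the request up and
 * validates it, but the outer function still populates with the raw
 * request, so an unaligned request reaches the check in mm_populate. */
static int vm_brk_flags_before(unsigned long addr, unsigned long request,
			       bool populate)
{
	unsigned long len = PAGE_ALIGN(request);  /* done in do_brk_flags() */

	if (len < request)
		return -ENOMEM;                   /* roundup wrapped past 0 */
	if (!len)
		return 0;
	if (populate)
		return mm_populate_model(addr, request); /* raw request! */
	return 0;
}

/* Model of the patched path: align once, up front, and use the aligned
 * len for both the mapping and the populate step. */
static int vm_brk_flags_after(unsigned long addr, unsigned long request,
			      bool populate)
{
	unsigned long len = PAGE_ALIGN(request);

	if (len < request)
		return -ENOMEM;
	if (!len)
		return 0;
	if (populate)
		return mm_populate_model(addr, len);     /* aligned by construction */
	return 0;
}

int main(void)
{
	/* Constructed inputs: an unaligned length of the kind an ELF
	 * header can request, and a length whose roundup wraps around. */
	unsigned long unaligned = 120UL;
	unsigned long wrapping = ULONG_MAX - 10;

	printf("before, unaligned + mlocked: %d\n",
	       vm_brk_flags_before(0x10000UL, unaligned, true));
	printf("after,  unaligned + mlocked: %d\n",
	       vm_brk_flags_after(0x10000UL, unaligned, true));
	printf("after,  wrapping length:     %d\n",
	       vm_brk_flags_after(0x10000UL, wrapping, true));
	return 0;
}
```

The only difference between the two models is which length reaches the populate step; that is the whole fix, and it is why the patch can remove the duplicated checks from the inner function once the outer one owns them.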