From patchwork Wed Apr 28 23:08:58 2021
X-Patchwork-Submitter: Axel Rasmussen
X-Patchwork-Id: 12230217
Date: Wed, 28 Apr 2021 16:08:58 -0700
In-Reply-To: <20210428180109.293606-1-axelrasmussen@google.com>
Message-Id: <20210428230858.348400-1-axelrasmussen@google.com>
References: <20210428180109.293606-1-axelrasmussen@google.com>
X-Mailer: git-send-email 2.31.1.498.g6c1eba8ee3d-goog
Subject: [PATCH v2] userfaultfd: release page in error path to avoid BUG_ON
From: Axel Rasmussen
To: Andrea Arcangeli, Andrew Morton, Hugh Dickins, Peter Xu
Cc: Axel Rasmussen, Lokesh Gidra, linux-mm@kvack.org, linux-kernel@vger.kernel.org

Consider the following sequence of events:

1. Userspace issues a UFFD ioctl, which ends up calling into
   shmem_mfill_atomic_pte(). We successfully account the blocks, we
   shmem_alloc_page(), but then the copy_from_user() fails. We return
   -ENOENT. We don't release the page we allocated.

2. Our caller detects this error code, tries the copy_from_user() after
   dropping the mmap_lock, and retries, calling back into
   shmem_mfill_atomic_pte().

3. Meanwhile, let's say another process filled up the tmpfs being used.

4. So shmem_mfill_atomic_pte() fails to account blocks this time, and
   immediately returns - without releasing the page.

This triggers a BUG_ON in our caller, which asserts that the page should
always be consumed, unless -ENOENT is returned.

To fix this, detect if we have such a "dangling" page when accounting
fails, and if so, release it before returning.

Fixes: cb658a453b93 ("userfaultfd: shmem: avoid leaking blocks and used blocks in UFFDIO_COPY")
Reported-by: Hugh Dickins
Signed-off-by: Axel Rasmussen
Acked-by: Hugh Dickins
Reviewed-by: Peter Xu
---
 mm/shmem.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
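The four-step sequence above hinges on an ownership contract between shmem_mfill_atomic_pte() and its retrying caller: the page in *pagep is consumed on every return except -ENOENT, where it is deliberately kept for the retry. The following is an added C simulation written for this page, not kernel code and not the patch author's; it uses constructed stand-ins for struct page, shmem_inode_acct_block(), copy_from_user() and the caller's retry loop (env, mfill_atomic_pte, mfill_with_retry and the scenario helpers are all hypothetical names), reports a CONTRACT_VIOLATION value where the real caller would hit BUG_ON, and runs the pre-patch and patched behaviour side by side, including the happy path where the retry succeeds.

```c
/* Constructed simulation (not kernel code) of the page-ownership contract
 * between shmem_mfill_atomic_pte() and its retrying caller. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct page { int refcount; };          /* stand-in for struct page */
static int pages_alive;                  /* allocation counter used as a leak detector */

static struct page *alloc_page(void)
{
    struct page *p = calloc(1, sizeof *p);
    p->refcount = 1;
    pages_alive++;
    return p;
}

static void put_page(struct page *p)
{
    if (--p->refcount == 0) { free(p); pages_alive--; }
}

/* Simulated tmpfs/user state for one UFFDIO_COPY (constructed). */
struct env {
    int blocks_free;        /* shmem blocks still available for accounting */
    bool copy_fails_once;   /* first copy_from_user() faults, as in step 1 */
    bool fill_on_retry;     /* another process fills the tmpfs between attempts, as in step 3 */
    struct page *installed; /* page handed to the "page cache" on success */
};

static bool inode_acct_block(struct env *e)
{
    if (e->blocks_free <= 0) return false;
    e->blocks_free--;
    return true;
}

/* Callee, modelled on shmem_mfill_atomic_pte(). Contract: the page in *pagep is
 * consumed on every return except -ENOENT, where it stays in *pagep for the retry.
 * release_on_acct_fail=false is the pre-patch behaviour, true the patched one. */
static int mfill_atomic_pte(struct env *e, struct page **pagep, bool release_on_acct_fail)
{
    if (!inode_acct_block(e)) {
        /* The patch's change: a page left over from an -ENOENT retry is dropped here. */
        if (release_on_acct_fail && *pagep) {
            put_page(*pagep);
            *pagep = NULL;
        }
        return -ENOMEM;
    }
    if (!*pagep) {
        *pagep = alloc_page();
        if (e->copy_fails_once) {
            e->copy_fails_once = false;
            e->blocks_free++;           /* undo the accounting for this attempt */
            return -ENOENT;             /* page stays in *pagep for the retry */
        }
    }
    e->installed = *pagep;              /* success: ownership moves to the mapping */
    *pagep = NULL;
    return 0;
}

#define CONTRACT_VIOLATION 1000  /* where the real caller would hit BUG_ON(page) */

/* Caller, modelled on the UFFD retry loop: retry on -ENOENT with the page we still hold. */
static int mfill_with_retry(struct env *e, bool fixed)
{
    struct page *page = NULL;
    int err;

    for (;;) {
        err = mfill_atomic_pte(e, &page, fixed);
        if (err != -ENOENT) break;
        if (e->fill_on_retry) e->blocks_free = 0;   /* step 3: tmpfs fills up */
        /* the real caller faults the source page in here, then retries */
    }
    /* The real caller asserts the page was consumed; we report instead of crashing
     * (in the violating case the dangling page is intentionally left unreleased). */
    return page ? CONTRACT_VIOLATION : err;
}

/* Runs one scenario and returns the caller's result. */
static int scenario_result(bool fixed, bool fill_on_retry)
{
    struct env e = { .blocks_free = 1, .copy_fails_once = true, .fill_on_retry = fill_on_retry };
    int err = mfill_with_retry(&e, fixed);
    if (e.installed) put_page(e.installed);
    return err;
}

/* Runs one scenario and returns how many pages were left dangling afterwards. */
static int scenario_leaked(bool fixed, bool fill_on_retry)
{
    pages_alive = 0;
    scenario_result(fixed, fill_on_retry);
    return pages_alive;
}

int main(void)
{
    printf("pre-patch, tmpfs fills on retry: result=%d leaked=%d\n",
           scenario_result(false, true), scenario_leaked(false, true));
    printf("patched,   tmpfs fills on retry: result=%d leaked=%d\n",
           scenario_result(true, true), scenario_leaked(true, true));
    printf("patched,   retry succeeds:       result=%d leaked=%d\n",
           scenario_result(true, false), scenario_leaked(true, false));
    return 0;
}
```

The pre-patch run reproduces the report: the retry enters with the page from step 1 still in *pagep, accounting fails, and the page is neither consumed nor released, which is exactly what the caller's assertion catches. The patched run returns -ENOMEM with nothing dangling, and the non-filling run shows the retry reusing the kept page rather than allocating a second one.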
diff --git a/mm/shmem.c b/mm/shmem.c index 26c76b13ad23..8def03d3f32a 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2375,8 +2375,18 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm, pgoff_t offset, max_off; ret = -ENOMEM; - if (!shmem_inode_acct_block(inode, 1)) + if (!shmem_inode_acct_block(inode, 1)) { + /* + * We may have got a page, returned -ENOENT triggering a retry, + * and now we find ourselves with -ENOMEM. Release the page, to + * avoid a BUG_ON in our caller. + */ + if (unlikely(*pagep)) { + put_page(*pagep); + *pagep = NULL; + } goto out; + } if (!*pagep) { page = shmem_alloc_page(gfp, info, pgoff);
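Review bot: the release is added only on the shmem_inode_acct_block() failure branch, but the caller's contract stated in the commit message is that the page is consumed on every return other than -ENOENT, so any other early return in this function that a retry can reach with *pagep still set (the context line declares max_off, suggesting a later bounds check) would trip the same BUG_ON; worth confirming in the same function that no such path remains, or routing all of them through one release label. Clearing *pagep after put_page(*pagep) is the essential half of this hunk, since a further -ENOENT/retry round would otherwise reuse a freed page. Minor: the comment describes one particular history ("returned -ENOENT triggering a retry, and now we find ourselves with -ENOMEM"); stating the invariant instead, e.g. "a page may only be left in *pagep when returning -ENOENT", would tell later editors of the early-return paths what they must preserve.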