From patchwork Thu Dec 22 18:12:51 2022
X-Patchwork-Submitter: Catalin Marinas
X-Patchwork-Id: 13080209
From: Catalin Marinas
To: Will Deacon, Seth Jenkins
Cc: Eric Biederman, Kees Cook, Greg Kroah-Hartman, linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org
Subject: [PATCH 3/3] arm64: mte: Avoid the racy walk of the vma list during core dump
Date: Thu, 22 Dec 2022 18:12:51 +0000
Message-Id: <20221222181251.1345752-4-catalin.marinas@arm.com>
In-Reply-To: <20221222181251.1345752-1-catalin.marinas@arm.com>
References: <20221222181251.1345752-1-catalin.marinas@arm.com>

The MTE coredump code in arch/arm64/kernel/elfcore.c iterates over the
vma list without the mmap_lock held. This can race with another process
or userfaultfd concurrently modifying the vma list.

Change the for_each_mte_vma macro and its callers to instead use the vma
snapshot taken by dump_vma_snapshot() and stored in the cprm object.

Fixes: 6dd8b1a0b6cb ("arm64: mte: Dump the MTE tags in the core file")
Cc: # 5.18.x
Signed-off-by: Catalin Marinas
Reported-by: Seth Jenkins
Suggested-by: Seth Jenkins
Cc: Will Deacon
---
 arch/arm64/kernel/elfcore.c | 56 +++++++++++++++++--------------------
 1 file changed, 26 insertions(+), 30 deletions(-)

diff --git a/arch/arm64/kernel/elfcore.c b/arch/arm64/kernel/elfcore.c
index b2388f15223e..662a61e5e75e 100644
--- a/arch/arm64/kernel/elfcore.c
+++ b/arch/arm64/kernel/elfcore.c
@@ -8,28 +8,27 @@ #include #include -#define for_each_mte_vma(vmi, vma) \ +#define for_each_mte_vma(cprm, i, m) \ if (system_supports_mte()) \ - for_each_vma(vmi, vma) \ - if (vma->vm_flags & VM_MTE) + for (i = 0, m = cprm->vma_meta; \ + i < cprm->vma_count; \ + i++, m = cprm->vma_meta + i) \ + if (m->flags & VM_MTE) -static unsigned long mte_vma_tag_dump_size(struct vm_area_struct *vma) +static unsigned long mte_vma_tag_dump_size(struct core_vma_metadata *m) { - if (vma->vm_flags & VM_DONTDUMP) - return 0; - - return vma_pages(vma) * MTE_PAGE_TAG_STORAGE; + return (m->dump_size >> PAGE_SHIFT) * MTE_PAGE_TAG_STORAGE; } /* Derived from dump_user_range(); start/end must be page-aligned */ static int mte_dump_tag_range(struct coredump_params *cprm, - unsigned long start, unsigned long end) + unsigned long start, unsigned long len) { int ret = 1; unsigned long addr; void *tags = NULL; - for (addr = start; addr < end; addr += PAGE_SIZE) { + for (addr = start; addr < start + len; addr += PAGE_SIZE) { struct page *page = get_dump_page(addr); /* @@ -78,11 +77,11 @@ static int mte_dump_tag_range(struct coredump_params *cprm, Elf_Half elf_core_extra_phdrs(struct coredump_params *cprm) { - struct vm_area_struct *vma; + int i; + struct core_vma_metadata *m; int vma_count = 0; - VMA_ITERATOR(vmi, current->mm, 0); - for_each_mte_vma(vmi, vma) + for_each_mte_vma(cprm, i, m) vma_count++; return vma_count; 
@@ -90,18 +89,18 @@ Elf_Half elf_core_extra_phdrs(struct coredump_params *cprm) int elf_core_write_extra_phdrs(struct coredump_params *cprm, loff_t offset) { - struct vm_area_struct *vma; - VMA_ITERATOR(vmi, current->mm, 0); + int i; + struct core_vma_metadata *m; - for_each_mte_vma(vmi, vma) { + for_each_mte_vma(cprm, i, m) { struct elf_phdr phdr; phdr.p_type = PT_AARCH64_MEMTAG_MTE; phdr.p_offset = offset; - phdr.p_vaddr = vma->vm_start; + phdr.p_vaddr = m->start; phdr.p_paddr = 0; - phdr.p_filesz = mte_vma_tag_dump_size(vma); - phdr.p_memsz = vma->vm_end - vma->vm_start; + phdr.p_filesz = mte_vma_tag_dump_size(m); + phdr.p_memsz = m->end - m->start; offset += phdr.p_filesz; phdr.p_flags = 0; phdr.p_align = 0; @@ -115,26 +114,23 @@ int elf_core_write_extra_phdrs(struct coredump_params *cprm, loff_t offset) size_t elf_core_extra_data_size(struct coredump_params *cprm) { - struct vm_area_struct *vma; + int i; + struct core_vma_metadata *m; size_t data_size = 0; - VMA_ITERATOR(vmi, current->mm, 0); - for_each_mte_vma(vmi, vma) - data_size += mte_vma_tag_dump_size(vma); + for_each_mte_vma(cprm, i, m) + data_size += mte_vma_tag_dump_size(m); return data_size; } int elf_core_write_extra_data(struct coredump_params *cprm) { - struct vm_area_struct *vma; - VMA_ITERATOR(vmi, current->mm, 0); - - for_each_mte_vma(vmi, vma) { - if (vma->vm_flags & VM_DONTDUMP) - continue; + int i; + struct core_vma_metadata *m; - if (!mte_dump_tag_range(cprm, vma->vm_start, vma->vm_end)) + for_each_mte_vma(cprm, i, m) { + if (!mte_dump_tag_range(cprm, m->start, m->dump_size)) return 0; }
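Review bot: in the first hunk (@@ -8,28 +8,27 @@) the comment `/* Derived from dump_user_range(); start/end must be page-aligned */` is stale now that the second parameter of mte_dump_tag_range() is `len` rather than `end`; change it to say that start and len must be page-aligned, because the loop `for (addr = start; addr < start + len; addr += PAGE_SIZE)` still steps a page at a time and a len that is not a page multiple would dump tags for the whole last page rather than stopping at start + len. In the same hunk, mte_vma_tag_dump_size() silently loses the VM_DONTDUMP check; a one-line comment that m->dump_size is already 0 for such regions would stop a later reader from re-adding it.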
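Review bot: in elf_core_write_extra_phdrs() (@@ -90,18 +89,18 @@) `phdr.p_filesz = mte_vma_tag_dump_size(m)` is now derived from m->dump_size while `phdr.p_memsz = m->end - m->start` still covers the whole region, so a snapshot entry whose dump_size is smaller than the vma produces a PT_AARCH64_MEMTAG_MTE segment whose tag data is shorter than the memory it describes. That matches how the main data segments are written, but it is new behaviour for this segment type, so the commit message should state that consumers must size the tag data from p_filesz rather than from p_memsz.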
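Review bot: in elf_core_write_extra_data() (@@ -115,26 +114,23 @@) the explicit `if (vma->vm_flags & VM_DONTDUMP) continue;` is dropped and the call becomes `mte_dump_tag_range(cprm, m->start, m->dump_size)`, which skips such regions only because a zero len makes the loop condition `addr < start + len` false on entry and the function returns its initial `ret = 1`. Nothing at this call site says so; add a short comment (or a sentence in the commit message) that the snapshot's dump_size is 0 for VM_DONTDUMP regions and that a zero-length range is a deliberate no-op, so the dependency on dump_vma_snapshot() is visible to the next person touching either side.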