From patchwork Thu Nov 16 20:15:45 2023
X-Patchwork-Submitter: Peter Xu
X-Patchwork-Id: 13458259
From: Peter Xu
To: linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc: peterx@redhat.com, Muhammad Usama Anjum, Andrew Morton, David Hildenbrand, Andrei Vagin, syzbot+e94c5aaf7890901ebf9b@syzkaller.appspotmail.com
Subject: [PATCH 1/3] mm/pagemap: Fix ioctl(PAGEMAP_SCAN) on vma check
Date: Thu, 16 Nov 2023 15:15:45 -0500
Message-ID: <20231116201547.536857-2-peterx@redhat.com>
X-Mailer: git-send-email 2.41.0
In-Reply-To: <20231116201547.536857-1-peterx@redhat.com>
References: <20231116201547.536857-1-peterx@redhat.com>

The new ioctl(PAGEMAP_SCAN) relies on the vma wr-protect capability provided by userfault; however, the vma test didn't explicitly require the vma to have the wr-protect function enabled, even if the PM_SCAN_WP_MATCHING flag is set. It means the pagemap code can now apply the uffd-wp bit to a page in the vma even if it is not registered to userfaultfd at all.

Then, in whatever way, as long as the pte got written and the page fault resolved, we'll apply the write bit even if the uffd-wp bit is set. We'll see a pte that has both the UFFD_WP and WRITE bits set. Anything later that looks up the pte for the uffd-wp bit will trigger the warning:

WARNING: CPU: 1 PID: 5071 at arch/x86/include/asm/pgtable.h:403 pte_uffd_wp arch/x86/include/asm/pgtable.h:403 [inline]

Fix it by doing a proper check over the vma attributes when PM_SCAN_WP_MATCHING is specified.
Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
Reported-by: syzbot+e94c5aaf7890901ebf9b@syzkaller.appspotmail.com
Signed-off-by: Peter Xu
Reviewed-by: David Hildenbrand
Reviewed-by: Andrei Vagin
Reviewed-by: Muhammad Usama Anjum
---
 fs/proc/task_mmu.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
index 51e0ec658457..e91085d79926 100644
--- a/fs/proc/task_mmu.c
+++ b/fs/proc/task_mmu.c
@@ -1994,15 +1994,31 @@ static int pagemap_scan_test_walk(unsigned long start, unsigned long end, struct pagemap_scan_private *p = walk->private; struct vm_area_struct *vma = walk->vma; unsigned long vma_category = 0; + bool wp_allowed = userfaultfd_wp_async(vma) && + userfaultfd_wp_use_markers(vma); - if (userfaultfd_wp_async(vma) && userfaultfd_wp_use_markers(vma)) - vma_category |= PAGE_IS_WPALLOWED; - else if (p->arg.flags & PM_SCAN_CHECK_WPASYNC) - return -EPERM; + if (!wp_allowed) { + /* User requested explicit failure over wp-async capability */ + if (p->arg.flags & PM_SCAN_CHECK_WPASYNC) + return -EPERM; + /* + * User requires wr-protect, and allows silently skipping + * unsupported vmas. + */ + if (p->arg.flags & PM_SCAN_WP_MATCHING) + return 1; + /* + * Then the request doesn't involve wr-protects at all, + * fall through to the rest checks, and allow vma walk. + */ + } if (vma->vm_flags & VM_PFNMAP) return 1; + if (wp_allowed) + vma_category |= PAGE_IS_WPALLOWED; + if (vma->vm_flags & VM_SOFTDIRTY) vma_category |= PAGE_IS_SOFT_DIRTY;
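Review bot: the ordering of the two flag tests inside the new `if (!wp_allowed)` block deserves a sentence in the commit message or the PAGEMAP_SCAN uapi documentation: PM_SCAN_CHECK_WPASYNC is checked before PM_SCAN_WP_MATCHING, so a caller passing both gets -EPERM for a vma that is not uffd-wp-async registered, while a caller passing only PM_SCAN_WP_MATCHING has that vma silently skipped (`return 1`) and cannot distinguish a skipped vma from one that simply had no matching pages. Moving the PAGE_IS_WPALLOWED assignment below the VM_PFNMAP check is behaviour-neutral since PFNMAP vmas return early either way, but a short note in the commit message would save the next reader from re-deriving that. Minor wording nit in the last comment: "fall through to the rest checks" reads better as "fall through to the remaining checks".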