From patchwork Wed Oct 16 15:07:53 2024
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 13838577
From: Jann Horn
Date: Wed, 16 Oct 2024 17:07:53 +0200
Subject: [PATCH fix 6.12] mm: mark mas allocation in vms_abort_munmap_vmas as __GFP_NOFAIL
Message-Id: <20241016-fix-munmap-abort-v1-1-601c94b2240d@google.com>
To: Andrew Morton, "Liam R. Howlett", Lorenzo Stoakes, Vlastimil Babka
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Jann Horn
X-Mailer: b4 0.15-dev

vms_abort_munmap_vmas() is a recovery path where, on entry, some VMAs have already been torn down halfway (in a way we can't undo) but are still present in the maple tree.
At this point, we *must* remove the VMAs from the VMA tree, otherwise we get UAF.

Because removing VMA tree nodes can require memory allocation, the existing code has an error path which tries to handle this by reattaching the VMAs; but that can't be done safely.

A nicer way to fix it would probably be to preallocate enough maple tree nodes for the removal before the point of no return, or something like that; but for now, fix it the easy and kinda ugly way, by marking this allocation __GFP_NOFAIL.

Fixes: 4f87153e82c4 ("mm: change failure of MAP_FIXED to restoring the gap on failure")
Signed-off-by: Jann Horn
Reviewed-by: Liam R. Howlett
Acked-by: Vlastimil Babka
Reviewed-by: Lorenzo Stoakes
---
This can be tested with the following reproducer (on a kernel built with CONFIG_KASAN=y, CONFIG_FAILSLAB=y, CONFIG_FAULT_INJECTION_DEBUG_FS=y, with the reproducer running as root):

```
#define SYSCHK(x) ({          \
  typeof(x) __res = (x);      \
  if (__res == (typeof(x))-1) \
    err(1, "SYSCHK(" #x ")"); \
  __res;                      \
})

static void write_file(char *name, char *buf) {
  int fd = open(name, O_WRONLY);
  if (fd == -1)
    err(1, "unable to open for writing: %s", name);
  if (SYSCHK(write(fd, buf, strlen(buf))) != strlen(buf))
    errx(1, "write %s", name);
  SYSCHK(close(fd));
}

int main(void) {
  // make a large area with a bunch of VMAs
  char *area = SYSCHK(mmap(NULL, AREA_SIZE, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0));
  for (int off=0; off
```

```
 dump_stack_lvl+0x80/0xa0
 should_fail_ex+0x4d3/0x5c0
[...]
 should_failslab+0xc7/0x130
 kmem_cache_alloc_noprof+0x73/0x3a0
[...]
 mas_alloc_nodes+0x3a3/0x690
 mas_nomem+0xaa/0x1d0
 mas_store_gfp+0x515/0xa80
[...]
 mmap_region+0xa96/0x2590
[...]
 do_mmap+0x71e/0xfe0
[...]
 vm_mmap_pgoff+0x17a/0x2f0
[...]
 ksys_mmap_pgoff+0x2ee/0x460
 do_syscall_64+0x68/0x140
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
[...]
mmap: unmap-fail: (607) Unable to abort munmap() operation
==================================================================
BUG: KASAN: slab-use-after-free in dec_usb_memory_use_count+0x365/0x430
Read of size 8 at addr ffff88810e9ba8b8 by task unmap-fail/607

CPU: 3 UID: 0 PID: 607 Comm: unmap-fail Not tainted 6.12.0-rc3-00013-geca631b8fe80 #518
[...]
Call Trace:
 dump_stack_lvl+0x66/0xa0
 print_report+0xce/0x670
[...]
 kasan_report+0xf7/0x130
[...]
 dec_usb_memory_use_count+0x365/0x430
 remove_vma+0x76/0x120
 vms_complete_munmap_vmas+0x447/0x750
 do_vmi_align_munmap+0x4b9/0x700
[...]
 do_vmi_munmap+0x164/0x2e0
 __vm_munmap+0x128/0x2a0
[...]
 __x64_sys_munmap+0x59/0x80
 do_syscall_64+0x68/0x140
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
[...]

Allocated by task 607:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 __kasan_kmalloc+0xaa/0xb0
 usbdev_mmap+0x1a0/0xaf0
 mmap_region+0xf6e/0x2590
 do_mmap+0x71e/0xfe0
 vm_mmap_pgoff+0x17a/0x2f0
 ksys_mmap_pgoff+0x2ee/0x460
 do_syscall_64+0x68/0x140
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 607:
 kasan_save_stack+0x33/0x60
 kasan_save_track+0x14/0x30
 kasan_save_free_info+0x3b/0x60
 __kasan_slab_free+0x4f/0x70
 kfree+0x148/0x450
 vms_clean_up_area+0x188/0x220
 mmap_region+0xf1b/0x2590
 do_mmap+0x71e/0xfe0
 vm_mmap_pgoff+0x17a/0x2f0
 ksys_mmap_pgoff+0x2ee/0x460
 do_syscall_64+0x68/0x140
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
[...]
==================================================================
```
---
 mm/vma.h | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)
---
base-commit: eca631b8fe808748d7585059c4307005ca5c5820
change-id: 20241016-fix-munmap-abort-2330b61332aa

diff --git a/mm/vma.h b/mm/vma.h index 819f994cf727..ebd78f1577f3 100644 --- a/mm/vma.h +++ b/mm/vma.h @@ -241,15 +241,9 @@ static inline void vms_abort_munmap_vmas(struct vma_munmap_struct *vms, * failure method of leaving a gap where the MAP_FIXED mapping failed. */ mas_set_range(mas, vms->start, vms->end - 1); - if (unlikely(mas_store_gfp(mas, NULL, GFP_KERNEL))) { - pr_warn_once("%s: (%d) Unable to abort munmap() operation\n", - current->comm, current->pid); - /* Leaving vmas detached and in-tree may hamper recovery */ - reattach_vmas(mas_detach); - } else { - /* Clean up the insertion of the unfortunate gap */ - vms_complete_munmap_vmas(vms, mas_detach); - } + mas_store_gfp(mas, NULL, GFP_KERNEL|__GFP_NOFAIL); + /* Clean up the insertion of the unfortunate gap */ + vms_complete_munmap_vmas(vms, mas_detach); } int
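Review bot: the new `mas_store_gfp(mas, NULL, GFP_KERNEL|__GFP_NOFAIL);` line should carry a comment stating why failure cannot be handled at this point, because the removed `if (unlikely(mas_store_gfp(...)))` branch with its `pr_warn_once` and `reattach_vmas(mas_detach)` documented the old intent in the code itself, and the replacement silently discards the return value with nothing left in mm/vma.h to explain the __GFP_NOFAIL. The justification is already in the commit message (the VMAs "have already been torn down halfway (in a way we can't undo)" and reattaching them "can't be done safely"), as is the intended longer-term fix (preallocating the maple tree nodes before the point of no return); a two-line comment above the call, e.g. `/* VMAs are already partially torn down and cannot be reattached, so this removal must not fail. */`, would keep that reasoning next to the code. Making the `vms_complete_munmap_vmas(vms, mas_detach);` call unconditional is consistent with that.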