From patchwork Wed Apr 28 18:01:09 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Axel Rasmussen X-Patchwork-Id: 12229891 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-26.3 required=3.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_AGENT_GIT,USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BAED0C433B4 for ; Wed, 28 Apr 2021 18:01:34 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 0CAB460FE8 for ; Wed, 28 Apr 2021 18:01:33 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 0CAB460FE8 Authentication-Results: mail.kernel.org; dmarc=fail (p=reject dis=none) header.from=google.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 5D6266B0070; Wed, 28 Apr 2021 14:01:33 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 586796B0071; Wed, 28 Apr 2021 14:01:33 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 44DE68D0001; Wed, 28 Apr 2021 14:01:33 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0089.hostedemail.com [216.40.44.89]) by kanga.kvack.org (Postfix) with ESMTP id 27E3F6B0070 for ; Wed, 28 Apr 2021 14:01:33 -0400 (EDT) Received: from smtpin08.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay05.hostedemail.com (Postfix) with ESMTP id D3433181AF5C6 for ; Wed, 28 Apr 2021 18:01:32 +0000 (UTC) X-FDA: 78082543224.08.F97EA44 Received: from mail-qk1-f202.google.com (mail-qk1-f202.google.com [209.85.222.202]) by imf04.hostedemail.com (Postfix) with ESMTP id BF8F7782 for ; Wed, 28 Apr 2021 18:01:27 +0000 (UTC) Received: by mail-qk1-f202.google.com with SMTP id l19-20020a37f5130000b02902e3dc23dc92so22130198qkk.15 for ; Wed, 28 Apr 2021 11:01:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:message-id:mime-version:subject:from:to:cc; bh=nf8i5zc/CF74bPP2ccA5udCaSNmHZYeuQlI0W716jnY=; b=HKG1evztST1oyuQsk7u0HTBIeKZoVDWVDIphqea7uW3br0SFbKO8xX4AEbjbA97tg9 bYQ8PYvw0YmkXElXeR0MuH/5Xr9FoyTUUm098WeRi1+9FBNA5NS+tYYvHOOSvYOh6T1V vtpFlhisjl6TuLCxitRSb8aA6A/04ee6TJq1htNwhP/seMTW9XvvzDKPktJeUtppDQT3 onMwRslSMIN0NTInxzBZSu2BEK1VmnQlQjAEAoHGuW8pNPb1D+NZoxJ+rwycstttffjI fz1hjox625joRSOcz4lP/OwLFn3NMieOLouW1rBHqO3Cxy4Jsc9Hgv1m8v1kBfIe4VyL DsHw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=nf8i5zc/CF74bPP2ccA5udCaSNmHZYeuQlI0W716jnY=; b=UqfBHEASVbLy2/XamdW90OIcHhO6KpdlNAiw/Vb+dZmdgpKMFfxRW0jKbkaSPf6GJb Rcvj+H+mmK5Ul/NuLWzDpIULyCqt4RuZjZ/X1nh/FfyEgq7WBoWGjd3PrkqFhI0rlFtR sQaLRiBx6t5cegQXexT1mGtGrvP1O+YN/MiZpTKt1qk5CXjpT6+wehH9H+sGdw1ZLHQ4 eH3FHh5g3P2ZdJdshKcF/BxPa2kT5Dn9k+acKvdVxsISytaOMueO4YQAFYwJGcAFJkYN Yud760wb0TbDA+qkVAO7GQvaIhKbWxxxjFzrxPvEWutSYjQ9KjqBFI9Cotl+jqR3259Q wWug== X-Gm-Message-State: AOAM530emAZSkkxDwDfm5+xY4MQTo52npW7yWFx+cDXXYvuzdwxpAdWH b3gtB7CfrJv0gRIBRBVLvEoZyxA4wZzEAE2rqCm2 X-Google-Smtp-Source: ABdhPJzsD0nTdGceEOL3UE6Ru96fIeoOZ7OkQlhmlKn4qnc+6fUXsrzld5XqhSB5tzg8EnOmjF2eZHL7mAroh2t8RaMJ X-Received: from ajr0.svl.corp.google.com ([2620:15c:2cd:203:ed44:e19a:52ee:e8cc]) (user=axelrasmussen job=sendgmr) by 2002:ad4:54c5:: with SMTP id j5mr23475834qvx.4.1619632890610; Wed, 28 Apr 2021 11:01:30 -0700 (PDT) Date: Wed, 28 Apr 2021 11:01:09 -0700 Message-Id: <20210428180109.293606-1-axelrasmussen@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.31.1.498.g6c1eba8ee3d-goog Subject: [PATCH] userfaultfd: release page in error path to avoid BUG_ON From: Axel Rasmussen To: Andrea Arcangeli , Andrew Morton , Hugh Dickins , Peter Xu Cc: Axel Rasmussen , Lokesh Gidra , linux-mm@kvack.org, linux-kernel@vger.kernel.org X-Rspamd-Queue-Id: BF8F7782 X-Stat-Signature: ycrq49ixhxs9a4jdac75a76j5oa8z6pm X-Rspamd-Server: rspam02 Received-SPF: none (flex--axelrasmussen.bounces.google.com>: No applicable sender policy available) receiver=imf04; identity=mailfrom; envelope-from="<3-qKJYA0KCHEPmTagPhbjhhTcVddVaT.RdbaXcjm-bbZkPRZ.dgV@flex--axelrasmussen.bounces.google.com>"; helo=mail-qk1-f202.google.com; client-ip=209.85.222.202 X-HE-DKIM-Result: pass/pass X-HE-Tag: 1619632887-308950 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Consider the following sequence of events (described from the point of view of the commit that introduced the bug - see "Fixes:" below): 1. Userspace issues a UFFD ioctl, which ends up calling into shmem_mcopy_atomic_pte(). We successfully account the blocks, we shmem_alloc_page(), but then the copy_from_user() fails. We return -EFAULT. We don't release the page we allocated. 2. Our caller detects this error code, tries the copy_from_user() after dropping the mmap_sem, and retries, calling back into shmem_mcopy_atomic_pte(). 3. Meanwhile, let's say another process filled up the tmpfs being used. 4. So shmem_mcopy_atomic_pte() fails to account blocks this time, and immediately returns - without releasing the page. This triggers a BUG_ON in our caller, which asserts that the page should always be consumed, unless -EFAULT is returned. (Later on in the commit history, -EFAULT became -ENOENT, mmap_sem became mmap_lock, and shmem_inode_acct_block() was added.) A malicious user (even an unprivileged one) could trigger this intentionally without too much trouble. To fix this, detect if we have a "dangling" page when accounting fails, and if so, release it before returning. Fixes: cb658a453b93 ("userfaultfd: shmem: avoid leaking blocks and used blocks in UFFDIO_COPY") Reported-by: Hugh Dickins Signed-off-by: Axel Rasmussen --- mm/shmem.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/mm/shmem.c b/mm/shmem.c index 26c76b13ad23..46766c9d7151 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2375,8 +2375,19 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm, pgoff_t offset, max_off; ret = -ENOMEM; - if (!shmem_inode_acct_block(inode, 1)) + if (!shmem_inode_acct_block(inode, 1)) { + /* + * We may have got a page, returned -ENOENT triggering a retry, + * and now we find ourselves with -ENOMEM. Release the page, to + * avoid a BUG_ON in our caller. + */ + if (unlikely(*pagep)) { + unlock_page(*pagep); + put_page(*pagep); + *pagep = NULL; + } goto out; + } if (!*pagep) { page = shmem_alloc_page(gfp, info, pgoff);