From patchwork Mon Aug 12 16:42:15 2024
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 13760846

From: Jann Horn
Subject: [PATCH 0/2] userfaultfd: fix races around pmd_trans_huge() check
Date: Mon, 12 Aug 2024 18:42:15 +0200
Message-Id: <20240812-uffd-thp-flip-fix-v1-0-4fc1db7ccdd0@google.com>
To: Andrew Morton , Pavel Emelyanov , Andrea Arcangeli , Hugh Dickins
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Jann Horn , stable@vger.kernel.org
X-Mailer: b4 0.15-dev
The pmd_trans_huge() code in mfill_atomic() is wrong in two different
ways depending on kernel version:

1. The pmd_trans_huge() check is racy and can lead to a BUG_ON() (if you
   hit the right two race windows) - I've tested this in a kernel build
   with some extra mdelay() calls. See the commit message for a
   description of the race scenario.
   On older kernels (before 6.5), I think the same bug can even
   theoretically lead to accessing transhuge page contents as a page
   table if you hit the right 5 narrow race windows (I haven't tested
   this case).

2. On newer kernels (>=6.5), for shmem mappings, khugepaged is allowed to
   yank page tables out from under us (though I haven't tested that), so
   I think the BUG_ON() checks in mfill_atomic() are just wrong.

I decided to write two separate fixes for these, so that the first fix
can be backported to kernels affected by the first bug.
Signed-off-by: Jann Horn
---
Jann Horn (2):
      userfaultfd: Fix pmd_trans_huge() recheck race
      userfaultfd: Don't BUG_ON() if khugepaged yanks our page table

 mm/userfaultfd.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
---
base-commit: d4560686726f7a357922f300fc81f5964be8df04
change-id: 20240812-uffd-thp-flip-fix-20f91f1151b9