From patchwork Fri Jul 6 09:02:17 2018
X-Patchwork-Submitter: Michal Hocko
X-Patchwork-Id: 10511133
Date: Fri, 6 Jul 2018 11:02:17 +0200
From: Michal Hocko
To: Oscar Salvador
Cc: kbuild test robot, kbuild-all@01.org, Zi Yan, Tetsuo Handa, syzbot, akpm@linux-foundation.org, aneesh.kumar@linux.vnet.ibm.com, dan.j.williams@intel.com, kirill.shutemov@linux.intel.com, linux-mm@kvack.org, mst@redhat.com, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk, ying.huang@intel.com
Subject: Re: [PATCH] mm: do not bug_on on incorrect length in __mm_populate
Message-ID: <20180706090217.GI32658@dhcp22.suse.cz>
References: <20180706053545.GD32658@dhcp22.suse.cz> <201807061427.cYcp5ef9%fengguang.wu@intel.com> <20180706082348.GB8235@techadventures.net>
In-Reply-To: <20180706082348.GB8235@techadventures.net>
User-Agent: Mutt/1.10.0 (2018-05-17)

On Fri 06-07-18 10:23:48, Oscar Salvador wrote:
> On Fri, Jul 06, 2018 at 03:50:53PM +0800, kbuild test robot wrote:
> > Hi Michal,
> >
> > I love your patch! Yet something to improve:
> >
> > [auto build test ERROR on linus/master]
> > [also build test ERROR on v4.18-rc3 next-20180705]
> > [if your patch is applied to the wrong git tree, please drop us a note to help improve the system]
> >
> > url:    https://github.com/0day-ci/linux/commits/Michal-Hocko/mm-do-not-bug_on-on-incorrect-lenght-in-__mm_populate/20180706-134850
> > config: x86_64-randconfig-x015-201826 (attached as .config)
> > compiler: gcc-7 (Debian 7.3.0-16) 7.3.0
> > reproduce:
> >         # save the attached .config to linux build tree
> >         make ARCH=x86_64
> >
> > All errors (new ones prefixed by >>):
> >
> >    mm/mmap.c: In function 'do_brk_flags':
> > >> mm/mmap.c:2936:16: error: 'len' redeclared as different kind of symbol
> >       unsigned long len;
> >                     ^~~
> >    mm/mmap.c:2932:59: note: previous definition of 'len' was here
> >     static int do_brk_flags(unsigned long addr, unsigned long len, unsigned long flags, struct list_head *uf)
>
> Somehow I missed that.
> Maybe some remains from yesterday.
>
> The local variable "len" must be dropped.

Of course. This is what it looks like when you post patches in a hurry before leaving. Mea culpa. Sorry about that.

Refreshed

From a845417a45a873585b04bbeb9a27b43883c4008f Mon Sep 17 00:00:00 2001
From: Michal Hocko
Date: Wed, 4 Jul 2018 15:16:54 +0200
Subject: [PATCH] mm: do not bug_on on incorrect length in __mm_populate

syzbot has noticed that a specially crafted library can easily hit
VM_BUG_ON in __mm_populate

localhost login: [   81.210241] emacs (9634) used greatest stack depth: 10416 bytes left
[  140.099935] ------------[ cut here ]------------
[  140.101904] kernel BUG at mm/gup.c:1242!
[  140.103572] invalid opcode: 0000 [#1] SMP
[  140.105220] CPU: 2 PID: 9667 Comm: a.out Not tainted 4.18.0-rc3 #644
[  140.107762] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 05/19/2017
[  140.112000] RIP: 0010:__mm_populate+0x1e2/0x1f0
[  140.113875] Code: 55 d0 65 48 33 14 25 28 00 00 00 89 d8 75 21 48 83 c4 20 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 75 18 f1 ff 0f 0b e8 6e 18 f1 ff <0f> 0b 31 db eb c9 e8 93 06 e0 ff 0f 1f 00 55 48 89 e5 53 48 89 fb
[  140.121403] RSP: 0018:ffffc90000dffd78 EFLAGS: 00010293
[  140.123516] RAX: ffff8801366c63c0 RBX: 000000007bf81000 RCX: ffffffff813e4ee2
[  140.126352] RDX: 0000000000000000 RSI: 0000000000007676 RDI: 000000007bf81000
[  140.129236] RBP: ffffc90000dffdc0 R08: 0000000000000000 R09: 0000000000000000
[  140.132110] R10: ffff880135895c80 R11: 0000000000000000 R12: 0000000000007676
[  140.134955] R13: 0000000000008000 R14: 0000000000000000 R15: 0000000000007676
[  140.137785] FS:  0000000000000000(0000) GS:ffff88013a680000(0063) knlGS:00000000f7db9700
[  140.140998] CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
[  140.143303] CR2: 00000000f7ea56e0 CR3: 0000000134674004 CR4: 00000000000606e0
[  140.145906] Call Trace:
[  140.146728]  vm_brk_flags+0xc3/0x100
[  140.147830]  vm_brk+0x1f/0x30
[  140.148714]  load_elf_library+0x281/0x2e0
[  140.149875]  __ia32_sys_uselib+0x170/0x1e0
[  140.151028]  ? copy_overflow+0x30/0x30
[  140.152105]  ? __ia32_sys_uselib+0x170/0x1e0
[  140.153301]  do_fast_syscall_32+0xca/0x420
[  140.154455]  entry_SYSENTER_compat+0x70/0x7f

The reason is that the length of the new brk is not page aligned when we
try to populate it. There is no reason to bug on that though.
do_brk_flags already aligns the length properly so the mapping is
expanded as it should. All we need is to tell mm_populate about it.
Besides that there is absolutely no reason to bug_on in the first
place. The worst thing that could happen is that the last page wouldn't
get populated and that is far from putting the system into an
inconsistent state.

Fix the issue by moving the length sanitization code from do_brk_flags
up to vm_brk_flags. The only other caller of do_brk_flags is brk
syscall entry and it makes sure to provide the proper length so there
is no need for sanitation and so we can use do_brk_flags without it.

Also remove the bogus BUG_ONs.

Reported-by: syzbot
[osalvador: fix up vm_brk_flags s@request@len@]
Tested-by: Tetsuo Handa
Cc: stable
Signed-off-by: Michal Hocko
---
 mm/gup.c  |  2 --
 mm/mmap.c | 29 ++++++++++++-----------------
 2 files changed, 12 insertions(+), 19 deletions(-)

diff --git a/mm/gup.c b/mm/gup.c index b70d7ba7cc13..fc5f98069f4e 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -1238,8 +1238,6 @@ int __mm_populate(unsigned long start, unsigned long len, int ignore_errors) int locked = 0; long ret = 0; - VM_BUG_ON(start & ~PAGE_MASK); - VM_BUG_ON(len != PAGE_ALIGN(len)); end = start + len; for (nstart = start; nstart < end; nstart = nend) {
diff --git a/mm/mmap.c b/mm/mmap.c index d1eb87ef4b1a..5801b5f0a634 100644 --- a/mm/mmap.c +++ b/mm/mmap.c
@@ -186,8 +186,8 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma) return next; } -static int do_brk(unsigned long addr, unsigned long len, struct list_head *uf); - +static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long flags, + struct list_head *uf); SYSCALL_DEFINE1(brk, unsigned long, brk) { unsigned long retval; @@ -245,7 +245,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) goto out; /* Ok, looks good - let it rip. */ - if (do_brk(oldbrk, newbrk-oldbrk, &uf) < 0) + if (do_brk_flags(oldbrk, newbrk-oldbrk, 0, &uf) < 0) goto out; set_brk: @@ -2929,21 +2929,14 @@ static inline void verify_mm_writelocked(struct mm_struct *mm) * anonymous maps. eventually we may be able to do some * brk-specific accounting here. */ -static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long flags, struct list_head *uf) +static int do_brk_flags(unsigned long addr, unsigned long len, unsigned long flags, struct list_head *uf) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma, *prev; - unsigned long len; struct rb_node **rb_link, *rb_parent; pgoff_t pgoff = addr >> PAGE_SHIFT; int error; - len = PAGE_ALIGN(request); - if (len < request) - return -ENOMEM; - if (!len) - return 0; - /* Until we need other flags, refuse anything except VM_EXEC. */ if ((flags & (~VM_EXEC)) != 0) return -EINVAL; 
@@ -3015,18 +3008,20 @@ static int do_brk_flags(unsigned long addr, unsigned long request, unsigned long return 0; } -static int do_brk(unsigned long addr, unsigned long len, struct list_head *uf) -{ - return do_brk_flags(addr, len, 0, uf); -} - -int vm_brk_flags(unsigned long addr, unsigned long len, unsigned long flags) +int vm_brk_flags(unsigned long addr, unsigned long request, unsigned long flags) { struct mm_struct *mm = current->mm; + unsigned long len; int ret; bool populate; LIST_HEAD(uf); + len = PAGE_ALIGN(request); + if (len < request) + return -ENOMEM; + if (!len) + return 0; + if (down_write_killable(&mm->mmap_sem)) return -EINTR;
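Review bot: the mm/gup.c hunk removes `VM_BUG_ON(start & ~PAGE_MASK)` along with the length assertion, but the changelog only argues that an unaligned `len` is harmless; an unaligned `start` is a separate caller bug and nothing in the message says what happens to the walk that begins at `end = start + len;` in that case. Either keep the `start` check, downgrade both to `VM_WARN_ON_ONCE()` so misuse is still reported without taking the box down, or add a sentence to the changelog justifying the removal. With both assertions gone, a short comment above `end = start + len;` saying that callers are expected to pass page-aligned values would preserve the contract the assertions used to document.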
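Review bot: in the @@ -186 hunk the new forward declaration names the second parameter `request` while the definition in the @@ -2929 hunk renames it to `len`, and `request` is precisely the name this patch retires from do_brk_flags(); keep the prototype in sync, `static int do_brk_flags(unsigned long addr, unsigned long len, unsigned long flags, struct list_head *uf);`, so the declaration does not suggest the function still accepts an unaligned request. The hunk also deletes the blank line that separated the prototype from `SYSCALL_DEFINE1(brk, unsigned long, brk)`; restore it.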
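Review bot: after this series do_brk_flags() no longer aligns or range-checks its length, so the correctness of `do_brk_flags(oldbrk, newbrk-oldbrk, 0, &uf)` in the @@ -245 hunk rests entirely on `oldbrk` and `newbrk` being page-aligned before this point. The changelog says the brk syscall entry guarantees that, but nothing at the call site does; a one-line comment above the call stating that both ends are already page aligned would stop the next reader from treating the missing sanitisation as an oversight. Since the line is being touched anyway, `newbrk - oldbrk` with spaces around the operator is the checkpatch-clean spelling.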
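Review bot: the @@ -2929 hunk removes the `if (!len) return 0;` early return together with the alignment, so do_brk_flags() will now attempt a zero-length expansion if any caller hands it one; vm_brk_flags() regains that guard further down, but nothing visible in this patch covers the brk syscall path. The comment block directly above ("anonymous maps. eventually we may be able to do some brk-specific accounting here.") should state the new contract, that `len` must already be page aligned and non-zero, or alternatively a `VM_WARN_ON_ONCE(len & ~PAGE_MASK)` at the top of the function would catch a future caller that forgets without reintroducing the BUG_ON this patch is removing.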
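Review bot: vm_brk_flags() is the right place for the moved sanitisation, but the @@ -3015 hunk is cut off before the rest of the function, and every later use in that body must now take the aligned `len` rather than `request` (the mm_populate call the changelog mentions in particular); that is what the "[osalvador: fix up vm_brk_flags s@request@len@]" tag refers to, and the kbuild error earlier in this thread came from exactly such a leftover, so the remaining lines of the function deserve a second look. Returning 0 for an empty request before taking mmap_sem keeps the old behaviour, and the `-ENOMEM` on wrap-around is now reported from vm_brk_flags() instead of do_brk_flags(), which is unchanged for the only callers able to supply an arbitrary length.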
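The changelog above describes the mechanism in prose: the brk length handed down from load_elf_library() is not a page multiple, the old assertions in __mm_populate() fire on it, and the fix is to align (with an overflow check) before the populate call rather than after. The following is a user-space model of that arithmetic, added here as an example; it is not code from the patch, the kernel, or anyone in the thread. It writes out PAGE_ALIGN() the way the kernel defines it for a 4 KiB page, evaluates the two assertions the mm/gup.c hunk deletes, and shows why the `len < request` comparison in the moved block catches wrap-around. The sample values 0x7bf81000 and 0x7676 are the RBX and RSI/R12 registers in the oops; reading them as the `start` and unaligned `len` arguments of __mm_populate() is my inference from the dump, not something the thread states. All names ending in `_model` are invented for this example.

```c
/*
 * Added example, not from the patch, the kernel or the thread: a user-space
 * model of the brk length sanitisation that the patch moves from
 * do_brk_flags() into vm_brk_flags().  PAGE_ALIGN() is written out as the
 * kernel defines it, for a 4 KiB page.  The sample addresses come from the
 * oops register dump (RBX = 0x7bf81000, RSI/R12 = 0x7676); treating them
 * as start and len of __mm_populate() is an inference, not a statement
 * from the thread.  All *_model names are made up for this example.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SHIFT    12
#define PAGE_SIZE     (1UL << PAGE_SHIFT)
#define PAGE_MASK     (~(PAGE_SIZE - 1))
#define PAGE_ALIGN(x) (((x) + PAGE_SIZE - 1) & PAGE_MASK)

/* The two assertions the mm/gup.c hunk deletes from __mm_populate(). */
static bool old_populate_precondition(unsigned long start, unsigned long len)
{
	return !(start & ~PAGE_MASK) && len == PAGE_ALIGN(len);
}

/* True when PAGE_ALIGN(request) wrapped past ULONG_MAX; this is the case
 * that "if (len < request) return -ENOMEM;" in the patch rejects. */
static bool brk_request_wraps(unsigned long request)
{
	return PAGE_ALIGN(request) < request;
}

/* Model of __mm_populate()'s walk over [start, start + len): returns the
 * number of pages it would touch.  With an unaligned len the last partial
 * page is still walked, which is the "worst case" the changelog describes. */
static unsigned long populate_pages_model(unsigned long start, unsigned long len)
{
	unsigned long end = start + len, n = 0;

	for (unsigned long p = start & PAGE_MASK; p < end; p += PAGE_SIZE)
		n++;
	return n;
}

/* Model of vm_brk_flags() after the patch: sanitise first, then hand a
 * page-aligned length to the mapping and populate steps.  Returns -ENOMEM
 * on wrap-around, otherwise the number of pages populated. */
static long vm_brk_model(unsigned long addr, unsigned long request)
{
	unsigned long len;

	if (brk_request_wraps(request))
		return -ENOMEM;
	len = PAGE_ALIGN(request);
	if (!len)
		return 0;
	/* do_brk_flags() now trusts its caller: document the contract it
	 * relies on by re-checking the retired assertion here. */
	if (!old_populate_precondition(addr, len))
		return -EINVAL;
	return (long)populate_pages_model(addr, len);
}

int main(void)
{
	const unsigned long start = 0x7bf81000UL;   /* RBX in the oops */
	const unsigned long request = 0x7676UL;     /* RSI/R12 in the oops */

	printf("raw request %#lx: old VM_BUG_ON would %s\n", request,
	       old_populate_precondition(start, request) ? "pass" : "fire");
	printf("PAGE_ALIGN(%#lx) = %#lx -> vm_brk populates %ld pages\n",
	       request, PAGE_ALIGN(request), vm_brk_model(start, request));
	printf("request ULONG_MAX - 10: vm_brk returns %ld (-ENOMEM is %d)\n",
	       vm_brk_model(start, ~0UL - 10), -ENOMEM);
	return 0;
}
```

PAGE_ALIGN(0x7676) is 0x8000, which is also the value sitting in R13 in the oops, consistent with do_brk_flags() having already aligned the length before the unaligned original reached __mm_populate(). The wrap-around case is why the moved block compares the aligned value against the request instead of only testing for zero: a request a few bytes below ULONG_MAX aligns to 0 and would otherwise be treated as an empty, successful brk.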