From patchwork Sun Apr 30 15:07:07 2023
From: Lorenzo Stoakes
To: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrew Morton
Cc: "Liam R . Howlett", oliver.sang@intel.com, Mel Gorman, stable@vger.kernel.org, Lorenzo Stoakes
Subject: [PATCH v2] mm/mempolicy: Correctly update prev when policy is equal on mbind
Date: Sun, 30 Apr 2023 16:07:07 +0100
Message-Id: <83f1d612acb519d777bebf7f3359317c4e7f4265.1682866629.git.lstoakes@gmail.com>
X-Mailer: git-send-email 2.40.1

The refactoring in commit f4e9e0e69468 ("mm/mempolicy: fix use-after-free of VMA iterator") introduces a subtle bug which arises when attempting to apply a new NUMA policy across a range of VMAs in mbind_range().

The refactoring passes a **prev pointer to keep track of the previous VMA in order to reduce duplication, and in all but one case it keeps this correctly updated.

The bug arises when a VMA within the specified range has an equivalent policy as determined by mpol_equal(), which, unlike the other cases, does not update prev. This can result in a situation where, later in the iteration, a VMA is found whose policy does need to change.
At this point, vma_merge() is invoked with prev pointing to a VMA which is before the previous VMA. Since vma_merge() discovers the curr VMA by looking for the one immediately after prev, it will now be in a situation where this VMA is incorrect and the merge will not proceed correctly.

This is checked in the VM_WARN_ON() invariant case with end > curr->vm_end, which, if a merge is possible, results in a warning (if CONFIG_DEBUG_VM is specified).

I note that vma_merge() performs these invariant checks only after merge_prev/merge_next are checked, which is debatable as it hides this issue if no merge is possible even though a buggy situation has arisen.

The solution is simply to update the prev pointer even when policies are equal.

This caused a bug to arise in the 6.2.y stable tree, and this patch resolves this bug.

Reported-by: kernel test robot
Link: https://lore.kernel.org/oe-lkp/202304292203.44ddeff6-oliver.sang@intel.com
Fixes: f4e9e0e69468 ("mm/mempolicy: fix use-after-free of VMA iterator")
Signed-off-by: Lorenzo Stoakes
Cc:
---
v2: updated to correctly cc the stable list :)
v1: https://lore.kernel.org/all/db42467a692d78c654ec5c1953329401bd8a9c34.1682859234.git.lstoakes@gmail.com

mm/mempolicy.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

-- 2.40.1

diff --git a/mm/mempolicy.c b/mm/mempolicy.c index 2068b594dc88..1756389a0609 100644 --- a/mm/mempolicy.c +++ b/mm/mempolicy.c @@ -808,8 +808,10 @@ static int mbind_range(struct vma_iterator *vmi, struct vm_area_struct *vma, vmstart = vma->vm_start; } - if (mpol_equal(vma_policy(vma), new_pol)) + if (mpol_equal(vma_policy(vma), new_pol)) { + *prev = vma; return 0; + } pgoff = vma->vm_pgoff + ((vmstart - vma->vm_start) >> PAGE_SHIFT); merged = vma_merge(vmi, vma->vm_mm, *prev, vmstart, vmend, vma->vm_flags,
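Review bot: the new `*prev = vma;` in the mpol_equal() early-return branch deserves a one-line comment explaining why prev must be updated even though no policy change, split or merge happens on this path, since this is exactly the bookkeeping that the earlier refactoring missed and a future cleanup could drop it again as "dead" state. The unchanged context line `merged = vma_merge(vmi, vma->vm_mm, *prev, vmstart, vmend, vma->vm_flags,` shows the dependency: as the commit message says, vma_merge() derives curr from the VMA immediately after *prev, so a stale *prev from a skipped VMA makes a later iteration merge against the wrong VMA, which is what trips the end > curr->vm_end VM_WARN_ON() under CONFIG_DEBUG_VM. Functionally the hunk is right: it still returns 0 for the equal-policy case and only adds the prev update that every other exit of the loop body already performs.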