| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <36db7016-98d6-2c6b-110b-b2481fd480ac@i-love.sakura.ne.jp>
Date: Thu, 16 Jul 2020 22:41:14 +0900
From: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
To: Michal Hocko <mhocko@...nel.org>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Arve Hjonnevag <arve@...roid.com>,
Todd Kjos <tkjos@...roid.com>,
Martijn Coenen <maco@...roid.com>,
Joel Fernandes <joel@...lfernandes.org>,
Christian Brauner <christian@...uner.io>,
syzbot <syzbot+e5344baa319c9a96edec@...kaller.appspotmail.com>,
acme@...nel.org, alexander.shishkin@...ux.intel.com,
jolsa@...hat.com, linux-kernel@...r.kernel.org,
mark.rutland@....com, mingo@...hat.com, namhyung@...nel.org,
peterz@...radead.org, syzkaller-bugs@...glegroups.com,
"open list:ANDROID DRIVERS" <devel@...verdev.osuosl.org>,
linux-mm <linux-mm@...ck.org>
Subject: Re: [PATCH] binder: Don't use mmput() from shrinker function.
On 2020/07/16 17:35, Michal Hocko wrote:
> On Thu 16-07-20 08:36:52, Tetsuo Handa wrote:
>> syzbot is reporting that mmput() from shrinker function has a risk of
>> deadlock [1]. Don't start synchronous teardown of mm when called from
>> shrinker function.
>
> Please add the actual lock dependency to the changelog.
>
> Anyway is this deadlock real? Mayve I have missed some details but the
> call graph points to these two paths.
> uprobe_mmap do_shrink_slab
> uprobes_mmap_hash #lock
> install_breakpoint binder_shrink_scan
> set_swbp binder_alloc_free_page
> uprobe_write_opcode __mmput
> update_ref_ctr uprobe_clear_state
> mutex_lock(&delayed_uprobe_lock) mutex_lock(&delayed_uprobe_lock);
> allocation -> reclaim
>
static int update_ref_ctr(struct uprobe *uprobe, struct mm_struct *mm, short d) {
mutex_lock(&delayed_uprobe_lock);
ret = delayed_uprobe_add(uprobe, mm1) {
du = kzalloc(sizeof(*du), GFP_KERNEL) {
do_shrink_slab() {
binder_shrink_scan() {
binder_alloc_free_page() {
mmget_not_zero(mm2);
mmput(mm2) {
__mmput(mm2) {
uprobe_clear_state(mm2) {
mutex_lock(&delayed_uprobe_lock);
delayed_uprobe_remove(NULL, mm2);
mutex_unlock(&delayed_uprobe_lock);
}
}
}
}
}
}
}
}
mutex_unlock(&delayed_uprobe_lock);
}
> But in order for this to happen the shrinker would have to do the last
> put on the mm. But mm cannot go away from under uprobe_mmap so those two
> paths cannot race with each other.
and mm1 != mm2 is possible, isn't it?
>
> Unless I am missing something this is a false positive. I do not mind
> using mmput_async from the shrinker as a workaround but the changelog
> should be explicit about the fact.
>
binder_alloc_free_page() is already using mmput_async() 14 lines later.
It just took 18 months to hit this race for the third time, for it is
quite difficult to let the owner of mm2 to call mmput(mm2) between
binder_alloc_free_page() calls mmget_not_zero(mm2) and mmput(mm2).
The reason I added you is to see whether we can do
void mmput(struct mm_struct *mm)
{
might_sleep();
+ /* Calling mmput() from shrinker context can deadlock. */
+ WARN_ON(current->flags & PF_MEMALLOC);
if (atomic_dec_and_test(&mm->mm_users))
__mmput(mm);
}
in order to catch this bug easier.
Powered by blists - more mailing lists