lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20201216204252.vh3zadk4ghbzufqz@revolver>
Date:   Wed, 16 Dec 2020 15:42:52 -0500
From:   "Liam R. Howlett" <Liam.Howlett@...cle.com>
To:     David Hildenbrand <david@...hat.com>
Cc:     linux-mm@...ck.org, linux-kernel@...r.kernel.org,
        Andrew Morton <akpm@...gle.com>,
        "kirill.shutemov@...ux.intel.com" <kirill.shutemov@...ux.intel.com>,
        Rik van Riel <riel@...riel.com>
Subject: Re: [PATCH v2] mm/mmap: Don't unlock VMAs in remap_file_pages()


Thank you for looking at this.  I appreciate the scrutiny.

* David Hildenbrand <david@...hat.com> [201216 09:58]:
> On 15.12.20 16:54, Liam R. Howlett wrote:
> > do_mmap() will unlock the necessary VMAs.  There is also a bug in the
> > loop which will evaluate as false and not unlock any VMAs anyways.
> 
> If there is a BUG, do we have a Fixes: tag? Also

The bug would never show up as it is masked by do_mmap() unlocking the
necessary range.  Although there is a bug in this code, the code does
not cause an issue as it won't execute so should I have a Fixes tag?
The code works and what I've done is remove a chunk of code that never
runs.

> 
> 1. Can we fix the bug separately first?

I think it is safer to remove unexecuted code than enable it and then
remove it.

> 2. Can we have a better description on what the bug actually is
> "evaluate as false"? What is the result of the bug?

The bug is in the for loop test expression that I removed in the patch.
Here is the long explaination of why the loop has never run.


Line 2982: if (start + size <= start
Line 2983: 	goto out;

size is positive.

Line 2992: vma = find_vma(mm, start);
Look up the first VMA which satisfies start < vm_end

Line 2997: if (start < vma->vm_start)
Line 2998: 	goto out;

So now vma->vm_start >= start.
If vma->vm_start > start, then there are no VMAs in that area, otherwise
it would have been returned by find_vma().
So we can say that vma->vm_start == start.

Line 3033: for (tmp = vma; tmp->vm_start >= start + size;
Line 3034:                 tmp = tmp->vm_next) {
This is the for loop with the error in the test expression.

tmp->vm_start == start which cannot be >= (start + size).

I believe the intention was to loop through vmas in the range of start
to (start + size) and unlock them.


The result of the bug is no VMA is unlocked in this fuction.  But that
doesn't matter as they are unlocked later in the call chain - which is
why this code works as intended.


> 
> CCing some people that might know if this is actually a sane change.
> Skimming over do_mmap(), it's not immediately clear to me that
> "do_mmap() will unlock the necessary VMAs".

Ah, yes.  That is understandable.

do_mmap() L1583 -> mmap_region() L1752 -> munmap_vma_range() ->
do_munmap() -> __do_munmap() loop at 2891 to unlock the range.

Would you like me to add this call chain to the changelog?

> 
> > 
> > Signed-off-by: Liam R. Howlett <Liam.Howlett@...cle.com>
> > ---
> >  mm/mmap.c | 18 +-----------------
> >  1 file changed, 1 insertion(+), 17 deletions(-)
> > 
> > diff --git a/mm/mmap.c b/mm/mmap.c
> > index 5c8b4485860de..f7fecb77f84fd 100644
> > --- a/mm/mmap.c
> > +++ b/mm/mmap.c
> > @@ -3025,25 +3025,9 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
> >  
> >  	flags &= MAP_NONBLOCK;
> >  	flags |= MAP_SHARED | MAP_FIXED | MAP_POPULATE;
> > -	if (vma->vm_flags & VM_LOCKED) {
> > -		struct vm_area_struct *tmp;
> > +	if (vma->vm_flags & VM_LOCKED)
> >  		flags |= MAP_LOCKED;
> >  
> > -		/* drop PG_Mlocked flag for over-mapped range */
> > -		for (tmp = vma; tmp->vm_start >= start + size;
         This should probably be less than ---^

> > -				tmp = tmp->vm_next) {
> > -			/*
> > -			 * Split pmd and munlock page on the border
> > -			 * of the range.
> > -			 */
> > -			vma_adjust_trans_huge(tmp, start, start + size, 0);
> > -
> > -			munlock_vma_pages_range(tmp,
> > -					max(tmp->vm_start, start),
> > -					min(tmp->vm_end, start + size));
> > -		}
> > -	}
> > -
> >  	file = get_file(vma->vm_file);
> >  	ret = do_mmap(vma->vm_file, start, size,
> >  			prot, flags, pgoff, &populate, NULL);
> > 
> 
> 
> -- 
> Thanks,
> 
> David / dhildenb
> 
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ