| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 17 Dec 2020 11:05:56 +0100
From: David Hildenbrand <david@...hat.com>
To: "Liam R. Howlett" <Liam.Howlett@...cle.com>, linux-mm@...ck.org,
linux-kernel@...r.kernel.org, Andrew Morton <akpm@...gle.com>,
"kirill.shutemov@...ux.intel.com" <kirill.shutemov@...ux.intel.com>,
Rik van Riel <riel@...riel.com>
Subject: Re: [PATCH v2] mm/mmap: Don't unlock VMAs in remap_file_pages()
On 16.12.20 21:42, Liam R. Howlett wrote:
>
> Thank you for looking at this. I appreciate the scrutiny.
>
> * David Hildenbrand <david@...hat.com> [201216 09:58]:
>> On 15.12.20 16:54, Liam R. Howlett wrote:
>>> do_mmap() will unlock the necessary VMAs. There is also a bug in the
>>> loop which will evaluate as false and not unlock any VMAs anyways.
>>
>> If there is a BUG, do we have a Fixes: tag? Also
>
> The bug would never show up as it is masked by do_mmap() unlocking the
> necessary range. Although there is a bug in this code, the code does
> not cause an issue as it won't execute so should I have a Fixes tag?
> The code works and what I've done is remove a chunk of code that never
> runs.
>
Ok I see. The use of "bug" here is misleading. The unnecessary code is
simply not doing what it promised to do without doing any harm.
>>
>> 1. Can we fix the bug separately first?
>
> I think it is safer to remove unexecuted code than enable it and then
> remove it.
I agree, as it is not actually a bug.
>
>> 2. Can we have a better description on what the bug actually is
>> "evaluate as false"? What is the result of the bug?
>
> The bug is in the for loop test expression that I removed in the patch.
> Here is the long explaination of why the loop has never run.
>
>
> Line 2982: if (start + size <= start
> Line 2983: goto out;
>
> size is positive.
>
> Line 2992: vma = find_vma(mm, start);
> Look up the first VMA which satisfies start < vm_end
>
> Line 2997: if (start < vma->vm_start)
> Line 2998: goto out;
>
> So now vma->vm_start >= start.
> If vma->vm_start > start, then there are no VMAs in that area, otherwise
> it would have been returned by find_vma().
> So we can say that vma->vm_start == start.
>
> Line 3033: for (tmp = vma; tmp->vm_start >= start + size;
> Line 3034: tmp = tmp->vm_next) {
> This is the for loop with the error in the test expression.
>
> tmp->vm_start == start which cannot be >= (start + size).
>
> I believe the intention was to loop through vmas in the range of start
> to (start + size) and unlock them.
>
>
> The result of the bug is no VMA is unlocked in this fuction. But that
> doesn't matter as they are unlocked later in the call chain - which is
> why this code works as intended.
>
Thanks for clarifying!
>
>>
>> CCing some people that might know if this is actually a sane change.
>> Skimming over do_mmap(), it's not immediately clear to me that
>> "do_mmap() will unlock the necessary VMAs".
>
> Ah, yes. That is understandable.
>
> do_mmap() L1583 -> mmap_region() L1752 -> munmap_vma_range() ->
> do_munmap() -> __do_munmap() loop at 2891 to unlock the range.
>
> Would you like me to add this call chain to the changelog?
Yes please, in a simplified form.
I suggest something like the following patch description:
"do_mmap(MAP_FIXED) will already unlock pages via munmap_vma_range(). We
can remove the superfluous manual unlocking in remap_file_pages().
Note that the manual unlocking is even incorrect, as it might miss
unlocking some pages - no harm done.
"
--
Thanks,
David / dhildenb
Powered by blists - more mailing lists