lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <bc9e3cc3-26b8-41ad-b791-10ba61edc1c2@lucifer.local>
Date: Tue, 20 Feb 2024 21:00:15 +0000
From: Lorenzo Stoakes <lstoakes@...il.com>
To: Yajun Deng <yajun.deng@...ux.dev>
Cc: akpm@...ux-foundation.org, Liam.Howlett@...cle.com, linux-mm@...ck.org,
	linux-kernel@...r.kernel.org, vbabka@...e.cz
Subject: Re: [PATCH] mm/mmap: Add case 9 in vma_merge()

On Tue, Feb 20, 2024 at 11:00:30AM +0800, Yajun Deng wrote:
>
> On 2024/2/19 07:03, Lorenzo Stoakes wrote:
[snip]
>
> Yes, it's not a merge case. I label this to make it easier to understand.

OK, I guess I have to be more explicit + less soft here to avoid confusion
as you seem not to be paying attention to what I have said - We can't have
this in the patch, full stop.

I (+ Liam) have already explained above as to why, but to emphasise - each
case number refers to a merge case consistently throughout. Arbitrarily
adding a new case label to describe one of the many early exit conditions
proactively HURTS understanding.

>
> > >    *                    PPNNNNNNNNNN       PPPPPPPPPPCC
> > >    *    mmap, brk or    case 4 below       case 5 below
> > >    *    mremap move:
> > > @@ -890,6 +890,9 @@ static struct vm_area_struct
> > >   	if (vm_flags & VM_SPECIAL)
> > >   		return NULL;
> > >
> > > +	if (prev && end < prev->vm_end) /* case 9 */
> > > +		return NULL;
> > > +
> > I need to get back into vma_merge() head space, but I don't actually think
> > a caller that's behaving correctly should ever do this. I know the ASCII
> > diagram above lists it as a thing that can happen, but I think we
> > implicitly avoid this from the way we invoke callers. Either prev == vma as
> > per vma_merge_extend(), or the loops that invoke vma_merge_new_vma()
> > wouldn't permit this to occur.
> No, it will actually happen. That's why I submitted this patch.

You aren't explaining any situation where this would happen. As Liam says,
this is something you have to provide.

I have taken a moment to look into this and I am afraid I don't feel this
patch makes sense.

Firstly, let's assume you're right and we can reach this function with end
< prev->vm_end:

1. curr will be NULL as find_vma_intersection(mm, prev->vm_end, end) will
   always find nothing since end < prev->vm_end.

2. We discover next by using vma_lookup(mm, end). This will always be NULL
   since no VMA starts at end (it is < prev->vm_end so within prev).

3. Therefore next will always be NULL.

4. Therefore the only situation in which the function would proceed is that
   checked in the 'if (prev)' block, but that checks whether addr ==
   prev->vm_end, but since end < prev->vm_end, it can't [we explicitly
   check for addr >= end in a VM_WARN_ON()].

Therefore - we will always abort in this case, and your early check is
really not that useful - it's not something that is likely to come up
(actually I don't think that it can come up, we'll come on to that), and so
being very slightly delayed in exiting is not a great gain.

You are then also introducing a fairly useless branch for everybody else
for - if it even exists - a very rare scenario. I do not think this is a
good RoI.

As to whether this can happen - I have dug a bit into callers:

1. vma_merge_extend() always specifies vma->vm_end as the start explicitly
   to extend the VMA so this scenario isn't possible.

2. Both callers of vma_merge_new_vma() are trying to insert a new VMA and
   explicitly look for a prev VMA and thus should never trigger this
   scenario.

This leaves vma_modify(), and again I can't see a case where prev would not
actually be the previous VMA, with start/end set accordingly.

I am happy to be corrected/embarrassed if I'm missed something out here
(vma_merge() is a great function for creating confusion + causing unlikely
scenarios), so please do provide details of such a case if you can find
one.

TL;DR:

- The case 9 stuff is completely wrong.
- I do not think this patch is useful even if the scenario you describe
  arises.
- I can't see how the scenario you describe could arise.

So overall, unless you can provide compelling evidence for both this
scenario actually occurring in practice AND the need for an early exit,
this patch is a no-go.

In addition, if you were to find such, you'd really really need to beef out
the commit message, which is far too short, and frankly incorrect at this
point - if you perform a branch which 99.9999% of the time is not taken,
you are not 'reducing unnecessary operations' you are creating them.

If you could find compelling evidence to support this patch and send this
as a v2 then I'd consider it, but for the patch in its current form:

NACK.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ