lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <33023080-9e11-475e-a199-b7ff1e655c57@lucifer.local>
Date: Tue, 20 Feb 2024 22:10:13 +0000
From: Lorenzo Stoakes <lstoakes@...il.com>
To: Yajun Deng <yajun.deng@...ux.dev>
Cc: akpm@...ux-foundation.org, Liam.Howlett@...cle.com, linux-mm@...ck.org,
	linux-kernel@...r.kernel.org, vbabka@...e.cz
Subject: Re: [PATCH] mm/mmap: Add case 9 in vma_merge()

On Tue, Feb 20, 2024 at 09:00:15PM +0000, Lorenzo Stoakes wrote:
> On Tue, Feb 20, 2024 at 11:00:30AM +0800, Yajun Deng wrote:
> >
> > On 2024/2/19 07:03, Lorenzo Stoakes wrote:
> [snip]
> >
> > Yes, it's not a merge case. I label this to make it easier to understand.
>
> OK, I guess I have to be more explicit + less soft here to avoid confusion
> as you seem not to be paying attention to what I have said - We can't have
> this in the patch, full stop.
>
> I (+ Liam) have already explained above as to why, but to emphasise - each
> case number refers to a merge case consistently throughout. Arbitrarily
> adding a new case label to describe one of the many early exit conditions
> proactively HURTS understanding.
>
> >
> > > >    *                    PPNNNNNNNNNN       PPPPPPPPPPCC
> > > >    *    mmap, brk or    case 4 below       case 5 below
> > > >    *    mremap move:
> > > > @@ -890,6 +890,9 @@ static struct vm_area_struct
> > > >   	if (vm_flags & VM_SPECIAL)
> > > >   		return NULL;
> > > >
> > > > +	if (prev && end < prev->vm_end) /* case 9 */
> > > > +		return NULL;
> > > > +
> > > I need to get back into vma_merge() head space, but I don't actually think
> > > a caller that's behaving correctly should ever do this. I know the ASCII
> > > diagram above lists it as a thing that can happen, but I think we
> > > implicitly avoid this from the way we invoke callers. Either prev == vma as
> > > per vma_merge_extend(), or the loops that invoke vma_merge_new_vma()
> > > wouldn't permit this to occur.
> > No, it will actually happen. That's why I submitted this patch.
>
> You aren't explaining any situation where this would happen. As Liam says,
> this is something you have to provide.
>
> I have taken a moment to look into this and I am afraid I don't feel this
> patch makes sense.
>
> Firstly, let's assume you're right and we can reach this function with end
> < prev->vm_end:
>
> 1. curr will be NULL as find_vma_intersection(mm, prev->vm_end, end) will
>    always find nothing since end < prev->vm_end.
>
> 2. We discover next by using vma_lookup(mm, end). This will always be NULL
>    since no VMA starts at end (it is < prev->vm_end so within prev).
>
> 3. Therefore next will always be NULL.
>
> 4. Therefore the only situation in which the function would proceed is that
>    checked in the 'if (prev)' block, but that checks whether addr ==
>    prev->vm_end, but since end < prev->vm_end, it can't [we explicitly
>    check for addr >= end in a VM_WARN_ON()].

OK I say below about feel fre to embarrass me if I am mistaken, but I can
go ahead and do embarrass myself directly :)

Apologies - the above is not correct, vma_lookup() doesn't look for an
exact match so will assign next = prev in this scenario.

However the vm_pgoff check will cause this case to fail also.

>
> Therefore - we will always abort in this case, and your early check is
> really not that useful - it's not something that is likely to come up
> (actually I don't think that it can come up, we'll come on to that), and so
> being very slightly delayed in exiting is not a great gain.
>
> You are then also introducing a fairly useless branch for everybody else
> for - if it even exists - a very rare scenario. I do not think this is a
> good RoI.
>
> As to whether this can happen - I have dug a bit into callers:
>
> 1. vma_merge_extend() always specifies vma->vm_end as the start explicitly
>    to extend the VMA so this scenario isn't possible.
>
> 2. Both callers of vma_merge_new_vma() are trying to insert a new VMA and
>    explicitly look for a prev VMA and thus should never trigger this
>    scenario.
>
> This leaves vma_modify(), and again I can't see a case where prev would not
> actually be the previous VMA, with start/end set accordingly.
>
> I am happy to be corrected/embarrassed if I'm missed something out here
> (vma_merge() is a great function for creating confusion + causing unlikely
> scenarios), so please do provide details of such a case if you can find
> one.

Also, I discovered that I can *ahem* reliably reproduce this scenario, so
apologies, you were right to say it can arise (but it would have been
useful for you to give details!)

I can repro it in mprotect_fixup(), quite reliably, so it might be worth
digging into why this scenario is happening.

>
> TL;DR:
>
> - The case 9 stuff is completely wrong.
> - I do not think this patch is useful even if the scenario you describe
>   arises.
> - I can't see how the scenario you describe could arise.
>
> So overall, unless you can provide compelling evidence for both this
> scenario actually occurring in practice AND the need for an early exit,
> this patch is a no-go.
>
> In addition, if you were to find such, you'd really really need to beef out
> the commit message, which is far too short, and frankly incorrect at this
> point - if you perform a branch which 99.9999% of the time is not taken,
> you are not 'reducing unnecessary operations' you are creating them.
>
> If you could find compelling evidence to support this patch and send this
> as a v2 then I'd consider it, but for the patch in its current form:
>
> NACK.

I'll stick with the NACK (though slightly less assuredly), as the case 9
stuff has to go, that is the real bugbear here for me. It's more review
feedback, but the commit message needs beefing up in any case too.

I'm still not hugely convinced this is a worthwhile early exit, since we
don't treat any other 'can't merge' case specially here.

I think the more interesting thing to do here is to figure out why
mprotect_fix() (or perhaps others) is even trying the merge under these
circumstances.

Again as I said in the first reply, thanks for your efforts looking at
this! The nacking + such is simply an effort to ensure we are being
extremely careful around this highly delicate function.

Thanks, Lorenzo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ