Message-ID: <8935c95a-674e-44be-b5cc-dc5154a8db41@lucifer.local>
Date: Thu, 13 Nov 2025 10:45:37 +0000
From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
To: Matthew Wilcox <willy@...radead.org>
Cc: "Liam R. Howlett" <Liam.Howlett@...cle.com>,
        Andrew Morton <akpm@...ux-foundation.org>, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org, Suren Baghdasaryan <surenb@...gle.com>,
        Vlastimil Babka <vbabka@...e.cz>,
        Shakeel Butt <shakeel.butt@...ux.dev>, Jann Horn <jannh@...gle.com>,
        stable@...r.kernel.org,
        syzbot+131f9eb2b5807573275c@...kaller.appspotmail.com,
        "Paul E . McKenney" <paulmck@...nel.org>
Subject: Re: [PATCH] mm/mmap_lock: Reset maple state on lock_vma_under_rcu() retry

On Thu, Nov 13, 2025 at 12:04:19AM +0000, Matthew Wilcox wrote:
> On Wed, Nov 12, 2025 at 03:06:38PM +0000, Lorenzo Stoakes wrote:
> > > Any time the rcu read lock is dropped, the maple state must be
> > > invalidated.  Resetting the address and state to MA_START is the safest
> > > course of action, which will result in the next operation starting from
> > > the top of the tree.
> >
> > Since we all missed it I do wonder if we need some super clear comment
> > saying 'hey if you drop + re-acquire RCU lock you MUST revalidate mas state
> > by doing 'blah'.
>
> I mean, this really isn't an RCU thing.  This is also bad:
>
> 	spin_lock(a);
> 	p = *q;
> 	spin_unlock(a);
> 	spin_lock(a);
> 	b = *p;
>
> p could have been freed while you didn't hold lock a.  Detecting this
> kind of thing needs compiler assistance (ie Rust) to let you know that
> you don't have the right to do that any more.

Right but in your example the use of the pointers is _really clear_. In the
mas situation, the pointers are embedded in the helper struct, there's a
state machine, etc. so it's harder to catch this.

There's already a state machine embedded in it, and I think the confusing
bit, at least for me, was a line of thinking like - 'oh there's all this
logic that figures out what's going on and if there's an error rewalks and
etc. - so it'll handle this case too'.

Obviously, very much wrong.

Generally I wonder if, when dealing with VMAs, we shouldn't just use the
VMA iterator anyway? Whenever I see 'naked' mas stuff I'm always a little
confused as to why.


>
> > I think one source of confusion for me with maple tree operations is - what
> > to do if we are in a position where some kind of reset is needed?
> >
> > So even if I'd realised 'aha we need to reset this' it wouldn't be obvious
> > to me that we ought to set to the address.
>
> I think that's a separate problem.

Sure but I think there's a broader issue around confusion arising around
mas state and when we need to do one thing or another, there were a number
of issues that arose in the past where people got confused about what to do
with vma iterator state.

I think it's a difficult problem - we're both trying to abstract stuff
here but also retain performance, which is a trade-off.

>
> > > +++ b/mm/mmap_lock.c
> > > @@ -257,6 +257,7 @@ struct vm_area_struct *lock_vma_under_rcu(struct mm_struct *mm,
> > >  		if (PTR_ERR(vma) == -EAGAIN) {
> > >  			count_vm_vma_lock_event(VMA_LOCK_MISS);
> > >  			/* The area was replaced with another one */
> > > +			mas_set(&mas, address);
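Review bot: the new `mas_set(&mas, address);` carries no comment saying why a reset is required at this point; the existing "The area was replaced with another one" comment describes the -EAGAIN case, not the fact that the RCU read lock was dropped and reacquired underneath the walk, which is what makes the cached maple state invalid. Suggest a comment on the new line, e.g. `/* RCU read lock was dropped: mas state is stale, restart from address */`, so the next reader does not assume the retry walk revalidates on its own.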
> >
> > I wonder if we could detect that the RCU lock was released (+ reacquired) in
> > mas_walk() in a debug mode, like CONFIG_VM_DEBUG_MAPLE_TREE?
>
> Dropping and reacquiring the RCU read lock should have been a big red
> flag.  I didn't have time to review the patches, but if I had, I would

I think if you have 3 mm developers who all work with VMAs all the time
missing this, that's a signal that something is confusing here :)

So the issue is we all thought dropping the RCU lock would be OK, and
mas_walk(...) would 'somehow' do the right thing. See above for why I think
perhaps that happened.

> have suggested passing the mas down to the routine that drops the rcu
> read lock so it can be invalidated before dropping the readlock.
>

This would require changing vma_start_read(), which is called by both
lock_vma_under_rcu() and lock_next_vma().

We could make them consistent and have lock_vma_under_rcu() do something
like:

	VMA_ITERATOR(vmi, mm, address);

	...

	rcu_read_lock();
	vma = vma_start_read(&vmi);

And have vma_start_read() handle the:

	if (!vma) {
		rcu_read_unlock();
		goto inval;
	}

Case we have in lock_vma_under_rcu() now.

We'd need to keep:

	vma = vma_next(vmi);
	if (!vma)
		return NULL;

In lock_next_vma().

Then you could have:

err:
	/* Reset so state is valid if reused. */
	vmi_iter_reset(vmi);
	rcu_read_unlock();

In vma_start_read().

Assuming any/all of this is correct :)

I _think_ based on what Liam said in other sub-thread the reset should work
here (perhaps not quite maximally efficient).

If we risk perhaps relying on the optimiser to help us or hope no real perf
impact perhaps we could do both by also having the 'set address' bit happen
in lock_vma_under_rcu() also e.g.:


	VMA_ITERATOR(vmi, mm, address);

	...

retry:
	rcu_read_lock();
	vma_iter_set(&vmi, address);
	vma = vma_start_read(&vmi);

Let me know if any of this is sane... :)

Cheers, Lorenzo
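The debug-mode idea floated in the thread (detecting that the RCU read lock was released and reacquired between two walks on the same iterator state) is illustrated below by a constructed userspace C model. This is added example code, not kernel code and not part of the thread: the "lock" is a toy that bumps a generation counter on every outermost acquisition (an assumption; the real RCU read lock keeps no such counter), the "tree" is a four-entry array, and `iter`, `iter_set()`, `iter_walk()` and the `scenario_*()` functions are hypothetical stand-ins for the maple state, `mas_set()`, `mas_walk()` and the lock/drop/retry flow discussed above. It shows the three cases that matter: reuse of cached state across a lock drop is caught as stale, a reset to the address before the retry walk succeeds, and a nested read-side section (no drop) does not invalidate anything.

```c
#include <stddef.h>

/* Constructed model of a read-side lock whose every outermost acquisition
 * bumps a generation counter, so "dropped and reacquired" is observable. */
struct rcu_model {
	unsigned long gen;   /* bumped on each outermost read_lock() */
	int depth;           /* nesting depth, 0 means not held */
};

static void model_read_lock(struct rcu_model *r)
{
	if (r->depth++ == 0)
		r->gen++;
}

static void model_read_unlock(struct rcu_model *r)
{
	r->depth--;
}

/* Hypothetical iterator state standing in for the maple state: caches a
 * pointer into the tree plus the lock generation it was obtained under.
 * valid_gen == 0 plays the role of MA_START (no cached state). */
struct iter {
	unsigned long addr;
	unsigned long valid_gen;
	const int *cached;
};

#define ITER_INIT(a) { .addr = (a), .valid_gen = 0, .cached = NULL }

/* Stand-in for mas_set(): new address, state back to "start from the top". */
static void iter_set(struct iter *it, unsigned long addr)
{
	it->addr = addr;
	it->valid_gen = 0;
	it->cached = NULL;
}

enum walk_result { WALK_OK, WALK_NOT_FOUND, WALK_STALE };

/* Constructed "tree": the index is the address, the value is the entry. */
static const int tree[] = { 10, 20, 30, 40 };
#define TREE_SIZE (sizeof(tree) / sizeof(tree[0]))

/* Walk under the lock; refuses to reuse state cached under an earlier hold. */
static enum walk_result iter_walk(struct rcu_model *r, struct iter *it, int *out)
{
	if (r->depth == 0)
		return WALK_STALE;            /* walked with no lock held at all */
	if (it->valid_gen != 0 && it->valid_gen != r->gen)
		return WALK_STALE;            /* lock was dropped since state was cached */
	if (it->valid_gen == 0) {
		if (it->addr >= TREE_SIZE)
			return WALK_NOT_FOUND;
		it->cached = &tree[it->addr];
		it->valid_gen = r->gen;
	}
	*out = *it->cached;
	return WALK_OK;
}

/* The reported flow: walk, callee drops the lock on its failure path, caller
 * retakes it and retries the walk without resetting the iterator state. */
static enum walk_result scenario_no_reset(int *out)
{
	struct rcu_model r = { 0, 0 };
	struct iter it = ITER_INIT(1);

	model_read_lock(&r);
	iter_walk(&r, &it, out);
	model_read_unlock(&r);   /* the callee dropped the read lock ... */
	model_read_lock(&r);     /* ... and the caller retries */
	return iter_walk(&r, &it, out);
}

/* Same flow with the fix applied: reset to the address before walking again. */
static enum walk_result scenario_with_reset(unsigned long address, int *out)
{
	struct rcu_model r = { 0, 0 };
	struct iter it = ITER_INIT(address);

	model_read_lock(&r);
	iter_walk(&r, &it, out);
	model_read_unlock(&r);
	model_read_lock(&r);
	iter_set(&it, address);
	return iter_walk(&r, &it, out);
}

/* A nested read-side section never drops the lock, so the cached state is
 * still valid and no reset is needed. */
static enum walk_result scenario_nested(int *out)
{
	struct rcu_model r = { 0, 0 };
	struct iter it = ITER_INIT(2);
	enum walk_result res;

	model_read_lock(&r);
	iter_walk(&r, &it, out);
	model_read_lock(&r);
	model_read_unlock(&r);
	res = iter_walk(&r, &it, out);
	model_read_unlock(&r);
	return res;
}
```

The generation check is the whole point of the model: it turns "you dropped the lock and kept using the iterator" from a silent use-after-free into an immediate, deterministic failure, which is what a `CONFIG_VM_DEBUG_MAPLE_TREE`-style check would want to provide. Nesting is tracked separately so that legitimate nested read-side sections are not flagged.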
