On 01/24, Andrii Nakryiko wrote:
> We use map->freeze_mutex to prevent races between map_freeze() and
> memory mapping BPF map contents with writable permissions. The way we
> naively do this means we'll hold freeze_mutex for the entire duration of all
> the mm and VMA manipulations, which is completely unnecessary. This can
> potentially also lead to deadlocks, as reported by syzbot in [0].
>
> So, instead, hold freeze_mutex only during writability checks, bump
> (proactively) the "write active" count for the map, unlock the mutex and
> proceed with mmap logic. And only if something went wrong during mmap
> logic, then undo that "write active" counter increment.
>
> Note, instead of checking VM_MAYWRITE we check VM_WRITE before and after
> mmaping, because we also have logic that unsets VM_MAYWRITE
> forcefully if VM_WRITE is not set. So VM_MAYWRITE could be set early on
> for read-only mmaping, but it won't be afterwards. VM_WRITE is
> a consistent way to detect writable mmaping in our implementation.
>
> [0] https://lore.kernel.org/bpf/678dcbc9.050a0220.303755.0066.GAE@xxxxxxxxxx/
>
> Fixes: fc9702273e2e ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY")
> Reported-by: syzbot+4dc041c686b7c816a71e@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Andrii Nakryiko <andrii@xxxxxxxxxx>

Acked-by: Stanislav Fomichev <sdf@xxxxxxxxxxx>
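To make the locking shape described in the quoted message concrete, the following is a constructed single-threaded C model added here; it is not the kernel's bpf_map_mmap() or map_freeze(), and the `toy_*` names, the `mmap_err` parameter standing in for map->ops->map_mmap(), and the `toy_mutex` stand-in for struct mutex are assumptions. It shows freeze_mutex held only for the writability check and the proactive writecnt bump, the fallible mm work running unlocked, and the bump undone only on failure, with VM_WRITE (not VM_MAYWRITE) as the stable before/after test.

```c
/* Constructed single-threaded model of the lock/counter shape the commit
 * message describes; not the kernel's bpf_map_mmap(). Names mirror the text. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

enum { VM_WRITE = 1 << 0, VM_MAYWRITE = 1 << 1 };   /* toy vm_flags bits */
struct toy_mutex { bool held; };                     /* stand-in for struct mutex */
static void toy_lock(struct toy_mutex *m) { if (m->held) abort(); m->held = true; }
static void toy_unlock(struct toy_mutex *m) { m->held = false; }

struct toy_map {
	struct toy_mutex freeze_mutex;
	bool frozen;
	int writecnt;   /* "write active" count: live writable mappings */
};

/* map_freeze(): refuse while any writable mapping is active (or already frozen). */
static int toy_map_freeze(struct toy_map *map)
{
	int err = 0;
	toy_lock(&map->freeze_mutex);
	if (map->writecnt || map->frozen) err = -EBUSY; else map->frozen = true;
	toy_unlock(&map->freeze_mutex);
	return err;
}

/* Fixed mmap shape: hold freeze_mutex only for the writability check and the
 * proactive writecnt bump, run the fallible mm/VMA work unlocked, and undo the
 * bump only if that work failed. `mmap_err` simulates map->ops->map_mmap(). */
static int toy_map_mmap(struct toy_map *map, unsigned long *vm_flags, int mmap_err)
{
	toy_lock(&map->freeze_mutex);
	if (*vm_flags & VM_WRITE) {
		if (map->frozen) { toy_unlock(&map->freeze_mutex); return -EPERM; }
		map->writecnt++;                 /* bump before the mm work */
	}
	toy_unlock(&map->freeze_mutex);
	if (!(*vm_flags & VM_WRITE))
		*vm_flags &= ~VM_MAYWRITE;       /* read-only: forbid later PROT_WRITE */
	/* VM_WRITE is the stable test here; VM_MAYWRITE may have just been cleared */
	if (mmap_err && (*vm_flags & VM_WRITE)) {
		toy_lock(&map->freeze_mutex);
		map->writecnt--;                 /* undo the proactive bump */
		toy_unlock(&map->freeze_mutex);
	}
	return mmap_err;
}
```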