* Jann Horn <jannh@xxxxxxxxxx> [210804 10:42]: > On Wed, Aug 4, 2021 at 1:07 AM Liam Howlett <liam.howlett@xxxxxxxxxx> wrote: > > * Luigi Rizzo <lrizzo@xxxxxxxxxx> [210803 17:49]: > > > On Tue, Aug 3, 2021 at 6:08 PM Jason Gunthorpe <jgg@xxxxxxxx> wrote: > > > > > > > > On Sat, Jul 31, 2021 at 10:53:41AM -0700, Luigi Rizzo wrote: > > > > > find_vma() and variants need protection when used. > > > > > This patch adds mmap_assert_lock() calls in the functions. > > > > > > > > > > To make sure the invariant is satisfied, we also need to add a > > > > > mmap_read_loc() around the get_user_pages_remote() call in > > > > > get_arg_page(). The lock is not strictly necessary because the mm > > > > > has been newly created, but the extra cost is limited because > > > > > the same mutex was also acquired shortly before in __bprm_mm_init(), > > > > > so it is hot and uncontended. > > > > > > > > > > Signed-off-by: Luigi Rizzo <lrizzo@xxxxxxxxxx> > > > > > fs/exec.c | 2 ++ > > > > > mm/mmap.c | 2 ++ > > > > > 2 files changed, 4 insertions(+) > > > > > > > > > > diff --git a/fs/exec.c b/fs/exec.c > > > > > index 38f63451b928..ac7603e985b4 100644 > > > > > +++ b/fs/exec.c > > > > > @@ -217,8 +217,10 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos, > > > > > * We are doing an exec(). 'current' is the process > > > > > * doing the exec and bprm->mm is the new process's mm. > > > > > */ > > > > > + mmap_read_lock(bprm->mm); > > > > > ret = get_user_pages_remote(bprm->mm, pos, 1, gup_flags, > > > > > &page, NULL, NULL); > > > > > + mmap_read_unlock(bprm->mm); > > > > > if (ret <= 0) > > > > > return NULL; > > > > > > > > Wasn't Jann Horn working on something like this too? > > > > > > > > https://lore.kernel.org/linux-mm/20201016225713.1971256-1-jannh@xxxxxxxxxx/ > > > > > > > > IIRC it was very tricky here, are you sure it is OK to obtain this lock > > > > here? > > > > > > I cannot comment on Jann's patch series but no other thread knows > > > about this mm at this point in the code so the lock is definitely > > > safe to acquire (shortly before there was also a write lock acquired > > > on the same mm, in the same conditions). > > > > If there is no other code that knows about this mm, then does one need > > the lock at all? Is this just to satisfy the new check you added? > > > > If you want to make this change, I would suggest writing it in a way to > > ensure the call to expand_downwards() in the same function also holds > > the lock. I believe this is technically required as well? What do you > > think? > > The call to expand_downwards() takes a VMA pointer as argument, and > the mmap lock is the only thing that normally prevents concurrent > freeing of VMA structs. Taking a lock there would be of limited utility - either > the lock is not necessary because nobody else can access the MM, or > the lock is insufficient because someone could have freed the VMA > pointer before the lock was taken. So I think that taking a lock > around the expand_downwards() call would just be obfuscating things, > unless you specifically want to prevent concurrent *reads* while > concurrent *writes* are impossible. Good point on the VMA being passed in, that certainly points to your previous patch being a better approach. That resolves my questions around the patch. > > Since I haven't sent a new version of my old series for almost a year, > I think it'd be fine to take Luigi's patch for now, and undo it at a > later point when/if we want to actually use proper locking here > because we're worried about concurrent access to the MM.
