Re: KASAN: use-after-free Read in __do_page_fault

2017-11-02 Thread Andrea Arcangeli
On Wed, Nov 01, 2017 at 08:26:24AM -0700, Linus Torvalds wrote: > On Tue, Oct 31, 2017 at 12:13 PM, Andrea Arcangeli > wrote: > > > > The problematic path for the return to userland (get_user_pages > > returns to kernel) is this one: > > > > if (return_to_userland) {

Re: KASAN: use-after-free Read in __do_page_fault

2017-11-02 Thread Andrea Arcangeli
On Wed, Nov 01, 2017 at 08:26:24AM -0700, Linus Torvalds wrote: > On Tue, Oct 31, 2017 at 12:13 PM, Andrea Arcangeli > wrote: > > > > The problematic path for the return to userland (get_user_pages > > returns to kernel) is this one: > > > > if (return_to_userland) { > >

Re: KASAN: use-after-free Read in __do_page_fault

2017-11-02 Thread Laurent Dufour
Hi Vlastimil, Sorry for the late answer I got a few day off. On 31/10/2017 14:57, Vlastimil Babka wrote: > +CC Andrea, Thorsten, Linus > > On 10/31/2017 02:20 PM, Vlastimil Babka wrote: >> On 10/31/2017 01:42 PM, Dmitry Vyukov wrote: My vm_area_struct is 192 bytes, could be your layout is

Re: KASAN: use-after-free Read in __do_page_fault

2017-11-02 Thread Laurent Dufour
Hi Vlastimil, Sorry for the late answer I got a few day off. On 31/10/2017 14:57, Vlastimil Babka wrote: > +CC Andrea, Thorsten, Linus > > On 10/31/2017 02:20 PM, Vlastimil Babka wrote: >> On 10/31/2017 01:42 PM, Dmitry Vyukov wrote: My vm_area_struct is 192 bytes, could be your layout is

Re: KASAN: use-after-free Read in __do_page_fault

2017-11-01 Thread Linus Torvalds
On Tue, Oct 31, 2017 at 12:13 PM, Andrea Arcangeli wrote: > > The problematic path for the return to userland (get_user_pages > returns to kernel) is this one: > > if (return_to_userland) { > if (signal_pending(current) && >

Re: KASAN: use-after-free Read in __do_page_fault

2017-11-01 Thread Linus Torvalds
On Tue, Oct 31, 2017 at 12:13 PM, Andrea Arcangeli wrote: > > The problematic path for the return to userland (get_user_pages > returns to kernel) is this one: > > if (return_to_userland) { > if (signal_pending(current) && >

Re: KASAN: use-after-free Read in __do_page_fault

2017-11-01 Thread Vlastimil Babka
On 11/01/2017 11:17 AM, Andrea Arcangeli wrote: > On Wed, Nov 01, 2017 at 08:42:57AM +0100, Vlastimil Babka wrote: >> The vma should be pinned by mmap_sem, but handle_userfault() will in some >> scenarios release it and then acquire again, so when we return to > > In the above message and

Re: KASAN: use-after-free Read in __do_page_fault

2017-11-01 Thread Vlastimil Babka
On 11/01/2017 11:17 AM, Andrea Arcangeli wrote: > On Wed, Nov 01, 2017 at 08:42:57AM +0100, Vlastimil Babka wrote: >> The vma should be pinned by mmap_sem, but handle_userfault() will in some >> scenarios release it and then acquire again, so when we return to > > In the above message and

Re: KASAN: use-after-free Read in __do_page_fault

2017-11-01 Thread Andrea Arcangeli
On Wed, Nov 01, 2017 at 08:42:57AM +0100, Vlastimil Babka wrote: > The vma should be pinned by mmap_sem, but handle_userfault() will in some > scenarios release it and then acquire again, so when we return to In the above message and especially in the below comment, I would suggest to take the

Re: KASAN: use-after-free Read in __do_page_fault

2017-11-01 Thread Andrea Arcangeli
On Wed, Nov 01, 2017 at 08:42:57AM +0100, Vlastimil Babka wrote: > The vma should be pinned by mmap_sem, but handle_userfault() will in some > scenarios release it and then acquire again, so when we return to In the above message and especially in the below comment, I would suggest to take the

Re: KASAN: use-after-free Read in __do_page_fault

2017-11-01 Thread Vlastimil Babka
On 10/31/2017 08:15 PM, Andrea Arcangeli wrote: > On Tue, Oct 31, 2017 at 03:28:26PM +0100, Vlastimil Babka wrote: >> Hmm that could indeed work, Dmitry can you try the patch below? >> But it still seems rather fragile so I'd hope Andrea can do it more >> robust, or at least make sure that we

Re: KASAN: use-after-free Read in __do_page_fault

2017-11-01 Thread Vlastimil Babka
On 10/31/2017 08:15 PM, Andrea Arcangeli wrote: > On Tue, Oct 31, 2017 at 03:28:26PM +0100, Vlastimil Babka wrote: >> Hmm that could indeed work, Dmitry can you try the patch below? >> But it still seems rather fragile so I'd hope Andrea can do it more >> robust, or at least make sure that we

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-31 Thread Andrea Arcangeli
On Tue, Oct 31, 2017 at 03:28:26PM +0100, Vlastimil Babka wrote: > Hmm that could indeed work, Dmitry can you try the patch below? > But it still seems rather fragile so I'd hope Andrea can do it more > robust, or at least make sure that we don't reintroduce this kind of > problem in the future

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-31 Thread Andrea Arcangeli
On Tue, Oct 31, 2017 at 03:28:26PM +0100, Vlastimil Babka wrote: > Hmm that could indeed work, Dmitry can you try the patch below? > But it still seems rather fragile so I'd hope Andrea can do it more > robust, or at least make sure that we don't reintroduce this kind of > problem in the future

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-31 Thread Andrea Arcangeli
On Tue, Oct 31, 2017 at 08:37:47AM -0700, Linus Torvalds wrote: > Yes. Accessing "vma" after calling "handle_mm_fault()" is a bug. An > unfortunate issue with userfaultfd. > > The suggested fix to simply look up pkey beforehand seems sane and simple. Agreed. > > But sadly, from a quick check,

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-31 Thread Andrea Arcangeli
On Tue, Oct 31, 2017 at 08:37:47AM -0700, Linus Torvalds wrote: > Yes. Accessing "vma" after calling "handle_mm_fault()" is a bug. An > unfortunate issue with userfaultfd. > > The suggested fix to simply look up pkey beforehand seems sane and simple. Agreed. > > But sadly, from a quick check,

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-31 Thread Linus Torvalds
On Tue, Oct 31, 2017 at 6:57 AM, Vlastimil Babka wrote: > > However, __do_page_fault() only expects that mmap_sem to be released > when handle_mm_fault() returns with VM_FAULT_RETRY. It doesn't expect it > to be released and then acquired again, because then vma can be indeed >

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-31 Thread Linus Torvalds
On Tue, Oct 31, 2017 at 6:57 AM, Vlastimil Babka wrote: > > However, __do_page_fault() only expects that mmap_sem to be released > when handle_mm_fault() returns with VM_FAULT_RETRY. It doesn't expect it > to be released and then acquired again, because then vma can be indeed > gone. Yes.

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-31 Thread Vlastimil Babka
On 10/31/2017 03:11 PM, Kirill A. Shutemov wrote: > On Tue, Oct 31, 2017 at 02:57:58PM +0100, Vlastimil Babka wrote: >> +CC Andrea, Thorsten, Linus >> >> On 10/31/2017 02:20 PM, Vlastimil Babka wrote: >>> On 10/31/2017 01:42 PM, Dmitry Vyukov wrote: > My vm_area_struct is 192 bytes, could be

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-31 Thread Vlastimil Babka
On 10/31/2017 03:11 PM, Kirill A. Shutemov wrote: > On Tue, Oct 31, 2017 at 02:57:58PM +0100, Vlastimil Babka wrote: >> +CC Andrea, Thorsten, Linus >> >> On 10/31/2017 02:20 PM, Vlastimil Babka wrote: >>> On 10/31/2017 01:42 PM, Dmitry Vyukov wrote: > My vm_area_struct is 192 bytes, could be

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-31 Thread Kirill A. Shutemov
On Tue, Oct 31, 2017 at 02:57:58PM +0100, Vlastimil Babka wrote: > +CC Andrea, Thorsten, Linus > > On 10/31/2017 02:20 PM, Vlastimil Babka wrote: > > On 10/31/2017 01:42 PM, Dmitry Vyukov wrote: > >>> My vm_area_struct is 192 bytes, could be your layout is different due to > >>> .config. At

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-31 Thread Kirill A. Shutemov
On Tue, Oct 31, 2017 at 02:57:58PM +0100, Vlastimil Babka wrote: > +CC Andrea, Thorsten, Linus > > On 10/31/2017 02:20 PM, Vlastimil Babka wrote: > > On 10/31/2017 01:42 PM, Dmitry Vyukov wrote: > >>> My vm_area_struct is 192 bytes, could be your layout is different due to > >>> .config. At

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-31 Thread Vlastimil Babka
+CC Andrea, Thorsten, Linus On 10/31/2017 02:20 PM, Vlastimil Babka wrote: > On 10/31/2017 01:42 PM, Dmitry Vyukov wrote: >>> My vm_area_struct is 192 bytes, could be your layout is different due to >>> .config. At offset 80 I have vma->vm_flags. That is checked by >>> __do_page_fault(), but only

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-31 Thread Vlastimil Babka
+CC Andrea, Thorsten, Linus On 10/31/2017 02:20 PM, Vlastimil Babka wrote: > On 10/31/2017 01:42 PM, Dmitry Vyukov wrote: >>> My vm_area_struct is 192 bytes, could be your layout is different due to >>> .config. At offset 80 I have vma->vm_flags. That is checked by >>> __do_page_fault(), but only

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-31 Thread Vlastimil Babka
On 10/31/2017 01:42 PM, Dmitry Vyukov wrote: >> My vm_area_struct is 192 bytes, could be your layout is different due to >> .config. At offset 80 I have vma->vm_flags. That is checked by >> __do_page_fault(), but only after vma->vm_start (offset 0). Of course, >> reordering is possible. > > > It

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-31 Thread Vlastimil Babka
On 10/31/2017 01:42 PM, Dmitry Vyukov wrote: >> My vm_area_struct is 192 bytes, could be your layout is different due to >> .config. At offset 80 I have vma->vm_flags. That is checked by >> __do_page_fault(), but only after vma->vm_start (offset 0). Of course, >> reordering is possible. > > > It

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-31 Thread Dmitry Vyukov
On Tue, Oct 31, 2017 at 3:00 PM, Vlastimil Babka wrote: > On 10/30/2017 08:15 PM, Dmitry Vyukov wrote: >> On Mon, Oct 30, 2017 at 10:12 PM, syzbot >> >> wrote: >>> Hello, >>> >>> syzkaller hit the following

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-31 Thread Dmitry Vyukov
On Tue, Oct 31, 2017 at 3:00 PM, Vlastimil Babka wrote: > On 10/30/2017 08:15 PM, Dmitry Vyukov wrote: >> On Mon, Oct 30, 2017 at 10:12 PM, syzbot >> >> wrote: >>> Hello, >>> >>> syzkaller hit the following crash on >>> 887c8ba753fbe809ba93fa3cfd0cc46db18d37d4 >>>

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-31 Thread Vlastimil Babka
On 10/30/2017 08:15 PM, Dmitry Vyukov wrote: > On Mon, Oct 30, 2017 at 10:12 PM, syzbot > > wrote: >> Hello, >> >> syzkaller hit the following crash on >> 887c8ba753fbe809ba93fa3cfd0cc46db18d37d4 >>

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-31 Thread Vlastimil Babka
On 10/30/2017 08:15 PM, Dmitry Vyukov wrote: > On Mon, Oct 30, 2017 at 10:12 PM, syzbot > > wrote: >> Hello, >> >> syzkaller hit the following crash on >> 887c8ba753fbe809ba93fa3cfd0cc46db18d37d4 >> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master >> compiler: gcc (GCC)

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-30 Thread Dmitry Vyukov
On Mon, Oct 30, 2017 at 10:12 PM, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 887c8ba753fbe809ba93fa3cfd0cc46db18d37d4 > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master >

Re: KASAN: use-after-free Read in __do_page_fault

2017-10-30 Thread Dmitry Vyukov
On Mon, Oct 30, 2017 at 10:12 PM, syzbot wrote: > Hello, > > syzkaller hit the following crash on > 887c8ba753fbe809ba93fa3cfd0cc46db18d37d4 > git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master > compiler: gcc (GCC) 7.1.1 20170620 > .config is attached > Raw console output is