Re: [PATCH v3] Fixes: null pointer dereference in pfnmap_lockdep_assert

From: Peter Xu
Date: Tue Oct 08 2024 - 15:28:11 EST

Next message: Sabyrzhan Tasbolatov: "[PATCH v4] mm, kasan, kmsan: copy_from/to_kernel_nofault"
Previous message: yuan.gao: "Re: [PATCH v2] mm/slub: Avoid list corruption when removing a slab from the full list"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Oct 07, 2024 at 09:23:47AM -0400, Peter Xu wrote:
> On Fri, Oct 04, 2024 at 04:17:42PM +0100, Matthew Wilcox wrote:
> > On Fri, Oct 04, 2024 at 07:15:48PM +0530, Manas via B4 Relay wrote:
> > > +++ b/mm/memory.c
> > > @@ -6346,10 +6346,10 @@ static inline void pfnmap_args_setup(struct follow_pfnmap_args *args,
> > > static inline void pfnmap_lockdep_assert(struct vm_area_struct *vma)
> > > {
> > > #ifdef CONFIG_LOCKDEP
> > > - struct address_space *mapping = vma->vm_file->f_mapping;
> > > + struct address_space *mapping = vma->vm_file ? vma->vm_file->f_mapping : NULL;
> >
> > Overly long and complex line. Much simpler to write:
> >
> > struct address_space *mapping = NULL;
> >
> > if (vma->vm_file)
> > mapping = vma->vm_file->f_mapping;
> >
> > > if (mapping)
> > > - lockdep_assert(lockdep_is_held(&vma->vm_file->f_mapping->i_mmap_rwsem) ||
> > > + lockdep_assert(lockdep_is_held(&mapping->i_mmap_rwsem) ||
> > > lockdep_is_held(&vma->vm_mm->mmap_lock));
> > > else
> > > lockdep_assert(lockdep_is_held(&vma->vm_mm->mmap_lock));
> >
> > This one should have been lockdep_assert_held(&vma->vm_mm->mmap_lock).
> >
> > I'm not sure that the previous one is correct. The
> > lockdep_assert_held() macro is pretty careful about checking
> > LOCK_STATE_NOT_HELD to avoid the LOCK_STATE_UNKNOWN possibility.
> > But I'll leave that for Peter to fix.
>
> Indeed..
>
> Then looks like we could have quite a few other places in Linux that can
> have used this wrong.. when the assert wants to check against either of the
> two locks (one mutex or rcu read lock, for example) is held.
>
> I'll send a patch after this one lands.

Just to follow this up and leave a record: I had a closer look today and
then quickly I found above should be all fine (similar to all kernel usages
like this, for example, rcu_dereference_check()).

The trick is LOCK_STATE_NOT_HELD is defined as 0:

#define LOCK_STATE_UNKNOWN -1
#define LOCK_STATE_NOT_HELD 0
#define LOCK_STATE_HELD 1

So this:

#define lockdep_assert_held(l) \
lockdep_assert(lockdep_is_held(l) != LOCK_STATE_NOT_HELD)

Is the same to:

#define lockdep_assert_held(l) \
lockdep_assert(lockdep_is_held(l))

The lockdep_assert() was introduced exactly for such >1 lock assertion use
cases, in this commit:

commit d19c81378829e5d774c951219c5a973965b9202c
Author: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
Date: Mon Aug 2 18:59:56 2021 +0800

locking/lockdep: Provide lockdep_assert{,_once}() helpers

Extract lockdep_assert{,_once}() helpers to more easily write composite
assertions like, for example:

lockdep_assert(lockdep_is_held(&drm_device.master_mutex) ||
lockdep_is_held(&drm_file.master_lookup_lock));

Thanks,

--
Peter Xu

Next message: Sabyrzhan Tasbolatov: "[PATCH v4] mm, kasan, kmsan: copy_from/to_kernel_nofault"
Previous message: yuan.gao: "Re: [PATCH v2] mm/slub: Avoid list corruption when removing a slab from the full list"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]