5a28fc94c9
This is a bit of a mess, to put it mildly. But, it's a bug that only seems to have showed up in 4.20 but wasn't noticed until now, because nobody uses MPX. MPX has the arch_unmap() hook inside of munmap() because MPX uses bounds tables that protect other areas of memory. When memory is unmapped, there is also a need to unmap the MPX bounds tables. Barring this, unused bounds tables can eat 80% of the address space. But, the recursive do_munmap() that gets called vi arch_unmap() wreaks havoc with __do_munmap()'s state. It can result in freeing populated page tables, accessing bogus VMA state, double-freed VMAs and more. See the "long story" further below for the gory details. To fix this, call arch_unmap() before __do_unmap() has a chance to do anything meaningful. Also, remove the 'vma' argument and force the MPX code to do its own, independent VMA lookup. == UML / unicore32 impact == Remove unused 'vma' argument to arch_unmap(). No functional change. I compile tested this on UML but not unicore32. == powerpc impact == powerpc uses arch_unmap() well to watch for munmap() on the VDSO and zeroes out 'current->mm->context.vdso_base'. Moving arch_unmap() makes this happen earlier in __do_munmap(). But, 'vdso_base' seems to only be used in perf and in the signal delivery that happens near the return to userspace. I can not find any likely impact to powerpc, other than the zeroing happening a little earlier. powerpc does not use the 'vma' argument and is unaffected by its removal. I compile-tested a 64-bit powerpc defconfig. == x86 impact == For the common success case this is functionally identical to what was there before. For the munmap() failure case, it's possible that some MPX tables will be zapped for memory that continues to be in use. But, this is an extraordinarily unlikely scenario and the harm would be that MPX provides no protection since the bounds table got reset (zeroed). I can't imagine anyone doing this: ptr = mmap(); // use ptr ret = munmap(ptr); if (ret) // oh, there was an error, I'll // keep using ptr. Because if you're doing munmap(), you are *done* with the memory. There's probably no good data in there _anyway_. This passes the original reproducer from Richard Biener as well as the existing mpx selftests/. The long story: munmap() has a couple of pieces: 1. Find the affected VMA(s) 2. Split the start/end one(s) if neceesary 3. Pull the VMAs out of the rbtree 4. Actually zap the memory via unmap_region(), including freeing page tables (or queueing them to be freed). 5. Fix up some of the accounting (like fput()) and actually free the VMA itself. This specific ordering was actually introduced by: |
||
---|---|---|
.. | ||
assembler.h | ||
barrier.h | ||
bitops.h | ||
bug.h | ||
cache.h | ||
cacheflush.h | ||
checksum.h | ||
cmpxchg.h | ||
cpu-single.h | ||
cputype.h | ||
delay.h | ||
dma.h | ||
elf.h | ||
fpstate.h | ||
fpu-ucf64.h | ||
gpio.h | ||
hwcap.h | ||
hwdef-copro.h | ||
io.h | ||
irq.h | ||
irqflags.h | ||
Kbuild | ||
linkage.h | ||
memblock.h | ||
memory.h | ||
mmu_context.h | ||
mmu.h | ||
page.h | ||
pci.h | ||
pgalloc.h | ||
pgtable-hwdef.h | ||
pgtable.h | ||
processor.h | ||
ptrace.h | ||
stacktrace.h | ||
string.h | ||
suspend.h | ||
switch_to.h | ||
thread_info.h | ||
timex.h | ||
tlb.h | ||
tlbflush.h | ||
traps.h | ||
uaccess.h |