Page MenuHomeFreeBSD
Differential D19615

vm_fault_copy_entry: accept invalid source pages.
ClosedPublic
Actions

Authored by kib on Mar 17 2019, 8:21 PM.
Tags
None
Referenced Files
Unknown Object (File)
Wed, Jan 8, 7:03 PM
Unknown Object (File)
Tue, Dec 31, 10:30 AM
Unknown Object (File)
Oct 16 2024, 6:26 PM
Unknown Object (File)
Oct 6 2024, 9:00 PM
Unknown Object (File)
Oct 1 2024, 5:23 AM
Unknown Object (File)
Oct 1 2024, 4:16 AM
Unknown Object (File)
Sep 26 2024, 5:21 PM
Unknown Object (File)
Sep 24 2024, 9:49 AM
View All 43 Files
Subscribers
emaste
imp
pho

Details

Reviewers
alc
markj
Commits
rS345324: vm_fault_copy_entry: accept invalid source pages.
Summary

Either msync(MS_INVALIDATE) or the object unlock during vnode truncation can expose invalid pages backing wired entries. Accept them, but do not install them into destrination pmap. We must create copied pages in the copy case, because e.g. vm_object_unwire() expects that the entry is fully backed.

Reported by: syzkaller, via emaste
Reported by: syzbot+514d40ce757a3f8b15bc@syzkaller.appspotmail.com

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kib created this revision.Mar 17 2019, 8:21 PM
Herald added a subscriber: imp. · View Herald TranscriptMar 17 2019, 8:21 PM
Harbormaster completed remote builds in B23148: Diff 55174.Mar 17 2019, 8:21 PM
emaste added a comment.Mar 18 2019, 1:49 AM

Assuming it was this report panic: invalid dst page 0xfffff8007f14af98 https://syzkaller.appspot.com/bug?id=de0b1fa4863a64133877eb032d3ef876cb70d00a, eventual commit message should contain Reported-by: syzbot+514d40ce757a3f8b15bc@syzkaller.appspotmail.com

markj added inline comments.Mar 18 2019, 3:11 AM
sys/vm/vm_fault.c
1759 ↗(On Diff #55174)

Should we zero the invalid region? Otherwise I don't see the purpose of zeroing a completely invalid page.

1785 ↗(On Diff #55174)

"truncated the backing vnode or shared memory object"

kib marked an inline comment as done.Mar 18 2019, 2:39 PM
kib added inline comments.
sys/vm/vm_fault.c
1759 ↗(On Diff #55174)

I believe this already have been done for src_m, otherwise it is problematic as is. I mean that dst_m is not worse than src_m.

kib edited the summary of this revision. (Show Details)Mar 18 2019, 2:40 PM
markj accepted this revision.Mar 18 2019, 2:47 PM
In D19615#420052, @emaste wrote:

Assuming it was this report panic: invalid dst page 0xfffff8007f14af98 https://syzkaller.appspot.com/bug?id=de0b1fa4863a64133877eb032d3ef876cb70d00a, eventual commit message should contain Reported-by: syzbot+514d40ce757a3f8b15bc@syzkaller.appspotmail.com

Dmitry noted that you shouldn't need the dash, i.e., "Reported by: syzbot+514d40ce757a3f8b15bc@syzkaller.appspotmail.com" is fine.

sys/vm/vm_fault.c
1759 ↗(On Diff #55174)

I don't see the point in checking src_m->valid != 0 then.

This revision is now accepted and ready to land.Mar 18 2019, 2:47 PM
markj added inline comments.Mar 18 2019, 2:48 PM
sys/vm/vm_fault.c
1759 ↗(On Diff #55174)

I mean, I understand that partially valid pages have zero invalid regions, but we are not mapping the page unless it is completely valid.

emaste added a comment.Mar 18 2019, 2:50 PM
In D19615#420152, @markj wrote:

Dmitry noted that you shouldn't need the dash, i.e., "Reported by: syzbot+514d40ce757a3f8b15bc@syzkaller.appspotmail.com" is fine.

Indeed, I just cut and pasted the string from the report.

kib edited the summary of this revision. (Show Details)Mar 18 2019, 5:18 PM
kib updated this revision to Diff 55199.Mar 18 2019, 5:25 PM

Unconditionally copy src_m to dst_m (ignore valid bits).
Update comment.

This revision now requires review to proceed.Mar 18 2019, 5:25 PM
Harbormaster completed remote builds in B23163: Diff 55199.Mar 18 2019, 5:25 PM
emaste added a comment.Mar 18 2019, 6:54 PM

Reported by: emaste using syzcaller

Perhaps more correct as "Reported by: syzkaller, via emaste" - this was reported by Google's public syzkaller while "emaste using syzkaller" implies it's something I directly did myself.

markj accepted this revision.EditedMar 18 2019, 7:05 PM

I'm writing a few test cases for mlock as part of the user wiring work. I added one which does the following:

  1. truncate an empty file to 4KB
  2. map the file and mlock the mapping
  3. write some non-zero bytes to the mapping
  4. truncate the file to 0
  5. truncate the file to 4KB
  6. verify that the mapping is zero-filled

Step 5 does not preemptively fault in pages, which is technically a violation of mlock()'s contract.

This revision is now accepted and ready to land.Mar 18 2019, 7:05 PM
kib edited the summary of this revision. (Show Details)Mar 18 2019, 7:32 PM
kib added a subscriber: pho.

Peter, could you, please, test this change ?

pho added a comment.Mar 20 2019, 5:29 AM
In D19615#420270, @kib wrote:

Peter, could you, please, test this change ?

I ran all of the stress2 tests + a buildworld on amd64. No problems seen.

Closed by commit rS345324: vm_fault_copy_entry: accept invalid source pages. (authored by kib). · Explain WhyMar 20 2019, 1:08 PM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
head/
sys/
vm/
18 lines

Diff 55278

View Options

head/sys/vm/vm_fault.c

Loading...