Fixes for 5.6

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.6/mm-check-that-mm-is-still-valid-in-madvise.patch b/queue-5.6/mm-check-that-mm-is-still-valid-in-madvise.patch
new file mode 100644 (file)
index 0000000..9307899
--- /dev/null
+++ b/queue-5.6/mm-check-that-mm-is-still-valid-in-madvise.patch
@@ -0,0 +1,77 @@
+From ec02221ee83bde910fd02c9e03345d8bed25898b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Apr 2020 11:10:58 -0700
+Subject: mm: check that mm is still valid in madvise()
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+[ Upstream commit bc0c4d1e176eeb614dc8734fc3ace34292771f11 ]
+
+IORING_OP_MADVISE can end up basically doing mprotect() on the VM of
+another process, which means that it can race with our crazy core dump
+handling which accesses the VM state without holding the mmap_sem
+(because it incorrectly thinks that it is the final user).
+
+This is clearly a core dumping problem, but we've never fixed it the
+right way, and instead have the notion of "check that the mm is still
+ok" using mmget_still_valid() after getting the mmap_sem for writing in
+any situation where we're not the original VM thread.
+
+See commit 04f5866e41fb ("coredump: fix race condition between
+mmget_not_zero()/get_task_mm() and core dumping") for more background on
+this whole mmget_still_valid() thing.  You might want to have a barf bag
+handy when you do.
+
+We're discussing just fixing this properly in the only remaining core
+dumping routines.  But even if we do that, let's make do_madvise() do
+the right thing, and then when we fix core dumping, we can remove all
+these mmget_still_valid() checks.
+
+Reported-and-tested-by: Jann Horn <jannh@google.com>
+Fixes: c1ca757bd6f4 ("io_uring: add IORING_OP_MADVISE")
+Acked-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/madvise.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/mm/madvise.c b/mm/madvise.c
+index 4bb30ed6c8d21..8cbd8c1bfe159 100644
+--- a/mm/madvise.c
++++ b/mm/madvise.c
+@@ -27,6 +27,7 @@
+ #include <linux/swapops.h>
+ #include <linux/shmem_fs.h>
+ #include <linux/mmu_notifier.h>
++#include <linux/sched/mm.h>
+ 
+ #include <asm/tlb.h>
+ 
+@@ -1090,6 +1091,23 @@ int do_madvise(unsigned long start, size_t len_in, int behavior)
+       if (write) {
+               if (down_write_killable(&current->mm->mmap_sem))
+                       return -EINTR;
++
++              /*
++               * We may have stolen the mm from another process
++               * that is undergoing core dumping.
++               *
++               * Right now that's io_ring, in the future it may
++               * be remote process management and not "current"
++               * at all.
++               *
++               * We need to fix core dumping to not do this,
++               * but for now we have the mmget_still_valid()
++               * model.
++               */
++              if (!mmget_still_valid(current->mm)) {
++                      up_write(&current->mm->mmap_sem);
++                      return -EINTR;
++              }
+       } else {
+               down_read(&current->mm->mmap_sem);
+       }
+-- 
+2.20.1
+

diff --git a/queue-5.6/series b/queue-5.6/series
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..c967a0a347edc3eee8093c37a79eb1cae6b6031f 100644 (file)
--- a/queue-5.6/series
+++ b/queue-5.6/series
@@ -0,0 +1 @@
+mm-check-that-mm-is-still-valid-in-madvise.patch