From patchwork Wed Jul 5 12:34:14 2023
X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo
X-Patchwork-Id: 1803663
From: Thadeu Lima de Souza Cascardo
To: kernel-team@lists.ubuntu.com
Subject: [SRU Lunar 02/13] mm: make the page fault mmap locking killable
Date: Wed, 5 Jul 2023 09:34:14 -0300
Message-Id: <20230705123425.764300-17-cascardo@canonical.com>
In-Reply-To: <20230705123425.764300-1-cascardo@canonical.com>
References: <20230705123425.764300-1-cascardo@canonical.com>

From: Linus Torvalds

This is done as a separate patch from introducing the new
lock_mm_and_find_vma() helper, because while it's an obvious change,
it's not what x86 used to do in this area.

We already abort the page fault on fatal signals anyway, so why should
we wait for the mmap lock only to then abort later? With the new helper
function that returns without the lock held on failure anyway, this is
particularly easy and straightforward.

Signed-off-by: Linus Torvalds
(cherry picked from commit eda0047296a16d65a7f2bc60a408f70d178b2014)
CVE-2023-3269
Signed-off-by: Thadeu Lima de Souza Cascardo
---
 mm/memory.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/mm/memory.c b/mm/memory.c index 09c030386ab0..5697af462cd0 100644 --- a/mm/memory.c 
+++ b/mm/memory.c @@ -5273,8 +5273,7 @@ static inline bool get_mmap_lock_carefully(struct mm_struct *mm, struct pt_regs return false; } - mmap_read_lock(mm); - return true; + return !mmap_read_lock_killable(mm); } static inline bool mmap_upgrade_trylock(struct mm_struct *mm) @@ -5298,8 +5297,7 @@ static inline bool upgrade_mmap_lock_carefully(struct mm_struct *mm, struct pt_r if (!search_exception_tables(ip)) return false; } - mmap_write_lock(mm); - return true; + return !mmap_write_lock_killable(mm); } /*
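Review bot: in get_mmap_lock_carefully(), the new "return !mmap_read_lock_killable(mm);" folds the killable lock's nonzero return into the same false that the function already returns on the earlier bail-out path visible in the context, so a caller cannot tell "interrupted by a fatal signal" apart from that refusal. This is consistent with the commit message (the fault is aborted on fatal signals anyway), but a short comment above the function stating that false now also covers the fatal-signal case, with the lock not held, would keep future callers from treating every false as a bad kernel-mode access.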
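Review bot: in upgrade_mmap_lock_carefully(), the bare negation in "return !mmap_write_lock_killable(mm);" depends on the reader knowing that the killable lock returns 0 on success and a negative errno when interrupted. Writing it as "return mmap_write_lock_killable(mm) == 0;" or adding a one-line comment would make the int-to-bool conversion explicit. A comment that the write lock is not held when this returns false would also help, since the commit message relies on the helper returning without the lock on failure.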