From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 60F8FC433EF for ; Mon, 25 Jul 2022 09:08:07 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id D1EBD94000B; Mon, 25 Jul 2022 05:08:06 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id CCE058E0001; Mon, 25 Jul 2022 05:08:06 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id BBCEA94000B; Mon, 25 Jul 2022 05:08:06 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14]) by kanga.kvack.org (Postfix) with ESMTP id AB8818E0001 for ; Mon, 25 Jul 2022 05:08:06 -0400 (EDT) Received: from smtpin11.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay03.hostedemail.com (Postfix) with ESMTP id 7CBB5A0443 for ; Mon, 25 Jul 2022 09:08:06 +0000 (UTC) X-FDA: 79725045372.11.A4645EE Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by imf03.hostedemail.com (Postfix) with ESMTP id E0C6720093 for ; Mon, 25 Jul 2022 09:08:03 +0000 (UTC) Received: from canpemm500002.china.huawei.com (unknown [172.30.72.56]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4LrvH66qcgzGpVV; Mon, 25 Jul 2022 17:04:02 +0800 (CST) Received: from [10.174.177.76] (10.174.177.76) by canpemm500002.china.huawei.com (7.192.104.244) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Mon, 25 Jul 2022 17:07:54 +0800 From: Miaohe Lin Subject: [bug report] mm/hugetlb: possible data leak with huge pmd sharing To: Linux-MM , linux-kernel CC: Andrew Morton , Mike Kravetz , Muchun Song Message-ID: <025b3ea6-4b26-f091-5464-0eef5aac7719@huawei.com> Date: Mon, 25 Jul 2022 17:07:54 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.174.177.76] X-ClientProxiedBy: dggems706-chm.china.huawei.com (10.3.19.183) To canpemm500002.china.huawei.com (7.192.104.244) X-CFilter-Loop: Reflected ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1658740084; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:in-reply-to: references; bh=5BqIWFVw/O65jDTE/9rbrGIEDMqUancQ+9ufzCWrrSI=; b=Ae2AcA63NVE+b0hdHzNQcfcdLkwvbMqGyUzKA8ZuBlj/CUfDOAwzYcwbNIDMuKSgl5Jb/o fDHwvpqvfcnIpqzPcRMOP2fdOiwjQeEOrwH1HpkXdGjJBXn6bdxTyw1LFUgD1ScMHIT5vS 4OoJ321XwXfqd0RqZ/6ESxwyr7MhZII= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1658740084; a=rsa-sha256; cv=none; b=Nh/ylu2kkMpaJvPrKLREH8RIFS+giljJjfptd4EsABoFF+BYpQtMLCcG1PyNtRybb9C2JD 03oah4y6sZQ4IDPmUAlbfjH0WpFW8poTg30zE0U6sOIgSkOPJ/YN1l4URLbogiavK5r/9u DujQc5VY8SVR3c0NSFikVLUX96ajVA0= ARC-Authentication-Results: i=1; imf03.hostedemail.com; dkim=none; dmarc=pass (policy=quarantine) header.from=huawei.com; spf=pass (imf03.hostedemail.com: domain of linmiaohe@huawei.com designates 45.249.212.188 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com Authentication-Results: imf03.hostedemail.com; dkim=none; dmarc=pass (policy=quarantine) header.from=huawei.com; spf=pass (imf03.hostedemail.com: domain of linmiaohe@huawei.com designates 45.249.212.188 as permitted sender) smtp.mailfrom=linmiaohe@huawei.com X-Rspam-User: X-Rspamd-Queue-Id: E0C6720093 X-Rspamd-Server: rspam06 X-Stat-Signature: 53t7br5pkxna3hf9x1pkqkbfhepr464y X-HE-Tag: 1658740083-319099 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000112, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: Hi all: When I investigate the mm/hugetlb code, I found there's a possible data leak issue with huge pmd sharing. Thank about the below scene: 1. Process A and process B shares huge pmd page.(vm_flags: VM_MAYSHARE but !VM_SHARED) 2. Process A write fault a hugetlb page. As vm_flags is !VM_SHARED, a private copy of hugetlb page will be installed in the pagetable via hugetlb_wp. 3. Process A writes private data into hugetlb page. 4. Process B can read process A's private data since hugetlb page is shared through huge pmd sharing... I think the above scene is possible. If so, huge pmd sharing for !VM_SHARED should be disabled to fix this issue? Or am I miss something about hugetlb huge pmd sharing? Any response would be appreciated. Thanks! :)