Date: Mon, 7 Dec 2020 18:22:00 -0800
From: Andrew Morton
To: Oscar Salvador
Cc: n-horiguchi@ah.jp.nec.com, vbabka@suse.cz, dan.j.williams@intel.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] mm,memory_failure: Always pin the page in madvise_inject_error
Message-Id: <20201207182200.21f97d90211c78609ffd7351@linux-foundation.org>
In-Reply-To: <20201207094818.8518-1-osalvador@suse.de>
References: <20201207094818.8518-1-osalvador@suse.de>

On Mon, 7 Dec 2020 10:48:18 +0100 Oscar Salvador wrote:

> madvise_inject_error() uses get_user_pages_fast to translate the
> address we specified to a page.
> After [1], we drop the extra reference count for memory_failure() path.
> That commit says that memory_failure wanted to keep the pin in order
> to take the page out of circulation.
>
> The truth is that we need to keep the page pinned, otherwise the
> page might be re-used after the put_page() and we can end up messing
> with someone else's memory.
>
> E.g:
>
> CPU0
> process X                              CPU1
>  madvise_inject_error
>   get_user_pages
>    put_page
>                                        page gets reclaimed
>                                        process Y allocates the page
>   memory_failure
>    // We mess with process Y memory
>
> madvise() is meant to operate on a self address space, so messing with
> pages that do not belong to us seems the wrong thing to do.
> To avoid that, let us keep the page pinned for memory_failure as well.
>
> Pages for DAX mappings will release this extra refcount in
> memory_failure_dev_pagemap.

Does the bug have any known user-visible effects?  Is a deliberate
exploit conceivable?  IOW, cc:stable and if so, why?
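The race in the quoted commit message, modelled as an added user-space C example (this is not code from the thread or from the kernel; the page pool, the gup_pin/put_page helpers, reclaim_all and the memory_failure() stand-in are hypothetical simplifications, not kernel APIs). It shows what the pin buys: reclaim skips a page whose refcount is still raised, so the later memory_failure() call lands on process X's page; with the reference dropped first, the same page has already been handed to process Y.

```c
/*
 * Added example, not from the thread or the kernel: a user-space model of
 * the race in the quoted commit message. All names here (pool, gup_pin,
 * reclaim_all, the memory_failure() stand-in) are hypothetical
 * simplifications, not kernel APIs.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NPAGES   4
#define NO_OWNER (-1)

struct page {
    int  refcount;  /* pins held; reclaim must leave refcount > 0 pages alone */
    int  owner;     /* process id whose mapping uses this page, or NO_OWNER */
    bool poisoned;  /* set by the memory_failure() stand-in */
};

static struct page pool[NPAGES];

static void pool_reset(void)
{
    memset(pool, 0, sizeof pool);
    for (int i = 0; i < NPAGES; i++)
        pool[i].owner = NO_OWNER;
}

/* Hand the first unowned, unpinned page to `owner`; -1 if none is free. */
static int page_alloc(int owner)
{
    for (int i = 0; i < NPAGES; i++)
        if (pool[i].owner == NO_OWNER && pool[i].refcount == 0)
            return pool[i].owner = owner, i;
    return -1;
}

/* get_user_pages stand-in: find the page mapped by `owner`, take a pin. */
static int gup_pin(int owner)
{
    for (int i = 0; i < NPAGES; i++)
        if (pool[i].owner == owner)
            return pool[i].refcount++, i;
    return -1;
}

/* put_page stand-in: drop one pin. */
static void put_page(int idx)
{
    pool[idx].refcount--;
}

/* Reclaim stand-in: unmap every page nobody holds a pin on so the allocator
 * can reuse it. A pinned page is skipped; that is the point of the pin. */
static void reclaim_all(void)
{
    for (int i = 0; i < NPAGES; i++)
        if (pool[i].refcount == 0)
            pool[i].owner = NO_OWNER;
}

/* memory_failure stand-in: poison the page, report whose page was hit. */
static int memory_failure(int idx)
{
    pool[idx].poisoned = true;
    return pool[idx].owner;
}

/* Buggy ordering from the commit message: the pin is dropped before
 * memory_failure() runs and another process gets the page in between. */
static int inject_buggy(int x, int y)
{
    int idx = gup_pin(x);
    put_page(idx);                 /* CPU0: reference dropped */
    reclaim_all();                 /* CPU1: page gets reclaimed */
    (void)page_alloc(y);           /* CPU1: process Y allocates the page */
    return memory_failure(idx);    /* CPU0: poisons Y's page */
}

/* Fixed ordering: the pin is held until memory_failure() has the page. */
static int inject_fixed(int x, int y)
{
    int idx = gup_pin(x);
    reclaim_all();                 /* pinned page is skipped */
    (void)page_alloc(y);           /* Y gets a different page */
    int hit = memory_failure(idx);
    put_page(idx);
    return hit;
}

/* Process X (id 1) owns one page, process Y (id 2) none yet. Returns the
 * id of the process whose page memory_failure() ended up poisoning. */
static int run_scenario(bool fixed)
{
    const int x = 1, y = 2;
    pool_reset();
    (void)page_alloc(x);
    return fixed ? inject_fixed(x, y) : inject_buggy(x, y);
}

int main(void)
{
    printf("buggy: poisoned page belongs to process %d\n", run_scenario(false));
    printf("fixed: poisoned page belongs to process %d\n", run_scenario(true));
    return 0;
}
```

The model deliberately serialises the two CPUs so the interleaving from the commit message happens every time; in the kernel the window is a real race. It also has no equivalent of the DAX path the commit message mentions, where the extra reference is released in memory_failure_dev_pagemap.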