From: "HORIGUCHI NAOYA(堀口 直也)" <naoya.horiguchi@nec.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Oscar Salvador <osalvador@suse.de>,
"n-horiguchi@ah.jp.nec.com" <n-horiguchi@ah.jp.nec.com>,
"vbabka@suse.cz" <vbabka@suse.cz>,
"dan.j.williams@intel.com" <dan.j.williams@intel.com>,
"linux-mm@kvack.org" <linux-mm@kvack.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] mm,memory_failure: Always pin the page in madvise_inject_error
Date: Tue, 8 Dec 2020 02:34:46 +0000 [thread overview]
Message-ID: <20201208023446.GA10757@hori.linux.bs1.fc.nec.co.jp> (raw)
In-Reply-To: <20201207182200.21f97d90211c78609ffd7351@linux-foundation.org>
On Mon, Dec 07, 2020 at 06:22:00PM -0800, Andrew Morton wrote:
> On Mon, 7 Dec 2020 10:48:18 +0100 Oscar Salvador <osalvador@suse.de> wrote:
>
> > madvise_inject_error() uses get_user_pages_fast to translate the
> > address we specified to a page.
> > After [1], we drop the extra reference count for memory_failure() path.
> > That commit says that memory_failure wanted to keep the pin in order
> > to take the page out of circulation.
> >
> > The truth is that we need to keep the page pinned, otherwise the
> > page might be re-used after the put_page() and we can end up messing
> > with someone else's memory.
> >
> > E.g:
> >
> > CPU0
> > process X CPU1
> > madvise_inject_error
> > get_user_pages
> > put_page
> > page gets reclaimed
> > process Y allocates the page
> > memory_failure
> > // We mess with process Y memory
> >
> > madvise() is meant to operate on a self address space, so messing with
> > pages that do not belong to us seems the wrong thing to do.
> > To avoid that, let us keep the page pinned for memory_failure as well.
> >
> > Pages for DAX mappings will release this extra refcount in
> > memory_failure_dev_pagemap.
>
> Does the bug have any known user-visible effects? Is a deliberate
> exploit conceivable?
>
> IOW, cc:stable and if so, why?
This interface is a testing feature and only available only for privileged
(CAP_SYS_ADMIN) users, so I don't think that this bug is critical. But if
someone think it need to go to stable, I'm fine with that.
Thanks,
Naoya Horiguchi
next prev parent reply other threads:[~2020-12-08 2:34 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-07 9:48 Oscar Salvador
2020-12-08 2:22 ` Andrew Morton
2020-12-08 2:34 ` HORIGUCHI NAOYA(堀口 直也) [this message]
2020-12-08 2:35 ` HORIGUCHI NAOYA(堀口 直也)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201208023446.GA10757@hori.linux.bs1.fc.nec.co.jp \
--to=naoya.horiguchi@nec.com \
--cc=akpm@linux-foundation.org \
--cc=dan.j.williams@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=n-horiguchi@ah.jp.nec.com \
--cc=osalvador@suse.de \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox