Message-ID: <64ec7939-0733-7925-0ec0-d333e62c5f21@suse.cz>
Date: Thu, 23 Mar 2023 11:11:40 +0100
Subject: Re: [v4 PATCH] fs/proc: task_mmu.c: don't read mapcount for migration entry
To: David Hildenbrand , Yang Shi , kirill.shutemov@linux.intel.com, jannh@google.com, willy@infradead.org, akpm@linux-foundation.org
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
References: <20220203182641.824731-1-shy828301@gmail.com> <132ba4a4-3b1d-329d-1db4-f102eea2fd08@suse.cz> <9ba70a5e-4e12-0e9f-a6a4-d955bf25d0fe@redhat.com>
From: Vlastimil Babka
In-Reply-To: <9ba70a5e-4e12-0e9f-a6a4-d955bf25d0fe@redhat.com>

On 3/23/23 11:08, David Hildenbrand wrote:
> On 23.03.23 10:52, Vlastimil Babka wrote:
>> On 2/3/22 19:26, Yang Shi wrote:
>>> --- a/fs/proc/task_mmu.c
>>> +++ b/fs/proc/task_mmu.c
>>> @@ -440,7 +440,8 @@ static void smaps_page_accumulate(struct mem_size_stats *mss,
>>> }
>>>
>>> static void smaps_account(struct mem_size_stats *mss, struct page *page,
>>> - bool compound, bool young, bool dirty, bool locked)
>>> + bool compound, bool young, bool dirty, bool locked,
>>> + bool migration)
>>> {
>>> int i, nr = compound ? compound_nr(page) : 1;
>>> unsigned long size = nr * PAGE_SIZE;
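Review bot: the signature change leaves smaps_account() with five consecutive bool parameters (compound, young, dirty, locked, migration), and none of the call sites that must now pass the extra argument appear in this hunk; a transposed argument would compile silently, so please include the updated callers in the diff and add a one-line comment above the definition stating which callers pass migration=true and on what basis.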
>>> @@ -467,8 +468,15 @@ static void smaps_account(struct mem_size_stats *mss, struct page *page,
>>> * page_count(page) == 1 guarantees the page is mapped exactly once.
>>> * If any subpage of the compound page mapped with PTE it would elevate
>>> * page_count().
>>> + *
>>> + * The page_mapcount() is called to get a snapshot of the mapcount.
>>> + * Without holding the page lock this snapshot can be slightly wrong as
>>> + * we cannot always read the mapcount atomically. It is not safe to
>>> + * call page_mapcount() even with PTL held if the page is not mapped,
>>> + * especially for migration entries. Treat regular migration entries
>>> + * as mapcount == 1.
>>> */
>>> - if (page_count(page) == 1) {
>>> + if ((page_count(page) == 1) || migration) {
>>
>> Since this is now apparently a CVE-2023-1582 for whatever RHeasons...
>>
>> wonder if the patch actually works as intended when
>> (page_count() || migration) is in this particular order and not the other one?
>
> Only the page_mapcount() call to a page that should be problematic, not
> the page_count() call. There might be the rare chance of the page

Oh right, page_mapcount() vs page_count(), I need more coffee.

> getting removed due to memory offlining... but we're still holding the
> page table lock with the migration entry, so we should be protected
> against that.
>
> Regarding the CVE, IIUC the main reason for the CVE should be
> RHEL-specific -- which behaves differently than other code bases; for
> other code bases, it's just a way to trigger a BUG_ON as described here.

That's good to know so at least my bogus mail was useful for that, thanks!
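Review bot: the added comment says "Treat regular migration entries as mapcount == 1" while the condition tests a bare `migration` flag, so nothing in the hunk shows what a non-regular migration entry would be or that callers exclude it; either drop "regular" or state in the comment which entries the callers pass as migration=true. The page_mapcount() call the comment is protecting is in the else branch, which falls outside the shown context, so extending the hunk a few lines past `if ((page_count(page) == 1) || migration) {` would let a reader confirm the claim without opening the file.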