From: Pasha Tatashin <pasha.tatashin@soleen.com>
To: John Hubbard <jhubbard@nvidia.com>
Cc: LKML <linux-kernel@vger.kernel.org>,
linux-mm <linux-mm@kvack.org>,
linux-m68k@lists.linux-m68k.org,
Anshuman Khandual <anshuman.khandual@arm.com>,
Matthew Wilcox <willy@infradead.org>,
Andrew Morton <akpm@linux-foundation.org>,
william.kucharski@oracle.com,
Mike Kravetz <mike.kravetz@oracle.com>,
Vlastimil Babka <vbabka@suse.cz>,
Geert Uytterhoeven <geert@linux-m68k.org>,
schmitzmic@gmail.com, Steven Rostedt <rostedt@goodmis.org>,
Ingo Molnar <mingo@redhat.com>,
Johannes Weiner <hannes@cmpxchg.org>,
Roman Gushchin <guro@fb.com>,
Muchun Song <songmuchun@bytedance.com>,
weixugc@google.com, Greg Thelen <gthelen@google.com>
Subject: Re: [RFC 3/8] mm: Avoid using set_page_count() in set_page_recounted()
Date: Wed, 27 Oct 2021 14:27:01 -0400 [thread overview]
Message-ID: <CA+CK2bBiomTe-vOuxM_R+0CMAippyrfZ6AgpXQGqps3ZFQCtRA@mail.gmail.com> (raw)
In-Reply-To: <b346cafd-d8b8-57a4-c7b9-6574b256a400@nvidia.com>
On Wed, Oct 27, 2021 at 1:12 AM John Hubbard <jhubbard@nvidia.com> wrote:
>
> On 10/26/21 11:21, Pasha Tatashin wrote:
> > It must return the same thing, if it does not we have a bug in our
> > kernel which may lead to memory corruptions and security holes.
> >
> > So today we have this:
> > VM_BUG_ON_PAGE(page_ref_count(page), page); -> check ref_count is 0
> > < What if something modified here? Hmm..>
> > set_page_count(page, 1); -> Yet we reset it to 1.
> >
> > With my proposed change:
> > VM_BUG_ON_PAGE(page_ref_count(page), page); -> check ref_count is 0
> > refcnt = page_ref_inc_return(page); -> ref_count better be 1.
> > VM_BUG_ON_PAGE(refcnt != 1, page); -> Verify that it is 1.
> >
>
> Yes, you are just repeating what the diffs say.
>
> But it's still not good to have this function name doing something completely
> different than its name indicates.
I see, I can rename it to: 'set_page_recounted/get_page_recounted' ?
>
> >>
> >> I understand where this patchset is going, but this intermediate step is
> >> not a good move.
> >>
> >> Also, for the overall series, if you want to change from
> >> "set_page_count()" to "inc_and_verify_val_equals_one()", then the way to
> >> do that is *not* to depend solely on VM_BUG*() to verify. Instead,
> >> return something like -EBUSY if incrementing the value results in a
> >> surprise, and let the caller decide how to handle it.
> >
> > Actually, -EBUSY would be OK if the problems were because we failed to
> > modify refcount for some reason, but if we modified refcount and got
> > an unexpected value (i.e underflow/overflow) we better report it right
> > away instead of waiting for memory corruption to happen.
> >
>
> Having the caller do the BUG() or VM_BUG*() is not a significant delay.
We cannot guarantee that new callers in the future will check return
values, the idea behind this work is to ensure that we are always
protected from refcount underflow/overflow and invalid refcount
modifications by set_refcount.
Pasha
next prev parent reply other threads:[~2021-10-27 18:27 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-26 17:38 [RFC 0/8] Hardening page _refcount Pasha Tatashin
2021-10-26 17:38 ` [RFC 1/8] mm: add overflow and underflow checks for page->_refcount Pasha Tatashin
2021-10-26 19:48 ` Matthew Wilcox
2021-10-26 21:34 ` Pasha Tatashin
2021-10-27 1:21 ` Pasha Tatashin
2021-10-27 3:04 ` Matthew Wilcox
2021-10-27 18:22 ` Pasha Tatashin
2021-10-27 7:46 ` Muchun Song
2021-10-27 18:22 ` Pasha Tatashin
2021-10-28 4:08 ` Muchun Song
2021-10-26 17:38 ` [RFC 2/8] mm/hugetlb: remove useless set_page_count() Pasha Tatashin
2021-10-26 18:44 ` Mike Kravetz
2021-10-26 18:50 ` Pasha Tatashin
2021-10-26 21:19 ` Mike Kravetz
2021-10-26 17:38 ` [RFC 3/8] mm: Avoid using set_page_count() in set_page_recounted() Pasha Tatashin
2021-10-26 17:53 ` John Hubbard
2021-10-26 18:01 ` John Hubbard
2021-10-26 18:14 ` Pasha Tatashin
2021-10-26 18:21 ` Pasha Tatashin
2021-10-27 5:12 ` John Hubbard
2021-10-27 18:27 ` Pasha Tatashin [this message]
2021-10-28 1:20 ` John Hubbard
2021-10-28 1:35 ` John Hubbard
2021-11-01 14:30 ` Pasha Tatashin
2021-11-01 19:35 ` John Hubbard
2021-11-01 14:22 ` Pasha Tatashin
2021-11-01 19:31 ` John Hubbard
2021-11-01 19:42 ` John Hubbard
2021-10-26 17:38 ` [RFC 4/8] mm: remove set_page_count() from page_frag_alloc_align Pasha Tatashin
2021-10-26 17:38 ` [RFC 5/8] mm: avoid using set_page_count() when pages are freed into allocator Pasha Tatashin
2021-10-26 17:38 ` [RFC 6/8] mm: rename init_page_count() -> page_ref_init() Pasha Tatashin
2021-10-27 6:46 ` Geert Uytterhoeven
2021-10-26 17:38 ` [RFC 7/8] mm: remove set_page_count() Pasha Tatashin
2021-10-26 17:38 ` [RFC 8/8] mm: simplify page_ref_* functions Pasha Tatashin
2021-10-26 18:23 ` [RFC 0/8] Hardening page _refcount Matthew Wilcox
2021-10-26 18:30 ` Pasha Tatashin
2021-10-26 20:13 ` Matthew Wilcox
2021-10-26 21:24 ` Pasha Tatashin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CA+CK2bBiomTe-vOuxM_R+0CMAippyrfZ6AgpXQGqps3ZFQCtRA@mail.gmail.com \
--to=pasha.tatashin@soleen.com \
--cc=akpm@linux-foundation.org \
--cc=anshuman.khandual@arm.com \
--cc=geert@linux-m68k.org \
--cc=gthelen@google.com \
--cc=guro@fb.com \
--cc=hannes@cmpxchg.org \
--cc=jhubbard@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-m68k@lists.linux-m68k.org \
--cc=linux-mm@kvack.org \
--cc=mike.kravetz@oracle.com \
--cc=mingo@redhat.com \
--cc=rostedt@goodmis.org \
--cc=schmitzmic@gmail.com \
--cc=songmuchun@bytedance.com \
--cc=vbabka@suse.cz \
--cc=weixugc@google.com \
--cc=william.kucharski@oracle.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox