From: Jann Horn
Date: Tue, 10 Mar 2020 19:08:28 +0100
Subject: interaction of MADV_PAGEOUT with CoW anonymous mappings?
To: Minchan Kim
Cc: Michal Hocko, Linux-MM, kernel list, Daniel Colascione, Dave Hansen, "Joel Fernandes (Google)"

Hi!

From looking at the source code, it looks to me as if using MADV_PAGEOUT on a CoW anonymous mapping will page out the page if possible, even if other processes still have the same page mapped. Is that correct?

If so, that's probably bad in environments where many processes (with different privileges) are forked from a single zygote process (like Android and Chrome), I think? If you accidentally call it on a CoW anonymous mapping with shared pages, you'll degrade the performance of other processes. And if an attacker does it intentionally, they could use that to aid with exploiting race conditions or weird microarchitectural stuff (e.g. the new https://lviattack.eu/lvi.pdf talks about "the assumption that attackers can provoke page faults or microcode assists for (arbitrary) load operations in the victim domain").

Should madvise_cold_or_pageout_pte_range() maybe refuse to operate on pages with mapcount>1, or something like that? Or does it already do that, and I just missed the check?
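A probe, added here and not part of Jann Horn's mail or of the kernel tree, that checks the behaviour the mail asks about on the running kernel: the parent and a forked child share one CoW anonymous page, the child calls MADV_PAGEOUT on it, and the parent then uses mincore() to see whether its own copy was reclaimed. The struct and function names are constructed; the fallback MADV_PAGEOUT value 21 is the Linux one and is used only when the libc headers predate it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef MADV_PAGEOUT
#define MADV_PAGEOUT 21   /* value introduced in Linux 5.4; older headers lack it */
#endif

/* Constructed result record for the probe (not a kernel or libc type). */
struct pageout_probe {
    int resident_before;  /* 1 if the parent's page was resident before the child's madvise */
    int resident_after;   /* 1 if still resident afterwards, 0 if it was reclaimed */
    int madvise_errno;    /* 0 if the child's madvise succeeded, else its errno */
};

/* 1 if the page at addr is resident, 0 if not, -1 if mincore() fails. */
static int page_resident(void *addr, size_t pagesz)
{
    unsigned char vec = 0;
    if (mincore(addr, pagesz, &vec) != 0)
        return -1;
    return vec & 1;
}

/* Forks a child sharing one CoW anonymous page with the parent; the child calls
 * MADV_PAGEOUT on it and the parent then inspects its own mapping. Returns 0 when
 * every step ran (whatever the kernel decided), -1 on mmap/fork/wait failure. */
int run_pageout_probe(struct pageout_probe *out)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    char *p = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    memset(p, 0x41, pagesz);   /* fault the page in before fork(): after fork its mapcount is 2 */
    out->resident_before = page_resident(p, pagesz);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {            /* child: read only, so the CoW sharing is not broken */
        volatile char sink = p[0]; (void)sink;
        _exit(madvise(p, pagesz, MADV_PAGEOUT) == 0 ? 0 : errno);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    out->madvise_errno = WEXITSTATUS(status);
    out->resident_after = page_resident(p, pagesz);
    munmap(p, pagesz);
    return 0;
}
```

A resident_after of 1 means the kernel left the parent's shared page in place (or could not reclaim it, e.g. because no swap is configured), while 0 means the child's advice evicted the page from the parent as well; madvise_errno of EINVAL indicates a kernel without MADV_PAGEOUT support.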