From: Jann Horn
Date: Mon, 28 Nov 2022 18:57:58 +0100
Subject: Re: [PATCH v3 3/3] mm/khugepaged: Invoke MMU notifiers in shmem/file collapse paths
To: David Hildenbrand
Cc: security@kernel.org, Andrew Morton, Yang Shi, Peter Xu, John Hubbard, linux-kernel@vger.kernel.org, linux-mm@kvack.org
In-Reply-To: <66cfc9ba-868c-9620-fbfc-38931c76ff50@redhat.com>
References: <20221125213714.4115729-1-jannh@google.com> <20221125213714.4115729-3-jannh@google.com> <66cfc9ba-868c-9620-fbfc-38931c76ff50@redhat.com>

On Mon, Nov 28, 2022 at 6:37 PM David Hildenbrand wrote:
>
> On 25.11.22 22:37, Jann Horn wrote:
> > Any codepath that zaps page table entries must invoke MMU notifiers to
> > ensure that secondary MMUs (like KVM) don't keep accessing pages which
> > aren't mapped anymore. Secondary MMUs don't hold their own references to
> > pages that are mirrored over, so failing to notify them can lead to page
> > use-after-free.
> >
> > I'm marking this as addressing an issue introduced in commit f3f0e1d2150b
> > ("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of
> > the security impact of this only came in commit 27e1f8273113 ("khugepaged:
> > enable collapse pmd for pte-mapped THP"), which actually omitted flushes
> > for the removal of present PTEs, not just for the removal of empty page
> > tables.
> >
> > Cc: stable@kernel.org
> > Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages")
>
> I'm curious, do you have a working reproducer for this?

You're on the CC list of my bug report to security@kernel.org with title
"khugepaged races with rmap-based zap, races with GUP-fast, and fails to
call MMU notifiers". That has an attached reproducer
thp_ro_no_notify_kvm.c that is able to read PAGE_POISON out of freed file
THP pages through KVM.
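A userspace model of the invariant the quoted commit message states, added here as an illustration and not code from the patch, the kernel or the reproducer: a secondary MMU mirrors PTEs without taking page references, so a zap path that frees pages without invalidating the mirror leaves it reading freed (poisoned) memory, while a zap that notifies first leaves it faulting. All names, the pool and the poison value are constructed for the model.

```c
#include <string.h>

#define NR_PTES 4
#define PAGE_SZ 16
#define POISON  0xAA   /* stands in for PAGE_POISON: what a freed page reads as */

/* Fixed backing pool, so reading a "freed" page stays well-defined in this model. */
static unsigned char pool[NR_PTES][PAGE_SZ];
/* Primary page table (the process's PTEs): owns the pages it maps. */
static unsigned char *primary[NR_PTES];
/* Secondary MMU (stand-in for KVM): mirrors the same pointers, holds no references. */
static unsigned char *secondary[NR_PTES];

/* MMU-notifier callback: the secondary MMU drops every mapping in [start, end). */
static void notifier_invalidate_range(int start, int end)
{
    for (int i = start; i < end; i++)
        secondary[i] = NULL;
}

/* Map each page in the primary table and let the secondary MMU mirror it. */
static void map_and_mirror(void)
{
    for (int i = 0; i < NR_PTES; i++) {
        memset(pool[i], 'A' + i, PAGE_SZ);
        primary[i] = secondary[i] = pool[i];
    }
}

/* Buggy zap: clears PTEs and frees (poisons) pages, never notifies the secondary MMU. */
static void zap_range_no_notify(int start, int end)
{
    for (int i = start; i < end; i++) {
        unsigned char *page = primary[i];
        primary[i] = NULL;
        memset(page, POISON, PAGE_SZ);   /* page freed; secondary[i] still points here */
    }
}

/* Fixed zap: invalidate the mirror first (mmu_notifier_invalidate_range_start()),
 * then do the same zap; mmu_notifier_invalidate_range_end() would follow it. */
static void zap_range_notify(int start, int end)
{
    notifier_invalidate_range(start, end);
    zap_range_no_notify(start, end);
}

/* What the secondary MMU observes through its mirror of PTE i; -1 models a fault. */
static int secondary_read(int i)
{
    return secondary[i] ? secondary[i][0] : -1;
}
```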