From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jann Horn
Date: Fri, 6 Jun 2025 13:07:54 +0200
Subject: Re: [PATCH RFC v2] mm: use per_vma lock for MADV_DONTNEED
To: Lorenzo Stoakes
Cc: Qi Zheng, Barry Song <21cnbao@gmail.com>, akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, Barry Song, "Liam R. Howlett", David Hildenbrand, Vlastimil Babka, Suren Baghdasaryan, Lokesh Gidra, Tangquan Zheng
References: <20250530104439.64841-1-21cnbao@gmail.com> <0fb74598-1fee-428e-987b-c52276bfb975@bytedance.com> <3cb53060-9769-43f4-996d-355189df107d@bytedance.com>
Content-Type: text/plain; charset="UTF-8"

On Wed, Jun 4, 2025 at 7:50 PM Lorenzo Stoakes wrote:
> On Wed, Jun 04, 2025 at 02:02:12PM +0800, Qi Zheng wrote:
> > Hi Lorenzo,
> >
> > On 6/3/25 5:54 PM, Lorenzo Stoakes wrote:
> > > On Tue, Jun 03, 2025 at 03:24:28PM +0800, Qi Zheng wrote:
> > > > Hi Jann,
> > > >
> > > > On 5/30/25 10:06 PM, Jann Horn wrote:
> > > > > One important quirk of this is that it can, from what I can see, cause
> > > > > freeing of page tables (through pt_reclaim) without holding the mmap
> > > > > lock at all:
> > > > >
> > > > > do_madvise [behavior=MADV_DONTNEED]
> > > > >   madvise_lock
> > > > >     lock_vma_under_rcu
> > > > >   madvise_do_behavior
> > > > >     madvise_single_locked_vma
> > > > >       madvise_vma_behavior
> > > > >         madvise_dontneed_free
> > > > >           madvise_dontneed_single_vma
> > > > >             zap_page_range_single_batched [.reclaim_pt = true]
> > > > >               unmap_single_vma
> > > > >                 unmap_page_range
> > > > >                   zap_p4d_range
> > > > >                     zap_pud_range
> > > > >                       zap_pmd_range
> > > > >                         zap_pte_range
> > > > >                           try_get_and_clear_pmd
> > > > >                           free_pte
> > > > >
> > > > > This clashes with the assumption in walk_page_range_novma() that
> > > > > holding the mmap lock in write mode is sufficient to prevent
> > > > > concurrent page table freeing, so it can probably lead to page table
> > > > > UAF through the ptdump interface (see ptdump_walk_pgd()).
> > > >
> > > > Maybe not? The PTE page is freed via RCU in zap_pte_range(), so in the
> > > > following case:
> > > >
> > > > cpu 0                                           cpu 1
> > > >
> > > > ptdump_walk_pgd
> > > > --> walk_pte_range
> > > >     --> pte_offset_map (hold RCU read lock)
> > > >                                                 zap_pte_range
> > > >                                                 --> free_pte (via RCU)
> > > >     walk_pte_range_inner
> > > >     --> ptdump_pte_entry (the PTE page is not freed at this time)
> > > >
> > > > IIUC, there is no UAF issue here?
> > > >
> > > > If I missed anything please let me know.
>
> Seems to me that we don't need the VMA locks then unless I'm missing
> something? :) Jann?

Aah, right, this is one of those paths that use RCU to protect
read-only PTE-level page table access that can tolerate seeing stale
data. Sorry about the confusion.

> Would this RCU-lock-acquired-by-pte_offset_map also save us from the
> munmap() downgraded read lock scenario also? Or is the problem there
> intermediate page table teardown I guess?

(I see Qi Zheng already clarified this part.)
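Added example, not code from this thread or from the kernel: a single-threaded toy model in C of the cpu 0 / cpu 1 interleaving Qi Zheng drew above. It replays a ptdump-style walker that takes the RCU read lock before following the PMD entry (the role pte_offset_map() plays in the kernel), while a zapping side detaches the PTE page and frees it either through an RCU callback (as free_pte() does) or immediately (the case the mmap-lock assumption in walk_page_range_novma() was guarding against). The model's RCU (model_rcu_read_lock, model_call_rcu, model_rcu_grace_period), the struct pte_page layout, the pmd_slot pointer and the PTE values are all invented for the illustration; the kernel function names appear only in comments. The point it shows is the one Jann concedes: with RCU-deferred freeing the walker may read stale entries, but the page cannot be reclaimed underneath it, so there is no use-after-free.

```c
#include <stdio.h>
#include <string.h>

#define PTES_PER_PAGE 8

/* Toy PTE page: the object free_pte() hands to RCU in the thread's call chain. */
struct pte_page {
    unsigned long pte[PTES_PER_PAGE];
    int freed;                 /* set when the (possibly deferred) free actually runs */
};

/* The PMD entry pointing at the PTE page (what pte_offset_map() follows). */
static struct pte_page *pmd_slot;

/* Toy RCU: a reader count and a queue of pages waiting for a grace period. */
static int rcu_readers;
static struct pte_page *rcu_pending[4];
static int rcu_pending_n;

static void model_rcu_read_lock(void)   { rcu_readers++; }
static void model_rcu_read_unlock(void) { rcu_readers--; }
static void model_call_rcu(struct pte_page *p) { rcu_pending[rcu_pending_n++] = p; }

/* A grace period can only complete once no reader is inside a critical
 * section; until then queued frees stay queued. Returns 1 if it completed. */
static int model_rcu_grace_period(void)
{
    if (rcu_readers > 0)
        return 0;
    for (int i = 0; i < rcu_pending_n; i++)
        rcu_pending[i]->freed = 1;          /* stand-in for returning the page */
    rcu_pending_n = 0;
    return 1;
}

struct race_result {
    int entries_read;         /* present PTEs the walker read */
    int freed_during_walk;    /* 1 = page reclaimed while still in use (UAF) */
    int freed_after_walk;     /* 1 = page reclaimed once the walker had left */
    int gp_refused_mid_walk;  /* 1 = a grace period attempted mid-walk was held off */
};

/* Replays the interleaving from the thread. defer_free_via_rcu = 1 frees the
 * PTE page through RCU as the kernel does; 0 frees it immediately, which is
 * the behaviour the mmap-lock assumption in walk_page_range_novma() feared. */
static struct race_result simulate_race(int defer_free_via_rcu)
{
    static struct pte_page page;            /* constructed sample PTE page */
    struct race_result r = {0, 0, 0, 0};

    memset(&page, 0, sizeof(page));
    for (int i = 0; i < PTES_PER_PAGE; i++)
        page.pte[i] = (0x1000UL * (i + 1)) | 1;   /* constructed "present" entries */
    pmd_slot = &page;
    rcu_readers = 0;
    rcu_pending_n = 0;

    /* cpu 0: ptdump_walk_pgd -> walk_pte_range -> pte_offset_map (RCU read lock) */
    model_rcu_read_lock();
    struct pte_page *walked = pmd_slot;

    /* cpu 1: zap_pte_range -> free_pte: detach the page from the PMD, then free it */
    pmd_slot = NULL;
    if (defer_free_via_rcu) {
        model_call_rcu(walked);
        r.gp_refused_mid_walk = !model_rcu_grace_period();
    } else {
        walked->freed = 1;                  /* immediate free, no RCU deferral */
    }

    /* cpu 0: walk_pte_range_inner -> ptdump_pte_entry. The contents are stale
     * (the PMD no longer points here) but the memory must still be valid. */
    r.freed_during_walk = walked->freed;
    for (int i = 0; i < PTES_PER_PAGE; i++)
        if (walked->pte[i] & 1)
            r.entries_read++;
    model_rcu_read_unlock();

    /* Only with the reader gone can the grace period complete and reclaim the page. */
    if (defer_free_via_rcu)
        model_rcu_grace_period();
    r.freed_after_walk = walked->freed;
    return r;
}

int main(void)
{
    struct race_result rcu = simulate_race(1), raw = simulate_race(0);
    printf("RCU-deferred free: read %d PTEs, freed during walk=%d, after walk=%d\n",
           rcu.entries_read, rcu.freed_during_walk, rcu.freed_after_walk);
    printf("immediate free:    read %d PTEs, freed during walk=%d\n",
           raw.entries_read, raw.freed_during_walk);
    return 0;
}
```

The immediate-free variant still "reads" successfully here only because the page is static storage in the model; in the kernel that read would hit a page already handed back to the allocator, which is exactly the UAF the thread started out worrying about.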