From: Yang Shi
Date: Mon, 28 Nov 2022 11:56:57 -0800
Subject: Re: [PATCH v4 3/3] mm/khugepaged: Invoke MMU notifiers in shmem/file collapse paths
To: Jann Horn
Cc: security@kernel.org, Andrew Morton, David Hildenbrand, Peter Xu, John Hubbard, linux-kernel@vger.kernel.org, linux-mm@kvack.org
References: <20221128180252.1684965-1-jannh@google.com> <20221128180252.1684965-3-jannh@google.com>
In-Reply-To: <20221128180252.1684965-3-jannh@google.com>
On Mon, Nov 28, 2022 at 10:03 AM Jann Horn wrote:
>
> Any codepath that zaps page table entries must invoke MMU notifiers to
> ensure that secondary MMUs (like KVM) don't keep accessing pages which
> aren't mapped anymore. Secondary MMUs don't hold their own references to
> pages that are mirrored over, so failing to notify them can lead to page
> use-after-free.
>
> I'm marking this as addressing an issue introduced in commit f3f0e1d2150b
> ("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of
> the security impact of this only came in commit 27e1f8273113 ("khugepaged:
> enable collapse pmd for pte-mapped THP"), which actually omitted flushes
> for the removal of present PTEs, not just for the removal of empty page
> tables.
>
> Cc: stable@kernel.org
> Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages")
> Signed-off-by: Jann Horn

Reviewed-by: Yang Shi

> ---
> v4: no changes
>
> mm/khugepaged.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/mm/khugepaged.c b/mm/khugepaged.c
> index c3d3ce596bff7..49eb4b4981d88 100644
> --- a/mm/khugepaged.c
> +++ b/mm/khugepaged.c
> @@ -1404,6 +1404,7 @@ static void collapse_and_free_pmd(struct mm_struct *mm, struct vm_area_struct *v > unsigned long addr, pmd_t *pmdp) > { > pmd_t pmd; > + struct mmu_notifier_range range; > > mmap_assert_write_locked(mm); > if (vma->vm_file)
> @@ -1415,8 +1416,12 @@ static void collapse_and_free_pmd(struct mm_struct *mm, struct vm_area_struct *v > if (vma->anon_vma) > lockdep_assert_held_write(&vma->anon_vma->root->rwsem); > > + mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, NULL, mm, addr, > + addr + HPAGE_PMD_SIZE); > + mmu_notifier_invalidate_range_start(&range); > pmd = pmdp_collapse_flush(vma, addr, pmdp); > tlb_remove_table_sync_one(); > + mmu_notifier_invalidate_range_end(&range); > mm_dec_nr_ptes(mm); > page_table_check_pte_clear_range(mm, addr, pmd); > pte_free(mm, pmd_pgtable(pmd)); > -- > 2.38.1.584.g0f3c55d4c2-goog >
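Review bot: the placement of the notifier bracket in the second hunk is right for the use-after-free the commit message describes, and the reason for its exact extent deserves a short comment next to the calls: mmu_notifier_invalidate_range_start() runs before pmdp_collapse_flush() unhooks the page table, and mmu_notifier_invalidate_range_end() is deliberately placed after tlb_remove_table_sync_one() rather than directly after the flush, so a secondary MMU such as KVM has torn down its mirrored translations for [addr, addr + HPAGE_PMD_SIZE) before mm_dec_nr_ptes() and pte_free() hand the table back. The function holds the mmap write lock (mmap_assert_write_locked() in the first hunk), so the potentially sleeping _start() call is in a valid context. One small thing to confirm: mmu_notifier_range_init() is given a NULL vma although vma is in scope and already dereferenced earlier in the function; if that mirrors the other zap paths in this file it is fine, otherwise passing vma costs nothing.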