From: Yang Shi
Date: Thu, 23 Mar 2023 13:45:16 -0700
Subject: Re: [v4 PATCH] fs/proc: task_mmu.c: don't read mapcount for migration entry
To: Vlastimil Babka
Cc: David Hildenbrand, kirill.shutemov@linux.intel.com, jannh@google.com, willy@infradead.org, akpm@linux-foundation.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org

On Thu, Mar 23, 2023 at 3:11 AM Vlastimil Babka wrote:
>
> On 3/23/23 11:08, David Hildenbrand wrote:
> > On 23.03.23 10:52, Vlastimil Babka wrote:
> >> On 2/3/22 19:26, Yang Shi wrote:
> >>> --- a/fs/proc/task_mmu.c
> >>> +++ b/fs/proc/task_mmu.c
> >>> @@ -440,7 +440,8 @@ static void smaps_page_accumulate(struct mem_size_stats *mss,
> >>>  }
> >>>
> >>>  static void smaps_account(struct mem_size_stats *mss, struct page *page,
> >>> -		bool compound, bool young, bool dirty, bool locked)
> >>> +		bool compound, bool young, bool dirty, bool locked,
> >>> +		bool migration)
> >>>  {
> >>>  	int i, nr = compound ? compound_nr(page) : 1;
> >>>  	unsigned long size = nr * PAGE_SIZE;
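Review bot: the signature change to `+		bool compound, bool young, bool dirty, bool locked,` / `+		bool migration)` leaves smaps_account() with five positional booleans, which is easy to misorder at call sites and gives the compiler no way to catch a swapped argument; consider a flags argument, or at least add a kernel-doc line stating that `migration` means the entry was a migration entry rather than a mapped page. The hunk also does not show the callers, so confirm that every smaps_account() call site passes the new argument in this same patch.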
> >>> @@ -467,8 +468,15 @@ static void smaps_account(struct mem_size_stats *mss, struct page *page,
> >>>  	 * page_count(page) == 1 guarantees the page is mapped exactly once.
> >>>  	 * If any subpage of the compound page mapped with PTE it would elevate
> >>>  	 * page_count().
> >>> +	 *
> >>> +	 * The page_mapcount() is called to get a snapshot of the mapcount.
> >>> +	 * Without holding the page lock this snapshot can be slightly wrong as
> >>> +	 * we cannot always read the mapcount atomically.  It is not safe to
> >>> +	 * call page_mapcount() even with PTL held if the page is not mapped,
> >>> +	 * especially for migration entries.  Treat regular migration entries
> >>> +	 * as mapcount == 1.
> >>>  	 */
> >>> -	if (page_count(page) == 1) {
> >>> +	if ((page_count(page) == 1) || migration) {
> >>
> >> Since this is now apparently a CVE-2023-1582 for whatever RHeasons...
> >>
> >> wonder if the patch actually works as intended when
> >> (page_count() || migration) is in this particular order and not the other one?
> >
> > Only the page_mapcount() call to a page that should be problematic, not
> > the page_count() call. There might be the rare chance of the page
>
> Oh right, page_mapcount() vs page_count(), I need more coffee.
>
> > getting removed due to memory offlining... but we're still holding the
> > page table lock with the migration entry, so we should be protected
> > against that.
> >
> > Regarding the CVE, IIUC the main reason for the CVE should be
> > RHEL-specific -- which behaves differently than other code bases; for
> > other code bases, it's just a way to trigger a BUG_ON as described here.

Out of curiosity, is there any public link for this CVE? Google search can't find it.

>
> That's good to know so at least my bogus mail was useful for that, thanks!
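Review bot: the operand order in `+	if ((page_count(page) == 1) || migration) {` is sound but deserves a sentence in the new comment, since it is exactly what the thread questions. `||` evaluates page_count(page) first, which only reads the refcount and is the call the thread confirms is safe under the PTL for a migration entry; the short circuit then guarantees that the page_mapcount() snapshot the comment describes is never taken when `migration` is set. Suggest ending the comment with something like "... as mapcount == 1 and skip page_mapcount() for them", so a future reader does not need this thread to see why the extra condition alone is sufficient.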