| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 9 Apr 2010 16:57:03 +0900 From: KAMEZAWA Hiroyuki <kamezawa.hiroyu@...fujitsu.com> To: KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com> Cc: Nick Piggin <npiggin@...e.de>, Peter Zijlstra <a.p.zijlstra@...llo.nl>, Andrea Arcangeli <aarcange@...hat.com>, Avi Kivity <avi@...hat.com>, Thomas Gleixner <tglx@...utronix.de>, Rik van Riel <riel@...hat.com>, Ingo Molnar <mingo@...e.hu>, akpm@...ux-foundation.org, Linus Torvalds <torvalds@...ux-foundation.org>, linux-kernel@...r.kernel.org, linux-arch@...r.kernel.org, Benjamin Herrenschmidt <benh@...nel.crashing.org>, David Miller <davem@...emloft.net>, Hugh Dickins <hugh.dickins@...cali.co.uk>, Mel Gorman <mel@....ul.ie> Subject: Re: [PATCH 02/13] mm: Revalidate anon_vma in page_lock_anon_vma() On Fri, 9 Apr 2010 16:29:59 +0900 (JST) KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com> wrote: > > On Fri, 9 Apr 2010 15:34:33 +0900 (JST) > > KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com> wrote: > > > > > > On Fri, 9 Apr 2010 13:16:41 +1000 > > > > Nick Piggin <npiggin@...e.de> wrote: > > > > > > > > > On Thu, Apr 08, 2010 at 09:17:39PM +0200, Peter Zijlstra wrote: > > > > > > There is nothing preventing the anon_vma from being detached while we > > > > > > are spinning to acquire the lock. Most (all?) current users end up > > > > > > calling something like vma_address(page, vma) on it, which has a > > > > > > fairly good chance of weeding out wonky vmas. > > > > > > > > > > > > However suppose the anon_vma got freed and re-used while we were > > > > > > waiting to acquire the lock, and the new anon_vma fits with the > > > > > > page->index (because that is the only thing vma_address() uses to > > > > > > determine if the page fits in a particular vma, we could end up > > > > > > traversing faulty anon_vma chains. > > > > > > > > > > > > Close this hole for good by re-validating that page->mapping still > > > > > > holds the very same anon_vma pointer after we acquire the lock, if not > > > > > > be utterly paranoid and retry the whole operation (which will very > > > > > > likely bail, because it's unlikely the page got attached to a different > > > > > > anon_vma in the meantime). > > > > > > > > > > Hm, looks like a bugfix? How was this supposed to be safe? > > > > > > > > > IIUC. > > > > > > > > Before Rik's change to anon_vma, once page->mapping is set as anon_vma | 0x1, > > > > it's not modified until the page is freed. > > > > After the patch, do_wp_page() overwrite page->mapping when it reuse existing > > > > page. > > > > > > Why? > > > IIUC. page->mapping dereference in page_lock_anon_vma() makes four story. > > > > > > 1. the anon_vma is valid > > > -> do page_referenced_one(). > > > 2. the anon_vma is invalid and freed to buddy > > > -> bail out by page_mapped(), no touch anon_vma > > > 3. the anon_vma is kfreed, and not reused > > > -> bail out by page_mapped() > > > 4. the anon_vma is kfreed, but reused as another anon_vma > > > -> bail out by page_check_address() > > > > > > Now we have to consider 5th story. > > > > > > 5. the anon_vma is exchanged another anon_vma by do_wp_page. > > > -> bail out by above bailing out stuff. > > > > > > > > > I agree peter's patch makes sense. but I don't think Rik's patch change > > > locking rule. > > > > > > > Hmm, I think following. > > > > Assume a page is ANON and SwapCache, and it has only one reference. > > Consider it's read-only mapped and cause do_wp_page(). > > page_mapcount(page) == 1 here. > > > > CPU0 CPU1 > > > > 1. do_wp_page() > > 2. ..... > > 3. replace anon_vma. anon_vma = lock_page_anon_vma() > > > > So, lock_page_anon_vma() may have lock on wrong anon_vma, here.(mapcount=1) > > > > 4. modify pte to writable. do something... > > > > After lock, in CPU1, a pte of estimated address by vma_address(vma, page) > > containes pfn of the page and page_check_address() will success. > > > > I'm not sure how this is dangerouns. > > But it's possible that CPU1 cannot notice there was anon_vma replacement. > > And modifies pte withoug holding anon vma's lock which the code believes > > it's holded. > > > Hehe, page_referenced() already can take unstable VM_LOCKED value. So, > In worst case we make false positive pageout, but it's not disaster. > I think. Anyway "use after free" don't happen by this blutal code. > > However, I think you pointed one good thing. before Rik patch, we don't have > page->mapping reassignment. then, we didn't need rcu_dereference(). > but now it can happen. so, I think rcu_dereference() is better. > > Perhaps, I'm missing something. > Hmm. I wonder we can check "whether we lock valid anon_vma or not" only under pte_lock or lock_page(). == anon_vma = page_anon_vma(); lock(anon_vma->lock); .... page_check_address(page) .... pte_lock(); if (page_anon_vma(page) == anon_vma) # anon_vma replacement happens! unlock(anon_vma->lock); == So, rather than page_lock_anon_vma(), page_check_address() may have to check anon_vma replacement....But I cannot think of dangerous case which can cause panic for now. I may miss something... Thanks, -Kame > > diff --git a/mm/rmap.c b/mm/rmap.c > index 8b088f0..b4a0b5b 100644 > --- a/mm/rmap.c > +++ b/mm/rmap.c > @@ -295,7 +295,7 @@ struct anon_vma *page_lock_anon_vma(struct page *page) > unsigned long anon_mapping; > > rcu_read_lock(); > - anon_mapping = (unsigned long) ACCESS_ONCE(page->mapping); > + anon_mapping = (unsigned long) rcu_dereference(page->mapping); > if ((anon_mapping & PAGE_MAPPING_FLAGS) != PAGE_MAPPING_ANON) > goto out; > if (!page_mapped(page)) > > > > > -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists