| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LSU.2.11.1510011109390.6920@eggly.anvils> Date: Thu, 1 Oct 2015 11:34:27 -0700 (PDT) From: Hugh Dickins <hughd@...gle.com> To: Oleg Nesterov <oleg@...hat.com> cc: Hugh Dickins <hughd@...gle.com>, Andrew Morton <akpm@...ux-foundation.org>, Andrey Konovalov <andreyknvl@...gle.com>, Davidlohr Bueso <dave@...olabs.net>, "Kirill A. Shutemov" <kirill@...temov.name>, Sasha Levin <sasha.levin@...cle.com>, Vlastimil Babka <vbabka@...e.cz>, Andrea Arcangeli <aarcange@...hat.com>, Michel Lespinasse <walken@...gle.com>, linux-kernel@...r.kernel.org, linux-mm@...ck.org Subject: Re: [PATCH 1/2] mm: fix the racy mm->locked_vm change in On Thu, 1 Oct 2015, Oleg Nesterov wrote: > On 09/30, Hugh Dickins wrote: > > > > On Tue, 29 Sep 2015, Oleg Nesterov wrote: > > > > > "mm->locked_vm += grow" and vm_stat_account() in acct_stack_growth() > > > are not safe; multiple threads using the same ->mm can do this at the > > > same time trying to expans different vma's under down_read(mmap_sem). > > expand > > > This means that one of the "locked_vm += grow" changes can be lost > > > and we can miss munlock_vma_pages_all() later. > > > > From the Cc list, I guess you are thinking this might be the fix to > > the "Bad state page (mlocked)" issues Andrey and Sasha have reported. > > Yes, I found this when I tried to explain this problem, but I doubt > this change can fix it... Firstly I think it is very unlikely that > trinity hits this race. And even if mm->locked_vm is wrongly equal > to zero in exit_mmap(), it seems that page_remove_rmap() should do > clear_page_mlock(). Oh yes, good point, a subsequent clear_page_mlock(), in unmapping this address space, or later unmapping from another, ought to clear it before the page ever gets freed. > But I do not understand this code enough. So if > this patch can actually help I would really like to know why ;) I doubt any of us understand it very well, mlock+munlock have over the years become so much more grotesque than the uninitiated would expect. > > And of course this can not explain other traces which look like > mm->mmap corruption. > > > Acked-by: Hugh Dickins <hughd@...gle.com> > > Thanks! > > > with some hesitation. I don't like very much that the preliminary > > mm->locked_vm + grow check is still done without complete locking, > > so racing threads could get more locked_vm than they're permitted; > > but I'm not sure that we care enough to put page_table_lock back > > over all of that (and security_vm_enough_memory wants to have final > > say on whether to go ahead); even if it was that way years ago. > > Yes. Plus all these RLIMIT_MEMLOCK/etc and security_* checks assume > that we are going to expand current->mm, but this is not necessarily > true. Debugger or sys_process_vm_* can expand a foreign vma. Right, I'd forgotten all about that aspect: yes, none of us ever took expand_stack()'s "current" assumptions seriously enough to rework its interface with all the architectures, so that's another argument for sticking for now with the patch you already have here - thanks. Hugh -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists