| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 7 Nov 2017 08:54:28 +0100
From: Michal Hocko <mhocko@...nel.org>
To: Will Deacon <will.deacon@....com>, Wang Nan <wangnan0@...wei.com>
Cc: Bob Liu <lliubbo@...il.com>, Linux-MM <linux-mm@...ck.org>,
Linux-Kernel <linux-kernel@...r.kernel.org>,
Bob Liu <liubo95@...wei.com>,
Andrew Morton <akpm@...ux-foundation.org>,
David Rientjes <rientjes@...gle.com>,
Ingo Molnar <mingo@...nel.org>, Roman Gushchin <guro@...com>,
Konstantin Khlebnikov <khlebnikov@...dex-team.ru>,
Andrea Arcangeli <aarcange@...hat.com>
Subject: Re: [RFC PATCH] mm, oom_reaper: gather each vma to prevent leaking
TLB entry
On Tue 07-11-17 00:54:32, Will Deacon wrote:
> On Mon, Nov 06, 2017 at 01:27:26PM +0100, Michal Hocko wrote:
> > On Mon 06-11-17 09:52:51, Michal Hocko wrote:
> > > On Mon 06-11-17 15:04:40, Bob Liu wrote:
> > > > On Mon, Nov 6, 2017 at 11:36 AM, Wang Nan <wangnan0@...wei.com> wrote:
> > > > > tlb_gather_mmu(&tlb, mm, 0, -1) means gathering all virtual memory space.
> > > > > In this case, tlb->fullmm is true. Some archs like arm64 doesn't flush
> > > > > TLB when tlb->fullmm is true:
> > > > >
> > > > > commit 5a7862e83000 ("arm64: tlbflush: avoid flushing when fullmm == 1").
> > > > >
> > > >
> > > > CC'ed Will Deacon.
> > > >
> > > > > Which makes leaking of tlb entries. For example, when oom_reaper
> > > > > selects a task and reaps its virtual memory space, another thread
> > > > > in this task group may still running on another core and access
> > > > > these already freed memory through tlb entries.
> > >
> > > No threads should be running in userspace by the time the reaper gets to
> > > unmap their address space. So the only potential case is they are
> > > accessing the user memory from the kernel when we should fault and we
> > > have MMF_UNSTABLE to cause a SIGBUS.
> >
> > I hope we have clarified that the tasks are not running in userspace at
> > the time of reaping. I am still wondering whether this is real from the
> > kernel space via copy_{from,to}_user. Is it possible we won't fault?
> > I am not sure I understand what "Given that the ASID allocator will
> > never re-allocate a dirty ASID" means exactly. Will, could you clarify
> > please?
>
> Sure. Basically, we tag each address space with an ASID (PCID on x86) which
> is resident in the TLB. This means we can elide TLB invalidation when
> pulling down a full mm because we won't ever assign that ASID to another mm
> without doing TLB invalidation elsewhere (which actually just nukes the
> whole TLB).
Thanks for the clarification!
> I think that means that we could potentially not fault on a kernel uaccess,
> because we could hit in the TLB. Perhaps a fix would be to set the force
> variable in tlb_finish_mmu if MMF_UNSTABLE is set on the mm?
OK, I suspect this is a more likely scenario than a race with the
reschedule IPI discussed elsewhere in the email thread. Even though I
have to admit I have never checked how are IPIs implemented on arm64, so
my perception might be off.
I think it would be best to simply do per VMA tlb gather like the
original patch does. It would be great if the changelog absorbed the
above two paragraphs. Wangnan could you resend with those clarifications
please?
--
Michal Hocko
SUSE Labs
Powered by blists - more mailing lists