lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 7 Jun 2019 22:13:49 +0300
From:   "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>
To:     Andrea Arcangeli <aarcange@...hat.com>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        linux-kernel@...r.kernel.org, linux-mm@...ck.org,
        Oleg Nesterov <oleg@...hat.com>, Jann Horn <jannh@...gle.com>,
        Hugh Dickins <hughd@...gle.com>,
        Mike Rapoport <rppt@...ux.vnet.ibm.com>,
        Mike Kravetz <mike.kravetz@...cle.com>,
        Peter Xu <peterx@...hat.com>,
        Jason Gunthorpe <jgg@...lanox.com>,
        Michal Hocko <mhocko@...e.com>
Subject: Re: [PATCH 1/1] coredump: fix race condition between
 collapse_huge_page() and core dumping

On Fri, Jun 07, 2019 at 04:15:58PM +0000, Andrea Arcangeli wrote:
> When fixing the race conditions between the coredump and the mmap_sem
> holders outside the context of the process, we focused on
> mmget_not_zero()/get_task_mm() callers in commit
> 04f5866e41fb70690e28397487d8bd8eea7d712a, but those aren't the only
> cases where the mmap_sem can be taken outside of the context of the
> process as Michal Hocko noticed while backporting that commit to
> older -stable kernels.
> 
> If mmgrab() is called in the context of the process, but then the
> mm_count reference is transferred outside the context of the process,
> that can also be a problem if the mmap_sem has to be taken for writing
> through that mm_count reference.
> 
> khugepaged registration calls mmgrab() in the context of the process,
> but the mmap_sem for writing is taken later in the context of the
> khugepaged kernel thread.
> 
> collapse_huge_page() after taking the mmap_sem for writing doesn't
> modify any vma, so it's not obvious that it could cause a problem to
> the coredump, but it happens to modify the pmd in a way that breaks an
> invariant that pmd_trans_huge_lock() relies upon. collapse_huge_page()
> needs the mmap_sem for writing just to block concurrent page faults
> that call pmd_trans_huge_lock().
> 
> Specifically the invariant that "!pmd_trans_huge()" cannot become
> a "pmd_trans_huge()" doesn't hold while collapse_huge_page() runs.
> 
> The coredump will call __get_user_pages() without mmap_sem for
> reading, which eventually can invoke a lockless page fault which will
> need a functional pmd_trans_huge_lock().
> 
> So collapse_huge_page() needs to use mmget_still_valid() to check it's
> not running concurrently with the coredump... as long as the coredump
> can invoke page faults without holding the mmap_sem for reading.
> 
> This has "Fixes: khugepaged" to facilitate backporting, but in my view
> it's more a bug in the coredump code that will eventually have to be
> rewritten to stop invoking page faults without the mmap_sem for
> reading. So the long term plan is still to drop all
> mmget_still_valid().
> 
> Cc: <stable@...r.kernel.org>
> Fixes: ba76149f47d8 ("thp: khugepaged")
> Reported-by: Michal Hocko <mhocko@...e.com>
> Acked-by: Michal Hocko <mhocko@...e.com>
> Signed-off-by: Andrea Arcangeli <aarcange@...hat.com>

Acked-by: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>

-- 
 Kirill A. Shutemov

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ