[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <X95RRZ3hkebEmmaj@redhat.com>
Date: Sat, 19 Dec 2020 14:15:17 -0500
From: Andrea Arcangeli <aarcange@...hat.com>
To: Nadav Amit <nadav.amit@...il.com>
Cc: linux-mm@...ck.org, Peter Xu <peterx@...hat.com>,
linux-kernel@...r.kernel.org, Nadav Amit <namit@...are.com>,
Pavel Emelyanov <xemul@...nvz.org>,
Mike Kravetz <mike.kravetz@...cle.com>,
Mike Rapoport <rppt@...ux.vnet.ibm.com>, stable@...r.kernel.org
Subject: Re: [PATCH] mm/userfaultfd: fix memory corruption due to writeprotect
Hello,
On Fri, Dec 18, 2020 at 08:30:06PM -0800, Nadav Amit wrote:
> Analyzing this problem indicates that there is a real bug since
> mmap_lock is only taken for read in mwriteprotect_range(). This might
Never having to take the mmap_sem for writing, and in turn never
blocking, in order to modify the pagetables is quite an important
feature in uffd that justifies uffd instead of mprotect. It's not the
most important reason to use uffd, but it'd be nice if that guarantee
would remain also for the UFFDIO_WRITEPROTECT API, not only for the
other pgtable manipulations.
> Consider the following scenario with 3 CPUs (cpu2 is not shown):
>
> cpu0 cpu1
> ---- ----
> userfaultfd_writeprotect()
> [ write-protecting ]
> mwriteprotect_range()
> mmap_read_lock()
> change_protection()
> change_protection_range()
> ...
> change_pte_range()
> [ defer TLB flushes]
> userfaultfd_writeprotect()
> mmap_read_lock()
> change_protection()
> [ write-unprotect ]
> ...
> [ unprotect PTE logically ]
> ...
> [ page-fault]
> ...
> wp_page_copy()
> [ set new writable page in PTE]
Can't we check mm_tlb_flush_pending(vma->vm_mm) if MM_CP_UFFD_WP_ALL
is set and do an explicit (potentially spurious) tlb flush before
write-unprotect?
Thanks,
Andrea
Powered by blists - more mailing lists