lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 27 Oct 2021 12:52:21 -0700
From:   Yang Shi <shy828301@...il.com>
To:     hughd@...gle.com, sunhao.th@...il.com, willy@...radead.org,
        kirill.shutemov@...ux.intel.com, songliubraving@...com,
        andrea.righi@...onical.com, akpm@...ux-foundation.org
Cc:     shy828301@...il.com, linux-mm@...ck.org,
        linux-kernel@...r.kernel.org, stable@...r.kernel.org
Subject: [PATCH] mm: khugepaged: skip huge page collapse for special files

The read-only THP for filesystems would collapse THP for file opened
readonly and mapped with VM_EXEC, the intended usecase is to avoid TLB
miss for large text segment.  But it doesn't restrict the file types so
THP could be collapsed for non-regular file, for example, block device,
if it is opened readonly and mapped with EXEC permission.  This may
cause bugs, like [1] and [2].

This is definitely not intended usecase, so just collapsing THP for regular
file in order to close the attack surface.

[1] https://lore.kernel.org/lkml/CACkBjsYwLYLRmX8GpsDpMthagWOjWWrNxqY6ZLNQVr6yx+f5vA@mail.gmail.com/
[2] https://lore.kernel.org/linux-mm/000000000000c6a82505ce284e4c@google.com/

Fixes: 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS")
Reported-by: Hao Sun <sunhao.th@...il.com>
Reported-by: syzbot+aae069be1de40fb11825@...kaller.appspotmail.com
Cc: Hao Sun <sunhao.th@...il.com>
Cc: Matthew Wilcox <willy@...radead.org>
Cc: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>
Cc: Song Liu <songliubraving@...com>
Cc: Andrea Righi <andrea.righi@...onical.com>
Cc: <stable@...r.kernel.org>
Signed-off-by: Hugh Dickins <hughd@...gle.com>
Signed-off-by: Yang Shi <shy828301@...il.com>
---
The patch is basically based off the proposal from Hugh
(https://lore.kernel.org/linux-mm/a07564a3-b2fc-9ffe-3ace-3f276075ea5c@google.com/).
It seems Hugh is too busy to prepare the patch for formal submission (I
didn't hear from him by pinging him a couple of times on mailing list),
so I prepared the patch and added his SOB.

 mm/khugepaged.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/mm/khugepaged.c b/mm/khugepaged.c
index 045cc579f724..e91b7271275e 100644
--- a/mm/khugepaged.c
+++ b/mm/khugepaged.c
@@ -445,22 +445,25 @@ static bool hugepage_vma_check(struct vm_area_struct *vma,
 	if (!transhuge_vma_enabled(vma, vm_flags))
 		return false;
 
-	/* Enabled via shmem mount options or sysfs settings. */
-	if (shmem_file(vma->vm_file) && shmem_huge_enabled(vma)) {
+	if (vma->vm_file)
 		return IS_ALIGNED((vma->vm_start >> PAGE_SHIFT) - vma->vm_pgoff,
 				HPAGE_PMD_NR);
-	}
+
+	/* Enabled via shmem mount options or sysfs settings. */
+	if (shmem_file(vma->vm_file))
+		return shmem_huge_enabled(vma);
 
 	/* THP settings require madvise. */
 	if (!(vm_flags & VM_HUGEPAGE) && !khugepaged_always())
 		return false;
 
-	/* Read-only file mappings need to be aligned for THP to work. */
+	/* Only regular file is valid */
 	if (IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && vma->vm_file &&
-	    !inode_is_open_for_write(vma->vm_file->f_inode) &&
 	    (vm_flags & VM_EXEC)) {
-		return IS_ALIGNED((vma->vm_start >> PAGE_SHIFT) - vma->vm_pgoff,
-				HPAGE_PMD_NR);
+		struct inode *inode = vma->vm_file->f_inode;
+
+		return !inode_is_open_for_write(inode) &&
+			S_ISREG(inode->i_mode);
 	}
 
 	if (!vma->anon_vma || vma->vm_ops)
-- 
2.26.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ