| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <39ab53c4-cb2f-82f4-1097-65d000284b23@oracle.com>
Date: Tue, 15 Feb 2022 11:11:51 -0800
From: Mike Kravetz <mike.kravetz@...cle.com>
To: Muchun Song <songmuchun@...edance.com>, akpm@...ux-foundation.org,
zi.yan@...rutgers.edu, kirill.shutemov@...ux.intel.com,
rientjes@...gle.com, lars.persson@...s.com, ziy@...dia.com
Cc: linux-mm@...ck.org, linux-kernel@...r.kernel.org,
duanxiongchun@...edance.com, fam.zheng@...edance.com
Subject: Re: [PATCH v5 5/7] mm: shmem: fix missing cache flush in
shmem_mfill_atomic_pte()
On 2/10/22 04:30, Muchun Song wrote:
> The userfaultfd calls shmem_mfill_atomic_pte() which does not do any
> cache flushing for the target page. Then the target page will be mapped
> to the user space with a different address (user address), which might
> have an alias issue with the kernel address used to copy the data from the
> user to. Insert flush_dcache_page() in non-zero-page case. And replace
> clear_highpage() with clear_user_highpage() which already considers
> the cache maintenance.
>
> Fixes: 8d1039634206 ("userfaultfd: shmem: add shmem_mfill_zeropage_pte for userfaultfd support")
> Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support")
> Signed-off-by: Muchun Song <songmuchun@...edance.com>
> ---
> mm/shmem.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
Thanks,
It might have been better to combine this and the next patch. When looking
at this, I noted the 'fallback to copy_from_user outside mmap_lock' case needs
to be addressed as well. It is in the next patch. No need to change.
Reviewed-by: Mike Kravetz <mike.kravetz@...cle.com>
--
Mike Kravetz
>
> diff --git a/mm/shmem.c b/mm/shmem.c
> index eb0fd9001130..2e17ec9231a2 100644
> --- a/mm/shmem.c
> +++ b/mm/shmem.c
> @@ -2371,8 +2371,10 @@ int shmem_mfill_atomic_pte(struct mm_struct *dst_mm,
> /* don't free the page */
> goto out_unacct_blocks;
> }
> +
> + flush_dcache_page(page);
> } else { /* ZEROPAGE */
> - clear_highpage(page);
> + clear_user_highpage(page, dst_addr);
> }
> } else {
> page = *pagep;
--
Mike Kravetz
Powered by blists - more mailing lists