| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <46A852E1-B19E-4ABE-B96C-992DC7C67414@linux.dev>
Date: Wed, 26 Oct 2022 16:53:33 +0800
From: Muchun Song <muchun.song@...ux.dev>
To: Anshuman Khandual <anshuman.khandual@....com>
Cc: Wupeng Ma <mawupeng1@...wei.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Mike Kravetz <mike.kravetz@...cle.com>,
Muchun Song <songmuchun@...edance.com>,
Michal Hocko <mhocko@...e.com>,
Oscar Salvador <osalvador@...e.de>, catalin.marinas@....com,
Linux Memory Management List <linux-mm@...ck.org>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH -next 1/1] mm: hugetlb_vmemmap: Fix WARN_ON in
vmemmap_remap_pte
> On Oct 26, 2022, at 16:36, Anshuman Khandual <anshuman.khandual@....com> wrote:
>
>
>
> On 10/26/22 12:31, Muchun Song wrote:
>>
>>
>>> On Oct 26, 2022, at 13:06, Anshuman Khandual <anshuman.khandual@....com> wrote:
>>>
>>>
>>>
>>> On 10/25/22 12:06, Muchun Song wrote:
>>>>
>>>>
>>>>> On Oct 25, 2022, at 09:42, Wupeng Ma <mawupeng1@...wei.com> wrote:
>>>>>
>>>>> From: Ma Wupeng <mawupeng1@...wei.com>
>>>>>
>>>>> Commit f41f2ed43ca5 ("mm: hugetlb: free the vmemmap pages associated with
>>>>> each HugeTLB page") add vmemmap_remap_pte to remap the tail pages as
>>>>> read-only to catch illegal write operation to the tail page.
>>>>>
>>>>> However this will lead to WARN_ON in arm64 in __check_racy_pte_update()
>>>>
>>>> Thanks for your finding this issue.
>>>>
>>>>> since this may lead to dirty state cleaned. This check is introduced by
>>>>> commit 2f4b829c625e ("arm64: Add support for hardware updates of the
>>>>> access and dirty pte bits") and the initial check is as follow:
>>>>>
>>>>> BUG_ON(pte_write(*ptep) && !pte_dirty(pte));
>>>>>
>>>>> Since we do need to mark this pte as read-only to catch illegal write
>>>>> operation to the tail pages, use set_pte to replace set_pte_at to bypass
>>>>> this check.
>>>>
>>>> In theory, the waring does not affect anything since the tail vmemmap
>>>> pages are supposed to be read-only. So, skipping this check for vmemmap
>>>
>>> Tails vmemmap pages are supposed to be read-only, in practice but their
>>> backing pages do have pte_write() enabled. Otherwise the VM_WARN_ONCE()
>>> warning would not have triggered.
>>
>> Right.
>>
>>>
>>> VM_WARN_ONCE(pte_write(old_pte) && !pte_dirty(pte),
>>> "%s: racy dirty state clearing: 0x%016llx -> 0x%016llx",
>>> __func__, pte_val(old_pte), pte_val(pte));
>>>
>>> Also, is not it true that the pte being remapped into a different page
>>> as read only, than what it had originally (which will be freed up) i.e
>>> the PFN in 'old_pte' and 'pte' will be different. Hence is there still
>>
>> Right.
>>
>>> a possibility for a race condition even when the PFN changes ?
>>
>> Sorry, I didn't get this question. Did you mean the PTE is changed from
>> new (pte) to the old one (old_pte) by the hardware because of the update
>> of dirty bit when a concurrent write operation to the tail vmemmap page?
>
> No, but is not vmemmap_remap_pte() reuses walk->reuse_page for all remaining
> tails pages ? Is not there a PFN change, along with access permission change
> involved in this remapping process ?
Alright, yes, both the PFN and the access permission are changed.
Powered by blists - more mailing lists