lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Y3KAWnFkG7hC1D/B@dhcp22.suse.cz>
Date:   Mon, 14 Nov 2022 18:52:26 +0100
From:   Michal Hocko <mhocko@...e.com>
To:     Zhongkun He <hezhongkun.hzk@...edance.com>
Cc:     Andrew Morton <akpm@...ux-foundation.org>, corbet@....net,
        linux-mm@...ck.org, linux-kernel@...r.kernel.org,
        linux-api@...r.kernel.org, linux-doc@...r.kernel.org
Subject: Re: [External] Re: [PATCH v2] mm: add new syscall
 pidfd_set_mempolicy().

On Mon 14-11-22 12:46:53, Michal Hocko wrote:
> On Mon 14-11-22 12:44:48, Michal Hocko wrote:
> > On Mon 14-11-22 00:41:21, Zhongkun He wrote:
> > > Hi Andrew, thanks for your replay.
> > > 
> > > > This sounds a bit suspicious.  Please share much more detail about
> > > > these races.  If we proced with this design then mpol_put_async()
> > > > shouild have comments which fully describe the need for the async free.
> > > > 
> > > > How do we *know* that these races are fully prevented with this
> > > > approach?  How do we know that mpol_put_async() won't free the data
> > > > until the race window has fully passed?
> > > 
> > > A mempolicy can be either associated with a process or with a VMA.
> > > All vma manipulation is somewhat protected by a down_read on
> > > mmap_lock.In process context there is no locking because only
> > > the process accesses its own state before.
> > 
> > We shouldn't really rely on mmap_sem for this IMO. There is alloc_lock
> > (aka task lock) that makes sure the policy is stable so that caller can
> > atomically take a reference and hold on the policy. And we do not do
> > that consistently and this should be fixed. E.g. just looking at some
> > random places like allowed_mems_nr (relying on get_task_policy) is
> > completely lockless and some paths (like fadvise) do not use any of the
> > explicit (alloc_lock) or implicit (mmap_lock) locking. That means that
> > the task_work based approach cannot really work in this case, right?
> 
> Just to be more explicit. Task work based approach still requires an
> additional synchronization among different threads unless I miss
> something so this is really fragile synchronization model.

Scratch that. I've managed to confuse myself. Multi-threading doesn't
play any role as the mempolicy changed by the syscall is per-task_struct
so task_work context is indeed mutually exclusive with any in kernel use
of the policy.

I will need to think about it some more.
-- 
Michal Hocko
SUSE Labs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ