lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8c36dd0a-90be-91bf-0ded-55b34ee0a770@redhat.com>
Date:   Fri, 16 Dec 2022 16:57:33 +0100
From:   David Hildenbrand <david@...hat.com>
To:     Peter Xu <peterx@...hat.com>
Cc:     linux-kernel@...r.kernel.org, linux-mm@...ck.org,
        Andrea Arcangeli <aarcange@...hat.com>,
        Pengfei Xu <pengfei.xu@...el.com>,
        Nadav Amit <nadav.amit@...il.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Miaohe Lin <linmiaohe@...wei.com>,
        Huang Ying <ying.huang@...el.com>, stable@...r.kernel.org
Subject: Re: [PATCH 1/2] mm/uffd: Fix pte marker when fork() without fork
 event

>>
>> Wouldn't it be cleaner to be able to "clean" specific markers from a PTE
>> marker without having to special case on each and everyone? I mean, only
>> uffd-wp is really special such that it might disappear for the target.
> 
> Quotting the commit message in patch 2:
> 
>    Currently there is a priority difference between the uffd-wp bit and the
>    swapin error entry, in which the swapin error always has higher priority
>    (e.g. we don't need to wr-protect a swapin error pte marker).
> 
>    If there will be a 3rd bit introduced, we'll probably need to consider a
>    more involved approach so we may need to start operate on the bits.
>    Let's leave that for later.
> 
> I actually started the fix with something like that, but I noticed it's not
> needed to add more code if there's no 3rd bit introduced so I dropped that.
> I decided to go the simpler change approach and leave that for later.

Okay, makes sense.

> 
>>
>> Something like (pseudocode):
>>
>> if (!userfaultfd_wp(dst_vma))
>> 	pte_marker_clear_uff_wp(entry);
>> if (!pte_marker_empty(entry)) {
>> 	pte = make_pte_marker(pte_marker_get(entry));
>> 	set_pte_at(dst_mm, addr, dst_pte, pte);
>> }
>>
>> Then this fix would be correct and backport-able even without #2. And it
>> would work for new types of markers :)
> 
> When that comes, we may need one set_pte_marker_at() taking care of empty
> pte markers, otherwise there can be a lot of such check.

Right. In the future it might be cleaner.

> 
>>
>>
>> I'd prefer a fix that doesn't break something else temporarily, even if the
>> stable backport might require 5 additional minutes to do. So squashing #2
>> into #1 would also work.
> 
> The thing is whether do we care about someone: (1) explicitly checkout at
> the commit of patch 1, then (2) runs the kernel, hit a swapnin error, (3)
> fork(), and (4) access the swapin error page in the child.

I'm more concerned about backports, when one backports #1 but not #2. In 
theory, patch #2 fixes patch #1, because that introduced IMHO a real 
regression -- a possible memory corruption when discarding a hwpoison 
marker. Warnings are not nice but at least indicate that something needs 
a second look.

> 
> To me I don't care even starting from (1).. because it really shouldn't
> happen at all in any serious environment.
> 
> The other reason is these are indeed two issues to solve.  Even if by
> accident we kept the swapin error in old code we'll probably dump an
> warning which is not wanted either.  It's not something someone will really
> get benefit from..
> 
> So like many other places, I don't have a strong opinion, but personally I
> prefer the current approach.


Me neither, two patches just felt more complicated than it should be.

Anyhow, the final code change LGTM.

-- 
Thanks,

David / dhildenb

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ