lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <yt9dcz0dbn8p.fsf@linux.ibm.com>
Date:   Thu, 27 Jul 2023 13:35:50 +0200
From:   Sven Schnelle <svens@...ux.ibm.com>
To:     Ryan Roberts <ryan.roberts@....com>
Cc:     David Hildenbrand <david@...hat.com>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Matthew Wilcox <willy@...radead.org>,
        Yin Fengwei <fengwei.yin@...el.com>,
        Yu Zhao <yuzhao@...gle.com>, Yang Shi <shy828301@...il.com>,
        "Huang, Ying" <ying.huang@...el.com>, Zi Yan <ziy@...dia.com>,
        Nathan Chancellor <nathan@...nel.org>,
        linux-kernel@...r.kernel.org, linux-mm@...ck.org,
        linux-s390@...r.kernel.org
Subject: Re: [PATCH v1] mm: Fix use-after-free for MMU_GATHER_NO_GATHER

Ryan,

David Hildenbrand <david@...hat.com> writes:

> On 27.07.23 13:02, Ryan Roberts wrote:
>> The recent change to batch-zap anonymous ptes did not take into account
>> that for platforms where MMU_GATHER_NO_GATHER is enabled (e.g. s390),
>> __tlb_remove_page() drops a reference to the page. This means that the
>> folio reference count can drop to zero while still in use (i.e. before
>> folio_remove_rmap_range() is called). This does not happen on other
>> platforms because the actual page freeing is deferred.
>> Solve this by appropriately getting/putting the folio to guarrantee
>> it
>> does not get freed early.
>> Given the new need to get/put the folio in the batch path, let's
>> stick
>> to the non-batched path if the folio is not large. In this case batching
>> is not helpful since the batch size is 1.
>> Signed-off-by: Ryan Roberts <ryan.roberts@....com>
>> Fixes: 904d9713b3b0 ("mm: batch-zap large anonymous folio PTE mappings")
>> Reported-by: Nathan Chancellor <nathan@...nel.org>
>> Link: https://lore.kernel.org/linux-mm/20230726161942.GA1123863@dev-arch.thelio-3990X/
>> ---
>> Hi Andrew,
>> This fixes patch 3 in the series at [1], which is currently in
>> mm-unstable. I'm
>> not sure whether you want to take the fix or whether I should re-post the entire
>> series?
>> 
>
> Please repost the complete thing, you're touching some sensible places
> that really need decent review.

Please also add:

Alexander Gordeev <agordeev@...ux.ibm.com>
Gerald Schaefer <gerald.schaefer@...ux.ibm.com>

when reposting. Thanks!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ