Message-ID: <8891681e-532c-4d7b-bc28-b4ad3e017331@lucifer.local>
Date:   Mon, 28 Aug 2023 20:00:18 +0100
From:   Lorenzo Stoakes <lstoakes@...il.com>
To:     Joel Fernandes <joel@...lfernandes.org>
Cc:     linux-kernel@...r.kernel.org, linux-kselftest@...r.kernel.org,
        linux-mm@...ck.org, Shuah Khan <shuah@...nel.org>,
        Vlastimil Babka <vbabka@...e.cz>,
        Michal Hocko <mhocko@...e.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Kirill A Shutemov <kirill@...temov.name>,
        "Liam R. Howlett" <liam.howlett@...cle.com>,
        "Paul E. McKenney" <paulmck@...nel.org>,
        Suren Baghdasaryan <surenb@...gle.com>,
        Kalesh Singh <kaleshsingh@...gle.com>,
        Lokesh Gidra <lokeshgidra@...gle.com>
Subject: Re: [PATCH v5 2/7] mm/mremap: Allow moves within the same VMA

On Mon, Aug 28, 2023 at 06:32:40PM +0000, Joel Fernandes wrote:
> On Sun, Aug 27, 2023 at 10:21:14AM +0100, Lorenzo Stoakes wrote:
> [..]
> > >
> > >  /*
> > >   * Flags used by change_protection().  For now we make it a bitmap so
> > > diff --git a/mm/mremap.c b/mm/mremap.c
> > > index 035fbf542a8f..06baa13bd2c8 100644
> > > --- a/mm/mremap.c
> > > +++ b/mm/mremap.c
> > > @@ -490,12 +490,13 @@ static bool move_pgt_entry(enum pgt_entry entry, struct vm_area_struct *vma,
> > >  }
> > >
> > >  /*
> > > - * A helper to check if a previous mapping exists. Required for
> > > - * move_page_tables() and realign_addr() to determine if a previous mapping
> > > - * exists before we can do realignment optimizations.
> > > + * A helper to check if aligning down is OK. The aligned address should fall
> > > + * on *no mapping*. For the stack moving down, that's a special move within
> > > + * the VMA that is created to span the source and destination of the move,
> > > + * so we make an exception for it.
> > >   */
> > >  static bool can_align_down(struct vm_area_struct *vma, unsigned long addr_to_align,
> > > -			       unsigned long mask)
> > > +			    unsigned long mask, bool for_stack)
> > >  {
> > >  	unsigned long addr_masked = addr_to_align & mask;
> > >
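Review bot: the rewritten comment calls the stack case "a special move within the VMA" but does not state the condition the function is supposed to enforce for it, and the new `for_stack` parameter is not documented. Suggest spelling it out in the comment, e.g. "for_stack: @vma already spans source and destination, so the masked address may land inside @vma but in no other mapping", so a reader can check the body against it.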
> > > @@ -504,7 +505,7 @@ static bool can_align_down(struct vm_area_struct *vma, unsigned long addr_to_ali
> > >  	 * of the corresponding VMA, we can't align down or we will destroy part
> > >  	 * of the current mapping.
> > >  	 */
> > > -	if (vma->vm_start != addr_to_align)
> > > +	if (!for_stack && vma->vm_start != addr_to_align)
> > >  		return false;
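Review bot: relaxing only the vm_start check for `for_stack` does not by itself make the stack case succeed. If the remaining unmapped-range check (not in this hunk; see the find_vma_intersection() discussion below) still treats any intersecting VMA as a failure, @vma itself will be found in the masked range and the function returns false exactly as before, so the new parameter has no effect. Either make the success condition for `for_stack` explicit (the only intersection, if any, is @vma) or drop the exception from this patch.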
> >
> > I'm a little confused by this exception, is it very specifically for the
> > shift_arg_pages() case where we can assume we are safe to just discard the
> > lower portion of the stack?
> >
> > Wouldn't the find_vma_intersection() line below fail in this case? I may be
> > missing something here :)
>
> I think you are right. In v4, this was not an issue as we did this:
>
>
> +	if (!for_stack && vma->vm_start != addr_to_align)
> +		return false;
> +
> +	cur = find_vma_prev(vma->vm_mm, vma->vm_start, &prev);
> +	if (WARN_ON_ONCE(cur != vma))
> +		return false;
>
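Review bot: in this v4 fragment `prev` is looked up but, within the quoted lines, never compared against the masked address; `WARN_ON_ONCE(cur != vma)` only confirms the lookup returned @vma. If the comparison of `prev->vm_end` against `addr_masked` lives in the lines not quoted here, it would help to quote it, since that comparison is the one under discussion.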
> Which essentially means this patch is a NOOP in v5 for the stack case.

>
> So what we really want is the VMA previous to @vma and whether that subsumes
> the masked address.
>
> Should I just change it back to the v4 version then as above for both patch 1
> and 2 and carry your review tags?

You will not be surprised to hear that I'd rather not :) I think if we did
revert to that approach it'd need rework anyway, so I'd ask for a respin w/o
tag if we were to go down that road.

HOWEVER let's first clarify what we want to check.

My understanding (please correct me if mistaken) is that there are two
acceptable cases:-

1. !for_stack

 addr_masked         addr_to_align
 |                   |
 v                   v
 .                   |-----|
 . <-must be empty-> | vma |
 .                   |-----|

2. for_stack

      addr_masked         addr_to_align
      |                   |
      v                   v
 |----.-------------------.-----|
 |    .        vma        .     |
 |----.-------------------.-----|

Meaning that there are only two cases that we should care about:-

1. !for_stack: addr_to_align == vma->vm_start and no other VMA exists
   between this and addr_masked

2. for_stack: addr_masked is in the same VMA as addr_to_align.

In this case, the check can surely be:-

return find_vma_intersection(vma->vm_mm, addr_masked, addr_to_align) ==
	(for_stack ? vma : NULL);

(maybe would be less ugly to actually assign the intersection value to a
local var and check that)

>
> This is also hard to test as it requires triggering the execve stack move
> case. Though it is not a bug (as it is essentially a NOOP), it still would be
> nice to test it. This is complicated by also the fact that mremap(2) itself
> does not allow overlapping moves. I could try to hardcode the unfavorable
> situation as I have done in the past to force that mremap warning.

I find this exception a bit confusing, why are we so adamant on performing
the optimisation in this case when it makes the code uglier and is rather
hard to understand? Does it really matter that much?

I wonder whether it wouldn't be better to just drop that (unless you really
felt strongly about it) for the patch set and then perhaps address it in a
follow up?

This may entirely be a product of my simply not entirely understanding this
case so do forgive the probing, I just want to make sure we handle it
correctly!

>
> thanks,
>
>  - Joel
>
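The two cases in the diagrams above, and the `find_vma_intersection(...) == (for_stack ? vma : NULL)` form proposed for the check, modelled as an added stand-alone example (not kernel code and not from this thread): `struct vma`, `struct mm`, the toy `find_vma_intersection()`, `try_align()` and the 8 KiB `TOY_MASK` are constructed stand-ins for the kernel's.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy VMA list standing in for the kernel's mm: sorted and disjoint. */
struct vma { unsigned long vm_start, vm_end; };   /* [vm_start, vm_end) */
struct mm  { struct vma *vmas; size_t n; };

/* Stand-in for find_vma_intersection(): first VMA overlapping [start, end). */
static struct vma *find_vma_intersection(struct mm *mm, unsigned long start,
					 unsigned long end)
{
	for (size_t i = 0; i < mm->n; i++)
		if (mm->vmas[i].vm_start < end && mm->vmas[i].vm_end > start)
			return &mm->vmas[i];
	return NULL;
}

/*
 * The check as proposed in the reply: !for_stack needs @addr_to_align at the
 * VMA start and nothing mapped in [addr_masked, addr_to_align); for_stack
 * needs the masked range to hit @vma itself and only @vma.
 */
static bool can_align_down(struct mm *mm, struct vma *vma,
			   unsigned long addr_to_align, unsigned long mask,
			   bool for_stack)
{
	unsigned long addr_masked = addr_to_align & mask;
	struct vma *hit;

	if (!for_stack && vma->vm_start != addr_to_align)
		return false;
	hit = find_vma_intersection(mm, addr_masked, addr_to_align);
	return hit == (for_stack ? vma : NULL);
}

#define TOY_MASK (~0x1fffUL)	/* constructed: align down to 8 KiB */

/* Scenario helper: VMA list v[0..n), try to align v[idx] at @addr. */
static bool try_align(struct vma *v, size_t n, size_t idx, unsigned long addr,
		      bool for_stack)
{
	struct mm mm = { v, n };
	return can_align_down(&mm, &v[idx], addr, TOY_MASK, for_stack);
}
```

Note that in the for_stack case the proposed form also returns true when the masked address falls below vma->vm_start into unmapped space, since the first intersection is then @vma itself.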
