lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230921225443.GC21193@monkey>
Date:   Thu, 21 Sep 2023 15:54:43 -0700
From:   Mike Kravetz <mike.kravetz@...cle.com>
To:     riel@...riel.com
Cc:     linux-kernel@...r.kernel.org, kernel-team@...a.com,
        linux-mm@...ck.org, akpm@...ux-foundation.org,
        muchun.song@...ux.dev, leit@...a.com
Subject: Re: [PATCH 0/2] hugetlbfs: close race between MADV_DONTNEED and page
 fault

On 09/19/23 22:16, riel@...riel.com wrote:
> Malloc libraries, like jemalloc and tcalloc, take decisions on when
> to call madvise independently from the code in the main application.
> 
> This sometimes results in the application page faulting on an address,
> right after the malloc library has shot down the backing memory with
> MADV_DONTNEED.
> 
> Usually this is harmless, because we always have some 4kB pages
> sitting around to satisfy a page fault. However, with hugetlbfs
> systems often allocate only the exact number of huge pages that
> the application wants.
> 
> Due to TLB batching, hugetlbfs MADV_DONTNEED will free pages outside of
> any lock taken on the page fault path, which can open up the following
> race condition:
> 
>        CPU 1                            CPU 2
> 
>        MADV_DONTNEED
>        unmap page
>        shoot down TLB entry
>                                        page fault
>                                        fail to allocate a huge page
>                                        killed with SIGBUS
>        free page

Hi Rik,

I think we discussed this before.  Even with your changes there is no
guarantee that the free'ed hugetlb page can not be stolen by another
application.  This is true even with hugetlb reservations as the
reservation is consumed by the first fault.  After the MADV_DONTNEED
no reservation will exist, which allows another application to steal
the page.

This is VERY unlikely to actually happen.  However, I do want to point
out that it is possible.  Of course, the way the code is today you will
always fail if there is only one hugetlb page in the above scenario.  So,
your changes will help tremendously and I support them moving forward.

I suspect you are already aware of this, but just want to make sure you
are aware there are no guarantees here.
-- 
Mike Kravetz

> 
> Fix that race by extending the hugetlb_vma_lock locking scheme to also
> cover private hugetlb mappings (with resv_map), and pulling the locking 
> from __unmap_hugepage_final_range into helper functions called from
> zap_page_range_single. This ensures page faults stay locked out of
> the MADV_DONTNEED VMA until the huge pages have actually been freed.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ