lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <90c1b3c7-cdf7-40fa-ae06-5565c1d760ee@redhat.com>
Date:   Mon, 27 Nov 2023 17:22:14 +0100
From:   David Hildenbrand <david@...hat.com>
To:     Peter Xu <peterx@...hat.com>,
        Andrew Morton <akpm@...ux-foundation.org>
Cc:     linux-mm@...ck.org, linux-kernel@...r.kernel.org,
        Dan Williams <dan.j.williams@...el.com>,
        Mel Gorman <mgorman@...e.de>,
        Matthew Wilcox <willy@...radead.org>,
        "Aneesh Kumar K . V" <aneesh.kumar@...ux.vnet.ibm.com>,
        Christoph Hellwig <hch@....de>
Subject: Re: [PATCH] mm/gup: Fix follow_devmap_p[mu]d() on page==NULL handling

On 26.11.23 22:55, Peter Xu wrote:
> On Fri, Nov 24, 2023 at 11:20:59AM -0800, Andrew Morton wrote:
>> On Thu, 23 Nov 2023 13:02:22 -0500 Peter Xu <peterx@...hat.com> wrote:
>>
>>> This is a bug found not by any report but only by code observations.
>>>
>>> When GUP sees a devpmd/devpud and if page==NULL is returned, it means a
>>> fault is probably required.  Here falling through when page==NULL can cause
>>> unexpected behavior.
>>>
>>
>> Well this is worrisome.  We aren't able to construct a test case to
>> demonstrate this bug?  Why is that?  Is it perhaps just dead code?
> 
> IIUC it's not dead code. Take the example of follow_devmap_pmd(), it can
> return page==NULL at least when seeing write bit missing:
> 
> 	if (flags & FOLL_WRITE && !pmd_write(*pmd))
> 		return NULL;
> 
> AFAICT it can happen if someone does "echo 4 > /proc/$PID/clear_refs" when
> the mm contains the devmap pmd.  Same to pud.
> 
> It'll be nice if someone that works with dax would like to verify it.  In
> my series (refactor hugetlb gup, part 2) IIUC some hugetlb selftest can
> start to trigger this path, but I'll need to check.  So far it's dax-only.

It certainly looks weird to continue there. Triggering it by mmaping 
some devdax device might be possible (e.g., using devdax emulation).

We know the PMD is present and the PMD is devmap. We take the pmd lock, 
and in follow_devmap_pmd() we recheck both.

I suspect the original idea was: if it's suddenly no longer present or 
no longer devmap, it was replaced by a PTE table. So we know a deeper 
level is there and can simply continue instead of triggering a fault.

But that does not seem to be the case, because I suspect the PMD could 
have been zapped (MADV_DONTNEED?) in the meantime, and the "writability" 
check is similarly weird.

So I assume the patch from Peter is ok: even if the PMD got replaced by 
a PTE table, we'd trigger a fault and simply retry.

Acked-by: David Hildenbrand <david@...hat.com>

-- 
Cheers,

David / dhildenb

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ