| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240227132556.17e87767.alex.williamson@redhat.com> Date: Tue, 27 Feb 2024 13:25:56 -0700 From: Alex Williamson <alex.williamson@...hat.com> To: David Hildenbrand <david@...hat.com> Cc: Yisheng Xie <ethan.xys@...ux.alibaba.com>, akpm@...ux-foundation.org, kvm@...r.kernel.org, linux-kernel@...r.kernel.org, linux-mm@...ck.org Subject: Re: [PATCH] vfio/type1: unpin PageReserved page On Tue, 27 Feb 2024 11:27:08 +0100 David Hildenbrand <david@...hat.com> wrote: > On 26.02.24 18:32, Alex Williamson wrote: > > On Tue, 27 Feb 2024 01:14:54 +0800 > > Yisheng Xie <ethan.xys@...ux.alibaba.com> wrote: > > > >> 在 2024/2/27 00:14, Alex Williamson 写道: > >>> On Tue, 27 Feb 2024 00:01:06 +0800 > >>> Yisheng Xie<ethan.xys@...ux.alibaba.com> wrote: > >>> > >>>> We meet a warning as following: > >>>> WARNING: CPU: 99 PID: 1766859 at mm/gup.c:209 try_grab_page.part.0+0xe8/0x1b0 > >>>> CPU: 99 PID: 1766859 Comm: qemu-kvm Kdump: loaded Tainted: GOE 510.134-008.2.x86_64 #1 > >>> ^^^^^^^^ > >>> > >>> Does this issue reproduce on mainline? Thanks, > >> > >> I have check the code of mainline, the logical seems the same as my > >> version. > >> > >> so I think it can reproduce if i understand correctly. > > > > I obviously can't speak to what's in your 5.10.134-008.2 kernel, but I > > do know there's a very similar issue resolved in v6.0 mainline and > > included in v5.10.146 of the stable tree. Please test. Thanks, > > This commit, to be precise: > > commit 873aefb376bbc0ed1dd2381ea1d6ec88106fdbd4 > Author: Alex Williamson <alex.williamson@...hat.com> > Date: Mon Aug 29 21:05:40 2022 -0600 > > vfio/type1: Unpin zero pages > > There's currently a reference count leak on the zero page. We increment > the reference via pin_user_pages_remote(), but the page is later handled > as an invalid/reserved page, therefore it's not accounted against the > user and not unpinned by our put_pfn(). > > Introducing special zero page handling in put_pfn() would resolve the > leak, but without accounting of the zero page, a single user could > still create enough mappings to generate a reference count overflow. > > The zero page is always resident, so for our purposes there's no reason > to keep it pinned. Therefore, add a loop to walk pages returned from > pin_user_pages_remote() and unpin any zero pages. > > > BUT > > in the meantime, we also have > > commit c8070b78751955e59b42457b974bea4a4fe00187 > Author: David Howells <dhowells@...hat.com> > Date: Fri May 26 22:41:40 2023 +0100 > > mm: Don't pin ZERO_PAGE in pin_user_pages() > > Make pin_user_pages*() leave a ZERO_PAGE unpinned if it extracts a pointer > to it from the page tables and make unpin_user_page*() correspondingly > ignore a ZERO_PAGE when unpinning. We don't want to risk overrunning a > zero page's refcount as we're only allowed ~2 million pins on it - > something that userspace can conceivably trigger. > > Add a pair of functions to test whether a page or a folio is a ZERO_PAGE. > > > So the unpin_user_page_* won't do anything with the shared zeropage. > > (likely, we could revert 873aefb376bbc0ed1dd2381ea1d6ec88106fdbd4) Yes, according to the commit log it seems like the unpin is now just wasted work since v6.5. Thanks! Alex
Powered by blists - more mailing lists