| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <cover.1734526570.git.zhengqi.arch@bytedance.com>
Date: Wed, 18 Dec 2024 21:04:36 +0800
From: Qi Zheng <zhengqi.arch@...edance.com>
To: peterz@...radead.org,
tglx@...utronix.de,
david@...hat.com,
jannh@...gle.com,
hughd@...gle.com,
yuzhao@...gle.com,
willy@...radead.org,
muchun.song@...ux.dev,
vbabka@...nel.org,
lorenzo.stoakes@...cle.com,
akpm@...ux-foundation.org,
rientjes@...gle.com,
vishal.moola@...il.com
Cc: linux-mm@...ck.org,
linux-kernel@...r.kernel.org,
Qi Zheng <zhengqi.arch@...edance.com>
Subject: [PATCH v2 00/15] move pagetable_*_dtor() to __tlb_remove_table()
Changes in v2:
- add [PATCH v2 13|14|15/15] (suggested by Peter Zijlstra)
- add Originally-bys and Suggested-bys
- rebase onto the next-20241218
Hi all,
As proposed [1] by Peter Zijlstra below, this patch series aims to move
pagetable_*_dtor() into __tlb_remove_table(). This will cleanup pagetable_*_dtor()
a bit and more gracefully fix the UAF issue [2] reported by syzbot.
```
Notably:
- s390 pud isn't calling the existing pagetable_pud_[cd]tor()
- none of the p4d things have pagetable_p4d_[cd]tor() (x86,arm64,s390,riscv)
and they have inconsistent accounting
- while much of the _ctor calls are in generic code, many of the _dtor
calls are in arch code for hysterial raisins, this could easily be
fixed
- if we fix ptlock_free() to handle NULL, then all the _dtor()
functions can use it, and we can observe they're all identical
and can be folded
after all that cleanup, you can move the _dtor from *_free_tlb() into
tlb_remove_table() -- which for the above case, would then have it
called from __tlb_remove_table_free().
```
And hi Andrew, I developed the code based on the latest linux-next, so I reverted
the "mm: pgtable: make ptlock be freed by RCU" first. Once the review of this
patch series is completed, the "mm: pgtable: make ptlock be freed by RCU" can be
dropped directly from mm tree, and this revert patch will not be needed.
This series is based on next-20241218. And I tested this patch series on x86 and
only cross-compiled it on arm[|64], powerpc, riscv, s390 and sparc.
Comments and suggestions are welcome!
Thanks,
Qi
[1]. https://lore.kernel.org/all/20241211133433.GC12500@noisy.programming.kicks-ass.net/
[2]. https://lore.kernel.org/all/67548279.050a0220.a30f1.015b.GAE@google.com/
Qi Zheng (15):
Revert "mm: pgtable: make ptlock be freed by RCU"
mm: pgtable: introduce generic p4d_alloc_one() and p4d_free()
arm64: pgtable: use mmu gather to free p4d level page table
s390: pgtable: add statistics for PUD and P4D level page table
mm: pgtable: introduce pagetable_dtor()
arm: pgtable: move pagetable_dtor() to __tlb_remove_table()
arm64: pgtable: move pagetable_dtor() to __tlb_remove_table()
riscv: pgtable: move pagetable_dtor() to __tlb_remove_table()
x86: pgtable: move pagetable_dtor() to __tlb_remove_table()
s390: pgtable: also move pagetable_dtor() of PxD to
__tlb_remove_table()
mm: pgtable: introduce generic __tlb_remove_table()
mm: pgtable: move __tlb_remove_table_one() in x86 to generic file
mm: pgtable: remove tlb_remove_page_ptdesc()
mm: pgtable: remove tlb_remove_ptdesc()
mm: pgtable: introduce generic pagetable_dtor_free()
Documentation/mm/split_page_table_lock.rst | 4 +-
arch/arm/include/asm/tlb.h | 18 +-----
arch/arm64/include/asm/pgalloc.h | 17 +++---
arch/arm64/include/asm/tlb.h | 31 +++++-----
arch/csky/include/asm/pgalloc.h | 4 +-
arch/hexagon/include/asm/pgalloc.h | 4 +-
arch/loongarch/include/asm/pgalloc.h | 4 +-
arch/m68k/include/asm/mcf_pgalloc.h | 4 +-
arch/m68k/include/asm/sun3_pgalloc.h | 4 +-
arch/m68k/mm/motorola.c | 2 +-
arch/mips/include/asm/pgalloc.h | 4 +-
arch/nios2/include/asm/pgalloc.h | 4 +-
arch/openrisc/include/asm/pgalloc.h | 4 +-
arch/powerpc/include/asm/tlb.h | 1 +
arch/powerpc/mm/book3s64/mmu_context.c | 2 +-
arch/powerpc/mm/book3s64/pgtable.c | 2 +-
arch/powerpc/mm/pgtable-frag.c | 4 +-
arch/riscv/include/asm/pgalloc.h | 57 ++++++++----------
arch/riscv/include/asm/tlb.h | 18 ------
arch/riscv/mm/init.c | 4 +-
arch/s390/include/asm/pgalloc.h | 31 +++++++---
arch/s390/include/asm/tlb.h | 43 +++++++-------
arch/s390/mm/pgalloc.c | 31 ++--------
arch/sh/include/asm/pgalloc.h | 4 +-
arch/sparc/include/asm/tlb_32.h | 1 +
arch/sparc/include/asm/tlb_64.h | 1 +
arch/sparc/mm/init_64.c | 2 +-
arch/sparc/mm/srmmu.c | 2 +-
arch/um/include/asm/pgalloc.h | 12 ++--
arch/x86/include/asm/pgalloc.h | 16 +++--
arch/x86/include/asm/tlb.h | 33 -----------
arch/x86/kernel/paravirt.c | 1 +
arch/x86/mm/pgtable.c | 13 ++---
include/asm-generic/pgalloc.h | 68 +++++++++++++++++-----
include/asm-generic/tlb.h | 23 ++++----
include/linux/mm.h | 52 +++++++----------
include/linux/mm_types.h | 9 +--
mm/memory.c | 23 +++-----
mm/mmu_gather.c | 19 +++++-
39 files changed, 255 insertions(+), 321 deletions(-)
--
2.20.1
Powered by blists - more mailing lists