Message-ID: <ae3717ca-42e7-49a6-99f9-73a4c0be70f9@lucifer.local>
Date: Wed, 30 Apr 2025 17:07:40 +0100
From: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
To: Wei Yang <richard.weiyang@...il.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
        Vlastimil Babka <vbabka@...e.cz>, Jann Horn <jannh@...gle.com>,
        "Liam R . Howlett" <Liam.Howlett@...cle.com>,
        Suren Baghdasaryan <surenb@...gle.com>,
        Matthew Wilcox <willy@...radead.org>,
        David Hildenbrand <david@...hat.com>, Pedro Falcato <pfalcato@...e.de>,
        linux-mm@...ck.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v2 01/10] mm/mremap: introduce more mergeable mremap
 via MREMAP_RELOCATE_ANON

On Wed, Apr 30, 2025 at 03:41:19PM +0000, Wei Yang wrote:
> On Wed, Apr 30, 2025 at 02:15:24PM +0100, Lorenzo Stoakes wrote:
> >On Wed, Apr 30, 2025 at 12:47:03AM +0000, Wei Yang wrote:
> >> On Tue, Apr 22, 2025 at 09:09:20AM +0100, Lorenzo Stoakes wrote:
> >> [...]
> >> >+bool vma_had_uncowed_children(struct vm_area_struct *vma)
> >> >+{
> >> >+	struct anon_vma *anon_vma = vma ? vma->anon_vma : NULL;
> >> >+	bool ret;
> >> >+
> >> >+	if (!anon_vma)
> >> >+		return false;
> >> >+
> >> >+	/*
> >> >+	 * If we're mmap locked then there's no way for this count to change, as
> >> >+	 * any such change would require this lock not be held.
> >> >+	 */
> >> >+	if (rwsem_is_locked(&vma->vm_mm->mmap_lock))
> >> >+		return anon_vma->num_children > 1;
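
Review bot: the fast path on `rwsem_is_locked(&vma->vm_mm->mmap_lock)` tests whether any task holds mmap_lock, not whether the caller does, so the comment's "If we're mmap locked" reasoning only holds when the caller is the holder. If another thread happens to hold the lock, `num_children` is read here without anon_vma_lock_read() and without the caller excluding a change. Consider making the locking a documented caller requirement (for example with mmap_assert_locked()) or always taking the anon_vma read lock.
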
> >>
> >> Hi, Lorenzo
> >>
> >> May I have a question here?
> >
> >Just ask the question.
> >
>
> Thanks.
>
> My question is the function is expected to return true, if we have forked a
> vma from this one, right?
>
> IMO there are cases when it has one forked child and anon_vma->num_children == 1,
> which means folios are not exclusively mapped. But the function would return
> false.
>
> Or maybe I misunderstand the logic here.

I mean, it'd be helpful if you delineated which cases these were?

Presumably you're thinking of something like:

1. Process 1: VMA A is established. num_children == 1 (self-reference is counted).
2. Process 2: Process 1 forks, VMA B references A, a->num_children++
3. Process 3: Process 2 forks, VMA C is established (maybe you think b->num_children++?)
4. Unmap vma B, oops, a->num_children == 1 but it still has C!

But that won't happen, as VMA C will be referencing a->anon_vma, so in reality
a->anon_vma->num_children == 3, then after unmap == 2.

References to the originally faulted-in anon_vma are propagated through the
forks.

anon_vma logic is tricky, one of many reasons I want to (significantly) rework
it.

Though sadly there is a lot of _essential_ complexity, I do think we can do
better.

>
> >However, with respect, the last drive-by review you gave was not helpful,
> >so I strongly suggest that this is not a great use of your time.
> >
> >Again, I _strongly_ suggest you focus on bug fixes or the like.
>
> Thanks for your suggestion and patience. I would try to focus on bugs and skip
> those subtle things.

Thanks, you've contributed good bug reports in the past, I'm not just
recommending this for no reason! :)

David's suggested tests are also a positive way forward.

Thanks, Lorenzo

>
> >
> >Thanks.
> >
> >>
> >> >+
> >> >+	/*
> >> >+	 * Any change that would increase the number of children would be
> >> >+	 * prevented by a read lock.
> >> >+	 */
> >> >+	anon_vma_lock_read(anon_vma);
> >> >+	ret = anon_vma->num_children > 1;
> >> >+	anon_vma_unlock_read(anon_vma);
> >> >+
> >> >+	return ret;
> >> >+}
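
Review bot: the `> 1` threshold in `ret = anon_vma->num_children > 1;` is not explained anywhere in the function, and the question raised in this thread shows it is easy to misread. A short comment or kerneldoc saying that the count includes the anon_vma's own self-reference (as the reply in this thread states) would make clear why 1 means "no children". The result is also sampled and the read lock dropped before `return ret;`, so the function comment should state what the caller must hold for the answer to stay valid after return.
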
> >>
> >> --
> >> Wei Yang
> >> Help you, Help me
>
> --
> Wei Yang
> Help you, Help me
