lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAMgjq7AO__8TFE8ibwQswWmmf4tTGg2NBEJp0aEn32vN+Dy8uw@mail.gmail.com>
Date: Wed, 21 May 2025 03:09:53 +0800
From: Kairui Song <ryncsn@...il.com>
To: Barry Song <21cnbao@...il.com>
Cc: akpm@...ux-foundation.org, baolin.wang@...ux.alibaba.com, bhe@...hat.com, 
	chrisl@...nel.org, david@...hat.com, hannes@...xchg.org, hughd@...gle.com, 
	kaleshsingh@...gle.com, linux-kernel@...r.kernel.org, linux-mm@...ck.org, 
	nphamcs@...il.com, ryan.roberts@....com, shikemeng@...weicloud.com, 
	tim.c.chen@...ux.intel.com, willy@...radead.org, ying.huang@...ux.alibaba.com, 
	yosryahmed@...gle.com
Subject: Re: [PATCH 05/28] mm, swap: sanitize swap cache lookup convention

On Tue, May 20, 2025 at 12:41 PM Barry Song <21cnbao@...il.com> wrote:
>
> On Tue, May 20, 2025 at 3:31 PM Kairui Song <ryncsn@...il.com> wrote:
> >
> > On Mon, May 19, 2025 at 12:38 PM Barry Song <21cnbao@...il.com> wrote:
> > >
> > > > From: Kairui Song <kasong@...cent.com>
> > >
> > > > diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> > > > index e5a0db7f3331..5b4f01aecf35 100644
> > > > --- a/mm/userfaultfd.c
> > > > +++ b/mm/userfaultfd.c
> > > > @@ -1409,6 +1409,10 @@ static int move_pages_pte(struct mm_struct *mm, pmd_t *dst_pmd, pmd_t *src_pmd,
> > > >                               goto retry;
> > > >                       }
> > > >               }
> > > > +             if (!folio_swap_contains(src_folio, entry)) {
> > > > +                     err = -EBUSY;
> > > > +                     goto out;
> > > > +             }
> > >
> > > It seems we don't need this. In move_swap_pte(), we have been checking pte pages
> > > are stable:
> > >
> > >         if (!is_pte_pages_stable(dst_pte, src_pte, orig_dst_pte, orig_src_pte,
> > >                                  dst_pmd, dst_pmdval)) {
> > >                 double_pt_unlock(dst_ptl, src_ptl);
> > >                 return -EAGAIN;
> > >         }
> >
> > The tricky part is when swap_cache_get_folio returns the folio, both
> > folio and ptes are unlocked. So is it possible that someone else
> > swapped in the entries, then swapped them out again using the same
> > entries?
> >
> > The folio will be different here but PTEs are still the same value to
> > they will pass the is_pte_pages_stable check, we previously saw
> > similar races with anon fault or shmem. I think more strict checking
> > won't hurt here.
>
> This doesn't seem to be the same case as the one you fixed in
> do_swap_page(). Here, we're hitting the swap cache, whereas in that
> case, there was no one hitting the swap cache, and you used
> swap_prepare() to set up the cache to fix the issue.
>
> By the way, if we're not hitting the swap cache, src_folio will be
> NULL. Also, it seems that folio_swap_contains(src_folio, entry) does
> not guard against that case either.

Ah, that's true, it should be moved inside the if (folio) {...} block
above. Thanks for catching this!

> But I suspect we won't have a problem, since we're not swapping in —
> we didn't read any stale data, right? Swap-in will only occur after we
> move the PTEs.

My concern is that a parallel swapin / swapout could result in the
folio to be a completely irrelevant or invalid folio.

It's not about the dst, but in the move src side, something like:

CPU1                             CPU2
move_pages_pte
  folio = swap_cache_get_folio(...)
    | Got folio A here
  move_swap_pte
                                 <swapin src_pte, using folio A>
                                 <swapout src_pte, put folio A>
                                   | Now folio A is no longer valid.
                                   | It's very unlikely but here SWAP
                                   | could reuse the same entry as above.
    double_pt_lock
    is_pte_pages_stable
      | Passed because of entry reuse.
    folio_move_anon_rmap(...)
      | Moved invalid folio A.

And could it be possible that the swap_cache_get_folio returns NULL
here, but later right before the double_pt_lock, a folio is added to
swap cache? Maybe we better check the swap cache after clear and
releasing dst lock, but before releasing src lock?


>
> >
> > >
> > > Also, -EBUSY is somehow incorrect error code.
> >
> > Yes, thanks, I'll use EAGAIN here just like move_swap_pte.
> >
> >
> > >
> > > >               err = move_swap_pte(mm, dst_vma, dst_addr, src_addr, dst_pte, src_pte,
> > > >                               orig_dst_pte, orig_src_pte, dst_pmd, dst_pmdval,
> > > >                               dst_ptl, src_ptl, src_folio);
> > > >
> > >
>
> Thanks
> Barry

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ