| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c5942226-2102-48bd-949e-2369437e8599@redhat.com>
Date: Mon, 21 Jul 2025 16:39:07 +0200
From: David Hildenbrand <david@...hat.com>
To: Usama Arif <usamaarif642@...il.com>, linux-kernel@...r.kernel.org
Cc: linux-mm@...ck.org, linux-fsdevel@...r.kernel.org,
linux-doc@...r.kernel.org, Jonathan Corbet <corbet@....net>,
Andrew Morton <akpm@...ux-foundation.org>,
Lorenzo Stoakes <lorenzo.stoakes@...cle.com>, Zi Yan <ziy@...dia.com>,
Baolin Wang <baolin.wang@...ux.alibaba.com>,
"Liam R. Howlett" <Liam.Howlett@...cle.com>, Nico Pache <npache@...hat.com>,
Ryan Roberts <ryan.roberts@....com>, Dev Jain <dev.jain@....com>,
Barry Song <baohua@...nel.org>, Vlastimil Babka <vbabka@...e.cz>,
Mike Rapoport <rppt@...nel.org>, Suren Baghdasaryan <surenb@...gle.com>,
Michal Hocko <mhocko@...e.com>, SeongJae Park <sj@...nel.org>,
Jann Horn <jannh@...gle.com>, Yafang Shao <laoar.shao@...il.com>,
Matthew Wilcox <willy@...radead.org>
Subject: Re: [PATCH POC] prctl: extend PR_SET_THP_DISABLE to optionally
exclude VM_HUGEPAGE
>> (B) Makes prctl(PR_GET_THP_DISABLE) return 3 if
>> PR_THP_DISABLE_EXCEPT_ADVISED was set while disabling.
>>
>> For now, it would return 1 if THPs were disabled completely. Now
>> it essentially returns the set flags as well.
>>
>
> No strong opinion, but maybe we have it return 2 (i.e. bit 1 set)?
>
> I know that you are returning bit 1 set to indicate the flag, and I know that
> everyone dislikes prctl so its likely no more flags will be added :),
> but in the off chance there are extra flags, than it can make the return
> value weird?
Well, never say never, so I decided to just return the set flags :)
> If instead we return a value with only a single bit set, might be better?
>
> Again, no strong opinion here.
I prefer the current approach, until there is good reason not do do it.
IOW, set bit-0 if something is disabled, and specify using flag what
exectly (provided flags).
>
>> (C) Renames MMF_DISABLE_THP to MMF_DISABLE_THP_COMPLETELY, to express
>> the semantics clearly.
>>
>> Fortunately, there are only two instances outside of prctl() code.
>>
>> (D) Adds MMF_DISABLE_THP_EXCEPT_ADVISED to express "no THP except for VMAs
>> with VM_HUGEPAGE" -- essentially "thp=madvise" behavior
>>
>> Fortunately, we only have to extend vma_thp_disabled().
>>
>> (E) Indicates "THP_enabled: 0" in /proc/pid/status only if THPs are not
>> disabled completely
>>
>> Only indicating that THPs are disabled when they are really disabled
>> completely, not only partially.
>>
>> The documented semantics in the man page for PR_SET_THP_DISABLE
>> "is inherited by a child created via fork(2) and is preserved across
>> execve(2)" is maintained. This behavior, for example, allows for
>> disabling THPs for a workload through the launching process (e.g.,
>> systemd where we fork() a helper process to then exec()).
>>
>> There is currently not way to prevent that a process will not issue
>> PR_SET_THP_DISABLE itself to re-enable THP. We could add a "seal" option
>> to PR_SET_THP_DISABLE through another flag if ever required. The known
>> users (such as redis) really use PR_SET_THP_DISABLE to disable THPs, so
>> that is not added for now.
>>
>> Cc: Jonathan Corbet <corbet@....net>
>> Cc: Andrew Morton <akpm@...ux-foundation.org>
>> Cc: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
>> Cc: Zi Yan <ziy@...dia.com>
>> Cc: Baolin Wang <baolin.wang@...ux.alibaba.com>
>> Cc: "Liam R. Howlett" <Liam.Howlett@...cle.com>
>> Cc: Nico Pache <npache@...hat.com>
>> Cc: Ryan Roberts <ryan.roberts@....com>
>> Cc: Dev Jain <dev.jain@....com>
>> Cc: Barry Song <baohua@...nel.org>
>> Cc: Vlastimil Babka <vbabka@...e.cz>
>> Cc: Mike Rapoport <rppt@...nel.org>
>> Cc: Suren Baghdasaryan <surenb@...gle.com>
>> Cc: Michal Hocko <mhocko@...e.com>
>> Cc: Usama Arif <usamaarif642@...il.com>
>> Cc: SeongJae Park <sj@...nel.org>
>> Cc: Jann Horn <jannh@...gle.com>
>> Cc: Liam R. Howlett <Liam.Howlett@...cle.com>
>> Cc: Yafang Shao <laoar.shao@...il.com>
>> Cc: Matthew Wilcox <willy@...radead.org>
>> Signed-off-by: David Hildenbrand <david@...hat.com>
>>
>> ---
>>
>> At first, I thought of "why not simply relax PR_SET_THP_DISABLE", but I
>> think there might be real use cases where we want to disable any THPs --
>> in particular also around debugging THP-related problems, and
>> "THP=never" not meaning ... "never" anymore. PR_SET_THP_DISABLE will
>> also block MADV_COLLAPSE, which can be very helpful. Of course, I thought
>> of having a system-wide config to change PR_SET_THP_DISABLE behavior, but
>> I just don't like the semantics.
>>
>> "prctl: allow overriding system THP policy to always"[1] proposed
>> "overriding policies to always", which is just the wrong way around: we
>> should not add mechanisms to "enable more" when we already have an
>> interface/mechanism to "disable" them (PR_SET_THP_DISABLE). It all gets
>> weird otherwise.
>>
>> "[PATCH 0/6] prctl: introduce PR_SET/GET_THP_POLICY"[2] proposed
>> setting the default of the VM_HUGEPAGE, which is similarly the wrong way
>> around I think now.
>>
>> The proposals by Lorenzo to extend process_madvise()[3] and mctrl()[4]
>> similarly were around the "default for VM_HUGEPAGE" idea, but after the
>> discussion, I think we should better leave VM_HUGEPAGE untouched.
>>
>> Happy to hear naming suggestions for "PR_THP_DISABLE_EXCEPT_ADVISED" where
>> we essentially want to say "leave advised regions alone" -- "keep THP
>> enabled for advised regions",
>>
>> The only thing I really dislike about this is using another MMF_* flag,
>> but well, no way around it -- and seems like we could easily support
>> more than 32 if we want to, or storing this thp information elsewhere.
>>
>> I think this here (modifying an existing toggle) is the only prctl()
>> extension that we might be willing to accept. In general, I agree like
>> most others, that prctl() is a very bad interface for that -- but
>> PR_SET_THP_DISABLE is already there and is getting used.
>>
>> Long-term, I think the answer will be something based on bpf[5]. Maybe
>> in that context, I there could still be value in easily disabling THPs for
>> selected workloads (esp. debugging purposes).
>>
>> Jann raised valid concerns[6] about new flags that are persistent across
>> exec[6]. As this here is a relaxation to existing PR_SET_THP_DISABLE I
>> consider it having a similar security risk as our existing
>> PR_SET_THP_DISABLE, but devil is in the detail.
>>
>> This is *completely* untested and might be utterly broken. It merely
>> serves as a PoC of what I think could be done. If this ever goes upstream,
>> we need some kselftests for it, and extensive tests.
>>
>> [1] https://lore.kernel.org/r/20250507141132.2773275-1-usamaarif642@gmail.com
>> [2] https://lkml.kernel.org/r/20250515133519.2779639-2-usamaarif642@gmail.com
>> [3] https://lore.kernel.org/r/cover.1747686021.git.lorenzo.stoakes@oracle.com
>> [4] https://lkml.kernel.org/r/85778a76-7dc8-4ea8-8827-acb45f74ee05@lucifer.local
>> [5] https://lkml.kernel.org/r/20250608073516.22415-1-laoar.shao@gmail.com
>> [6] https://lore.kernel.org/r/CAG48ez3-7EnBVEjpdoW7z5K0hX41nLQN5Wb65Vg-1p8DdXRnjg@mail.gmail.com
>>
>> ---
>> Documentation/filesystems/proc.rst | 5 +--
>> fs/proc/array.c | 2 +-
>> include/linux/huge_mm.h | 20 ++++++++---
>> include/linux/mm_types.h | 13 +++----
>> include/uapi/linux/prctl.h | 7 ++++
>> kernel/sys.c | 58 +++++++++++++++++++++++-------
>> mm/khugepaged.c | 2 +-
>> 7 files changed, 78 insertions(+), 29 deletions(-)
>>
>> diff --git a/Documentation/filesystems/proc.rst b/Documentation/filesystems/proc.rst
>> index 2971551b72353..915a3e44bc120 100644
>> --- a/Documentation/filesystems/proc.rst
>> +++ b/Documentation/filesystems/proc.rst
>> @@ -291,8 +291,9 @@ It's slow but very precise.
>> HugetlbPages size of hugetlb memory portions
>> CoreDumping process's memory is currently being dumped
>> (killing the process may lead to a corrupted core)
>> - THP_enabled process is allowed to use THP (returns 0 when
>> - PR_SET_THP_DISABLE is set on the process
>> + THP_enabled process is allowed to use THP (returns 0 when
>> + PR_SET_THP_DISABLE is set on the process to disable
>> + THP completely, not just partially)
>> Threads number of threads
>> SigQ number of signals queued/max. number for queue
>> SigPnd bitmap of pending signals for the thread
>> diff --git a/fs/proc/array.c b/fs/proc/array.c
>> index d6a0369caa931..c4f91a784104f 100644
>> --- a/fs/proc/array.c
>> +++ b/fs/proc/array.c
>> @@ -422,7 +422,7 @@ static inline void task_thp_status(struct seq_file *m, struct mm_struct *mm)
>> bool thp_enabled = IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE);
>>
>> if (thp_enabled)
>> - thp_enabled = !test_bit(MMF_DISABLE_THP, &mm->flags);
>> + thp_enabled = !test_bit(MMF_DISABLE_THP_COMPLETELY, &mm->flags);
>> seq_printf(m, "THP_enabled:\t%d\n", thp_enabled);
>> }
>>
>> diff --git a/include/linux/huge_mm.h b/include/linux/huge_mm.h
>> index e0a27f80f390d..c4127104d9bc3 100644
>> --- a/include/linux/huge_mm.h
>> +++ b/include/linux/huge_mm.h
>> @@ -323,16 +323,26 @@ struct thpsize {
>> (transparent_hugepage_flags & \
>> (1<<TRANSPARENT_HUGEPAGE_USE_ZERO_PAGE_FLAG))
>>
>> +/*
>> + * Check whether THPs are explicitly disabled through madvise or prctl, or some
>> + * architectures may disable THP for some mappings, for example, s390 kvm.
>> + */
>> static inline bool vma_thp_disabled(struct vm_area_struct *vma,
>> vm_flags_t vm_flags)
>> {
>> + /* Are THPs disabled for this VMA? */
>> + if (vm_flags & VM_NOHUGEPAGE)
>> + return true;
>> + /* Are THPs disabled for all VMAs in the whole process? */
>> + if (test_bit(MMF_DISABLE_THP_COMPLETELY, &vma->vm_mm->flags))
>> + return true;
>> /*
>> - * Explicitly disabled through madvise or prctl, or some
>> - * architectures may disable THP for some mappings, for
>> - * example, s390 kvm.
>> + * Are THPs disabled only for VMAs where we didn't get an explicit
>> + * advise to use them?
>> */
>> - return (vm_flags & VM_NOHUGEPAGE) ||
>> - test_bit(MMF_DISABLE_THP, &vma->vm_mm->flags);
>> + if (vm_flags & VM_HUGEPAGE)
>> + return false;
>> + return test_bit(MMF_DISABLE_THP_EXCEPT_ADVISED, &vma->vm_mm->flags);
>> }
>>
>> static inline bool thp_disabled_by_hw(void)
>> diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
>> index 1ec273b066915..a999f2d352648 100644
>> --- a/include/linux/mm_types.h
>> +++ b/include/linux/mm_types.h
>> @@ -1743,19 +1743,16 @@ enum {
>> #define MMF_VM_MERGEABLE 16 /* KSM may merge identical pages */
>> #define MMF_VM_HUGEPAGE 17 /* set when mm is available for khugepaged */
>>
>> -/*
>> - * This one-shot flag is dropped due to necessity of changing exe once again
>> - * on NFS restore
>> - */
>> -//#define MMF_EXE_FILE_CHANGED 18 /* see prctl_set_mm_exe_file() */
>> +#define MMF_HUGE_ZERO_PAGE 18 /* mm has ever used the global huge zero page */
>>
>> #define MMF_HAS_UPROBES 19 /* has uprobes */
>> #define MMF_RECALC_UPROBES 20 /* MMF_HAS_UPROBES can be wrong */
>> #define MMF_OOM_SKIP 21 /* mm is of no interest for the OOM killer */
>> #define MMF_UNSTABLE 22 /* mm is unstable for copy_from_user */
>> -#define MMF_HUGE_ZERO_PAGE 23 /* mm has ever used the global huge zero page */
>> -#define MMF_DISABLE_THP 24 /* disable THP for all VMAs */
>> -#define MMF_DISABLE_THP_MASK (1 << MMF_DISABLE_THP)
>> +#define MMF_DISABLE_THP_EXCEPT_ADVISED 23 /* no THP except for VMAs with VM_HUGEPAGE */
>> +#define MMF_DISABLE_THP_COMPLETELY 24 /* no THP for all VMAs */
>> +#define MMF_DISABLE_THP_MASK ((1 << MMF_DISABLE_THP_COMPLETELY) |\
>> + (1 << MMF_DISABLE_THP_EXCEPT_ADVISED))
>> #define MMF_OOM_REAP_QUEUED 25 /* mm was queued for oom_reaper */
>> #define MMF_MULTIPROCESS 26 /* mm is shared between processes */
>> /*
>> diff --git a/include/uapi/linux/prctl.h b/include/uapi/linux/prctl.h
>> index 43dec6eed559a..1949bb9270d48 100644
>> --- a/include/uapi/linux/prctl.h
>> +++ b/include/uapi/linux/prctl.h
>> @@ -177,7 +177,14 @@ struct prctl_mm_map {
>>
>> #define PR_GET_TID_ADDRESS 40
>>
>> +/*
>> + * Flags for PR_SET_THP_DISABLE are only applicable when disabling. Bit 0
>> + * is reserved, so PR_GET_THP_DISABLE can return 1 when no other flags were
>> + * specified for PR_SET_THP_DISABLE.
>> + */
>> #define PR_SET_THP_DISABLE 41
>> +/* Don't disable THPs when explicitly advised (MADV_HUGEPAGE / VM_HUGEPAGE). */
>> +# define PR_THP_DISABLE_EXCEPT_ADVISED (1 << 1)
>> #define PR_GET_THP_DISABLE 42
>>
>> /*
>> diff --git a/kernel/sys.c b/kernel/sys.c
>> index b153fb345ada2..2a34b2f708900 100644
>> --- a/kernel/sys.c
>> +++ b/kernel/sys.c
>> @@ -2423,6 +2423,50 @@ static int prctl_get_auxv(void __user *addr, unsigned long len)
>> return sizeof(mm->saved_auxv);
>> }
>>
>> +static int prctl_get_thp_disable(unsigned long arg2, unsigned long arg3,
>> + unsigned long arg4, unsigned long arg5)
>> +{
>> + unsigned long *mm_flags = ¤t->mm->flags;
>> +
>> + if (arg2 || arg3 || arg4 || arg5)
>> + return -EINVAL;
>> +
>> + if (test_bit(MMF_DISABLE_THP_COMPLETELY, mm_flags))
>> + return 1;
>> + else if (test_bit(MMF_DISABLE_THP_EXCEPT_ADVISED, mm_flags))
>> + return 1 | PR_THP_DISABLE_EXCEPT_ADVISED;
>> + return 0;
>> +}
>> +
>> +static int prctl_set_thp_disable(unsigned long thp_disable, unsigned long flags,
>> + unsigned long arg4, unsigned long arg5)
>> +{
>> + unsigned long *mm_flags = ¤t->mm->flags;
>> +
>> + if (arg4 || arg5)
>> + return -EINVAL;
>> +
>> + /* Flags are only allowed when disabling. */
>> + if (!thp_disable || (flags & ~PR_THP_DISABLE_EXCEPT_ADVISED))
>
>
> I think you meant over here?
>
> if (!thp_disable && (flags & PR_THP_DISABLE_EXCEPT_ADVISED))
>
When re-enabling, we don't allow flags, otherwise we only allow the
supported (PR_THP_DISABLE_EXCEPT_ADVISED) flag.
So I think it should probably be something like
if ((!thp_disable && flags) || (flags & ~PR_THP_DISABLE_EXCEPT_ADVISED))
--
Cheers,
David / dhildenb
Powered by blists - more mailing lists