| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8c6a9114-82e9-416e-804b-ffaa7a679ab7@kernel.dk> Date: Tue, 20 Jan 2026 10:03:42 -0700 From: Jens Axboe <axboe@...nel.dk> To: Pavel Begunkov <asml.silence@...il.com>, Yuhao Jiang <danisjiang@...il.com> Cc: io-uring@...r.kernel.org, linux-kernel@...r.kernel.org, stable@...r.kernel.org Subject: Re: [PATCH v2] io_uring/rsrc: fix RLIMIT_MEMLOCK bypass by removing cross-buffer accounting On 1/20/26 5:05 AM, Pavel Begunkov wrote: > On 1/20/26 07:05, Yuhao Jiang wrote: >> Hi Jens, >> >> On Mon, Jan 19, 2026 at 5:40 PM Jens Axboe <axboe@...nel.dk> wrote: >>> >>> On 1/19/26 4:34 PM, Yuhao Jiang wrote: >>>> On Mon, Jan 19, 2026 at 11:03 AM Jens Axboe <axboe@...nel.dk> wrote: >>>>> >>>>> On 1/19/26 12:10 AM, Yuhao Jiang wrote: >>>>>> The trade-off is that memory accounting may be overestimated when >>>>>> multiple buffers share compound pages, but this is safe and prevents >>>>>> the security issue. >>>>> >>>>> I'd be worried that this would break existing setups. We obviously need >>>>> to get the unmap accounting correct, but in terms of practicality, any >>>>> user of registered buffers will have had to bump distro limits manually >>>>> anyway, and in that case it's usually just set very high. Otherwise >>>>> there's very little you can do with it. >>>>> >>>>> How about something else entirely - just track the accounted pages on >>>>> the side. If we ref those, then we can ensure that if a huge page is >>>>> accounted, it's only unaccounted when all existing "users" of it have >>>>> gone away. That means if you drop parts of it, it'll remain accounted. >>>>> >>>>> Something totally untested like the below... Yes it's not a trivial >>>>> amount of code, but it is actually fairly trivial code. >>>> >>>> Thanks, this approach makes sense. I'll send a v3 based on this. >>> >>> Great, thanks! I think the key is tracking this on the side, and then >>> a ref to tell when it's safe to unaccount it. The rest is just >>> implementation details. >>> >>> -- >>> Jens Axboe >>> >> >> I've been implementing the xarray-based ref tracking approach for v3. >> While working on it, I discovered an issue with buffer cloning. >> >> If ctx1 has two buffers sharing a huge page, ctx1->hpage_acct[page] = 2. >> Clone to ctx2, now both have a refcount of 2. On cleanup both hit zero >> and unaccount, so we double-unaccount and user->locked_vm goes negative. >> >> The per-context xarray can't coordinate across clones - each context >> tracks its own refcount independently. I think we either need a global >> xarray (shared across all contexts), or just go back to v2. What do >> you think? > > The Jens' diff is functionally equivalent to your v1 and has > exactly same problems. Global tracking won't work well. Why not? My thinking was that we just use xa_lock() for this, with a global xarray. It's not like register+unregister is a high frequency thing. And if they are, then we've got much bigger problems than the single lock as the runtime complexity isn't ideal. -- Jens Axboe
Powered by blists - more mailing lists