From: Oscar Salvador <osalvador@suse.de>
To: Peter Xu <peterx@redhat.com>
Cc: Michal Hocko <mhocko@suse.com>,
Oscar Salvador <OSalvador@suse.com>,
cve@kernel.org, linux-kernel@vger.kernel.org,
linux-cve-announce@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Subject: Re: CVE-2024-36000: mm/hugetlb: fix missing hugetlb_lock for resv uncharge
Date: Fri, 14 Jun 2024 13:48:30 +0200 [thread overview]
Message-ID: <ZmwuDvvTDpCFGTdi@localhost.localdomain> (raw)
In-Reply-To: <Zk9j5j-VSAOWrmg7@x1n>
On Thu, May 23, 2024 at 11:42:30AM -0400, Peter Xu wrote:
> I really don't know enough on these areas to tell, perhaps I missed
> something. But maybe any of you may have some idea.. In general, I think
> besides LOCKDEP the lock is definitely needed to at least make sure things
> like:
>
> __set_hugetlb_cgroup(folio, NULL, rsvd);
I do not think this is a problem, you are only setting folio->_hugetlb_cgroup_rsvd
to the hugetlb cgroup.
And no one else should fiddle with that folio.
> page_counter_uncharge(),
This on the hand might be another story:
page_counter_uncharge
new = atomic_long_sub_return(nr_pages, &counter->usage)
propagate_protected_usage
The first atomic_long_sub_return is ok because it is an atomic one, so
whoever comes last will not see e.g: a half-updated value.
But propagate_protected_usage() is a bit more convoluted as involves a bunch of
atomic operations and comparasions that in case they are not serialized, the counters
will not be consistent, which means that any charge/uncharge operation that comes after
might not reflect reality.
So I guess we could end up with scenarios where cgroups would not get as many pages as
they should, or maybe more pages than they should.
If this reasoning is accurate, I am leaning towards taking this as a security fix.
--
Oscar Salvador
SUSE Labs
prev parent reply other threads:[~2024-06-14 11:48 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-20 9:48 CVE-2024-36000: mm/hugetlb: fix missing hugetlb_lock for resv uncharge Greg Kroah-Hartman
2024-05-20 15:14 ` Michal Hocko
2024-05-21 19:38 ` Peter Xu
2024-05-23 7:30 ` Michal Hocko
2024-05-23 10:33 ` Oscar Salvador
2024-05-23 13:08 ` Michal Hocko
2024-05-23 15:42 ` Peter Xu
2024-06-14 11:48 ` Oscar Salvador [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZmwuDvvTDpCFGTdi@localhost.localdomain \
--to=osalvador@suse.de \
--cc=OSalvador@suse.com \
--cc=cve@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-cve-announce@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mhocko@suse.com \
--cc=peterx@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.