From: Sasha Levin
To: Vlastimil Babka
Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Andrea Arcangeli, "Kirill A. Shutemov", Jann Horn, Linus Torvalds, Michal Hocko, Hugh Dickins, Nicolai Stange
Subject: Re: [PATCH 4.9 STABLE] mm, thp: make do_huge_pmd_wp_page() lock page for testing mapcount
Date: Fri, 26 Feb 2021 14:09:52 -0500
Message-ID: <20210226190952.GC473487@sasha-vm>
In-Reply-To: <20210226162200.20548-1-vbabka@suse.cz>
References: <26569718-050f-fc90-e3ac-79edfaae9ac7@suse.cz> <20210226162200.20548-1-vbabka@suse.cz>

On Fri, Feb 26, 2021 at 05:22:00PM +0100, Vlastimil Babka wrote:
>Jann reported [1] a race between __split_huge_pmd_locked() and
>page_trans_huge_map_swapcount() which can result in a page being reused
>instead of COWed. This was later assigned CVE-2020-29368.
>
>This was fixed by commit c444eb564fb1 ("mm: thp: make the THP mapcount atomic
>against __split_huge_pmd_locked()") by doing the split under the page lock,
>while all users of page_trans_huge_map_swapcount() were already also under page
>lock. The fix was also backported to the 4.9 stable series.
>
>When testing the backport on a 4.12 based kernel, Nicolai noticed the POC from
>[1] still reproduces after backporting c444eb564fb1 and identified a missing
>page lock in do_huge_pmd_wp_page() around the call to
>page_trans_huge_mapcount(). The page lock was only added in ba3c4ce6def4 ("mm,
>THP, swap: make reuse_swap_page() works for THP swapped out") in 4.14. The
>commit also wrapped page_trans_huge_mapcount() into
>page_trans_huge_map_swapcount() for the purposes of COW decisions.
>
>I have verified that 4.9.y indeed also reproduces with the POC. Backporting
>ba3c4ce6def4 alone however is not possible as it's part of a larger effort of
>optimizing THP swapping, which would be risky to backport fully.
>
>Therefore this 4.9-stable-only patch just wraps page_trans_huge_mapcount()
>in page_trans_huge_mapcount() under page lock the same way as ba3c4ce6def4
>does, but without the page_trans_huge_map_swapcount() part. Other callers
>of page_trans_huge_mapcount() are all under page lock already. I have verified
>the POC no longer reproduces afterwards.
>
>[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=2045
>
>Reported-by: Nicolai Stange
>Signed-off-by: Vlastimil Babka

Queued up, thanks!

-- 
Thanks,
Sasha
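The race and the fix described in the quoted message, as an added model written for this page (it is not kernel code and not the 4.9 patch itself): a THP mapped by two PMDs after fork() is split while the write-fault path computes the mapcount it uses to decide between reusing the page and copying it. The struct layout, the three numbered split steps, the split_progress counter and the way lock_page() "sleeps" are simplifications chosen here and are assumptions of the model; what makes the window visible is the split's update order (PTE mapcounts, then PG_double_map, then compound_mapcount) and the reader's sampling order (subpage counts first, then the flag and compound count). The splitter runs under its own mm's page-table lock, which the faulting process does not hold, so only the page lock can serialise the two.

```c
/* Added example, not kernel code: a deterministic model of the race between a
 * huge-PMD split and the mapcount check behind the reuse-vs-COW decision.
 * struct page, the step numbers and split_progress are model simplifications. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define HPAGE_PMD_NR 4                  /* model: 4 subpages instead of 512 */

struct page {
	int subpage_mapcount[HPAGE_PMD_NR]; /* PTE mappings per subpage */
	int compound_mapcount;              /* PMD mappings of the whole THP */
	bool double_map;                    /* PG_double_map */
	bool locked;                        /* PG_locked, the page lock */
	int split_progress;                 /* model: split steps done so far */
};

/* A THP mapped by two PMDs: parent and child after fork(). */
static void page_init_shared(struct page *p)
{
	memset(p, 0, sizeof(*p));
	p->compound_mapcount = 2;
}

/* The three visible phases of splitting one PMD mapping of the THP. */
static void split_step(struct page *p, int step)
{
	if (step == 1)                      /* subpages gain PTE mappings */
		for (int i = 0; i < HPAGE_PMD_NR; i++)
			p->subpage_mapcount[i]++;
	if (step == 2 && p->compound_mapcount > 1 && !p->double_map) {
		p->double_map = true;           /* another PMD still maps the THP */
		for (int i = 0; i < HPAGE_PMD_NR; i++)
			p->subpage_mapcount[i]++;
	}
	if (step == 3)                      /* the split PMD mapping is gone */
		p->compound_mapcount--;
}

/* The splitter holds the page lock for the whole split; one step per call. */
static void split_advance(struct page *p)
{
	if (p->split_progress >= 3)
		return;
	if (p->split_progress == 0)
		p->locked = true;               /* lock_page() in the splitter */
	split_step(p, ++p->split_progress);
	if (p->split_progress == 3)
		p->locked = false;              /* unlock_page() in the splitter */
}

/* lock_page() in the fault path; sleeping is modelled by letting the holder run. */
static void lock_page(struct page *p)
{
	while (p->locked)
		split_advance(p);
	p->locked = true;
}

static void unlock_page(struct page *p) { p->locked = false; }

/* Reader: subpage counts first, then flag and compound count, in that order. */
static int sample_subpages(const struct page *p)
{
	int max = 0;
	for (int i = 0; i < HPAGE_PMD_NR; i++)
		if (p->subpage_mapcount[i] > max)
			max = p->subpage_mapcount[i];
	return max;
}

static int finish_mapcount(const struct page *p, int max_subpage)
{
	if (p->double_map)
		max_subpage -= 1;               /* the double-map reference is no mapper */
	return max_subpage + p->compound_mapcount;
}

/* Schedule from the report: the splitter (under the other mm's page-table lock,
 * which the faulting process does not hold) has done step 1 when the reader
 * samples the subpages and finishes before the second sample. A result of 1
 * means "nobody else maps it" and the write fault reuses the page in place. */
static int mapcount_seen(bool fault_takes_page_lock)
{
	struct page p;
	page_init_shared(&p);
	split_advance(&p);                  /* splitter: step 1 done, holds the lock */
	if (fault_takes_page_lock)
		lock_page(&p);                  /* sleeps until the split completes */
	int max_sub = sample_subpages(&p);  /* 1 mid-split, 2 after the split */
	split_advance(&p);                  /* splitter: steps 2 and 3 */
	split_advance(&p);                  /* (no-ops if it already finished) */
	int ret = finish_mapcount(&p, max_sub);
	if (fault_takes_page_lock)
		unlock_page(&p);
	return ret;                         /* 1 unlocked (reuse), 2 locked (COW) */
}

int main(void)
{
	printf("mapcount seen without page lock: %d, with page lock: %d\n",
	       mapcount_seen(false), mapcount_seen(true));
	return 0;
}
```

Compiled on its own, the program reports the mapcount the fault path sees in the racy schedule (1, so it would reuse a page the other process still maps) and the value it sees once the check is done under the page lock (2, so it copies). The locked variant is the shape of the 4.9 patch: a lock_page()/unlock_page() pair around the mapcount test in do_huge_pmd_wp_page(), which either waits for an in-flight split or keeps one from starting until the decision is made.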