From: Greg KH <gregkh@linuxfoundation.org>
To: David Hildenbrand <david@redhat.com>
Cc: stable@vger.kernel.org, xingwei lee <xrivendell7@gmail.com>,
yue sun <samsun1006219@gmail.com>,
Miklos Szeredi <miklos@szeredi.hu>,
Miklos Szeredi <mszeredi@redhat.com>,
Mike Rapoport <rppt@kernel.org>,
Lorenzo Stoakes <lstoakes@gmail.com>
Subject: Re: [PATCH 6.1.y] mm/secretmem: fix GUP-fast succeeding on secretmem folios
Date: Mon, 8 Apr 2024 13:27:26 +0200
Message-ID: <2024040816-hunting-trapezoid-c87e@gregkh>
In-Reply-To: <05c72609-06ed-43bd-94a1-e32788cf5654@redhat.com>
On Mon, Apr 08, 2024 at 12:39:51PM +0200, David Hildenbrand wrote:
> On 08.04.24 12:34, David Hildenbrand wrote:
> > folio_is_secretmem() currently relies on secretmem folios being LRU
> > folios, to save some cycles.
> >
> > However, folios might reside in a folio batch without the LRU flag set, or
> > temporarily have their LRU flag cleared. Consequently, the LRU flag is
> > unreliable for this purpose.
> >
> > In particular, this is the case when secretmem_fault() allocates a fresh
> > page and calls filemap_add_folio()->folio_add_lru(). The folio might be
> > added to the per-cpu folio batch and won't get the LRU flag set until the
> > batch was drained using e.g., lru_add_drain().
> >
> > Consequently, folio_is_secretmem() might not detect secretmem folios and
> > GUP-fast can succeed in grabbing a secretmem folio, crashing the kernel
> > when we would later try reading/writing to the folio, because the folio
> > has been unmapped from the directmap.
> >
> > Fix it by removing that unreliable check.
> >
> > Link: https://lkml.kernel.org/r/20240326143210.291116-2-david@redhat.com
> > Fixes: 1507f51255c9 ("mm: introduce memfd_secret system call to create "secret" memory areas")
> > Signed-off-by: David Hildenbrand <david@redhat.com>
> > Reported-by: xingwei lee <xrivendell7@gmail.com>
> > Reported-by: yue sun <samsun1006219@gmail.com>
> > Closes: https://lore.kernel.org/lkml/CABOYnLyevJeravW=QrH0JUPYEcDN160aZFb7kwndm-J2rmz0HQ@mail.gmail.com/
> > Debugged-by: Miklos Szeredi <miklos@szeredi.hu>
> > Tested-by: Miklos Szeredi <mszeredi@redhat.com>
> > Reviewed-by: Mike Rapoport (IBM) <rppt@kernel.org>
> > Cc: Lorenzo Stoakes <lstoakes@gmail.com>
> > Cc: <stable@vger.kernel.org>
> > Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> > (cherry picked from commit 65291dcfcf8936e1b23cfd7718fdfde7cfaf7706)
>
> Forgot to add when cherry-picking
>
> Signed-off-by: David Hildenbrand <david@redhat.com>
Now queued up, thanks.
greg k-h
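As an added userspace model of the failure the quoted commit message describes (this is an illustration, not the kernel's code or this patch's diff): a folio parked in the per-cpu batch by folio_add_lru() carries no LRU flag until lru_add_drain() runs, so a folio_is_secretmem() gated on that flag misses a freshly faulted secretmem folio, while the mapping-only check after the fix does not. The struct names mirror the kernel's, but they are simplified stand-ins, and the `is_secretmem` field replaces the kernel's a_ops comparison.

```c
#include <stdbool.h>
#include <stddef.h>
#define PG_LRU   (1u << 0)
#define PG_LARGE (1u << 1)
#define BATCH_MAX 15
struct address_space { bool is_secretmem; };
struct folio { unsigned int flags; struct address_space *mapping; };
struct folio_batch { struct folio *items[BATCH_MAX]; size_t nr; };
static struct address_space secretmem_aops = { .is_secretmem = true };
static struct folio_batch lru_add_batch; /* stands in for the per-cpu batch */
static struct folio demo_folio;          /* constructed sample folio */

/* Draining the batch is the only place PG_LRU gets set. */
static void lru_add_drain(void)
{
	for (size_t i = 0; i < lru_add_batch.nr; i++)
		lru_add_batch.items[i]->flags |= PG_LRU;
	lru_add_batch.nr = 0;
}

/* folio_add_lru(): park the folio; it is not "LRU" until a drain. */
static void folio_add_lru(struct folio *folio)
{
	if (lru_add_batch.nr == BATCH_MAX)
		lru_add_drain();
	lru_add_batch.items[lru_add_batch.nr++] = folio;
}

/* Pre-fix shape: the LRU flag gates the mapping check. */
static bool folio_is_secretmem_before(const struct folio *folio)
{
	if ((folio->flags & PG_LARGE) || !(folio->flags & PG_LRU))
		return false;
	return folio->mapping && folio->mapping->is_secretmem;
}

/* Post-fix shape: only the large-folio shortcut remains. */
static bool folio_is_secretmem_after(const struct folio *folio)
{
	if (folio->flags & PG_LARGE)
		return false;
	return folio->mapping && folio->mapping->is_secretmem;
}

/* Models secretmem_fault(): fresh folio into the page cache and LRU batch. */
static void secretmem_fault(struct folio *folio)
{
	folio->flags = 0;
	folio->mapping = &secretmem_aops;
	folio_add_lru(folio);
}
```

Between secretmem_fault() and the drain, the pre-fix check returns false for a secretmem folio, which is the window in which GUP-fast could pin it.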