* [PATCH v2 1/3] mm/secretmem: fix GUP-fast succeeding on secretmem folios
From: David Hildenbrand @ 2024-03-26 14:32 UTC
To: linux-kernel
Cc: linux-mm, David Hildenbrand, Andrew Morton, Mike Rapoport, Miklos Szeredi, Lorenzo Stoakes, xingwei lee, yue sun, Miklos Szeredi, stable

folio_is_secretmem() currently relies on secretmem folios being LRU folios, to save some cycles.

However, folios might reside in a folio batch without the LRU flag set, or temporarily have their LRU flag cleared. Consequently, the LRU flag is unreliable for this purpose.

In particular, this is the case when secretmem_fault() allocates a fresh page and calls filemap_add_folio()->folio_add_lru(). The folio might be added to the per-cpu folio batch and won't get the LRU flag set until the batch is drained using, e.g., lru_add_drain().

Consequently, folio_is_secretmem() might not detect secretmem folios and GUP-fast can succeed in grabbing a secretmem folio, crashing the kernel when we would later try reading/writing to the folio, because the folio has been unmapped from the directmap.

Fix it by removing that unreliable check.

Reported-by: xingwei lee <xrivendell7@gmail.com>
Reported-by: yue sun <samsun1006219@gmail.com>
Closes: https://lore.kernel.org/lkml/CABOYnLyevJeravW=QrH0JUPYEcDN160aZFb7kwndm-J2rmz0HQ@mail.gmail.com/
Debugged-by: Miklos Szeredi <miklos@szeredi.hu>
Tested-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 1507f51255c9 ("mm: introduce memfd_secret system call to create "secret" memory areas")
Cc: <stable@vger.kernel.org>
Signed-off-by: David Hildenbrand <david@redhat.com>
---
 include/linux/secretmem.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/secretmem.h b/include/linux/secretmem.h
index 35f3a4a8ceb1..acf7e1a3f3de 100644
--- a/include/linux/secretmem.h +++ b/include/linux/secretmem.h @@ -13,10 +13,10 @@ static inline bool folio_is_secretmem(struct folio *folio) /* * Using folio_mapping() is quite slow because of the actual call * instruction. - * We know that secretmem pages are not compound and LRU so we can + * We know that secretmem pages are not compound, so we can * save a couple of cycles here. */ - if (folio_test_large(folio) || !folio_test_lru(folio)) + if (folio_test_large(folio)) return false; mapping = (struct address_space *) -- 2.43.2 ^ permalink raw reply related [flat|nested] 2+ messages in thread
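Review bot: the rewritten comment in folio_is_secretmem() drops the "and LRU" wording but does not say why, so nothing stops a later reader from re-adding the folio_test_lru() shortcut; since the commit message's whole point is that the LRU flag is unreliable for a freshly faulted folio still sitting in the per-cpu folio batch (filemap_add_folio()->folio_add_lru() before lru_add_drain()), consider carrying that reason into the comment, e.g.
 * We know that secretmem pages are not compound, so we can
 * save a couple of cycles here. Do not test the LRU flag: a freshly
 * faulted folio may still sit in a per-cpu batch without it.
The remaining folio_test_large() fast path is consistent with the commit message's statement that secretmem folios are never compound, and the Fixes:/Cc: stable trailers are appropriate for a bug the commit message describes as crashing the kernel.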
* Re: [PATCH v2 1/3] mm/secretmem: fix GUP-fast succeeding on secretmem folios
From: Mike Rapoport @ 2024-03-26 14:56 UTC
To: David Hildenbrand
Cc: linux-kernel, linux-mm, Andrew Morton, Miklos Szeredi, Lorenzo Stoakes, xingwei lee, yue sun, Miklos Szeredi, stable

On Tue, Mar 26, 2024 at 03:32:08PM +0100, David Hildenbrand wrote:
> folio_is_secretmem() currently relies on secretmem folios being LRU folios,
> to save some cycles.
>
> However, folios might reside in a folio batch without the LRU flag set, or
> temporarily have their LRU flag cleared. Consequently, the LRU flag is
> unreliable for this purpose.
>
> In particular, this is the case when secretmem_fault() allocates a
> fresh page and calls filemap_add_folio()->folio_add_lru(). The folio might
> be added to the per-cpu folio batch and won't get the LRU flag set until
> the batch is drained using, e.g., lru_add_drain().
>
> Consequently, folio_is_secretmem() might not detect secretmem folios
> and GUP-fast can succeed in grabbing a secretmem folio, crashing the
> kernel when we would later try reading/writing to the folio, because
> the folio has been unmapped from the directmap.
>
> Fix it by removing that unreliable check.
>
> Reported-by: xingwei lee <xrivendell7@gmail.com>
> Reported-by: yue sun <samsun1006219@gmail.com>
> Closes: https://lore.kernel.org/lkml/CABOYnLyevJeravW=QrH0JUPYEcDN160aZFb7kwndm-J2rmz0HQ@mail.gmail.com/
> Debugged-by: Miklos Szeredi <miklos@szeredi.hu>
> Tested-by: Miklos Szeredi <mszeredi@redhat.com>
> Fixes: 1507f51255c9 ("mm: introduce memfd_secret system call to create "secret" memory areas")
> Cc: <stable@vger.kernel.org>
> Signed-off-by: David Hildenbrand <david@redhat.com> Reviewed-by: Mike Rapoport (IBM) <rppt@kernel.org> > --- > include/linux/secretmem.h | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/include/linux/secretmem.h b/include/linux/secretmem.h > index 35f3a4a8ceb1..acf7e1a3f3de 100644 > --- a/include/linux/secretmem.h > +++ b/include/linux/secretmem.h > @@ -13,10 +13,10 @@ static inline bool folio_is_secretmem(struct folio *folio) > /* > * Using folio_mapping() is quite slow because of the actual call > * instruction. > - * We know that secretmem pages are not compound and LRU so we can > + * We know that secretmem pages are not compound, so we can > * save a couple of cycles here. > */ > - if (folio_test_large(folio) || !folio_test_lru(folio)) > + if (folio_test_large(folio)) > return false; > > mapping = (struct address_space *) > -- > 2.43.2 > -- Sincerely yours, Mike. ^ permalink raw reply [flat|nested] 2+ messages in thread