Received: by 10.213.65.68 with SMTP id h4csp905889imn; Wed, 14 Mar 2018 03:55:19 -0700 (PDT) X-Google-Smtp-Source: AG47ELt5I6cR0VJsGrus+cTHvY7PqKk5Bwn6+oIERGvN4B9vwCZwtFRG6nKp2vALZeNX5oEOBoyY X-Received: by 10.99.109.198 with SMTP id i189mr3319328pgc.328.1521024919078; Wed, 14 Mar 2018 03:55:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1521024919; cv=none; d=google.com; s=arc-20160816; b=ntSwbFdvOWRjAiABPM7oIKlUX3JJGC2mORzq1W1j6dQYc8+a1xWxdAg6ey/sV8Sk3B 6TV7Atu3Fuk1LhGIwUnrDUtrJmSKjTAZb8Y8im47kp88JBbVX76Bw0kveK2u0BvVdz05 ZVsFidn3b+WYNw/2WVD6ADJrDjPyZcitaFqglS8Hroozb6Ccjd/BtTOMf3nM78ugD2Py Ppqx7fDfdBplFEcOsKZq+2wQBKuJ8EVu12p+K3jn25Q5JgdOmaNM502jvh9yQHMFRUV1 aCcuGa+/SxiGY03qKWJyc2jqNNdqc9PRNrXAI959foVXnSLAYqQH9zihBXPMr8iynhDo FcLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=cteOaz4APZ8DIriCzv1+w1hkaeQcxU7G+LfswOXW6h0=; b=PqkSCK+u2CWfIFJj/cKwY+Jutr/bAq8rI+xUO3nbce2l/QIIrTPS8HM00d8z8TRFep oIB/7qrXhi4fLZtKsQ4Xqf/5buJq3hietwmib1S2MVv2E5Fo8KeDc8ul1vnnIRVGDuYC 9fl0ulhYGTCSVXAE5fmc/i67MUsqbr9r1Wn5NGeFxadqR24yw6SWz+Qqk/sChqBu87wp +Y0Ix7J1AXhZ7bPAhknfyKfW+YC87kVTZb49VNebGAqwPiAed7wn6pqapLBIF13Zj1yP QZroyP5EdcLiqXIMKNYad8f1EL4RVFCAM1gnp+qtZ2BEK3dsUd+oCpwh+brjzwwd9J4N f3GA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d2-v6si1747669pln.115.2018.03.14.03.55.04; Wed, 14 Mar 2018 03:55:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751624AbeCNKxu (ORCPT + 99 others); Wed, 14 Mar 2018 06:53:50 -0400 Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:50600 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751005AbeCNKxt (ORCPT ); Wed, 14 Mar 2018 06:53:49 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id BC2CC15AB; Wed, 14 Mar 2018 03:53:48 -0700 (PDT) Received: from lakrids.cambridge.arm.com (usa-sjc-imap-foss1.foss.arm.com [10.72.51.249]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 1A07E3F53D; Wed, 14 Mar 2018 03:53:45 -0700 (PDT) Date: Wed, 14 Mar 2018 10:53:43 +0000 From: Mark Rutland To: Chintan Pandya Cc: catalin.marinas@arm.com, will.deacon@arm.com, arnd@arndb.de, ard.biesheuvel@linaro.org, marc.zyngier@arm.com, james.morse@arm.com, kristina.martsenko@arm.com, takahiro.akashi@linaro.org, gregkh@linuxfoundation.org, tglx@linutronix.de, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, akpm@linux-foundation.org, toshi.kani@hpe.com Subject: Re: [PATCH v1 3/4] arm64: Fix the page leak in pud/pmd_set_huge Message-ID: <20180314105343.nxw2mwkm4pao3hur@lakrids.cambridge.arm.com> References: <1521017305-28518-1-git-send-email-cpandya@codeaurora.org> <1521017305-28518-4-git-send-email-cpandya@codeaurora.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1521017305-28518-4-git-send-email-cpandya@codeaurora.org> User-Agent: NeoMutt/20170113 (1.7.2) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Mar 14, 2018 at 02:18:24PM +0530, Chintan Pandya wrote: > While setting huge page, we need to take care of > previously existing next level mapping. Since, > we are going to overrite previous mapping, the > only reference to next level page table will get > lost and the next level page table will be zombie, > occupying space forever. So, free it before > overriding. > @@ -939,6 +940,9 @@ int pud_set_huge(pud_t *pudp, phys_addr_t phys, pgprot_t prot) > return 0; > > BUG_ON(phys & ~PUD_MASK); > + if (pud_val(*pud) && !pud_huge(*pud)) > + free_page((unsigned long)__va(pud_val(*pud))); > + > set_pud(pudp, pfn_pud(__phys_to_pfn(phys), sect_prot)); > return 1; > } > @@ -953,6 +957,9 @@ int pmd_set_huge(pmd_t *pmdp, phys_addr_t phys, pgprot_t prot) > return 0; > > BUG_ON(phys & ~PMD_MASK); > + if (pmd_val(*pmd) && !pmd_huge(*pmd)) > + free_page((unsigned long)__va(pmd_val(*pmd))); > + As Marc noted, (assuming the subsequent revert is applied) in both of these cases, these tables are still live, and thus it is not safe to free them. Consider that immediately after freeing the pages, they may get re-allocated elsewhere, where they may be modified. If this happens before TLB invalidation, page table walks may allocate junk into TLBs, resulting in a number of problems. It is *never* safe to free a live page table, therefore NAK to this patch. Thanks, Mark.