Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp6917599imu; Thu, 31 Jan 2019 01:44:52 -0800 (PST) X-Google-Smtp-Source: ALg8bN7O61rCDz2PpCQUbdXVFsKXAPKfxJDeYHXE/uJ5zC9FkofWEZsnd8t3aCo+uY8zaY7ORIUF X-Received: by 2002:a63:e247:: with SMTP id y7mr29403335pgj.84.1548927892300; Thu, 31 Jan 2019 01:44:52 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1548927892; cv=none; d=google.com; s=arc-20160816; b=Q8otMciAQepYH2T9zixBho8Ia2YT4YR2OXV9kqYjk763Cp6TKhMTPM7BN6prsKhLmR qbUjUUM0CCU+3BbVkTugCBG+fqxsdIheBw9lQHY44xsjrV4wV3E22a5X0Q0CLDHsP/KB pS2W2VlJgYlwgBCNpMTbradkMTpWR7+xgsXTZzL73WqhAzh5uPmyU+3W5mF9EpY8qadc K/Q2DSL6YOY1+guRCwjoTkckub60OmdYmWGTzJoTrXdeQNdK+Rb81Qsdx2+FjUgXVelA afQLevDwy8Zf7e0+6wEAM/+0Fzb+TgEtwdhD8C5BxOtkZZHiiJ3wvHIiZuaIEsOyQuh1 IXIA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=OThIg1X1vSpQkzENK4GGU8PIshLPaP693e3SGyYLOEg=; b=mla/Ua4iHlR4LCbZXg3Wy2+zxXb6Oih4iyTAfLn5/u1GdWfLQTdSSwQbNuN9+UWCIQ wREU4R9f0X7HT+JaZ1KYVuLERjixqkkexTXN9iUkjVck7FaxKLrcqPT2up4IXk6uhvgu gRpbYQgW0/YcH3CAJxMeZ76aNcXkEClE1Yy9U103sEO7D+ZLcgu0dVhwJWvkIZR1W/dG BIKTf/5lksdOp2jl2p3D3rrFBeDM3nuoxehdNPVsXgvmYmO4ilq/G23LJiu8ctbYkYVt waYOAqrFupbCXLCeehpi49qImfeSvlY1Z1RSRmoBBzZFXSf3SmnK7ZScEFSul7/AuDGD fvaQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o7si3682996pgg.118.2019.01.31.01.44.36; Thu, 31 Jan 2019 01:44:52 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730742AbfAaJoC (ORCPT + 99 others); Thu, 31 Jan 2019 04:44:02 -0500 Received: from mx2.suse.de ([195.135.220.15]:42318 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725963AbfAaJoC (ORCPT ); Thu, 31 Jan 2019 04:44:02 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id D38F7ACD8; Thu, 31 Jan 2019 09:43:59 +0000 (UTC) Date: Thu, 31 Jan 2019 10:43:57 +0100 From: Michal Hocko To: Vlastimil Babka Cc: Andrew Morton , Linus Torvalds , linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-api@vger.kernel.org, Peter Zijlstra , Greg KH , Jann Horn , Jiri Kosina , Dominique Martinet , Andy Lutomirski , Dave Chinner , Kevin Easton , Matthew Wilcox , Cyril Hrubis , Tejun Heo , "Kirill A . Shutemov" , Daniel Gruss , Jiri Kosina Subject: Re: [PATCH 1/3] mm/mincore: make mincore() more conservative Message-ID: <20190131094357.GQ18811@dhcp22.suse.cz> References: <20190130124420.1834-1-vbabka@suse.cz> <20190130124420.1834-2-vbabka@suse.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190130124420.1834-2-vbabka@suse.cz> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed 30-01-19 13:44:18, Vlastimil Babka wrote: > From: Jiri Kosina > > The semantics of what mincore() considers to be resident is not completely > clear, but Linux has always (since 2.3.52, which is when mincore() was > initially done) treated it as "page is available in page cache". > > That's potentially a problem, as that [in]directly exposes meta-information > about pagecache / memory mapping state even about memory not strictly belonging > to the process executing the syscall, opening possibilities for sidechannel > attacks. > > Change the semantics of mincore() so that it only reveals pagecache information > for non-anonymous mappings that belog to files that the calling process could > (if it tried to) successfully open for writing. I agree that this is a better way than the original 574823bfab82 ("Change mincore() to count "mapped" pages rather than "cached" pages"). One thing is still not clear to me though. Is the new owner/writeable check OK for the Netflix-like usecases? I mean does happycache have appropriate access to the cache data? I have tried to re-read the original thread but couldn't find any confirmation. I nit below > Originally-by: Linus Torvalds > Originally-by: Dominique Martinet > Cc: Dominique Martinet > Cc: Andy Lutomirski > Cc: Dave Chinner > Cc: Kevin Easton > Cc: Matthew Wilcox > Cc: Cyril Hrubis > Cc: Tejun Heo > Cc: Kirill A. Shutemov > Cc: Daniel Gruss > Signed-off-by: Jiri Kosina > Signed-off-by: Vlastimil Babka other than that looks good to me. Acked-by: Michal Hocko If this still doesn't help happycache kind of workloads then we should add a capability check IMO but this looks like a decent foundation to me. > --- > mm/mincore.c | 15 ++++++++++++++- > 1 file changed, 14 insertions(+), 1 deletion(-) > > diff --git a/mm/mincore.c b/mm/mincore.c > index 218099b5ed31..747a4907a3ac 100644 > --- a/mm/mincore.c > +++ b/mm/mincore.c > @@ -169,6 +169,14 @@ static int mincore_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end, > return 0; > } > > +static inline bool can_do_mincore(struct vm_area_struct *vma) > +{ > + return vma_is_anonymous(vma) || > + (vma->vm_file && > + (inode_owner_or_capable(file_inode(vma->vm_file)) > + || inode_permission(file_inode(vma->vm_file), MAY_WRITE) == 0)); > +} This is hard to read. Can we do if (vma_is_anonymous(vma)) return true; if (!vma->vm_file) return false; return inode_owner_or_capable(file_inode(vma->vm_file)) || inode_permission(file_inode(vma->vm_file), MAY_WRITE) == 0; -- Michal Hocko SUSE Labs