From: Linus Torvalds
Date: Tue, 16 Apr 2019 21:13:17 -0700
Subject: Re: Linux 5.1-rc5
To: Michael Ellerman
Cc: Christoph Hellwig, Linux List Kernel Mailing, linuxppc-dev@lists.ozlabs.org, Martin Schwidefsky, linux-s390, Nicholas Piggin, "Aneesh Kumar K.V", Paul Mackerras
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Apr 16, 2019 at 8:38 PM Michael Ellerman wrote:
>
> > That said, powerpc and s390 should at least look at maybe adding a
> > check for the page ref in their gup paths too. Powerpc has the special
> > gup_hugepte() case
>
> Which uses page_cache_add_speculative(), which handles the case of the
> refcount being zero but not overflow. So that looks like it needs
> fixing.

Note that unlike the zero check, the "too many refs" check does _not_
need to be atomic.

Because it's not a correctness issue right at some magical exact
point, it's a much more ambiguous "the refcount is now so large that
I'm not going to do GUP on this page any more". Being off by a number
of pages in case there's a race is just fine.

So you could do something like this (TOTALLY UNTESTED, and
whitespace-damaged on purpose - I don't want you to apply it blindly)
appended patch.

> And we have a few uses of bare get_page() in KVM code which might be
> subject to the same attack.

Note that you really have to have not just a get_page(), but some way
of lining up *billions* of them. Which really tends to be pretty hard.

            Linus

---- diff --git a/arch/powerpc/mm/hugetlbpage.c b/arch/powerpc/mm/hugetlbpage.c index 9e732bb2c84a..52db7ff7c756 100644 --- a/arch/powerpc/mm/hugetlbpage.c +++ b/arch/powerpc/mm/hugetlbpage.c
@@ -523,7 +523,8 @@ struct page *follow_huge_pd(struct vm_area_struct *vma, page = pte_page(*ptep); page += ((address & mask) >> PAGE_SHIFT); if (flags & FOLL_GET) - get_page(page); + if (!try_get_page(page)) + page = NULL; } else { if (is_hugetlb_entry_migration(*ptep)) { spin_unlock(ptl); @@ -883,6 +884,8 @@ int gup_hugepte(pte_t *ptep, unsigned long sz, unsigned long addr, refs = 0; head = pte_page(pte); + if (page_ref_count(head) < 0) + return 0; page = head + ((addr & (sz-1)) >> PAGE_SHIFT); do {
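
Review bot: in the follow_huge_pd() hunk, the outer "if (flags & FOLL_GET)" now has a two-line nested if as its body and should get braces, so it reads unambiguously next to the "} else {" that follows. A failed try_get_page() is also reported only as "page = NULL"; a one-line comment saying that NULL here means the reference was refused would help anyone reading the callers of this path.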
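
Review bot: the new "if (page_ref_count(head) < 0) return 0;" in gup_hugepte() needs a comment saying that a negative count is treated as overflow and that the read is deliberately not atomic with the reference taken afterwards, as the message explains; without it the check looks like a racy bug to the next reader. It is also worth stating why this hunk open-codes a sign test while the follow_huge_pd() hunk calls try_get_page(), so the two paths are not "unified" later by mistake.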
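
A userspace C model of the atomicity point made in the message, added here as an example; it is not part of the original message and is not kernel code. The names page_model, get_unless_zero(), passes_limit_check(), racing_gets() and refs_until_zero() are hypothetical, and the count is assumed to be a 32-bit signed integer. It runs the worst-case race on the non-atomic limit check and reports how far the count still is from wrapping to zero.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct page_model { atomic_int refs; };   /* userspace model: 32-bit signed count */

/* Zero check: test and increment are one atomic step (compare-and-swap loop). */
static bool get_unless_zero(struct page_model *p)
{
    int old = atomic_load(&p->refs);
    while (old != 0)
        if (atomic_compare_exchange_weak(&p->refs, &old, (int)((unsigned)old + 1u)))
            return true;
    return false;
}

/* "Too many refs" check, same test as the gup_hugepte() hunk: a plain read. */
static bool passes_limit_check(struct page_model *p)
{
    return atomic_load(&p->refs) >= 0;
}

/* Worst-case race: all n callers pass the check before any of them increments. */
static int racing_gets(struct page_model *p, int n)
{
    int passed = 0;
    for (int i = 0; i < n; i++)
        passed += passes_limit_check(p);
    for (int i = 0; i < passed; i++)
        atomic_fetch_add(&p->refs, 1);   /* atomic signed add wraps, no UB */
    return passed;
}

/* Increments still needed before the 32-bit count wraps around to 0. */
static unsigned refs_until_zero(struct page_model *p)
{
    return 0u - (unsigned)atomic_load(&p->refs);
}

int main(void)
{
    struct page_model p;
    atomic_init(&p.refs, INT_MAX - 2);   /* constructed: just under the limit */
    printf("granted=%d ", racing_gets(&p, 8));
    printf("count=%d to_zero=%u ", atomic_load(&p.refs), refs_until_zero(&p));
    printf("limit=%d zero_only=%d\n", passes_limit_check(&p), get_unless_zero(&p));
    return 0;
}
```

All eight racers slip past the limit check, yet the count ends only five past the sign boundary with roughly 2^31 increments left before zero, while the zero-only check still grants a reference on the overflowed count.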