Received: by 2002:a25:86ce:0:0:0:0:0 with SMTP id y14csp244485ybm; Wed, 22 May 2019 02:22:39 -0700 (PDT) X-Google-Smtp-Source: APXvYqxl1NE+LgZ6qGldp8PLeNp7udvi7b0qM5cgHhZH8lLkdYPnVDRbTPZ8lH1Kd3rVnTizD4dX X-Received: by 2002:a05:6a00:cc:: with SMTP id e12mr95547141pfj.207.1558516958886; Wed, 22 May 2019 02:22:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558516958; cv=none; d=google.com; s=arc-20160816; b=LczAPzEeL+s474qaNGW0sgy/r432pMsuq9JVOuas8XKlAqqKwLZ0AjLcL1LXveQHNN UqTFXQIe3f44nvzRl9X4E+Vc5ub4a9O64hcruR64xCdoDPDev0NnVJq+JtW/a9A4mcPQ axMVOqMQSA+mUcahcgpPfoIhK2qw1RYHV54PBGEjhSsVxdlc/kfHMBC5IkF9Rbw6+Ii5 1aegxvqAc53awJRXvcaapdtz2pXsjooy2ZtRPAt10YmiRSLu0JlG2ojTmuayctotxNIK EmEff9V2i1GOhxHuKxA8dv00mTUNTI3WhcBoUpttnf742di2UO0j9tqKJGNOPAng5Dpr fr9w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=tZUZ9TfgpucFboEUSTPoGRBypOIG0X11Ou5bvkpAtYE=; b=LqjyX44jHUV65Oy5CBaA1Iu2O5FswLf+iAPfhGNazCRipVYXA7JEZC1KyRhVjqXuDZ ZdBW7kARLhGQ4HSaVRtt8PSnUITUbrCysdxjGTHbWeBjH6vk4pl0jVb4HAQ3+R96u+PM iQovnbF/LTXK1vPgi6teCpde4Ltx0RtcbopAoXBKyCguPZ9VpnSV4OYPfFxRtB9grQK+ 0hHe9gwpBKoEqDoSdEPVWkW9k3kmVerXfiN9JYlaA76gNHYD4b1JYJ3pGvIzKUyWDPrQ MtOiUfWcOD/FBQL4cAl1tpj79z2MxmGorOZ/zurMWS+zBsJZjlJJRa/zxdiu4Ggf65To 3gDA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f33si23057206plf.166.2019.05.22.02.22.23; Wed, 22 May 2019 02:22:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728946AbfEVJVQ (ORCPT + 99 others); Wed, 22 May 2019 05:21:16 -0400 Received: from mx2.suse.de ([195.135.220.15]:49162 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728547AbfEVJVO (ORCPT ); Wed, 22 May 2019 05:21:14 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 0E3CFADEC; Wed, 22 May 2019 09:21:13 +0000 (UTC) Date: Wed, 22 May 2019 11:21:11 +0200 From: Michal Hocko To: Pavel Machek Cc: Greg Kroah-Hartman , linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jiri Kosina , Vlastimil Babka , Josh Snyder , Andy Lutomirski , Dave Chinner , Kevin Easton , Matthew Wilcox , Cyril Hrubis , Tejun Heo , "Kirill A. Shutemov" , Daniel Gruss , Andrew Morton , Linus Torvalds , Dominique Martinet Subject: Re: [PATCH 4.19 053/105] mm/mincore.c: make mincore() more conservative Message-ID: <20190522092111.GD32329@dhcp22.suse.cz> References: <20190520115247.060821231@linuxfoundation.org> <20190520115250.721190520@linuxfoundation.org> <20190522085741.GB8174@amd> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190522085741.GB8174@amd> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed 22-05-19 10:57:41, Pavel Machek wrote: > Hi! > > > commit 134fca9063ad4851de767d1768180e5dede9a881 upstream. > > > > The semantics of what mincore() considers to be resident is not > > completely clear, but Linux has always (since 2.3.52, which is when > > mincore() was initially done) treated it as "page is available in page > > cache". > > > > That's potentially a problem, as that [in]directly exposes > > meta-information about pagecache / memory mapping state even about > > memory not strictly belonging to the process executing the syscall, > > opening possibilities for sidechannel attacks. > > > > Change the semantics of mincore() so that it only reveals pagecache > > information for non-anonymous mappings that belog to files that the > > calling process could (if it tried to) successfully open for writing; > > otherwise we'd be including shared non-exclusive mappings, which > > > > - is the sidechannel > > > > - is not the usecase for mincore(), as that's primarily used for data, > > not (shared) text > > ... > > > @@ -189,8 +205,13 @@ static long do_mincore(unsigned long add > > vma = find_vma(current->mm, addr); > > if (!vma || addr < vma->vm_start) > > return -ENOMEM; > > - mincore_walk.mm = vma->vm_mm; > > end = min(vma->vm_end, addr + (pages << PAGE_SHIFT)); > > + if (!can_do_mincore(vma)) { > > + unsigned long pages = DIV_ROUND_UP(end - addr, PAGE_SIZE); > > + memset(vec, 1, pages); > > + return pages; > > + } > > + mincore_walk.mm = vma->vm_mm; > > err = walk_page_range(addr, end, &mincore_walk); > > We normally return errors when we deny permissions; but this one just > returns success and wrong data. > > Could we return -EPERM there? If not, should it at least get a > comment? This was a deliberate decision AFAIR. We cannot return failure because this could lead to an unexpected userspace failure. We are pretendeing that those pages are present because that is the safest option - e.g. consider an application which tries to refault until the page is present... Worth a comment? Probably yes, care to send a patch? -- Michal Hocko SUSE Labs