Received: by 2002:a25:86ce:0:0:0:0:0 with SMTP id y14csp1516568ybm; Thu, 23 May 2019 02:20:21 -0700 (PDT) X-Google-Smtp-Source: APXvYqzl0bY9vXo1qFIhARe0IXns0fdgbUxEjomgNTUmD/d9dvhXpO3IVaVUTx5NFLLubXSo6C2J X-Received: by 2002:a63:c4c:: with SMTP id 12mr26649331pgm.36.1558603221066; Thu, 23 May 2019 02:20:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558603221; cv=none; d=google.com; s=arc-20160816; b=DbvK5WKC8b+75uOtc4Pv7Yoechc8QwIvmokOVoUAmK0jiv7nAiqQoFwEjskthsMqJ9 VXjcZGev5s2RBqS4mISM3SG8DgJZnmciQMFGe/mrA5tlKyEoczIpmsn52QFX23DeLatS tRw/XLH4O58ph6BIDljUclKqmWVNARReayTg/4NxKd+DSPu6++mU2AlA1+UusshlNGha 3dHr2vhZoA335J6P53N2HaL68RC2ZALULV+AXqYo6qFcGfSUAgU6IpkJnSZBU/2WiR+7 /77vKGhn6niARNXh63NKegqaaViUM0pjbL81Q5UjjF+1hM8msQTHwa2tb2Z4BH4PfP3G bC6g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=FCgpZ6qtD6fG3L3f7Rb75Q/A+XfYCIkYxvQ7Yn3QMqA=; b=FLU8SA8PgrSNlplDY6U703ZUJTiDI4Bbg4ZpvtAs5hHFAzoOrVhV2R7ZfswQb7Lol4 xPosLOP7DhHWfcpYSG5S3y1g3m7lYA9eiOx18XBMR0Kh+HZwfs9QsQ5Lh+PlGgcFT0tN NaLJZgZt9XRL3G3jbqiV6rdnkNcYQtZOUJonKYjWEhMybqV5i3zwp6CPDrkABA+1chtl xpZ9EFRJlnoKNai8qlraR2i1e7gbGbcb4Evf8R/uRlvYNE6v20VtLHrNaih/8D33bNQX WuLtWlWn8qCLyZ5S/qMhqcCar6oceZ1vm1Bz4iItXj2H4U/Sv9eLQDrjJDGoeZwTm7DC dKDA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a4si27606769pls.189.2019.05.23.02.20.02; Thu, 23 May 2019 02:20:21 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730233AbfEWJS2 (ORCPT + 99 others); Thu, 23 May 2019 05:18:28 -0400 Received: from aws.guarana.org ([13.237.110.252]:46702 "EHLO aws.guarana.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726230AbfEWJS1 (ORCPT ); Thu, 23 May 2019 05:18:27 -0400 Received: by aws.guarana.org (Postfix, from userid 1006) id 08384A182E; Thu, 23 May 2019 09:18:23 +0000 (UTC) Date: Thu, 23 May 2019 09:18:22 +0000 From: Kevin Easton To: Michal Hocko Cc: Pavel Machek , Greg Kroah-Hartman , linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jiri Kosina , Vlastimil Babka , Josh Snyder , Andy Lutomirski , Dave Chinner , Matthew Wilcox , Cyril Hrubis , Tejun Heo , "Kirill A. Shutemov" , Daniel Gruss , Andrew Morton , Linus Torvalds , Dominique Martinet Subject: Re: [PATCH 4.19 053/105] mm/mincore.c: make mincore() more conservative Message-ID: <20190523091822.GA18121@ip-172-31-14-16> References: <20190520115247.060821231@linuxfoundation.org> <20190520115250.721190520@linuxfoundation.org> <20190522085741.GB8174@amd> <20190522092111.GD32329@dhcp22.suse.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190522092111.GD32329@dhcp22.suse.cz> User-Agent: Mutt/1.11.3 (2019-02-01) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 22, 2019 at 11:21:11AM +0200, Michal Hocko wrote: > On Wed 22-05-19 10:57:41, Pavel Machek wrote: > > Hi! > > > > > commit 134fca9063ad4851de767d1768180e5dede9a881 upstream. > > > > > > The semantics of what mincore() considers to be resident is not > > > completely clear, but Linux has always (since 2.3.52, which is when > > > mincore() was initially done) treated it as "page is available in page > > > cache". > > > > > > That's potentially a problem, as that [in]directly exposes > > > meta-information about pagecache / memory mapping state even about > > > memory not strictly belonging to the process executing the syscall, > > > opening possibilities for sidechannel attacks. > > > > > > Change the semantics of mincore() so that it only reveals pagecache > > > information for non-anonymous mappings that belog to files that the > > > calling process could (if it tried to) successfully open for writing; > > > otherwise we'd be including shared non-exclusive mappings, which > > > > > > - is the sidechannel > > > > > > - is not the usecase for mincore(), as that's primarily used for data, > > > not (shared) text > > > > ... > > > > > @@ -189,8 +205,13 @@ static long do_mincore(unsigned long add > > > vma = find_vma(current->mm, addr); > > > if (!vma || addr < vma->vm_start) > > > return -ENOMEM; > > > - mincore_walk.mm = vma->vm_mm; > > > end = min(vma->vm_end, addr + (pages << PAGE_SHIFT)); > > > + if (!can_do_mincore(vma)) { > > > + unsigned long pages = DIV_ROUND_UP(end - addr, PAGE_SIZE); > > > + memset(vec, 1, pages); > > > + return pages; > > > + } > > > + mincore_walk.mm = vma->vm_mm; > > > err = walk_page_range(addr, end, &mincore_walk); > > > > We normally return errors when we deny permissions; but this one just > > returns success and wrong data. > > > > Could we return -EPERM there? If not, should it at least get a > > comment? > > This was a deliberate decision AFAIR. We cannot return failure because > this could lead to an unexpected userspace failure. We are pretendeing > that those pages are present because that is the safest option - > e.g. consider an application which tries to refault until the page is > present... Yes, in particular several userspace applications I found used mincore() to find out whether a particular range is mapped at all or not, treating any error as "unmapped" and any non-error return as "mapped". - Kevin