From: Jann Horn
Date: Tue, 10 Mar 2020 19:08:28 +0100
Subject: interaction of MADV_PAGEOUT with CoW anonymous mappings?
To: Minchan Kim
Cc: Michal Hocko, Linux-MM, kernel list, Daniel Colascione, Dave Hansen, "Joel Fernandes (Google)"
List-ID: linux-kernel@vger.kernel.org

Hi!

From looking at the source code, it looks to me as if using MADV_PAGEOUT on a CoW anonymous mapping will page out the page if possible, even if other processes still have the same page mapped. Is that correct?

If so, that's probably bad in environments where many processes (with different privileges) are forked from a single zygote process (like Android and Chrome), I think? If you accidentally call it on a CoW anonymous mapping with shared pages, you'll degrade the performance of other processes. And if an attacker does it intentionally, they could use that to aid with exploiting race conditions or weird microarchitectural stuff (e.g. the new https://lviattack.eu/lvi.pdf talks about "the assumption that attackers can provoke page faults or microcode assists for (arbitrary) load operations in the victim domain").

Should madvise_cold_or_pageout_pte_range() maybe refuse to operate on pages with mapcount>1, or something like that? Or does it already do that, and I just missed the check?
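The question above is answerable empirically from user space: map one anonymous page, fork so it becomes a CoW page shared by two processes, have the child call madvise(MADV_PAGEOUT) on its mapping, and then let the parent (which never asked for anything) check with mincore() whether its copy is still resident. The probe below is an added example written for this page; it is not part of the mail, of the kernel, or of any tool the thread mentions. It assumes the Linux value 21 for MADV_PAGEOUT when the libc headers predate it, and it can only observe an eviction on a kernel that has swap available for anonymous pages; without swap the page stays resident regardless of what the kernel decides, and on a kernel older than 5.4 the advice is rejected with EINVAL, which the probe reports as unsupported. The enum names and function names are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>

/* MADV_PAGEOUT is a Linux 5.4+ advice value; older libc headers may lack it.
   Assumed value 21, matching the kernel's uapi definition. */
#ifndef MADV_PAGEOUT
#define MADV_PAGEOUT 21
#endif

enum cow_pageout_result {
    COW_PAGEOUT_ERROR = -2,          /* mmap/fork/mincore failed */
    COW_PAGEOUT_UNSUPPORTED = -1,    /* kernel rejected MADV_PAGEOUT (EINVAL) */
    COW_PAGEOUT_STILL_RESIDENT = 0,  /* the sibling's advice did not evict our page */
    COW_PAGEOUT_EVICTED = 1,         /* our page is gone although we never asked for it */
};

/* 1 if the page containing addr is resident in RAM, 0 if not, -1 on error.
   mincore() reports residency without faulting the page back in. */
int page_resident(const void *addr)
{
    unsigned char vec = 0;
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    if (mincore((void *)addr, pg, &vec) != 0)
        return -1;
    return (vec & 1) ? 1 : 0;
}

/* Map one anonymous page, fork, let the child page it out, then report
   whether the parent's mapping of the same CoW page survived. */
int probe_cow_pageout(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *p = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return COW_PAGEOUT_ERROR;

    memset(p, 0x41, pg);            /* fault the page in before forking */
    if (page_resident(p) != 1) {
        munmap(p, pg);
        return COW_PAGEOUT_ERROR;
    }

    pid_t child = fork();
    if (child < 0) {
        munmap(p, pg);
        return COW_PAGEOUT_ERROR;
    }
    if (child == 0) {
        /* Child: after fork the page is CoW-shared with the parent (mapcount 2).
           It never writes to the page, so no private copy is made; it only
           advises the kernel about its own mapping. */
        int rc = madvise(p, pg, MADV_PAGEOUT);
        _exit(rc == 0 ? 0 : (errno == EINVAL ? 2 : 1));
    }

    int status = 0;
    if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status)) {
        munmap(p, pg);
        return COW_PAGEOUT_ERROR;
    }
    if (WEXITSTATUS(status) != 0) {
        munmap(p, pg);
        return WEXITSTATUS(status) == 2 ? COW_PAGEOUT_UNSUPPORTED
                                         : COW_PAGEOUT_ERROR;
    }

    /* Parent: never called madvise, so any eviction here came from the child. */
    int r = page_resident(p);
    munmap(p, pg);
    if (r < 0)
        return COW_PAGEOUT_ERROR;
    return r ? COW_PAGEOUT_STILL_RESIDENT : COW_PAGEOUT_EVICTED;
}

int main(void)
{
    static const char *const names[] = {
        "error (mmap/fork/mincore failed)",
        "unsupported (kernel rejected MADV_PAGEOUT)",
        "still resident (parent's page untouched, or no swap to page out to)",
        "evicted (child's MADV_PAGEOUT reached the parent's shared CoW page)",
    };
    int r = probe_cow_pageout();
    printf("cow pageout probe: %s\n", names[r - COW_PAGEOUT_ERROR]);
    return 0;
}
```

Run it on a machine with swap enabled to get a meaningful answer; "still resident" on a swapless box says nothing about the kernel's mapcount handling, only that there was nowhere to page the memory out to.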