Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp988010ybh; Tue, 10 Mar 2020 12:13:01 -0700 (PDT) X-Google-Smtp-Source: ADFU+vtk+wKbWJBYQnWmeN8ZNTIfYVTeJYd4Xj5RqqFkDVnsveF0icBiEriHDNWhRs8GOAAJbdAM X-Received: by 2002:a05:6808:244:: with SMTP id m4mr2304130oie.125.1583867581357; Tue, 10 Mar 2020 12:13:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1583867581; cv=none; d=google.com; s=arc-20160816; b=Zw0hoF7QaNBnHIoanMyi08RAFqooMtvTmDKEh3FBYPc1AE15cp2jD2Pox/9k2ArYuS hmXRD0FOjfg5Re4CzIrFhAIqsY/hJx0h7BASvZjTVR6zMOZ+S6Pt5ZieZuYHeJu9fz56 o2pM2rAn0H7TQc1nbvcalU2gRLXJ4zWp3EBJQrPkSOQoSHiysC7MUQti8DNpyE7AOW5M bn8tW7cxLjroakg3Vi1Wlq50NhgLX0G0F0hJ59mVDnW/22DqSbP9i+4NU/rLObkgI6Ln 2qm0Rw5W57ebYVHFjfn7cyacMpjahm3UDPVyZev2DB6tkmdmESSKzRjQqtYX6LAEQAZQ jVwA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=5f/ZIdPcYSXzyxew8zIk4AJ4DOH6Pen1hOIrk5wOGuM=; b=JgIr2xsqjZCBdctQ1LjzLC800rg1p4X395GYZz2UojDPM95S9t6WQdIxmaxDDwIbPB mi/dVbvepfAi9PPFsjk1KoCDiwtshejrpuLGxzVRUKAM2bJKU2noK3rigJPpnID3H7mV Nmoz90G/zYQ7pxwZGMIkOrxKzOVH2t9r6YnT0vt1sdsHtmiBn3j0bg29p/IiEuVWvdpi yOlB5pttp4onwMI0kNRDR4VEoLSzTz/GbaW2RDo/f0zxDspOVDGmYuB0Mnd9om1Ntuf7 xd/JIgD/pCuDPVuhfxOCa/wwwcT7CwQZeW3tp+PUn2xFo2G7qebSFgPmSxR+CTXHTjP7 JRlA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=J0WefFmT; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p21si5531581oic.178.2020.03.10.12.12.48; Tue, 10 Mar 2020 12:13:01 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=J0WefFmT; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726729AbgCJTMN (ORCPT + 99 others); Tue, 10 Mar 2020 15:12:13 -0400 Received: from mail-ot1-f53.google.com ([209.85.210.53]:38762 "EHLO mail-ot1-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726466AbgCJTMM (ORCPT ); Tue, 10 Mar 2020 15:12:12 -0400 Received: by mail-ot1-f53.google.com with SMTP id i14so14315570otp.5 for ; Tue, 10 Mar 2020 12:12:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5f/ZIdPcYSXzyxew8zIk4AJ4DOH6Pen1hOIrk5wOGuM=; b=J0WefFmTNOhOFZfuP45RhnlFcgePPbh0WTKAXHMYkK6WpB792ZvmtCF0IY9fwLL+D9 JYJva+8s2L8brQt+mP0QlFI7Ubx3EtJuWV5oTHXRO+WY28LuJwAyn/8SxV+0Qyy7CD76 /aczONR6PbSmyO4Jpl0ndluwcRjeuPxynXS2PAiNIKnzmcG8zQ+rRLwuSK3v7H/42U7s 3gBiwksatm7XW6OgKd+S9mlSz2ZH4IjWEd7jU44IaTUcLYGy0AfPrWXWEqjPK8Ug+Ff/ 4HY4RTJ54vfJgBDg9xuGCcljL/Sz5iU602XYFQ1/oJw+1pqY892w0lM1AOzT3wGCOwp6 gkvA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5f/ZIdPcYSXzyxew8zIk4AJ4DOH6Pen1hOIrk5wOGuM=; b=hU2TL1EYilFCEZJVVYUMeBvX7nhHoOBlbaQUVgoB+EpYfxaCBd/lmWCzZbVMiv+Etc S6PsdNrgyAOlic2qao9TkMvfe7TklmNxiPN1ljstptfC9DBrinXAdcIZk/b2gdY+Q30Z DrxuTO+xMGzsXFKYEWcWNqpKAt/nlOmKDM379ZG2m4/gbSw0rG/ff2sx9SYv0ltJ+w3y q+6Y4+nCRUTnL5py9uZ9Sp0oq09vQs4ijfxdgQ5/QqHCDwmtKXRxoqztuGIJz8tBnuTc ci+KgfN0Jv/Wbb4CdtpxlOJuNjffK9nG4RAy7UQhd5VHB0ibVABV9c4QlJU8UUaX8meH gBDQ== X-Gm-Message-State: ANhLgQ3c5WSFW67CdJNdG94VCqIDE9pWUCxBRImQaC0mzCEHGqEuji8H QRlZT1G9V1g+zOlUfs9dMMtXfGNl7CmU3zgAzDMDgQ== X-Received: by 2002:a05:6830:1d6e:: with SMTP id l14mr17635080oti.32.1583867531366; Tue, 10 Mar 2020 12:12:11 -0700 (PDT) MIME-Version: 1.0 References: <20200310184814.GA8447@dhcp22.suse.cz> In-Reply-To: <20200310184814.GA8447@dhcp22.suse.cz> From: Jann Horn Date: Tue, 10 Mar 2020 20:11:45 +0100 Message-ID: Subject: Re: interaction of MADV_PAGEOUT with CoW anonymous mappings? To: Michal Hocko Cc: Minchan Kim , Linux-MM , kernel list , Daniel Colascione , Dave Hansen , "Joel Fernandes (Google)" Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Mar 10, 2020 at 7:48 PM Michal Hocko wrote: > On Tue 10-03-20 19:08:28, Jann Horn wrote: > > Hi! > > > > >From looking at the source code, it looks to me as if using > > MADV_PAGEOUT on a CoW anonymous mapping will page out the page if > > possible, even if other processes still have the same page mapped. Is > > that correct? > > > > If so, that's probably bad in environments where many processes (with > > different privileges) are forked from a single zygote process (like > > Android and Chrome), I think? If you accidentally call it on a CoW > > anonymous mapping with shared pages, you'll degrade the performance of > > other processes. And if an attacker does it intentionally, they could > > use that to aid with exploiting race conditions or weird > > microarchitectural stuff (e.g. the new https://lviattack.eu/lvi.pdf > > talks about "the assumption that attackers can provoke page faults or > > microcode assists for (arbitrary) load operations in the victim > > domain"). > > > > Should madvise_cold_or_pageout_pte_range() maybe refuse to operate on > > pages with mapcount>1, or something like that? Or does it already do > > that, and I just missed the check? > > I have brought up side channel attacks earlier [1] but only in the > context of shared page cache pages. I didn't really consider shared > anonymous pages to be a real problem. I was under impression that CoW > pages shouldn't be a real problem because any security sensible > applications shouldn't allow untrusted code to be forked and CoW > anything really important. I believe we have made this assumption > in other places - IIRC on gup with FOLL_FORCE but I admit I have > very happily forgot most details. Android has a "zygote" process that starts up the whole Java environment with a bunch of libraries before entering into a loop that fork()s off a child every time the user wants to launch an app. So all the apps, and even browser renderer processes, on the device share many CoW VMAs. See . I think Chrome on Linux desktop systems also forks off renderers from a common zygote process after initializing libraries and so on. See . (But they use a relatively strict seccomp sandbox that e.g. doesn't permit MADV_PAGEOUT.)