Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp5394023pxu; Tue, 22 Dec 2020 16:23:19 -0800 (PST) X-Google-Smtp-Source: ABdhPJxjRLgVom/5J0c/MSQZMMJ+NvCBTuazL3htE0csvYR74/MRENi8EQbfle/MHjz97Ttz7VK1 X-Received: by 2002:aa7:dcd0:: with SMTP id w16mr22692890edu.229.1608682999316; Tue, 22 Dec 2020 16:23:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1608682999; cv=none; d=google.com; s=arc-20160816; b=kyFLGM4UKysoEdK7YBTr36fe531bPojqPjJsbAHj/rY/vRiT6Jyfa3KnktuKS+/i9E bAxoSEFMsbtIBVCwZeBdLziMtgqI0AmnjLKOYOFbgPB+dwgNgjXgTIrKy+t2yX326Tec yAVM+6GvdTWf+0gmxOMuZgTNFhp+F6iDJcn9w/rNoIKEwxgoorBNWipkuUUet2Xtdt2G piyQxVX+d9VWVO/xY8fJ3musKdgwT37/ZKOyS0QuQ1IxuoMdcB1kcz4bdK1H2czGDjsR 7BO6kC2GSVmVCaZ8GsCL6nrJ6z7iAyTndmSxD6H+ptaHPv3w9bmU1gujJ4IbcVP0d/j/ MZcA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=DLFc43+zWZaHz7DJE5w0IA8m/d3/STNRHdNjNBYY/r8=; b=0u1wy4kLxAoVR+uMwbA5JDeyctdaF59AizGZ8M4WMbPAa0YiwqpQcv81Ut6y5kWog6 aXLqREl3gDROQoAVd+IjpGd/TcX6c7xESkZ4r6Pr8hSYnZlVTYfmLFA4Yw/8KFCunob7 KqDYTmfs3sz85WAljyWNU/Mtrs2Ry5D0XvrA+DBMtbeND5q0kLSQMkmAw1fw/KwFHMI0 7sddX1uC1FuTj4R4X2CNcDOcljBDXIwMNF1bWtjc+MDRF5zO7BQyIWJJfArDzlKEMBQ5 DiScoGFENKGO45q7G5WuaqeyCOWcAbnn76nmbCIxw8d1qUZo2YdmFAYiCqwHRRcHxt4W vInw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=Kv96F1Rj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z23si14428760edl.270.2020.12.22.16.22.56; Tue, 22 Dec 2020 16:23:19 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=Kv96F1Rj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726260AbgLWAVs (ORCPT + 99 others); Tue, 22 Dec 2020 19:21:48 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46032 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726039AbgLWAVs (ORCPT ); Tue, 22 Dec 2020 19:21:48 -0500 Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 83E82C0613D6 for ; Tue, 22 Dec 2020 16:21:07 -0800 (PST) Received: by mail-lf1-x12c.google.com with SMTP id o17so36138947lfg.4 for ; Tue, 22 Dec 2020 16:21:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DLFc43+zWZaHz7DJE5w0IA8m/d3/STNRHdNjNBYY/r8=; b=Kv96F1RjqhLKNH4Di/XoAkh4fGcFanJF/35mBeZg8s5yZd6emVuhDTmAbKdCOPjTHy 2Flkg4YAHNfaKVQVpWzaowFcfIsg0qWnCHYScg1wPkWTGMP48AsbRBDUDmFxjUz6rUTh Xoab7E7PwRF0MbFD3jGQK+ux0O7RWJxy/Q1DA= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DLFc43+zWZaHz7DJE5w0IA8m/d3/STNRHdNjNBYY/r8=; b=QB1p5IMaP4oNvylLh3DN1K11OodNO6PLWQfkE2q466DuddHXoHiOlGpj9Zaqei88Sv gte7Tqg/RsiT8VHiCQj/VA71OYVoqq3vP+25KI7NdZr/fxUK/EMcD82vf5oJF2Wy3mbO OF96py4RT3Wu0VTPNXiDcp8tZu+KOC9NWDBtw0gDBnVRBgp+6TrE33Uw2BTluxPy90/i iEyHqrfVpu+h+rMEnWEh1eDvI9pFDr1MHnwmtRw9OHou6YoG9G6QFw72OHhrF5jeiLAU Nn8xJctCIQFi9ocXF/SwzfzLTD6lu1dd5AIH/wHEtaA1ErASO+4KHaM+7z6NoAn6tO2N BoJw== X-Gm-Message-State: AOAM532xyrgF7PpvY+VgIVmtAyhuSqs6VnBH2aWIENFMDkYJoCQFLGSP JnH/MBkAX9XuI5fbBVQPxIOS6I2Dc78HmQ== X-Received: by 2002:ac2:4463:: with SMTP id y3mr9261320lfl.94.1608682865330; Tue, 22 Dec 2020 16:21:05 -0800 (PST) Received: from mail-lf1-f44.google.com (mail-lf1-f44.google.com. [209.85.167.44]) by smtp.gmail.com with ESMTPSA id o138sm2528357lfa.171.2020.12.22.16.21.03 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 22 Dec 2020 16:21:04 -0800 (PST) Received: by mail-lf1-f44.google.com with SMTP id m12so36107395lfo.7 for ; Tue, 22 Dec 2020 16:21:03 -0800 (PST) X-Received: by 2002:a05:6512:338f:: with SMTP id h15mr9238858lfg.40.1608682863624; Tue, 22 Dec 2020 16:21:03 -0800 (PST) MIME-Version: 1.0 References: <9E301C7C-882A-4E0F-8D6D-1170E792065A@gmail.com> <1FCC8F93-FF29-44D3-A73A-DF943D056680@gmail.com> <20201221223041.GL6640@xz-x1> In-Reply-To: From: Linus Torvalds Date: Tue, 22 Dec 2020 16:20:47 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] mm/userfaultfd: fix memory corruption due to writeprotect To: Yu Zhao Cc: Andrea Arcangeli , Andy Lutomirski , Peter Xu , Nadav Amit , linux-mm , lkml , Pavel Emelyanov , Mike Kravetz , Mike Rapoport , stable , Minchan Kim , Will Deacon , Peter Zijlstra Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Dec 22, 2020 at 3:50 PM Linus Torvalds wrote: > > The rule is that the TLB flush has to be done before the page table > lock is released. I take that back. I guess it's ok as long as the mmap_sem is held for writing. Then the TLB flush can be delayed until just before releasing the mmap_sem. I think. The stale TLB entries still mean that somebody else can write through them in another thread, but as long as anybody who actually unmaps the page (and frees it - think rmap etc) is being careful, mprotect() itself can probably afford to be a bit laissez-faire. So mprotect() itself should be ok, I think, because it takes things for writing. Even with the mmap_sem held for writing, truncate and friends can see the read-only page table entries (because they can look things up using the file i_mmap thing instead), but then they rely on the page table lock and they'll also be careful if they then change that PTE and will force their own TLB flushes. So I think a pending TLB flush outside the page table lock is fine - but once again only if you hold the mmap_sem for writing. Not for reading, because then the page tables need to be synchronized with the TLB so that other readers don't see the not-yet-synchronized state. It once again looks like it's just userfaultfd that would trigger this due to the read-lock on the mmap_sem. And mprotect() itself is fine. Am I missing something? But apparently Nadav sees problems even with that lock changed to a write lock. Navad? Linus