Date: Fri, 26 Feb 2021 14:09:52 -0500
From: Sasha Levin
To: Vlastimil Babka
Cc: stable@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, Andrea Arcangeli, Kirill A. Shutemov, Jann Horn, Linus Torvalds, Michal Hocko, Hugh Dickins, Nicolai Stange
Subject: Re: [PATCH 4.9 STABLE] mm, thp: make do_huge_pmd_wp_page() lock page for testing mapcount
Message-ID: <20210226190952.GC473487@sasha-vm>
References: <26569718-050f-fc90-e3ac-79edfaae9ac7@suse.cz> <20210226162200.20548-1-vbabka@suse.cz>
In-Reply-To: <20210226162200.20548-1-vbabka@suse.cz>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Feb 26, 2021 at 05:22:00PM +0100, Vlastimil Babka wrote:
>Jann reported [1] a race between __split_huge_pmd_locked() and
>page_trans_huge_map_swapcount() which can result in a page being reused
>instead of COWed. This was later assigned CVE-2020-29368.
>
>This was fixed by commit c444eb564fb1 ("mm: thp: make the THP mapcount atomic
>against __split_huge_pmd_locked()") by doing the split under the page lock,
>while all users of page_trans_huge_map_swapcount() were already also under page
>lock. The fix was also backported to the 4.9 stable series.
>
>When testing the backport on a 4.12 based kernel, Nicolai noticed the POC from
>[1] still reproduces after backporting c444eb564fb1 and identified a missing
>page lock in do_huge_pmd_wp_page() around the call to
>page_trans_huge_mapcount(). The page lock was only added in ba3c4ce6def4 ("mm,
>THP, swap: make reuse_swap_page() works for THP swapped out") in 4.14. The
>commit also wrapped page_trans_huge_mapcount() into
>page_trans_huge_map_swapcount() for the purposes of COW decisions.
>
>I have verified that 4.9.y indeed also reproduces with the POC. Backporting
>ba3c4ce6def4 alone however is not possible as it's part of a larger effort of
>optimizing THP swapping, which would be risky to backport fully.
>
>Therefore this 4.9-stable-only patch just wraps page_trans_huge_mapcount()
>in page_trans_huge_mapcount() under page lock the same way as ba3c4ce6def4
>does, but without the page_trans_huge_map_swapcount() part. Other callers
>of page_trans_huge_mapcount() are all under page lock already. I have verified
>the POC no longer reproduces afterwards.
>
>[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=2045
>
>Reported-by: Nicolai Stange
>Signed-off-by: Vlastimil Babka

Queued up, thanks!

-- 
Thanks,
Sasha
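The commit message above says why the mapcount test must sit under the page lock but does not show the interleaving. The user-space model below is an added example, not kernel code and not part of this thread or of the patch: it reproduces the shape of the 4.9-era accounting (per-subpage _mapcount, compound_mapcount and PG_double_map, read back by page_trans_huge_mapcount() as max subpage count, minus one when double-mapped, plus the compound count) and the update order of __split_huge_pmd_locked() as described in c444eb564fb1, with the page lock reduced to an owner field and the two CPUs scheduled by hand so the result is deterministic. NR_SUBPAGES, the phase split, and the function names are this example's own assumptions, and the single interleaving it runs is the one that produces the undercount; it is not a reproduction of the Project Zero POC.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

#define NR_SUBPAGES 4               /* stands in for HPAGE_PMD_NR (assumption) */

enum { NOBODY = 0, SPLIT_CPU, COW_CPU };

struct page {
    int compound_mapcount;          /* PMD-level mappings of the whole huge page */
    int sub_mapcount[NR_SUBPAGES];  /* per-subpage _mapcount, -1 means unmapped */
    bool double_map;                /* PG_double_map */
    int lock_owner;                 /* models PG_locked; NOBODY when free */
};

/* Trylock semantics: returns false where the kernel's lock_page() would sleep. */
static bool lock_page(struct page *p, int who)
{
    if (p->lock_owner != NOBODY)
        return false;
    p->lock_owner = who;
    return true;
}

static void unlock_page(struct page *p, int who)
{
    assert(p->lock_owner == who);
    p->lock_owner = NOBODY;
}

/* First half of the split: rmap the PTEs that replace the PMD mapping. */
static void split_phase1(struct page *p)
{
    for (int i = 0; i < NR_SUBPAGES; i++)
        p->sub_mapcount[i]++;
}

/* Second half: flag the page double-mapped while another PMD mapping
 * remains, then drop the compound mapcount. */
static void split_phase2(struct page *p)
{
    if (p->compound_mapcount > 1 && !p->double_map) {
        p->double_map = true;
        for (int i = 0; i < NR_SUBPAGES; i++)
            p->sub_mapcount[i]++;
    }
    if (--p->compound_mapcount == 0 && p->double_map) {
        p->double_map = false;
        for (int i = 0; i < NR_SUBPAGES; i++)
            p->sub_mapcount[i]--;
    }
}

/* page_trans_huge_mapcount() in two halves: the subpage loads and the
 * flag/compound loads are separate reads with nothing making them atomic. */
static int mapcount_subpages(const struct page *p)
{
    int ret = 0;
    for (int i = 0; i < NR_SUBPAGES; i++)
        if (p->sub_mapcount[i] + 1 > ret)
            ret = p->sub_mapcount[i] + 1;
    return ret;
}

static int mapcount_finish(const struct page *p, int ret)
{
    if (p->double_map)
        ret -= 1;
    return ret + p->compound_mapcount;
}

/* Constructed starting state: parent and child each map the THP with a PMD. */
static void init_forked_thp(struct page *p)
{
    p->compound_mapcount = 2;
    for (int i = 0; i < NR_SUBPAGES; i++)
        p->sub_mapcount[i] = -1;
    p->double_map = false;
    p->lock_owner = NOBODY;
}

/* The split has finished phase 1 under the page lock when the write fault on
 * the other CPU reaches its mapcount test. Returns the mapcount the COW path
 * decides on; 1 means it reuses the page in place although it is mapped twice. */
static int cow_mapcount_racing_split(bool cow_holds_page_lock)
{
    struct page pg;
    bool got;
    int ret;

    init_forked_thp(&pg);
    got = lock_page(&pg, SPLIT_CPU);   /* split path locks the page (c444eb564fb1) */
    assert(got);
    split_phase1(&pg);

    if (cow_holds_page_lock) {
        /* With this patch: the fault path sleeps until the split completes. */
        if (!lock_page(&pg, COW_CPU)) {
            split_phase2(&pg);
            unlock_page(&pg, SPLIT_CPU);
            got = lock_page(&pg, COW_CPU);
            assert(got);
        }
        ret = mapcount_finish(&pg, mapcount_subpages(&pg));
        unlock_page(&pg, COW_CPU);
    } else {
        /* 4.9 before this patch: the rest of the split lands mid-read. */
        ret = mapcount_subpages(&pg);
        split_phase2(&pg);
        unlock_page(&pg, SPLIT_CPU);
        ret = mapcount_finish(&pg, ret);
    }
    return ret;
}

int main(void)
{
    printf("unlocked test sees mapcount %d (page is mapped twice)\n",
           cow_mapcount_racing_split(false));
    printf("locked test sees mapcount %d\n", cow_mapcount_racing_split(true));
    return 0;
}
```

The unlocked variant reads the subpage counts before PG_double_map is set and compound_mapcount is dropped, then applies the double-map correction against the new flag and the new compound count, so a page mapped by two processes reports a mapcount of 1 and the fault reuses it instead of copying. Holding the page lock does not make the loads atomic; it orders the whole read before or after the whole split, which is all the check needs.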