Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
MIME-Version: 1.0
References: <20221128180252.1684965-1-jannh@google.com> <20221128180252.1684965-3-jannh@google.com>
In-Reply-To: <20221128180252.1684965-3-jannh@google.com>
From:   Yang Shi <shy828301@gmail.com>
Date:   Mon, 28 Nov 2022 11:56:57 -0800
Message-ID: <CAHbLzkoPdeMYOd591vS8XnWmwwn92kp30tac7_a8tWJE2+aN7w@mail.gmail.com>
Subject: Re: [PATCH v4 3/3] mm/khugepaged: Invoke MMU notifiers in shmem/file
 collapse paths
To:     Jann Horn <jannh@google.com>
Cc:     security@kernel.org, Andrew Morton <akpm@linux-foundation.org>,
        David Hildenbrand <david@redhat.com>,
        Peter Xu <peterx@redhat.com>,
        John Hubbard <jhubbard@nvidia.com>,
        linux-kernel@vger.kernel.org, linux-mm@kvack.org
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk

On Mon, Nov 28, 2022 at 10:03 AM Jann Horn <jannh@google.com> wrote:
>
> Any codepath that zaps page table entries must invoke MMU notifiers to
> ensure that secondary MMUs (like KVM) don't keep accessing pages which
> aren't mapped anymore. Secondary MMUs don't hold their own references to
> pages that are mirrored over, so failing to notify them can lead to page
> use-after-free.
>
> I'm marking this as addressing an issue introduced in commit f3f0e1d2150b
> ("khugepaged: add support of collapse for tmpfs/shmem pages"), but most of
> the security impact of this only came in commit 27e1f8273113 ("khugepaged:
> enable collapse pmd for pte-mapped THP"), which actually omitted flushes
> for the removal of present PTEs, not just for the removal of empty page
> tables.
>
> Cc: stable@kernel.org
> Fixes: f3f0e1d2150b ("khugepaged: add support of collapse for tmpfs/shmem pages")
> Signed-off-by: Jann Horn <jannh@google.com>

Reviewed-by: Yang Shi <shy828301@gmail.com>

> ---
> v4: no changes
>
>  mm/khugepaged.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/mm/khugepaged.c b/mm/khugepaged.c
> index c3d3ce596bff7..49eb4b4981d88 100644
> --- a/mm/khugepaged.c
> +++ b/mm/khugepaged.c
> @@ -1404,6 +1404,7 @@ static void collapse_and_free_pmd(struct mm_struct *mm, struct vm_area_struct *v
>                                   unsigned long addr, pmd_t *pmdp)
>  {
>         pmd_t pmd;
> +       struct mmu_notifier_range range;
>
>         mmap_assert_write_locked(mm);
>         if (vma->vm_file)
> @@ -1415,8 +1416,12 @@ static void collapse_and_free_pmd(struct mm_struct *mm, struct vm_area_struct *v
>         if (vma->anon_vma)
>                 lockdep_assert_held_write(&vma->anon_vma->root->rwsem);
>
> +       mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, NULL, mm, addr,
> +                               addr + HPAGE_PMD_SIZE);
> +       mmu_notifier_invalidate_range_start(&range);
>         pmd = pmdp_collapse_flush(vma, addr, pmdp);
>         tlb_remove_table_sync_one();
> +       mmu_notifier_invalidate_range_end(&range);
>         mm_dec_nr_ptes(mm);
>         page_table_check_pte_clear_range(mm, addr, pmd);
>         pte_free(mm, pmd_pgtable(pmd));
> --
> 2.38.1.584.g0f3c55d4c2-goog
>