On Wed, Aug 07, 2024 at 02:17:03PM -0700, Andrew Morton wrote:
> On Wed, 7 Aug 2024 15:48:04 -0400 Peter Xu <peterx@xxxxxxxxxx> wrote:
>
> >
> > Dax supports pud pages for a while, but mprotect on puds was missing since
> > the start. This series tries to fix that by providing pud handling in
> > mprotect(). The goal is to add more types of pud mappings like hugetlb or
> > pfnmaps. This series paves way for it by fixing known pud entries.
> >
> > Considering nobody reported this until when I looked at those other types
> > of pud mappings, I am thinking maybe it doesn't need to be a fix for stable
> > and this may not need to be backported. I would guess whoever cares about
> > mprotect() won't care 1G dax puds yet, vice versa. I hope fixing that in
> > new kernels would be fine, but I'm open to suggestions.
>
> Yes, I'm not sure this is a "fix" at all. We're implementing something
> which previously wasn't there. Perhaps the entire series should be
> called "mm: implement mprotect() for DAX PUDs"?
The problem is mprotect() will skip the dax 1G PUD while it shouldn't;
meanwhile it'll dump some bad PUD in dmesg. Both of them look like (corner
case) bugs to me.. where:
- skipping the 1G pud means mprotect() will succeed even if the pud won't
be updated with the correct permission specified. Logically that can
cause e.g. in mprotect(RO) then write the page can cause data corrupt,
as the pud page will still be writable.
- the bad pud will generate a pr_err() into dmesg, with no limit so far I
can see. So I think it means an userspace can DoS the kernel log if it
wants.. simply by creating the PUD and keep mprotect-ing it
But yeah this series fixes this "bug" by implementing that part..
Thanks,
--
Peter Xu
