Re: [patch 023/192] mm, hugetlb: fix racy resv_huge_pages underflow on UFFDIO_COPY

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 7/12/21 7:48 AM, Matthew Wilcox wrote:
> On Wed, Jun 30, 2021 at 06:48:19PM -0700, Andrew Morton wrote:
>> From: Mina Almasry <almasrymina@xxxxxxxxxx>
>> Subject: mm, hugetlb: fix racy resv_huge_pages underflow on UFFDIO_COPY
>>
>> On UFFDIO_COPY, if we fail to copy the page contents while holding the
>> hugetlb_fault_mutex, we will drop the mutex and return to the caller after
>> allocating a page that consumed a reservation.  In this case there may be
>> a fault that double consumes the reservation.  To handle this, we free the
>> allocated page, fix the reservations, and allocate a temporary hugetlb
>> page and return that to the caller.  When the caller does the copy outside
>> of the lock, we again check the cache, and allocate a page consuming the
>> reservation, and copy over the contents.
> 
> But you only copy over the contents *IF* CONFIG_MIGRATION is enabled!
> Now, maybe there aren't many configs out there that enable HUGETLBFS
> and disable MIGRATION, but this is sloppy.
> 

Thanks Matthew!

Not copying the contents is also a security exposure.  We rely on copying
the contents to clear the page's previous contents.

I suggested using copy_huge_page here as a previous version of the patch
replicated the code.  The NULL function slipped by me when reviewing.
Perhaps it would be best to move those copy_huge_page routines to
huge_memory.c as it is used by both THP and hugetlbfs.

Mina, can you look into fixing this?
-- 
Mike Kravetz



[Index of Archives]     [Kernel Archive]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]

  Powered by Linux