On Tue, Dec 05, 2017 at 10:39:59AM +0100, Michal Hocko wrote:
> From: Wang Nan <wangnan0@xxxxxxxxxx>
>
> commit 687cb0884a714ff484d038e9190edc874edcf146 upstream.
>
> tlb_gather_mmu(&tlb, mm, 0, -1) means gathering the whole virtual memory
> space. In this case, tlb->fullmm is true. Some archs like arm64
> don't flush the TLB when tlb->fullmm is true:
>
> commit 5a7862e83000 ("arm64: tlbflush: avoid flushing when fullmm == 1").
>
> Which causes leaking of tlb entries.
>
> Will clarifies his patch:
> "Basically, we tag each address space with an ASID (PCID on x86) which
> is resident in the TLB. This means we can elide TLB invalidation when
> pulling down a full mm because we won't ever assign that ASID to
> another mm without doing TLB invalidation elsewhere (which actually
> just nukes the whole TLB).
>
> I think that means that we could potentially not fault on a kernel
> uaccess, because we could hit in the TLB"
>
> There could be a window between complete_signal() sending an IPI to other
> cores and all threads sharing this mm really being kicked off the cores.
> In this window, the oom reaper may call tlb_flush_mmu_tlbonly() to
> flush the TLB and then free pages. However, due to the above problem, the TLB
> entries are not really flushed on arm64. Other threads can still
> access these pages through TLB entries. Moreover, a copy_to_user() can
> also write to these pages without generating a page fault, causing
> use-after-free bugs.
>
> This patch gathers each vma instead of gathering the full vm space. In this
> case tlb->fullmm is not true. The behavior of the oom reaper becomes similar
> to munmapping before do_exit, which should be safe for all archs.
>
> Link: http://lkml.kernel.org/r/20171107095453.179940-1-wangnan0@xxxxxxxxxx
> Fixes: aac453635549 ("mm, oom: introduce oom reaper")
> Signed-off-by: Wang Nan <wangnan0@xxxxxxxxxx>
> Acked-by: Michal Hocko <mhocko@xxxxxxxx>
> Acked-by: David Rientjes <rientjes@xxxxxxxxxx>
> Cc: Minchan Kim <minchan@xxxxxxxxxx>
> Cc: Will Deacon <will.deacon@xxxxxxx>
> Cc: Bob Liu <liubo95@xxxxxxxxxx>
> Cc: Ingo Molnar <mingo@xxxxxxxxxx>
> Cc: Roman Gushchin <guro@xxxxxx>
> Cc: Konstantin Khlebnikov <khlebnikov@xxxxxxxxxxxxxx>
> Cc: Andrea Arcangeli <aarcange@xxxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> [backported to 4.9 stable tree]
> Signed-off-by: Michal Hocko <mhocko@xxxxxxxx>

Thanks for the backport, now queued up.

greg k-h