Re: [PATCH V3] mm: fix use-after free of page_ext after race with memory-offline

[Charan Teja Kalla <quic_charante@quicinc.com>]

Thanks Andrew/Michal!!

On 8/10/2022 12:53 PM, Michal Hocko wrote:
> On Tue 09-08-22 18:57:14, Andrew Morton wrote:
>> On Tue, 9 Aug 2022 20:16:43 +0530 Charan Teja Kalla <quic_charante@quicinc.com> wrote:
>>
>>> The below is one path where race between page_ext and  offline of the
>>> respective memory blocks will cause use-after-free on the access of
>>> page_ext structure.
>>
>> Has this race ever been observed at runtime?
>>
>> Given the size of the fix, I'm looking for excuses to not backport it
>> into -stable kernels!
> 
> I believe this is quite theoretical for two reasons
> 1) the memory hotplug (offlining) is quite rare operation
> 2) with all the retries the race window is quite hard to trigger
> 
> So this is good to have address long term but nothing really for stable
> until somebody actually hits that with a real world workload.
> 

Actually in the embedded systems the offline is not a rare operation,
especially,  in cases where one want to save some power through PASR[1].

This issue is caught with and in the page_pinner[2](currently being used
in Android) path where it is accessing the page_ext of a page after it
is freed. This is again not with the real workload but with some stress
tests. So, I am also agree with Michal here to not to backport it.

[1]https://lwn.net/Articles/478049/
[2] https://lore.kernel.org/all/20211228175904.3739751-1-minchan@kernel.org/

> Btw. I plan to have a look and review this but times are busy. Hopefully
> soon.
> 
> Thanks!
>