Date: Tue, 10 Mar 2020 15:14:40 -0700
From: Minchan Kim
To: Jann Horn
Cc: Michal Hocko, Linux-MM, kernel list, Daniel Colascione, Dave Hansen, "Joel Fernandes (Google)"
Subject: Re: interaction of MADV_PAGEOUT with CoW anonymous mappings?
Message-ID: <20200310221440.GA72963@google.com>

Hi Jann,

On Tue, Mar 10, 2020 at 07:08:28PM +0100, Jann Horn wrote:
> Hi!
>
> From looking at the source code, it looks to me as if using
> MADV_PAGEOUT on a CoW anonymous mapping will page out the page if
> possible, even if other processes still have the same page mapped. Is
> that correct?
>
> If so, that's probably bad in environments where many processes (with
> different privileges) are forked from a single zygote process (like
> Android and Chrome), I think? If you accidentally call it on a CoW
> anonymous mapping with shared pages, you'll degrade the performance of
> other processes. And if an attacker does it intentionally, they could
> use that to aid with exploiting race conditions or weird
> microarchitectural stuff (e.g. the new https://lviattack.eu/lvi.pdf
> talks about "the assumption that attackers can provoke page faults or
> microcode assists for (arbitrary) load operations in the victim
> domain").
>
> Should madvise_cold_or_pageout_pte_range() maybe refuse to operate on
> pages with mapcount>1, or something like that? Or does it already do
> that, and I just missed the check?

Originally, the patchset had the mapcount check to filter out shared pages
due to performance concerns, not security stuff.

However, the code was removed because a reviewer asked me to "let the
shared pages rely on general LRU", because shared pages would have a
higher chance of being touched compared to private pages, so naturally
they will stay in memory. It did make sense to me.

I am not familiar with the security stuff, but if it's really vulnerable
and everyone agrees on that, it's easy to add the mapcount check there.

Thanks.
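Added example, not code from the thread or from the kernel: a small user-space check for whether the running kernel pages out a CoW-shared anonymous page under MADV_PAGEOUT, which is the behaviour the thread discusses and what a mapcount check in madvise_cold_or_pageout_pte_range() would prevent. It assumes a Linux kernel that accepts MADV_PAGEOUT and has swap configured; the enum and function names are my own.

```c
/* Added example (not from the thread or the kernel): does MADV_PAGEOUT on a
 * fork()-shared CoW anonymous page evict it from the child that still maps it?
 * Assumes Linux with MADV_PAGEOUT and swap; without swap, anon pages stay. */
#define _GNU_SOURCE
#include <errno.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef MADV_PAGEOUT
#define MADV_PAGEOUT 21   /* Linux value since 5.4; missing from older headers */
#endif
enum outcome { PAGEOUT_UNSUPPORTED = 0, SHARED_PAGE_KEPT = 1, SHARED_PAGE_EVICTED = 2 };

/* 1 if the page-aligned address is resident in RAM, 0 if not, -1 on error.
 * mincore() does not touch the page, so it cannot fault it back in. */
int page_resident(void *addr)
{
    unsigned char vec = 0;
    if (mincore(addr, (size_t)sysconf(_SC_PAGESIZE), &vec) != 0)
        return -1;
    return vec & 1;
}

/* Parent faults in one anonymous page, forks (child shares it CoW), runs
 * MADV_PAGEOUT, then asks the child whether its mapping is still resident. */
int shared_pageout_outcome(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    int pipefd[2], status;
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED || pipe(pipefd) != 0)
        return -1;
    p[0] = 0x5a;                          /* make the page resident before fork */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: wait for the parent's madvise */
        char go;
        _exit(read(pipefd[0], &go, 1) == 1 ? (page_resident(p) == 1 ? 1 : 0) : 3);
    }
    int unsupported = (madvise(p, len, MADV_PAGEOUT) != 0 && errno == EINVAL);
    if (write(pipefd[1], "x", 1) != 1 || waitpid(pid, &status, 0) != pid)
        return -1;
    munmap(p, len);
    if (unsupported) return PAGEOUT_UNSUPPORTED;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 3)
        return -1;
    return WEXITSTATUS(status) == 1 ? SHARED_PAGE_KEPT : SHARED_PAGE_EVICTED;
}
```

SHARED_PAGE_EVICTED means the child lost a page it never wrote after fork; SHARED_PAGE_KEPT on a kernel with swap configured indicates the mapcount filter is in place.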