From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=3xAm=F2=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-5.8 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 3B571C433E0
	for <linux-mm@archiver.kernel.org>; Tue, 22 Dec 2020 23:50:52 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id B9A9B22B2D
	for <linux-mm@archiver.kernel.org>; Tue, 22 Dec 2020 23:50:51 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org B9A9B22B2D
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linux-foundation.org
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 2ADBD6B005D; Tue, 22 Dec 2020 18:50:51 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 2858D6B0068; Tue, 22 Dec 2020 18:50:51 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 19B286B006E; Tue, 22 Dec 2020 18:50:51 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0083.hostedemail.com [216.40.44.83])
	by kanga.kvack.org (Postfix) with ESMTP id 0443E6B005D
	for <linux-mm@kvack.org>; Tue, 22 Dec 2020 18:50:50 -0500 (EST)
Received: from smtpin19.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay03.hostedemail.com (Postfix) with ESMTP id B9C8E824999B
	for <linux-mm@kvack.org>; Tue, 22 Dec 2020 23:50:50 +0000 (UTC)
X-FDA: 77622565860.19.paper78_051781227464
Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251])
	by smtpin19.hostedemail.com (Postfix) with ESMTP id 9C1C91AD1B1
	for <linux-mm@kvack.org>; Tue, 22 Dec 2020 23:50:50 +0000 (UTC)
X-HE-Tag: paper78_051781227464
X-Filterd-Recvd-Size: 4620
Received: from mail-lf1-f47.google.com (mail-lf1-f47.google.com [209.85.167.47])
	by imf35.hostedemail.com (Postfix) with ESMTP
	for <linux-mm@kvack.org>; Tue, 22 Dec 2020 23:50:50 +0000 (UTC)
Received: by mail-lf1-f47.google.com with SMTP id m25so35879257lfc.11
        for <linux-mm@kvack.org>; Tue, 22 Dec 2020 15:50:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=wT+z8aeZsnOOzxK6hRvN9mbQoYBCIG22xW14cZwa86w=;
        b=MyXM9vqGI+WhI8Rv8h6RJuLl253A3dVDm7Wiw79euFHzsqdzhooZCUkLAygIrH6ipb
         kAS54/dbjFQk681nMzW1KllhvwGrPLMHaiwMbXVIdiWMzE+LAAShC4Wb9zlbpq+nM4kS
         fWHpqNltPGPg5x9GVJGujYfbWfRTyMdNA8src=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=wT+z8aeZsnOOzxK6hRvN9mbQoYBCIG22xW14cZwa86w=;
        b=d4K2EIj5+kALx/MJzrYIuAK51CBwOpqqSEVnYq5KkHOLtXTL0J7COBsgvK7CjT9tVG
         okZNqUl5ixJG3bhdvXuU4gZbvbfzkhjFiAMkiq74USxBwgf0g17+kDX97pnMckvCmmfS
         KcQNqBwPNROrF8NVqe0OjvfCF+BWlfhV/ew4nP3/zkfwKlaCCeX0UV07NPZNEGQCMr65
         VlusK6QhM64elPXhfD3C2yJaXmkyRs7IHE7o4Ey1PbN9oxTqS6cgwIR+joiR5nYlTtXa
         2yFG4zcKgq+659BpwPR114mIILdCwWOq2tU3xU9W+qV16kr/5z/QrnCGpWwv0oEKbjGf
         adPg==
X-Gm-Message-State: AOAM533sKJyssF6qAZ8dF/iWlKgscjTQq5oP3HCDC0E+ALB3dkW+Hmff
	3xQ6tRg/VaVOI+cZ/IGy+sXPMEGTwrwhlg==
X-Google-Smtp-Source: ABdhPJxYcGx4mJ/1LCiSFOUGl3KNrD6e5J4Ixvu//t7iEo6cq4fnVPNnTi9iLZ6Wwk/QqlSS7O4c7Q==
X-Received: by 2002:a05:651c:1254:: with SMTP id h20mr10909842ljh.211.1608681048029;
        Tue, 22 Dec 2020 15:50:48 -0800 (PST)
Received: from mail-lf1-f41.google.com (mail-lf1-f41.google.com. [209.85.167.41])
        by smtp.gmail.com with ESMTPSA id y12sm2924833lfy.300.2020.12.22.15.50.46
        for <linux-mm@kvack.org>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 22 Dec 2020 15:50:46 -0800 (PST)
Received: by mail-lf1-f41.google.com with SMTP id m25so35879059lfc.11
        for <linux-mm@kvack.org>; Tue, 22 Dec 2020 15:50:46 -0800 (PST)
X-Received: by 2002:a2e:9ad7:: with SMTP id p23mr10303284ljj.465.1608681045870;
 Tue, 22 Dec 2020 15:50:45 -0800 (PST)
MIME-Version: 1.0
References: <9E301C7C-882A-4E0F-8D6D-1170E792065A@gmail.com>
 <CAHk-=wg-Y+svNy3CDkJjj0X_CJkSbpERLg64-Vqwq5u7SC4z0g@mail.gmail.com>
 <X+ESkna2z3WjjniN@google.com> <1FCC8F93-FF29-44D3-A73A-DF943D056680@gmail.com>
 <20201221223041.GL6640@xz-x1> <CAHk-=wh-bG4thjXUekLtrCg8FRrdWjtT40ibXXLSm_hzQG8eOw@mail.gmail.com>
 <CALCETrV=8tY7h=aaudWBEn-MJnNkm2wz5qjH49SYqwkjYTpOaA@mail.gmail.com>
 <X+JJqK91plkBVisG@redhat.com> <X+JhwVX3s5mU9ZNx@google.com>
 <X+Js/dFbC5P7C3oO@redhat.com> <X+KDwu1PRQ93E2LK@google.com>
In-Reply-To: <X+KDwu1PRQ93E2LK@google.com>
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Tue, 22 Dec 2020 15:50:29 -0800
X-Gmail-Original-Message-ID: <CAHk-=wiBWkgxLtwD7n01irD7hTQzuumtrqCkxxZx=6dbiGKUqQ@mail.gmail.com>
Message-ID: <CAHk-=wiBWkgxLtwD7n01irD7hTQzuumtrqCkxxZx=6dbiGKUqQ@mail.gmail.com>
Subject: Re: [PATCH] mm/userfaultfd: fix memory corruption due to writeprotect
To: Yu Zhao <yuzhao@google.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>, Andy Lutomirski <luto@kernel.org>, Peter Xu <peterx@redhat.com>, 
	Nadav Amit <nadav.amit@gmail.com>, linux-mm <linux-mm@kvack.org>, 
	lkml <linux-kernel@vger.kernel.org>, Pavel Emelyanov <xemul@openvz.org>, 
	Mike Kravetz <mike.kravetz@oracle.com>, Mike Rapoport <rppt@linux.vnet.ibm.com>, 
	stable <stable@vger.kernel.org>, Minchan Kim <minchan@kernel.org>, 
	Will Deacon <will@kernel.org>, Peter Zijlstra <peterz@infradead.org>
Content-Type: text/plain; charset="UTF-8"
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Tue, Dec 22, 2020 at 3:39 PM Yu Zhao <yuzhao@google.com> wrote:
>
> 2) is the false positive because of what we do, and it's causing the
> memory corruption because do_wp_page() tries to make copies of pages
> that seem to be RO but may have stale RW tlb entries pending flush.

Yeah, that's definitely a different bug.

The rule is that the TLB flush has to be done before the page table
lock is released.

See zap_pte_range() for an example of doing it right, even in the
presence of complexities (ie that has an example of both flushing the
TLB, and doing the actual "free the pages after flush", and it does
the two cases separately).

           Linus