Re: [PATCH] mm/userfaultfd: fix memory corruption due to writeprotect

From: Linus Torvalds
Date: Tue Dec 22 2020 - 19:03:01 EST
On Tue, Dec 22, 2020 at 3:50 PM Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> See zap_pte_range() for an example of doing it right, even in the
> presence of complexities (ie that has an example of both flushing the
> TLB, and doing the actual "free the pages after flush", and it does
> the two cases separately).

The more I look at the mprotect code, the less I like it. We seem to
be much better about the TLB flushes in other places (looking at
mremap, for example). The mprotect code seems to be very laissez-faire
about the TLB flushing.

Does adding a TLB flush to before that

pte_unmap_unlock(pte - 1, ptl);

fix things for you?

That's not the right fix - leaving a stale TLB entry around is fine if
the TLB entry is more strict wrt protections - but it might be worth
testing as a "does it at least close the problem" patch.

Linus