• Pasha Tatashin's avatar
    mm: change page type prior to adding page table entry · 1eba86c0
    Pasha Tatashin authored
    Patch series "page table check", v3.
    
    Ensure that some memory corruptions are prevented by checking at the
    time of insertion of entries into user page tables that there is no
    illegal sharing.
    
    We have recently found a problem [1] that existed in kernel since 4.14.
    The problem was caused by broken page ref count and led to memory
    leaking from one process into another.  The problem was accidentally
    detected by studying a dump of one process and noticing that one page
    contains memory that should not belong to this process.
    
    There are some other page->_refcount related problems that were recently
    fixed: [2], [3] which potentially could also lead to illegal sharing.
    
    In addition to hardening refcount [4] itself, this work is an attempt to
    prevent this class of memory corruption issues.
    
    It uses a simple state machine that is independent from regular MM logic
    to check for illegal sharing at time pages are inserted and removed from
    page tables.
    
    [1] https://lore.kernel.org/all/xr9335nxwc5y.fsf@gthelen2.svl.corp.google.com
    [2] https://lore.kernel.org/all/1582661774-30925-2-git-send-email-akaher@vmware.com
    [3] https://lore.kernel.org/all/20210622021423.154662-3-mike.kravetz@oracle.com
    [4] https://lore.kernel.org/all/20211221150140.988298-1-pasha.tatashin@soleen.com
    
    This patch (of 4):
    
    There are a few places where we first update the entry in the user page
    table, and later change the struct page to indicate that this is
    anonymous or file page.
    
    In most places, however, we first configure the page metadata and then
    insert entries into the page table.  Page table check, will use the
    information from struct page to verify the type of entry is inserted.
    
    Change the order in all places to first update struct page, and later to
    update page table.
    
    This means that we first do calls that may change the type of page (anon
    or file):
    
    	page_move_anon_rmap
    	page_add_anon_rmap
    	do_page_add_anon_rmap
    	page_add_new_anon_rmap
    	page_add_file_rmap
    	hugepage_add_anon_rmap
    	hugepage_add_new_anon_rmap
    
    And after that do calls that add entries to the page table:
    
    	set_huge_pte_at
    	set_pte_at
    
    Link: https://lkml.kernel.org/r/20211221154650.1047963-1-pasha.tatashin@soleen.com
    Link: https://lkml.kernel.org/r/20211221154650.1047963-2-pasha.tatashin@soleen.comSigned-off-by: default avatarPasha Tatashin <pasha.tatashin@soleen.com>
    Cc: David Rientjes <rientjes@google.com>
    Cc: Paul Turner <pjt@google.com>
    Cc: Wei Xu <weixugc@google.com>
    Cc: Greg Thelen <gthelen@google.com>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Jonathan Corbet <corbet@lwn.net>
    Cc: Will Deacon <will@kernel.org>
    Cc: Mike Rapoport <rppt@kernel.org>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Masahiro Yamada <masahiroy@kernel.org>
    Cc: Sami Tolvanen <samitolvanen@google.com>
    Cc: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: Frederic Weisbecker <frederic@kernel.org>
    Cc: "H. Peter Anvin" <hpa@zytor.com>
    Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
    Cc: Jiri Slaby <jirislaby@kernel.org>
    Cc: Muchun Song <songmuchun@bytedance.com>
    Cc: Hugh Dickins <hughd@google.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    1eba86c0
migrate.c 85.4 KB