Draft: mm: fix for "CoW after fork()" "GUP after fork()" bug

Andrea Arcangeli requested to merge HEAD into main

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1958742
Upstream Status: RHEL-only

RHEL-9 (and current upstream) MM is affected by a problem where a
child process can read private memory of the parent process misusing
get_user_pages(), and pinned pages, no matter if short term or
FOLL_LONGTERM or FOLL_PIN or FOLL_GET, may result in silent user
memory corruption.

In this downstream-only patch series we are addressing these pressing
issues ahead of upstream in order to be able to ship RHEL-9 without
risking user memory corruption. While the patches proposed here are an
effective way of addressing the aforementioned issues, upstream is
still discussing alternative approaches to cope with these issues, and
unfortunately we cannot wait on their time for determination before
shipping RHEL-9 free of these regressions.

For more technical details on the regressions resolved you can also
refer to the below post:

https://lkml.kernel.org/r/3ae33b08-d9ef-f846-56fb-645e3b9b4c66@redhat.com

Signed-off-by: Rafael Aquini <aquini@redhat.com>
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>

3632dff74c5d (Andrea Arcangeli)
mm: COW: restore full accuracy in page reuse

6e62805e810f (Andrea Arcangeli)
mm: thp: replace the page lock with the seqlock for the THP mapcount

5463365dcb2b (Andrea Arcangeli)
mm: COW: skip the page lock in the COW copy path

46429aa1f891 (Andrea Arcangeli)
mm: gup: gup_must_unshare() use can_read_pin_swap_page()

44279bc021b7 (Andrea Arcangeli)
mm: hugetlbfs: gup: gup_must_unshare(): enable hugetlbfs

72e904ca24a3 (Andrea Arcangeli)
mm: hugetlbfs: FOLL_FAULT_UNSHARE

8102220120d8 (Andrea Arcangeli)
mm: hugetlbfs: COR: copy-on-read fault

c2624f3ffe39 (Andrea Arcangeli)
mm: gup: FOLL_UNSHARE RHEL

7d4fb0c4b699 (Andrea Arcangeli)
mm: gup: FOLL_NOUNSHARE: optimize follow_page

0af303a5ae39 (Andrea Arcangeli)
mm: gup: FOLL_UNSHARE

15a6fb9b2237 (Andrea Arcangeli)
mm: gup: gup_must_unshare()

3b34c5779c17 (Andrea Arcangeli)
mm: gup: COR: copy-on-read fault

1b3d419c1daf (Andrea Arcangeli)
mm: thp: introduce page_trans_huge_anon_shared

98591e74a95a (Andrea Arcangeli)
mm: thp: stabilize the THP mapcount in page_remove_anon_compound_rmap

d2a6240eea9e (Andrea Arcangeli)
mm: thp: make the THP mapcount atomic with a seqlock

aa967ab69bc1 (David Hildenbrand)
mm: thp: consolidate mapcount logic on THP split

fs/proc/task_mmu.c | 51 +++++-----
include/linux/huge_mm.h | 87 +++++++++++++++++
include/linux/ksm.h | 7 ++
include/linux/mm.h | 15 +++
include/linux/mm_types.h | 6 ++
include/linux/swap.h | 13 ++-
mm/gup.c | 161 ++++++++++++++++++++++++++++++-
mm/huge_memory.c | 150 +++++++++++++++++++----------
mm/hugetlb.c | 78 ++++++++++++---
mm/ksm.c | 25 +++++
mm/memory.c | 244 ++++++++++++++++++++++++++++++++++++++++-------
mm/rmap.c | 24 ++++-
mm/swap_state.c | 2 +-
mm/swapfile.c | 46 ++++++++-
mm/util.c | 25 +++--
mm/vmscan.c | 2 -
16 files changed, 787 insertions(+), 149 deletions(-)