From: Al Viro <viro@ZenIV.linux.org.uk>
To: linux-rdma@vger.kernel.org
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Doug Ledford <dledford@redhat.com>
Subject: mthca misuse of get_user_pages() (was Re: [git pull] vfs.git get_user_pages_fast() conversion)
Date: Sun, 19 Nov 2017 21:23:54 +0000 [thread overview]
Message-ID: <20171119212354.GU21978@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20171117213215.GQ21978@ZenIV.linux.org.uk>
On Fri, Nov 17, 2017 at 09:32:15PM +0000, Al Viro wrote:
[snip]
> drivers/infiniband/hw/mthca/mthca_memfree.c:475: ret = get_user_pages(uaddr & PAGE_MASK, 1, FOLL_WRITE, pages, NULL);
[snip]
> Itanic
> one is almost certainly buggered - we are not holding ->mmap_sem there.
So's the mthca one - that caller (mthca_map_user_db()) does not take ->mmap_sem
and at least some of its calls are immediately preceded by copy_from_user().
If we don't have ->mmap_sem there, this get_user_pages() is oopsably racy; if
we do, those copy_from_user() calls is deadlock-prone.
To make things even nastier, mthca_map_user_db() does grab a mutex around the
chunk that contains get_user_pages() call:
mutex_lock(&db_tab->mutex);
several lines prior. And _that_ is taken on a whole lot of codepaths; if any of
those happen to be under ->mmap_sem, we can't grab ->mmap_sem just around that
get_user_pages(). I've poked around a bit, but I'm really unfamiliar with that
code... The questions so far:
* can mthca_map_user_db() ever be called under ->mmap_sem? Looks like
it shouldn't, but...
* do we really need that get_user_pages() under ->mutex? Would something
like
....
if (db_tab->page[i].refcount) {
++db_tab->page[i].refcount;
goto out;
}
mutex_unlock(&db_tab->mutex);
ret = get_user_pages_fast(uaddr & PAGE_MASK, 1, true, pages);
if (ret < 0)
return ret;
mutex_lock(&db_tab->mutex);
if (unlikely(db_tab->page[i].refcount)) {
/* lost the race */
put_page(pages[0]);
++db_tab->page[i].refcount;
goto out;
}
....
in place of the current
if (db_tab->page[i].refcount) {
++db_tab->page[i].refcount;
goto out;
}
ret = get_user_pages(uaddr & PAGE_MASK, 1, FOLL_WRITE, pages, NULL);
if (ret < 0)
goto out;
be a usable solution?
Comments?
prev parent reply other threads:[~2017-11-19 21:23 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-17 3:02 [git pull] vfs.git get_user_pages_fast() conversion Al Viro
2017-11-17 20:50 ` Linus Torvalds
2017-11-17 21:32 ` Al Viro
2017-11-18 21:45 ` Al Viro
2017-11-21 18:35 ` Andrea Arcangeli
2017-11-18 21:49 ` Dan Williams
2017-11-19 21:23 ` Al Viro [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171119212354.GU21978@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=dledford@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.