From mboxrd@z Thu Jan 1 00:00:00 1970 From: Catalin Marinas Date: Tue, 31 Aug 2021 17:01:58 +0100 Subject: [Cluster-devel] [RFC][arm64] possible infinite loop in btrfs search_ioctl() In-Reply-To: References: <20210827164926.1726765-6-agruenba@redhat.com> Message-ID: List-Id: To: cluster-devel.redhat.com MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit On Tue, Aug 31, 2021 at 03:28:57PM +0000, Al Viro wrote: > On Tue, Aug 31, 2021 at 02:54:50PM +0100, Catalin Marinas wrote: > > > An arm64-specific workaround would be for pagefault_disable() to disable > > tag checking. It's a pretty big hammer, weakening the out of bounds > > access detection of MTE. My preference would be a fix in the btrfs code. > > > > A btrfs option would be for copy_to_sk() to return an indication of > > where the fault occurred and get fault_in_pages_writeable() to check > > that location, even if the copying would restart from an earlier offset > > (this requires open-coding copy_to_user_nofault()). An attempt below, > > untested and does not cover read_extent_buffer_to_user_nofault(): > > Umm... There's another copy_to_user_nofault() call in the same function > (same story, AFAICS). Yeah, I was too lazy to do it all and I don't have a setup to test the patch quickly either. BTW, my hack is missing an access_ok() check. I wonder whether copy_{to,from}_user_nofault() could actually return the number of bytes left to copy, just like their non-nofault counterparts. These are only used in a few places, so fairly easy to change. If we go for a btrfs fix along the lines of my diff, it saves us from duplicating the copy_to_user_nofault() code. -- Catalin From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id EB09BC433EF for ; Mon, 13 Sep 2021 14:48:02 +0000 (UTC) Received: from mx0b-00069f02.pphosted.com (mx0b-00069f02.pphosted.com [205.220.177.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 5C63360F92 for ; Mon, 13 Sep 2021 14:48:02 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 5C63360F92 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=arm.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=oss.oracle.com Received: from pps.filterd (m0246630.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.16.1.2/8.16.1.2) with SMTP id 18DESqiC024401; Mon, 13 Sep 2021 14:48:01 GMT Received: from userp3020.oracle.com (userp3020.oracle.com [156.151.31.79]) by mx0b-00069f02.pphosted.com with ESMTP id 3b1h45k12a-2 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 13 Sep 2021 14:48:01 +0000 Received: from pps.filterd (userp3020.oracle.com [127.0.0.1]) by userp3020.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 18DEVMxD105272; Mon, 13 Sep 2021 14:31:59 GMT Received: from oss.oracle.com (oss-old-reserved.oracle.com [137.254.22.2]) by userp3020.oracle.com with ESMTP id 3b167qhbdv-1; Mon, 13 Sep 2021 14:31:59 +0000 Received: from localhost ([127.0.0.1] helo=lb-oss.oracle.com) by oss.oracle.com with esmtp (Exim 4.63) (envelope-from ) id 1mPmwz-0004gh-Li; Mon, 13 Sep 2021 07:28:49 -0700 Received: from userp3030.oracle.com ([156.151.31.80]) by oss.oracle.com with esmtp (Exim 4.63) (envelope-from ) id 1mL6D9-0007Tt-8E for ocfs2-devel@oss.oracle.com; Tue, 31 Aug 2021 09:02:07 -0700 Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 17VG0GFB160673 for ; Tue, 31 Aug 2021 16:02:06 GMT Received: from mx0a-00069f01.pphosted.com (mx0a-00069f01.pphosted.com [205.220.165.26]) by userp3030.oracle.com with ESMTP id 3arpf4mppy-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Tue, 31 Aug 2021 16:02:06 +0000 Received: from pps.filterd (m0246571.ppops.net [127.0.0.1]) by mx0b-00069f01.pphosted.com (8.16.1.2/8.16.0.43) with SMTP id 17VDldEX013934 for ; Tue, 31 Aug 2021 16:02:05 GMT Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by mx0b-00069f01.pphosted.com with ESMTP id 3asnmd9v6v-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Tue, 31 Aug 2021 16:02:05 +0000 Received: by mail.kernel.org (Postfix) with ESMTPSA id B0F4160F6B; Tue, 31 Aug 2021 16:02:01 +0000 (UTC) Date: Tue, 31 Aug 2021 17:01:58 +0100 From: Catalin Marinas To: Al Viro Message-ID: References: <20210827164926.1726765-6-agruenba@redhat.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: X-Source-IP: 198.145.29.99 X-ServerName: mail.kernel.org X-Proofpoint-SPF-Result: pass X-Proofpoint-SPF-Record: v=spf1 mx include:_spf.kernel.org ~all X-Proofpoint-Virus-Version: vendor=nai engine=6300 definitions=10093 signatures=668682 X-Proofpoint-Spam-Reason: safe X-Spam: OrgSafeList X-SpamRule: orgsafelist X-Mailman-Approved-At: Mon, 13 Sep 2021 07:28:45 -0700 Cc: cluster-devel , Jan Kara , Andreas Gruenbacher , Will Deacon , Linux Kernel Mailing List , Josef Bacik , Christoph Hellwig , linux-fsdevel , Linus Torvalds , "ocfs2-devel@oss.oracle.com" Subject: Re: [Ocfs2-devel] [RFC][arm64] possible infinite loop in btrfs search_ioctl() X-BeenThere: ocfs2-devel@oss.oracle.com X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: ocfs2-devel-bounces@oss.oracle.com Errors-To: ocfs2-devel-bounces@oss.oracle.com X-Proofpoint-Virus-Version: vendor=nai engine=6300 definitions=10105 signatures=668682 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 adultscore=0 suspectscore=0 phishscore=0 mlxlogscore=999 malwarescore=0 mlxscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2109030001 definitions=main-2109130096 X-Proofpoint-ORIG-GUID: VcOMVLGEU0RVK1h6hThfEgiiurjMVWrz X-Proofpoint-GUID: VcOMVLGEU0RVK1h6hThfEgiiurjMVWrz On Tue, Aug 31, 2021 at 03:28:57PM +0000, Al Viro wrote: > On Tue, Aug 31, 2021 at 02:54:50PM +0100, Catalin Marinas wrote: > > > An arm64-specific workaround would be for pagefault_disable() to disable > > tag checking. It's a pretty big hammer, weakening the out of bounds > > access detection of MTE. My preference would be a fix in the btrfs code. > > > > A btrfs option would be for copy_to_sk() to return an indication of > > where the fault occurred and get fault_in_pages_writeable() to check > > that location, even if the copying would restart from an earlier offset > > (this requires open-coding copy_to_user_nofault()). An attempt below, > > untested and does not cover read_extent_buffer_to_user_nofault(): > > Umm... There's another copy_to_user_nofault() call in the same function > (same story, AFAICS). Yeah, I was too lazy to do it all and I don't have a setup to test the patch quickly either. BTW, my hack is missing an access_ok() check. I wonder whether copy_{to,from}_user_nofault() could actually return the number of bytes left to copy, just like their non-nofault counterparts. These are only used in a few places, so fairly easy to change. If we go for a btrfs fix along the lines of my diff, it saves us from duplicating the copy_to_user_nofault() code. -- Catalin _______________________________________________ Ocfs2-devel mailing list Ocfs2-devel@oss.oracle.com https://oss.oracle.com/mailman/listinfo/ocfs2-devel From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0A721C4320A for ; Tue, 31 Aug 2021 16:02:06 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id E6ED460FE6 for ; Tue, 31 Aug 2021 16:02:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239482AbhHaQDA (ORCPT ); Tue, 31 Aug 2021 12:03:00 -0400 Received: from mail.kernel.org ([198.145.29.99]:39366 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232770AbhHaQC7 (ORCPT ); Tue, 31 Aug 2021 12:02:59 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id B0F4160F6B; Tue, 31 Aug 2021 16:02:01 +0000 (UTC) Date: Tue, 31 Aug 2021 17:01:58 +0100 From: Catalin Marinas To: Al Viro Cc: Linus Torvalds , Andreas Gruenbacher , Christoph Hellwig , "Darrick J. Wong" , Jan Kara , Matthew Wilcox , cluster-devel , linux-fsdevel , Linux Kernel Mailing List , "ocfs2-devel@oss.oracle.com" , Josef Bacik , Will Deacon Subject: Re: [RFC][arm64] possible infinite loop in btrfs search_ioctl() Message-ID: References: <20210827164926.1726765-6-agruenba@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org On Tue, Aug 31, 2021 at 03:28:57PM +0000, Al Viro wrote: > On Tue, Aug 31, 2021 at 02:54:50PM +0100, Catalin Marinas wrote: > > > An arm64-specific workaround would be for pagefault_disable() to disable > > tag checking. It's a pretty big hammer, weakening the out of bounds > > access detection of MTE. My preference would be a fix in the btrfs code. > > > > A btrfs option would be for copy_to_sk() to return an indication of > > where the fault occurred and get fault_in_pages_writeable() to check > > that location, even if the copying would restart from an earlier offset > > (this requires open-coding copy_to_user_nofault()). An attempt below, > > untested and does not cover read_extent_buffer_to_user_nofault(): > > Umm... There's another copy_to_user_nofault() call in the same function > (same story, AFAICS). Yeah, I was too lazy to do it all and I don't have a setup to test the patch quickly either. BTW, my hack is missing an access_ok() check. I wonder whether copy_{to,from}_user_nofault() could actually return the number of bytes left to copy, just like their non-nofault counterparts. These are only used in a few places, so fairly easy to change. If we go for a btrfs fix along the lines of my diff, it saves us from duplicating the copy_to_user_nofault() code. -- Catalin