From: David Hildenbrand
Organization: Red Hat
Date: Fri, 17 Dec 2021 22:04:11 +0100
To: Jason Gunthorpe, Linus Torvalds
Cc: Linux Kernel Mailing List, Andrew Morton, Hugh Dickins, David Rientjes, Shakeel Butt, John Hubbard, Mike Kravetz, Mike Rapoport, Yang Shi, Kirill A. Shutemov, Matthew Wilcox, Vlastimil Babka, Jann Horn, Michal Hocko, Nadav Amit, Rik van Riel, Roman Gushchin, Andrea Arcangeli, Peter Xu, Donald Dutile, Christoph Hellwig, Oleg Nesterov, Jan Kara, Linux-MM, open list:KERNEL SELFTEST FRAMEWORK, open list:DOCUMENTATION
Subject: Re: [PATCH v1 06/11] mm: support GUP-triggered unsharing via FAULT_FLAG_UNSHARE (!hugetlb)
Message-ID: <37dddd67-7e2d-8217-b1e2-31d79bb85693@redhat.com>
In-Reply-To: <20211217204705.GF6385@nvidia.com>
References: <20211217113049.23850-1-david@redhat.com> <20211217113049.23850-7-david@redhat.com> <54c492d7-ddcd-dcd0-7209-efb2847adf7c@redhat.com> <20211217204705.GF6385@nvidia.com>
On 17.12.21 21:47, Jason Gunthorpe wrote:
> On Fri, Dec 17, 2021 at 12:36:43PM -0800, Linus Torvalds wrote:
>
>>> 5. Take a R/O pin (RDMA, VFIO, ...)
>>> -> refcount > 1
>>>
>>> 6. memset(mem, 0xff, pagesize);
>>> -> Write fault -> COW
>>
>> I do not believe this is actually a bug.
>>
>> You asked for a R/O pin, and you got one.
>>
>> Then somebody else modified that page, and you got exactly what you
>> asked for - a COW event. The original R/O pin has the original page
>> that it asked for, and can read it just fine.
>

Hi Jason

> To remind all, the GUP users, like RDMA, VFIO use
> FOLL_FORCE|FOLL_WRITE to get a 'r/o pin' specifically because of the

I heard that statement often. Can you point me at the code?

VFIO:

drivers/vfio/vfio_iommu_type1.c vaddr_get_pfns() will end up doing a
pin_user_pages_remote(FOLL_LONGTERM) without FOLL_FORCE|FOLL_WRITE.

Is that added automatically internally?

Note the comment in the next patch

+ *
+ * TODO: although the security issue described does no longer apply in any case,
+ * the full consistency between the pinned pages and the pages mapped into the
+ * page tables of the MM only apply to short-term pinnings only. For
+ * FOLL_LONGTERM, FOLL_WRITE|FOLL_FORCE is required for now, which can be
+ * inefficient and still result in some consistency issues. Extend this
+ * mechanism to also provide full synchronicity to FOLL_LONGTERM, avoiding
+ * FOLL_WRITE|FOLL_FORCE.

>
> Eg in RDMA we know of apps asking for a R/O pin of something in .bss
> then filling that something with data finally doing the actual
> DMA. Breaking COW after pin breaks those apps.
>
> The above #5 can occur for O_DIRECT read and in that case the
> 'snapshot the data' is perfectly fine as racing the COW with the
> O_DIRECT read just resolves the race toward the read() direction.
>
> IIRC there is some other scenario that motivated this patch?

1. I want to fix the COW security issue as documented. Reproducers in
patch #11

2. I want to fix all of the other issues as documented and linked in the
cover letter that result from the imprecise page_count check in COW
code. Especially the ones where we have memory corruptions, because this
is just not acceptable. There are reproducers as well for everybody that
doesn't believe me.

But this series really just wants to fix the security issue as "part 1".
Without any more breakages.

I'm sorry, but it's all described in the cover letter. Maybe TL;DR

--
Thanks,

David / dhildenb
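Review bot: on the TODO comment quoted from the next patch: it says FOLL_WRITE|FOLL_FORCE is required for FOLL_LONGTERM "for now", but this very thread points out that drivers/vfio/vfio_iommu_type1.c vaddr_get_pfns() pins with pin_user_pages_remote(FOLL_LONGTERM) and neither flag, so the comment should state what such a caller actually gets (no full consistency with the MM's page tables) or the open question of whether the flags are added internally should be settled before the comment claims the requirement. Two wording fixes while at it: "does no longer apply" should read "no longer applies", and "only apply to short-term pinnings only" repeats "only" and should read "only applies to short-term pinnings".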