Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932957AbbFWQND (ORCPT ); Tue, 23 Jun 2015 12:13:03 -0400 Received: from cantor2.suse.de ([195.135.220.15]:39924 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754422AbbFWQMz (ORCPT ); Tue, 23 Jun 2015 12:12:55 -0400 Date: Tue, 23 Jun 2015 18:12:47 +0200 From: Jan Kara To: OGAWA Hirofumi Cc: Jan Kara , Daniel Phillips , David Lang , Rik van Riel , tux3@tux3.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org Subject: Re: [FYI] tux3: Core changes Message-ID: <20150623161247.GP2427@quack.suse.cz> References: <5563F5C8.2040806@redhat.com> <67294911-1776-46b8-916d-0e5642a38725@phunq.net> <20150526070910.GA3307@quack.suse.cz> <20150526090058.GA8024@quack.suse.cz> <5564D60E.6000306@phunq.net> <20150527084138.GD2590@quack.suse.cz> <87a8vtdqfz.fsf@mail.parknet.co.jp> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <87a8vtdqfz.fsf@mail.parknet.co.jp> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4474 Lines: 107 On Mon 22-06-15 00:36:00, OGAWA Hirofumi wrote: > Jan Kara writes: > > So there are a few things to have in mind: > > 1) There is nothing like a "writeable" page. Page is always writeable (at > > least on x86 architecture). When a page is mapped into some virtual address > > space (or more of them), this *mapping* can be either writeable or read-only. > > mkwrite changes the mapping from read-only to writeable but kernel / > > hardware is free to write to the page regardless of the mapping. > > > > 2) When kernel / hardware writes to the page, it first modifies the page > > and then marks it dirty. > > > > So what can happen in this scenario is: > > > > 1) You hand kernel a part of a page as a buffer. page_mkwrite() happens, > > page is dirtied, kernel notes a PFN of the page somewhere internally. > > > > 2) Writeback comes and starts writeback for the page. > > > > 3) Kernel ships the PFN to the hardware. > > > > 4) Userspace comes and wants to write to the page (different part than the > > HW is instructed to use). page_mkwrite is called, page is forked. > > Userspace writes to the forked page. > > > > 5) HW stores its data in the original page. > > > > Userspace never sees data from the HW! Data corrupted where without page > > forking everything would work just fine. > > I'm not sure I'm understanding your pseudocode logic correctly though. > This logic doesn't seems to be a page forking specific issue. And > this pseudocode logic seems to be missing the locking and revalidate of > page. > > If you can show more details, it would be helpful to see more, and > discuss the issue of page forking, or we can think about how to handle > the corner cases. > > Well, before that, why need more details? > > For example, replace the page fork at (4) with "truncate", "punch > hole", or "invalidate page". > > Those operations remove the old page from radix tree, so the > userspace's write creates the new page, and HW still refererences the > old page. (I.e. situation should be same with page forking, in my > understand of this pseudocode logic.) Yes, if userspace truncates the file, the situation we end up with is basically the same. However for truncate to happen some malicious process has to come and truncate the file - a failure scenario that is acceptable for most use cases since it doesn't happen unless someone is actively trying to screw you. With page forking it is enough for flusher thread to start writeback for that page to trigger the problem - event that is basically bound to happen without any other userspace application interfering. > IOW, this pseudocode logic seems to be broken without page forking if > no lock and revalidate. Usually, we prevent unpleasant I/O by > lock_page or PG_writeback, and an obsolated page is revalidated under > lock_page. Well, good luck with converting all the get_user_pages() users in kernel to use lock_page() or PG_writeback checks to avoid issues with page forking. I don't think that's really feasible. > For page forking, we may also be able to prevent similar situation by > locking, flags, and revalidate. But those details might be different > with current code, because page states are different. Sorry, I don't understand what do you mean in this paragraph. Can you explain it a bit more? > > Another possible scenario: > > > > 1) Userspace app tells kernel to setup a HW buffer in a page. > > > > 2) Userspace app fills page with data -> page_mkwrite is called, page is > > dirtied. > > > > 3) Userspace app tells kernel to ship buffer to video HW. > > > > 4) Writeback comes and starts writeback for the page > > > > 5) Video HW is done with the page. Userspace app fills new set of data into > > the page -> page_mkwrite is called, page is forked. > > > > 6) Userspace app tells kernel to ship buffer to video HW. But HW gets the > > old data from the original page. > > > > Again a data corruption issue where previously things were working fine. > > This logic seems to be same as above. Replace the page fork at (5). > With no revalidate of page, (6) will use the old page. Yes, the same arguments as above apply... Honza -- Jan Kara SUSE Labs, CR -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/