Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp1194530ybz; Wed, 29 Apr 2020 16:56:34 -0700 (PDT) X-Google-Smtp-Source: APiQypLiAdtW4F4vbm7MNYwzX1FdpcvW09RKBNV0O+ykUR2zRUOHOv1V2j7JO/+TWns9r9Gp84Lc X-Received: by 2002:a17:907:4033:: with SMTP id nk3mr240965ejb.273.1588204594289; Wed, 29 Apr 2020 16:56:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588204594; cv=none; d=google.com; s=arc-20160816; b=zn167UJzWeQ7CJObQtf5BLfE5rW15ciIIGNQssj2Dp1ko429aM68RH4JeNO30o+P9M yDiLklMk+CaWQq4Rk+rMS3xN0nvEVfUtzbappavXjMgSbkcEr5zTnPf4Vu60M8XtpgPl CbY2BIoC4BWmrnVFYA7VETzCHzcGip/PQnsAdgPfEzbJnAYwqyWOOH7RSDt8ecSEdipd 45t0ef47F32kvJ32W8x2ck793sypYS50IavCz1PLZyijeLCPcl6PLq5dSkIFrP66lxrI 6Y+lqDEMQ+IY8DXiYB/RXssTBrDI5uZZTuiiq/AYoAgajGS2q+IKAY6eETBDHaiHdFPm jMaw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:autocrypt:from:references:cc:to:subject:ironport-sdr :ironport-sdr; bh=kky/p179dWIqP13m1QyEGUzT2z519Zu2wqZ/56z3ygU=; b=f11MupgJKilLypxjIAyYEGghUYJhY9cCn0Bwi3h0hy8x/r+PHXOF/1duhoYZQu19HS CF9JdUCpSYpy4AQePoNrhcWlBxssS69eWc430QzyHYD15P05MbPDeQ1rrOmE6CNpi4A0 22y8ZIhDAQHov2SM/tn94sP+6AfsjXW6t7z+ptesLB35RRBro+EFkzGnaBsYZzXBYS8p fzswmytvuQqfbBbpQu91WWtb94YLQR/MC6b6QUHOKMmQvFuaaYxdcgXvSenWlbbf/O57 JjQUvxu1Doe+RnECfQwBQl8RHFRRXUEqKi/QeUvEbjj06kb/yOKaDUUp6z28VmoAcagj hLgQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c8si4386820edn.192.2020.04.29.16.56.10; Wed, 29 Apr 2020 16:56:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727772AbgD2Xws (ORCPT + 99 others); Wed, 29 Apr 2020 19:52:48 -0400 Received: from mga05.intel.com ([192.55.52.43]:24649 "EHLO mga05.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726775AbgD2Xws (ORCPT ); Wed, 29 Apr 2020 19:52:48 -0400 IronPort-SDR: 4wDAuRXY2rW0ENMW0ScAusgnmnY5AgXawBK+KXrmZ3culFHq9RnueDoUFQRq7y50BFDb0bJnxO ML+zAS4mCRsg== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga006.jf.intel.com ([10.7.209.51]) by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 29 Apr 2020 16:52:48 -0700 IronPort-SDR: 5PKddNU5qfNlbLPmLWP+BQ+Nwj2De5T4GlyeO6H6YH7Gv55n2RXNcpXSd0MnUCQfOzB0T3MyBJ 4F7wea+TFveg== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.73,333,1583222400"; d="scan'208";a="261591798" Received: from isdasana-mobl1.amr.corp.intel.com (HELO [10.254.74.214]) ([10.254.74.214]) by orsmga006.jf.intel.com with ESMTP; 29 Apr 2020 16:52:46 -0700 Subject: Re: [PATCH v1 1/1] fs/splice: add missing callback for inaccessible pages To: Claudio Imbrenda Cc: Christian Borntraeger , akpm@linux-foundation.org, jack@suse.cz, kirill@shutemov.name, david@redhat.com, aarcange@redhat.com, linux-mm@kvack.org, frankja@linux.ibm.com, sfr@canb.auug.org.au, jhubbard@nvidia.com, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org, peterz@infradead.org, sean.j.christopherson@intel.com, Ulrich.Weigand@de.ibm.com References: <20200428225043.3091359-1-imbrenda@linux.ibm.com> <2a1abf38-d321-e3c7-c3b1-53b6db6da310@intel.com> <609afef2-43c2-d048-1c01-448a53a54d4e@intel.com> <20200430005310.7b25efab@p-imbrenda> From: Dave Hansen Autocrypt: addr=dave.hansen@intel.com; keydata= xsFNBE6HMP0BEADIMA3XYkQfF3dwHlj58Yjsc4E5y5G67cfbt8dvaUq2fx1lR0K9h1bOI6fC oAiUXvGAOxPDsB/P6UEOISPpLl5IuYsSwAeZGkdQ5g6m1xq7AlDJQZddhr/1DC/nMVa/2BoY 2UnKuZuSBu7lgOE193+7Uks3416N2hTkyKUSNkduyoZ9F5twiBhxPJwPtn/wnch6n5RsoXsb ygOEDxLEsSk/7eyFycjE+btUtAWZtx+HseyaGfqkZK0Z9bT1lsaHecmB203xShwCPT49Blxz VOab8668QpaEOdLGhtvrVYVK7x4skyT3nGWcgDCl5/Vp3TWA4K+IofwvXzX2ON/Mj7aQwf5W iC+3nWC7q0uxKwwsddJ0Nu+dpA/UORQWa1NiAftEoSpk5+nUUi0WE+5DRm0H+TXKBWMGNCFn c6+EKg5zQaa8KqymHcOrSXNPmzJuXvDQ8uj2J8XuzCZfK4uy1+YdIr0yyEMI7mdh4KX50LO1 pmowEqDh7dLShTOif/7UtQYrzYq9cPnjU2ZW4qd5Qz2joSGTG9eCXLz5PRe5SqHxv6ljk8mb ApNuY7bOXO/A7T2j5RwXIlcmssqIjBcxsRRoIbpCwWWGjkYjzYCjgsNFL6rt4OL11OUF37wL QcTl7fbCGv53KfKPdYD5hcbguLKi/aCccJK18ZwNjFhqr4MliQARAQABzShEYXZpZCBDaHJp c3RvcGhlciBIYW5zZW4gPGRhdmVAc3I3MS5uZXQ+wsF7BBMBAgAlAhsDBgsJCAcDAgYVCAIJ CgsEFgIDAQIeAQIXgAUCTo3k0QIZAQAKCRBoNZUwcMmSsMO2D/421Xg8pimb9mPzM5N7khT0 2MCnaGssU1T59YPE25kYdx2HntwdO0JA27Wn9xx5zYijOe6B21ufrvsyv42auCO85+oFJWfE K2R/IpLle09GDx5tcEmMAHX6KSxpHmGuJmUPibHVbfep2aCh9lKaDqQR07gXXWK5/yU1Dx0r VVFRaHTasp9fZ9AmY4K9/BSA3VkQ8v3OrxNty3OdsrmTTzO91YszpdbjjEFZK53zXy6tUD2d e1i0kBBS6NLAAsqEtneplz88T/v7MpLmpY30N9gQU3QyRC50jJ7LU9RazMjUQY1WohVsR56d ORqFxS8ChhyJs7BI34vQusYHDTp6PnZHUppb9WIzjeWlC7Jc8lSBDlEWodmqQQgp5+6AfhTD kDv1a+W5+ncq+Uo63WHRiCPuyt4di4/0zo28RVcjtzlGBZtmz2EIC3vUfmoZbO/Gn6EKbYAn rzz3iU/JWV8DwQ+sZSGu0HmvYMt6t5SmqWQo/hyHtA7uF5Wxtu1lCgolSQw4t49ZuOyOnQi5 f8R3nE7lpVCSF1TT+h8kMvFPv3VG7KunyjHr3sEptYxQs4VRxqeirSuyBv1TyxT+LdTm6j4a mulOWf+YtFRAgIYyyN5YOepDEBv4LUM8Tz98lZiNMlFyRMNrsLV6Pv6SxhrMxbT6TNVS5D+6 UorTLotDZKp5+M7BTQRUY85qARAAsgMW71BIXRgxjYNCYQ3Xs8k3TfAvQRbHccky50h99TUY sqdULbsb3KhmY29raw1bgmyM0a4DGS1YKN7qazCDsdQlxIJp9t2YYdBKXVRzPCCsfWe1dK/q 66UVhRPP8EGZ4CmFYuPTxqGY+dGRInxCeap/xzbKdvmPm01Iw3YFjAE4PQ4hTMr/H76KoDbD cq62U50oKC83ca/PRRh2QqEqACvIH4BR7jueAZSPEDnzwxvVgzyeuhwqHY05QRK/wsKuhq7s UuYtmN92Fasbxbw2tbVLZfoidklikvZAmotg0dwcFTjSRGEg0Gr3p/xBzJWNavFZZ95Rj7Et db0lCt0HDSY5q4GMR+SrFbH+jzUY/ZqfGdZCBqo0cdPPp58krVgtIGR+ja2Mkva6ah94/oQN lnCOw3udS+Eb/aRcM6detZr7XOngvxsWolBrhwTQFT9D2NH6ryAuvKd6yyAFt3/e7r+HHtkU kOy27D7IpjngqP+b4EumELI/NxPgIqT69PQmo9IZaI/oRaKorYnDaZrMXViqDrFdD37XELwQ gmLoSm2VfbOYY7fap/AhPOgOYOSqg3/Nxcapv71yoBzRRxOc4FxmZ65mn+q3rEM27yRztBW9 AnCKIc66T2i92HqXCw6AgoBJRjBkI3QnEkPgohQkZdAb8o9WGVKpfmZKbYBo4pEAEQEAAcLB XwQYAQIACQUCVGPOagIbDAAKCRBoNZUwcMmSsJeCEACCh7P/aaOLKWQxcnw47p4phIVR6pVL e4IEdR7Jf7ZL00s3vKSNT+nRqdl1ugJx9Ymsp8kXKMk9GSfmZpuMQB9c6io1qZc6nW/3TtvK pNGz7KPPtaDzvKA4S5tfrWPnDr7n15AU5vsIZvgMjU42gkbemkjJwP0B1RkifIK60yQqAAlT YZ14P0dIPdIPIlfEPiAWcg5BtLQU4Wg3cNQdpWrCJ1E3m/RIlXy/2Y3YOVVohfSy+4kvvYU3 lXUdPb04UPw4VWwjcVZPg7cgR7Izion61bGHqVqURgSALt2yvHl7cr68NYoFkzbNsGsye9ft M9ozM23JSgMkRylPSXTeh5JIK9pz2+etco3AfLCKtaRVysjvpysukmWMTrx8QnI5Nn5MOlJj 1Ov4/50JY9pXzgIDVSrgy6LYSMc4vKZ3QfCY7ipLRORyalFDF3j5AGCMRENJjHPD6O7bl3Xo 4DzMID+8eucbXxKiNEbs21IqBZbbKdY1GkcEGTE7AnkA3Y6YB7I/j9mQ3hCgm5muJuhM/2Fr OPsw5tV/LmQ5GXH0JQ/TZXWygyRFyyI2FqNTx4WHqUn3yFj8rwTAU1tluRUYyeLy0ayUlKBH ybj0N71vWO936MqP6haFERzuPAIpxj2ezwu0xb1GjTk4ynna6h5GjnKgdfOWoRtoWndMZxbA z5cecg== Message-ID: <172c51f7-7dd6-7dd0-153f-aedd4b10a9f3@intel.com> Date: Wed, 29 Apr 2020 16:52:46 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0 MIME-Version: 1.0 In-Reply-To: <20200430005310.7b25efab@p-imbrenda> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 4/29/20 3:53 PM, Claudio Imbrenda wrote: >> Actually, that's the problem. You've gone through all these careful >> checks and made the page inaccessible. *After* that process, how do >> you keep the page from being hit by an I/O device before it's made >> accessible again? My patch just assumes that *all* pages have gone >> through that process and passed those checks. > I don't understand what you are saying here. > > we start with all pages accessible, we mark pages as inaccessible when > they are imported in the secure guest (we use the PG_arch_1 bit in > struct page). we then try to catch all I/O on inaccessible pages and > make them accessible so that I/O devices are happy. The catching mechanism is incomplete, that's all I'm saying. Without looking too hard, and not even having the hardware, I've found two paths where the "catching" was incomplete: 1. sendfile(), which you've patched 2. sendto(), which you haven't patched > either your quick and dirty patch was too dirty (e.g. not accounting > for possible races between make_accessible/make_inaccessible), or some > of the functions in the trace you provided should do pin_user_page > instead of get_user_page (or both) I looked in the traces for any races. For sendto(), at least, the make_accessible() never happened before the process exited. That's entirely consistent with the theory that it entirely missed being caught. I can't find any evidence that there were races. Go ahead and try it. You have the patch! I mean, I found a bug in about 10 minutes in one tiny little VM. And, yes, you need to get rid of the FOLL_PIN check unless you want to go change a big swath of the remaining get_user_pages*() sites.