Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp2325708ybz; Thu, 30 Apr 2020 15:12:15 -0700 (PDT) X-Google-Smtp-Source: APiQypJWESeJ5Jhuosyy6etunfqyrX/63d83c2M+wY7hRPe+kP4b4k4nFsKIQjHAZeE0Qbl/f9ue X-Received: by 2002:aa7:d2cd:: with SMTP id k13mr1129656edr.116.1588284735027; Thu, 30 Apr 2020 15:12:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588284735; cv=none; d=google.com; s=arc-20160816; b=GFLUV1KwuFlLrcGkwLmWYszha9/FjAXkLMY8NHODHqqHBzIVoVJqNI9ZywJ3NUxzzV T09OP3EoPVwe/AjZjBhnW84wHK4iIw/xJRztKWm3DD2Yj3ZJCDilJUS5NVrbJnZIVbL7 vRhuE7PPN4KKSr9H/5HZdFtVSKt9RDHnYPIK0uAuQBCVDNpzbdwIJB4eiwNmI0mLwTCU TVrcizj8+ff50qQ24/upBWzbxxit0/g6QYAmxwq5zgZd6p0EnHI1tvfLgzafBwUR38xx qnpN+J/hhM65kOGyB3Npa/UCy86RnOR7MQ7W8LSyMUBf+R0cwVGliBSvogkmkOXgplgb UA+w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:autocrypt:from:references:cc:to:subject:ironport-sdr :ironport-sdr; bh=akkhfeNVa+ZP/nhzJatlMLMqNTdx9E4ASFp0GyRT/PA=; b=jUQDPuWWA9lgXq2ejHC6ozRRmIijlA28r+kDh4aPtkBpyE0q6SrWZkFC6eOC7M2he3 hU4qd4FZYDLR24j9dqavSryuQdQvpBEdAic0a7/JyBP9l0r0obCAXhZZ0B3mIKRTqAb0 IjqM6FTqxhGLY3+TWLtbx5EFpdmuDXxpqNbZJxzR6QSTgKpuCyzBiqM2GpqX4+xSS2wL QOPt6Z30wGp+jOXzng+Mtax8QR++ufxHX2lOkUcx+1EkZTtXdPPk4bebOdtqjuzUi4J0 2Kj/Qe8hLAN1PR4n4LugVw/vYhL3uD9fKE9+IDt2q/Neo/Ur43sy6ft404tBQ/tIOtwC qnSA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k16si596195ejr.429.2020.04.30.15.11.49; Thu, 30 Apr 2020 15:12:15 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728102AbgD3WHZ (ORCPT + 99 others); Thu, 30 Apr 2020 18:07:25 -0400 Received: from mga11.intel.com ([192.55.52.93]:23209 "EHLO mga11.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727930AbgD3WGt (ORCPT ); Thu, 30 Apr 2020 18:06:49 -0400 IronPort-SDR: wFddU0H/qqyEsIFD2VY5QDn1+BVhIPD0+cLTNf1QHwEklus7DOtWRCJNnHk2Z/3pgAPPxq9Soa ZyiuRkl6DnKA== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga006.jf.intel.com ([10.7.209.51]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 30 Apr 2020 15:06:47 -0700 IronPort-SDR: EKa0MD1KFBL+6pqaxJP2pWCwCBDSir+lBLyLu+xgV2xbsbFCzrH2Wc2b2lTCwSQqAlfvQPv9WU oJNekRcfvZhw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.73,337,1583222400"; d="scan'208";a="261926444" Received: from dnlloyd-mobl.amr.corp.intel.com (HELO [10.255.231.251]) ([10.255.231.251]) by orsmga006.jf.intel.com with ESMTP; 30 Apr 2020 15:06:46 -0700 Subject: Re: [PATCH v2 1/1] fs/splice: add missing callback for inaccessible pages To: Christian Borntraeger , Claudio Imbrenda , viro@zeniv.linux.org.uk Cc: david@redhat.com, akpm@linux-foundation.org, aarcange@redhat.com, linux-mm@kvack.org, frankja@linux.ibm.com, sfr@canb.auug.org.au, jhubbard@nvidia.com, linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org, jack@suse.cz, kirill@shutemov.name, peterz@infradead.org, sean.j.christopherson@intel.com, Ulrich.Weigand@de.ibm.com References: <20200430143825.3534128-1-imbrenda@linux.ibm.com> <1a3f5107-9847-73d4-5059-c6ef9d293551@de.ibm.com> From: Dave Hansen Autocrypt: addr=dave.hansen@intel.com; keydata= xsFNBE6HMP0BEADIMA3XYkQfF3dwHlj58Yjsc4E5y5G67cfbt8dvaUq2fx1lR0K9h1bOI6fC oAiUXvGAOxPDsB/P6UEOISPpLl5IuYsSwAeZGkdQ5g6m1xq7AlDJQZddhr/1DC/nMVa/2BoY 2UnKuZuSBu7lgOE193+7Uks3416N2hTkyKUSNkduyoZ9F5twiBhxPJwPtn/wnch6n5RsoXsb ygOEDxLEsSk/7eyFycjE+btUtAWZtx+HseyaGfqkZK0Z9bT1lsaHecmB203xShwCPT49Blxz VOab8668QpaEOdLGhtvrVYVK7x4skyT3nGWcgDCl5/Vp3TWA4K+IofwvXzX2ON/Mj7aQwf5W iC+3nWC7q0uxKwwsddJ0Nu+dpA/UORQWa1NiAftEoSpk5+nUUi0WE+5DRm0H+TXKBWMGNCFn c6+EKg5zQaa8KqymHcOrSXNPmzJuXvDQ8uj2J8XuzCZfK4uy1+YdIr0yyEMI7mdh4KX50LO1 pmowEqDh7dLShTOif/7UtQYrzYq9cPnjU2ZW4qd5Qz2joSGTG9eCXLz5PRe5SqHxv6ljk8mb ApNuY7bOXO/A7T2j5RwXIlcmssqIjBcxsRRoIbpCwWWGjkYjzYCjgsNFL6rt4OL11OUF37wL QcTl7fbCGv53KfKPdYD5hcbguLKi/aCccJK18ZwNjFhqr4MliQARAQABzShEYXZpZCBDaHJp c3RvcGhlciBIYW5zZW4gPGRhdmVAc3I3MS5uZXQ+wsF7BBMBAgAlAhsDBgsJCAcDAgYVCAIJ CgsEFgIDAQIeAQIXgAUCTo3k0QIZAQAKCRBoNZUwcMmSsMO2D/421Xg8pimb9mPzM5N7khT0 2MCnaGssU1T59YPE25kYdx2HntwdO0JA27Wn9xx5zYijOe6B21ufrvsyv42auCO85+oFJWfE K2R/IpLle09GDx5tcEmMAHX6KSxpHmGuJmUPibHVbfep2aCh9lKaDqQR07gXXWK5/yU1Dx0r VVFRaHTasp9fZ9AmY4K9/BSA3VkQ8v3OrxNty3OdsrmTTzO91YszpdbjjEFZK53zXy6tUD2d e1i0kBBS6NLAAsqEtneplz88T/v7MpLmpY30N9gQU3QyRC50jJ7LU9RazMjUQY1WohVsR56d ORqFxS8ChhyJs7BI34vQusYHDTp6PnZHUppb9WIzjeWlC7Jc8lSBDlEWodmqQQgp5+6AfhTD kDv1a+W5+ncq+Uo63WHRiCPuyt4di4/0zo28RVcjtzlGBZtmz2EIC3vUfmoZbO/Gn6EKbYAn rzz3iU/JWV8DwQ+sZSGu0HmvYMt6t5SmqWQo/hyHtA7uF5Wxtu1lCgolSQw4t49ZuOyOnQi5 f8R3nE7lpVCSF1TT+h8kMvFPv3VG7KunyjHr3sEptYxQs4VRxqeirSuyBv1TyxT+LdTm6j4a mulOWf+YtFRAgIYyyN5YOepDEBv4LUM8Tz98lZiNMlFyRMNrsLV6Pv6SxhrMxbT6TNVS5D+6 UorTLotDZKp5+M7BTQRUY85qARAAsgMW71BIXRgxjYNCYQ3Xs8k3TfAvQRbHccky50h99TUY sqdULbsb3KhmY29raw1bgmyM0a4DGS1YKN7qazCDsdQlxIJp9t2YYdBKXVRzPCCsfWe1dK/q 66UVhRPP8EGZ4CmFYuPTxqGY+dGRInxCeap/xzbKdvmPm01Iw3YFjAE4PQ4hTMr/H76KoDbD cq62U50oKC83ca/PRRh2QqEqACvIH4BR7jueAZSPEDnzwxvVgzyeuhwqHY05QRK/wsKuhq7s UuYtmN92Fasbxbw2tbVLZfoidklikvZAmotg0dwcFTjSRGEg0Gr3p/xBzJWNavFZZ95Rj7Et db0lCt0HDSY5q4GMR+SrFbH+jzUY/ZqfGdZCBqo0cdPPp58krVgtIGR+ja2Mkva6ah94/oQN lnCOw3udS+Eb/aRcM6detZr7XOngvxsWolBrhwTQFT9D2NH6ryAuvKd6yyAFt3/e7r+HHtkU kOy27D7IpjngqP+b4EumELI/NxPgIqT69PQmo9IZaI/oRaKorYnDaZrMXViqDrFdD37XELwQ gmLoSm2VfbOYY7fap/AhPOgOYOSqg3/Nxcapv71yoBzRRxOc4FxmZ65mn+q3rEM27yRztBW9 AnCKIc66T2i92HqXCw6AgoBJRjBkI3QnEkPgohQkZdAb8o9WGVKpfmZKbYBo4pEAEQEAAcLB XwQYAQIACQUCVGPOagIbDAAKCRBoNZUwcMmSsJeCEACCh7P/aaOLKWQxcnw47p4phIVR6pVL e4IEdR7Jf7ZL00s3vKSNT+nRqdl1ugJx9Ymsp8kXKMk9GSfmZpuMQB9c6io1qZc6nW/3TtvK pNGz7KPPtaDzvKA4S5tfrWPnDr7n15AU5vsIZvgMjU42gkbemkjJwP0B1RkifIK60yQqAAlT YZ14P0dIPdIPIlfEPiAWcg5BtLQU4Wg3cNQdpWrCJ1E3m/RIlXy/2Y3YOVVohfSy+4kvvYU3 lXUdPb04UPw4VWwjcVZPg7cgR7Izion61bGHqVqURgSALt2yvHl7cr68NYoFkzbNsGsye9ft M9ozM23JSgMkRylPSXTeh5JIK9pz2+etco3AfLCKtaRVysjvpysukmWMTrx8QnI5Nn5MOlJj 1Ov4/50JY9pXzgIDVSrgy6LYSMc4vKZ3QfCY7ipLRORyalFDF3j5AGCMRENJjHPD6O7bl3Xo 4DzMID+8eucbXxKiNEbs21IqBZbbKdY1GkcEGTE7AnkA3Y6YB7I/j9mQ3hCgm5muJuhM/2Fr OPsw5tV/LmQ5GXH0JQ/TZXWygyRFyyI2FqNTx4WHqUn3yFj8rwTAU1tluRUYyeLy0ayUlKBH ybj0N71vWO936MqP6haFERzuPAIpxj2ezwu0xb1GjTk4ynna6h5GjnKgdfOWoRtoWndMZxbA z5cecg== Message-ID: Date: Thu, 30 Apr 2020 15:06:46 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0 MIME-Version: 1.0 In-Reply-To: <1a3f5107-9847-73d4-5059-c6ef9d293551@de.ibm.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org I was also wondering if Claudio was right about the debug patch having races. I went to go look how the s390 code avoids races when pages go from accessible->inaccessible. Because, if if all of the traps are in place to transform pages from inaccessible->accessible, the code *after* those traps is still vulnerable. What *keeps* pages accessible? The race avoidance is this, basically: down_read(&gmap->mm->mmap_sem); lock_page(page); ptep = get_locked_pte(gmap->mm, uaddr, &ptelock); ... > expected = expected_page_refs(page); > if (!page_ref_freeze(page, expected)) > return -EBUSY; > set_bit(PG_arch_1, &page->flags); > rc = uv_call(0, (u64)uvcb); > page_ref_unfreeze(page, expected); ... up_read(mmap_sem) / unlock_page() / unlock pte I'm assuming that after the uv_call(), the page is inaccessible and I/O devices will go boom if they touch the page. The page_ref_freeze() ensures that references come between the freeze/unfreeze are noticed, but it doesn't actually *stop* new ones for users that hold references already. For the page cache, especially, someone could do: page = find_get_page(); arch_make_page_accessible(); lock_page(); ... make_secure_pte(); unlock_page(); get_page(); // ^ OK because I have a ref // do DMA on inaccessible page Because the make_secure_pte() code isn't looking for a *specific* 'expected' value, it has no way of noticing that the extra ref snuck in there. I _think_ expected actually needs to be checked for having a specific (low) value so that if there's a *possibility* of a reference holder acquiring additional references, the page is known to be off-limits. mm/migrate.c has a few examples of this, but I'm not quite sure how bulletproof they are. Some of it appears to just be optimizations.