Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp69057pxk; Wed, 30 Sep 2020 18:11:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzcmsWCNKOqN9ed3ZiJaHZQV4dZnDapczLkV1R8aErAEQ35I87TyA93zmUK41n0mu73jm/v X-Received: by 2002:a17:906:b756:: with SMTP id fx22mr5436810ejb.245.1601514676581; Wed, 30 Sep 2020 18:11:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1601514676; cv=none; d=google.com; s=arc-20160816; b=YU9lExf3dKWo722SytdmV5TO9iv6AQ93nmiSPfZPpLsyk2nHSQHQNXl7ja8prI8Bux 8ntOQN+nb0Y83W4xCGXweFmJ9OhgccvIolnTaonY8X3HhSce0cHdyE0TehrYdBsEfso3 5VC/CbMTdBGRISdxjiIhc+j19DX8v+gtTdl5KCJ9Joyecn1xxovuhtHfvPzyWsvVQhYN JkqigfWfxvRbKjSBNEy/TIFFZInLpyWua3Mdd6h955qXEewLB8GHgASJqyGm+F2iSENZ xnuSRmS60rZPSN1Zi+08lesYjgrzAEdzncuZTCcR8PNquK2vQhjLEUJOjTF4+aQgJyKm aegQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=MY9a7xp4hw7GjU0Q4T5BNjAGiuJEGP50wyCFWUgZk1k=; b=p53tyo1DOHBx/vSkDYeR+oaZP0GNZyzd81zQYHa51lvfNy3KSgQipSwh/5PoFew9/n I3fkQIoBPSfSSac927XaIB7pYEFiiQyYBZO1FPrqnpwNCjWKWEKkXw9FfRU5os7ed7YK nOqwtwKSpEMtu81LmlQfCLYdGd9wOMt4nqlHoBu3xjOl9vnMs8MusjsZ7z5BpZIlUl3w YroNn44ZY1uxt0vLlEe+mrNP7sf55zpTBpAE8wVauvkBE1Ln4jvKRtUjFH3WPMOHIpt5 30c2Kl8fuLDbBt56MRP0b4ZSz7nCCzsTKyJHIFAtKrEcxzXNHU+5k5+/u7r4P1LgUKMj bMfA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=AELe5H3n; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id qn11si2387925ejb.303.2020.09.30.18.10.31; Wed, 30 Sep 2020 18:11:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=AELe5H3n; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730424AbgI3XwC (ORCPT + 99 others); Wed, 30 Sep 2020 19:52:02 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35656 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725372AbgI3XwB (ORCPT ); Wed, 30 Sep 2020 19:52:01 -0400 Received: from mail-ej1-x643.google.com (mail-ej1-x643.google.com [IPv6:2a00:1450:4864:20::643]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 41FAEC061755 for ; Wed, 30 Sep 2020 16:52:01 -0700 (PDT) Received: by mail-ej1-x643.google.com with SMTP id j11so5413383ejk.0 for ; Wed, 30 Sep 2020 16:52:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=MY9a7xp4hw7GjU0Q4T5BNjAGiuJEGP50wyCFWUgZk1k=; b=AELe5H3n4BIlWjHXZ8r0jnQ4ThIPG3VpSN0Dy8jgcOZhwowpmOkqepQ+PBeMU8jyIc VlwXwFPyC4nbDVO4YfZgsLK3gKvQzJ3SSb1X/Hx5t/0UcMhkLahc8Uft9DAEusFGCap+ CX2HC8TiovDz5sO/UufY0huVNWGDL5aAuyeBZwYfpHmL1DJTgPuz0hy6etNKObn7Fhfz a0Xu9WDxHFrMgnqOiyX0tbmvXGLB3ilFCon8VJ1WxNWS4M9erfImNmmkWzNutY9TU5iT rDm5YKC0eJr5qK2Oz5W5YhRzq0Bt9JAVYa0sZYI5dpw14H6udz3ch80exedbQtaF1rzp ipKg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=MY9a7xp4hw7GjU0Q4T5BNjAGiuJEGP50wyCFWUgZk1k=; b=StmORjtm9WLqWJ1V9cSph1Z+zklja2HFj0qN2I+sRmAJ/gRxes2A4m4lji6o6Bpj8r XCZlDcyWbl4zE53Xon7RDamvd8ciPTBY+++DbfwWHPcBDn5iWJD0tRAJrZhxsAdRal7r nKgxuRI6dVTtPbekq6y5D+wKhzsD+X5/jUR3zTNDegZI6vjs75IGmG1iSkHaY2EqyaXF lip8pBaD2ohioqwZS0LQ0ZPMNsY1fPOD7ucvUvMOxprP+hxIVxcKZ6d1Opk4Kd0Ky2U/ Iwhn9JW15JbAMwXQEQ5wL6d1uMkJ7xQgH1mVkP7wkebvvYEysKVYG0KETQ2Qgk0ZVXqg Ri6g== X-Gm-Message-State: AOAM531LeNJrPF4LPp2ot0zsOXRdXlFvmWEb5gVSSGBS9hn1VdPA8oBh jtgLBDK9JwkaSDC6ZbT04orXeOBnb8RVqlrt6X6Tog== X-Received: by 2002:a17:906:394:: with SMTP id b20mr4134151eja.513.1601509919666; Wed, 30 Sep 2020 16:51:59 -0700 (PDT) MIME-Version: 1.0 References: <20200930011944.19869-1-jannh@google.com> <20200930123000.GC9916@ziepe.ca> <20200930232655.GE9916@ziepe.ca> In-Reply-To: <20200930232655.GE9916@ziepe.ca> From: Jann Horn Date: Thu, 1 Oct 2020 01:51:33 +0200 Message-ID: Subject: Re: [PATCH 3/4] mmap locking API: Don't check locking if the mm isn't live yet To: Jason Gunthorpe , Michel Lespinasse Cc: Andrew Morton , Linux-MM , kernel list , "Eric W . Biederman" , Mauro Carvalho Chehab , Sakari Ailus Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Oct 1, 2020 at 1:26 AM Jason Gunthorpe wrote: > On Wed, Sep 30, 2020 at 10:14:57PM +0200, Jann Horn wrote: > > On Wed, Sep 30, 2020 at 2:50 PM Jann Horn wrote: > > > On Wed, Sep 30, 2020 at 2:30 PM Jason Gunthorpe wrote: > > > > On Tue, Sep 29, 2020 at 06:20:00PM -0700, Jann Horn wrote: > > > > > In preparation for adding a mmap_assert_locked() check in > > > > > __get_user_pages(), teach the mmap_assert_*locked() helpers that it's fine > > > > > to operate on an mm without locking in the middle of execve() as long as > > > > > it hasn't been installed on a process yet. > > > > > > > > I'm happy to see lockdep being added here, but can you elaborate on > > > > why add this mmap_locked_required instead of obtaining the lock in the > > > > execv path? > > > > > > My thinking was: At that point, we're logically still in the > > > single-owner initialization phase of the mm_struct. Almost any object > > > has initialization and teardown steps that occur in a context where > > > the object only has a single owner, and therefore no locking is > > > required. It seems to me that adding locking in places like > > > get_arg_page() would be confusing because it would suggest the > > > existence of concurrency where there is no actual concurrency, and it > > > might be annoying in terms of lockdep if someone tries to use > > > something like get_arg_page() while holding the mmap_sem of the > > > calling process. It would also mean that we'd be doing extra locking > > > in normal kernel builds that isn't actually logically required. > > > > > > Hmm, on the other hand, dup_mmap() already locks the child mm (with > > > mmap_write_lock_nested()), so I guess it wouldn't be too bad to also > > > do it in get_arg_page() and tomoyo_dump_page(), with comments that > > > note that we're doing this for lockdep consistency... I guess I can go > > > change this in v2. > > > > Actually, I'm taking that back. There's an extra problem: > > get_arg_page() accesses bprm->vma, which is set all the way back in > > __bprm_mm_init(). We really shouldn't be pretending that we're > > properly taking the mmap_sem when actually, we keep reusing a > > vm_area_struct pointer. > > Any chance the mmap lock can just be held from mm_struct allocation > till exec inserts it into the process? Hm... it should work if we define a lockdep subclass for this so that lockdep is happy when we call get_user() on the old mm_struct while holding that mmap lock. > > Does that sound reasonable? > > My only concern is how weird it is to do this with a variable, I've > never seen something like this before It seems clearer to me this way than taking locks when there is no concurrency that we actually need to guard against. But since both you and Michel seem to hate it, I'll go and code up the version with a lockdep subclass. Under protest. :P