Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp767848pxk; Thu, 1 Oct 2020 13:21:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyZV1slRtCwHyH6jGLen5tKa0LXDODamjGt5sdHNEhr3lpe03hi918h+03r0C2IvJeZ4/+2 X-Received: by 2002:a50:ee10:: with SMTP id g16mr10630496eds.258.1601583687971; Thu, 01 Oct 2020 13:21:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1601583687; cv=none; d=google.com; s=arc-20160816; b=CDM2mCOh7RJM0CaBpsYymsPB/b6xG8d2HIIOiokgLHJ6l7LXLu5OsO1fFA8NLh3SFA LhDm2XRajSJg89lxNN6xmfktPwpOZQXapvcPfpP6BRpRnU9I+pyczPegTzc2RiTMn5ls Lppxc26zfqPH8kBSgPI3QAiM0fx4dB7besy2jMHmipDuO/GqCdjkjvAn0ggkGihQf5ju FSbjumYn/ezJyOdxBxKp3k5OE/Ik6rVGY4YRUgAiZ4can2mb0+swxWhLIBEzirfwUciU vNDAWD8Aw1K+iwoq4HQo/DQsKvcSccLaV7Sxki4Vi3pqr9CRegYsa5CfKKhpCfFujz45 5yvg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=KoOUahrMeyAsDE3oQQyqv2s9yY8l3xOTS/NeUkZg2MI=; b=EnuLtxhUGXT3UT0CD3KxyihZq45BJsxK+nQ7NdD+07QCaF9whsko6KciRgydTidVYY zUYLXUzGuqF6rydIFLa191/DqzTdvkZPqT+pf9vpIVTyulD3+3lLzo5iNQIvSOZi4Ece sCuyL5LflbU9iwb9LHqm2Jtx7LsgEJTwiKBaxQF/ajxcMnpuj+76tU6W5YbIvOF5ycTH xJNsh06O/xTG5CXyjriBy6G4WmouiyNQuVRAuB4h2V8vxxXn0topWKQ4lXplM+SFE8sX QA4njIC7W7KEEvjQ0RJgCwK3HVGZ0xH7sTIcSwfY8sJjkI3ABZ/YKacjU2FxA8QNdgWL kpmg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=cs9lvKVs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h15si2166085ejx.276.2020.10.01.13.21.05; Thu, 01 Oct 2020 13:21:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=cs9lvKVs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732967AbgJAUSB (ORCPT + 99 others); Thu, 1 Oct 2020 16:18:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55274 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726671AbgJAUSB (ORCPT ); Thu, 1 Oct 2020 16:18:01 -0400 Received: from mail-ej1-x642.google.com (mail-ej1-x642.google.com [IPv6:2a00:1450:4864:20::642]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E6F39C0613E4 for ; Thu, 1 Oct 2020 13:17:03 -0700 (PDT) Received: by mail-ej1-x642.google.com with SMTP id qp15so9035100ejb.3 for ; Thu, 01 Oct 2020 13:17:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KoOUahrMeyAsDE3oQQyqv2s9yY8l3xOTS/NeUkZg2MI=; b=cs9lvKVsNx/11Qr3REjeolUBHOiaVpoLUXk6f1C2zVadx1U7tV6p0ycccRnj0KUavS Y9TzZ4I3c726eRkbW2TGrgqYswDo6SfIP+38ukO+trgWznYHvEi3MvUiceLmBvibes8i ZtYTFjpMBsCyJjKB796uYMKj5L3uzo4LLgvjHtWcBeo1Tk4Yx+LFc+PqFfAKiE+o+2AS fora95yyPF8K5ifGMtGSbZ+C7u8C0sOCaimllNZzE61LAfI2/IQIVe0I2dxrhhiG5luz Q78dy/6lXP2MWiYmvHi3CEOkrGfwf7PdK2NUBcb6YJpZwrXx7c+E74tGnE6zBQwEddRG eGIg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KoOUahrMeyAsDE3oQQyqv2s9yY8l3xOTS/NeUkZg2MI=; b=DZVIiTj4jfoOcRW8xBD8RFMHKguv3bWgz4Efy1fdU9pxfCeV4xd+eNLz7jRylgvpE5 /aoG6syCyX/eOyiYUtW+qZ1aTDwYC4zgGNXxs9he2aZiwRjp8dKs7EKeKFNn4tlJI/K3 Wv2fpq3MVIR6ocdrEJTz0t8bZahTM+u4lmk8ta5l1lp2FhQkGkM+clNmxxvTq04LWmnj a8bsSeQQWdWBs6TqQtuhb9AXssAg6miUrfKDkzf4Xk+L1VfyfNpxvRmSyw6Vx04Izwqz +NUr/foyEtg+gz04Ux6Yo7u9E/1hPe3/dsxP4ga1ZKQNFcCoeQEPzkqpjGuPkxYmtkj2 RtdQ== X-Gm-Message-State: AOAM530APdtP/V/SX7xrwroqv1qwFylS5Zrt7AN4YNK9p6jpv0T99d2R 78f2skx+wQsjm4FFqD/MDrEPcXl710Fh5EvdZNBTHw== X-Received: by 2002:a17:907:94cf:: with SMTP id dn15mr10231781ejc.114.1601583422367; Thu, 01 Oct 2020 13:17:02 -0700 (PDT) MIME-Version: 1.0 References: <20200930011944.19869-1-jannh@google.com> <20200930123000.GC9916@ziepe.ca> <20200930232655.GE9916@ziepe.ca> <20201001191512.GF9916@ziepe.ca> In-Reply-To: <20201001191512.GF9916@ziepe.ca> From: Jann Horn Date: Thu, 1 Oct 2020 22:16:35 +0200 Message-ID: Subject: Re: [PATCH 3/4] mmap locking API: Don't check locking if the mm isn't live yet To: Jason Gunthorpe Cc: Michel Lespinasse , Andrew Morton , Linux-MM , kernel list , "Eric W . Biederman" , Mauro Carvalho Chehab , Sakari Ailus Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Oct 1, 2020 at 9:15 PM Jason Gunthorpe wrote: > On Thu, Oct 01, 2020 at 01:51:33AM +0200, Jann Horn wrote: > > On Thu, Oct 1, 2020 at 1:26 AM Jason Gunthorpe wrote: > > > On Wed, Sep 30, 2020 at 10:14:57PM +0200, Jann Horn wrote: > > > > On Wed, Sep 30, 2020 at 2:50 PM Jann Horn wrote: > > > > > On Wed, Sep 30, 2020 at 2:30 PM Jason Gunthorpe wrote: > > > > > > On Tue, Sep 29, 2020 at 06:20:00PM -0700, Jann Horn wrote: > > > > > > > In preparation for adding a mmap_assert_locked() check in > > > > > > > __get_user_pages(), teach the mmap_assert_*locked() helpers that it's fine > > > > > > > to operate on an mm without locking in the middle of execve() as long as > > > > > > > it hasn't been installed on a process yet. > > > > > > > > > > > > I'm happy to see lockdep being added here, but can you elaborate on > > > > > > why add this mmap_locked_required instead of obtaining the lock in the > > > > > > execv path? > > > > > > > > > > My thinking was: At that point, we're logically still in the > > > > > single-owner initialization phase of the mm_struct. Almost any object > > > > > has initialization and teardown steps that occur in a context where > > > > > the object only has a single owner, and therefore no locking is > > > > > required. It seems to me that adding locking in places like > > > > > get_arg_page() would be confusing because it would suggest the > > > > > existence of concurrency where there is no actual concurrency, and it > > > > > might be annoying in terms of lockdep if someone tries to use > > > > > something like get_arg_page() while holding the mmap_sem of the > > > > > calling process. It would also mean that we'd be doing extra locking > > > > > in normal kernel builds that isn't actually logically required. > > > > > > > > > > Hmm, on the other hand, dup_mmap() already locks the child mm (with > > > > > mmap_write_lock_nested()), so I guess it wouldn't be too bad to also > > > > > do it in get_arg_page() and tomoyo_dump_page(), with comments that > > > > > note that we're doing this for lockdep consistency... I guess I can go > > > > > change this in v2. > > > > > > > > Actually, I'm taking that back. There's an extra problem: > > > > get_arg_page() accesses bprm->vma, which is set all the way back in > > > > __bprm_mm_init(). We really shouldn't be pretending that we're > > > > properly taking the mmap_sem when actually, we keep reusing a > > > > vm_area_struct pointer. > > > > > > Any chance the mmap lock can just be held from mm_struct allocation > > > till exec inserts it into the process? > > > > Hm... it should work if we define a lockdep subclass for this so that > > lockdep is happy when we call get_user() on the old mm_struct while > > holding that mmap lock. > > A subclass isn't right, it has to be a _nested annotation. > > nested locking is a pretty good reason to not be able to do this, this > is something lockdep does struggle to model. Did I get the terminology wrong? I thought they were the same. The down_*_nested() APIs take an argument "subclass", with the default subclass for the functions without "_nested" being 0. Anyway, I wrote a patch for this yesterday, I'll send it out later today after testing that it still boots without lockdep warnings. Then you can decide whether you prefer it to the current patch.