Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp3502882pxu; Tue, 8 Dec 2020 13:55:44 -0800 (PST) X-Google-Smtp-Source: ABdhPJzP6ORsoybuS+UetK8PAqWb6rgWAalKmris11j1JOdmad8E6j2zCBH6p5a8bkzzCMp/9FC1 X-Received: by 2002:a05:6402:1c96:: with SMTP id cy22mr4821edb.339.1607464544524; Tue, 08 Dec 2020 13:55:44 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607464544; cv=none; d=google.com; s=arc-20160816; b=mUYqql7KenjdBe2g+u0zV2ucHGVgc7ZTJsCD0lZwPVv2s7o/BmbExfjLg89aMSE4Dg rtann4bSSCeug8UqFZKwAdVqI0xCa25/5V4DawGUhVTJJ8dTI47B3W+k4VYKAzFdEeal VNWhpkUvCsAzDu2DamHRNaNMPdyKxh0kKAj90xmBJaN1BHKmawyXhjnouTD7HQCUO4rc 7tJt3ZPt+0MVNVjaYMDLYNsWCYguGsi8KMDLgN+pGd5QhiVcGPXrzgk+JuTPhAYwpQPA QtHtSFg9/ejg3Cru2HaJKBpvtcxd5KV5ILjUdqpfSIGY46V8rQvhlNgFJzfioSn8RoZX +kdQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=DYsse9W76whGjoHmMZxw0YkyPt6KIsCHj+NH/lrBlYk=; b=v8faEPYEdauj7xahuFJ+pP+1Km7I2HVnDK003HzL1I1eLsc4LZBoLyGiH582N2Logg KyVF7CkaRcaUgxIOunApfqoyJFwC9NExSJ1gynScTRYvsZ0RAOc/nBk43DhLxp0MGypV cb5I0o5473IXrSjnpnP40A+HEiFQJtXv4XTbqB/domV/Et5nmlxpkRCVaaCOsmAvXpAO JFlPKUObO3latBCqxgGew2mYfSpxbt5fRuediYQClHbURHPlcqj8AOexCQBfmEKxA3dB 715IDMWQwpYivD51q2LHcV8SWLe+tWg36KVKvqRuC9AJ47xIi1qvkcRS9zS4jgUT2vyK 7RuQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=mOQ48H7n; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bd14si10871549edb.478.2020.12.08.13.55.18; Tue, 08 Dec 2020 13:55:44 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=mOQ48H7n; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730302AbgLHVvS (ORCPT + 99 others); Tue, 8 Dec 2020 16:51:18 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51958 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729323AbgLHVvR (ORCPT ); Tue, 8 Dec 2020 16:51:17 -0500 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AF981C0613D6; Tue, 8 Dec 2020 13:50:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=DYsse9W76whGjoHmMZxw0YkyPt6KIsCHj+NH/lrBlYk=; b=mOQ48H7nc0k+2I7h+BwMy31BfF iLgV3xXOj/eZBIhCmO04pdfv9GvFWSMrX2qxQshjy8AUM3ReRrPoG6rV1EHk0QjpD7LKkLC2EGjjJ Gp6da0OP6jYAn/Km9/LJIOcON3sVxc/nZdvk48uPMOm1B4FW8kj8aa66nn++vFIrgu8Y1DK/c16/3 cIY4zZ7ROUZ2Fanqmyxf7pdiV571/TZjFwi1KUtWqzyDntnAXYqYQC5IgEmRsSA4hCeMYiNC5KVX5 AkiUm1dJ/RUn5iku+DFhv4MmhJsVoArAtqjpfSEnUo36nTPHuarpty/BXFrSVwminLTxCGQKElOmO 89Mu033Q==; Received: from willy by casper.infradead.org with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1kmksO-0004D6-F3; Tue, 08 Dec 2020 21:50:28 +0000 Date: Tue, 8 Dec 2020 21:50:28 +0000 From: Matthew Wilcox To: Ira Weiny Cc: Dan Williams , Thomas Gleixner , Andrew Morton , Dave Hansen , Christoph Hellwig , Al Viro , Eric Biggers , Joonas Lahtinen , Linux Kernel Mailing List , linux-fsdevel Subject: Re: [PATCH V2 2/2] mm/highmem: Lift memcpy_[to|from]_page to core Message-ID: <20201208215028.GK7338@casper.infradead.org> References: <20201207225703.2033611-1-ira.weiny@intel.com> <20201207225703.2033611-3-ira.weiny@intel.com> <20201207232649.GD7338@casper.infradead.org> <20201207234008.GE7338@casper.infradead.org> <20201208213255.GO1563847@iweiny-DESK2.sc.intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20201208213255.GO1563847@iweiny-DESK2.sc.intel.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Dec 08, 2020 at 01:32:55PM -0800, Ira Weiny wrote: > On Mon, Dec 07, 2020 at 03:49:55PM -0800, Dan Williams wrote: > > On Mon, Dec 7, 2020 at 3:40 PM Matthew Wilcox wrote: > > > > > > On Mon, Dec 07, 2020 at 03:34:44PM -0800, Dan Williams wrote: > > > > On Mon, Dec 7, 2020 at 3:27 PM Matthew Wilcox wrote: > > > > > > > > > > On Mon, Dec 07, 2020 at 02:57:03PM -0800, ira.weiny@intel.com wrote: > > > > > > +static inline void memcpy_page(struct page *dst_page, size_t dst_off, > > > > > > + struct page *src_page, size_t src_off, > > > > > > + size_t len) > > > > > > +{ > > > > > > + char *dst = kmap_local_page(dst_page); > > > > > > + char *src = kmap_local_page(src_page); > > > > > > > > > > I appreciate you've only moved these, but please add: > > > > > > > > > > BUG_ON(dst_off + len > PAGE_SIZE || src_off + len > PAGE_SIZE); > > > > > > > > I imagine it's not outside the realm of possibility that some driver > > > > on CONFIG_HIGHMEM=n is violating this assumption and getting away with > > > > it because kmap_atomic() of contiguous pages "just works (TM)". > > > > Shouldn't this WARN rather than BUG so that the user can report the > > > > buggy driver and not have a dead system? > > > > > > As opposed to (on a HIGHMEM=y system) silently corrupting data that > > > is on the next page of memory? > > > > Wouldn't it fault in HIGHMEM=y case? I guess not necessarily... > > > > > I suppose ideally ... > > > > > > if (WARN_ON(dst_off + len > PAGE_SIZE)) > > > len = PAGE_SIZE - dst_off; > > > if (WARN_ON(src_off + len > PAGE_SIZE)) > > > len = PAGE_SIZE - src_off; > > > > > > and then we just truncate the data of the offending caller instead of > > > corrupting innocent data that happens to be adjacent. Although that's > > > not ideal either ... I dunno, what's the least bad poison to drink here? > > > > Right, if the driver was relying on "corruption" for correct operation. > > > > If corruption actual were happening in practice wouldn't there have > > been screams by now? Again, not necessarily... > > > > At least with just plain WARN the kernel will start screaming on the > > user's behalf, and if it worked before it will keep working. > > So I decided to just sleep on this because I was recently told to not introduce > new WARN_ON's[1] > > I don't think that truncating len is worth the effort. The conversions being > done should all 'work' At least corrupting users data in the same way as it > used to... ;-) I'm ok with adding the WARN_ON's and I have modified the patch > to do so while I work through the 0-day issues. (not sure what is going on > there.) > > However, are we ok with adding the WARN_ON's given what Greg KH told me? This > is a bit more critical than the PKS API in that it could result in corrupt > data. zero_user_segments contains: BUG_ON(end1 > page_size(page) || end2 > page_size(page)); These should be consistent. I think we've demonstrated that there is no good option here.