Date: Wed, 9 Dec 2020 04:03:12 +0000
From: Matthew Wilcox
To: Ira Weiny
Cc: Dan Williams, "Darrick J. Wong", Thomas Gleixner, Andrew Morton, Dave Hansen, Christoph Hellwig, Al Viro, Eric Biggers, Joonas Lahtinen, Linux Kernel Mailing List, linux-fsdevel
Subject: Re: [PATCH V2 2/2] mm/highmem: Lift memcpy_[to|from]_page to core
Message-ID: <20201209040312.GN7338@casper.infradead.org>
In-Reply-To: <20201209022250.GP1563847@iweiny-DESK2.sc.intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Dec 08, 2020 at 06:22:50PM -0800, Ira Weiny wrote:
> Right now we have a mixed bag.  zero_user() [and its variants, circa 2008]
> does a BUG_ON.[0]  While the other ones do nothing; clear_highpage(),
> clear_user_highpage(), copy_user_highpage(), and copy_highpage().

Erm, those functions operate on the entire PAGE_SIZE.  There's nothing
for them to check.

> While continuing to audit the code I don't see any users who would be violating
> the API with a simple conversion of the code.  The calls which I have worked on
> [which is many at this point] all have checks in place which are well aware of
> page boundaries.

Oh good, then this BUG_ON won't trigger.

> Therefore, I tend to agree with Dan that if anything is to be done it should be
> a WARN_ON() which is only going to throw an error that something has probably
> been wrong all along and should be fixed but continue running as before.

Silent data corruption is for ever.
Are you absolutely sure nobody has done:

	page = alloc_pages(GFP_HIGHUSER_MOVABLE, 3);
	memcpy_to_page(page, PAGE_SIZE * 2, p, PAGE_SIZE * 2);

because that will work fine if the pages come from ZONE_NORMAL and fail
miserably if they came from ZONE_HIGHMEM.

> FWIW I think this is a 'bad BUG_ON' use because we are "checking something that
> we know we might be getting wrong".[1]  And because, "BUG() is only good for
> something that never happens and that we really have no other option for".[2]

BUG() is our only option here.  Both limiting how much we copy and
copying the requested amount result in data corruption or leaking
information to a process that isn't supposed to see it.

What Linus is railing against is the developers who say "Oh, I don't
know what to do here, I'll just BUG()".  That's not the case here.
We've thought about it.  We've discussed it.  There's NO GOOD OPTION.

Unless you want to do the moral equivalent of this:

http://git.infradead.org/users/willy/pagecache.git/commitdiff/d2417516bd8b3dd1db096a9b040b0264d8052339

I think that would look something like this ...

void memcpy_to_page(struct page *page, size_t offset, const char *from, size_t len)
{
	/* Step to the page that contains the starting offset. */
	page += offset / PAGE_SIZE;
	offset %= PAGE_SIZE;

	while (len) {
		char *to = kmap_atomic(page);
		size_t bytes = min(len, PAGE_SIZE - offset);

		/* Copy only what fits in the page that is currently mapped. */
		memcpy(to + offset, from, bytes);
		kunmap_atomic(to);
		from += bytes;
		len -= bytes;
		offset = 0;
		page++;
	}
}

Now 32-bit highmem will do the same thing as 64-bit for my example above,
just more slowly.  Untested, obviously.
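
The two behaviours weighed in this thread, modelled in userspace C as an added example (not code from the message or from the kernel). `sim_page`, `copy_checked`, `copy_spanning` and `run_thread_example` are hypothetical names, and returning -1 stands in for the BUG_ON() under discussion.

```c
/* Userspace model, not kernel code: each sim_page is mapped on its own. */
#include <stddef.h>
#include <string.h>
#define SIM_PAGE_SIZE 4096u
struct sim_page { unsigned char data[SIM_PAGE_SIZE]; };   /* hypothetical */

/* Reject variant: where the thread proposes BUG_ON(), this returns -1. */
int copy_checked(struct sim_page *pg, size_t offset,
                 const unsigned char *from, size_t len)
{
    if (offset > SIM_PAGE_SIZE || len > SIM_PAGE_SIZE - offset)
        return -1;                  /* written so offset + len cannot wrap */
    memcpy(pg->data + offset, from, len);
    return 0;
}

/* Page-walking variant: one page at a time, copying only what fits in it. */
void copy_spanning(struct sim_page *pg, size_t offset,
                   const unsigned char *from, size_t len)
{
    pg += offset / SIM_PAGE_SIZE;
    offset %= SIM_PAGE_SIZE;
    while (len) {
        size_t room = SIM_PAGE_SIZE - offset;
        size_t bytes = len < room ? len : room;
        memcpy(pg->data + offset, from, bytes);
        from += bytes;              /* advance the source as well */
        len -= bytes;
        offset = 0;
        pg++;
    }
}

/* The call from the message on an 8-page (order-3) block; 0 means success. */
int run_thread_example(void)
{
    static struct sim_page pages[8];
    static unsigned char src[2 * SIM_PAGE_SIZE];
    memset(pages, 0, sizeof(pages));
    for (size_t k = 0; k < sizeof(src); k++) src[k] = (unsigned char)(k % 251 + 1);
    if (copy_checked(pages, 2 * SIM_PAGE_SIZE, src, sizeof(src)) != -1)
        return 1;                   /* a cross-page request must be refused */
    copy_spanning(pages, 2 * SIM_PAGE_SIZE, src, sizeof(src));
    if (memcmp(pages[2].data, src, SIM_PAGE_SIZE) ||
        memcmp(pages[3].data, src + SIM_PAGE_SIZE, SIM_PAGE_SIZE))
        return 2;                   /* data must land in pages 2 and 3 */
    return (pages[1].data[SIM_PAGE_SIZE - 1] || pages[4].data[0]) ? 3 : 0;
}

int main(void) { return run_thread_example(); }
```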