Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp4272652pxu; Wed, 9 Dec 2020 12:42:54 -0800 (PST) X-Google-Smtp-Source: ABdhPJzlDIwWt8v0B4jPsAGx6cVPyLYtwxDp3okrKx4EVXCRmhFUewOQz5fI4p8sGLGNyAtvBWOp X-Received: by 2002:a05:6402:31b5:: with SMTP id dj21mr3815699edb.90.1607546574441; Wed, 09 Dec 2020 12:42:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1607546574; cv=none; d=google.com; s=arc-20160816; b=CdJVZa5FW58wrnc/8GMOVOX6RJNqDqdz8h3Jov2wnUuQc6wBGBmhSTcCVAGvBLRQt/ XL5XcLDLvz8kQWvR4vmpy+NbD4Ex3v5CxB3dOooT1G46ZNzNAOTPcapeFLNec14xyVEG Qd9MEXuZLV/p9UM7lWDg/NHHNdIWPb77U0KZocTl8ROIrAI4TnPWNzokQLVd0XsKD3yi c2u+A6JrGKCHOm9XOuyRnqhH0rB7eNZX7o9Ez5ORCEIvn221Ws6VfYjUVQZ7w8mGQJPu E9lUAWgRpG+WNqFlUcd1OQ5720V47XNVSJwYgaHyvff2z30OvOW/UWch4h8ALho03rBR mnIw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=fB1ca+v0LuTk+STIe3QH7NAJWSISf+TmLjGbG0sNRFU=; b=LWjskR841ZJqjwtier/sJg7qdVKZt7zLT4YUl/v2SA+aeqYTZ/7GthV+kYaFN/VWvl 1eBEImy+oOdIUjWKemk0zd4oiehG2dVocSXqNuyXo1wwgRgnEYYTtp8PfakGnLiPEtCh 375ZeupuZxLeycLaEfd/32rfWxdKlkUREam5Mk+eQGqPJGGUlI19+8J3jO51zkXcYAjZ HVIvlqwCJ/g6eJ3s2kINXtd6xGyDXg1/Z/M7BpCka2FwIWOebck7774paXW4MrjmMela LLbnKM6v6bQp6NnyugAmT+TKfNjb1ouLvqp2HbkHLwaxD6MkI3k0dZwXD+LdcpfgyJgQ 9EWw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=QmFRfrUT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h2si1275986ejp.136.2020.12.09.12.42.28; Wed, 09 Dec 2020 12:42:54 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@infradead.org header.s=casper.20170209 header.b=QmFRfrUT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388156AbgLIUPM (ORCPT + 99 others); Wed, 9 Dec 2020 15:15:12 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33444 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730016AbgLIUPL (ORCPT ); Wed, 9 Dec 2020 15:15:11 -0500 Received: from casper.infradead.org (casper.infradead.org [IPv6:2001:8b0:10b:1236::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 72E33C0613CF; Wed, 9 Dec 2020 12:14:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=casper.20170209; h=In-Reply-To:Content-Type:MIME-Version: References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=fB1ca+v0LuTk+STIe3QH7NAJWSISf+TmLjGbG0sNRFU=; b=QmFRfrUTe9D3AFHdF/jnceB22V NaOASlVyoW6ljHtnojtyogE91nwTI+VV02ykZFifhZ+kdsU6U4j7hVlF5yH/dDzeisiKfP2ex8QP4 CWZAK0YwU3NG+aPBhfGhs5XahU6Kyn/0bB79m5UYOeczflCWikURV/oZ2SJ4vGZ57703r5pj0FtlN u9HN+ovwXIBcGNzGkRDuw/GZxCYraLeM1E3f8S25EpLTF39o/yciu4bieRiFLuHm0e1BVyKpo9d+A 7waPlzz8HsHiHX3h8ZlUwOEzhQrHAGn0DJcjntys4HxUGcXdlR8+OWsffvl3tLU+PEyvIZrczaIG3 lQmoTHcw==; Received: from willy by casper.infradead.org with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1kn5qp-0006bu-4g; Wed, 09 Dec 2020 20:14:15 +0000 Date: Wed, 9 Dec 2020 20:14:15 +0000 From: Matthew Wilcox To: Dan Williams Cc: Ira Weiny , "Darrick J. Wong" , Thomas Gleixner , Andrew Morton , Dave Hansen , Christoph Hellwig , Al Viro , Eric Biggers , Joonas Lahtinen , Linux Kernel Mailing List , linux-fsdevel Subject: Re: [PATCH V2 2/2] mm/highmem: Lift memcpy_[to|from]_page to core Message-ID: <20201209201415.GT7338@casper.infradead.org> References: <20201208213255.GO1563847@iweiny-DESK2.sc.intel.com> <20201208215028.GK7338@casper.infradead.org> <20201208223234.GL7338@casper.infradead.org> <20201208224555.GA605321@magnolia> <20201209022250.GP1563847@iweiny-DESK2.sc.intel.com> <20201209040312.GN7338@casper.infradead.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Dec 09, 2020 at 11:47:56AM -0800, Dan Williams wrote: > On Tue, Dec 8, 2020 at 8:03 PM Matthew Wilcox wrote: > > On Tue, Dec 08, 2020 at 06:22:50PM -0800, Ira Weiny wrote: > > > Therefore, I tend to agree with Dan that if anything is to be done it should be > > > a WARN_ON() which is only going to throw an error that something has probably > > > been wrong all along and should be fixed but continue running as before. > > > > Silent data corruption is for ever. Are you absolutely sure nobody has > > done: > > > > page = alloc_pages(GFP_HIGHUSER_MOVABLE, 3); > > memcpy_to_page(page, PAGE_SIZE * 2, p, PAGE_SIZE * 2); > > > > because that will work fine if the pages come from ZONE_NORMAL and fail > > miserably if they came from ZONE_HIGHMEM. > > ...and violently regress with the BUG_ON. ... which is what we want, no? > The question to me is: which is more likely that any bad usages have > been covered up by being limited to ZONE_NORMAL / 64-bit only, or that > silent data corruption has been occurring with no ill effects? I wouldn't be at all surprised to learn that there is silent data corruption on 32-bit systems with HIGHMEM. Would you? How much testing do you do on 32-bit HIGHMEM systems? Actually, I wouldn't be at all surprised if we can hit this problem today. Look at this: size_t _copy_from_iter(void *addr, size_t bytes, struct iov_iter *i) { char *to = addr; if (unlikely(iov_iter_is_pipe(i))) { WARN_ON(1); return 0; } if (iter_is_iovec(i)) might_fault(); iterate_and_advance(i, bytes, v, copyin((to += v.iov_len) - v.iov_len, v.iov_base, v.iov_len), memcpy_from_page((to += v.bv_len) - v.bv_len, v.bv_page, v.bv_offset, v.bv_len), memcpy((to += v.iov_len) - v.iov_len, v.iov_base, v.iov_len) ) return bytes; } EXPORT_SYMBOL(_copy_from_iter); There's a lot of macrology in there, so for those following along who aren't familiar with the iov_iter code, if the iter is operating on a bvec, then iterate_and_advance() will call memcpy_from_page(), passing it the bv_page, bv_offset and bv_len stored in the bvec. Since 2019, Linux has supported multipage bvecs (commit 07173c3ec276). So bv_len absolutely *can* be > PAGE_SIZE. Does this ever happen in practice? I have no idea; I don't know whether any multipage BIOs are currently handed to copy_from_iter(). But I have no confidence in your audit if you didn't catch this one. > > > FWIW I think this is a 'bad BUG_ON' use because we are "checking something that > > > we know we might be getting wrong".[1] And because, "BUG() is only good for > > > something that never happens and that we really have no other option for".[2] > > > > BUG() is our only option here. Both limiting how much we copy or > > copying the requested amount result in data corruption or leaking > > information to a process that isn't supposed to see it. > > At a minimum I think this should be debated in a follow on patch to > add assertion checking where there was none before. There is no > evidence of a page being overrun in the audit Ira performed. If we put in into a separate patch, someone will suggest backing out the patch which tells us that there's a problem. You know, like this guy ... https://lore.kernel.org/linux-mm/CAPcyv4jNVroYmirzKw_=CsEixOEACdL3M1Wc4xjd_TFv3h+o8Q@mail.gmail.com/