Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp1674948pxb; Mon, 11 Oct 2021 10:40:31 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwCWQXshyvdxigZlJdp366H2WrOAvprSv+Uqsghq7fRJIckXFo0BSeTcBl6sb15nW6Vsf2K X-Received: by 2002:a50:d9c9:: with SMTP id x9mr43919100edj.179.1633974030840; Mon, 11 Oct 2021 10:40:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633974030; cv=none; d=google.com; s=arc-20160816; b=KAS5H6Kd/S+L2TkLq342zl3/jvFN5evA8IDbhVZLlyAR1xK1M1uTAUZnNsZGnsWkKl dnJL0A5IR104A3w7VMlOOdYGl9jkppVpc8Dju8Y8faQsBQmN8vpcAO4iUaBZDrOlD6Ba EF1AiaMvZ2CPULfrzqgJgnr+l7/q6PvzEATzmyogQU2E/CwfHLfLA4vStDkJUCC9j9dm xT8gKInNmGf7kRZTPLPP/bkW+mOZFuU5GBR91b+nUCdiFfbz+ePl0TIerDsJFie8JcvC 7zZd/Oove0UEaPZLC9fBw8oDJjY5bOM1/PufxMUqJLYvVpi56JnB7wvLQe5D+k0VL4yT mSXw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=ZZDRPSDrxTEgY1gsIKwvKk/4hK5bztS4LMgPlqPN+Ds=; b=GDTQHP4JHdRAENkgOTcBIrFToM65BxaEXgjwePn/G5DQqr/VKhXtS0GeYJqtwW5Cbn ce2CK2fqjL/ItyLCfNTB0+n2dr88aT24qFTsiVJeb4WXu6c7+5YGAA1/+ZNXpMYqcCET jJasQ73aB/N2ss/DtLqyelJtx4/nCcg4kHq+9P7wmDHsQm/5txqAFTGMV/IhXJ1SJPZV bfvMjFoHIXrKUfHEK8w9cRMaxQ9OvuIsPUYCTZ7dQ1tjNlP3LpMdOjNE0TUJSRWbQZtc 0TaIhlC3AQcLmcShmgIgGTstRWaPiG1Iih1Co5j/pDZ4MZA4iCBzz/NeGtumAMSQBjiX yHBw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bh21si12906733ejb.428.2021.10.11.10.40.05; Mon, 11 Oct 2021 10:40:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230486AbhJKRj7 (ORCPT + 99 others); Mon, 11 Oct 2021 13:39:59 -0400 Received: from mail.kernel.org ([198.145.29.99]:58900 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232708AbhJKRj6 (ORCPT ); Mon, 11 Oct 2021 13:39:58 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 2A26E60560; Mon, 11 Oct 2021 17:37:56 +0000 (UTC) Date: Mon, 11 Oct 2021 18:37:52 +0100 From: Catalin Marinas To: Al Viro Cc: Linus Torvalds , Andreas Gruenbacher , Christoph Hellwig , "Darrick J. Wong" , Jan Kara , Matthew Wilcox , cluster-devel , linux-fsdevel , Linux Kernel Mailing List , "ocfs2-devel@oss.oracle.com" , Josef Bacik , Will Deacon Subject: Re: [RFC][arm64] possible infinite loop in btrfs search_ioctl() Message-ID: References: <20210827164926.1726765-6-agruenba@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Aug 31, 2021 at 03:28:57PM +0000, Al Viro wrote: > On Tue, Aug 31, 2021 at 02:54:50PM +0100, Catalin Marinas wrote: > > An arm64-specific workaround would be for pagefault_disable() to disable > > tag checking. It's a pretty big hammer, weakening the out of bounds > > access detection of MTE. My preference would be a fix in the btrfs code. > > > > A btrfs option would be for copy_to_sk() to return an indication of > > where the fault occurred and get fault_in_pages_writeable() to check > > that location, even if the copying would restart from an earlier offset > > (this requires open-coding copy_to_user_nofault()). An attempt below, > > untested and does not cover read_extent_buffer_to_user_nofault(): > > Umm... There's another copy_to_user_nofault() call in the same function > (same story, AFAICS). I cleaned up this patch [1] but I realised it still doesn't solve it. The arm64 __copy_to_user_inatomic(), while ensuring progress if called in a loop, it does not guarantee precise copy to the fault position. The copy_to_sk(), after returning an error, starts again from the previous sizeof(sh) boundary rather than from where the __copy_to_user_inatomic() stopped. So it can get stuck attempting to copy the same search header. An ugly fix is to fall back to byte by byte copying so that we can attempt the actual fault address in fault_in_pages_writeable(). If the sh being recreated in copy_to_sk() is the same on the retried iteration, we could use an *sk_offset that is not a multiple of sizeof(sh) in order to have progress. But it's not clear to me whether the data being copied can change once btrfs_release_path() is called. [1] https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/log/?h=devel/btrfs-fix -- Catalin