Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp1752624pxb; Mon, 11 Oct 2021 12:18:39 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxwj+vrs5yrASzop+g6lkgjACkyJ/dWqVHL/edP1jt6rGTrSqSz7y2q4iTiqSuq9dST6mWF X-Received: by 2002:a17:90a:f415:: with SMTP id ch21mr860102pjb.235.1633979919092; Mon, 11 Oct 2021 12:18:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633979919; cv=none; d=google.com; s=arc-20160816; b=jzqwOO5HDt2BDcbReqmkZ431B6PwFYQJZ5byFKbogGCvrE1yA1mdrcRmz9+YQU2h7F aI3k3ylRBpnfTHQ8v4A4RaWnDbMZfUGiaJbJGSkVkoQ9ho/kQfqoECGvawRbQm10SVxh YwJj/wSujgwLGaaZyETP33ELEiNrRkmD5naYjN+SL34YYAEhvhxjSm39cJhWJ2gNcU5z /kaspQon8fuhNFAsnp70uFufjFCNO43KOzmKtDqj90jy/k4udeRdL6TrJX1LpOv6H06s t/73KnNWXDWvlhL0Z5iUCQi0SySXC4skhm8y1FrXYE6otazTIpDF9CfUG73Yh9kfLocY Vq1Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=8GEklByxwtz5UkrPD1VA8xZriJ2DJzNE/WJEIN7V+8A=; b=nzzQHIJX/IlMMkcYIyzjVxBeasZpDe1Vfx848YWjmsSMLEos6oMKWVuDbVI1oYFPC3 jeiVcWYeQduvaBZwXiMqRm9StA7GIhe5AsGe7Onh4sdqy/ve+z6cNkEwSQ6JdV8NEEha BlyEEOWGmFmMtKA1yWQm7R/U3qO58pVl4RCKC03JDzFbZnDMWLpHoG4PZsVplbPU9i9I WdkpHFBZ6dYI9edxaGt5dA+x0FBQJw7Oa1taAoIQYkVNX+vtLRaQH2M2PBosTxQGwHAH R4c5IYsZuvTiUSK46npAuFhT9YL+nBwQQR/bbz9bwCKz2HbiPPuvb22dHfnY55xEYH/8 5lCQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=BaraWCtY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 20si10354551pgm.554.2021.10.11.12.18.25; Mon, 11 Oct 2021 12:18:39 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linux-foundation.org header.s=google header.b=BaraWCtY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234610AbhJKTSI (ORCPT + 99 others); Mon, 11 Oct 2021 15:18:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54448 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234564AbhJKTSE (ORCPT ); Mon, 11 Oct 2021 15:18:04 -0400 Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C19E9C06161C for ; Mon, 11 Oct 2021 12:16:03 -0700 (PDT) Received: by mail-lf1-x129.google.com with SMTP id t9so76327934lfd.1 for ; Mon, 11 Oct 2021 12:16:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux-foundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8GEklByxwtz5UkrPD1VA8xZriJ2DJzNE/WJEIN7V+8A=; b=BaraWCtYvtkSMzuRzKNgVvTF5yuwTb4Fo9FxC3NbVtpYfpe1sv/ynisHfSSDya7EuW PFrxkb/Kv3LRAKFFlLZuP59WIGKDKsUWQRxvyeh55cw6xngdskSjD0Z4oTpKWS+UhP2y hMqafTvOfghXFedCqm8oaR7ZxL9+GTUanRU6U= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8GEklByxwtz5UkrPD1VA8xZriJ2DJzNE/WJEIN7V+8A=; b=dWFCNdZUYf6YkzOIXEbExyrfHCHdFUpPvryE9n2TG6gKlrgFFyswVqY7sZrW2eD5ym 6vfHTlzZjoR6J1fkaZ/77TCBnsxLKuxmC5szPQVk2elsc/MThk5z2mjo7JMV8m9Fz5FA iixlTKn4ZZEQlcl52XDFbQivyRth8yXGaJ/yJmRdYojLj903swplAaNc1dlCxdWEsje6 6KNc6GKUu++kufIEKZo9k6vkHkAg/DbY5sY/XTeB75UCRMPbUIT/nHkMPC0zarChrrgo UnI/qwiTAmu2TK7f6tquJ41+LIOjVO5vjlHS3dpK6zj4EruHdlYgntimOgX39Y1wgIuS oJqg== X-Gm-Message-State: AOAM532sQDDuScarFzusEGNH6IPpyXciJlRybB6Vm5KPR9tJD6LqBhyG 52Q7IQDhat7WxLmFTyoxsjdXxXicUe4Kgb1c X-Received: by 2002:a19:c34d:: with SMTP id t74mr9328351lff.452.1633979761447; Mon, 11 Oct 2021 12:16:01 -0700 (PDT) Received: from mail-lf1-f46.google.com (mail-lf1-f46.google.com. [209.85.167.46]) by smtp.gmail.com with ESMTPSA id i6sm808668lfc.252.2021.10.11.12.15.59 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 11 Oct 2021 12:16:00 -0700 (PDT) Received: by mail-lf1-f46.google.com with SMTP id x27so77516459lfa.9 for ; Mon, 11 Oct 2021 12:15:59 -0700 (PDT) X-Received: by 2002:a05:6512:12d3:: with SMTP id p19mr30204794lfg.280.1633979759600; Mon, 11 Oct 2021 12:15:59 -0700 (PDT) MIME-Version: 1.0 References: <20210827164926.1726765-6-agruenba@redhat.com> In-Reply-To: From: Linus Torvalds Date: Mon, 11 Oct 2021 12:15:43 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [RFC][arm64] possible infinite loop in btrfs search_ioctl() To: Catalin Marinas Cc: Al Viro , Andreas Gruenbacher , Christoph Hellwig , "Darrick J. Wong" , Jan Kara , Matthew Wilcox , cluster-devel , linux-fsdevel , Linux Kernel Mailing List , "ocfs2-devel@oss.oracle.com" , Josef Bacik , Will Deacon Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Oct 11, 2021 at 10:38 AM Catalin Marinas wrote: > > I cleaned up this patch [1] but I realised it still doesn't solve it. > The arm64 __copy_to_user_inatomic(), while ensuring progress if called > in a loop, it does not guarantee precise copy to the fault position. That should be ok., We've always allowed the user copy to return early if it does word copies and hits a page crosser that causes a fault. Any user then has the choice of: - partial copies are bad - partial copies are handled and then you retry from the place copy_to_user() failed at and in that second case, the next time around, you'll get the fault immediately (or you'll make some more progress - maybe the user copy loop did something different just because the length and/or alignment was different). If you get the fault immediately, that's -EFAULT. And if you make some more progress, it's again up to the caller to rinse and repeat. End result: user copy functions do not have to report errors exactly. It is the caller that has to handle the situation. Most importantly: "exact error or not" doesn't actually _matter_ to the caller. If the caller does the right thing for an exact error, it will do the right thing for an inexact one too. See above. > The copy_to_sk(), after returning an error, starts again from the previous > sizeof(sh) boundary rather than from where the __copy_to_user_inatomic() > stopped. So it can get stuck attempting to copy the same search header. That seems to be purely a copy_to_sk() bug. Or rather, it looks like a bug in the caller. copy_to_sk() itself does if (copy_to_user_nofault(ubuf + *sk_offset, &sh, sizeof(sh))) { ret = 0; goto out; } and the comment says * 0: all items from this leaf copied, continue with next but that comment is then obviously not actually true in that it's not "continue with next" at all. But this is all very much a bug in the btrfs search_ioctl()/copy_to_sk() code: it simply doesn't do the proper thing for a partial result. Because no, "just retry the whole thing" is by definition not the proper thing. That said, I think that if we can have faults at non-page-aligned boundaries, then we just need to make fault_in_pages_writeable() check non-page boundaries. > An ugly fix is to fall back to byte by byte copying so that we can > attempt the actual fault address in fault_in_pages_writeable(). No, changing the user copy machinery is wrong. The caller really has to do the right thing with partial results. And I think we need to make fault_in_pages_writeable() match the actual faulting cases - maybe remote the "pages" part of the name? That would fix the btrfs code - it's not doing the right thing as-is, but it's "close enough' to right that I think fixing fault_in_pages_writeable() should fix it. No? Linus