Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp828501pxb; Thu, 21 Oct 2021 10:14:14 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw4w7gzFlRp+FQqn5O/YDGtBO/TX4PxMEBZ+z2JUltxzOCy1fgpkHbih6q1oOGR0bPBd2zj X-Received: by 2002:a05:6402:10cd:: with SMTP id p13mr9354773edu.214.1634836454682; Thu, 21 Oct 2021 10:14:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1634836454; cv=none; d=google.com; s=arc-20160816; b=VSkq7DspVe0TcP019vRmma2/pzYMpQGAROKXneNsTNWI/p2o9ssJ2kVE+sq9bHadbG v/Q6tvc9Qm9Tn89Ru/N38lzc2x2pxVeZAx7QY056oOEVdNyCp4weqabGnB6wAQEf293g /v4FDz6WMAMtdyDnfaAYfvekEGn8OFCQsZ23scjvY1of5lt5pQ10qzGMjos6Dulllzeh 6GetC/p7y/pJzaYCL/y+eXMuQCVHUD3ozoR+Q/X2YHm2u6V04dBOtb91MDzoA+GK1/9N js9ATJWf4dgGedqhvwr3JYFqmZI1dk5rJ6FuM/0UkbGSye4cmXmit2UyFHbhF1KjBAs1 3F2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=LN4rK46DN0m6WYPwF5VTY33hvRAUtOC0bV2KPd7qyKk=; b=tyLxBKVm70p19pAKbpBxvo0ZSZbgIOiw4CSAXHziYAL8qEz73X+EctKgOSmeu8J3hP 6NZa5iPG9fa8/upj9bWIELv8KKr4ZLcSPe+ctcpm9QHm7KaWDFhRvyRcaGUM72sl1DWy 4Rp0/Cbowjv4HmpOWs7lqqcTxAuigN+ln4l1wiSjGLV2aA1dTzYlYrk6TfcxD+uStUFn L3I/rhAwUCo8JSvzcuI3OLhre7euWMczJ/1TKFscXli0NWzDbMjy3/k3WhER9MudUlQJ /AgRxJT7pdZ83fGQgfzYNcq+TUb79HrqjD7NAoq1YHpsBW3QWNBdS5JAsOFDoPe6Gn31 xSWQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h3si13001160ede.407.2021.10.21.10.13.50; Thu, 21 Oct 2021 10:14:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231579AbhJURLx (ORCPT + 99 others); Thu, 21 Oct 2021 13:11:53 -0400 Received: from mail.kernel.org ([198.145.29.99]:42682 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230281AbhJURLr (ORCPT ); Thu, 21 Oct 2021 13:11:47 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id EA4EE61A0A; Thu, 21 Oct 2021 17:09:28 +0000 (UTC) Date: Thu, 21 Oct 2021 18:09:26 +0100 From: Catalin Marinas To: Andreas Gruenbacher Cc: Linus Torvalds , Al Viro , Christoph Hellwig , "Darrick J. Wong" , Jan Kara , Matthew Wilcox , cluster-devel , linux-fsdevel , Linux Kernel Mailing List , "ocfs2-devel@oss.oracle.com" , Josef Bacik , Will Deacon Subject: Re: [RFC][arm64] possible infinite loop in btrfs search_ioctl() Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Oct 21, 2021 at 04:42:33PM +0200, Andreas Gruenbacher wrote: > On Thu, Oct 21, 2021 at 12:06 PM Catalin Marinas > wrote: > > On Thu, Oct 21, 2021 at 02:46:10AM +0200, Andreas Gruenbacher wrote: > > > When a page fault would occur, we > > > get back an error instead, and then we try to fault in the offending > > > pages. If a page is resident and we still get a fault trying to access > > > it, trying to fault in the same page again isn't going to help and we > > > have a true error. > > > > You can't be sure the second fault is a true error. The unlocked > > fault_in_*() may race with some LRU scheme making the pte not accessible > > or a write-back making it clean/read-only. copy_to_user() with > > pagefault_disabled() fails again but that's a benign fault. The > > filesystem should re-attempt the fault-in (gup would correct the pte), > > disable page faults and copy_to_user(), potentially in an infinite loop. > > If you bail out on the second/third uaccess following a fault_in_*() > > call, you may get some unexpected errors (though very rare). Maybe the > > filesystems avoid this problem somehow but I couldn't figure it out. > > Good point, we can indeed only bail out if both the user copy and the > fault-in fail. > > But probing the entire memory range in fault domain granularity in the > page fault-in functions still doesn't actually make sense. Those > functions really only need to guarantee that we'll be able to make > progress eventually. From that point of view, it should be enough to > probe the first byte of the requested memory range, so when one of > those functions reports that the next N bytes should be accessible, > this really means that the first byte surely isn't permanently > inaccessible and that the rest is likely accessible. Functions > fault_in_readable and fault_in_writeable already work that way, so > this only leaves function fault_in_safe_writeable to worry about. I agree, that's why generic_perform_write() works. It does a get_user() from the first byte in that range and the subsequent copy_from_user() will make progress of at least one byte if it was readable. Eventually it will hit the byte that faults. The gup-based fault_in_*() are a bit more problematic. Your series introduces fault_in_safe_writeable() and I think for MTE doing a _single_ get_user(uaddr) (in addition to the gup checks for write) would be sufficient as long as generic_file_read_iter() advances by at least one byte (eventually). This discussion started with the btrfs search_ioctl() where, even if some bytes were written in copy_to_sk(), it always restarts from an earlier position, reattempting to write the same bytes. Since copy_to_sk() doesn't guarantee forward progress even if some bytes are writable, Linus' suggestion was for fault_in_writable() to probe the whole range. I consider this overkill since btrfs is the only one that needs probing every 16 bytes. The other cases like the new fault_in_safe_writeable() can be fixed by probing the first byte only followed by gup. I think we need to better define the semantics of the fault_in + uaccess sequences. For uaccess, we document "a hard requirement that not storing anything at all (i.e. returning size) should happen only when nothing could be copied" (from linux/uaccess.h). I think we can add a requirement for the new size_t-based fault_in_* variants without mandating that the whole range is probed, something like: "returning leftover < size guarantees that a subsequent user access at uaddr copies at least one byte eventually". I said "eventually" but maybe we can come up with some clearer wording for a liveness property. Such requirement would ensure that infinite loops of fault_in_* + uaccess make progress as long as they don't reset the probed range. Code like btrfs search_ioctl() would need to be adjusted to avoid such range reset and guarantee forward progress. -- Catalin