Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp1521898pxb; Fri, 22 Oct 2021 02:35:28 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx/sH6eq4LcjXPeLDUEcb8rDSMucYBRkL4glz+Rg2m2IEVDs+/MhNe+Wa8eqk6KJb12kp/D X-Received: by 2002:a17:90b:3141:: with SMTP id ip1mr13088429pjb.41.1634895328381; Fri, 22 Oct 2021 02:35:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1634895328; cv=none; d=google.com; s=arc-20160816; b=IbwcPUPHMcsIY7O2aevIcCCe963EcqF1PlBKrZoFSt/PJcnOocnnfJsOJnvvYOKJiA ue8SQQtubfQ+2pEekPOzYAoflIC/rKbCak/TZ/wI7/Yu7VDdjizyw+l/2JPt8bt7Lfef pN0s4MkYZ9DijoTLBF0MIYPA2nZDRImc73sz++1WuYl/F39OdHFhcTPZKd6cBd9rQyQb Xq0sZvQl3FkDJLC200LFN/bGXygzuy2/GslSVefiSoOS587UFycRJbAt4qldTk24M3vl iaUKwm5Ysxu/nK4joIz2Uk0x2j2Ptys93V86chE7qEv4UxY9XC7kqkzqS99f8OS8eJYq 9qcA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=yUKFF0bAwqZY47HXweFTPtwA+V9lQi6/TNwwfE4Rc2c=; b=C4mVCG7YWSMFrFkjR3UEKNLxyilwH8+30lV+SGfxrB3Tc/6D85WlNP9hI7v+hhjM7T qATI+HnYnhuhdi+ssepQKzUFg88WqEUN+ykvf8N11GDmv5S8/rfmbaSFHJqkfOZm3L/q 4Z0xegFSowEl9KGLQgPtdQjXVswxDJJYPeRjCCVh7cYx5qvrZ+5oB3h28OlteoeESmhh ohaEdXnGoIM+u2kNm2UKW122/6SpF177hPo5WmZRXuH5M2rL+3zrSo3FxhS6326jnvOv a7q3oWazge/NsHz2TbfhUg1Vo9r3edyACOCjNl0GmgWQ+9f4VK/md63iV+JdocBephwL ioQA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z16si7119010pfe.110.2021.10.22.02.35.13; Fri, 22 Oct 2021 02:35:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232430AbhJVJgY (ORCPT + 99 others); Fri, 22 Oct 2021 05:36:24 -0400 Received: from mail.kernel.org ([198.145.29.99]:52058 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231563AbhJVJgX (ORCPT ); Fri, 22 Oct 2021 05:36:23 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id D4BE761163; Fri, 22 Oct 2021 09:34:03 +0000 (UTC) Date: Fri, 22 Oct 2021 10:34:00 +0100 From: Catalin Marinas To: Linus Torvalds Cc: Andreas Gruenbacher , Al Viro , Christoph Hellwig , "Darrick J. Wong" , Jan Kara , Matthew Wilcox , cluster-devel , linux-fsdevel , Linux Kernel Mailing List , "ocfs2-devel@oss.oracle.com" , Josef Bacik , Will Deacon Subject: Re: [RFC][arm64] possible infinite loop in btrfs search_ioctl() Message-ID: References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Oct 21, 2021 at 04:30:30PM -1000, Linus Torvalds wrote: > On Thu, Oct 21, 2021 at 4:42 AM Andreas Gruenbacher wrote: > > But probing the entire memory range in fault domain granularity in the > > page fault-in functions still doesn't actually make sense. Those > > functions really only need to guarantee that we'll be able to make > > progress eventually. From that point of view, it should be enough to > > probe the first byte of the requested memory range > > That's probably fine. > > Although it should be more than one byte - "copy_from_user()" might do > word-at-a-time optimizations, so you could have an infinite loop of > > (a) copy_from_user() fails because the chunk it tried to get failed partly > > (b) fault_in() probing succeeds, because the beginning part is fine > > so I agree that the fault-in code doesn't need to do the whole area, > but it needs to at least do some thing, to > handle the situation where the copy_to/from_user requires more than a > single byte. From a discussion with Al some months ago, if there are bytes still accessible, copy_from_user() is not allowed to fail fully (i.e. return the requested copy size) even when it uses word-at-a-time. In the worst case, it should return size - 1. If the fault_in() then continues probing from uaddr + 1, it should eventually hit the faulty address. The problem appears when fault_in() restarts from uaddr rather than where copy_from_user() stopped. That's what the btrfs search_ioctl() does. I also need to check the direct I/O cases that Andreas mentioned, maybe they can be changed not to attempt the fault_in() from the beginning of the block. -- Catalin