Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp2314144rwr; Fri, 28 Apr 2023 08:46:08 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4pnlxiEju6r2woArKK4LL66XIz+R7U8WKy7kjtfHpTRg5QcuMFB4GiF63J4LUX6SbV9kOY X-Received: by 2002:a17:902:f814:b0:1a0:50bd:31a8 with SMTP id ix20-20020a170902f81400b001a050bd31a8mr5431454plb.26.1682696768056; Fri, 28 Apr 2023 08:46:08 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1682696768; cv=none; d=google.com; s=arc-20160816; b=QdhbcHmEAkAj+7625+vl8n0V6rLlZ9NYWoRWNND+SvTQeja8Ui7uCe8OubdS3qF6JW ICyUQYOYu3ztkt8fz9C8VdY5u4NFTVvGg5hvOWA9QgQW8YV/1VJq/GDGQHMXwcBjdoOs IJqpvVkIWsaiKmEu/awCUFpH3TRTVea1cK5vCClp4D46E5BxEK26Kc05Dlh0PsMMQyJr qzhHhcwHTaRgaK9+/oIu/i3opoQa2f6gBX/oXtpWlDR4CceP0vqHPhLzkExq9aqSuJAO rH6RJEQ4vlAuwZthM3dcC4lB7mmAr3qN+JE5SkxV5Lsec4bk9YrvDAtKgiMDsj5CMaCN Tbfg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:subject :organization:from:references:cc:to:content-language:user-agent :mime-version:date:message-id:dkim-signature; bh=1H9pPvEM+Js8vhAavaMMOgoamiyAYwUIQKWzoU2WpOs=; b=B3fI4QvYYoafdmttLD5KDICgiyAfrWJvpHD8F4vE31DyEPvmKGOjh/ScYXkPF9fq3i c2/9Td8f6tvsb9GxWUioV+QJx5Dzn1Gznb1lqXVP1krG5RQw4WtaS2vqYCaZ+EJZYjKA qyvNiB6fhUQMmaMG4vr1m+3uyDi8eEQWHz7mGHGem6BWxjl6BhZ47++8iwOAoFCcFRnn JSoX9omW5bh8gdI/h7GtLXgOvr9nOos5tx44z4f3truaGId+ka9H02/IrMbwupqy5gHA ftFZ6kmA0Lv5ip7MPp5u3mTCYfFQW/xrxrGAD8IgaJ5XKgbcFeN3meLkChU3MONZLcHb ICNg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=DqNweZ2r; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id j1-20020a17090276c100b001a67b3994dcsi21312532plt.331.2023.04.28.08.45.55; Fri, 28 Apr 2023 08:46:08 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=DqNweZ2r; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230246AbjD1Pma (ORCPT + 99 others); Fri, 28 Apr 2023 11:42:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55250 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229526AbjD1Pm2 (ORCPT ); Fri, 28 Apr 2023 11:42:28 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 891521BD2 for ; Fri, 28 Apr 2023 08:41:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1682696512; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1H9pPvEM+Js8vhAavaMMOgoamiyAYwUIQKWzoU2WpOs=; b=DqNweZ2r0M5iA7YIPL3sk5Le+IT2C588f57CjHIGHelEtTik11VfstxVFxhktiQsn1MuCM 2Tu6yxbmZFa6xCXjDVYxmr+iECaiIoS+Px4H4prvYcnQhXO3BVf9QfUB3dQcwM8bEdSiPN 4jzTK43cXpUkbCQ8KGD7pQsukS/xMDw= Received: from mail-wm1-f70.google.com (mail-wm1-f70.google.com [209.85.128.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-639-PU0UUB8EO0yrwxVD78K_-Q-1; Fri, 28 Apr 2023 11:41:51 -0400 X-MC-Unique: PU0UUB8EO0yrwxVD78K_-Q-1 Received: by mail-wm1-f70.google.com with SMTP id 5b1f17b1804b1-3f17b8d24bbso64605755e9.2 for ; Fri, 28 Apr 2023 08:41:38 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682696497; x=1685288497; h=content-transfer-encoding:in-reply-to:subject:organization:from :references:cc:to:content-language:user-agent:mime-version:date :message-id:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=1H9pPvEM+Js8vhAavaMMOgoamiyAYwUIQKWzoU2WpOs=; b=AOkNrCpE98pNcgSDnjF6Fw+l3rdf3JrmforX8lyV8GdaS7MFHnaz6/sRwbXeF0Hykw 6/d/XOIVHIWxDpW8krEQWiLyXjWvBdVvJmYl20jc5eE0FZsA/sRuwBSwre9+zSP6GM9Y r976EWWPByypIz0h9DMOs0GfSdvXn1vXvQOCwLd0wyDdp/KasRDOTeKBmi0WICJyeg3n 9iZ1rCDvxIudI3bTrREg+DhRv/AyHhRbeWg8XGsWtLWzEWhj9cAqzTFO252QVEvgDBX5 CeCvlMXePuIOtHtKB91QPQL6YVIpwuZdbcetSCV8WOzmDdY4I52YXQsXWIcRWRzYcxbU kkxg== X-Gm-Message-State: AC+VfDw2Cd5NBWyCd0cLiIzPtJ68aXU/ff8QQiMBfIEDYVxruJkys3Lr updAjFzlAlC59sioLHOtwxDX0WtGs8fhodSqz6u4nlSM0caPXaRchzkg/55eQsyJhhx6qEbpMD8 8wn8UG18y+B4HTFMdbD0n+9ej X-Received: by 2002:a1c:ed0e:0:b0:3f2:5999:4f2b with SMTP id l14-20020a1ced0e000000b003f259994f2bmr4546918wmh.33.1682696497205; Fri, 28 Apr 2023 08:41:37 -0700 (PDT) X-Received: by 2002:a1c:ed0e:0:b0:3f2:5999:4f2b with SMTP id l14-20020a1ced0e000000b003f259994f2bmr4546874wmh.33.1682696496848; Fri, 28 Apr 2023 08:41:36 -0700 (PDT) Received: from ?IPV6:2003:cb:c726:9300:1711:356:6550:7502? (p200300cbc72693001711035665507502.dip0.t-ipconnect.de. [2003:cb:c726:9300:1711:356:6550:7502]) by smtp.gmail.com with ESMTPSA id r6-20020a05600c458600b003f195d540d9sm20569992wmo.14.2023.04.28.08.41.34 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 28 Apr 2023 08:41:36 -0700 (PDT) Message-ID: <3f97c798-3598-1729-1981-ab8acb7b5663@redhat.com> Date: Fri, 28 Apr 2023 17:41:33 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0 Content-Language: en-US To: Jason Gunthorpe Cc: Lorenzo Stoakes , linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrew Morton , Jens Axboe , Matthew Wilcox , Dennis Dalessandro , Leon Romanovsky , Christian Benvenuti , Nelson Escobar , Bernard Metzler , Peter Zijlstra , Ingo Molnar , Arnaldo Carvalho de Melo , Mark Rutland , Alexander Shishkin , Jiri Olsa , Namhyung Kim , Ian Rogers , Adrian Hunter , Bjorn Topel , Magnus Karlsson , Maciej Fijalkowski , Jonathan Lemon , "David S . Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Christian Brauner , Richard Cochran , Alexei Starovoitov , Daniel Borkmann , Jesper Dangaard Brouer , John Fastabend , linux-fsdevel@vger.kernel.org, linux-perf-users@vger.kernel.org, netdev@vger.kernel.org, bpf@vger.kernel.org, Oleg Nesterov , John Hubbard , Jan Kara , "Kirill A . Shutemov" , Pavel Begunkov , Mika Penttila , David Howells , Christoph Hellwig References: <6b73e692c2929dc4613af711bdf92e2ec1956a66.1682638385.git.lstoakes@gmail.com> <094d2074-5b69-5d61-07f7-9f962014fa68@redhat.com> From: David Hildenbrand Organization: Red Hat Subject: Re: [PATCH v5] mm/gup: disallow GUP writing to file-backed mappings by default In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-3.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 28.04.23 17:27, Jason Gunthorpe wrote: > On Fri, Apr 28, 2023 at 05:08:27PM +0200, David Hildenbrand wrote: > >>> I think this is broken today and we should block it. We know from >>> experiments with RDMA that doing exactly this triggers kernel oop's. >> >> I never saw similar reports in the wild (especially targeted at RHEL), so is >> this still a current issue that has not been mitigated? Or is it just so >> hard to actually trigger? > > People send RDMA related bug reports to us, and we tell them not to do > this stuff :) > >>> I'm skeptical that anyone can actually do this combination of things >>> successfully without getting kernel crashes or file data corruption - >>> ie there is no real user to break. >> >> I am pretty sure that there are such VM users, because on the libvirt level >> it's completely unclear which features trigger what behavior :/ > > IDK, why on earth would anyone want to do this? Using VFIO forces all > the memory to become resident so what was the point of making it file > backed in the first place? As I said, copy-and paste, incremental changes to domain XMLs. I've seen some crazy domain XMLs in bug reports. > > I'm skeptical there are real users even if it now requires special > steps to be crashy/corrupty. In any case, I think we should document the possible implications of this patch. I gave one use case that could be broken. > >>>> Sure, we could warn, or convert individual users using a flag (io_uring). >>>> But maybe we should invest more energy on a fix? >>> >>> It has been years now, I think we need to admit a fix is still years >>> away. Blocking the security problem may even motivate more people to >>> work on a fix. >> >> Maybe we should make this a topic this year at LSF/MM (again?). At least we >> learned a lot about GUP, what might work, what might not work, and got a >> depper understanding (+ motivation to fix? :) ) the issue at hand. > > We keep having the topic.. This is the old argument that the FS people > say the MM isn't following its inode and dirty lifetime rules and the > MM people say the FS isn't following its refcounting rules :/ so we have to discuss it ... again I guess. > >>> Security is the primary case where we have historically closed uAPI >>> items. >> >> As this patch >> >> 1) Does not tackle GUP-fast >> 2) Does not take care of !FOLL_LONGTERM >> >> I am not convinced by the security argument in regard to this patch. > > It is incremental and a temperature check to see what kind of real > users exist. We have no idea right now, just speculation. Right, but again, if we start talking about security it's a different thing IMHO. >> Everything else sounds like band-aids to me, is insufficient, and might >> cause more harm than actually help IMHO. Especially the gup-fast case is >> extremely easy to work-around in malicious user space. > > It is true this patch should probably block gup_fast when using > FOLL_LONGTERM as well, just like we used to do for the DAX check. Then we'd at least fix the security issue for all FOLL_LONGTERM completely. -- Thanks, David / dhildenb