Date: Sat, 29 Apr 2023 00:21:09 -0400
From: "Theodore Ts'o"
To: Jason Gunthorpe
Cc: David Hildenbrand, Lorenzo Stoakes, linux-mm@kvack.org,
    linux-kernel@vger.kernel.org, Andrew Morton, Jens Axboe,
    Matthew Wilcox, Dennis Dalessandro, Leon Romanovsky,
    Christian Benvenuti, Nelson Escobar, Bernard Metzler,
    Peter Zijlstra, Ingo Molnar, Arnaldo Carvalho de Melo,
    Mark Rutland, Alexander Shishkin, Jiri Olsa, Namhyung Kim,
    Ian Rogers, Adrian Hunter, Bjorn Topel, Magnus Karlsson,
    Maciej Fijalkowski, Jonathan Lemon, "David S. Miller",
    Eric Dumazet, Jakub Kicinski, Paolo Abeni, Christian Brauner,
    Richard Cochran, Alexei Starovoitov, Daniel Borkmann,
    Jesper Dangaard Brouer, John Fastabend,
    linux-fsdevel@vger.kernel.org, linux-perf-users@vger.kernel.org,
    netdev@vger.kernel.org, bpf@vger.kernel.org, Oleg Nesterov,
    John Hubbard, Jan Kara, "Kirill A. Shutemov", Pavel Begunkov,
    Mika Penttila, David Howells, Christoph Hellwig
Subject: Re: [PATCH v5] mm/gup: disallow GUP writing to file-backed mappings by default

On Fri, Apr 28, 2023 at 03:50:20PM -0300, Jason Gunthorpe wrote:
> > Do we think we can still trigger a kernel crash, or maybe even some
> > more exciting like an arbitrary buffer overrun, via the
> > process_vm_writev(2) system call into a file-backed mmap'ed region?

I paged back into my memory the details, and (un)fortunately(?) it
probably can't be turned into high severity security exploit; it's
"just" a silent case of data loss. (Which is *so* much better.... :-)

There was a reliable reproducer which was found by Syzkaller, that
didn't require any kind of exotic hardware or setup[1], and we
ultimately kluged a workaround in commit cc5095747edf ("ext4: don't
BUG if someone dirty pages without asking ext4 first").

[1] https://lore.kernel.org/all/Yg0m6IjcNmfaSokM@google.com/

Commit cc5095747edf had the (un)fortunate(?) side effect that GUP
writes to ext4 file-backed mappings no longer would cause random
low-probability crashes on large installations using RDMA, which has
apparently removed some of the motivation of really fixing the problem
instead of papering over it. The good news is that I'm no longer
getting complaints from syzbot for this issue, and *I* don't have to
support anyone trying to use RDMA into file-backed mappings. :-)

In any case, the file system maintainers' position (mine and I doubt
Dave Chinner's position has changed) is that if you write to
file-backed mappings via GUP/RDMA/process_vm_writev, and it causes
silent data corruption, you get to keep both pieces, and don't go
looking for us for anything other than sympathy...

- Ted