Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp1096896rwd; Sun, 14 May 2023 12:34:48 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5HZtf8Q3Pkc83fwmZoBp1nyjnFfvTAYTn3uQTQR1kNcyEDLT+u9ENzfbpYKmoMuvZU6XAC X-Received: by 2002:a05:6a00:2344:b0:643:b68b:dd08 with SMTP id j4-20020a056a00234400b00643b68bdd08mr39652589pfj.30.1684092887789; Sun, 14 May 2023 12:34:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684092887; cv=none; d=google.com; s=arc-20160816; b=mqLHVKZMq2caVI+yoe851X5jaxvjlbxnHG83fRC/cgTVnqEYhXyrREYhD1nRofCxuX x2y/T6PoAgHrGIiVqdGUl+TxJyUQSH17pQa+YX19Z7MyOTzV5z6S8Q44e0PhI9/IqDIQ vOCmJpKeLVdRpQf3JhFS+kZgmxmj6MSTARseG4Y4BepguM5bNjdSTzR4NxIs/OR48XMk 6UqnQ5pVAwCnHqJDR0SigOKwGMc6RrY4q4NA/TmsTpCoNRPjwwtsL7JFQshIea8F3q04 ww+39SqRXC+3g+l+ggfj95vheSJToI/suYtcJrKwOtyEVKIm7LIMRYA2JsfpRw4kRPem zACw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=nODLkN3MsrdfKf/UAkqWHH+G5vP9gT0pKV8dR/DBu4s=; b=EZkXTwpsUZwphMteav3YZQC2yMoP6e8JY9CymQ55DfjrDfkbLvICYYqFpfFXGcBI/I d2wzHMt8KJ+vyGztSP0AOYlKuENEMCz50MnGoGoCgLLYQNp5bUC9hSnIWA7xfVeYvkYo WlzNveUvCXD33UKfcx+sgz0qOahRdrFDWI2J++RfjBDYJyaXlVneeFKulSt/sozv/WO0 qyjTlWDR3eN6yN/Ut5ZYRXJXc2gejWel9oCuxAnNVAQUD+IfWfCJOFU50yLnnvKrkcTd 4AXr6gzCfwOEM0YLnse28pIV7dbUBUSp3NAphxZhOLgIKfqjJAoag+MhIMrN15I+CbJn 2q9A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=RDeF3wZR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s4-20020a63b404000000b005096eb1dabbsi14405839pgf.716.2023.05.14.12.34.31; Sun, 14 May 2023 12:34:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20221208 header.b=RDeF3wZR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234567AbjENTUO (ORCPT + 99 others); Sun, 14 May 2023 15:20:14 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45236 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229611AbjENTUL (ORCPT ); Sun, 14 May 2023 15:20:11 -0400 Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 260B9E6F; Sun, 14 May 2023 12:20:10 -0700 (PDT) Received: by mail-wr1-x431.google.com with SMTP id ffacd0b85a97d-30796c0cbcaso8254919f8f.1; Sun, 14 May 2023 12:20:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684092007; x=1686684007; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=nODLkN3MsrdfKf/UAkqWHH+G5vP9gT0pKV8dR/DBu4s=; b=RDeF3wZRRt16EUG/SiYqKwSADKhumymGx1P92RXpCWJEihqbIAjCclHt6h5mkTO7pD T5XFBgMo/0pOlgZKSGzUdM5dVZBn6RlZtdNSUILDCuSMt8wMUCADU4uU7tUMV5esO0gN 6ZKy02c5iPWnkatFiRS1BtzqwbMqPC03616pW70FyCISKY64mjDDdtYNV61AaCRd8GqE B+Ag52Ac22GWgZum4sdq7Gt3IYJBnwpffpv3Sidbf7VFUuK2E/8wlLhGnjoYccqNCrc8 xHUgfuGtmVfJdQTrr/zu09e9f3xi2UKSAjE4ItYpNxeZX7I568I+F7BO6c1BXPtEl6n0 c71A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684092007; x=1686684007; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=nODLkN3MsrdfKf/UAkqWHH+G5vP9gT0pKV8dR/DBu4s=; b=AtRp+86RR8sDiqPSh8GUbvDVPSieQBGBvCqj3xH6xz7UHqU2eHVSkWPaTlbwmb8blw Q5SVPVMiwL/rI6yZcpejlb4dYopU927OG8eIILOsDESxNvA9RyTNOmchPq3tPo3qzhQm Fz+5yCvHJFPYQ5qKuxHSKDy9QjCPNg9eLc5a1WgHRRtjTBJI9dl6zqt5WLG5RKYnuARj D6J/7X1SWN5O1ZZyVti3zkF531AWadXcOk9kZEegzlbybURYInt21n+xSjDuZdTu+ZsO 3rJWeYnot0C/l8ym9YZ+vwzGz59vaGbB0frfwpi23816jTm9Kl231YsMlFfDCn1cWimE bZFA== X-Gm-Message-State: AC+VfDz5c1FzT4p9XdCTnBVzc9r/nxFf5p+vyb3t6dtF61yCG4xjZQ/6 T8WpeyzktFusUM2I4U+scG0= X-Received: by 2002:a5d:4c8c:0:b0:2f5:3dfd:f4d2 with SMTP id z12-20020a5d4c8c000000b002f53dfdf4d2mr22848833wrs.64.1684092006850; Sun, 14 May 2023 12:20:06 -0700 (PDT) Received: from localhost ([2a00:23c5:dc8c:8701:1663:9a35:5a7b:1d76]) by smtp.gmail.com with ESMTPSA id w12-20020a05600c474c00b003f07ef4e3e0sm25829024wmo.0.2023.05.14.12.20.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 14 May 2023 12:20:05 -0700 (PDT) Date: Sun, 14 May 2023 20:20:04 +0100 From: Lorenzo Stoakes To: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrew Morton Cc: Jason Gunthorpe , Jens Axboe , Matthew Wilcox , Dennis Dalessandro , Leon Romanovsky , Christian Benvenuti , Nelson Escobar , Bernard Metzler , Peter Zijlstra , Ingo Molnar , Arnaldo Carvalho de Melo , Mark Rutland , Alexander Shishkin , Jiri Olsa , Namhyung Kim , Ian Rogers , Adrian Hunter , Bjorn Topel , Magnus Karlsson , Maciej Fijalkowski , Jonathan Lemon , "David S . Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Christian Brauner , Richard Cochran , Alexei Starovoitov , Daniel Borkmann , Jesper Dangaard Brouer , John Fastabend , linux-fsdevel@vger.kernel.org, linux-perf-users@vger.kernel.org, netdev@vger.kernel.org, bpf@vger.kernel.org, Oleg Nesterov , Jason Gunthorpe , John Hubbard , Jan Kara , "Kirill A . Shutemov" , Pavel Begunkov , Mika Penttila , David Hildenbrand , Dave Chinner , Theodore Ts'o , Peter Xu , Matthew Rosato , "Paul E . McKenney" , Christian Borntraeger Subject: Re: [PATCH v9 0/3] mm/gup: disallow GUP writing to file-backed mappings by default Message-ID: <0eb31f6f-a122-4a5b-a959-03ed4dee1f3c@lucifer.local> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 04, 2023 at 10:27:50PM +0100, Lorenzo Stoakes wrote: > Writing to file-backed mappings which require folio dirty tracking using > GUP is a fundamentally broken operation, as kernel write access to GUP > mappings do not adhere to the semantics expected by a file system. > > A GUP caller uses the direct mapping to access the folio, which does not > cause write notify to trigger, nor does it enforce that the caller marks > the folio dirty. > > The problem arises when, after an initial write to the folio, writeback > results in the folio being cleaned and then the caller, via the GUP > interface, writes to the folio again. > > As a result of the use of this secondary, direct, mapping to the folio no > write notify will occur, and if the caller does mark the folio dirty, this > will be done so unexpectedly. > > For example, consider the following scenario:- > > 1. A folio is written to via GUP which write-faults the memory, notifying > the file system and dirtying the folio. > 2. Later, writeback is triggered, resulting in the folio being cleaned and > the PTE being marked read-only. > 3. The GUP caller writes to the folio, as it is mapped read/write via the > direct mapping. > 4. The GUP caller, now done with the page, unpins it and sets it dirty > (though it does not have to). > > This change updates both the PUP FOLL_LONGTERM slow and fast APIs. As > pin_user_pages_fast_only() does not exist, we can rely on a slightly > imperfect whitelisting in the PUP-fast case and fall back to the slow case > should this fail. [snip] As discussed at LSF/MM, on the flight over I wrote a little repro [0] which reliably triggers the ext4 warning by recreating the scenario described above, using a small userland program and kernel module. This code is not perfect (plane code :) but does seem to do the job adequately, also obviously this should only be run in a VM environment where data loss is acceptable (in my case a small qemu instance). Hopefully this is useful in some way. Note that I explicitly use pin_user_pages() without FOLL_LONGTERM here in order to not run into the mitigation this very patch series provides! Obviously if you revert this series you can see the same happening with FOLL_LONGTERM set. I have licensed the code as GPLv2 so anybody's free to do with it as they will if it's useful in any way! [0]:https://github.com/lorenzo-stoakes/gup-repro