From: Andrei Vagin
Date: Fri, 17 Nov 2023 07:26:19 -0800
Subject: Re: [PATCH 1/3] mm/pagemap: Fix ioctl(PAGEMAP_SCAN) on vma check
To: Peter Xu
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Muhammad Usama Anjum, Andrew Morton, David Hildenbrand, syzbot+e94c5aaf7890901ebf9b@syzkaller.appspotmail.com

On Thu, Nov 16, 2023 at 12:15 PM Peter Xu wrote:
>
> The new ioctl(PAGEMAP_SCAN) relies on vma wr-protect capability provided by
> userfault, however in the vma test it didn't explicitly require the vma to
> have wr-protect function enabled, even if PM_SCAN_WP_MATCHING flag is set.
>
> It means the pagemap code can now apply uffd-wp bit to a page in the vma
> even if not registered to userfaultfd at all.
>
> Then in whatever way as long as the pte got written and page fault
> resolved, we'll apply the write bit even if uffd-wp bit is set. We'll see
> a pte that has both UFFD_WP and WRITE bit set. Anything later that looks
> up the pte for uffd-wp bit will trigger the warning:
>
> WARNING: CPU: 1 PID: 5071 at arch/x86/include/asm/pgtable.h:403 pte_uffd_wp arch/x86/include/asm/pgtable.h:403 [inline]
>
> Fix it by doing proper check over the vma attributes when
> PM_SCAN_WP_MATCHING is specified.
> > Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and option= ally clear info about PTEs") > Reported-by: syzbot+e94c5aaf7890901ebf9b@syzkaller.appspotmail.com > Signed-off-by: Peter Xu Reviewed-by: Andrei Vagin > --- > fs/proc/task_mmu.c | 24 ++++++++++++++++++++---- > 1 file changed, 20 insertions(+), 4 deletions(-) > > diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c > index 51e0ec658457..e91085d79926 100644 > --- a/fs/proc/task_mmu.c > +++ b/fs/proc/task_mmu.c > @@ -1994,15 +1994,31 @@ static int pagemap_scan_test_walk(unsigned long s= tart, unsigned long end, > struct pagemap_scan_private *p =3D walk->private; > struct vm_area_struct *vma =3D walk->vma; > unsigned long vma_category =3D 0; > + bool wp_allowed =3D userfaultfd_wp_async(vma) && > + userfaultfd_wp_use_markers(vma); > > - if (userfaultfd_wp_async(vma) && userfaultfd_wp_use_markers(vma)) > - vma_category |=3D PAGE_IS_WPALLOWED; > - else if (p->arg.flags & PM_SCAN_CHECK_WPASYNC) > - return -EPERM; > + if (!wp_allowed) { > + /* User requested explicit failure over wp-async capabili= ty */ > + if (p->arg.flags & PM_SCAN_CHECK_WPASYNC) > + return -EPERM; > + /* > + * User requires wr-protect, and allows silently skipping > + * unsupported vmas. > + */ > + if (p->arg.flags & PM_SCAN_WP_MATCHING) > + return 1; > + /* > + * Then the request doesn't involve wr-protects at all, > + * fall through to the rest checks, and allow vma walk. > + */ > + } > > if (vma->vm_flags & VM_PFNMAP) > return 1; > > + if (wp_allowed) > + vma_category |=3D PAGE_IS_WPALLOWED; > + > if (vma->vm_flags & VM_SOFTDIRTY) > vma_category |=3D PAGE_IS_SOFT_DIRTY; > > -- > 2.41.0 >
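Review bot: the `return 1` taken when `PM_SCAN_WP_MATCHING` is set but `wp_allowed` is false makes the vma drop out of the scan silently, and the diffstat (only fs/proc/task_mmu.c touched) shows that this user-visible behaviour is not documented anywhere in the series: a caller that asks for wr-protect without also setting `PM_SCAN_CHECK_WPASYNC` gets a clean return with that range simply absent from the results, which is easy to mistake for "nothing was written". Suggest stating in the PAGEMAP_SCAN uapi documentation that vmas not registered for wp-async are skipped under `PM_SCAN_WP_MATCHING`, and that `PM_SCAN_CHECK_WPASYNC` is the way to turn that skip into a hard -EPERM. Minor: the comment "fall through to the rest checks" reads better as "fall through to the remaining checks".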