Received: by 2002:a05:7412:b130:b0:e2:908c:2ebd with SMTP id az48csp1725828rdb;
        Sun, 19 Nov 2023 07:56:07 -0800 (PST)
X-Google-Smtp-Source: AGHT+IGbhE/IgrJ6yWEY0QYflEJDDCz5UUejlF/B03EzXJYnGC89yRLXd6HrCgyZsPzhnEtYe3sp
X-Received: by 2002:a05:6808:130d:b0:3b2:e74c:30a6 with SMTP id y13-20020a056808130d00b003b2e74c30a6mr6803482oiv.10.1700409367077;
        Sun, 19 Nov 2023 07:56:07 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1700409367; cv=none;
        d=google.com; s=arc-20160816;
        b=kVnRBXPvgWvniewxtNgtYF6OTMQK6D7uYsQZB4JjKFDSsVKwg2oWLmURClKlpnX57Q
         z9tdZhA7x0QFWGSz0RhaZIf7G1FdpaozpIQFpP9oubpvD+EM0yJ7hT1lnswIbMvkgRDB
         Mknq9Ck19SbbkYt8ylDCh8MOxbixJTviO/vAfY713XYBirhG0Oebtpp8q26T4GMeM+2h
         6zfJqp+/GgtmZnyHpV85LxoPPbYpXOhhdC/PMLmo2OVCBJouyCjzEi9/+jDA4/JgRyIS
         LefvH1mFnIT3hKWJVl4OjUlaE119TxI132S0mvkRY1U02gVyMTXNY15r32Vmo76AtmiF
         WDMQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :content-language:references:to:subject:cc:user-agent:mime-version
         :date:message-id:dkim-signature;
        bh=6OrIovHrcc6h0JfFDPf671QU7IADoI4JkJxc5b4T/M4=;
        fh=IjVl3VlgbMrqm/4Wl+cQVzbvQgBOHHqcjONgh9f5ffc=;
        b=DSOtdRRs2u1qk74m/jEDFnXAes6f7nC66GtTARxZmGHdFfQFThhPPO27XQSP3EAu6t
         oYhM546k/py0YFbt6G/Tti6mGXyhgXjcg47nsmNwzSAF82h94tc51EDdanNlSIJ13ctg
         oFwNJVdkPK9jtCNY3cgbhUWT+7Xaq5OjLoRvG9Ow/O2wZNXkf5e0UunEcd7GVuHemm/f
         TkyQhIskkOccwgTL1iYxttthoa4bnUpiMD7kOwJFosvyNhzXQVsR2xVqks8nbYsZ0J2I
         WPIJIgCrYyJ/+CdpCFEIUnHaiKuszZ+5TnmCwaE4nRK+XZJ7qQq3klomb9xxK01WqANl
         DgIQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@collabora.com header.s=mail header.b=h4KeTh5d;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=collabora.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from agentk.vger.email (agentk.vger.email. [2620:137:e000::3:2])
        by mx.google.com with ESMTPS id bx15-20020a056a02050f00b005b95fbb1750si6727347pgb.113.2023.11.19.07.56.06
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 19 Nov 2023 07:56:07 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) client-ip=2620:137:e000::3:2;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@collabora.com header.s=mail header.b=h4KeTh5d;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:2 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=collabora.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by agentk.vger.email (Postfix) with ESMTP id 24C758059346;
	Sun, 19 Nov 2023 07:56:02 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.11 at agentk.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229575AbjKSPya (ORCPT <rfc822;aadipersonal10@gmail.com>
        + 99 others); Sun, 19 Nov 2023 10:54:30 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58754 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229441AbjKSPy3 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 19 Nov 2023 10:54:29 -0500
Received: from madras.collabora.co.uk (madras.collabora.co.uk [IPv6:2a00:1098:0:82:1000:25:2eeb:e5ab])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 10D28C0
        for <linux-kernel@vger.kernel.org>; Sun, 19 Nov 2023 07:54:24 -0800 (PST)
Received: from [100.98.85.67] (cola.collaboradmins.com [195.201.22.229])
        (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
         key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
        (No client certificate requested)
        (Authenticated sender: usama.anjum)
        by madras.collabora.co.uk (Postfix) with ESMTPSA id 4EB146602F2E;
        Sun, 19 Nov 2023 15:54:18 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=collabora.com;
        s=mail; t=1700409262;
        bh=fW2ihMsH4k3bg/a3NV4eyz3V5tCtUH+zAhUHRItn2/Q=;
        h=Date:Cc:Subject:To:References:From:In-Reply-To:From;
        b=h4KeTh5d6oYOxNuOIOykmJZSmVYkMQLrBElYZF3xrAK21Uua7aQNoH17lSWsJTXZu
         waYfsC8OKwPBbVeEW0b4YDBVEREs3gELk6ICKcemnzRPu205RXl3c9iD5OsYKq/LWk
         pMVZlGZc1/ESL5fYWCU7OAB0MK/PaXJzw0gSA4+ur0ah7uuPVvowyRJvW5aguc62zw
         1O8WJAJKqU5ORDzb8Hlgub80L+6r74vR+sELnXqIHsRvRRSK1e/ESi9GxW6N0mxJl+
         4ikzywIxJZgB9iEwvl0dq2Aa3sSaa8wpfFCMvs/InfbUIo/lcifNxlvfqashUD+uQc
         bZCHTdPjTRN0A==
Message-ID: <9d257ca7-c823-4427-8f57-cbe53b0c3b54@collabora.com>
Date:   Sun, 19 Nov 2023 10:54:12 -0500
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Cc:     Muhammad Usama Anjum <usama.anjum@collabora.com>,
        Andrew Morton <akpm@linux-foundation.org>,
        David Hildenbrand <david@redhat.com>,
        Andrei Vagin <avagin@gmail.com>,
        syzbot+e94c5aaf7890901ebf9b@syzkaller.appspotmail.com
Subject: Re: [PATCH 1/3] mm/pagemap: Fix ioctl(PAGEMAP_SCAN) on vma check
To:     Peter Xu <peterx@redhat.com>, linux-mm@kvack.org,
        linux-kernel@vger.kernel.org
References: <20231116201547.536857-1-peterx@redhat.com>
 <20231116201547.536857-2-peterx@redhat.com>
Content-Language: en-US
From:   Muhammad Usama Anjum <usama.anjum@collabora.com>
In-Reply-To: <20231116201547.536857-2-peterx@redhat.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable
	autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on agentk.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (agentk.vger.email [0.0.0.0]); Sun, 19 Nov 2023 07:56:02 -0800 (PST)

Hi Peter,

Thank you for taking care of it. I'm on holidays after LPC.

On 11/16/23 3:15 PM, Peter Xu wrote:
> The new ioctl(PAGEMAP_SCAN) relies on vma wr-protect capability provided by
> userfault, however in the vma test it didn't explicitly require the vma to
> have wr-protect function enabled, even if PM_SCAN_WP_MATCHING flag is set.
> 
> It means the pagemap code can now apply uffd-wp bit to a page in the vma
> even if not registered to userfaultfd at all.
> 
> Then in whatever way as long as the pte got written and page fault
> resolved, we'll apply the write bit even if uffd-wp bit is set.  We'll see
> a pte that has both UFFD_WP and WRITE bit set.  Anything later that looks
> up the pte for uffd-wp bit will trigger the warning:
> 
> WARNING: CPU: 1 PID: 5071 at arch/x86/include/asm/pgtable.h:403 pte_uffd_wp arch/x86/include/asm/pgtable.h:403 [inline]
> 
> Fix it by doing proper check over the vma attributes when
> PM_SCAN_WP_MATCHING is specified.
> 
> Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
> Reported-by: syzbot+e94c5aaf7890901ebf9b@syzkaller.appspotmail.com
> Signed-off-by: Peter Xu <peterx@redhat.com>
> ---
>  fs/proc/task_mmu.c | 24 ++++++++++++++++++++----
>  1 file changed, 20 insertions(+), 4 deletions(-)
> 
> diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
> index 51e0ec658457..e91085d79926 100644
> --- a/fs/proc/task_mmu.c
> +++ b/fs/proc/task_mmu.c
> @@ -1994,15 +1994,31 @@ static int pagemap_scan_test_walk(unsigned long start, unsigned long end,
>  	struct pagemap_scan_private *p = walk->private;
>  	struct vm_area_struct *vma = walk->vma;
>  	unsigned long vma_category = 0;
> +	bool wp_allowed = userfaultfd_wp_async(vma) &&
> +	    userfaultfd_wp_use_markers(vma);
>  
> -	if (userfaultfd_wp_async(vma) && userfaultfd_wp_use_markers(vma))
> -		vma_category |= PAGE_IS_WPALLOWED;
> -	else if (p->arg.flags & PM_SCAN_CHECK_WPASYNC)
> -		return -EPERM;
> +	if (!wp_allowed) {
> +		/* User requested explicit failure over wp-async capability */
> +		if (p->arg.flags & PM_SCAN_CHECK_WPASYNC)
> +			return -EPERM;
> +		/*
> +		 * User requires wr-protect, and allows silently skipping
> +		 * unsupported vmas.
> +		 */
> +		if (p->arg.flags & PM_SCAN_WP_MATCHING)
> +			return 1;
> +		/*
> +		 * Then the request doesn't involve wr-protects at all,
> +		 * fall through to the rest checks, and allow vma walk.
> +		 */
> +	}
Very simply done. I've really liked it.

Reviewed-by: Muhammad Usama Anjum <usama.anjum@collabora.com>

>  
>  	if (vma->vm_flags & VM_PFNMAP)
>  		return 1;
>  
> +	if (wp_allowed)
> +		vma_category |= PAGE_IS_WPALLOWED;
> +
>  	if (vma->vm_flags & VM_SOFTDIRTY)
>  		vma_category |= PAGE_IS_SOFT_DIRTY;
>  

-- 
BR,
Muhammad Usama Anjum