Message-ID: <9d257ca7-c823-4427-8f57-cbe53b0c3b54@collabora.com>
Date: Sun, 19 Nov 2023 10:54:12 -0500
Subject: Re: [PATCH 1/3] mm/pagemap: Fix ioctl(PAGEMAP_SCAN) on vma check
To: Peter Xu, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc: Muhammad Usama Anjum, Andrew Morton, David Hildenbrand, Andrei Vagin, syzbot+e94c5aaf7890901ebf9b@syzkaller.appspotmail.com
References: <20231116201547.536857-1-peterx@redhat.com> <20231116201547.536857-2-peterx@redhat.com>
From: Muhammad Usama Anjum
In-Reply-To: <20231116201547.536857-2-peterx@redhat.com>

Hi Peter,

Thank you for taking care of it. I'm on holidays after LPC.

On 11/16/23 3:15 PM, Peter Xu wrote:
> The new ioctl(PAGEMAP_SCAN) relies on vma wr-protect capability provided by
> userfault, however in the vma test it didn't explicitly require the vma to
> have wr-protect function enabled, even if PM_SCAN_WP_MATCHING flag is set.
>
> It means the pagemap code can now apply uffd-wp bit to a page in the vma
> even if not registered to userfaultfd at all.
>
> Then in whatever way as long as the pte got written and page fault
> resolved, we'll apply the write bit even if uffd-wp bit is set. We'll see
> a pte that has both UFFD_WP and WRITE bit set. Anything later that looks
> up the pte for uffd-wp bit will trigger the warning:
>
> WARNING: CPU: 1 PID: 5071 at arch/x86/include/asm/pgtable.h:403 pte_uffd_wp arch/x86/include/asm/pgtable.h:403 [inline]
>
> Fix it by doing proper check over the vma attributes when
> PM_SCAN_WP_MATCHING is specified.
>
> Fixes: 52526ca7fdb9 ("fs/proc/task_mmu: implement IOCTL to get and optionally clear info about PTEs")
> Reported-by: syzbot+e94c5aaf7890901ebf9b@syzkaller.appspotmail.com
> Signed-off-by: Peter Xu
> ---
> fs/proc/task_mmu.c | 24 ++++++++++++++++++++----
> 1 file changed, 20 insertions(+), 4 deletions(-)
> > diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c > index 51e0ec658457..e91085d79926 100644 > --- a/fs/proc/task_mmu.c > +++ b/fs/proc/task_mmu.c > @@ -1994,15 +1994,31 @@ static int pagemap_scan_test_walk(unsigned long start, unsigned long end, > struct pagemap_scan_private *p = walk->private; > struct vm_area_struct *vma = walk->vma; > unsigned long vma_category = 0; > + bool wp_allowed = userfaultfd_wp_async(vma) && > + userfaultfd_wp_use_markers(vma); > > - if (userfaultfd_wp_async(vma) && userfaultfd_wp_use_markers(vma)) > - vma_category |= PAGE_IS_WPALLOWED; > - else if (p->arg.flags & PM_SCAN_CHECK_WPASYNC) > - return -EPERM; > + if (!wp_allowed) { > + /* User requested explicit failure over wp-async capability */ > + if (p->arg.flags & PM_SCAN_CHECK_WPASYNC) > + return -EPERM; > + /* > + * User requires wr-protect, and allows silently skipping > + * unsupported vmas. > + */ > + if (p->arg.flags & PM_SCAN_WP_MATCHING) > + return 1; > + /* > + * Then the request doesn't involve wr-protects at all, > + * fall through to the rest checks, and allow vma walk. > + */ > + } Very simply done. I've really liked it. Reviewed-by: Muhammad Usama Anjum > > if (vma->vm_flags & VM_PFNMAP) > return 1; > > + if (wp_allowed) > + vma_category |= PAGE_IS_WPALLOWED; > + > if (vma->vm_flags & VM_SOFTDIRTY) > vma_category |= PAGE_IS_SOFT_DIRTY; > -- BR, Muhammad Usama Anjum
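Review bot: the `return 1` in the new `!wp_allowed` branch silently drops the whole vma from the walk when PM_SCAN_WP_MATCHING is set without PM_SCAN_CHECK_WPASYNC, so a caller that assumes the scan write-protected everything in the requested range can be left with pages that were never wr-protected and no error to tell it so; the comment "allows silently skipping unsupported vmas" would be clearer if it also said that PM_SCAN_CHECK_WPASYNC is the only way to get -EPERM for such a vma, and the PAGEMAP_SCAN uapi documentation should state the same if it does not already. Minor wording: "fall through to the rest checks" reads better as "fall through to the rest of the checks". Moving `vma_category |= PAGE_IS_WPALLOWED` below the VM_PFNMAP test is harmless, since that test returns 1 before the category is consulted.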