From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 16A86C77B7F
	for <linux-mm@archiver.kernel.org>; Sun, 14 May 2023 19:20:12 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 5A08D900003; Sun, 14 May 2023 15:20:12 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 55015900002; Sun, 14 May 2023 15:20:12 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 3F10B900003; Sun, 14 May 2023 15:20:12 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16])
	by kanga.kvack.org (Postfix) with ESMTP id 2F4E1900002
	for <linux-mm@kvack.org>; Sun, 14 May 2023 15:20:12 -0400 (EDT)
Received: from smtpin04.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay06.hostedemail.com (Postfix) with ESMTP id 005FCAF1C1
	for <linux-mm@kvack.org>; Sun, 14 May 2023 19:20:11 +0000 (UTC)
X-FDA: 80789826264.04.8BA94F9
Received: from mail-wr1-f52.google.com (mail-wr1-f52.google.com [209.85.221.52])
	by imf23.hostedemail.com (Postfix) with ESMTP id 19147140012
	for <linux-mm@kvack.org>; Sun, 14 May 2023 19:20:08 +0000 (UTC)
Authentication-Results: imf23.hostedemail.com;
	dkim=pass header.d=gmail.com header.s=20221208 header.b=RDeF3wZR;
	spf=pass (imf23.hostedemail.com: domain of lstoakes@gmail.com designates 209.85.221.52 as permitted sender) smtp.mailfrom=lstoakes@gmail.com;
	dmarc=pass (policy=none) header.from=gmail.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1684092009; a=rsa-sha256;
	cv=none;
	b=AVXG4CeuHtOoC6ageQpwzJnqFjKK1gAouJwAkOU/O+MTKcTlQYEEBg9snnVA5w1WQLXQAJ
	AstkGSOTS42LtJiRhZdBaHkeLtAQjMc3j3MzHwGNrNZghrmvF/4jg74RRRjwJfYlWmm8hH
	KS86wY/nNUlnJAKPNl7ugHD/XyOvTKE=
ARC-Authentication-Results: i=1;
	imf23.hostedemail.com;
	dkim=pass header.d=gmail.com header.s=20221208 header.b=RDeF3wZR;
	spf=pass (imf23.hostedemail.com: domain of lstoakes@gmail.com designates 209.85.221.52 as permitted sender) smtp.mailfrom=lstoakes@gmail.com;
	dmarc=pass (policy=none) header.from=gmail.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1684092009;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=nODLkN3MsrdfKf/UAkqWHH+G5vP9gT0pKV8dR/DBu4s=;
	b=ZuULXr4xCw/Ed2md1MTfUsIM/eNL9Cchhgi+DBV5K9fAemu5wffDymDwu5jBZ5aSOXNlyN
	ak/Pi96uVcRnaqAMQpsAIFxVBCy8528klBrLHoXqxbPDm4bDgbhqu1259QpqVN3aS6uZXm
	QhuNU3CiLtHNEvfuanmz7+AkdrBHfqg=
Received: by mail-wr1-f52.google.com with SMTP id ffacd0b85a97d-305f0491e62so11573629f8f.3
        for <linux-mm@kvack.org>; Sun, 14 May 2023 12:20:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20221208; t=1684092007; x=1686684007;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to;
        bh=nODLkN3MsrdfKf/UAkqWHH+G5vP9gT0pKV8dR/DBu4s=;
        b=RDeF3wZRRt16EUG/SiYqKwSADKhumymGx1P92RXpCWJEihqbIAjCclHt6h5mkTO7pD
         T5XFBgMo/0pOlgZKSGzUdM5dVZBn6RlZtdNSUILDCuSMt8wMUCADU4uU7tUMV5esO0gN
         6ZKy02c5iPWnkatFiRS1BtzqwbMqPC03616pW70FyCISKY64mjDDdtYNV61AaCRd8GqE
         B+Ag52Ac22GWgZum4sdq7Gt3IYJBnwpffpv3Sidbf7VFUuK2E/8wlLhGnjoYccqNCrc8
         xHUgfuGtmVfJdQTrr/zu09e9f3xi2UKSAjE4ItYpNxeZX7I568I+F7BO6c1BXPtEl6n0
         c71A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20221208; t=1684092007; x=1686684007;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=nODLkN3MsrdfKf/UAkqWHH+G5vP9gT0pKV8dR/DBu4s=;
        b=Gc68K6xDNJMcWn0GLPD4NLEcGGX1BeluJlyUmd7dwJ3B2wJYFiIvjwrrOw0dsToQKW
         bRYycydCDwz/e2sxop4xX180jxI7bSe9eplMOFPh95J6AHrQg2zQxR6YV7XvMke+n9Xw
         DGOXpp++IFUQJdPS8FqqVxy0RoTAUfdKIGXD4GJbVLxafyeUprVTbPCyPfXyvUV7WU6P
         t6eLlzsWRfn9uFNseipDQP/UJgdhOE8lhUl7YeoKL+mVDzivsSQJRcG3oUxABKagJz54
         O7QFRobRLTq4z+YmVcUUvSGKETA4j9SKJYElpmyuNNSkD4M1FsShCnV+uLXFLf8ukqAT
         FPgw==
X-Gm-Message-State: AC+VfDzc4SsmQ+373vlODo4D90HBX+b1U6Meb3uGedB+fEytOu6neWEV
	aAOmPIaftUUlMFz19hhVGCJ0UPBrKTNtPQ==
X-Google-Smtp-Source: ACHHUZ4vkD1FNhCyar5Wr13d+5f42yS2y5SigsQHIIg0eQIr0a/1ANHo564HGxX9Z2ALlM8QkyE/Vw==
X-Received: by 2002:a5d:4c8c:0:b0:2f5:3dfd:f4d2 with SMTP id z12-20020a5d4c8c000000b002f53dfdf4d2mr22848833wrs.64.1684092006850;
        Sun, 14 May 2023 12:20:06 -0700 (PDT)
Received: from localhost ([2a00:23c5:dc8c:8701:1663:9a35:5a7b:1d76])
        by smtp.gmail.com with ESMTPSA id w12-20020a05600c474c00b003f07ef4e3e0sm25829024wmo.0.2023.05.14.12.20.04
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 14 May 2023 12:20:05 -0700 (PDT)
Date: Sun, 14 May 2023 20:20:04 +0100
From: Lorenzo Stoakes <lstoakes@gmail.com>
To: linux-mm@kvack.org, linux-kernel@vger.kernel.org,
	Andrew Morton <akpm@linux-foundation.org>
Cc: Jason Gunthorpe <jgg@ziepe.ca>, Jens Axboe <axboe@kernel.dk>,
	Matthew Wilcox <willy@infradead.org>,
	Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>,
	Leon Romanovsky <leon@kernel.org>,
	Christian Benvenuti <benve@cisco.com>,
	Nelson Escobar <neescoba@cisco.com>,
	Bernard Metzler <bmt@zurich.ibm.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Ingo Molnar <mingo@redhat.com>,
	Arnaldo Carvalho de Melo <acme@kernel.org>,
	Mark Rutland <mark.rutland@arm.com>,
	Alexander Shishkin <alexander.shishkin@linux.intel.com>,
	Jiri Olsa <jolsa@kernel.org>, Namhyung Kim <namhyung@kernel.org>,
	Ian Rogers <irogers@google.com>,
	Adrian Hunter <adrian.hunter@intel.com>,
	Bjorn Topel <bjorn@kernel.org>,
	Magnus Karlsson <magnus.karlsson@intel.com>,
	Maciej Fijalkowski <maciej.fijalkowski@intel.com>,
	Jonathan Lemon <jonathan.lemon@gmail.com>,
	"David S . Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Christian Brauner <brauner@kernel.org>,
	Richard Cochran <richardcochran@gmail.com>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Jesper Dangaard Brouer <hawk@kernel.org>,
	John Fastabend <john.fastabend@gmail.com>,
	linux-fsdevel@vger.kernel.org, linux-perf-users@vger.kernel.org,
	netdev@vger.kernel.org, bpf@vger.kernel.org,
	Oleg Nesterov <oleg@redhat.com>, Jason Gunthorpe <jgg@nvidia.com>,
	John Hubbard <jhubbard@nvidia.com>, Jan Kara <jack@suse.cz>,
	"Kirill A . Shutemov" <kirill@shutemov.name>,
	Pavel Begunkov <asml.silence@gmail.com>,
	Mika Penttila <mpenttil@redhat.com>,
	David Hildenbrand <david@redhat.com>,
	Dave Chinner <david@fromorbit.com>, Theodore Ts'o <tytso@mit.edu>,
	Peter Xu <peterx@redhat.com>,
	Matthew Rosato <mjrosato@linux.ibm.com>,
	"Paul E . McKenney" <paulmck@kernel.org>,
	Christian Borntraeger <borntraeger@linux.ibm.com>
Subject: Re: [PATCH v9 0/3] mm/gup: disallow GUP writing to file-backed
 mappings by default
Message-ID: <0eb31f6f-a122-4a5b-a959-03ed4dee1f3c@lucifer.local>
References: <cover.1683235180.git.lstoakes@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <cover.1683235180.git.lstoakes@gmail.com>
X-Rspam-User: 
X-Rspamd-Server: rspam02
X-Rspamd-Queue-Id: 19147140012
X-Stat-Signature: icju6gpznnt875xrfgossxhxnzjudaz1
X-HE-Tag: 1684092008-660595
X-HE-Meta: U2FsdGVkX1+g9hKmDoUNBSfNCcpBpgJ0Z51B9y05HPS/O5D90vBX9K2w6e873gJ6bia+r4h5yEG3Dsh0oPbBgnpzVI035lcwnwobYeznyNd/tosZZW2THjSy8lR/sUYU651Y779lD4HmPm/KIgNAq+Cbf3s9ssgxm5RE3EGK9tayN9yVC/+Yz58LV+hCVtwquMOR5Hn6CCkm9igFXnZk034fnLwD61c9yI4Kqsee9hG+q1MmwTuydjkBzU0E2JlCi1luqfRHM9OYfptBrpcw8rOCx1aWi+RKCMUgJ//YJJUc1AFzqfXc1yF+5CbKJOiz6h6LIpD0ebOfH7jxsFSQcfstmPywkxao6iaJlZVj+FWUs2b4/vIQSQNNdvgFtPTh9ZWImKtAlFx7+pWgLm2tBH2A7AWaPiX5vsjrClwluF38CzrLx748Qzo/WtL/LwurupQd9v6ESbZreH5VzB0AHdCPISkEIxmfrbFpGAl56oa3LUzXHvvbJmcjzeFg8zF4W3/L7vn73fTPsqzNujwCiFOtrjNNultcAW5IXeOEXqPcrpdphLdUPF2hvpsG+FEyfxpQAhhmJyqstFPYS3fG+wGgxzHm46U64BeZKUTlCOqjdS+nJqKwpwN7zk+YRiTM8q39Lx1h32CtANrRbr0w9jYyCadsjyqVBxixh3XjSvWHnDpK+t6FJ17mOo7WNzBzfmjFv85+9eXU9Yh5h7n+FOO0RxTdbdT5gYJnuJm+v9ErprmINKhrse2Jp5eG+u7LqRkBY+7632J+9Qgf/qOHWWhNes7j8NS61fdJKot+di28Hj6Y5LrLgODvRkZtpDzDAYUjwUxaFBtMqWKt71SfM7+49WdJPTK1SKO1xEZ4+fiwIa3fRZNnjn+MRJa2vpADpSmrIAUGWzaSCKMJQG5kN0OK3k1r7ZWAql/Oop7ncvjcJxLWXhDmC5dk84dpv4KjY1qdvDxQjhNSzuV4Z5P
 vb1BdqSY
 2BxJrnxcHyytoAmCTJLF81lB75Nw9lOK+6i+v0e/KiHnXEhsrTVIksxf32d5uI1pWrJ9TqwnmCpzlD5srh7OW/JW5tHRw7XEdwtrEzB7O31VMVedcFQjE7LcFyw+I/Zy7ISocZn4I7UO1WYEmCYW2efMj4elviF1XdDxngcwglvguypvJiCmCXxvKdINBUK41d3XsjVH4wdlW4duAgD5XZf/Ft1IliMb0xfi5WHaS9dVt3U8V+MFGi56YcPye6NJJcvhM4uRmTXiwQYGctez8i8e1ruYEFLpPQeGenud4HJXwkwl79G3qlDHZOYdx5nCnbm16xUzuLWkluqgqTBoLyn9g5NE7ILWQ1gpt7v7TuF3fPKrOVSWqOM3jza2eJPT9UCoR4JqEeB4qlgCOx24n6S2VGauNSGLeIHBMbBiMLVTawr1Hk1/HwwIj47DvyJvxNN+KMDBKl70s/fPmjEpX4jQvo091g9Tio2GHVRXKVdgjtud3urlfcWULvA==
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Thu, May 04, 2023 at 10:27:50PM +0100, Lorenzo Stoakes wrote:
> Writing to file-backed mappings which require folio dirty tracking using
> GUP is a fundamentally broken operation, as kernel write access to GUP
> mappings do not adhere to the semantics expected by a file system.
>
> A GUP caller uses the direct mapping to access the folio, which does not
> cause write notify to trigger, nor does it enforce that the caller marks
> the folio dirty.
>
> The problem arises when, after an initial write to the folio, writeback
> results in the folio being cleaned and then the caller, via the GUP
> interface, writes to the folio again.
>
> As a result of the use of this secondary, direct, mapping to the folio no
> write notify will occur, and if the caller does mark the folio dirty, this
> will be done so unexpectedly.
>
> For example, consider the following scenario:-
>
> 1. A folio is written to via GUP which write-faults the memory, notifying
>    the file system and dirtying the folio.
> 2. Later, writeback is triggered, resulting in the folio being cleaned and
>    the PTE being marked read-only.
> 3. The GUP caller writes to the folio, as it is mapped read/write via the
>    direct mapping.
> 4. The GUP caller, now done with the page, unpins it and sets it dirty
>    (though it does not have to).
>
> This change updates both the PUP FOLL_LONGTERM slow and fast APIs. As
> pin_user_pages_fast_only() does not exist, we can rely on a slightly
> imperfect whitelisting in the PUP-fast case and fall back to the slow case
> should this fail.
[snip]

As discussed at LSF/MM, on the flight over I wrote a little repro [0] which
reliably triggers the ext4 warning by recreating the scenario described
above, using a small userland program and kernel module.

This code is not perfect (plane code :) but does seem to do the job
adequately, also obviously this should only be run in a VM environment
where data loss is acceptable (in my case a small qemu instance).

Hopefully this is useful in some way. Note that I explicitly use
pin_user_pages() without FOLL_LONGTERM here in order to not run into the
mitigation this very patch series provides! Obviously if you revert this
series you can see the same happening with FOLL_LONGTERM set.

I have licensed the code as GPLv2 so anybody's free to do with it as they
will if it's useful in any way!

[0]:https://github.com/lorenzo-stoakes/gup-repro