From: David Hildenbrand
Organization: Red Hat
Date: Wed, 14 Jun 2023 17:31:36 +0200
To: Peter Xu, linux-kernel@vger.kernel.org, linux-mm@kvack.org
Cc: Matthew Wilcox, Andrea Arcangeli, John Hubbard, Mike Rapoport, Vlastimil Babka, "Kirill A . Shutemov", Andrew Morton, Mike Kravetz, James Houghton, Hugh Dickins
Subject: Re: [PATCH 2/7] mm/hugetlb: Fix hugetlb_follow_page_mask() on permission checks

On 13.06.23 23:53, Peter Xu wrote:
> It seems hugetlb_follow_page_mask() was missing permission checks. For
> example, one follow_page() can get the hugetlb page with FOLL_WRITE even if
> the page is read-only.

I'm curious if there even is a follow_page() user that operates on hugetlb ...

s390x secure storage does not apply to hugetlb IIRC.

ksm.c? no.

huge_memory.c? no.

So what remains is most probably mm/migrate.c, which never sets FOLL_WRITE.

Or am I missing a user?

>
> And it wasn't there even in the old follow_page_mask(), where we can
> reference from before commit 57a196a58421 ("hugetlb: simplify hugetlb
> handling in follow_page_mask").
> > Let's add them, namely, either the need to CoW due to missing write bit, or > proper CoR on !AnonExclusive pages over R/O pins to reject the follow page. > That brings this function closer to follow_hugetlb_page(). > > I just doubt how many of us care for that, for FOLL_PIN follow_page doesn't > really happen at all. But we'll care, and care more if we switch over > slow-gup to use hugetlb_follow_page_mask(). We'll also care when to return > -EMLINK then, as that's the gup internal api to mean "we should do CoR". > > When at it, switching the try_grab_page() to use WARN_ON_ONCE(), to be > clear that it just should never fail. > > Signed-off-by: Peter Xu > --- > mm/hugetlb.c | 22 ++++++++++++++++------ > 1 file changed, 16 insertions(+), 6 deletions(-) > > diff --git a/mm/hugetlb.c b/mm/hugetlb.c > index 82dfdd96db4c..9c261921b2cf 100644 > --- a/mm/hugetlb.c > +++ b/mm/hugetlb.c > @@ -6481,8 +6481,21 @@ struct page *hugetlb_follow_page_mask(struct vm_area_struct *vma, > ptl = huge_pte_lock(h, mm, pte); > entry = huge_ptep_get(pte); > if (pte_present(entry)) { > - page = pte_page(entry) + > - ((address & ~huge_page_mask(h)) >> PAGE_SHIFT); > + page = pte_page(entry); > + > + if (gup_must_unshare(vma, flags, page)) { > + /* Tell the caller to do Copy-On-Read */ > + page = ERR_PTR(-EMLINK); > + goto out; > + } > + > + if ((flags & FOLL_WRITE) && !pte_write(entry)) { > + page = NULL; > + goto out; > + } > + > + page += ((address & ~huge_page_mask(h)) >> PAGE_SHIFT); > + > /* > * Note that page may be a sub-page, and with vmemmap > * optimizations the page struct may be read only. 
> @@ -6492,10 +6505,7 @@ struct page *hugetlb_follow_page_mask(struct vm_area_struct *vma, > * try_grab_page() should always be able to get the page here, > * because we hold the ptl lock and have verified pte_present(). > */ > - if (try_grab_page(page, flags)) { > - page = NULL; > - goto out; > - } > + WARN_ON_ONCE(try_grab_page(page, flags)); > } > out: > spin_unlock(ptl); -- Cheers, David / dhildenb
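
Review bot: In the first hunk (@@ -6481), the new `page = ERR_PTR(-EMLINK);` path means hugetlb_follow_page_mask() can now hand back an error pointer, where the visible failure paths only ever produced NULL. Every caller has to be checked for IS_ERR() handling before it dereferences or adds to the result, and the return convention (NULL for "needs a write fault", -EMLINK for "needs unsharing") deserves a line in the function comment. Also, the entry is read with huge_ptep_get(), so the write test should use the hugetlb helper, `huge_pte_write(entry)`, rather than `pte_write(entry)`, to stay consistent with the other huge_* accessors used here.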
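
Review bot: In the second hunk (@@ -6492), `WARN_ON_ONCE(try_grab_page(page, flags));` drops the old `page = NULL; goto out;` fallback, so if the grab ever does fail the function warns and still returns a page pointer on which no reference or pin was taken. The caller would then use and later release a reference it never held. Keeping the warning but preserving a failure return would be safer, for example capturing the return value in a local and, inside `if (WARN_ON_ONCE(ret))`, setting `page` to NULL or an ERR_PTR before `goto out`.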