From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3D6CFC77B60 for ; Fri, 28 Apr 2023 16:13:16 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id AF2826B0075; Fri, 28 Apr 2023 12:13:15 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id AA2E46B0078; Fri, 28 Apr 2023 12:13:15 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 943DB6B007B; Fri, 28 Apr 2023 12:13:15 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12]) by kanga.kvack.org (Postfix) with ESMTP id 85AA56B0075 for ; Fri, 28 Apr 2023 12:13:15 -0400 (EDT) Received: from smtpin04.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id 606F7C0217 for ; Fri, 28 Apr 2023 16:13:15 +0000 (UTC) X-FDA: 80731294350.04.FED6763 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by imf11.hostedemail.com (Postfix) with ESMTP id 3FD1440025 for ; Fri, 28 Apr 2023 16:13:12 +0000 (UTC) Authentication-Results: imf11.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=iE244LyG; spf=pass (imf11.hostedemail.com: domain of david@redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=david@redhat.com; dmarc=pass (policy=none) header.from=redhat.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1682698392; a=rsa-sha256; cv=none; b=bOC3zF7VwsgGrqI3iZuWMgTAN/4ov3ykWs4tgA5jgxsV9EhGVz0lGXN2KHt8ivabudrmNQ C//sTbLthWknd8XQIBKj3wbeRRbW7GBVm0bkl1xNTj4LieW1RFkmxw7oBk+CXv+rjExPqi JK+VE/VA0fsQeQHkmGcWxF1jbTPL0s0= ARC-Authentication-Results: i=1; imf11.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=iE244LyG; spf=pass (imf11.hostedemail.com: domain of david@redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=david@redhat.com; dmarc=pass (policy=none) header.from=redhat.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1682698392; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=5xkaTJLSgSiHWckTCCg+jkvg+cPl3tpnSAiaPo9ljdQ=; b=3YmRsFg7KuQldpOZraP5voRZk+UNQCCoOEczZcVywWZdBTtGWaonBPyRIpLKUKtgwgWks6 loYVPOiWAB9Ba+nAJElD79TZeiXQE0Xl9NZuNXuBfgIOfC6GwMFgHmamExvk3/W+oez0HZ HsJutuSScHYQjEKNJCO1W6gpyAlGes4= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1682698391; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=5xkaTJLSgSiHWckTCCg+jkvg+cPl3tpnSAiaPo9ljdQ=; b=iE244LyGuaeDCaw2FIb3cFBU5mKF1BDZD4fbz0mIXhUcK35dIBtca41DAgw190lJBLGFIw ITJW5bGJQ1n0jdhyUMHqrRptsrFfuuxNwEvMaf+6lY8ARXD35djHaO4X6VaXVskLSCAVUL d2h8ALa2bg5uYOBats5PmGgIr4zGxNw= Received: from mail-wm1-f70.google.com (mail-wm1-f70.google.com [209.85.128.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-75-LZG2cRb0NDe2hCPzE1VvUw-1; Fri, 28 Apr 2023 12:13:08 -0400 X-MC-Unique: LZG2cRb0NDe2hCPzE1VvUw-1 Received: by mail-wm1-f70.google.com with SMTP id 5b1f17b1804b1-3f1757ebb1eso36370295e9.2 for ; Fri, 28 Apr 2023 09:13:07 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682698387; x=1685290387; h=content-transfer-encoding:in-reply-to:organization:from:references :cc:to:content-language:subject:user-agent:mime-version:date :message-id:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=5xkaTJLSgSiHWckTCCg+jkvg+cPl3tpnSAiaPo9ljdQ=; b=lTfVs/Kccuw2kMheziH3u6ARsmq3r99n7hmncihhXQBJ8cH7KaqPlyR418DHhmX3DY 1IAc8YTFoy879FcoicwqU6mlrSsdMkWFYGML6dxL6hRbdcx60QrWxShHv4fojgwxWbQK tffnbGCdG4b4OBh2fUgO53VvExurcAOH0EDxCU1WJ4jpI3eq5SOh39TA75H0fNCxOeme x7O5ir7HBqqYR9oxK1FpS3zE5GvGZGUGKtSHkTuYj15z3UNZ9ZUoQOwxZdLIl84bCPJr yRC2wdXxjmBNc6gC4ho6ioj8Qx4McguzfwwMiK2a0CXd3dp4Bve0kQJJ/+mxZYWanFwK E3Dw== X-Gm-Message-State: AC+VfDy0wreuPAAadLk86Sxt2GayRyUgubzUt1HVcTZ3qPcNBx5XtqlD cmFy0PGt2mhIj+Oia4jtB4O6jGgAsi3AUcqsJ5dT1k44mAOSzKl0LIj8bbe5UuPV1Jk8BfBLwSm nGOd0MncjD6M= X-Received: by 2002:a1c:cc0f:0:b0:3f1:718d:a21c with SMTP id h15-20020a1ccc0f000000b003f1718da21cmr4546954wmb.31.1682698386877; Fri, 28 Apr 2023 09:13:06 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5UcVnruZKFM610WaYbD7KosGHJuT9juitvMObOnL1WWik01k7wINU0BT60S4IoSquURMFEKg== X-Received: by 2002:a1c:cc0f:0:b0:3f1:718d:a21c with SMTP id h15-20020a1ccc0f000000b003f1718da21cmr4546897wmb.31.1682698386533; Fri, 28 Apr 2023 09:13:06 -0700 (PDT) Received: from ?IPV6:2003:cb:c726:9300:1711:356:6550:7502? (p200300cbc72693001711035665507502.dip0.t-ipconnect.de. [2003:cb:c726:9300:1711:356:6550:7502]) by smtp.gmail.com with ESMTPSA id c21-20020a7bc855000000b003f17300c7dcsm24667685wml.48.2023.04.28.09.13.04 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 28 Apr 2023 09:13:06 -0700 (PDT) Message-ID: <39cc0f26-8fc2-79dd-2e84-62238d27fd98@redhat.com> Date: Fri, 28 Apr 2023 18:13:03 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.10.0 Subject: Re: [PATCH v5] mm/gup: disallow GUP writing to file-backed mappings by default To: "Kirill A . Shutemov" Cc: Lorenzo Stoakes , Jason Gunthorpe , linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrew Morton , Jens Axboe , Matthew Wilcox , Dennis Dalessandro , Leon Romanovsky , Christian Benvenuti , Nelson Escobar , Bernard Metzler , Peter Zijlstra , Ingo Molnar , Arnaldo Carvalho de Melo , Mark Rutland , Alexander Shishkin , Jiri Olsa , Namhyung Kim , Ian Rogers , Adrian Hunter , Bjorn Topel , Magnus Karlsson , Maciej Fijalkowski , Jonathan Lemon , "David S . Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Christian Brauner , Richard Cochran , Alexei Starovoitov , Daniel Borkmann , Jesper Dangaard Brouer , John Fastabend , linux-fsdevel@vger.kernel.org, linux-perf-users@vger.kernel.org, netdev@vger.kernel.org, bpf@vger.kernel.org, Oleg Nesterov , John Hubbard , Jan Kara , Pavel Begunkov , Mika Penttila , David Howells , Christoph Hellwig References: <6b73e692c2929dc4613af711bdf92e2ec1956a66.1682638385.git.lstoakes@gmail.com> <094d2074-5b69-5d61-07f7-9f962014fa68@redhat.com> <400da248-a14e-46a4-420a-a3e075291085@redhat.com> <077c4b21-8806-455f-be98-d7052a584259@lucifer.local> <62ec50da-5f73-559c-c4b3-bde4eb215e08@redhat.com> <6ddc7ac4-4091-632a-7b2c-df2005438ec4@redhat.com> <20230428160925.5medjfxkyvmzfyhq@box.shutemov.name> From: David Hildenbrand Organization: Red Hat In-Reply-To: <20230428160925.5medjfxkyvmzfyhq@box.shutemov.name> X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Rspam-User: X-Rspamd-Queue-Id: 3FD1440025 X-Rspamd-Server: rspam01 X-Stat-Signature: jabmgw91kqpctobdfeoggwjodtctbw8d X-HE-Tag: 1682698392-273344 X-HE-Meta: U2FsdGVkX1/kIOmhWeVJ65Spb65Qcx9KPTjwfS4XFQAbuiXP1sLOSQjwuvI70R8mwChA+lpBAyi30rRrKwkROreZp11DI6Wf0Ts2lk1y2LsOguACJ2BrUnbNetStpOlPfFhazJNY2ld2JLFAcW3xf97jKewgEJ5t6q61N+9qjG278NuxlG1NRFjJhO1Ld1+J8aEkv8nieLX3RhgIGYpxv3VM3iEhB7ovCmH5R3NzM9vtI8nEtZqQxCgUaDncw7YY2V+xCLj6eD4FWdvbBNQ1Vp/uXfUe7odKuM5KhU72vhr7FzVLxtZIkUmt14WqJ5yu9+F6t/QEprvplJDSs39vQtFV8GoPfBsUL7I63ypb8m5BO3esTnhQbiZ3SDypROrlbONiumX/nGJYygYXg24E0dIMzz85kcAgETeVblMlUfRqJAR/rj5gxGBDQZHSGhfQb+GxZuqA9NY5XO14WWtQAF6YJHno5aGvfFrApuDWHJ874VvdrRffu30NbDlC4b4usMPEM3lbMMzuxG+2bD3egTIazx4O3ZUENZR5FeDOPabxQAX5hOeOs8lTdviZjh3wCIERdvmpexmkF5zB68yLj9swZZmWrEKmPYy5XQvPElwR18OliJRbNMIyjIQEa9ghB/zSO3+pgKOgTG+G41T0CytgAw+Zfsrm3za5YH58G7HRZql4DEMl73h278IoWVcIWOUHoryTJJerB4Ub5tTnNM9da4ImeMnop15uOSUnsyn8oSNX0bncZfrVzvhXO7Fku8wWsLQMX/L12sgIUX5C8rOFVMaq3+NC456NdxKWAFHRKJvdodyvoQGmzzL8YBS7wtJSXMCwHX7iY+jh61PXyxBDo2EF7Vt2RQ5wRFkPx9QCYR7tIg2fMOzBH2gAY8zKb+DQl1UTjwUVLNcwmtk1FLZ0u7SyTX8lO0qAxiUQ4AvIsNEpgiS+J0SJSVGSyMLUFWlpAkPhdCQ5QPo+Ffq MzcOBF7z Kkus2pAsMrPVVh7MV0CCFMzL+/7c4zmi01uFe1OrVF/aqGm7GjJrLBqzEdjKhTQsdxr0oQ0RivWOG3VdQ2E8cyxjch6Qpir7CllViJ09NeThoSQWD3X6rfydSuMjIg2L03JEWyK1vudZhga0rL888n3+Q3N1WEoB3QCCcfj61lYuyTfhUF4cpKjaFhQgoUaoJxKXGMlgqksvWB4PWbJSmUgmvQ+dW7eDbbLN/TKF1LWd2j26OaoaHFci6PHEuwyu/UFzBT95idvpmvZQQO99G2dfJrrixIVzs4O1Iff2xauwOI9w+2/NHbac+NttBSVWnm63n16CFp2kOpeNIxyIrca/AUDfJqDBh5XKwXfikTFfft3dhir8+G+G/ZLnFKjvdCdZUV3Efg6N3qn8cKypZSyWHBbYPFUSaJCuZ3qAqHi67h3+nFnf6+J6GIDltWGtonIWhrYlrI8PL0d0= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 28.04.23 18:09, Kirill A . Shutemov wrote: > On Fri, Apr 28, 2023 at 05:43:52PM +0200, David Hildenbrand wrote: >> On 28.04.23 17:34, David Hildenbrand wrote: >>> On 28.04.23 17:33, Lorenzo Stoakes wrote: >>>> On Fri, Apr 28, 2023 at 05:23:29PM +0200, David Hildenbrand wrote: >>>>>>> >>>>>>> Security is the primary case where we have historically closed uAPI >>>>>>> items. >>>>>> >>>>>> As this patch >>>>>> >>>>>> 1) Does not tackle GUP-fast >>>>>> 2) Does not take care of !FOLL_LONGTERM >>>>>> >>>>>> I am not convinced by the security argument in regard to this patch. >>>>>> >>>>>> >>>>>> If we want to sells this as a security thing, we have to block it >>>>>> *completely* and then CC stable. >>>>> >>>>> Regarding GUP-fast, to fix the issue there as well, I guess we could do >>>>> something similar as I did in gup_must_unshare(): >>>>> >>>>> If we're in GUP-fast (no VMA), and want to pin a !anon page writable, >>>>> fallback to ordinary GUP. IOW, if we don't know, better be safe. >>>> >>>> How do we determine it's non-anon in the first place? The check is on the >>>> VMA. We could do it by following page tables down to folio and checking >>>> folio->mapping for PAGE_MAPPING_ANON I suppose? >>> >>> PageAnon(page) can be called from GUP-fast after grabbing a reference. >>> See gup_must_unshare(). >> >> IIRC, PageHuge() can also be called from GUP-fast and could special-case >> hugetlb eventually, as it's table while we hold a (temporary) reference. >> Shmem might be not so easy ... > > page->mapping->a_ops should be enough to whitelist whatever fs you want. > The issue is how to stabilize that from GUP-fast, such that we can safely dereference the mapping. Any idea? At least for anon page I know that page->mapping only gets cleared when freeing the page, and we don't dereference the mapping but only check a single flag stored alongside the mapping. Therefore, PageAnon() is fine in GUP-fast context. -- Thanks, David / dhildenb