From: Christian Borntraeger <borntraeger@de.ibm.com>
To: Dave Hansen <dave.hansen@intel.com>,
Claudio Imbrenda <imbrenda@linux.ibm.com>,
viro@zeniv.linux.org.uk
Cc: david@redhat.com, akpm@linux-foundation.org, aarcange@redhat.com,
linux-mm@kvack.org, frankja@linux.ibm.com, sfr@canb.auug.org.au,
jhubbard@nvidia.com, linux-kernel@vger.kernel.org,
linux-s390@vger.kernel.org, jack@suse.cz, kirill@shutemov.name,
peterz@infradead.org, sean.j.christopherson@intel.com,
Ulrich.Weigand@de.ibm.com
Subject: Re: [PATCH v2 1/1] fs/splice: add missing callback for inaccessible pages
Date: Fri, 1 May 2020 09:18:34 +0200 [thread overview]
Message-ID: <3d379d9e-241c-ef3b-dcef-20fdd3b8740d@de.ibm.com> (raw)
In-Reply-To: <e3e95a35-b0e3-b733-92f4-98bcccbe7ca5@intel.com>
On 01.05.20 00:06, Dave Hansen wrote:
> I was also wondering if Claudio was right about the debug patch having
> races. I went to go look how the s390 code avoids races when pages go
> from accessible->inaccessible.
>
> Because, if if all of the traps are in place to transform pages from
> inaccessible->accessible, the code *after* those traps is still
> vulnerable. What *keeps* pages accessible?
>
> The race avoidance is this, basically:
>
> down_read(&gmap->mm->mmap_sem);
> lock_page(page);
> ptep = get_locked_pte(gmap->mm, uaddr, &ptelock);
> ...
>> expected = expected_page_refs(page);
>> if (!page_ref_freeze(page, expected))
>> return -EBUSY;
>> set_bit(PG_arch_1, &page->flags);
>> rc = uv_call(0, (u64)uvcb);
>> page_ref_unfreeze(page, expected);
>
> ... up_read(mmap_sem) / unlock_page() / unlock pte
>
> I'm assuming that after the uv_call(), the page is inaccessible and I/O
> devices will go boom if they touch the page.
>
> The page_ref_freeze() ensures that references come between the
> freeze/unfreeze are noticed, but it doesn't actually *stop* new ones for
> users that hold references already. For the page cache, especially,
> someone could do:
>
> page = find_get_page();
> arch_make_page_accessible();
> lock_page();
> ... make_secure_pte();
Not sure if I got your point here, but this make_secure_pte should bail
out because we actually do check for a calculated refcount value and return
-EBUSY. The find_get_page should have raised this refcount to a value that
would go beyond the expected value, No?
> unlock_page();
> get_page();
> // ^ OK because I have a ref
> // do DMA on inaccessible page
>
> Because the make_secure_pte() code isn't looking for a *specific*
> 'expected' value, it has no way of noticing that the extra ref snuck in
> there.
I think the expected calcution is actually doing that,giving back the minimum
value when no one else has any references that are valid for I/O.
But I might not have understood what you are trying to tell me?
>
> I _think_ expected actually needs to be checked for having a specific
> (low) value so that if there's a *possibility* of a reference holder
> acquiring additional references, the page is known to be off-limits.
> mm/migrate.c has a few examples of this, but I'm not quite sure how
> bulletproof they are. Some of it appears to just be optimizations.
>
>
>
b
next prev parent reply other threads:[~2020-05-01 7:18 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-30 14:38 Claudio Imbrenda
2020-04-30 20:04 ` Christian Borntraeger
2020-04-30 22:06 ` Dave Hansen
2020-04-30 22:20 ` Dave Hansen
2020-05-01 7:18 ` Christian Borntraeger [this message]
2020-05-01 16:32 ` Dave Hansen
2020-05-04 13:41 ` Ulrich Weigand
2020-05-05 12:34 ` Dave Hansen
2020-05-05 13:55 ` Ulrich Weigand
2020-05-05 14:01 ` Christian Borntraeger
2020-05-05 14:03 ` Christian Borntraeger
2020-05-05 14:33 ` Ulrich Weigand
2020-05-05 14:49 ` Christian Borntraeger
2020-05-05 14:57 ` Dave Hansen
2020-05-05 14:00 ` Christian Borntraeger
2020-05-05 14:24 ` Dave Hansen
2020-05-05 14:31 ` Christian Borntraeger
2020-05-05 14:34 ` Dave Hansen
2020-05-05 14:39 ` Christian Borntraeger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3d379d9e-241c-ef3b-dcef-20fdd3b8740d@de.ibm.com \
--to=borntraeger@de.ibm.com \
--cc=Ulrich.Weigand@de.ibm.com \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=dave.hansen@intel.com \
--cc=david@redhat.com \
--cc=frankja@linux.ibm.com \
--cc=imbrenda@linux.ibm.com \
--cc=jack@suse.cz \
--cc=jhubbard@nvidia.com \
--cc=kirill@shutemov.name \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-s390@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=sean.j.christopherson@intel.com \
--cc=sfr@canb.auug.org.au \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox