From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id E6D01C43334 for ; Fri, 8 Jul 2022 08:29:17 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 87C9D6B0073; Fri, 8 Jul 2022 04:29:17 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 82B666B0074; Fri, 8 Jul 2022 04:29:17 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 71B0D6B0075; Fri, 8 Jul 2022 04:29:17 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13]) by kanga.kvack.org (Postfix) with ESMTP id 62D666B0073 for ; Fri, 8 Jul 2022 04:29:17 -0400 (EDT) Received: from smtpin26.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay02.hostedemail.com (Postfix) with ESMTP id 31BEB324B8 for ; Fri, 8 Jul 2022 08:29:17 +0000 (UTC) X-FDA: 79663257954.26.3844559 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by imf10.hostedemail.com (Postfix) with ESMTP id A759DC0017 for ; Fri, 8 Jul 2022 08:29:16 +0000 (UTC) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 5EED0B8254B; Fri, 8 Jul 2022 08:29:13 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 36D91C341CA; Fri, 8 Jul 2022 08:29:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1657268952; bh=3+lvg4yLRgKw0Av0KSsScOBtHId0AgBC8aS9mfOg6io=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=EGkxqLWDM8MkbcVDWcZ8aYLEUbCFG4AIIr2KogDDfkwFpRUSa2/hHoYR61c9BrSGA Ldm5sJuQdg6JNeV0jsUIKevPJd1tomDhTREE5XUABv49xHHczWpJC04m5d8oserQzk 3zDBaiJ06FyPH+tJa5JB92+vqyxPPaojAGiCdU2PQQgqCq15NjXNZBYj540mZ2oAu6 L2juqbgGNgcSViV5R3dkCu2+TSgOa0IEkgXzWHQWxcPdnKt85g76ZQaoxHuhwpZYtP zNPqDaK75UPQ//QSdInfN4Zht5EabF9XWrdai65dHk7iSF7J7+ib4Q2Yrp0EVhg5DX 42ngGb+GIHtVQ== Date: Fri, 8 Jul 2022 11:28:54 +0300 From: Mike Rapoport To: Yang Shi Cc: "Darrick J. Wong" , Andrew Morton , Axel Rasmussen , Eric Biggers , Hillf Danton , Matthew Wilcox , Mike Rapoport , Linux FS-devel Mailing List , Linux MM , syzkaller-bugs , syzbot+9bd2b7adbd34b30b87e4@syzkaller.appspotmail.com Subject: Re: [PATCH v2] secretmem: fix unhandled fault in truncate Message-ID: References: <20220707165650.248088-1-rppt@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1657268956; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=0OrHWMiVnRDqnLDLoAA04rXm/e6QzYFtiD6HLtxLQU0=; b=KmOW0I23yNbwBaF2EE+sd+WefA8hB5pLB2vufO6aO1xIxRAFdleYMe8CRPShloxh6XKYYY GtIZsoFVta7yBoUWzh4FY8Zws1U34thrUtdozwK4RFsEI4sF4zYcHElJdeQmY1JwbuwMXM 1Qmb0G2zwe9CbDtVrNwSZblbyHUxZ0o= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1657268956; a=rsa-sha256; cv=none; b=DT25kTDbH3C7eKgMi6mx2wT10kG+jTodgUmz7ka2+vna6UMJ4B8cLkaRNItbhv6hZI0yos 0cMkRbXpC4sqrhIcytcK7Ohq3QHFUiYg5V8iXRUkgbF8Ilr4dH3vHDGunT8DfEOPmSFYIf ivfQ9T32HQKWjQRRCpsFc4mEZiYUC6g= ARC-Authentication-Results: i=1; imf10.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=EGkxqLWD; dmarc=pass (policy=none) header.from=kernel.org; spf=pass (imf10.hostedemail.com: domain of rppt@kernel.org designates 145.40.68.75 as permitted sender) smtp.mailfrom=rppt@kernel.org Authentication-Results: imf10.hostedemail.com; dkim=pass header.d=kernel.org header.s=k20201202 header.b=EGkxqLWD; dmarc=pass (policy=none) header.from=kernel.org; spf=pass (imf10.hostedemail.com: domain of rppt@kernel.org designates 145.40.68.75 as permitted sender) smtp.mailfrom=rppt@kernel.org X-Stat-Signature: exg4ewb6c1at47ufrefeaf3s7buymc4i X-Rspamd-Queue-Id: A759DC0017 X-Rspamd-Server: rspam07 X-Rspam-User: X-HE-Tag: 1657268956-260211 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Thu, Jul 07, 2022 at 03:09:32PM -0700, Yang Shi wrote: > On Thu, Jul 7, 2022 at 1:55 PM Darrick J. Wong wrote: > > > > On Thu, Jul 07, 2022 at 10:48:00AM -0700, Yang Shi wrote: > > > On Thu, Jul 7, 2022 at 9:57 AM Mike Rapoport wrote: > > > > > > > > Eric Biggers suggested that this happens when > > > > secretmem_setattr()->simple_setattr() races with secretmem_fault() so > > > > that a page that is faulted in by secretmem_fault() (and thus removed > > > > from the direct map) is zeroed by inode truncation right afterwards. > > > > > > > > Since do_truncate() takes inode_lock(), adding inode_lock_shared() to > > > > secretmem_fault() prevents the race. > > > > > > Should invalidate_lock be used to serialize between page fault and truncate? > > > > I would have thought so, given Documentation/filesystems/locking.rst: > > > > "->fault() is called when a previously not present pte is about to be > > faulted in. The filesystem must find and return the page associated with > > the passed in "pgoff" in the vm_fault structure. If it is possible that > > the page may be truncated and/or invalidated, then the filesystem must > > lock invalidate_lock, then ensure the page is not already truncated > > (invalidate_lock will block subsequent truncate), and then return with > > VM_FAULT_LOCKED, and the page locked. The VM will unlock the page." > > > > IIRC page faults aren't supposed to take i_rwsem because the fault could > > be in response to someone mmaping a file into memory and then write()ing > > to the same file using the mmapped region. The write() takes > > inode_lock and faults on the buffer, so the fault cannot take inode_lock > > again. > > Do you mean writing from one part of the file to the other part of the > file so the "from" buffer used by copy_from_user() is part of the > mmaped region? > > Another possible deadlock issue by using inode_lock in page faults is > mmap_lock is acquired before inode_lock, but write may acquire > inode_lock before mmap_lock, it is a AB-BA lock pattern, but it should > not cause real deadlock since mmap_lock is not exclusive for page > faults. But such pattern should be avoided IMHO. > > > That said... I don't think memfd_secret files /can/ be written to? memfd_secret files cannot be written to, they can only be mmap()ed. Synchronization is only required between do_truncate()->...->simple_setatt() and secretmem->fault() and I don't see how that can deadlock. I'm not an fs expert though, so if you think that invalidate_lock() is safer, I don't mind s/inode_lock/invalidate_lock/ in the patch. > > Hard to say, since I can't find a manpage describing what that syscall > > does. Right, I don't see it's published :-/ There is a groff version: https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/tree/man2/memfd_secret.2 > > --D > > > > > > > > > > > > > Reported-by: syzbot+9bd2b7adbd34b30b87e4@syzkaller.appspotmail.com > > > > Suggested-by: Eric Biggers > > > > Signed-off-by: Mike Rapoport > > > > --- > > > > > > > > v2: use inode_lock_shared() rather than add a new rw_sem to secretmem > > > > > > > > Axel, I didn't add your Reviewed-by because v2 is quite different. > > > > > > > > mm/secretmem.c | 21 ++++++++++++++++----- > > > > 1 file changed, 16 insertions(+), 5 deletions(-) > > > > > > > > diff --git a/mm/secretmem.c b/mm/secretmem.c > > > > index 206ed6b40c1d..a4fabf705e4f 100644 > > > > --- a/mm/secretmem.c > > > > +++ b/mm/secretmem.c > > > > @@ -55,22 +55,28 @@ static vm_fault_t secretmem_fault(struct vm_fault *vmf) > > > > gfp_t gfp = vmf->gfp_mask; > > > > unsigned long addr; > > > > struct page *page; > > > > + vm_fault_t ret; > > > > int err; > > > > > > > > if (((loff_t)vmf->pgoff << PAGE_SHIFT) >= i_size_read(inode)) > > > > return vmf_error(-EINVAL); > > > > > > > > + inode_lock_shared(inode); > > > > + > > > > retry: > > > > page = find_lock_page(mapping, offset); > > > > if (!page) { > > > > page = alloc_page(gfp | __GFP_ZERO); > > > > - if (!page) > > > > - return VM_FAULT_OOM; > > > > + if (!page) { > > > > + ret = VM_FAULT_OOM; > > > > + goto out; > > > > + } > > > > > > > > err = set_direct_map_invalid_noflush(page); > > > > if (err) { > > > > put_page(page); > > > > - return vmf_error(err); > > > > + ret = vmf_error(err); > > > > + goto out; > > > > } > > > > > > > > __SetPageUptodate(page); > > > > @@ -86,7 +92,8 @@ static vm_fault_t secretmem_fault(struct vm_fault *vmf) > > > > if (err == -EEXIST) > > > > goto retry; > > > > > > > > - return vmf_error(err); > > > > + ret = vmf_error(err); > > > > + goto out; > > > > } > > > > > > > > addr = (unsigned long)page_address(page); > > > > @@ -94,7 +101,11 @@ static vm_fault_t secretmem_fault(struct vm_fault *vmf) > > > > } > > > > > > > > vmf->page = page; > > > > - return VM_FAULT_LOCKED; > > > > + ret = VM_FAULT_LOCKED; > > > > + > > > > +out: > > > > + inode_unlock_shared(inode); > > > > + return ret; > > > > } > > > > > > > > static const struct vm_operations_struct secretmem_vm_ops = { > > > > > > > > base-commit: 03c765b0e3b4cb5063276b086c76f7a612856a9a > > > > -- > > > > 2.34.1 > > > > > > > > -- Sincerely yours, Mike.