From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 1C02DC7618E
	for <linux-mm@archiver.kernel.org>; Sat, 29 Apr 2023 04:22:34 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 131726B0071; Sat, 29 Apr 2023 00:22:34 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 0BB106B0074; Sat, 29 Apr 2023 00:22:34 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id EC4DA6B0075; Sat, 29 Apr 2023 00:22:33 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0011.hostedemail.com [216.40.44.11])
	by kanga.kvack.org (Postfix) with ESMTP id D90856B0071
	for <linux-mm@kvack.org>; Sat, 29 Apr 2023 00:22:33 -0400 (EDT)
Received: from smtpin06.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay01.hostedemail.com (Postfix) with ESMTP id A58421C67B0
	for <linux-mm@kvack.org>; Sat, 29 Apr 2023 04:22:33 +0000 (UTC)
X-FDA: 80733132186.06.7D9DCE6
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11])
	by imf07.hostedemail.com (Postfix) with ESMTP id E889540017
	for <linux-mm@kvack.org>; Sat, 29 Apr 2023 04:22:30 +0000 (UTC)
Authentication-Results: imf07.hostedemail.com;
	dkim=fail ("headers rsa verify failed") header.d=mit.edu header.s=outgoing header.b=XS8yR23b;
	spf=pass (imf07.hostedemail.com: domain of tytso@mit.edu designates 18.9.28.11 as permitted sender) smtp.mailfrom=tytso@mit.edu;
	dmarc=pass (policy=none) header.from=mit.edu
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1682742151;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=x35IJH2Kq57CenRp9XDYUfeb7XaZg8EW3MY2fyeE+60=;
	b=ruTP44edXmNaGCV9iK/Am/jUsgh7qUi6EHeVII5W05utAEfMkYO3hiDgAVLlwbCJ3a5BWw
	cbHIkwy1XSHgCPLhbHGhc7ESZCpt3jckHgEbtMgx9RnVizlt3v3fXH+eC6PWuIfGIEXaOH
	kX5CSS8iEbOLtDVMTVeJEB+K1tQyY58=
ARC-Authentication-Results: i=1;
	imf07.hostedemail.com;
	dkim=fail ("headers rsa verify failed") header.d=mit.edu header.s=outgoing header.b=XS8yR23b;
	spf=pass (imf07.hostedemail.com: domain of tytso@mit.edu designates 18.9.28.11 as permitted sender) smtp.mailfrom=tytso@mit.edu;
	dmarc=pass (policy=none) header.from=mit.edu
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1682742151; a=rsa-sha256;
	cv=none;
	b=BkLb237DCnzb3DMwPAkefOtinGFRwrWR/Ql1WbuIm1E66ecQWWGg77/Wu6Ct6NDlhZcvt5
	ENg12fItfLD5eFOfBSr7KHZTT3kwwqYRP0VbGqGciDw6Is42lnQClgG8CnSJ+weYQPvFXn
	rrwnqz4iivs23a9Hls/T9A7aDmaO4Bc=
Received: from letrec.thunk.org ([76.150.80.181])
	(authenticated bits=0)
        (User authenticated as tytso@ATHENA.MIT.EDU)
	by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 33T4LADR028231
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
	Sat, 29 Apr 2023 00:21:11 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing;
	t=1682742083; bh=x35IJH2Kq57CenRp9XDYUfeb7XaZg8EW3MY2fyeE+60=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To;
	b=XS8yR23bvao+hUGNsieKp+k9HHEALUC5GU00GcmAg3HvyJBiEA4Pf7P/ZI4AVQ/4m
	 DLsCymUXNURENk/BhLWJGBnSPN3z+hE+GUlBzE0/vn++JMO6ZbYi47/vZ6sz69dJPP
	 dD4T4XIq7/aIS7FJ5s0yWFeUKKqC16QwHnalBpfk4TSzBNznHp5ekdmDaJZYJAWvEo
	 aRNHWwjxwsCOYFn3dqKsxnWxYbJpYvC97hHCygeOb8wNnIIYN4XmlXjK2edXAQqOOc
	 NPi52OLJIF7HFuTRa1DdZThhZTGTOzIODXOHAGl9VpSeq/INVRfHPhguvb7UhY4OSr
	 wmO4iJOBFZj8g==
Received: by letrec.thunk.org (Postfix, from userid 15806)
	id A53098C01B4; Sat, 29 Apr 2023 00:21:09 -0400 (EDT)
Date: Sat, 29 Apr 2023 00:21:09 -0400
From: "Theodore Ts'o" <tytso@mit.edu>
To: Jason Gunthorpe <jgg@nvidia.com>
Cc: David Hildenbrand <david@redhat.com>, Lorenzo Stoakes <lstoakes@gmail.com>,
        linux-mm@kvack.org, linux-kernel@vger.kernel.org,
        Andrew Morton <akpm@linux-foundation.org>,
        Jens Axboe <axboe@kernel.dk>, Matthew Wilcox <willy@infradead.org>,
        Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>,
        Leon Romanovsky <leon@kernel.org>,
        Christian Benvenuti <benve@cisco.com>,
        Nelson Escobar <neescoba@cisco.com>,
        Bernard Metzler <bmt@zurich.ibm.com>,
        Peter Zijlstra <peterz@infradead.org>, Ingo Molnar <mingo@redhat.com>,
        Arnaldo Carvalho de Melo <acme@kernel.org>,
        Mark Rutland <mark.rutland@arm.com>,
        Alexander Shishkin <alexander.shishkin@linux.intel.com>,
        Jiri Olsa <jolsa@kernel.org>, Namhyung Kim <namhyung@kernel.org>,
        Ian Rogers <irogers@google.com>,
        Adrian Hunter <adrian.hunter@intel.com>,
        Bjorn Topel <bjorn@kernel.org>,
        Magnus Karlsson <magnus.karlsson@intel.com>,
        Maciej Fijalkowski <maciej.fijalkowski@intel.com>,
        Jonathan Lemon <jonathan.lemon@gmail.com>,
        "David S . Miller" <davem@davemloft.net>,
        Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>,
        Christian Brauner <brauner@kernel.org>,
        Richard Cochran <richardcochran@gmail.com>,
        Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Jesper Dangaard Brouer <hawk@kernel.org>,
        John Fastabend <john.fastabend@gmail.com>,
        linux-fsdevel@vger.kernel.org, linux-perf-users@vger.kernel.org,
        netdev@vger.kernel.org, bpf@vger.kernel.org,
        Oleg Nesterov <oleg@redhat.com>, John Hubbard <jhubbard@nvidia.com>,
        Jan Kara <jack@suse.cz>, "Kirill A . Shutemov" <kirill@shutemov.name>,
        Pavel Begunkov <asml.silence@gmail.com>,
        Mika Penttila <mpenttil@redhat.com>,
        David Howells <dhowells@redhat.com>, Christoph Hellwig <hch@lst.de>
Subject: Re: [PATCH v5] mm/gup: disallow GUP writing to file-backed mappings
 by default
Message-ID: <ZEybNZ7Rev+XM4GU@mit.edu>
References: <6b73e692c2929dc4613af711bdf92e2ec1956a66.1682638385.git.lstoakes@gmail.com>
 <afcc124e-7a9b-879c-dfdf-200426b84e24@redhat.com>
 <ZEvZtIb2EDb/WudP@nvidia.com>
 <ZEwPscQu68kx32zF@mit.edu>
 <ZEwVbPM2OPSeY21R@nvidia.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <ZEwVbPM2OPSeY21R@nvidia.com>
X-Rspamd-Server: rspam07
X-Rspamd-Queue-Id: E889540017
X-Rspam-User: 
X-Stat-Signature: 8uwof7comxh3c6pyiromrr3w1z5fj4i6
X-HE-Tag: 1682742150-226039
X-HE-Meta: U2FsdGVkX1+is2w+dXIcwDZ9pyc8AKGM2QA+kFx29KCgOT7h8XX+fXWG93W2ZCEur76Nwku1/Ljc1IpNyJAC/WP+0dYdWGvTbagXV011t7tuZKqFmxqHL2x96c7sWNXcX/Bc0pB1zQmzSmJNpj0B2NggwW08Wwi3jNxvr6nSNRe1C90XVMe0Yy/eyIOpgOcP6H07qCyks7JZ1508xC+Zt+zoPqfZsA++gFzJI6L3urviUtJFO8z6UcP5OGwWYlPqdzduZYv56kLEU8kaCjMx6OmrX899VqPm0xpgvm+sR8QOWdFYUmWcNqDG4DXVHBdBwGCsDWCNY43xLJaPlmlACZbf3hnEWNC/TtFZkuvZTNVfiZxZgneyecU+Ut+JyF9VBY5488B/a4O/EI71c5dmZn80fYs/+2myMR9d4vN2M+xoHAtHkc6HFeh92DMVf50Xl+haFNZcZ9Qv0hk1PgZC3m8avCW5gBbKAh6JjguumE/s4+3E7QSwRnM5djQ8S5YsuK6EvedAJANQSb4wxaJDd3+MvWC6gxn+AtuNU574jtxiNhk3SVDW9+xZKupzuge6eiEobTAteJddrI5h4jJjJeDbMt7FCBkb3OIjxGhVIgeZzrA+0FEjHBw5584IF9hIndWqYo71Ko7SR08Gd2Eepu0mcrTCndF8D4S8e8yUBjnNqlqbKGwkKTqyh1xKTVuHOUad9MX3BwvRxxOauAauDcdb7DIxsGpHj1S6gO3IhawecKDdZLQx07zm42m1m4NK7NRqlmryl0bQk8QEuRerjfpEfvdZphtZadLFLQinLUnpdG/qTGDa0uMKP77e0DZtQTmoXazGkM6q23/wwYZqzfkZEE4Qji8+8Zud/qNSmHYJK5N+HCOiRKjk0qyXV44etsngx6YEJr5Z00xhgr7YXbAijle+c9yeLCjFYRVJ9zARNX24sB0860Cf9SaM0QxVb4zQqy9DIqGPC8KyU1t
 WvJlQ5Ba
 +QHeMXxDpL4YYmUlvTucaKiz8T56w3DNYyyf4unGicNwsZs4eSac2IccfidvFwqXbd0iTINok1WBwgz7ViyWuX50XDqWicPUl0zqQHa+kNMFtIAj8Vns55zkKk+dtlrd4yYdr/G3jesYvbW8T/d48FI2wWFOUCKO6jSbs9yh0dkDFoyYq4gc+4u0K0SmtLEOFODPT8YovIUTX0qrkN+tZc/Rz/mcyCQuqNF/HgA/FNKA6gomWHq+4eKAR9GcFLys+/YY6uqzvhniuxT3TF5Cy9A59VWDiMbTSErgsjLuKJZ8ELa7D/rCoYvKlaNUkjoyXUso0QFUFq/FcMUzqan0wxoy+XithG/u8QwgDt7yVyLHG50bXKdeN9gmsxA==
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Fri, Apr 28, 2023 at 03:50:20PM -0300, Jason Gunthorpe wrote:
> > Do we think we can still trigger a kernel crash, or maybe even some
> > more exciting like an arbitrary buffer overrun, via the
> > process_vm_writev(2) system call into a file-backed mmap'ed region?

I paged back into my memory the details, and (un)fortunately(?) it
probably can't be turned into high severity security exploit; it's
"just" a silent case of data loss.  (Which is *so* much better.... :-)

There was a reliable reproducer which was found by Syzkaller, that
didn't require any kind of exotic hardware or setup[1], and we
ultimately kluged a workaround in commit cc5095747edf ("ext4: don't
BUG if someone dirty pages without asking ext4 first").

[1] https://lore.kernel.org/all/Yg0m6IjcNmfaSokM@google.com/

Commit cc5095747edf had the (un)fortunate(?) side effect that GUP
writes to ext4 file-backed mappings no longer would cause random
low-probability crashes on large installations using RDMA, which has
apparently removed some of the motivation of really fixing the problem
instead of papering over it.  The good news is that I'm no longer
getting complaints from syzbot for this issue, and *I* don't have to
support anyone trying to use RDMA into file-backed mappings.  :-)

In any case, the file system maintainers' position (mine and I doubt
Dave Chinner's position has changed) is that if you write to
file-backed mappings via GUP/RDMA/process_vm_writev, and it causes
silent data corruption, you get to keep both pieces, and don't go
looking for us for anything other than sympathy...

						- Ted