From: David Laight
To: 'David Hildenbrand', linux-kernel@vger.kernel.org
CC: linux-mm@kvack.org, stable@vger.kernel.org, Linus Torvalds, Andrew Morton, Greg Kroah-Hartman, Axel Rasmussen, Nadav Amit, Peter Xu, Hugh Dickins, Andrea Arcangeli, Matthew Wilcox, Vlastimil Babka, John Hubbard, Jason Gunthorpe
Subject: RE: [PATCH v2] mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW
Date: Wed, 10 Aug 2022 09:12:57 +0000
References: <20220809205640.70916-1-david@redhat.com>
In-Reply-To: <20220809205640.70916-1-david@redhat.com>
From: David Hildenbrand
> Sent: 09 August 2022 21:57
...

These two functions seem to contain a lot of the same tests.
They also seem a bit large for 'inline'.

> -static inline bool can_follow_write_pte(pte_t pte, unsigned int flags) > +/* FOLL_FORCE can write to even unwritable PTEs in COW mappings. */ > +static inline bool can_follow_write_pte(pte_t pte, struct page *page, > +=09=09=09=09=09struct vm_area_struct *vma, > +=09=09=09=09=09unsigned int flags) > { > -=09return pte_write(pte) || > -=09=09((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte)); > +=09/* If the pte is writable, we can write to the page. */ > +=09if (pte_write(pte)) > +=09=09return true; > + > +=09/* Maybe FOLL_FORCE is set to override it? */ > +=09if (!(flags & FOLL_FORCE)) > +=09=09return false; > + > +=09/* But FOLL_FORCE has no effect on shared mappings */ > +=09if (vma->vm_flags & (VM_MAYSHARE | VM_SHARED)) > +=09=09return false; > + > +=09/* ... or read-only private ones */ > +=09if (!(vma->vm_flags & VM_MAYWRITE)) > +=09=09return false; > + > +=09/* ... 
or already writable ones that just need to take a write fault = */ > +=09if (vma->vm_flags & VM_WRITE) > +=09=09return false; > + > +=09/* > +=09 * See can_change_pte_writable(): we broke COW and could map the page > +=09 * writable if we have an exclusive anonymous page ... > +=09 */ > +=09if (!page || !PageAnon(page) || !PageAnonExclusive(page)) > +=09=09return false; > + > +=09/* ... and a write-fault isn't required for other reasons. */ > +=09if (vma_soft_dirty_enabled(vma) && !pte_soft_dirty(pte)) > +=09=09return false; > +=09return !userfaultfd_pte_wp(vma, pte); > } ... > -static inline bool can_follow_write_pmd(pmd_t pmd, unsigned int flags) > +/* FOLL_FORCE can write to even unwritable PMDs in COW mappings. */ > +static inline bool can_follow_write_pmd(pmd_t pmd, struct page *page, > +=09=09=09=09=09struct vm_area_struct *vma, > +=09=09=09=09=09unsigned int flags) > { > -=09return pmd_write(pmd) || > -=09 ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pmd_dirty(pmd))= ; > +=09/* If the pmd is writable, we can write to the page. */ > +=09if (pmd_write(pmd)) > +=09=09return true; > + > +=09/* Maybe FOLL_FORCE is set to override it? */ > +=09if (!(flags & FOLL_FORCE)) > +=09=09return false; > + > +=09/* But FOLL_FORCE has no effect on shared mappings */ > +=09if (vma->vm_flags & (VM_MAYSHARE | VM_SHARED)) > +=09=09return false; > + > +=09/* ... or read-only private ones */ > +=09if (!(vma->vm_flags & VM_MAYWRITE)) > +=09=09return false; > + > +=09/* ... or already writable ones that just need to take a write fault = */ > +=09if (vma->vm_flags & VM_WRITE) > +=09=09return false; > + > +=09/* > +=09 * See can_change_pte_writable(): we broke COW and could map the page > +=09 * writable if we have an exclusive anonymous page ... > +=09 */ > +=09if (!page || !PageAnon(page) || !PageAnonExclusive(page)) > +=09=09return false; > + > +=09/* ... and a write-fault isn't required for other reasons. 
*/ > +=09if (vma_soft_dirty_enabled(vma) && !pmd_soft_dirty(pmd)) > +=09=09return false; > +=09return !userfaultfd_huge_pmd_wp(vma, pmd); > }

Perhaps only the initial call (common success path?) should be inlined?
With the flags and vma tests being moved to an inline helper.

	David
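Review bot: in the can_follow_write_pte() hunk, the new test `if (!page || !PageAnon(page) || !PageAnonExclusive(page))` dereferences a page the caller now has to supply, but neither the parameter list nor the header comment ("FOLL_FORCE can write to even unwritable PTEs in COW mappings.") says what the caller must hold for the PageAnonExclusive() answer to remain valid, nor why a NULL page is treated as "not exclusive" rather than as a caller error; suggest extending that comment to state the required locking context and the meaning of a NULL page, since the result now decides whether a write through a non-writable PTE is allowed.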
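Review bot: the can_follow_write_pmd() hunk repeats the three vma checks (`VM_MAYSHARE | VM_SHARED`, `!VM_MAYWRITE`, `VM_WRITE`) and the PageAnon()/PageAnonExclusive() test of can_follow_write_pte() line for line; only pmd_write(), pmd_soft_dirty() and userfaultfd_huge_pmd_wp() differ. Suggest moving the shared block, from `if (!(flags & FOLL_FORCE))` through the PageAnonExclusive() check, into one helper taking (page, vma, flags) that both functions call after their own pte_write()/pmd_write() fast path, so a future change to the FOLL_FORCE rules cannot land at one page-table level and be missed at the other, and so each inline function shrinks back to the fast path plus one call.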