From patchwork Mon Nov 26 17:34:48 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Arcangeli X-Patchwork-Id: 10698857 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 428F715A8 for ; Mon, 26 Nov 2018 17:35:02 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C93472973E for ; Mon, 26 Nov 2018 17:34:59 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id BBACF29BE8; Mon, 26 Nov 2018 17:34:59 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5588B2973E for ; Mon, 26 Nov 2018 17:34:59 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 5B6416B42C9; Mon, 26 Nov 2018 12:34:58 -0500 (EST) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 562F86B42CB; Mon, 26 Nov 2018 12:34:58 -0500 (EST) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 467E86B42CD; Mon, 26 Nov 2018 12:34:58 -0500 (EST) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from mail-qk1-f198.google.com (mail-qk1-f198.google.com [209.85.222.198]) by kanga.kvack.org (Postfix) with ESMTP id 1B2636B42C9 for ; Mon, 26 Nov 2018 12:34:58 -0500 (EST) Received: by mail-qk1-f198.google.com with SMTP id c7so19848287qkg.16 for ; Mon, 26 Nov 2018 09:34:58 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-original-authentication-results:x-gm-message-state:from:to:cc :subject:date:message-id:in-reply-to:references; bh=YQAHc8DLHINDXrumhdLVCSgt1dBz0dqfcFclwEqvHIY=; b=g19qrPtK/XGYrLTcAAndbTvhtzKoUGYa3vaKBEOhmMoOTa3cucYXHVRghxD4omQ74x 4qmzqkO6rpsiyts2xHnnqCeNTEYDyxnScPsoXoRiHJBEQPDRu2U5mTrKYUWfeZJeT7tJ 7gjTKIqGv1xi56ruOC3INikZEQoIASO4eXWWpdBMeN4rwTTdGBbxmCSEfcUkicYQBgRb 2w+cFRvDCrc1II16lPGz8i6ztY+1UQh47Bk8XVDSPloq+j+2ihziRnPzyOaGBYrwUJic voMmo5NO7TrntrlgrO4m0thOpNf85jeWmexbqsCmgARUrTOQRJ1BrAg9c+2v8cQysF3t NfIw== X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=aarcange@redhat.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com X-Gm-Message-State: AA+aEWYSG1Ru2r4vY/X9nNiOijOrq2icTwNWWPtr6nzo7w2TbwykvtoC W7PMnz+Tj7wZub1Im8c8GetR+PbVZ9OzcArinS4aGqQQiEpQGHaPbjZATc284V3K8MF1813AYzb ZUahCRXrc9CTttFdfqRu4y5PUOoY48ajHD6xMPv9xJN0EoFgXzW9WaJ3MnjgBtPx7Zw== X-Received: by 2002:a37:7d05:: with SMTP id y5mr24876333qkc.310.1543253697858; Mon, 26 Nov 2018 09:34:57 -0800 (PST) X-Google-Smtp-Source: AFSGD/X1CRXnw6MO98Bvhg7G5e5fonfTX0a+AM4COyQFb7hw7Sir1nL5rH5ng/q6zAZ+D77S4RJ5 X-Received: by 2002:a37:7d05:: with SMTP id y5mr24876276qkc.310.1543253697040; Mon, 26 Nov 2018 09:34:57 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543253697; cv=none; d=google.com; s=arc-20160816; b=G7H9RcghMC0NxX4e2FM6zJzeeXfac8jzL7BX6fJCafeLAxmAT0/N/zQ6nLA7nRYp2h HOy3bBx9q2ha/HIzFgzCkxHrZtQwutyDtvgAjoJv4+Pf7vWlt7gdfPshg/lOwOYn2WSu l5zJllMvVfp/XAJARceNlnMVZ8gzSF7VtH48VF9TpsFKJdX1VwGpl9vKuuE3sIcAg67P 4TvhilNxSGPaSeyd2J5Jzxci+t1mLR0VP4/9yedT6IgSmbn8mbqUCoftIbGEtcB9Qj0P SZgjLMV3MrHKfWKVVUDOgAt0JHG+7Fv6rq8V6H5rqBcD9MssKaBJkRCicPoVu4fjInRz TSRw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=references:in-reply-to:message-id:date:subject:cc:to:from; bh=YQAHc8DLHINDXrumhdLVCSgt1dBz0dqfcFclwEqvHIY=; b=sFIC7t+X7EAjBdPY7fozQY6O1vSbmOT2XI8J7CA1vFX4vLRK2zFAxG028me2gfbJj2 g35a7MdAf06mYXv6eqSelQavihNgU+HaBC6NKfbtAXu/095QnQoZvdYTnQsoxESn13Mu Uw8fj5cinHdEkDIX1Sga+NKTIAKuihx6aR+s+oNfEovYXd+S2rQTut5611x/94R6nI8y GSBG/XReUgrvewtelpMFGbhRHSQW4kDSgdO3SiJrBPcRKUGO6BWpr+ds/4z14HekDUXc JY53QtDeyu+urEB5x0WOOA5s6QiqVYaT+jj7190yxBLCyiDP6kCNuXRZNzGMULncfyz8 4QDg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=aarcange@redhat.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from mx1.redhat.com (mx1.redhat.com. [209.132.183.28]) by mx.google.com with ESMTPS id s80si776260qka.18.2018.11.26.09.34.56 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 26 Nov 2018 09:34:56 -0800 (PST) Received-SPF: pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; Authentication-Results: mx.google.com; spf=pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=aarcange@redhat.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 1D9593084298; Mon, 26 Nov 2018 17:34:56 +0000 (UTC) Received: from sky.random (ovpn-120-160.rdu2.redhat.com [10.10.120.160]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 45B22604CE; Mon, 26 Nov 2018 17:34:53 +0000 (UTC) From: Andrea Arcangeli To: Andrew Morton Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Hugh Dickins , Mike Rapoport , Mike Kravetz , Jann Horn , Peter Xu , "Dr. David Alan Gilbert" Subject: [PATCH 1/5] userfaultfd: use ENOENT instead of EFAULT if the atomic copy user fails Date: Mon, 26 Nov 2018 12:34:48 -0500 Message-Id: <20181126173452.26955-2-aarcange@redhat.com> In-Reply-To: <20181126173452.26955-1-aarcange@redhat.com> References: <20181126173452.26955-1-aarcange@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.40]); Mon, 26 Nov 2018 17:34:56 +0000 (UTC) X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: X-Virus-Scanned: ClamAV using ClamSMTP We internally used EFAULT to communicate with the caller, switch to ENOENT, so EFAULT can be used as a non internal retval. Reviewed-by: Mike Rapoport Reviewed-by: Hugh Dickins Cc: stable@vger.kernel.org Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support") Signed-off-by: Andrea Arcangeli --- mm/hugetlb.c | 2 +- mm/shmem.c | 2 +- mm/userfaultfd.c | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 7f2a28ab46d5..705a3e9cc910 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -4080,7 +4080,7 @@ int hugetlb_mcopy_atomic_pte(struct mm_struct *dst_mm, /* fallback to copy_from_user outside mmap_sem */ if (unlikely(ret)) { - ret = -EFAULT; + ret = -ENOENT; *pagep = page; /* don't free the page */ goto out; diff --git a/mm/shmem.c b/mm/shmem.c index d44991ea5ed4..353287412c25 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2236,7 +2236,7 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm, *pagep = page; shmem_inode_unacct_blocks(inode, 1); /* don't free the page */ - return -EFAULT; + return -ENOENT; } } else { /* mfill_zeropage_atomic */ clear_highpage(page); diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c index 5029f241908f..46c8949e5f8f 100644 --- a/mm/userfaultfd.c +++ b/mm/userfaultfd.c @@ -48,7 +48,7 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm, /* fallback to copy_from_user outside mmap_sem */ if (unlikely(ret)) { - ret = -EFAULT; + ret = -ENOENT; *pagep = page; /* don't free the page */ goto out; @@ -274,7 +274,7 @@ static __always_inline ssize_t __mcopy_atomic_hugetlb(struct mm_struct *dst_mm, cond_resched(); - if (unlikely(err == -EFAULT)) { + if (unlikely(err == -ENOENT)) { up_read(&dst_mm->mmap_sem); BUG_ON(!page); @@ -530,7 +530,7 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm, src_addr, &page, zeropage); cond_resched(); - if (unlikely(err == -EFAULT)) { + if (unlikely(err == -ENOENT)) { void *page_kaddr; up_read(&dst_mm->mmap_sem); From patchwork Mon Nov 26 17:34:49 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Arcangeli X-Patchwork-Id: 10698865 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8399D13BF for ; Mon, 26 Nov 2018 17:35:12 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 708C929F76 for ; Mon, 26 Nov 2018 17:35:12 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 647CF29FD7; Mon, 26 Nov 2018 17:35:12 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 36FAB29F76 for ; Mon, 26 Nov 2018 17:35:11 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id F2B566B42CE; Mon, 26 Nov 2018 12:35:00 -0500 (EST) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id EDDD06B42D0; Mon, 26 Nov 2018 12:35:00 -0500 (EST) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id DA1CC6B42D1; Mon, 26 Nov 2018 12:35:00 -0500 (EST) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from mail-qt1-f198.google.com (mail-qt1-f198.google.com [209.85.160.198]) by kanga.kvack.org (Postfix) with ESMTP id A75716B42CE for ; Mon, 26 Nov 2018 12:35:00 -0500 (EST) Received: by mail-qt1-f198.google.com with SMTP id q33so16965042qte.23 for ; Mon, 26 Nov 2018 09:35:00 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-original-authentication-results:x-gm-message-state:from:to:cc :subject:date:message-id:in-reply-to:references; bh=M4Ayl2rNvFfy5ISSNJCd04rf0YeVTlqJ8cH8z+y8YO8=; b=LySXMxN9B/4de1QREfXJfyPm/P4zkmonA9Ymva5XfoHIUMuesNAFyCuJBkRTGWutUL tZnlaLZd3PC6ms1C1Qf0aEytm+Wf2jjFIVtJcO09bt1bQWabhCaM0Tiv88H0ImrXm6Di suu425NfIaHBvE1Hi39+s5OcEDsm5m0kLutb0/GmmOSBEwo3T+jhRQhwPz8fS7pPHx7X fR9El96ybCryf9RyWU5wbwmAzta9CYjpN4n5tAOYDGiWonr+ZTzYlK/T+XdzCCFrKltN rknacIf5XgO0kdc5QUHkYM7XfoG9ZMHR1G8CTAY/JoYzjHqh49S0Z9yARkOQ4I8KsnV7 6RPQ== X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=aarcange@redhat.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com X-Gm-Message-State: AA+aEWY6j5L/ldsT6XsdQctrRFPlLWIqZxp3AOhkhagbce006P3LrRHy nvZAt5z4XCq7bLggj0uJX/HFBCdnTNOX6ceW0M106nlnPBua9v6MZ8Wn44czSCzJd/wVIj6BWW2 cOOA3HTKy2RTlCn233T/XA0wRp/2NqnLSTaSOIgGzOc7ZlRx8uOF/TJQHkPVst4PIOw== X-Received: by 2002:a0c:f8c7:: with SMTP id h7mr27634795qvo.134.1543253700406; Mon, 26 Nov 2018 09:35:00 -0800 (PST) X-Google-Smtp-Source: AFSGD/XXD+RkCaBjoYnSnpZSZ+htN3DbkiBcgZjtlNw1jeeu0agELuifoa774WtlzX+Wm9hICcx7 X-Received: by 2002:a0c:f8c7:: with SMTP id h7mr27634711qvo.134.1543253699412; Mon, 26 Nov 2018 09:34:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543253699; cv=none; d=google.com; s=arc-20160816; b=eEa2LnnvcNLOBE0EoXgdAnGdQlvwaQeIAi1lP8QVdNtaldRUttWpe1TBnQFgmov/dT wI+sjfJamvvCgWPA/1zkSHb7K7q6Hehesvcdb72tSGGD3TaAiemzy3e+S6UyZ3E5J98T GzShZKqMTlTUIom2sEzOBk3c8bKPdGeEBjK9dvmgfhh8EaiVGfvTC3YrZifMDIXcnD9J n7T8+TinQR5zlQ93Fc1PVkpbdwpim8d+QYROMyOp2B3lkpL57gUdJGtCA+jwd+0ycnzU 53X3TclpnDQwbo2cFFJH1TTM+MNclnccH5XCiusIUYOA7OGmdjQgM2oSnXwOcIoCsGyf N5HA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=references:in-reply-to:message-id:date:subject:cc:to:from; bh=M4Ayl2rNvFfy5ISSNJCd04rf0YeVTlqJ8cH8z+y8YO8=; b=N+8lzilbuG7d50afcxSw79bOCO+kyYYc2u4SY8xzI9XWVNr+Dsrw5LrQ7ejeBL+fRV p0Rn5hFi0NmzM2E0A/v2w8/3el35ytZWFYCU7fT49+ZMkRvAUAtCNamK0qS+8LKHypag mxB8RxcbGeWlCIEdtw/rEStfForDvcXGKYSOBe5UiBygfd9wfx2O31DuLBUj7tmCzXox Gtvj2iRAMZHJ7STWig9iESlt/qJwN4agGmVdWNWVp+O2ZNGiGRnvpxLkxx8FqhSIz9V3 VFM5icsEI6VJAHNqBecqHR5OuKGnFSgSDplw/93fQA/dEKQfCy1w/XJ3Kw0xUTgd5aLm fxDw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=aarcange@redhat.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from mx1.redhat.com (mx1.redhat.com. [209.132.183.28]) by mx.google.com with ESMTPS id t7si693925qtd.217.2018.11.26.09.34.59 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 26 Nov 2018 09:34:59 -0800 (PST) Received-SPF: pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; Authentication-Results: mx.google.com; spf=pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=aarcange@redhat.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 8DA9F307DAA9; Mon, 26 Nov 2018 17:34:58 +0000 (UTC) Received: from sky.random (ovpn-120-160.rdu2.redhat.com [10.10.120.160]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 457D05C229; Mon, 26 Nov 2018 17:34:53 +0000 (UTC) From: Andrea Arcangeli To: Andrew Morton Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Hugh Dickins , Mike Rapoport , Mike Kravetz , Jann Horn , Peter Xu , "Dr. David Alan Gilbert" Subject: [PATCH 2/5] userfaultfd: shmem: allocate anonymous memory for MAP_PRIVATE shmem Date: Mon, 26 Nov 2018 12:34:49 -0500 Message-Id: <20181126173452.26955-3-aarcange@redhat.com> In-Reply-To: <20181126173452.26955-1-aarcange@redhat.com> References: <20181126173452.26955-1-aarcange@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.42]); Mon, 26 Nov 2018 17:34:58 +0000 (UTC) X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Userfaultfd did not create private memory when UFFDIO_COPY was invoked on a MAP_PRIVATE shmem mapping. Instead it wrote to the shmem file, even when that had not been opened for writing. Though, fortunately, that could only happen where there was a hole in the file. Fix the shmem-backed implementation of UFFDIO_COPY to create private memory for MAP_PRIVATE mappings. The hugetlbfs-backed implementation was already correct. This change is visible to userland, if userfaultfd has been used in unintended ways: so it introduces a small risk of incompatibility, but is necessary in order to respect file permissions. An app that uses UFFDIO_COPY for anything like postcopy live migration won't notice the difference, and in fact it'll run faster because there will be no copy-on-write and memory waste in the tmpfs pagecache anymore. Userfaults on MAP_PRIVATE shmem keep triggering only on file holes like before. The real zeropage can also be built on a MAP_PRIVATE shmem mapping through UFFDIO_ZEROPAGE and that's safe because the zeropage pte is never dirty, in turn even an mprotect upgrading the vma permission from PROT_READ to PROT_READ|PROT_WRITE won't make the zeropage pte writable. Reported-by: Mike Rapoport Reviewed-by: Hugh Dickins Cc: stable@vger.kernel.org Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support") Signed-off-by: Andrea Arcangeli --- mm/userfaultfd.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c index 46c8949e5f8f..471b6457f95f 100644 --- a/mm/userfaultfd.c +++ b/mm/userfaultfd.c @@ -380,7 +380,17 @@ static __always_inline ssize_t mfill_atomic_pte(struct mm_struct *dst_mm, { ssize_t err; - if (vma_is_anonymous(dst_vma)) { + /* + * The normal page fault path for a shmem will invoke the + * fault, fill the hole in the file and COW it right away. The + * result generates plain anonymous memory. So when we are + * asked to fill an hole in a MAP_PRIVATE shmem mapping, we'll + * generate anonymous memory directly without actually filling + * the hole. For the MAP_PRIVATE case the robustness check + * only happens in the pagetable (to verify it's still none) + * and not in the radix tree. + */ + if (!(dst_vma->vm_flags & VM_SHARED)) { if (!zeropage) err = mcopy_atomic_pte(dst_mm, dst_pmd, dst_vma, dst_addr, src_addr, page); @@ -489,7 +499,8 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm, * dst_vma. */ err = -ENOMEM; - if (vma_is_anonymous(dst_vma) && unlikely(anon_vma_prepare(dst_vma))) + if (!(dst_vma->vm_flags & VM_SHARED) && + unlikely(anon_vma_prepare(dst_vma))) goto out_unlock; while (src_addr < src_start + len) { From patchwork Mon Nov 26 17:34:50 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Arcangeli X-Patchwork-Id: 10698861 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id EFCF115A8 for ; Mon, 26 Nov 2018 17:35:04 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DCBA62973E for ; Mon, 26 Nov 2018 17:35:04 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id D01AC29F76; Mon, 26 Nov 2018 17:35:04 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 58E1128630 for ; Mon, 26 Nov 2018 17:35:04 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 0FBCD6B42CB; Mon, 26 Nov 2018 12:35:00 -0500 (EST) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 084736B42CE; Mon, 26 Nov 2018 12:35:00 -0500 (EST) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id EB53F6B42CF; Mon, 26 Nov 2018 12:34:59 -0500 (EST) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from mail-qk1-f197.google.com (mail-qk1-f197.google.com [209.85.222.197]) by kanga.kvack.org (Postfix) with ESMTP id B9C446B42CB for ; Mon, 26 Nov 2018 12:34:59 -0500 (EST) Received: by mail-qk1-f197.google.com with SMTP id v64so20113795qka.5 for ; Mon, 26 Nov 2018 09:34:59 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-original-authentication-results:x-gm-message-state:from:to:cc :subject:date:message-id:in-reply-to:references; bh=axc/ygK2Iy+mbOpHS99vyA6pAj0I1vBN2VE9f/hYflU=; b=KfBrRHvz27BMlc7oido61S1fuGtro05BUtDPfxuQVzDeWaqzALEYOHJ3ApowkjK4M2 AySO0t5ukkQ3Ej8Vlc1ZhP9oPAm3YD9/s3zRCSrNAUYX5P1WpmEwuUPoLFh+46GeekbC N0Eu5WqQ1eVWnOUyVw8EihbTH7WWHwl3qO9XMcSOWapYvafLAim58dD1Gn4vLNTY8kFE 0cBo97ucXe3Tj/BMMPo0VFNOg4ytaLJozYrfdC30NmBWV+rYfBJPwKcoGOEDn86b/kRp kAYdqY8JD492U6eBGu+TyioZgMG+Qef9EW2h29NKQ5213rYBClGZLjwyByLcPR67enQe nq7A== X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=aarcange@redhat.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com X-Gm-Message-State: AA+aEWamQfU1XznabZUfqrUNdTDJAAPKoebQz+zZScpv+iibi8n9n9Bl QRq+q1XUMmxLEIMgbCYdjpr/DGKmo37PIh5OjCPjdcDL97te2k5Ua7CqucwsCe6SzQrnJ+bBpgj MmQv7tendDWWRE7SUu7b//02wQPsMba2ziKLACe0HhkeHEAeRW735GO/exvHVkS9klQ== X-Received: by 2002:a37:9584:: with SMTP id x126mr25920732qkd.36.1543253699483; Mon, 26 Nov 2018 09:34:59 -0800 (PST) X-Google-Smtp-Source: AFSGD/UvC7eOFclx1SN4F2ojLxaFX4+2RD5c1iebeXcT/Obvh2mx2qhlN4cVvzdZAzVwSWPKtx1H X-Received: by 2002:a37:9584:: with SMTP id x126mr25920649qkd.36.1543253698380; Mon, 26 Nov 2018 09:34:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543253698; cv=none; d=google.com; s=arc-20160816; b=mAbSGP4yGQAxUH5WiEG2etuLfY8zxoMmNQLsUUA4V+RPwhxWpK3Zp+CuU7KbeKQ9je MhGUa/GkXAY+azppFT+UFLJZ/1JxNvkfs7Hisq1r7d1r7SyEUE5X3EZAEfhZ5+9RzSAH X+zhEkMJcno9Uot3T0gWWN6+wqwVmSlG+nlWwqcg4QY8ovB6I8g4Z9mz8YZJ4SeZ7n80 BJ7kqZ6HT0PW+6s7C+iNT584sBiyQ05KoIlHdub0D2MCDriqwTXOGp0yI4yDOnwkMVHT Sr7N+k1AOzWuTJMuNwqGfm6Hx/uLLloctj9IviHU2sHUqACD7ju/usYA6hSudsIaTFML /OHQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=references:in-reply-to:message-id:date:subject:cc:to:from; bh=axc/ygK2Iy+mbOpHS99vyA6pAj0I1vBN2VE9f/hYflU=; b=0iqRwnHsE/0tApuTHh/oaQMXg/3euOypMpb76y8USbyGxfO8R1oM52RIsHrt+D/Ouy ULpTg8zN7dUhUnJfjXsfY0zYd5i0voO4sJaJUIKO3RADe36hzRLcv4iEr4bKvTC3nS5n Q1AQupEvwSYmvxXNovm6ckkVjuklC9dKO3TWlsiPocgQqaHw9VgKrAbYfXWKteqB5M8t LsVeiZqcYLzSWGLu5kzJ0gExkYR2MiYdWSgYvyO+RoYfqnwGvtcYcds8lEun9bXUM3H+ IT5jVkjvMA+2Ba6jLjtAzgc+T9W8r0CSd9lLTapAnwUE7Tw2Ol1CrAPyTtfn27s350QT vyrA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=aarcange@redhat.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from mx1.redhat.com (mx1.redhat.com. [209.132.183.28]) by mx.google.com with ESMTPS id 36si531307qta.249.2018.11.26.09.34.58 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 26 Nov 2018 09:34:58 -0800 (PST) Received-SPF: pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; Authentication-Results: mx.google.com; spf=pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=aarcange@redhat.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 2DB1030015EC; Mon, 26 Nov 2018 17:34:57 +0000 (UTC) Received: from sky.random (ovpn-120-160.rdu2.redhat.com [10.10.120.160]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 48017608F3; Mon, 26 Nov 2018 17:34:53 +0000 (UTC) From: Andrea Arcangeli To: Andrew Morton Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Hugh Dickins , Mike Rapoport , Mike Kravetz , Jann Horn , Peter Xu , "Dr. David Alan Gilbert" Subject: [PATCH 3/5] userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas Date: Mon, 26 Nov 2018 12:34:50 -0500 Message-Id: <20181126173452.26955-4-aarcange@redhat.com> In-Reply-To: <20181126173452.26955-1-aarcange@redhat.com> References: <20181126173452.26955-1-aarcange@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.43]); Mon, 26 Nov 2018 17:34:57 +0000 (UTC) X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: X-Virus-Scanned: ClamAV using ClamSMTP After the VMA to register the uffd onto is found, check that it has VM_MAYWRITE set before allowing registration. This way we inherit all common code checks before allowing to fill file holes in shmem and hugetlbfs with UFFDIO_COPY. The userfaultfd memory model is not applicable for readonly files unless it's a MAP_PRIVATE. Reviewed-by: Mike Rapoport Reviewed-by: Hugh Dickins Reported-by: Jann Horn Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support") Fixes: ff62a3421044 ("hugetlb: implement memfd sealing") Cc: stable@vger.kernel.org Signed-off-by: Andrea Arcangeli --- fs/userfaultfd.c | 15 +++++++++++++++ mm/userfaultfd.c | 15 ++++++--------- 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index 356d2b8568c1..cd58939dc977 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -1361,6 +1361,19 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx, ret = -EINVAL; if (!vma_can_userfault(cur)) goto out_unlock; + + /* + * UFFDIO_COPY will fill file holes even without + * PROT_WRITE. This check enforces that if this is a + * MAP_SHARED, the process has write permission to the backing + * file. If VM_MAYWRITE is set it also enforces that on a + * MAP_SHARED vma: there is no F_WRITE_SEAL and no further + * F_WRITE_SEAL can be taken until the vma is destroyed. + */ + ret = -EPERM; + if (unlikely(!(cur->vm_flags & VM_MAYWRITE))) + goto out_unlock; + /* * If this vma contains ending address, and huge pages * check alignment. @@ -1406,6 +1419,7 @@ static int userfaultfd_register(struct userfaultfd_ctx *ctx, BUG_ON(!vma_can_userfault(vma)); BUG_ON(vma->vm_userfaultfd_ctx.ctx && vma->vm_userfaultfd_ctx.ctx != ctx); + WARN_ON(!(vma->vm_flags & VM_MAYWRITE)); /* * Nothing to do: this vma is already registered into this @@ -1552,6 +1566,7 @@ static int userfaultfd_unregister(struct userfaultfd_ctx *ctx, cond_resched(); BUG_ON(!vma_can_userfault(vma)); + WARN_ON(!(vma->vm_flags & VM_MAYWRITE)); /* * Nothing to do: this vma is already registered into this diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c index 471b6457f95f..43cf314cfddd 100644 --- a/mm/userfaultfd.c +++ b/mm/userfaultfd.c @@ -205,8 +205,9 @@ static __always_inline ssize_t __mcopy_atomic_hugetlb(struct mm_struct *dst_mm, if (!dst_vma || !is_vm_hugetlb_page(dst_vma)) goto out_unlock; /* - * Only allow __mcopy_atomic_hugetlb on userfaultfd - * registered ranges. + * Check the vma is registered in uffd, this is + * required to enforce the VM_MAYWRITE check done at + * uffd registration time. */ if (!dst_vma->vm_userfaultfd_ctx.ctx) goto out_unlock; @@ -459,13 +460,9 @@ static __always_inline ssize_t __mcopy_atomic(struct mm_struct *dst_mm, if (!dst_vma) goto out_unlock; /* - * Be strict and only allow __mcopy_atomic on userfaultfd - * registered ranges to prevent userland errors going - * unnoticed. As far as the VM consistency is concerned, it - * would be perfectly safe to remove this check, but there's - * no useful usage for __mcopy_atomic ouside of userfaultfd - * registered ranges. This is after all why these are ioctls - * belonging to the userfaultfd and not syscalls. + * Check the vma is registered in uffd, this is required to + * enforce the VM_MAYWRITE check done at uffd registration + * time. */ if (!dst_vma->vm_userfaultfd_ctx.ctx) goto out_unlock; From patchwork Mon Nov 26 17:34:51 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Arcangeli X-Patchwork-Id: 10698859 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AC1D213BF for ; Mon, 26 Nov 2018 17:35:03 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 94D1C28630 for ; Mon, 26 Nov 2018 17:35:03 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8591729F76; Mon, 26 Nov 2018 17:35:03 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8795228630 for ; Mon, 26 Nov 2018 17:35:01 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 93B466B42CA; Mon, 26 Nov 2018 12:34:58 -0500 (EST) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 8C45B6B42CB; Mon, 26 Nov 2018 12:34:58 -0500 (EST) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 75DDE6B42CE; Mon, 26 Nov 2018 12:34:58 -0500 (EST) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from mail-qt1-f198.google.com (mail-qt1-f198.google.com [209.85.160.198]) by kanga.kvack.org (Postfix) with ESMTP id 3E8A16B42CA for ; Mon, 26 Nov 2018 12:34:58 -0500 (EST) Received: by mail-qt1-f198.google.com with SMTP id b16so17025519qtc.22 for ; Mon, 26 Nov 2018 09:34:58 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-original-authentication-results:x-gm-message-state:from:to:cc :subject:date:message-id:in-reply-to:references; bh=6n4GNHlA9ZS4Y3E0x8zmJPG1InhQ9JnR+HZCRoVwkGw=; b=MiWPl9N+B9rOnK1rTpxXjFkmoOf+mSGtaITP1dMiwT10zSM16kyQHVRkruYashAxl6 jo53JgWItYvbThG9j4BY/yaZcqC1fY4JHfrb6rEPDB+5Ni2Y5dCkkow+ajvssi6qJzHE LOJYMOhuGRPdtqNlIfQUnMzYGOVb5QjgXdZ8iOJKoN8uJN8RF1rRvE7Y9hsEuEUTvEgI dj+ty0ouLieWEWsMlDkGE01BZ3UDTz8jBhLpsuzjhhjLMtJBwglPR/7lv84V6LNbvJ7q Qjb8k7OTX6V0C+MgxFXzPIgvMA68ZpAb3xnbtTfsBwu7KWXncfmV21KY/wqn35ahbqCF zmeg== X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=aarcange@redhat.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com X-Gm-Message-State: AA+aEWZrQTkD+QgmX3Ky+NRKUJsXr4XyPr9Bb7mWQxaYZQKk+n0mF0rA SC79M37FkZ0KlEPQeOBVnR84mKLlXeGroBUJDiVC/Bfbtr3o1Meims6y5uavYx9v42qygcCP/PA jz2lJCBOPsA9sQfXDhzVa5rfSujDni0EWJXFsxk/OeN0FIHyMr8+gU87V7vbXXhvMYA== X-Received: by 2002:a0c:afd1:: with SMTP id t17mr26948103qvc.93.1543253698004; Mon, 26 Nov 2018 09:34:58 -0800 (PST) X-Google-Smtp-Source: AFSGD/XxFJwYoyKSDtyZvMEOm/ij3/OsHHn244SsCifgLfgp6JwNZswqWGV1IkzeiF/L6dBPDS9t X-Received: by 2002:a0c:afd1:: with SMTP id t17mr26948059qvc.93.1543253697333; Mon, 26 Nov 2018 09:34:57 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543253697; cv=none; d=google.com; s=arc-20160816; b=ysLQHLuSau5wS3HLt22CKdR03MT7EdlX9D9B6SR3ROd6lOzqnmiCcM4LSh53qPAJPg W9BKG5+byDPBoM+FTJoSy66fgAzcBUR878AN+LfLaKIBUWSOhYcMv9IjZdhWcIoAF9Ho wKTw7GR07KYtnAsladLz8uBB2YjSSbpxwHSfluSn2B6L1ZkLTM/tLgbS5rLLBK0b1LCa KmMK/dvB94RoTsVQ8MN6Q4xHQb0h23etNIdc414KkDxJpL1O9gKagcZiQdvFeGLMP9yH H8qLySaJQBf/KTMrA/PiV9Ax4nCssWdYf/8vwAWwS7c9QYwNDhWA9gny5HsRR8YUPqZs uwcA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=references:in-reply-to:message-id:date:subject:cc:to:from; bh=6n4GNHlA9ZS4Y3E0x8zmJPG1InhQ9JnR+HZCRoVwkGw=; b=krHsU26xZfnpqv9rlbLAXEzJlmfBwk6K3zlO3rKEMnDvaaURPz8wbNqvxzSHyWbPGU ju1yep7anMEf8UOZplxqkl3wNwpekNgtkxDHr3QHCjjuS/oCb5HI6T9N7PpIeBWfG+hS Y8TdQqqfshH3Bv08iDI/thoEorOYb3tmsQMnV3t7e5NRZ3xizwCS2o/29xcHK6UD2nON lZ2bPWzhAKhXmuXhuRhGdeckVU2IgsLAgKaeiwjFa1EIrbb9iQ8yvs+JlFYjo/HfCncn Rjv6cGy+HjcGTvlCnXKJtrx0IoTfdDTJd74qRkWvc569pwjwKy2NCJH5cdQvu7ag8mez bgSQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=aarcange@redhat.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from mx1.redhat.com (mx1.redhat.com. [209.132.183.28]) by mx.google.com with ESMTPS id q15si796478qti.20.2018.11.26.09.34.56 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 26 Nov 2018 09:34:57 -0800 (PST) Received-SPF: pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; Authentication-Results: mx.google.com; spf=pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=aarcange@redhat.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id CCF8853F6; Mon, 26 Nov 2018 17:34:55 +0000 (UTC) Received: from sky.random (ovpn-120-160.rdu2.redhat.com [10.10.120.160]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 481EA58B1; Mon, 26 Nov 2018 17:34:53 +0000 (UTC) From: Andrea Arcangeli To: Andrew Morton Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Hugh Dickins , Mike Rapoport , Mike Kravetz , Jann Horn , Peter Xu , "Dr. David Alan Gilbert" Subject: [PATCH 4/5] userfaultfd: shmem: add i_size checks Date: Mon, 26 Nov 2018 12:34:51 -0500 Message-Id: <20181126173452.26955-5-aarcange@redhat.com> In-Reply-To: <20181126173452.26955-1-aarcange@redhat.com> References: <20181126173452.26955-1-aarcange@redhat.com> X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.25]); Mon, 26 Nov 2018 17:34:56 +0000 (UTC) X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: X-Virus-Scanned: ClamAV using ClamSMTP With MAP_SHARED: recheck the i_size after taking the PT lock, to serialize against truncate with the PT lock. Delete the page from the pagecache if the i_size_read check fails. With MAP_PRIVATE: check the i_size after the PT lock before mapping anonymous memory or zeropages into the MAP_PRIVATE shmem mapping. A mostly irrelevant cleanup: like we do the delete_from_page_cache() pagecache removal after dropping the PT lock, the PT lock is a spinlock so drop it before the sleepable page lock. Reviewed-by: Mike Rapoport Reviewed-by: Hugh Dickins Reported-by: Jann Horn Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support") Cc: stable@vger.kernel.org Signed-off-by: Andrea Arcangeli Reviewed-by: Mike Rapoport Reviewed-by: Hugh Dickins Reported-by: Jann Horn Signed-off-by: Andrea Arcangeli Signed-off-by: Mike Rapoport --- mm/shmem.c | 18 ++++++++++++++++-- mm/userfaultfd.c | 26 ++++++++++++++++++++++++-- 2 files changed, 40 insertions(+), 4 deletions(-) diff --git a/mm/shmem.c b/mm/shmem.c index 353287412c25..c3ece7a51949 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2214,6 +2214,7 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm, struct page *page; pte_t _dst_pte, *dst_pte; int ret; + pgoff_t offset, max_off; ret = -ENOMEM; if (!shmem_inode_acct_block(inode, 1)) @@ -2251,6 +2252,12 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm, __SetPageSwapBacked(page); __SetPageUptodate(page); + ret = -EFAULT; + offset = linear_page_index(dst_vma, dst_addr); + max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE); + if (unlikely(offset >= max_off)) + goto out_release; + ret = mem_cgroup_try_charge_delay(page, dst_mm, gfp, &memcg, false); if (ret) goto out_release; @@ -2266,8 +2273,14 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm, if (dst_vma->vm_flags & VM_WRITE) _dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte)); - ret = -EEXIST; dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl); + + ret = -EFAULT; + max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE); + if (unlikely(offset >= max_off)) + goto out_release_uncharge_unlock; + + ret = -EEXIST; if (!pte_none(*dst_pte)) goto out_release_uncharge_unlock; @@ -2285,13 +2298,14 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm, /* No need to invalidate - it was non-present before */ update_mmu_cache(dst_vma, dst_addr, dst_pte); - unlock_page(page); pte_unmap_unlock(dst_pte, ptl); + unlock_page(page); ret = 0; out: return ret; out_release_uncharge_unlock: pte_unmap_unlock(dst_pte, ptl); + delete_from_page_cache(page); out_release_uncharge: mem_cgroup_cancel_charge(page, memcg, false); out_release: diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c index 43cf314cfddd..458acda96f20 100644 --- a/mm/userfaultfd.c +++ b/mm/userfaultfd.c @@ -33,6 +33,8 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm, void *page_kaddr; int ret; struct page *page; + pgoff_t offset, max_off; + struct inode *inode; if (!*pagep) { ret = -ENOMEM; @@ -73,8 +75,17 @@ static int mcopy_atomic_pte(struct mm_struct *dst_mm, if (dst_vma->vm_flags & VM_WRITE) _dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte)); - ret = -EEXIST; dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl); + if (dst_vma->vm_file) { + /* the shmem MAP_PRIVATE case requires checking the i_size */ + inode = dst_vma->vm_file->f_inode; + offset = linear_page_index(dst_vma, dst_addr); + max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE); + ret = -EFAULT; + if (unlikely(offset >= max_off)) + goto out_release_uncharge_unlock; + } + ret = -EEXIST; if (!pte_none(*dst_pte)) goto out_release_uncharge_unlock; @@ -108,11 +119,22 @@ static int mfill_zeropage_pte(struct mm_struct *dst_mm, pte_t _dst_pte, *dst_pte; spinlock_t *ptl; int ret; + pgoff_t offset, max_off; + struct inode *inode; _dst_pte = pte_mkspecial(pfn_pte(my_zero_pfn(dst_addr), dst_vma->vm_page_prot)); - ret = -EEXIST; dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl); + if (dst_vma->vm_file) { + /* the shmem MAP_PRIVATE case requires checking the i_size */ + inode = dst_vma->vm_file->f_inode; + offset = linear_page_index(dst_vma, dst_addr); + max_off = DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE); + ret = -EFAULT; + if (unlikely(offset >= max_off)) + goto out_unlock; + } + ret = -EEXIST; if (!pte_none(*dst_pte)) goto out_unlock; set_pte_at(dst_mm, dst_addr, dst_pte, _dst_pte); From patchwork Mon Nov 26 17:34:52 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrea Arcangeli X-Patchwork-Id: 10698867 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 13ED613BF for ; Mon, 26 Nov 2018 17:35:15 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0136029F76 for ; Mon, 26 Nov 2018 17:35:15 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E9FF229FD7; Mon, 26 Nov 2018 17:35:14 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 8AA6029F76 for ; Mon, 26 Nov 2018 17:35:14 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 0FDAC6B42D1; Mon, 26 Nov 2018 12:35:02 -0500 (EST) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 02B866B42D3; Mon, 26 Nov 2018 12:35:01 -0500 (EST) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id D05186B42D4; Mon, 26 Nov 2018 12:35:01 -0500 (EST) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from mail-qt1-f199.google.com (mail-qt1-f199.google.com [209.85.160.199]) by kanga.kvack.org (Postfix) with ESMTP id A1C2D6B42D1 for ; Mon, 26 Nov 2018 12:35:01 -0500 (EST) Received: by mail-qt1-f199.google.com with SMTP id w1so5145441qta.12 for ; Mon, 26 Nov 2018 09:35:01 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-original-authentication-results:x-gm-message-state:from:to:cc :subject:date:message-id:in-reply-to:references; bh=rdn8X4fdbwOWmWDhsswjLhcYSPpV/bWEy+t2pqaKdjo=; b=HA7mjic5cQLlGtqCp/Swz0hGivfGq5zC8zLTfAGb+LJEPhgs4T54wLztwJojp9I6WX nY61W3tTQ8PERSgWMlKUPb6a0gbfbg88fCfUy/JEtMO4KhymlM/40wFuBuQKLy+C0q9Z RmD/r0amnrqbGT7CX+hTjgvQ/rAV2RBbC1VGk1GgSzusykhmUxyComCppg00lObMiCR2 0ftF9LJ8uN7iabVSxgh90nc/51ZdUQdi4yvGgBAzxNTq/40L0LeVAnU/xwAW39c4rL4d GY0+AsuyvziBZYcBysHNdVAVOMM2sP6/L5C8DLomyJ4slSPJ9zqVU6VG86MN3cJufWMW BFPQ== X-Original-Authentication-Results: mx.google.com; spf=pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=aarcange@redhat.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com X-Gm-Message-State: AA+aEWZty/wTc+96OGx0xxgdEmZg7OHezBfMLsFnmSpxX6F5evhFm4D5 jZJtvPp1eaSo6+e5PFo4Qv+++ZZmfe+Ku1nZiC5gSovdZbWFUg5CeHY7Rvzndt/vdImnqsR7ngd QIngGgbX6PualUifjo/BDfrxVpn1bAH41ipggdRIVNppF8DmSkEWqzV2APmsCu/Dt/Q== X-Received: by 2002:a37:848:: with SMTP id 69mr25967643qki.351.1543253701400; Mon, 26 Nov 2018 09:35:01 -0800 (PST) X-Google-Smtp-Source: AFSGD/WhY0Samh9YIwBZ7H0rbVDd0vGkiojhbAingrBYsnZYEWbDXs9ZD0C0Dx7J1kqOKQvfnQCW X-Received: by 2002:a37:848:: with SMTP id 69mr25967587qki.351.1543253700648; Mon, 26 Nov 2018 09:35:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543253700; cv=none; d=google.com; s=arc-20160816; b=WSBp5C4EnSQ7qyx7WHM8xK7DhF90V9ei4+EGy0xO5TS7JC7HxYILwOgjsMMS1T7asG PK25YGGBX4D/x6Fpa7X3wgWmMX0+q39wjIoyPImVrxSVjHDVNIbWshMSQtNWYhh/9mAu kaAIbgdqupNI8CdPvEGEFHOan5iK9L1x4puNkz8t6Ck/1gc667KcbnNFr7xsAb3HlwUm W6fvYyBsoED7iTvIS3/tHUp2RoSUepNot3Q1RCIbTUWRvhhk1WLxrxCyWm+uhBMggprz UhaHLJXUTuoqv45ngc/65HrnLcwu/R+nEKR07OiaspCovnqqd56y117GsfVdabGoxqS0 rSIw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=references:in-reply-to:message-id:date:subject:cc:to:from; bh=rdn8X4fdbwOWmWDhsswjLhcYSPpV/bWEy+t2pqaKdjo=; b=GHrPIuB5d4Y+qRZp6ozmEcdLslQCFglykZNW1EQKrmeCzxThwNnu1Wxv1kI3jcLa9Y Ra22ymp3cQkKDUJa35B55G/g5QNk1Y3Or/oJLduVvDpHJax6VcFIXqoIw1aU913eRJZq WwdTDTyP1YIRka+YV/oh3o7FfQj5AZG+ofv92ADFa5RZUhOJCjHW5Txpf1kQsVFn4Qhs adcayuMNvB7JbJ38NmWq4ueYU/yPEve/CWYDZlGb9NwXH1rS6HAnevupFAYqhgplbQIr K2eue1gtNNdQCzwHE1KHZUxODCUCu92rcg11hYxXaeLpqm31kxtDxq3jnVjZjFe2UG9f yflA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=aarcange@redhat.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from mx1.redhat.com (mx1.redhat.com. [209.132.183.28]) by mx.google.com with ESMTPS id e24si690728qtp.141.2018.11.26.09.35.00 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 26 Nov 2018 09:35:00 -0800 (PST) Received-SPF: pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; Authentication-Results: mx.google.com; spf=pass (google.com: domain of aarcange@redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=aarcange@redhat.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id CA8F580F8D; Mon, 26 Nov 2018 17:34:59 +0000 (UTC) Received: from sky.random (ovpn-120-160.rdu2.redhat.com [10.10.120.160]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 7B942173DF; Mon, 26 Nov 2018 17:34:56 +0000 (UTC) From: Andrea Arcangeli To: Andrew Morton Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Hugh Dickins , Mike Rapoport , Mike Kravetz , Jann Horn , Peter Xu , "Dr. David Alan Gilbert" Subject: [PATCH 5/5] userfaultfd: shmem: UFFDIO_COPY: set the page dirty if VM_WRITE is not set Date: Mon, 26 Nov 2018 12:34:52 -0500 Message-Id: <20181126173452.26955-6-aarcange@redhat.com> In-Reply-To: <20181126173452.26955-1-aarcange@redhat.com> References: <20181126173452.26955-1-aarcange@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Mon, 26 Nov 2018 17:34:59 +0000 (UTC) X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: X-Virus-Scanned: ClamAV using ClamSMTP Set the page dirty if VM_WRITE is not set because in such case the pte won't be marked dirty and the page would be reclaimed without writepage (i.e. swapout in the shmem case). This was found by source review. Most apps (certainly including QEMU) only use UFFDIO_COPY on PROT_READ|PROT_WRITE mappings or the app can't modify the memory in the first place. This is for correctness and it could help the non cooperative use case to avoid unexpected data loss. Reviewed-by: Hugh Dickins Cc: stable@vger.kernel.org Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support") Reported-by: Hugh Dickins Signed-off-by: Andrea Arcangeli --- mm/shmem.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/mm/shmem.c b/mm/shmem.c index c3ece7a51949..82a381d463bc 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2272,6 +2272,16 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm, _dst_pte = mk_pte(page, dst_vma->vm_page_prot); if (dst_vma->vm_flags & VM_WRITE) _dst_pte = pte_mkwrite(pte_mkdirty(_dst_pte)); + else { + /* + * We don't set the pte dirty if the vma has no + * VM_WRITE permission, so mark the page dirty or it + * could be freed from under us. We could do it + * unconditionally before unlock_page(), but doing it + * only if VM_WRITE is not set is faster. + */ + set_page_dirty(page); + } dst_pte = pte_offset_map_lock(dst_mm, dst_pmd, dst_addr, &ptl); @@ -2305,6 +2315,7 @@ static int shmem_mfill_atomic_pte(struct mm_struct *dst_mm, return ret; out_release_uncharge_unlock: pte_unmap_unlock(dst_pte, ptl); + ClearPageDirty(page); delete_from_page_cache(page); out_release_uncharge: mem_cgroup_cancel_charge(page, memcg, false);