From: Dan Williams <dan.j.williams@intel.com>
To: "Kirill A. Shutemov" <kirill@shutemov.name>
Cc: Jan Kara <jack@suse.cz>,
"linux-nvdimm@lists.01.org" <linux-nvdimm@lists.01.org>,
Linux API <linux-api@vger.kernel.org>,
"Darrick J. Wong" <darrick.wong@oracle.com>,
Dave Chinner <david@fromorbit.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
linux-xfs@vger.kernel.org, Linux MM <linux-mm@kvack.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Andy Lutomirski <luto@kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Christoph Hellwig <hch@lst.de>
Subject: Re: [PATCH v4 3/3] fs, xfs: introduce MAP_DIRECT for creating block-map-sealed file ranges
Date: Tue, 15 Aug 2017 10:11:27 -0700 [thread overview]
Message-ID: <CAPcyv4gmyFugKwMJCVwC9wFmQ8TL4TbHsa0p2Pqg2a6LziRHVw@mail.gmail.com> (raw)
In-Reply-To: <20170815091836.c3xpsfgfwz7w35od@node.shutemov.name>
On Tue, Aug 15, 2017 at 2:18 AM, Kirill A. Shutemov
<kirill@shutemov.name> wrote:
> On Mon, Aug 14, 2017 at 11:12:22PM -0700, Dan Williams wrote:
>> MAP_DIRECT is an mmap(2) flag with the following semantics:
>>
>> MAP_DIRECT
>> In addition to this mapping having MAP_SHARED semantics, successful
>> faults in this range may assume that the block map (logical-file-offset
>> to physical memory address) is pinned for the lifetime of the mapping.
>> Successful MAP_DIRECT faults establish mappings that bypass any kernel
>> indirections like the page-cache. All updates are carried directly
>> through to the underlying file physical blocks (modulo cpu cache
>> effects).
>>
>> ETXTBSY is returned on attempts to change the block map (allocate blocks
>> / convert unwritten extents / break shared extents) in the mapped range.
>> Some filesystems may extend these same restrictions outside the mapped
>> range and return ETXTBSY to any file operations that might mutate the
>> block map. MAP_DIRECT faults may fail with a SIGSEGV if the filesystem
>> needs to write the block map to satisfy the fault. For example, if the
>> mapping was established over a hole in a sparse file.
>
> We had issues before with user-imposed ETXTBSY. See MAP_DENYWRITE.
>
> Are we sure it won't a source of denial-of-service attacks?
I believe MAP_DENYWRITE allowed any application with read access to be
able to deny writes which is obviously problematic. MAP_DIRECT is
different. You need write access to the file so you can already
destroy data that another application might depend on, and this only
blocks allocation and reflink.
However, I'm not opposed to adding more safety around this. I think we
can address this concern with an fcntl seal as Dave suggests, but the
seal only applies to the 'struct file' instance and only gates whether
MAP_DIRECT is allowed on that file. The act of setting
F_MAY_SEAL_IOMAP requires CAP_IMMUTABLE, but MAP_DIRECT does not. This
allows the 'permission to mmap(MAP_DIRECT)' to be passed around with
an open file descriptor.
>
>> The kernel ignores attempts to mark a MAP_DIRECT mapping MAP_PRIVATE and
>> will silently fall back to MAP_SHARED semantics.
>
> Hm.. Any reason for this strage behaviour? Looks just broken to me.
>
>>
>> ERRORS
>> EACCES A MAP_DIRECT mapping was requested and PROT_WRITE was not set.
>>
>> EINVAL MAP_ANONYMOUS was specified with MAP_DIRECT.
>>
>> EOPNOTSUPP The filesystem explicitly does not support the flag
>>
>> SIGSEGV Attempted to write a MAP_DIRECT mapping at a file offset that
>> might require block-map updates.
>
> I think it should be SIGBUS.
Ok, that does seem to fit this definition from the mmap(2) man page:
SIGBUS Attempted access to a portion of the buffer that does not
correspond to the file (for example, beyond the end of the file,
including the case where another process has truncated the file).
_______________________________________________
Linux-nvdimm mailing list
Linux-nvdimm@lists.01.org
https://lists.01.org/mailman/listinfo/linux-nvdimm
WARNING: multiple messages have this Message-ID (diff)
From: Dan Williams <dan.j.williams@intel.com>
To: "Kirill A. Shutemov" <kirill@shutemov.name>
Cc: "Darrick J. Wong" <darrick.wong@oracle.com>,
Jan Kara <jack@suse.cz>,
"linux-nvdimm@lists.01.org" <linux-nvdimm@lists.01.org>,
Linux API <linux-api@vger.kernel.org>,
Dave Chinner <david@fromorbit.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
linux-xfs@vger.kernel.org, Linux MM <linux-mm@kvack.org>,
Jeff Moyer <jmoyer@redhat.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Andy Lutomirski <luto@kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Ross Zwisler <ross.zwisler@linux.intel.com>,
Christoph Hellwig <hch@lst.de>
Subject: Re: [PATCH v4 3/3] fs, xfs: introduce MAP_DIRECT for creating block-map-sealed file ranges
Date: Tue, 15 Aug 2017 10:11:27 -0700 [thread overview]
Message-ID: <CAPcyv4gmyFugKwMJCVwC9wFmQ8TL4TbHsa0p2Pqg2a6LziRHVw@mail.gmail.com> (raw)
In-Reply-To: <20170815091836.c3xpsfgfwz7w35od@node.shutemov.name>
On Tue, Aug 15, 2017 at 2:18 AM, Kirill A. Shutemov
<kirill@shutemov.name> wrote:
> On Mon, Aug 14, 2017 at 11:12:22PM -0700, Dan Williams wrote:
>> MAP_DIRECT is an mmap(2) flag with the following semantics:
>>
>> MAP_DIRECT
>> In addition to this mapping having MAP_SHARED semantics, successful
>> faults in this range may assume that the block map (logical-file-offset
>> to physical memory address) is pinned for the lifetime of the mapping.
>> Successful MAP_DIRECT faults establish mappings that bypass any kernel
>> indirections like the page-cache. All updates are carried directly
>> through to the underlying file physical blocks (modulo cpu cache
>> effects).
>>
>> ETXTBSY is returned on attempts to change the block map (allocate blocks
>> / convert unwritten extents / break shared extents) in the mapped range.
>> Some filesystems may extend these same restrictions outside the mapped
>> range and return ETXTBSY to any file operations that might mutate the
>> block map. MAP_DIRECT faults may fail with a SIGSEGV if the filesystem
>> needs to write the block map to satisfy the fault. For example, if the
>> mapping was established over a hole in a sparse file.
>
> We had issues before with user-imposed ETXTBSY. See MAP_DENYWRITE.
>
> Are we sure it won't a source of denial-of-service attacks?
I believe MAP_DENYWRITE allowed any application with read access to be
able to deny writes which is obviously problematic. MAP_DIRECT is
different. You need write access to the file so you can already
destroy data that another application might depend on, and this only
blocks allocation and reflink.
However, I'm not opposed to adding more safety around this. I think we
can address this concern with an fcntl seal as Dave suggests, but the
seal only applies to the 'struct file' instance and only gates whether
MAP_DIRECT is allowed on that file. The act of setting
F_MAY_SEAL_IOMAP requires CAP_IMMUTABLE, but MAP_DIRECT does not. This
allows the 'permission to mmap(MAP_DIRECT)' to be passed around with
an open file descriptor.
>
>> The kernel ignores attempts to mark a MAP_DIRECT mapping MAP_PRIVATE and
>> will silently fall back to MAP_SHARED semantics.
>
> Hm.. Any reason for this strage behaviour? Looks just broken to me.
>
>>
>> ERRORS
>> EACCES A MAP_DIRECT mapping was requested and PROT_WRITE was not set.
>>
>> EINVAL MAP_ANONYMOUS was specified with MAP_DIRECT.
>>
>> EOPNOTSUPP The filesystem explicitly does not support the flag
>>
>> SIGSEGV Attempted to write a MAP_DIRECT mapping at a file offset that
>> might require block-map updates.
>
> I think it should be SIGBUS.
Ok, that does seem to fit this definition from the mmap(2) man page:
SIGBUS Attempted access to a portion of the buffer that does not
correspond to the file (for example, beyond the end of the file,
including the case where another process has truncated the file).
WARNING: multiple messages have this Message-ID (diff)
From: Dan Williams <dan.j.williams@intel.com>
To: "Kirill A. Shutemov" <kirill@shutemov.name>
Cc: "Darrick J. Wong" <darrick.wong@oracle.com>,
Jan Kara <jack@suse.cz>,
"linux-nvdimm@lists.01.org" <linux-nvdimm@lists.01.org>,
Linux API <linux-api@vger.kernel.org>,
Dave Chinner <david@fromorbit.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
linux-xfs@vger.kernel.org, Linux MM <linux-mm@kvack.org>,
Jeff Moyer <jmoyer@redhat.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Andy Lutomirski <luto@kernel.org>,
linux-fsdevel <linux-fsdevel@vger.kernel.org>,
Ross Zwisler <ross.zwisler@linux.intel.com>,
Christoph Hellwig <hch@lst.de>
Subject: Re: [PATCH v4 3/3] fs, xfs: introduce MAP_DIRECT for creating block-map-sealed file ranges
Date: Tue, 15 Aug 2017 10:11:27 -0700 [thread overview]
Message-ID: <CAPcyv4gmyFugKwMJCVwC9wFmQ8TL4TbHsa0p2Pqg2a6LziRHVw@mail.gmail.com> (raw)
In-Reply-To: <20170815091836.c3xpsfgfwz7w35od@node.shutemov.name>
On Tue, Aug 15, 2017 at 2:18 AM, Kirill A. Shutemov
<kirill@shutemov.name> wrote:
> On Mon, Aug 14, 2017 at 11:12:22PM -0700, Dan Williams wrote:
>> MAP_DIRECT is an mmap(2) flag with the following semantics:
>>
>> MAP_DIRECT
>> In addition to this mapping having MAP_SHARED semantics, successful
>> faults in this range may assume that the block map (logical-file-offset
>> to physical memory address) is pinned for the lifetime of the mapping.
>> Successful MAP_DIRECT faults establish mappings that bypass any kernel
>> indirections like the page-cache. All updates are carried directly
>> through to the underlying file physical blocks (modulo cpu cache
>> effects).
>>
>> ETXTBSY is returned on attempts to change the block map (allocate blocks
>> / convert unwritten extents / break shared extents) in the mapped range.
>> Some filesystems may extend these same restrictions outside the mapped
>> range and return ETXTBSY to any file operations that might mutate the
>> block map. MAP_DIRECT faults may fail with a SIGSEGV if the filesystem
>> needs to write the block map to satisfy the fault. For example, if the
>> mapping was established over a hole in a sparse file.
>
> We had issues before with user-imposed ETXTBSY. See MAP_DENYWRITE.
>
> Are we sure it won't a source of denial-of-service attacks?
I believe MAP_DENYWRITE allowed any application with read access to be
able to deny writes which is obviously problematic. MAP_DIRECT is
different. You need write access to the file so you can already
destroy data that another application might depend on, and this only
blocks allocation and reflink.
However, I'm not opposed to adding more safety around this. I think we
can address this concern with an fcntl seal as Dave suggests, but the
seal only applies to the 'struct file' instance and only gates whether
MAP_DIRECT is allowed on that file. The act of setting
F_MAY_SEAL_IOMAP requires CAP_IMMUTABLE, but MAP_DIRECT does not. This
allows the 'permission to mmap(MAP_DIRECT)' to be passed around with
an open file descriptor.
>
>> The kernel ignores attempts to mark a MAP_DIRECT mapping MAP_PRIVATE and
>> will silently fall back to MAP_SHARED semantics.
>
> Hm.. Any reason for this strage behaviour? Looks just broken to me.
>
>>
>> ERRORS
>> EACCES A MAP_DIRECT mapping was requested and PROT_WRITE was not set.
>>
>> EINVAL MAP_ANONYMOUS was specified with MAP_DIRECT.
>>
>> EOPNOTSUPP The filesystem explicitly does not support the flag
>>
>> SIGSEGV Attempted to write a MAP_DIRECT mapping at a file offset that
>> might require block-map updates.
>
> I think it should be SIGBUS.
Ok, that does seem to fit this definition from the mmap(2) man page:
SIGBUS Attempted access to a portion of the buffer that does not
correspond to the file (for example, beyond the end of the file,
including the case where another process has truncated the file).
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2017-08-15 17:09 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-15 6:12 [PATCH v4 0/3] MAP_DIRECT and block-map sealed files Dan Williams
2017-08-15 6:12 ` Dan Williams
2017-08-15 6:12 ` Dan Williams
2017-08-15 6:12 ` Dan Williams
2017-08-15 6:12 ` [PATCH v4 1/3] fs, xfs: introduce S_IOMAP_SEALED Dan Williams
2017-08-15 6:12 ` Dan Williams
2017-08-15 6:12 ` Dan Williams
2017-08-15 6:12 ` [PATCH v4 2/3] mm: introduce MAP_VALIDATE a mechanism for adding new mmap flags Dan Williams
2017-08-15 6:12 ` Dan Williams
2017-08-15 6:12 ` Dan Williams
2017-08-15 6:12 ` Dan Williams
2017-08-15 12:27 ` Jan Kara
2017-08-15 12:27 ` Jan Kara
2017-08-15 16:24 ` Dan Williams
2017-08-15 16:24 ` Dan Williams
2017-08-15 16:24 ` Dan Williams
2017-08-15 16:24 ` Dan Williams
2017-09-17 3:44 ` Dan Williams
2017-09-17 3:44 ` Dan Williams
2017-09-17 3:44 ` Dan Williams
2017-09-17 17:39 ` Christoph Hellwig
2017-09-17 17:39 ` Christoph Hellwig
2017-09-17 17:39 ` Christoph Hellwig
2017-09-18 9:31 ` Jan Kara
2017-09-18 9:31 ` Jan Kara
2017-09-18 9:31 ` Jan Kara
2017-09-18 9:31 ` Jan Kara
2017-09-18 15:47 ` Dan Williams
2017-09-18 15:47 ` Dan Williams
2017-09-18 9:26 ` Jan Kara
2017-09-18 9:26 ` Jan Kara
2017-09-18 9:26 ` Jan Kara
2017-08-15 16:28 ` Andy Lutomirski
2017-08-15 16:28 ` Andy Lutomirski
2017-08-15 16:28 ` Andy Lutomirski
2017-08-15 22:31 ` Dan Williams
2017-08-15 22:31 ` Dan Williams
2017-08-17 8:06 ` kbuild test robot
2017-08-17 8:06 ` kbuild test robot
2017-08-15 6:12 ` [PATCH v4 3/3] fs, xfs: introduce MAP_DIRECT for creating block-map-sealed file ranges Dan Williams
2017-08-15 6:12 ` Dan Williams
2017-08-15 6:12 ` Dan Williams
2017-08-15 9:18 ` Kirill A. Shutemov
2017-08-15 9:18 ` Kirill A. Shutemov
2017-08-15 9:18 ` Kirill A. Shutemov
2017-08-15 17:11 ` Dan Williams [this message]
2017-08-15 17:11 ` Dan Williams
2017-08-15 17:11 ` Dan Williams
2017-08-16 10:25 ` Kirill A. Shutemov
2017-08-16 10:25 ` Kirill A. Shutemov
2017-08-16 10:25 ` Kirill A. Shutemov
2017-08-15 12:42 ` Jan Kara
2017-08-15 12:42 ` Jan Kara
2017-08-15 12:42 ` Jan Kara
2017-08-15 16:29 ` Dan Williams
2017-08-15 16:29 ` Dan Williams
2017-08-15 16:29 ` Dan Williams
2017-08-15 16:29 ` Dan Williams
2017-08-16 1:15 ` Dan Williams
2017-08-16 1:15 ` Dan Williams
2017-08-16 1:15 ` Dan Williams
2017-08-16 1:15 ` Dan Williams
2017-08-17 8:49 ` kbuild test robot
2017-08-17 8:49 ` kbuild test robot
2017-08-17 8:49 ` kbuild test robot
2017-08-15 9:01 ` [PATCH v4 0/3] MAP_DIRECT and block-map sealed files Dave Chinner
2017-08-15 9:01 ` Dave Chinner
2017-08-15 9:01 ` Dave Chinner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAPcyv4gmyFugKwMJCVwC9wFmQ8TL4TbHsa0p2Pqg2a6LziRHVw@mail.gmail.com \
--to=dan.j.williams@intel.com \
--cc=darrick.wong@oracle.com \
--cc=david@fromorbit.com \
--cc=hch@lst.de \
--cc=jack@suse.cz \
--cc=kirill@shutemov.name \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-nvdimm@lists.01.org \
--cc=linux-xfs@vger.kernel.org \
--cc=luto@kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.