From mboxrd@z Thu Jan 1 00:00:00 1970
From: Al Viro
To: Catalin Marinas
Cc: Linus Torvalds, Andreas Gruenbacher, Christoph Hellwig, "Darrick J. Wong", Jan Kara, Matthew Wilcox, cluster-devel, linux-fsdevel, Linux Kernel Mailing List, "ocfs2-devel@oss.oracle.com", Josef Bacik, Will Deacon
Subject: Re: [RFC][arm64] possible infinite loop in btrfs search_ioctl()
Date: Tue, 31 Aug 2021 15:28:57 +0000
Message-ID:
References: <20210827164926.1726765-1-agruenba@redhat.com> <20210827164926.1726765-6-agruenba@redhat.com>
In-Reply-To:
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Aug 31, 2021 at 02:54:50PM +0100, Catalin Marinas wrote:
> An arm64-specific workaround would be for pagefault_disable() to disable
> tag checking. It's a pretty big hammer, weakening the out of bounds
> access detection of MTE. My preference would be a fix in the btrfs code.
>
> A btrfs option would be for copy_to_sk() to return an indication of
> where the fault occurred and get fault_in_pages_writeable() to check
> that location, even if the copying would restart from an earlier offset
> (this requires open-coding copy_to_user_nofault()). An attempt below,
> untested and does not cover read_extent_buffer_to_user_nofault():

Umm... There's another copy_to_user_nofault() call in the same function
(same story, AFAICS).

Can't say I'm fond of their ABI, but then I guess it could've been worse -
iterating over btree, running a user-supplied chunk of INTERCAL over it,
with all details of internal representation cast in stone by that
exposure...
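The loop the thread is about, as an added illustration that is not part of the message above and not btrfs or arm64 code: a userspace C model of search_ioctl()'s copy / fault-in / retry cycle against a tag-checked user buffer. The page size, granule layout, item size, retry cap, the tag model and every name ending in _model are assumptions made for the illustration. fault_in_pages_writeable() only touches the first byte of each page, so a granule with a mismatched tag in the middle of a page passes the probe but faults the copy, and the loop restarts from the same offset forever; probing the offset the copy reported instead, as Catalin proposes, turns the spin into an -EFAULT returned to userspace.

```c
/* Model of btrfs search_ioctl()'s copy / fault-in / retry loop under MTE-style tag
 * checks. Added example, not kernel code; sizes, tags and *_model names are assumed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PAGE_SZ     64   /* model page size (assumption) */
#define GRANULE     16   /* MTE tag granule */
#define BUF_SIZE    (2 * PAGE_SZ)
#define ITEM_SIZE   24   /* one result item; deliberately not granule aligned */
#define NITEMS      5
#define MAX_RETRIES 8    /* the real loop has no cap; this lets the model stop */

/* Modelled user buffer: bytes, one tag per granule, and the pointer's own tag. */
struct user_buf { uint8_t data[BUF_SIZE]; uint8_t tag[BUF_SIZE / GRANULE]; uint8_t ptr_tag; };
struct result { int ret; int iterations; size_t copied; };

/* put_user() model: out of range or a tag mismatch is a fault. */
static int put_user_byte(struct user_buf *ub, size_t off, uint8_t v)
{
    if (off >= BUF_SIZE || ub->tag[off / GRANULE] != ub->ptr_tag) return -EFAULT;
    ub->data[off] = v;
    return 0;
}

/* copy_to_user_nofault() model, open-coded so the faulting offset is passed back. */
static int copy_to_user_model(struct user_buf *ub, size_t off, const uint8_t *src, size_t len, size_t *fault_off)
{
    for (size_t i = 0; i < len; i++)
        if (put_user_byte(ub, off + i, src[i])) {
            *fault_off = off + i;
            return -EFAULT;
        }
    return 0;
}

/* fault_in_pages_writeable() model: touches only the first byte of each page. */
static int fault_in_writeable_model(struct user_buf *ub, size_t off, size_t len)
{
    for (size_t p = off; p < off + len; p = (p / PAGE_SZ + 1) * PAGE_SZ)
        if (p >= BUF_SIZE || put_user_byte(ub, p, ub->data[p]))
            return -EFAULT;
    return 0;
}

/* copy_to_sk() model: whole items only; a faulting item is not committed, so *sk_offset stays put. */
static int copy_to_sk_model(struct user_buf *ub, const uint8_t *items, size_t *sk_offset, size_t *fault_off)
{
    for (; *sk_offset < NITEMS * ITEM_SIZE; *sk_offset += ITEM_SIZE)
        if (copy_to_user_model(ub, *sk_offset, items + *sk_offset, ITEM_SIZE, fault_off))
            return -EFAULT;
    return 0;
}

/* The retry loop. probe_fault_addr == 0 probes from the restart offset (the pattern under
 * discussion); 1 probes the offset the copy reported. -ELOOP stands in for "spins forever". */
static struct result search_ioctl_model(struct user_buf *ub, const uint8_t *items, int probe_fault_addr)
{
    struct result r = { -ELOOP, 0, 0 };
    size_t sk_offset = 0, fault_off = 0;
    for (int i = 0; i < MAX_RETRIES; i++) {
        r.iterations = i + 1;
        int ret = copy_to_sk_model(ub, items, &sk_offset, &fault_off);
        r.copied = sk_offset;
        if (ret != -EFAULT) { r.ret = ret; return r; }
        size_t probe = probe_fault_addr ? fault_off : sk_offset;
        if (fault_in_writeable_model(ub, probe, NITEMS * ITEM_SIZE - probe)) {
            r.ret = -EFAULT; return r;   /* the fault is real: hand it back to userspace */
        }
    }
    return r;
}

/* Constructed scenario: every granule tagged 1 except bad_granule (tag 2); < 0 means clean.
 * bad_granule == 5 is bytes 80..95, inside page 1 but not at its start: item 3 (72..95)
 * faults at byte 80 while the page probe at byte 72 succeeds. */
static struct result run(int probe_fault_addr, int bad_granule)
{
    struct user_buf ub;
    uint8_t items[NITEMS * ITEM_SIZE];
    memset(&ub, 0, sizeof(ub));
    memset(ub.tag, 1, sizeof(ub.tag));
    ub.ptr_tag = 1;
    if (bad_granule >= 0) ub.tag[bad_granule] = 2;
    for (size_t i = 0; i < sizeof(items); i++) items[i] = (uint8_t)(i * 7 + 1);
    struct result r = search_ioctl_model(&ub, items, probe_fault_addr);
    if (r.ret == 0 && memcmp(ub.data, items, sizeof(items)) != 0)
        r.ret = -EIO;  /* "success" must mean every item reached user memory */
    return r;
}

int main(void)
{
    struct result a = run(0, 5), b = run(1, 5), c = run(0, -1);
    printf("restart-offset probe: ret=%d tries=%d copied=%zu\n", a.ret, a.iterations, a.copied);
    printf("fault-offset probe:   ret=%d tries=%d copied=%zu\n", b.ret, b.iterations, b.copied);
    printf("clean buffer:         ret=%d tries=%d copied=%zu\n", c.ret, c.iterations, c.copied);
    return 0;
}
```

With the mismatched granule at a page boundary (bad_granule == 4) both variants stop after one pass, because the page probe lands on the bad byte; only a mismatch away from the page start separates them. The model also shows why reporting the fault location is needed at every nofault copy in the function, which is the point about the second copy_to_user_nofault() call above: a copy that does not pass its faulting offset back leaves the loop with nothing better than the restart offset to probe.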