From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.3 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, MENTIONS_GIT_HOSTING,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5DE58C433E7 for ; Thu, 15 Oct 2020 09:06:40 +0000 (UTC) Received: from merlin.infradead.org (merlin.infradead.org [205.233.59.134]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id BB3A5218AC for ; Thu, 15 Oct 2020 09:06:39 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="c+H+G8YL" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org BB3A5218AC Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=arm.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References:Message-ID: Subject:To:From:Date:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=rLWDFqKNW0NQ0/W7YLu5pONRSsNx79jdkBRnoILrFpY=; b=c+H+G8YLaHZCcKfnjSZRQW/xh sKewqd5gUKR6gsu0vWtXTMe91d0/Eqp4AE9oCyquM7kcQ3pj5FPillz0i94lc6balQ3JqBQ10pppY 4qbKM5fze+hXwRcdeJ5X30GDeI/+yy3ZmiO8fL8JT/SkoM3m34GlnCDRnbWAWZO3MBr/Enpvy216l dCtaSBohClxn1VPEgssKHFaHuSCpueQGlo60fDvwE4KtmF1vxAlHZ6vkysP1XAsyg6BVAV9GlNIRM 4He/eAf9WWLd5E8VHV8faBwSDKsx3NOea64Eau6zPoB0TcDt9L2dBOr75LKGlHhAvpp7qh4rWO2yB GsBvcFQdg==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kSzCL-0003Eu-NK; Thu, 15 Oct 2020 09:05:21 +0000 Received: from mail.kernel.org ([198.145.29.99]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kSzCI-0003Ca-EA for linux-arm-kernel@lists.infradead.org; Thu, 15 Oct 2020 09:05:19 +0000 Received: from gaia (unknown [95.149.105.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9F9102145D; Thu, 15 Oct 2020 09:05:14 +0000 (UTC) Date: Thu, 15 Oct 2020 10:05:12 +0100 From: Catalin Marinas To: Khalid Aziz Subject: Re: [PATCH 1/2] mm/mprotect: Call arch_validate_prot under mmap_lock and with length Message-ID: <20201015084936.GC20197@gaia> References: <20201007073932.865218-1-jannh@google.com> <20201010110949.GA32545@gaia> <20201012172218.GE6493@gaia> <20c85633-b559-c299-3e57-ae136b201526@oracle.com> <20201013091638.GA10778@gaia> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20201015_050518_648355_BBF58F9D X-CRM114-Status: GOOD ( 36.25 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Jann Horn , Michael Ellerman , linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, Christoph Hellwig , linux-mm@kvack.org, Paul Mackerras , Benjamin Herrenschmidt , sparclinux@vger.kernel.org, Anthony Yznaga , Andrew Morton , Will Deacon , "David S. Miller" , linux-arm-kernel@lists.infradead.org Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Wed, Oct 14, 2020 at 03:21:16PM -0600, Khalid Aziz wrote: > On 10/13/20 3:16 AM, Catalin Marinas wrote: > > On Mon, Oct 12, 2020 at 01:14:50PM -0600, Khalid Aziz wrote: > >> On 10/12/20 11:22 AM, Catalin Marinas wrote: > >>> On Mon, Oct 12, 2020 at 11:03:33AM -0600, Khalid Aziz wrote: > >>>> On 10/10/20 5:09 AM, Catalin Marinas wrote: > >>>>> I still think sparc should avoid walking the vmas in > >>>>> arch_validate_prot(). The core code already has the vmas, though not > >>>>> when calling arch_validate_prot(). That's one of the reasons I added > >>>>> arch_validate_flags() with the MTE patches. For sparc, this could be > >>>>> (untested, just copied the arch_validate_prot() code): > >>>> > >>>> I am little uncomfortable with the idea of validating protection bits > >>>> inside the VMA walk loop in do_mprotect_pkey(). When ADI is being > >>>> enabled across multiple VMAs and arch_validate_flags() fails on a VMA > >>>> later, do_mprotect_pkey() will bail out with error leaving ADI enabled > >>>> on earlier VMAs. This will apply to protection bits other than ADI as > >>>> well of course. This becomes a partial failure of mprotect() call. I > >>>> think it should be all or nothing with mprotect() - when one calls > >>>> mprotect() from userspace, either the entire address range passed in > >>>> gets its protection bits updated or none of it does. That requires > >>>> validating protection bits upfront or undoing what earlier iterations of > >>>> VMA walk loop might have done. > >>> > >>> I thought the same initially but mprotect() already does this with the > >>> VM_MAY* flag checking. If you ask it for an mprotect() that crosses > >>> multiple vmas and one of them fails, it doesn't roll back the changes to > >>> the prior ones. I considered that a similar approach is fine for MTE > >>> (it's most likely a user error). > >> > >> You are right about the current behavior with VM_MAY* flags, but that is > >> not the right behavior. Adding more cases to this just perpetuates > >> incorrect behavior. It is not easy to roll back changes after VMAs have > >> potentially been split/merged which is probably why the current code > >> simply throws in the towel and returns with partially modified address > >> space. It is lot easier to do all the checks upfront and then proceed or > >> not proceed with modifying VMAs. One approach might be to call > >> arch_validate_flags() in a loop before modifying VMAs and walk all VMAs > >> with a read lock held. Current code also bails out with ENOMEM if it > >> finds a hole in the address range and leaves any modifications already > >> made in place. This is another case where a hole could have been > >> detected earlier. > > > > This should be ideal indeed though with the risk of breaking the current > > ABI (FWIW, FreeBSD seems to do a first pass to check for violations: > > https://github.com/freebsd/freebsd/blob/master/sys/vm/vm_map.c#L2630). > > I am not sure I understand where the ABI breakage would be. Are we aware > of apps that intentionally modify address space partially using the > current code? I hope there aren't any but you never know until you make the change and someone complains. Arguably, such user code is already broken since mprotect() doesn't even tell where the failure occurred. > What FreeBSD does seems like a reasonable thing to do. Any way first > thing to do is to update sparc to use arch_validate_flags() and update > sparc_validate_prot() to not peek into vma without lock. If you go for arch_validate_flags(), I think sparc_validate_prot() doesn't need the vma at all. BTW, on the ADI topic, I think you have a race in do_swap_page() since set_pte_at() is called before arch_do_swap_page(). So a thread in the same process would see the new mapping but the tags have not been updated yet. Unless sparc relies on the new user pte to be set, I think you can just swap the two calls. -- Catalin _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel