From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.2 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 23EF7C83004 for ; Wed, 29 Apr 2020 11:59:06 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id C4AEB2085B for ; Wed, 29 Apr 2020 11:59:05 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org C4AEB2085B Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=arm.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 53C738E0005; Wed, 29 Apr 2020 07:59:05 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 4ECB48E0001; Wed, 29 Apr 2020 07:59:05 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 4026E8E0005; Wed, 29 Apr 2020 07:59:05 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0062.hostedemail.com [216.40.44.62]) by kanga.kvack.org (Postfix) with ESMTP id 26CB58E0001 for ; Wed, 29 Apr 2020 07:59:05 -0400 (EDT) Received: from smtpin07.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id E154B4DCB for ; Wed, 29 Apr 2020 11:59:04 +0000 (UTC) X-FDA: 76760746608.07.oil15_4f38136dccc54 X-HE-Tag: oil15_4f38136dccc54 X-Filterd-Recvd-Size: 6159 Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by imf32.hostedemail.com (Postfix) with ESMTP for ; Wed, 29 Apr 2020 11:59:04 +0000 (UTC) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 5768D1063; Wed, 29 Apr 2020 04:59:03 -0700 (PDT) Received: from gaia (unknown [172.31.20.19]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id C98633F73D; Wed, 29 Apr 2020 04:59:01 -0700 (PDT) Date: Wed, 29 Apr 2020 12:58:59 +0100 From: Catalin Marinas To: Kevin Brodsky Cc: linux-arm-kernel@lists.infradead.org, Will Deacon , Vincenzo Frascino , Szabolcs Nagy , Richard Earnshaw , Andrey Konovalov , Peter Collingbourne , linux-mm@kvack.org, linux-arch@vger.kernel.org, Alexander Viro Subject: Re: [PATCH v3 20/23] fs: Allow copy_mount_options() to access user-space in a single pass Message-ID: <20200429115858.GA10651@gaia> References: <20200421142603.3894-1-catalin.marinas@arm.com> <20200421142603.3894-21-catalin.marinas@arm.com> <9544d86b-d445-3497-fbbf-56c590400f83@arm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <9544d86b-d445-3497-fbbf-56c590400f83@arm.com> User-Agent: Mutt/1.10.1 (2018-07-13) X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Tue, Apr 28, 2020 at 07:16:29PM +0100, Kevin Brodsky wrote: > On 21/04/2020 15:26, Catalin Marinas wrote: > > diff --git a/fs/namespace.c b/fs/namespace.c > > index a28e4db075ed..8febc50dfc5d 100644 > > --- a/fs/namespace.c > > +++ b/fs/namespace.c > > @@ -3025,13 +3025,16 @@ void *copy_mount_options(const void __user * data) > > if (!copy) > > return ERR_PTR(-ENOMEM); > > - size = PAGE_SIZE - offset_in_page(data); > > + size = PAGE_SIZE; > > + if (!arch_has_exact_copy_from_user(size)) > > + size -= offset_in_page(data); > > - if (copy_from_user(copy, data, size)) { > > + if (copy_from_user(copy, data, size) == size) { > > kfree(copy); > > return ERR_PTR(-EFAULT); > > } > > if (size != PAGE_SIZE) { > > + WARN_ON(1); > > I'm not sure I understand the rationale here. If we don't have exact > copy_from_user for size, then we will attempt to copy up to the end of the > page. Assuming this doesn't fault, we then want to carry on copying from the > start of the next page, until we reach a total size of up to 4K. Why would > we warn in that case? AIUI, if you don't have exact copy_from_user, there > are 3 cases: > 1. copy_from_user() returns size, we bail out. > 2. copy_from_user() returns 0, we carry on copying from the next page. > 3. copy_from_user() returns anything else, we return immediately. > > I think you're not handling case 3 here. (3) is still handled as (2) since the only check we have is whether copy_from_user() returned size. Since size is not updated, it falls through the second if block (where WARN_ON should have disappeared). Thinking some more about this, I think it can be simplified without adding arch_has_exact_copy_from_user(). We do have to guarantee on arm64 that a copy_from_user() to the end of a page (4K aligned, hence tag granule aligned) is exact but that's just matching the current semantics. What about this new patch below, replacing the current one: -------------8<------------------------------- >From cf9a1c9668ce77af3ef6589ee8038e91df127dab Mon Sep 17 00:00:00 2001 From: Catalin Marinas Date: Wed, 15 Apr 2020 18:45:44 +0100 Subject: [PATCH] fs: Handle intra-page faults in copy_mount_options() The copy_mount_options() function takes a user pointer argument but no size. It tries to read up to a PAGE_SIZE. However, copy_from_user() is not guaranteed to return all the accessible bytes if, for example, the access crosses a page boundary and gets a fault on the second page. To work around this, the current copy_mount_options() implementation performs two copy_from_user() passes, first to the end of the current page and the second to what's left in the subsequent page. On arm64 with MTE enabled, access to a user page may trigger a fault after part of the buffer has been copied (when the user pointer tag, bits 56-59, no longer matches the allocation tag stored in memory). Allow copy_mount_options() to handle such case by only returning -EFAULT if the first copy_from_user() has not copied any bytes. Signed-off-by: Catalin Marinas Cc: Alexander Viro Cc: Will Deacon --- fs/namespace.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index a28e4db075ed..51eecbd8ea89 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -3016,7 +3016,7 @@ static void shrink_submounts(struct mount *mnt) void *copy_mount_options(const void __user * data) { char *copy; - unsigned size; + unsigned size, left; if (!data) return NULL; @@ -3027,11 +3027,22 @@ void *copy_mount_options(const void __user * data) size = PAGE_SIZE - offset_in_page(data); - if (copy_from_user(copy, data, size)) { + /* + * Attempt to copy to the end of the first user page. On success, + * left == 0, copy the rest from the second user page (if it is + * accessible). + * + * On architectures with intra-page faults (arm64 with MTE), the read + * from the first page may fail after copying part of the user data + * (left > 0 && left < size). Do not attempt the second copy in this + * case as the end of the valid user buffer has already been reached. + */ + left = copy_from_user(copy, data, size); + if (left == size) { kfree(copy); return ERR_PTR(-EFAULT); } - if (size != PAGE_SIZE) { + if (left == 0 && size != PAGE_SIZE) { if (copy_from_user(copy + size, data + size, PAGE_SIZE - size)) memset(copy + size, 0, PAGE_SIZE - size); }