From: David Hildenbrand <david@redhat.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org,
stable@vger.kernel.org, Andrew Morton <akpm@linux-foundation.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Axel Rasmussen <axelrasmussen@google.com>,
Peter Xu <peterx@redhat.com>, Hugh Dickins <hughd@google.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Matthew Wilcox <willy@infradead.org>,
Vlastimil Babka <vbabka@suse.cz>,
John Hubbard <jhubbard@nvidia.com>,
Jason Gunthorpe <jgg@nvidia.com>
Subject: Re: [PATCH v1] mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW
Date: Tue, 9 Aug 2022 21:09:59 +0200 [thread overview]
Message-ID: <ac2f75aa-da03-66fb-cb35-ec1b9d69281c@redhat.com> (raw)
In-Reply-To: <CAHk-=wiKm3QjM1_XwWNW8P8drW6s0ZeANm7VKy_1c7WH6RSp3g@mail.gmail.com>
On 09.08.22 20:48, Linus Torvalds wrote:
> On Mon, Aug 8, 2022 at 12:32 AM David Hildenbrand <david@redhat.com> wrote:
>>
>> For example, a write() via /proc/self/mem to a uffd-wp-protected range has
>> to fail instead of silently granting write access and bypassing the
>> userspace fault handler.
>
> This, btw, just makes me go "uffd-wp is broken garbage" once more.
>
> It also makes me go "if uffd-wp can disallow ptrace writes, then why
> doesn't regular write protect do it"?
I remember that it's not just uffd-wp, it's also ordinary userfaultfd if
we have no page mapped, because we'd have to drop the mmap lock in order
to notify user space about the fault and wait for a resolution.
IIUC, we cannot tell what exactly user-space will do as a response to a
user write fault here (for example, QEMU VM snapshots have to copy page
content away such that the VM snapshot remains consistent and we won't
corrupt the snapshot), so we have to back off and fail the GUP. I'd say,
for ptrace that's even the right thing to do because one might deadlock
waiting on the user space thread that handles faults ... but that's a
little off-topic to this fix here. I'm just trying to keep the semantics
unchanged, as weird as they might be.
>
> IOW, I don't think the patch is wrong (apart from the VM_BUG_ON's that
> absolutely must go away), but I get the strong feelign that we instead
> should try to get rid of FOLL_FORCE entirely.
I can resend v2 soonish, taking care of the VM_BUG_ON as you requested
if there are no other comments.
>
> If some other user action can stop FOLL_FORCE anyway, then why do we
> support it at all?
My humble opinion is that debugging userfaultfd-managed memory is a
corner case and that we can hopefully stop using FOLL_FORCE outside of
debugging context soon.
Having that said, I do enjoy having the uffd and uffd-wp feature
available in user space (especially in QEMU). I don't always enjoy
having to handle such corner cases in the kernel.
--
Thanks,
David / dhildenb
next prev parent reply other threads:[~2022-08-09 19:10 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-08 7:32 [PATCH v1] mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW David Hildenbrand
2022-08-08 16:02 ` David Hildenbrand
2022-08-09 18:27 ` Linus Torvalds
2022-08-09 18:45 ` David Hildenbrand
2022-08-09 18:59 ` Linus Torvalds
2022-08-09 19:07 ` Jason Gunthorpe
2022-08-09 19:21 ` Linus Torvalds
2022-08-09 21:16 ` David Laight
2022-08-11 7:13 ` [PATCH] sched/all: Change BUG_ON() instances to WARN_ON() Ingo Molnar
2022-08-11 20:43 ` Linus Torvalds
2022-08-11 21:28 ` Matthew Wilcox
2022-08-11 23:22 ` Jason Gunthorpe
2022-08-14 1:10 ` John Hubbard
2022-08-12 9:29 ` [PATCH v2] sched/all: Change all BUG_ON() instances in the scheduler to WARN_ON_ONCE() Ingo Molnar
[not found] ` <20220815144143.zjsiamw5y22bvgki@suse.de>
2022-08-15 22:12 ` John Hubbard
2022-08-21 11:28 ` Ingo Molnar
2022-08-09 18:40 ` [PATCH v1] mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW Linus Torvalds
2022-08-09 18:48 ` Jason Gunthorpe
2022-08-09 18:53 ` David Hildenbrand
2022-08-09 19:07 ` Linus Torvalds
2022-08-09 19:20 ` David Hildenbrand
2022-08-09 18:48 ` Linus Torvalds
2022-08-09 19:09 ` David Hildenbrand [this message]
2022-08-09 20:00 ` Linus Torvalds
2022-08-09 20:06 ` David Hildenbrand
2022-08-09 20:07 ` David Hildenbrand
2022-08-09 20:14 ` Linus Torvalds
2022-08-09 20:20 ` David Hildenbrand
2022-08-09 20:30 ` Linus Torvalds
2022-08-09 20:38 ` Linus Torvalds
2022-08-09 20:42 ` David Hildenbrand
2022-08-09 20:20 ` Linus Torvalds
2022-08-09 20:23 ` David Hildenbrand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ac2f75aa-da03-66fb-cb35-ec1b9d69281c@redhat.com \
--to=david@redhat.com \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=axelrasmussen@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=hughd@google.com \
--cc=jgg@nvidia.com \
--cc=jhubbard@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=peterx@redhat.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=vbabka@suse.cz \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).