From: David Hildenbrand <david@redhat.com>
To: Jason Gunthorpe <jgg@nvidia.com>,
Linus Torvalds <torvalds@linux-foundation.org>
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org,
stable@vger.kernel.org, Andrew Morton <akpm@linux-foundation.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Axel Rasmussen <axelrasmussen@google.com>,
Peter Xu <peterx@redhat.com>, Hugh Dickins <hughd@google.com>,
Andrea Arcangeli <aarcange@redhat.com>,
Matthew Wilcox <willy@infradead.org>,
Vlastimil Babka <vbabka@suse.cz>,
John Hubbard <jhubbard@nvidia.com>
Subject: Re: [PATCH v1] mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW
Date: Tue, 9 Aug 2022 20:53:01 +0200 [thread overview]
Message-ID: <d8765f51-c6f6-1d21-82ba-877515acf17d@redhat.com> (raw)
In-Reply-To: <YvKsBUuwLNlHwhnE@nvidia.com>
On 09.08.22 20:48, Jason Gunthorpe wrote:
> On Tue, Aug 09, 2022 at 11:40:50AM -0700, Linus Torvalds wrote:
>> On Mon, Aug 8, 2022 at 12:32 AM David Hildenbrand <david@redhat.com> wrote:
>>>
>>> For example, a write() via /proc/self/mem to a uffd-wp-protected range has
>>> to fail instead of silently granting write access and bypassing the
>>> userspace fault handler. Note that FOLL_FORCE is not only used for debug
>>> access, but also triggered by applications without debug intentions, for
>>> example, when pinning pages via RDMA.
>>
>> So this made me go "Whaa?"
>>
>> I didn't even realize that the media drivers and rdma used FOLL_FORCE.
>>
>> That's just completely bogus.
>>
>> Why do they do that?
>>
>> It seems to be completely bogus, and seems to have no actual valid
>> reason for it. Looking through the history, it goes back to the
>> original code submission in 2006, and doesn't have a mention of why.
>
> It is because of all this madness with COW.
>
> Lets say an app does:
>
> buf = mmap(MAP_PRIVATE)
> rdma_pin_for_read(buf)
> buf[0] = 1
>
> Then the store to buf[0] will COW the page and the pin will become
> decoherent.
>
> The purpose of the FORCE is to force COW to happen early so this is
> avoided.
>
> Sadly there are real apps that end up working this way, eg because
> they are using buffer in .data or something.
>
> I've hoped David's new work on this provided some kind of path to a
> proper solution, as the need is very similar to all the other places
> where we need to ensure there is no possiblity of future COW.
>
> So, these usage can be interpreted as a FOLL flag we don't have - some
> kind of (FOLL_EXCLUSIVE | FOLL_READ) to match the PG_anon_exclusive
> sort of idea.
Thanks Jason for the explanation.
I have patches in the works to no longer use FOLL_FORCE|FOLL_WRITE for
taking a reliable longerterm R/O pin in a MAP_PRIVATE mapping. The
patches are mostly done (and comparably simple), I merely deferred
sending them out because I stumbled over this issue first.
Some ugly corner cases of MAP_SHARED remain, but for most prominent use
cases, my upcoming patches should allow us to just have longterm R/O
pins working as expected.
--
Thanks,
David / dhildenb
next prev parent reply other threads:[~2022-08-09 18:53 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-08 7:32 [PATCH v1] mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW David Hildenbrand
2022-08-08 16:02 ` David Hildenbrand
2022-08-09 18:27 ` Linus Torvalds
2022-08-09 18:45 ` David Hildenbrand
2022-08-09 18:59 ` Linus Torvalds
2022-08-09 19:07 ` Jason Gunthorpe
2022-08-09 19:21 ` Linus Torvalds
2022-08-09 21:16 ` David Laight
2022-08-11 7:13 ` [PATCH] sched/all: Change BUG_ON() instances to WARN_ON() Ingo Molnar
2022-08-11 20:43 ` Linus Torvalds
2022-08-11 21:28 ` Matthew Wilcox
2022-08-11 23:22 ` Jason Gunthorpe
2022-08-14 1:10 ` John Hubbard
2022-08-12 9:29 ` [PATCH v2] sched/all: Change all BUG_ON() instances in the scheduler to WARN_ON_ONCE() Ingo Molnar
[not found] ` <20220815144143.zjsiamw5y22bvgki@suse.de>
2022-08-15 22:12 ` John Hubbard
2022-08-21 11:28 ` Ingo Molnar
2022-08-09 18:40 ` [PATCH v1] mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW Linus Torvalds
2022-08-09 18:48 ` Jason Gunthorpe
2022-08-09 18:53 ` David Hildenbrand [this message]
2022-08-09 19:07 ` Linus Torvalds
2022-08-09 19:20 ` David Hildenbrand
2022-08-09 18:48 ` Linus Torvalds
2022-08-09 19:09 ` David Hildenbrand
2022-08-09 20:00 ` Linus Torvalds
2022-08-09 20:06 ` David Hildenbrand
2022-08-09 20:07 ` David Hildenbrand
2022-08-09 20:14 ` Linus Torvalds
2022-08-09 20:20 ` David Hildenbrand
2022-08-09 20:30 ` Linus Torvalds
2022-08-09 20:38 ` Linus Torvalds
2022-08-09 20:42 ` David Hildenbrand
2022-08-09 20:20 ` Linus Torvalds
2022-08-09 20:23 ` David Hildenbrand
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d8765f51-c6f6-1d21-82ba-877515acf17d@redhat.com \
--to=david@redhat.com \
--cc=aarcange@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=axelrasmussen@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=hughd@google.com \
--cc=jgg@nvidia.com \
--cc=jhubbard@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=peterx@redhat.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=vbabka@suse.cz \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).