On Sat, Apr 22, 2023 at 02:37:05PM +0100, Lorenzo Stoakes wrote:
> +/*
> + * Writing to file-backed mappings using GUP is a fundamentally broken operation
> + * as kernel write access to GUP mappings may not adhere to the semantics
> + * expected by a file system.
> + *
> + * In most instances we disallow this broken behaviour, however there are some
> + * exceptions to this enforced here.
> + */
> +static inline bool can_write_file_mapping(struct vm_area_struct *vma,
> + unsigned long gup_flags)
> +{
> + struct file *file = vma->vm_file;
> +
> + /* If we aren't pinning then no problematic write can occur. */
> + if (!(gup_flags & (FOLL_GET | FOLL_PIN)))
> + return true;
> +
> + /* Special mappings should pose no problem. */
> + if (!file)
> + return true;
Ok...
> +
> + /* Has the caller explicitly indicated this case is acceptable? */
> + if (gup_flags & FOLL_ALLOW_BROKEN_FILE_MAPPING)
> + return true;
> +
> + /* shmem and hugetlb mappings do not have problematic semantics. */
> + return vma_is_shmem(vma) || is_file_hugepages(file);
> +}
This looks backwards. We only want the override to occur when the
target won't otherwise allow it. i.e. This should be:
if (vma_is_shmem(vma))
return true;
if (is_file_hugepages(vma)
return true;
/*
* Issue a warning only if we are allowing a write to a mapping
* that does not support what we are attempting to do functionality.
*/
if (WARN_ON_ONCE(gup_flags & FOLL_ALLOW_BROKEN_FILE_MAPPING))
return true;
return false;
i.e. we only want the warning to fire when the override is
triggered - indicating that the caller is actually using a file
mapping in a broken way, not when it is being used on
file/filesystem that actually supports file mappings in this way.
> static int check_vma_flags(struct vm_area_struct *vma, unsigned long gup_flags)
> {
> vm_flags_t vm_flags = vma->vm_flags;
> int write = (gup_flags & FOLL_WRITE);
> int foreign = (gup_flags & FOLL_REMOTE);
> + bool vma_anon = vma_is_anonymous(vma);
>
> if (vm_flags & (VM_IO | VM_PFNMAP))
> return -EFAULT;
>
> - if (gup_flags & FOLL_ANON && !vma_is_anonymous(vma))
> + if ((gup_flags & FOLL_ANON) && !vma_anon)
> return -EFAULT;
>
> if ((gup_flags & FOLL_LONGTERM) && vma_is_fsdax(vma))
> @@ -978,6 +1008,10 @@ static int check_vma_flags(struct vm_area_struct *vma, unsigned long gup_flags)
> return -EFAULT;
>
> if (write) {
> + if (!vma_anon &&
> + WARN_ON_ONCE(!can_write_file_mapping(vma, gup_flags)))
> + return -EFAULT;
Yeah, the warning definitely belongs in the check function when the
override triggers allow broken behaviour to proceed, not when we
disallow a write fault because the underlying file/filesystem does
not support the operation being attempted.
-Dave.
--
Dave Chinner
david@xxxxxxxxxxxxx
