On Mon, Apr 24, 2023 at 08:29:41AM +1000, Dave Chinner wrote:
> On Sat, Apr 22, 2023 at 02:37:05PM +0100, Lorenzo Stoakes wrote:
> > +/*
> > + * Writing to file-backed mappings using GUP is a fundamentally broken operation
> > + * as kernel write access to GUP mappings may not adhere to the semantics
> > + * expected by a file system.
> > + *
> > + * In most instances we disallow this broken behaviour, however there are some
> > + * exceptions to this enforced here.
> > + */
> > +static inline bool can_write_file_mapping(struct vm_area_struct *vma,
> > + unsigned long gup_flags)
> > +{
> > + struct file *file = vma->vm_file;
> > +
> > + /* If we aren't pinning then no problematic write can occur. */
> > + if (!(gup_flags & (FOLL_GET | FOLL_PIN)))
> > + return true;
> > +
> > + /* Special mappings should pose no problem. */
> > + if (!file)
> > + return true;
>
> Ok...
>
> > +
> > + /* Has the caller explicitly indicated this case is acceptable? */
> > + if (gup_flags & FOLL_ALLOW_BROKEN_FILE_MAPPING)
> > + return true;
> > +
> > + /* shmem and hugetlb mappings do not have problematic semantics. */
> > + return vma_is_shmem(vma) || is_file_hugepages(file);
> > +}
>
> This looks backwards. We only want the override to occur when the
> target won't otherwise allow it. i.e. This should be:
>
> if (vma_is_shmem(vma))
> return true;
> if (is_file_hugepages(vma)
> return true;
>
> /*
> * Issue a warning only if we are allowing a write to a mapping
> * that does not support what we are attempting to do functionality.
> */
> if (WARN_ON_ONCE(gup_flags & FOLL_ALLOW_BROKEN_FILE_MAPPING))
> return true;
> return false;
>
> i.e. we only want the warning to fire when the override is
> triggered - indicating that the caller is actually using a file
> mapping in a broken way, not when it is being used on
> file/filesystem that actually supports file mappings in this way.
>
> > static int check_vma_flags(struct vm_area_struct *vma, unsigned long gup_flags)
> > {
> > vm_flags_t vm_flags = vma->vm_flags;
> > int write = (gup_flags & FOLL_WRITE);
> > int foreign = (gup_flags & FOLL_REMOTE);
> > + bool vma_anon = vma_is_anonymous(vma);
> >
> > if (vm_flags & (VM_IO | VM_PFNMAP))
> > return -EFAULT;
> >
> > - if (gup_flags & FOLL_ANON && !vma_is_anonymous(vma))
> > + if ((gup_flags & FOLL_ANON) && !vma_anon)
> > return -EFAULT;
> >
> > if ((gup_flags & FOLL_LONGTERM) && vma_is_fsdax(vma))
> > @@ -978,6 +1008,10 @@ static int check_vma_flags(struct vm_area_struct *vma, unsigned long gup_flags)
> > return -EFAULT;
> >
> > if (write) {
> > + if (!vma_anon &&
> > + WARN_ON_ONCE(!can_write_file_mapping(vma, gup_flags)))
> > + return -EFAULT;
>
> Yeah, the warning definitely belongs in the check function when the
> override triggers allow broken behaviour to proceed, not when we
> disallow a write fault because the underlying file/filesystem does
> not support the operation being attempted.
I disagree for two reasons:-
1. There are places in the kernel that rely on this broken behaviour, most
notably ptrace (and /proc/$pid/mem), but also the other places where you
can see I've added this flag. I'm not sure spamming warnings for
ordinary cases would be useful.
2. The purpose of putting a warning here is to catch any case I might have
missed where broken behaviour is required, but now disallowed, because it
might actually be hard for a GUP user to track down that this is why the
GUP is no longer functioning (since all they'll see is an -EFAULT).
This warned upon check should in reality not occur, because it implies the
GUP user is trying to do something broken and is _not_ explicitly telling
GUP that it knows it's doing it and can live with the consequences. And on
that basis, is worthy of a warning so we know we have to go put this flag
in that place (and know it is a source of problematic GUP usage), or fix
the caller.
An example case is placing breakpoints in gdb, without the flag being set
for /proc/$pid/mem this will just fail. Raising a kernel warning when a
user places a breakpoint seems... unhelpful :)
>
> -Dave.
> --
> Dave Chinner
> david@xxxxxxxxxxxxx
