Re: [PATCH 2/2] fsnotify: avoid pre-content events when faulting in user pages

Christian Brauner <brauner@xxxxxxxxxx> · Mon, 10 Mar 2025 09:09:01 +0100

On Sun, Mar 09, 2025 at 12:52:07PM +0100, Amir Goldstein wrote:
> In the use case of buffered write whose input buffer is mmapped file on a
> filesystem with a pre-content mark, the prefaulting of the buffer can
> happen under the filesystem freeze protection (obtained in vfs_write())
> which breaks assumptions of pre-content hook and introduces potential
> deadlock of HSM handler in userspace with filesystem freezing.
> 
> Disable pagefaults in the context of filesystem freeze protection
> if the filesystem has any pre-content marks to avert this potential
> deadlock.
> 
> Reported-by: syzbot+7229071b47908b19d5b7@xxxxxxxxxxxxxxxxxxxxxxxxx
> Tested-by: syzbot+7229071b47908b19d5b7@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://lore.kernel.org/linux-fsdevel/7ehxrhbvehlrjwvrduoxsao5k3x4aw275patsb3krkwuq573yv@o2hskrfawbnc/
> Signed-off-by: Amir Goldstein <amir73il@xxxxxxxxx>
> ---
>  include/linux/fs.h | 18 +++++++++++++++++-
>  1 file changed, 17 insertions(+), 1 deletion(-)
> 
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index 2788df98080f8..a8822b44d4967 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -3033,13 +3033,27 @@ static inline void file_start_write(struct file *file)
>  	if (!S_ISREG(file_inode(file)->i_mode))
>  		return;
>  	sb_start_write(file_inode(file)->i_sb);
> +	/*
> +	 * Prevent fault-in pages from user that may call HSM hooks with
> +	 * sb_writers held.
> +	 */
> +	if (unlikely(FMODE_FSNOTIFY_HSM(file->f_mode)))
> +		pagefault_disable();
>  }
>  
>  static inline bool file_start_write_trylock(struct file *file)
>  {
>  	if (!S_ISREG(file_inode(file)->i_mode))
>  		return true;
> -	return sb_start_write_trylock(file_inode(file)->i_sb);
> +	if (!sb_start_write_trylock(file_inode(file)->i_sb))
> +		return false;
> +	/*
> +	 * Prevent fault-in pages from user that may call HSM hooks with
> +	 * sb_writers held.
> +	 */
> +	if (unlikely(FMODE_FSNOTIFY_HSM(file->f_mode)))
> +		pagefault_disable();

That looks very iffy tbh.

> +	return true;
>  }
>  
>  /**
> @@ -3053,6 +3067,8 @@ static inline void file_end_write(struct file *file)
>  	if (!S_ISREG(file_inode(file)->i_mode))
>  		return;
>  	sb_end_write(file_inode(file)->i_sb);
> +	if (unlikely(FMODE_FSNOTIFY_HSM(file->f_mode)))
> +		pagefault_enable();
>  }
>  
>  /**
> -- 
> 2.34.1
> 