lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200414141859.GM4629@dhcp22.suse.cz>
Date:   Tue, 14 Apr 2020 16:18:59 +0200
From:   Michal Hocko <mhocko@...nel.org>
To:     Peter Xu <peterx@...hat.com>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Linux-MM <linux-mm@...ck.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        syzbot+693dc11fcb53120b5559@...kaller.appspotmail.com
Subject: Re: [PATCH 1/2] mm/mempolicy: Allow lookup_node() to handle fatal
 signal

On Tue 14-04-20 09:49:06, Peter Xu wrote:
> On Tue, Apr 14, 2020 at 01:04:29PM +0200, Michal Hocko wrote:
> 
> [...]
> 
> > @@ -1247,6 +1248,10 @@ int fixup_user_fault(struct task_struct *tsk, struct mm_struct *mm,
> >  }
> >  EXPORT_SYMBOL_GPL(fixup_user_fault);
> >  
> > +/*
> > + * Please note that this function, unlike __get_user_pages will not
> > + * return 0 for nr_pages > 0 without FOLL_NOWAIT
> > + */
> >  static __always_inline long __get_user_pages_locked(struct task_struct *tsk,
> >  						struct mm_struct *mm,
> >  						unsigned long start,
> > diff --git a/mm/mempolicy.c b/mm/mempolicy.c
> > index 48ba9729062e..1965e2681877 100644
> > --- a/mm/mempolicy.c
> > +++ b/mm/mempolicy.c
> > @@ -927,10 +927,7 @@ static int lookup_node(struct mm_struct *mm, unsigned long addr)
> >  
> >  	int locked = 1;
> >  	err = get_user_pages_locked(addr & PAGE_MASK, 1, 0, &p, &locked);
> > -	if (err == 0) {
> > -		/* E.g. GUP interrupted by fatal signal */
> > -		err = -EFAULT;
> > -	} else if (err > 0) {
> > +	if (err > 0) {
> >  		err = page_to_nid(p);
> >  		put_page(p);
> >  	}
> 
> Hi, Michal,
> 
> IIUC this is not the only place that we check against ret==0 for gup.
> For example, the other direct caller of the same function,
> get_vaddr_frames(), which will set -EFAULT too if ret==0.  So do we
> want to change all the places and don't check against zero explicitly?

This would require to analyze each such a call. For example
get_vaddr_frames has to handle get_user_pages_locked returning 0 because
it allows callers to specify FOLL_NOWAIT. Whether EFAULT is a proper
return value for that case is a question I didn't really get to analyze.

> I'm now thinking whether this would be good even if we refactored gup
> and only allow it to return either >0 as number of page pinned, or <0
> for all the rest.  I'm not sure how others will see this, but the
> answer is probably the same at least to me as before for this issue.

I would consider a semantic without that special case for FOLL_NOWAIT
much more clear but I do not really understand the historical background
for it TBH so I do not dare to touch that.

> As a caller, I'll see gup as a black box.  Even if the gup function
> guarantees that the retcode won't be zero and documented it, I (as a
> caller) will be using that to index page array so I'd still better to
> check that value before I do anything (because it's meaningless to
> index an array with zero size), and a convertion of "ret==0" -->
> "-EFAULT" (or some other failures) in this case still makes sense.
> While removing that doesn't help a lot, imho, but instead make it
> slightly unsafer.

Well, my experience tells me that people really love to copy&paste code
and error handling and if the error handling is bogus it just spreads
all over the place until it really defines a new standard which is close
to impossible to get rid of. So if the error handling can be done
properly then I would really prefer it. In the above case it is clearly
misleading, because fatal signal should be never reflected by err==0.
-- 
Michal Hocko
SUSE Labs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ