lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20220406180922.1522433-1-catalin.marinas@arm.com>
Date:   Wed,  6 Apr 2022 19:09:19 +0100
From:   Catalin Marinas <catalin.marinas@....com>
To:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Andreas Gruenbacher <agruenba@...hat.com>,
        Josef Bacik <josef@...icpanda.com>
Cc:     Al Viro <viro@...iv.linux.org.uk>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Chris Mason <clm@...com>, David Sterba <dsterba@...e.com>,
        Will Deacon <will@...nel.org>, linux-fsdevel@...r.kernel.org,
        linux-arm-kernel@...ts.infradead.org, linux-btrfs@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: [PATCH v3 0/3] Avoid live-lock in btrfs fault-in+uaccess loop

Hi,

I finally got around to reviving this series. However, I simplified it
from v2 and focussed on solving the btrfs search_ioctl() problem only:

https://lore.kernel.org/r/20211201193750.2097885-1-catalin.marinas@arm.com

The btrfs search_ioctl() function can potentially live-lock on arm64
with MTE enabled due to a fault_in_writeable() + copy_to_user_nofault()
unbounded loop. The uaccess can fault in the middle of a page (MTE tag
check fault) even if a prior fault_in_writeable() successfully wrote to
the beginning of that page. The btrfs loop always restarts the fault-in
loop from the beginning of the user buffer, hence the live-lock.

The series introduces fault_in_subpage_writeable() together with the
arm64 probing counterpart and the btrfs fix.

I don't think with the current kernel anything other than btrfs
search_ioctl() can live-lock. The buffered file I/O can already cope
with current fault_in_*() + copy_*_user() loops (the uaccess makes
progress). Direct I/O either goes via GUP + kernel mapping access (and
memcpy() can't fault) or, if the user buffer is not PAGE aligned, it may
fall back to buffered I/O. So we really only care about
fault_in_writeable(), hence this simplified series. If at some point
we'll need to address other places, we can expand the sub-page probing
to the other fault_in_*() functions.

Thanks.

Catalin Marinas (3):
  mm: Add fault_in_subpage_writeable() to probe at sub-page granularity
  arm64: Add support for user sub-page fault probing
  btrfs: Avoid live-lock in search_ioctl() on hardware with sub-page
    faults

 arch/Kconfig                     |  7 +++++++
 arch/arm64/Kconfig               |  1 +
 arch/arm64/include/asm/mte.h     |  1 +
 arch/arm64/include/asm/uaccess.h | 15 +++++++++++++++
 arch/arm64/kernel/mte.c          | 30 ++++++++++++++++++++++++++++++
 fs/btrfs/ioctl.c                 |  7 ++++++-
 include/linux/pagemap.h          |  1 +
 include/linux/uaccess.h          | 22 ++++++++++++++++++++++
 mm/gup.c                         | 29 +++++++++++++++++++++++++++++
 9 files changed, 112 insertions(+), 1 deletion(-)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ