| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <cd72e289-f671-4b8d-adb9-aebdf8a43afd@kernel.dk> Date: Wed, 27 Nov 2024 13:01:31 -0700 From: Jens Axboe <axboe@...nel.dk> To: Jann Horn <jannh@...gle.com> Cc: Kent Overstreet <kent.overstreet@...ux.dev>, linux-bcachefs@...r.kernel.org, kernel list <linux-kernel@...r.kernel.org>, Pavel Begunkov <asml.silence@...il.com>, io-uring <io-uring@...r.kernel.org> Subject: Re: bcachefs: suspicious mm pointer in struct dio_write On 11/27/24 12:43 PM, Jann Horn wrote: > On Wed, Nov 27, 2024 at 7:09?PM Jens Axboe <axboe@...nel.dk> wrote: >> On 11/27/24 9:57 AM, Jann Horn wrote: >>> Hi! >>> >>> In fs/bcachefs/fs-io-direct.c, "struct dio_write" contains a pointer >>> to an mm_struct. This pointer is grabbed in bch2_direct_write() >>> (without any kind of refcount increment), and used in >>> bch2_dio_write_continue() for kthread_use_mm()/kthread_unuse_mm() >>> which are used to enable userspace memory access from kthread context. >>> I believe kthread_use_mm()/kthread_unuse_mm() require that the caller >>> guarantees that the MM hasn't gone through exit_mmap() yet (normally >>> by holding an mmget() reference). >>> >>> If we reach this codepath via io_uring, do we have a guarantee that >>> the mm_struct that called bch2_direct_write() is still alive and >>> hasn't yet gone through exit_mmap() when it is accessed from >>> bch2_dio_write_continue()? >>> >>> I don't know the async direct I/O codepath particularly well, so I >>> cc'ed the uring maintainers, who probably know this better than me. >> >> I _think_ this is fine as-is, even if it does look dubious and bcachefs >> arguably should grab an mm ref for this just for safety to avoid future >> problems. The reason is that bcachefs doesn't set FMODE_NOWAIT, which >> means that on the io_uring side it cannot do non-blocking issue of >> requests. This is slower as it always punts to an io-wq thread, which >> shares the same mm. Hence if the request is alive, there's always a >> thread with the same mm alive as well. >> >> Now if FMODE_NOWAIT was set, then the original task could exit. I'd need >> to dig a bit deeper to verify that would always be safe and there's not >> a of time today with a few days off in the US looming, so I'll defer >> that to next week. It certainly would be fine with an mm ref grabbed. > > Ah, thanks for looking into it! I missed this implication of not > setting FMODE_NOWAIT. > > Anyway, what you said sounds like it would be cleaner for bcachefs to > grab its own extra reference, maybe by initially grabbing an mm > reference with mmgrab() in bch2_direct_write(), and then use > mmget_not_zero() in bch2_dio_write_continue() to ensure the MM is > stable. Yep I think that would definitely make it more sturdy, and also less headscratchy in terms of being able to verify it's actually safe. > What do other file systems do for this? I think they normally grab > page references so that they don't need the MM anymore when > asynchronously fulfilling the request, right? Like in > iomap_dio_bio_iter(), which uses bio_iov_iter_get_pages() to grab > references to the pages corresponding to the userspace regions in > dio->submit.iter? Not aware of anything else doing it like this, where it's punted to a kthread and then the mm used from there. The upfront page getting/mapping is the common approach, like you described. Which does seem like a much better choice, rather than needing to rely on the mm in a kworker. -- Jens Axboe
Powered by blists - more mailing lists