Re: [RFC][arm64] possible infinite loop in btrfs search_ioctl()

From: Linus Torvalds
Date: Tue Oct 12 2021 - 13:59:09 EST

Next message: Andy Shevchenko: "Re: [PATCH] iio: buffer: Fix double-free in iio_buffers_alloc_sysfs_and_mask()"
Previous message: kernel test robot: "[dhowells-fs:fscache-rewrite-indexing 78/80] fs/cachefiles/namei.c:403:6: error: variable 'ret' is used uninitialized whenever 'if' condition is true"
In reply to: Catalin Marinas: "Re: [RFC][arm64] possible infinite loop in btrfs search_ioctl()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Oct 12, 2021 at 10:27 AM Catalin Marinas
<catalin.marinas@xxxxxxx> wrote:
>
> Apart from fault_in_pages_*(), there's also fault_in_user_writeable()
> called from the futex code which uses the GUP mechanism as the write
> would be destructive. It looks like it could potentially trigger the
> same infinite loop on -EFAULT.

Hmm.

I think the reason we do fault_in_user_writeable() using GUP is that

(a) we can avoid the page fault overhead

(b) we don't have any good "atomic_inc_user()" interface or similar
that could do a write with a zero increment or something like that.

We do have that "arch_futex_atomic_op_inuser()" thing, of course. It's
all kinds of crazy, but we *could* do

arch_futex_atomic_op_inuser(FUTEX_OP_ADD, 0, &dummy, uaddr);

instead of doing the fault_in_user_writeable().

That might be a good idea anyway. I dunno.

But I agree other options exist:

> I wonder whether we should actually just disable tag checking around the
> problematic accesses. What these callers seem to have in common is using
> pagefault_disable/enable(). We could abuse this to disable tag checking
> or maybe in_atomic() when handling the exception to lazily disable such
> faults temporarily.

Hmm. That would work for MTE, but possibly be very inconvenient for
other situations.

> A more invasive change would be to return a different error for such
> faults like -EACCESS and treat them differently in the caller.

That's _really_ hard for things like "copy_to_user()", that isn't a
single operation, and is supposed to return the bytes left.

Adding another error return would be nasty.

We've had hacks like "squirrel away the actual error code in the task
structure", but that tends to be unmaintainable because we have
interrupts (and NMI's) doing their own possibly nested atomics, so
even disabling preemption won't actually fix some of the nesting
issues.

All of these things make me think that the proper fix ends up being to
make sure that our "fault_in_xyz()" functions simply should always
handle all faults.

Another option may be to teach the GUP code to actually check
architecture-specific sub-page ranges.

Linus

Next message: Andy Shevchenko: "Re: [PATCH] iio: buffer: Fix double-free in iio_buffers_alloc_sysfs_and_mask()"
Previous message: kernel test robot: "[dhowells-fs:fscache-rewrite-indexing 78/80] fs/cachefiles/namei.c:403:6: error: variable 'ret' is used uninitialized whenever 'if' condition is true"
In reply to: Catalin Marinas: "Re: [RFC][arm64] possible infinite loop in btrfs search_ioctl()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]