[PATCH v2 1/1] fs/splice: add missing callback for inaccessible pages

From: Claudio Imbrenda
Date: Thu Apr 30 2020 - 10:38:49 EST


Inaccessible pages are pages that should not be accessed by any device,
and belong to a protected VM. If any such pages are passed to a
device, there will be I/O errors, which will not always be recoverable,
depending on the architecture and on the specific device.

CPU accesses to inaccessible pages are less problematic, since they are
always recoverable.

Page cache and direct I/O were fixed in a previous patch, in which a
architecture hook is provided to make the page accessible by I/O
devices.

One possible remaining path to sneak a protected page directly to a
device is sendfile and similar syscalls. Those syscalls take a page
directly from the page cache and give them directly to the device with
zero-copy. This bypasses both existing hooks in gup and in writeback.

This patch fixes the issue by adding a call to arch_make_page_accessible
in page_cache_pipe_buf_confirm, thus fixing the issue.

Notice that we only need to make sure the source is accessible, since
zero-copy only works in one direction, and CPU accesses to inaccessible
pages are not a problem. Pagecache-to-pagecache is also not a problem
since that is done by the CPU.

The hook has no overhead for architectures that do not need to deal
with inaccessible pages.

Fixes: f28d43636d6f ("mm/gup/writeback: add callbacks for inaccessible pages")
Signed-off-by: Claudio Imbrenda <imbrenda@xxxxxxxxxxxxx>
---
fs/splice.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/fs/splice.c b/fs/splice.c
index 4735defc46ee..f026e0ce9acd 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -106,6 +106,9 @@ static int page_cache_pipe_buf_confirm(struct pipe_inode_info *pipe,
struct page *page = buf->page;
int err;

+ if (arch_make_page_accessible(page))
+ return -EIO;
+
if (!PageUptodate(page)) {
lock_page(page);

--
2.25.4