Re: [PATCH v5] mm/gup: disallow GUP writing to file-backed mappings by default

From: Jason Gunthorpe
Date: Fri Apr 28 2023 - 10:35:43 EST

Next message: Henrik Grimler: "Re: [PATCH v3 8/8] dt-bindings: Add rt5033 mfd, regulator and charger"
Previous message: Matthew Wilcox: "Re: [PATCH] mm: fix printk format within cma"
In reply to: David Hildenbrand: "Re: [PATCH v5] mm/gup: disallow GUP writing to file-backed mappings by default"
Next in thread: David Hildenbrand: "Re: [PATCH v5] mm/gup: disallow GUP writing to file-backed mappings by default"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Apr 28, 2023 at 04:20:46PM +0200, David Hildenbrand wrote:
> Sorry for jumping in late, I'm on vacation :)
>
> On 28.04.23 01:42, Lorenzo Stoakes wrote:
> > Writing to file-backed mappings which require folio dirty tracking using
> > GUP is a fundamentally broken operation, as kernel write access to GUP
> > mappings do not adhere to the semantics expected by a file system.
> >
> > A GUP caller uses the direct mapping to access the folio, which does not
> > cause write notify to trigger, nor does it enforce that the caller marks
> > the folio dirty.
>
> How should we enforce it? It would be a BUG in the GUP user.

I hope we don't have these kinds of mistakes.. hard to enforce by
code.

> This change has the potential to break existing setups. Simple example:
> libvirt domains configured for file-backed VM memory that also has a vfio
> device configured. It can easily be configured by users (evolving VM
> configuration, copy-paste etc.). And it works from a VM perspective, because
> the guest memory is essentially stale once the VM is shutdown and the pages
> were unpinned. At least we're not concerned about stale data on
> disk.

I think this is broken today and we should block it. We know from
experiments with RDMA that doing exactly this triggers kernel oop's.

Run your qemu config once, all the pages in the file become dirty.

Run your qmeu config again and now all the dirty pages are longterm
pinned.

Something eventually does writeback and FS cleans the page.

Now close your VM and the page is dirtied without make write. FS is
inconsistent with the MM, kernel will eventually oops.

I'm skeptical that anyone can actually do this combination of things
successfully without getting kernel crashes or file data corruption -
ie there is no real user to break.

> With your changes, such VMs would no longer start, breaking existing user
> setups with a kernel update.

Yes, as a matter of security we should break it.

Earlier I suggested making this contingent on kernel lockdown >=
integrity, if actual users come and complain we should go to that
option.

> Sure, we could warn, or convert individual users using a flag (io_uring).
> But maybe we should invest more energy on a fix?

It has been years now, I think we need to admit a fix is still years
away. Blocking the security problem may even motivate more people to
work on a fix.

Security is the primary case where we have historically closed uAPI
items.

Jason

Next message: Henrik Grimler: "Re: [PATCH v3 8/8] dt-bindings: Add rt5033 mfd, regulator and charger"
Previous message: Matthew Wilcox: "Re: [PATCH] mm: fix printk format within cma"
In reply to: David Hildenbrand: "Re: [PATCH v5] mm/gup: disallow GUP writing to file-backed mappings by default"
Next in thread: David Hildenbrand: "Re: [PATCH v5] mm/gup: disallow GUP writing to file-backed mappings by default"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]