| Message ID | 20220406180922.1522433-4-catalin.marinas@arm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Avoid live-lock in btrfs fault-in+uaccess loop | expand |
On Wed, Apr 06, 2022 at 07:09:22PM +0100, Catalin Marinas wrote: > diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c > index 238cee5b5254..d49e8254f823 100644 > --- a/fs/btrfs/ioctl.c > +++ b/fs/btrfs/ioctl.c > @@ -2556,8 +2556,13 @@ static noinline int search_ioctl(struct inode *inode, > key.offset = sk->min_offset; > > while (1) { > + size_t len = *buf_size - sk_offset; > ret = -EFAULT; > - if (fault_in_writeable(ubuf + sk_offset, *buf_size - sk_offset)) > + /* > + * Ensure that the whole user buffer is faulted in at sub-page > + * granularity, otherwise the loop may live-lock. > + */ > + if (fault_in_subpage_writeable(ubuf + sk_offset, len)) > break; This doesn't need a new 'len' variable. It's a left-over from the v2 where fault_in_writeable() took the size and a min_size argument, both being 'len'.
On Wed, Apr 06, 2022 at 07:09:22PM +0100, Catalin Marinas wrote: > Commit a48b73eca4ce ("btrfs: fix potential deadlock in the search > ioctl") addressed a lockdep warning by pre-faulting the user pages and > attempting the copy_to_user_nofault() in an infinite loop. On > architectures like arm64 with MTE, an access may fault within a page at > a location different from what fault_in_writeable() probed. Since the > sk_offset is rewound to the previous struct btrfs_ioctl_search_header > boundary, there is no guaranteed forward progress and search_ioctl() may > live-lock. > > Use fault_in_subpage_writeable() instead of fault_in_writeable() to > ensure the permission is checked at the right granularity (smaller than > PAGE_SIZE). > > Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> > Fixes: a48b73eca4ce ("btrfs: fix potential deadlock in the search ioctl") > Reported-by: Al Viro <viro@zeniv.linux.org.uk> Acked-by: David Sterba <dsterba@suse.com>
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index 238cee5b5254..d49e8254f823 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -2556,8 +2556,13 @@ static noinline int search_ioctl(struct inode *inode, key.offset = sk->min_offset; while (1) { + size_t len = *buf_size - sk_offset; ret = -EFAULT; - if (fault_in_writeable(ubuf + sk_offset, *buf_size - sk_offset)) + /* + * Ensure that the whole user buffer is faulted in at sub-page + * granularity, otherwise the loop may live-lock. + */ + if (fault_in_subpage_writeable(ubuf + sk_offset, len)) break; ret = btrfs_search_forward(root, &key, path, sk->min_transid);
Commit a48b73eca4ce ("btrfs: fix potential deadlock in the search ioctl") addressed a lockdep warning by pre-faulting the user pages and attempting the copy_to_user_nofault() in an infinite loop. On architectures like arm64 with MTE, an access may fault within a page at a location different from what fault_in_writeable() probed. Since the sk_offset is rewound to the previous struct btrfs_ioctl_search_header boundary, there is no guaranteed forward progress and search_ioctl() may live-lock. Use fault_in_subpage_writeable() instead of fault_in_writeable() to ensure the permission is checked at the right granularity (smaller than PAGE_SIZE). Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> Fixes: a48b73eca4ce ("btrfs: fix potential deadlock in the search ioctl") Reported-by: Al Viro <viro@zeniv.linux.org.uk> Cc: Chris Mason <clm@fb.com> Cc: Josef Bacik <josef@toxicpanda.com> Cc: David Sterba <dsterba@suse.com> --- fs/btrfs/ioctl.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)