mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-13 03:56:25 +00:00
17839856fd
Doing a "get_user_pages()" on a copy-on-write page for reading can be ambiguous: the page can be COW'ed at any time afterwards, and the direction of a COW event isn't defined. Yes, whoever writes to it will generally do the COW, but if the thread that did the get_user_pages() unmapped the page before the write (and that could happen due to memory pressure in addition to any outright action), the writer could also just take over the old page instead. End result: the get_user_pages() call might result in a page pointer that is no longer associated with the original VM, and is associated with - and controlled by - another VM having taken it over instead. So when doing a get_user_pages() on a COW mapping, the only really safe thing to do would be to break the COW when getting the page, even when only getting it for reading. At the same time, some users simply don't even care. For example, the perf code wants to look up the page not because it cares about the page, but because the code simply wants to look up the physical address of the access for informational purposes, and doesn't really care about races when a page might be unmapped and remapped elsewhere. This adds logic to force a COW event by setting FOLL_WRITE on any copy-on-write mapping when FOLL_GET (or FOLL_PIN) is used to get a page pointer as a result. The current semantics end up being: - __get_user_pages_fast(): no change. If you don't ask for a write, you won't break COW. You'd better know what you're doing. - get_user_pages_fast(): the fast-case "look it up in the page tables without anything getting mmap_sem" now refuses to follow a read-only page, since it might need COW breaking. Which happens in the slow path - the fast path doesn't know if the memory might be COW or not. - get_user_pages() (including the slow-path fallback for gup_fast()): for a COW mapping, turn on FOLL_WRITE for FOLL_GET/FOLL_PIN, with very similar semantics to FOLL_FORCE. If it turns out that we want finer granularity (ie "only break COW when it might actually matter" - things like the zero page are special and don't need to be broken) we might need to push these semantics deeper into the lookup fault path. So if people care enough, it's possible that we might end up adding a new internal FOLL_BREAK_COW flag to go with the internal FOLL_COW flag we already have for tracking "I had a COW". Alternatively, if it turns out that different callers might want to explicitly control the forced COW break behavior, we might even want to make such a flag visible to the users of get_user_pages() instead of using the above default semantics. But for now, this is mostly commentary on the issue (this commit message being a lot bigger than the patch, and that patch in turn is almost all comments), with that minimal "enable COW breaking early" logic using the existing FOLL_WRITE behavior. [ It might be worth noting that we've always had this ambiguity, and it could arguably be seen as a user-space issue. You only get private COW mappings that could break either way in situations where user space is doing cooperative things (ie fork() before an execve() etc), but it _is_ surprising and very subtle, and fork() is supposed to give you independent address spaces. So let's treat this as a kernel issue and make the semantics of get_user_pages() easier to understand. Note that obviously a true shared mapping will still get a page that can change under us, so this does _not_ mean that get_user_pages() somehow returns any "stable" page ] Reported-by: Jann Horn <jannh@google.com> Tested-by: Christoph Hellwig <hch@lst.de> Acked-by: Oleg Nesterov <oleg@redhat.com> Acked-by: Kirill Shutemov <kirill@shutemov.name> Acked-by: Jan Kara <jack@suse.cz> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: Matthew Wilcox <willy@infradead.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
|---|---|---|
| .. | ||
| amd | ||
| arc | ||
| arm | ||
| armada | ||
| aspeed | ||
| ast | ||
| atmel-hlcdc | ||
| bochs | ||
| bridge | ||
| cirrus | ||
| etnaviv | ||
| exynos | ||
| fsl-dcu | ||
| gma500 | ||
| hisilicon | ||
| i2c | ||
| i810 | ||
| i915 | ||
| imx | ||
| ingenic | ||
| lib | ||
| lima | ||
| mcde | ||
| mediatek | ||
| meson | ||
| mga | ||
| mgag200 | ||
| msm | ||
| mxsfb | ||
| nouveau | ||
| omapdrm | ||
| panel | ||
| panfrost | ||
| pl111 | ||
| qxl | ||
| r128 | ||
| radeon | ||
| rcar-du | ||
| rockchip | ||
| savage | ||
| scheduler | ||
| selftests | ||
| shmobile | ||
| sis | ||
| sti | ||
| stm | ||
| sun4i | ||
| tdfx | ||
| tegra | ||
| tidss | ||
| tilcdc | ||
| tiny | ||
| ttm | ||
| tve200 | ||
| udl | ||
| v3d | ||
| vboxvideo | ||
| vc4 | ||
| vgem | ||
| via | ||
| virtio | ||
| vkms | ||
| vmwgfx | ||
| xen | ||
| zte | ||
| drm_agpsupport.c | ||
| drm_atomic.c | ||
| drm_atomic_helper.c | ||
| drm_atomic_state_helper.c | ||
| drm_atomic_uapi.c | ||
| drm_auth.c | ||
| drm_blend.c | ||
| drm_bridge.c | ||
| drm_bridge_connector.c | ||
| drm_bufs.c | ||
| drm_cache.c | ||
| drm_client.c | ||
| drm_client_modeset.c | ||
| drm_color_mgmt.c | ||
| drm_connector.c | ||
| drm_context.c | ||
| drm_crtc.c | ||
| drm_crtc_helper.c | ||
| drm_crtc_helper_internal.h | ||
| drm_crtc_internal.h | ||
| drm_damage_helper.c | ||
| drm_debugfs.c | ||
| drm_debugfs_crc.c | ||
| drm_dma.c | ||
| drm_dp_aux_dev.c | ||
| drm_dp_cec.c | ||
| drm_dp_dual_mode_helper.c | ||
| drm_dp_helper.c | ||
| drm_dp_mst_topology.c | ||
| drm_dp_mst_topology_internal.h | ||
| drm_drv.c | ||
| drm_dsc.c | ||
| drm_dumb_buffers.c | ||
| drm_edid.c | ||
| drm_edid_load.c | ||
| drm_encoder.c | ||
| drm_encoder_slave.c | ||
| drm_fb_cma_helper.c | ||
| drm_fb_helper.c | ||
| drm_file.c | ||
| drm_flip_work.c | ||
| drm_format_helper.c | ||
| drm_fourcc.c | ||
| drm_framebuffer.c | ||
| drm_gem.c | ||
| drm_gem_cma_helper.c | ||
| drm_gem_framebuffer_helper.c | ||
| drm_gem_shmem_helper.c | ||
| drm_gem_ttm_helper.c | ||
| drm_gem_vram_helper.c | ||
| drm_hashtab.c | ||
| drm_hdcp.c | ||
| drm_internal.h | ||
| drm_ioc32.c | ||
| drm_ioctl.c | ||
| drm_irq.c | ||
| drm_kms_helper_common.c | ||
| drm_lease.c | ||
| drm_legacy.h | ||
| drm_legacy_misc.c | ||
| drm_lock.c | ||
| drm_memory.c | ||
| drm_mipi_dbi.c | ||
| drm_mipi_dsi.c | ||
| drm_mm.c | ||
| drm_mode_config.c | ||
| drm_mode_object.c | ||
| drm_modes.c | ||
| drm_modeset_helper.c | ||
| drm_modeset_lock.c | ||
| drm_of.c | ||
| drm_panel.c | ||
| drm_panel_orientation_quirks.c | ||
| drm_pci.c | ||
| drm_plane.c | ||
| drm_plane_helper.c | ||
| drm_prime.c | ||
| drm_print.c | ||
| drm_probe_helper.c | ||
| drm_property.c | ||
| drm_rect.c | ||
| drm_scatter.c | ||
| drm_scdc_helper.c | ||
| drm_self_refresh_helper.c | ||
| drm_simple_kms_helper.c | ||
| drm_syncobj.c | ||
| drm_sysfs.c | ||
| drm_trace.h | ||
| drm_trace_points.c | ||
| drm_vblank.c | ||
| drm_vm.c | ||
| drm_vma_manager.c | ||
| drm_vram_helper_common.c | ||
| drm_writeback.c | ||
| Kconfig | ||
| Makefile | ||