linux

iv/linux

History

David Hildenbrand b2747b690c mm/userfaultfd: propagate uffd-wp bit when PTE-mapping the huge zeropage

commit 42b2af2c9b7eede8ef21d0943f84d135e21a32a3 upstream.

Currently, we'd lose the userfaultfd-wp marker when PTE-mapping a huge
zeropage, resulting in the next write faults in the PMD range not
triggering uffd-wp events.

Various actions (partial MADV_DONTNEED, partial mremap, partial munmap,
partial mprotect) could trigger this.  However, most importantly,
un-protecting a single sub-page from the userfaultfd-wp handler when
processing a uffd-wp event will PTE-map the shared huge zeropage and lose
the uffd-wp bit for the remainder of the PMD.

Let's properly propagate the uffd-wp bit to the PMDs.

 #define _GNU_SOURCE
 #include <stdio.h>
 #include <stdlib.h>
 #include <stdint.h>
 #include <stdbool.h>
 #include <inttypes.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>
 #include <poll.h>
 #include <pthread.h>
 #include <sys/mman.h>
 #include <sys/syscall.h>
 #include <sys/ioctl.h>
 #include <linux/userfaultfd.h>

 static size_t pagesize;
 static int uffd;
 static volatile bool uffd_triggered;

 #define barrier() __asm__ __volatile__("": : :"memory")

 static void uffd_wp_range(char *start, size_t size, bool wp)
 {
 	struct uffdio_writeprotect uffd_writeprotect;

 	uffd_writeprotect.range.start = (unsigned long) start;
 	uffd_writeprotect.range.len = size;
 	if (wp) {
 		uffd_writeprotect.mode = UFFDIO_WRITEPROTECT_MODE_WP;
 	} else {
 		uffd_writeprotect.mode = 0;
 	}
 	if (ioctl(uffd, UFFDIO_WRITEPROTECT, &uffd_writeprotect)) {
 		fprintf(stderr, "UFFDIO_WRITEPROTECT failed: %d\n", errno);
 		exit(1);
 	}
 }

 static void *uffd_thread_fn(void *arg)
 {
 	static struct uffd_msg msg;
 	ssize_t nread;

 	while (1) {
 		struct pollfd pollfd;
 		int nready;

 		pollfd.fd = uffd;
 		pollfd.events = POLLIN;
 		nready = poll(&pollfd, 1, -1);
 		if (nready == -1) {
 			fprintf(stderr, "poll() failed: %d\n", errno);
 			exit(1);
 		}

 		nread = read(uffd, &msg, sizeof(msg));
 		if (nread <= 0)
 			continue;

 		if (msg.event != UFFD_EVENT_PAGEFAULT ||
 		    !(msg.arg.pagefault.flags & UFFD_PAGEFAULT_FLAG_WP)) {
 			printf("FAIL: wrong uffd-wp event fired\n");
 			exit(1);
 		}

 		/* un-protect the single page. */
 		uffd_triggered = true;
 		uffd_wp_range((char *)(uintptr_t)msg.arg.pagefault.address,
 			      pagesize, false);
 	}
 	return arg;
 }

 static int setup_uffd(char *map, size_t size)
 {
 	struct uffdio_api uffdio_api;
 	struct uffdio_register uffdio_register;
 	pthread_t thread;

 	uffd = syscall(__NR_userfaultfd,
 		       O_CLOEXEC | O_NONBLOCK | UFFD_USER_MODE_ONLY);
 	if (uffd < 0) {
 		fprintf(stderr, "syscall() failed: %d\n", errno);
 		return -errno;
 	}

 	uffdio_api.api = UFFD_API;
 	uffdio_api.features = UFFD_FEATURE_PAGEFAULT_FLAG_WP;
 	if (ioctl(uffd, UFFDIO_API, &uffdio_api) < 0) {
 		fprintf(stderr, "UFFDIO_API failed: %d\n", errno);
 		return -errno;
 	}

 	if (!(uffdio_api.features & UFFD_FEATURE_PAGEFAULT_FLAG_WP)) {
 		fprintf(stderr, "UFFD_FEATURE_WRITEPROTECT missing\n");
 		return -ENOSYS;
 	}

 	uffdio_register.range.start = (unsigned long) map;
 	uffdio_register.range.len = size;
 	uffdio_register.mode = UFFDIO_REGISTER_MODE_WP;
 	if (ioctl(uffd, UFFDIO_REGISTER, &uffdio_register) < 0) {
 		fprintf(stderr, "UFFDIO_REGISTER failed: %d\n", errno);
 		return -errno;
 	}

 	pthread_create(&thread, NULL, uffd_thread_fn, NULL);

 	return 0;
 }

 int main(void)
 {
 	const size_t size = 4 * 1024 * 1024ull;
 	char *map, *cur;

 	pagesize = getpagesize();

 	map = mmap(NULL, size, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0);
 	if (map == MAP_FAILED) {
 		fprintf(stderr, "mmap() failed\n");
 		return -errno;
 	}

 	if (madvise(map, size, MADV_HUGEPAGE)) {
 		fprintf(stderr, "MADV_HUGEPAGE failed\n");
 		return -errno;
 	}

 	if (setup_uffd(map, size))
 		return 1;

 	/* Read the whole range, populating zeropages. */
 	madvise(map, size, MADV_POPULATE_READ);

 	/* Write-protect the whole range. */
 	uffd_wp_range(map, size, true);

 	/* Make sure uffd-wp triggers on each page. */
 	for (cur = map; cur < map + size; cur += pagesize) {
 		uffd_triggered = false;

 		barrier();
 		/* Trigger a write fault. */
 		*cur = 1;
 		barrier();

 		if (!uffd_triggered) {
 			printf("FAIL: uffd-wp did not trigger\n");
 			return 1;
 		}
 	}

 	printf("PASS: uffd-wp triggered\n");
 	return 0;
 }

Link: https://lkml.kernel.org/r/20230302175423.589164-1-david@redhat.com
Fixes: e06f1e1dd499 ("userfaultfd: wp: enabled write protection in userfaultfd API")
Signed-off-by: David Hildenbrand <david@redhat.com>
Acked-by: Peter Xu <peterx@redhat.com>
Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Jerome Glisse <jglisse@redhat.com>
Cc: Shaohua Li <shli@fb.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

2023-03-22 13:30:04 +01:00

kasan

panic: Consolidate open-coded panic_on_warn checks

2023-02-01 08:23:20 +01:00

backing-dev.c

mm: bdi: initialize bdi_min_ratio when bdi is unregistered

2021-12-14 11:32:37 +01:00

balloon_compaction.c

…

cleancache.c

…

cma_debug.c

debugfs: make sure we can remove u32_array files cleanly

2020-07-10 13:54:00 -07:00

cma.c

cma: don't quit at first error when activating reserved areas

2020-08-12 10:57:57 -07:00

cma.h

mm: cma: use CMA_MAX_NAME to define the length of cma name array

2020-09-01 09:19:43 +02:00

compaction.c

mm, compaction: fix fast_isolate_around() to stay within boundaries

2023-01-14 10:16:27 +01:00

debug_page_ref.c

…

debug_vm_pgtable.c

mm/debug_vm_pgtable: remove pte entry from the page table

2022-02-08 18:30:35 +01:00

debug.c

mm, dump_page: rename head_mapcount() --> head_compound_mapcount()

2020-10-13 18:38:29 -07:00

dmapool.c

mm/dmapool.c: replace hard coded function name with __func__

2020-10-13 18:38:32 -07:00

early_ioremap.c

…

fadvise.c

mm, fadvise: improve the expensive remote LRU cache draining after FADV_DONTNEED

2020-10-13 18:38:29 -07:00

failslab.c

…

filemap.c

mm: fs: initialize fsdata passed to write_begin/write_end interface

2022-11-25 17:45:56 +01:00

frame_vector.c

v4l2: don't fall back to follow_pfn() if pin_user_pages_fast() fails

2022-12-08 11:24:00 +01:00

frontswap.c

mm/frontswap: mark various intentional data races

2020-08-14 19:56:56 -07:00

gup_benchmark.c

mm/gup_benchmark: take the mmap lock around GUP

2020-10-18 09:27:09 -07:00

gup.c

mm/migration: return errno when isolate_huge_page failed

2023-02-15 17:22:21 +01:00

highmem.c

mm/highmem.c: clean up endif comments

2020-10-16 11:11:18 -07:00

hmm.c

mm/hmm.c: allow VM_MIXEDMAP to work with hmm_range_fault

2022-01-27 10:54:36 +01:00

huge_memory.c

mm/userfaultfd: propagate uffd-wp bit when PTE-mapping the huge zeropage

2023-03-22 13:30:04 +01:00

hugetlb_cgroup.c

hugetlb_cgroup: fix imbalanced css_get and css_put pair for shared mappings

2021-03-30 14:31:54 +02:00

hugetlb.c

mm/migration: return errno when isolate_huge_page failed

2023-02-15 17:22:21 +01:00

hwpoison-inject.c

mm,hwpoison-inject: don't pin for hwpoison_filter

2020-10-16 11:11:16 -07:00

init-mm.c

mm/gup: prevent gup_fast from racing with COW during fork

2020-12-30 11:53:54 +01:00

internal.h

mm/thp: fix vma_address() if virtual address below file offset

2021-06-30 08:47:27 -04:00

interval_tree.c

…

ioremap.c

mm: move p?d_alloc_track to separate header file

2020-08-07 11:33:26 -07:00

Kconfig

mm/zsmalloc.c: drop ZSMALLOC_PGTABLE_MAPPING

2020-12-06 10:19:07 -08:00

Kconfig.debug

treewide: replace '---help---' in Kconfig files with 'help'

2020-06-14 01:57:21 +09:00

khugepaged.c

mm/khugepaged: fix collapse_pte_mapped_thp() to allow anon_vma

2023-01-24 07:20:01 +01:00

kmemleak.c

Revert "mm: kmemleak: take a full lowmem check in kmemleak_*_phys()"

2022-09-15 11:32:02 +02:00

ksm.c

ksm: fix potential missing rmap_item for stable_node

2021-05-19 10:13:07 +02:00

list_lru.c

mm: list_lru: set shrinker map bit when child nr_items is not zero

2020-12-06 10:19:07 -08:00

maccess.c

maccess: Fix writing offset in case of fault in strncpy_from_kernel_nofault()

2022-11-25 17:45:53 +01:00

madvise.c

mm: fix madivse_pageout mishandling on non-LRU page

2022-10-05 10:38:40 +02:00

Makefile

mm,kmemleak-test.c: move kmemleak-test.c to samples dir

2020-10-13 18:38:27 -07:00

mapping_dirty_helpers.c

…

memblock.c

Revert "mm: Always release pages to the buddy allocator in memblock_free_late()."

2023-02-22 12:55:56 +01:00

memcontrol.c

mm: memcontrol: deprecate charge moving

2023-03-11 16:40:04 +01:00

memfd.c

memfd: fix F_SEAL_WRITE after shmem huge page allocated

2022-03-08 19:09:36 +01:00

memory_hotplug.c

mm/migration: return errno when isolate_huge_page failed

2023-02-15 17:22:21 +01:00

memory-failure.c

mm/migration: return errno when isolate_huge_page failed

2023-02-15 17:22:21 +01:00

memory.c

mm/memory: add non-anonymous page check in the copy_present_page()

2022-11-03 23:57:50 +09:00

mempolicy.c

migrate: hugetlb: check for hugetlb shared PMD in node migration

2023-02-15 17:22:21 +01:00

mempool.c

mm/mempool: add 'else' to split mutually exclusive case

2020-10-13 18:38:34 -07:00

memremap.c

mm/memremap.c: map FS_DAX device memory as decrypted

2022-11-16 09:57:17 +01:00

memtest.c

…

migrate.c

mm/migration: return errno when isolate_huge_page failed

2023-02-15 17:22:21 +01:00

mincore.c

mm: factor find_get_incore_page out of mincore_page

2020-10-13 18:38:29 -07:00

mlock.c

mlock: fix unevictable_pgs event counts on THP

2020-09-19 13:13:38 -07:00

mm_init.c

mm: adjust vm_committed_as_batch according to vm overcommit policy

2020-08-07 11:33:26 -07:00

mmap.c

mm/mmap: undo ->mmap() when arch_validate_flags() fails

2022-10-26 13:25:11 +02:00

mmu_gather.c

mm/khugepaged: fix GUP-fast interaction by sending IPI

2022-12-14 11:31:55 +01:00

mmu_notifier.c

mm/mmu_notifier.c: fix race in mmu_interval_notifier_remove()

2022-04-27 13:53:54 +02:00

mmzone.c

arm: remove CONFIG_ARCH_HAS_HOLES_MEMORYMODEL

2022-05-15 20:00:09 +02:00

mprotect.c

mm: don't try to NUMA-migrate COW pages that have other uses

2022-02-23 12:00:57 +01:00

mremap.c

mm/mremap: hold the rmap lock in write mode when moving page table entries.

2022-08-21 15:15:21 +02:00

msync.c

mmap locking API: use coccinelle to convert mmap_sem rwsem call sites

2020-06-09 09:39:14 -07:00

nommu.c

mm: remove alloc_vm_area

2020-10-18 09:27:10 -07:00

oom_kill.c

oom_kill.c: futex: delay the OOM reaper to allow time for proper futex cleanup

2022-04-27 13:53:54 +02:00

page_alloc.c

Fix page corruption caused by racy check in __free_pages

2023-02-15 17:22:27 +01:00

page_counter.c

mm/page_counter: correct the obsolete func name in the comment of page_counter_try_charge()

2020-10-13 18:38:30 -07:00

page_ext.c

mm/page_ext.c: drop pfn_present() check when onlining

2020-04-07 10:43:40 -07:00

page_idle.c

mm/page_idle.c: skip offline pages

2020-06-08 11:05:55 -07:00

page_io.c

mm: fix unexpected zeroed page mapping with zram swap

2022-04-20 09:23:25 +02:00

page_isolation.c

mm: rename page_order() to buddy_order()

2020-10-16 11:11:19 -07:00

page_owner.c

mm: rename page_order() to buddy_order()

2020-10-16 11:11:19 -07:00

page_poison.c

mm/page_poison.c: replace bool variable with static key

2020-10-16 11:11:17 -07:00

page_reporting.c

mm: rename page_order() to buddy_order()

2020-10-16 11:11:19 -07:00

page_reporting.h

mm: introduce include/linux/pgtable.h

2020-06-09 09:39:13 -07:00

page_vma_mapped.c

mm/thp: another PVMW_SYNC fix in page_vma_mapped_walk()

2021-06-30 08:47:29 -04:00

page-writeback.c

mm: make wait_on_page_writeback() wait for multiple pending writebacks

2021-01-12 20:18:22 +01:00

pagewalk.c

mm: pagewalk: Fix race between unmap and page walker

2022-09-08 11:11:38 +02:00

percpu-internal.h

percpu: make pcpu_nr_empty_pop_pages per chunk type

2021-04-14 08:42:03 +02:00

percpu-km.c

mm: memcg/percpu: account percpu memory to memory cgroups

2020-08-12 10:57:55 -07:00

percpu-stats.c

percpu: make pcpu_nr_empty_pop_pages per chunk type

2021-04-14 08:42:03 +02:00

percpu-vm.c

mm: memcg/percpu: account percpu memory to memory cgroups

2020-08-12 10:57:55 -07:00

percpu.c

percpu: make pcpu_nr_empty_pop_pages per chunk type

2021-04-14 08:42:03 +02:00

pgalloc-track.h

mm: move p?d_alloc_track to separate header file

2020-08-07 11:33:26 -07:00

pgtable-generic.c

mm/thp: fix __split_huge_pmd_locked() on shmem migration entry

2021-06-30 08:47:26 -04:00

process_vm_access.c

mm/process_vm_access.c: include compat.h

2021-01-19 18:27:21 +01:00

ptdump.c

mm: pagewalk: Fix race between unmap and page walker

2022-09-08 11:11:38 +02:00

readahead.c

mm: use limited read-ahead to satisfy read

2020-10-17 13:49:08 -06:00

rmap.c

mm/rmap: Fix anon_vma->degree ambiguity leading to double-reuse

2022-09-05 10:28:56 +02:00

rodata_test.c

mm/rodata_test.c: fix missing function declaration

2020-08-21 09:52:53 -07:00

shmem.c

shmem: fix a race between shmem_unused_huge_shrink and shmem_evict_inode

2022-01-27 10:53:44 +01:00

shuffle.c

mm: rename page_order() to buddy_order()

2020-10-16 11:11:19 -07:00

shuffle.h

mm/shuffle: remove dynamic reconfiguration

2020-08-07 11:33:29 -07:00

slab_common.c

mm/slub: fix redzoning for small allocations

2021-06-23 14:42:54 +02:00

slab.c

mm/sl?b.c: remove ctor argument from kmem_cache_flags

2021-05-14 09:50:45 +02:00

slab.h

mm: kmemleak: slob: respect SLAB_NOLEAKTRACE flag

2021-11-26 10:39:19 +01:00

slob.c

mm: memcg: convert vmstat slab counters to bytes

2020-08-07 11:33:24 -07:00

slub.c

mm/slub: fix to return errno if kmalloc() fails

2022-09-28 11:10:28 +02:00

sparse-vmemmap.c

mm/sparse: only sub-section aligned range would be populated

2020-08-07 11:33:27 -07:00

sparse.c

mm/sparse: add the missing sparse_buffer_fini() in error branch

2021-05-14 09:50:45 +02:00

swap_cgroup.c

mm: memcontrol: make swap tracking an integral part of memory control

2020-06-03 20:09:48 -07:00

swap_slots.c

mm/swap_slots.c: remove always zero and unused return value of enable_swap_slots_cache()

2020-10-13 18:38:30 -07:00

swap_state.c

mm: swap: get rid of livelock in swapin readahead

2022-03-23 09:13:27 +01:00

swap.c

mm: move call to compound_head() in release_pages()

2020-10-13 18:38:33 -07:00

swapfile.c

mm/swapfile: add cond_resched() in get_swap_pages()

2023-02-15 17:22:20 +01:00

truncate.c

mm/thp: unmap_mapping_page() to fix THP truncate_cleanup_page()

2021-06-30 08:47:27 -04:00

usercopy.c

mm/usercopy: return 1 from hardened_usercopy __setup() handler

2022-04-08 14:40:43 +02:00

userfaultfd.c

mm: userfaultfd: fix missing cache flush in mcopy_atomic_pte() and __mcopy_atomic()

2022-05-15 20:00:09 +02:00

util.c

mm: Add kvrealloc()

2022-08-21 15:15:21 +02:00

vmacache.c

kernel: better document the use_mm/unuse_mm API contract

2020-06-10 19:14:18 -07:00

vmalloc.c

mm/vmalloc.c: fix potential memory leak

2021-01-19 18:27:21 +01:00

vmpressure.c

…

vmscan.c

mm: vmscan: fix extreme overreclaim and swap floods

2022-12-02 17:40:04 +01:00

vmstat.c

arm: remove CONFIG_ARCH_HAS_HOLES_MEMORYMODEL

2022-05-15 20:00:09 +02:00

workingset.c

XArray updates for 5.9

2020-10-20 14:39:37 -07:00

z3fold.c

mm/z3fold: use release_z3fold_page_locked() to release locked z3fold page

2021-07-14 16:56:51 +02:00

zbud.c

mm/zbud: remove redundant initialization

2020-10-13 18:38:34 -07:00

zpool.c

mm/zpool.c: delete duplicated word and fix grammar

2020-08-12 10:57:58 -07:00

zsmalloc.c

zsmalloc: fix races between asynchronous zspage free and page migration

2022-06-06 08:42:43 +02:00

zswap.c

mm/zswap: allow setting default status, compressor and allocator in Kconfig

2020-04-07 10:43:41 -07:00