From patchwork Sat May 1 14:41:09 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Xu X-Patchwork-Id: 12234799 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.6 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C12C1C43460 for ; Sat, 1 May 2021 14:41:21 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 4F622615FF for ; Sat, 1 May 2021 14:41:21 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 4F622615FF Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id DB0C06B006E; Sat, 1 May 2021 10:41:20 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id D862A6B0070; Sat, 1 May 2021 10:41:20 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id BB38C6B0071; Sat, 1 May 2021 10:41:20 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0169.hostedemail.com [216.40.44.169]) by kanga.kvack.org (Postfix) with ESMTP id 9FBE16B006E for ; Sat, 1 May 2021 10:41:20 -0400 (EDT) Received: from smtpin09.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay03.hostedemail.com (Postfix) with ESMTP id 5AF718249980 for ; Sat, 1 May 2021 14:41:20 +0000 (UTC) X-FDA: 78092925120.09.8CBE4F3 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by imf09.hostedemail.com (Postfix) with ESMTP id F29EE600010A for ; Sat, 1 May 2021 14:41:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1619880079; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=KWU4dToOlrdXt6xX3Zm8/xsHlBzDG+7XGBVqeUZV/DE=; b=Oa6zI1zrQl1B6LQRNFt0+FzVfvflYXvdGxnJkQg1X3sWy/YiA6UFWD1YYC1lsGNSNpAm0u tTrAuDnTObuxhCKi7KSUpu/3u1kPWyHCJYVw+vOmbQUa2uyW74cZIJ95bo/FwkdJwTeGPm gHYfUGO0SxTGJRKJJZ2Qd6O7XGg0a8c= Received: from mail-io1-f70.google.com (mail-io1-f70.google.com [209.85.166.70]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-317-0SjAkfakOuC3ZGXA45ANOQ-1; Sat, 01 May 2021 10:41:18 -0400 X-MC-Unique: 0SjAkfakOuC3ZGXA45ANOQ-1 Received: by mail-io1-f70.google.com with SMTP id b16-20020a5ea7100000b02904037ac1756fso572075iod.13 for ; Sat, 01 May 2021 07:41:18 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=KWU4dToOlrdXt6xX3Zm8/xsHlBzDG+7XGBVqeUZV/DE=; b=WwnvzccrsffXzYAsKngQGDET7IXZCCG7UCDGIOaWZ4SUOY0eW0s5cwIayNLKV9QWP1 0tNVLUByYbUgNHTBg0jswNVhWJENSzR88NVoJ8Nq5R+YOXaBHbz6BthFeh7PbWNSV8VQ g5fcS4ZHOvN6DB4eBqUtO+mR4JWMf5Q3ds/isNFZPg5/aBETlnHQ1Fan0RIOZvCWNggp icOIQmNNHf6cpg4qJxRPtp+WNtIK+EFCT18UpuOROT4fAdCb5Z1OOpLc7FJ+A1lH6T6Z 76VFPac4IKqvTv5f2FR4k300KLeHRHBs6pww5nFoDsBTpa22Osq2mrg/KOTiHRJqJ0nD sxWg== X-Gm-Message-State: AOAM532iqHcyriuXGWJnR3L48SgJJquQSgABM+zbx9C8aoQoELxOKUuW rsVnzsYXyf7gh1vqRWGdmF9OzSaInLfxQY0/pST0ymepBQQ4A8le8hmQRDf/UKMU1uSKyPFBIHA 5xvtWfIapr2uxE1hbHYjlpBpojEhkoKjjA+0zYL/aWcJXSP7KJUTGHSbknQOf X-Received: by 2002:a5e:8a47:: with SMTP id o7mr7511180iom.57.1619880077068; Sat, 01 May 2021 07:41:17 -0700 (PDT) X-Google-Smtp-Source: ABdhPJycsNtoj33R2zB2+M6cM7bHXmSU+NsARgEVbboh0t47qVEaUvyu/N0/3sYR9xMpmJWJ5hCPDQ== X-Received: by 2002:a5e:8a47:: with SMTP id o7mr7511157iom.57.1619880076788; Sat, 01 May 2021 07:41:16 -0700 (PDT) Received: from localhost.localdomain (bras-base-toroon474qw-grc-72-184-145-4-219.dsl.bell.ca. [184.145.4.219]) by smtp.gmail.com with ESMTPSA id k2sm2649343ilq.71.2021.05.01.07.41.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 01 May 2021 07:41:16 -0700 (PDT) From: Peter Xu To: linux-mm@kvack.org, linux-kernel@vger.kernel.org Cc: Hugh Dickins , Andrew Morton , Andrea Arcangeli , peterx@redhat.com, Mike Kravetz , Axel Rasmussen Subject: [PATCH 1/2] mm/hugetlb: Fix F_SEAL_FUTURE_WRITE Date: Sat, 1 May 2021 10:41:09 -0400 Message-Id: <20210501144110.8784-2-peterx@redhat.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210501144110.8784-1-peterx@redhat.com> References: <20210501144110.8784-1-peterx@redhat.com> MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Authentication-Results: imf09.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=Oa6zI1zr; spf=none (imf09.hostedemail.com: domain of peterx@redhat.com has no SPF policy when checking 216.205.24.124) smtp.mailfrom=peterx@redhat.com; dmarc=pass (policy=none) header.from=redhat.com X-Rspamd-Server: rspam03 X-Rspamd-Queue-Id: F29EE600010A X-Stat-Signature: 97kdbaays8tj9fzba6xpatoq5gofmtr5 Received-SPF: none (redhat.com>: No applicable sender policy available) receiver=imf09; identity=mailfrom; envelope-from=""; helo=us-smtp-delivery-124.mimecast.com; client-ip=216.205.24.124 X-HE-DKIM-Result: pass/pass X-HE-Tag: 1619880071-745466 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: F_SEAL_FUTURE_WRITE is missing for hugetlb starting from the first day. There is a test program for that and it fails constantly. $ ./memfd_test hugetlbfs memfd-hugetlb: CREATE memfd-hugetlb: BASIC memfd-hugetlb: SEAL-WRITE memfd-hugetlb: SEAL-FUTURE-WRITE mmap() didn't fail as expected Aborted (core dumped) I think it's probably because no one is really running the hugetlbfs test. Fix it by checking FUTURE_WRITE also in hugetlbfs_file_mmap() as what we do in shmem_mmap(). Generalize a helper for that. Reported-by: Hugh Dickins Signed-off-by: Peter Xu Reviewed-by: Mike Kravetz --- fs/hugetlbfs/inode.c | 5 +++++ include/linux/mm.h | 32 ++++++++++++++++++++++++++++++++ mm/shmem.c | 22 ++++------------------ 3 files changed, 41 insertions(+), 18 deletions(-) diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index a2a42335e8fd2..39922c0f2fc8c 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -131,10 +131,15 @@ static void huge_pagevec_release(struct pagevec *pvec) static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma) { struct inode *inode = file_inode(file); + struct hugetlbfs_inode_info *info = HUGETLBFS_I(inode); loff_t len, vma_len; int ret; struct hstate *h = hstate_file(file); + ret = seal_check_future_write(info->seals, vma); + if (ret) + return ret; + /* * vma address alignment (but not the pgoff alignment) has * already been checked by prepare_hugepage_range. If you add diff --git a/include/linux/mm.h b/include/linux/mm.h index 84fb1697b20ff..c3fd7d504a60e 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -3200,5 +3200,37 @@ extern int sysctl_nr_trim_pages; void mem_dump_obj(void *object); +/** + * seal_check_future_write - Check for F_SEAL_FUTURE_WRITE flag and handle it + * @seals: the seals to check + * @vma: the vma to operate on + * + * Check whether F_SEAL_FUTURE_WRITE is set; if so, do proper check/handling on + * the vma flags. Return 0 if check pass, or <0 for errors. + */ +static inline int seal_check_future_write(int seals, struct vm_area_struct *vma) +{ + if (seals & F_SEAL_FUTURE_WRITE) { + /* + * New PROT_WRITE and MAP_SHARED mmaps are not allowed when + * "future write" seal active. + */ + if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)) + return -EPERM; + + /* + * Since an F_SEAL_FUTURE_WRITE sealed memfd can be mapped as + * MAP_SHARED and read-only, take care to not allow mprotect to + * revert protections on such mappings. Do this only for shared + * mappings. For private mappings, don't need to mask + * VM_MAYWRITE as we still want them to be COW-writable. + */ + if (vma->vm_flags & VM_SHARED) + vma->vm_flags &= ~(VM_MAYWRITE); + } + + return 0; +} + #endif /* __KERNEL__ */ #endif /* _LINUX_MM_H */ diff --git a/mm/shmem.c b/mm/shmem.c index 26c76b13ad233..e86a230735b60 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2258,25 +2258,11 @@ int shmem_lock(struct file *file, int lock, struct user_struct *user) static int shmem_mmap(struct file *file, struct vm_area_struct *vma) { struct shmem_inode_info *info = SHMEM_I(file_inode(file)); + int ret; - if (info->seals & F_SEAL_FUTURE_WRITE) { - /* - * New PROT_WRITE and MAP_SHARED mmaps are not allowed when - * "future write" seal active. - */ - if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE)) - return -EPERM; - - /* - * Since an F_SEAL_FUTURE_WRITE sealed memfd can be mapped as - * MAP_SHARED and read-only, take care to not allow mprotect to - * revert protections on such mappings. Do this only for shared - * mappings. For private mappings, don't need to mask - * VM_MAYWRITE as we still want them to be COW-writable. - */ - if (vma->vm_flags & VM_SHARED) - vma->vm_flags &= ~(VM_MAYWRITE); - } + ret = seal_check_future_write(info->seals, vma); + if (ret) + return ret; /* arm64 - allow memory tagging on RAM-based files */ vma->vm_flags |= VM_MTE_ALLOWED; From patchwork Sat May 1 14:41:10 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Xu X-Patchwork-Id: 12234801 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.6 required=3.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C8C87C433ED for ; Sat, 1 May 2021 14:41:23 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 58A236157F for ; Sat, 1 May 2021 14:41:23 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 58A236157F Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=redhat.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id D3A006B0070; Sat, 1 May 2021 10:41:22 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id CC4856B0071; Sat, 1 May 2021 10:41:22 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id B651F6B0072; Sat, 1 May 2021 10:41:22 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0162.hostedemail.com [216.40.44.162]) by kanga.kvack.org (Postfix) with ESMTP id 978576B0070 for ; Sat, 1 May 2021 10:41:22 -0400 (EDT) Received: from smtpin23.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay02.hostedemail.com (Postfix) with ESMTP id 54804363E for ; Sat, 1 May 2021 14:41:22 +0000 (UTC) X-FDA: 78092925204.23.9275805 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by imf06.hostedemail.com (Postfix) with ESMTP id 4B7F0C0007C9 for ; Sat, 1 May 2021 14:41:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1619880081; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=C/tBe8WZmkkOxqF/hwRfEFiIpzRFCG2CptqZIBKPw6Q=; b=Ysnc9L1IS/Bg54HQuSGmuiOfAHCNtAtdPyrEJDJ6Ooet6HcerIFoFSs4BFAjbC6KXLSq1L aQuqYbrwa4QjY0grJCKW3MbSS7KMNRpXztUEqbKepNNmlehcF7kRaopjQS3YCwWEoHhKiJ YgkajtTYIOxk2RdQaa6m1HNirRcc8qQ= Received: from mail-io1-f71.google.com (mail-io1-f71.google.com [209.85.166.71]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-332-jLUuYYL1OcGE95m_cB0ibg-1; Sat, 01 May 2021 10:41:19 -0400 X-MC-Unique: jLUuYYL1OcGE95m_cB0ibg-1 Received: by mail-io1-f71.google.com with SMTP id e18-20020a5ed5120000b029041705a6ed5cso584511iom.4 for ; Sat, 01 May 2021 07:41:19 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=C/tBe8WZmkkOxqF/hwRfEFiIpzRFCG2CptqZIBKPw6Q=; b=KiTkcUk0aPtZAnBz1ytmilIlxzIKTsl9fywbNqStWB/neg/dbINE30idpCsBc6qq3G q0OhDNR8plal3rN8LbVY8evV7HOcZargkhYne8upxR6n6BZijWBFj0TSQzK5bmzZb1is OQN75Nm0q/I5r3/IBvKyiFQNlqulIQW22XPDMy3k+niR7zvvADOPKbcD11Jph6i5uKa/ uZwsc3QKo79b/rgSmDrAY8+OqHAYaMeeTAm1n3OsQc71AGErBWC2m7pZCE65D45BZvD2 LwKncw1lJFRFbHDYpurw5IQqqZEqFG9P1rySB3K9SdSRnL9U7sQWcSckx5Riqe2d7EQS jaaA== X-Gm-Message-State: AOAM532GgTrD9jG1fFPIA48bHQKz2B78rsmi0ThPHTucv5wMAyriqILI Dv1FhRQMbAQ/+KZLaNmDEbys9Oh4foc68p8frINcd/BvtF6sJoayaV9Wy87K+BXJ5sMrtD0qLJC wOCLTn4S/Y3xFUSzDfcNLvPUeBTMdD5nNaWVLJHtoEMYszk+oLeJH0RhqfKv2 X-Received: by 2002:a05:6e02:1c42:: with SMTP id d2mr7926106ilg.287.1619880078517; Sat, 01 May 2021 07:41:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx6T9MfV4SDndTsV4uuk0FwJd2cZzRHntQUOZ5i0PdrgXvusQOFPqGUeX8DQ65+FUIWtJ1BJw== X-Received: by 2002:a05:6e02:1c42:: with SMTP id d2mr7926087ilg.287.1619880078253; Sat, 01 May 2021 07:41:18 -0700 (PDT) Received: from localhost.localdomain (bras-base-toroon474qw-grc-72-184-145-4-219.dsl.bell.ca. [184.145.4.219]) by smtp.gmail.com with ESMTPSA id k2sm2649343ilq.71.2021.05.01.07.41.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 01 May 2021 07:41:17 -0700 (PDT) From: Peter Xu To: linux-mm@kvack.org, linux-kernel@vger.kernel.org Cc: Hugh Dickins , Andrew Morton , Andrea Arcangeli , peterx@redhat.com, Mike Kravetz , Axel Rasmussen Subject: [PATCH 2/2] mm/hugetlb: Fix cow where page writtable in child Date: Sat, 1 May 2021 10:41:10 -0400 Message-Id: <20210501144110.8784-3-peterx@redhat.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210501144110.8784-1-peterx@redhat.com> References: <20210501144110.8784-1-peterx@redhat.com> MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Authentication-Results: imf06.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=Ysnc9L1I; dmarc=pass (policy=none) header.from=redhat.com; spf=none (imf06.hostedemail.com: domain of peterx@redhat.com has no SPF policy when checking 170.10.133.124) smtp.mailfrom=peterx@redhat.com X-Rspamd-Server: rspam04 X-Rspamd-Queue-Id: 4B7F0C0007C9 X-Stat-Signature: gs35zzqf73xpfzi9aahwpmykn7hye1hx Received-SPF: none (redhat.com>: No applicable sender policy available) receiver=imf06; identity=mailfrom; envelope-from=""; helo=us-smtp-delivery-124.mimecast.com; client-ip=170.10.133.124 X-HE-DKIM-Result: pass/pass X-HE-Tag: 1619880084-542030 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: When fork() and copy hugetlb page range, we'll remember to wrprotect src pte if needed, however we forget about the child! Without it, the child will be able to write to parent's pages when mapped as PROT_READ|PROT_WRITE and MAP_PRIVATE, which will cause data corruption in the parent process. This issue can also be exposed by "memfd_test hugetlbfs" kselftest (if it can pass the F_SEAL_FUTURE_WRITE test first, though). Signed-off-by: Peter Xu Reviewed-by: Mike Kravetz --- mm/hugetlb.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mm/hugetlb.c b/mm/hugetlb.c index 629aa4c2259c8..9978fb73b8caf 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -4056,6 +4056,8 @@ int copy_hugetlb_page_range(struct mm_struct *dst, struct mm_struct *src, * See Documentation/vm/mmu_notifier.rst */ huge_ptep_set_wrprotect(src, addr, src_pte); + /* Child cannot write too! */ + entry = huge_pte_wrprotect(entry); } page_dup_rmap(ptepage, true);