From patchwork Mon Mar 25 13:41:12 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: David Hildenbrand <david@redhat.com>
X-Patchwork-Id: 13602229
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 2B914C54E64
	for <linux-mm@archiver.kernel.org>; Mon, 25 Mar 2024 13:41:34 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 7033A6B008A; Mon, 25 Mar 2024 09:41:33 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 6B08B6B008C; Mon, 25 Mar 2024 09:41:33 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 578B06B0092; Mon, 25 Mar 2024 09:41:33 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com
 [216.40.44.16])
	by kanga.kvack.org (Postfix) with ESMTP id 49C106B008A
	for <linux-mm@kvack.org>; Mon, 25 Mar 2024 09:41:33 -0400 (EDT)
Received: from smtpin28.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay06.hostedemail.com (Postfix) with ESMTP id 102A8A0853
	for <linux-mm@kvack.org>; Mon, 25 Mar 2024 13:41:33 +0000 (UTC)
X-FDA: 81935673666.28.95D085D
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	by imf10.hostedemail.com (Postfix) with ESMTP id 77684C0006
	for <linux-mm@kvack.org>; Mon, 25 Mar 2024 13:41:31 +0000 (UTC)
Authentication-Results: imf10.hostedemail.com;
	dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=Nb2fZU2t;
	spf=pass (imf10.hostedemail.com: domain of david@redhat.com designates
 170.10.133.124 as permitted sender) smtp.mailfrom=david@redhat.com;
	dmarc=pass (policy=none) header.from=redhat.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1711374091;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=jIOwlwxzzcSMslwXLrjLWmaoHhvyTmqwx/xJnqLqn6Y=;
	b=sSBr52/2dHplQ441wMbgH0wWtDCE7htR9FHxk7c0mQ3v0BeaZtr/S5/vIrGVq4IrPGCQ6L
	FH3oSbQ+RtBGHZKcMrHRWALWfnkiGZKHy0Wuwkh8lBQMIIniaSmwpPZFDDPH927A7YI10w
	tEUPmA6sh/j9bAZT1bQ0mSqRioG2EaE=
ARC-Authentication-Results: i=1;
	imf10.hostedemail.com;
	dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=Nb2fZU2t;
	spf=pass (imf10.hostedemail.com: domain of david@redhat.com designates
 170.10.133.124 as permitted sender) smtp.mailfrom=david@redhat.com;
	dmarc=pass (policy=none) header.from=redhat.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1711374091; a=rsa-sha256;
	cv=none;
	b=kclgqv60fUcyioKUI2UCnWfrx90HDNXbKL9rf04othvztSv+V4JqUyYQsvUj46eV+/48Dz
	flWJb2dp0lQRdyBnIrK4I6cbQN/dAjoS3h/F/FHkF7IFUx+LK/17/0lc9pB1T58+aS97sp
	guKCPjrQ9Ckw0M9fvpOrsug70ouvWVw=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1711374090;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=jIOwlwxzzcSMslwXLrjLWmaoHhvyTmqwx/xJnqLqn6Y=;
	b=Nb2fZU2tQzcANAQcnmghC/hRb0ysMLkOqbyxtfNFYB7zPInme/2g8M9SNKAHBxxg7AdzTu
	vWgd3Xw4zupMLPyY++yiR/QPnV4znrjQ39VF5NxIUAiM2T+vVX/DEtWAz/uhlYxJXluzJ+
	2F2F/01MAK6FZIrZ0Bs3wbfs0aMflEg=
Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73])
 by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-556-beZWhhHSNDqBQcS9cJvtwA-1; Mon,
 25 Mar 2024 09:41:29 -0400
X-MC-Unique: beZWhhHSNDqBQcS9cJvtwA-1
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com
 [10.11.54.6])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id A6DE438035AB;
	Mon, 25 Mar 2024 13:41:28 +0000 (UTC)
Received: from t14s.redhat.com (unknown [10.39.193.143])
	by smtp.corp.redhat.com (Postfix) with ESMTP id AAFEF2166B5D;
	Mon, 25 Mar 2024 13:41:25 +0000 (UTC)
From: David Hildenbrand <david@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org,
	David Hildenbrand <david@redhat.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Mike Rapoport <rppt@kernel.org>,
	Miklos Szeredi <mszeredi@redhat.com>,
	Lorenzo Stoakes <lstoakes@gmail.com>,
	xingwei lee <xrivendell7@gmail.com>,
	yue sun <samsun1006219@gmail.com>,
	Miklos Szeredi <miklos@szeredi.hu>,
	stable@vger.kernel.org
Subject: [PATCH v1 1/3] mm/secretmem: fix GUP-fast succeeding on secretmem
 folios
Date: Mon, 25 Mar 2024 14:41:12 +0100
Message-ID: <20240325134114.257544-2-david@redhat.com>
In-Reply-To: <20240325134114.257544-1-david@redhat.com>
References: <20240325134114.257544-1-david@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.6
X-Rspamd-Queue-Id: 77684C0006
X-Rspam-User: 
X-Stat-Signature: s484wt1t34y1spa1nypgi6ohb7sbw7gw
X-Rspamd-Server: rspam01
X-HE-Tag: 1711374091-494104
X-HE-Meta: 
 U2FsdGVkX1+gfDOhBwcPxR0qmlQMUn4OrCVRwoVqKAazU5ma//HdJ2V37HwChtzK/yQY1GAU1QAmngsp2jqGGYCE39mY8ilh/gUwKwsqcNjqRCcyZtk57p6+e2cK3gqUE8BxfXOKmud62eCsN/7eqFwV0umPLL04NLGm7CHntlyxrxEsqYhnPvSAPtx3jsN07kCCUbEz50m5JFK7BJg+9y2991yvsLJWigTVszJh0qdQblGVHNiSJfB5cRAEsaxtF0c0Bf67VGuNKQrpDXsm+VJhMeu26IKRbJjmGU6BI1hjqgm2XTNxUEUVj42KIrE0pWtqsW1Nyc4uJNJ5W7q6IGJ52jFyjUts7ayBftu8qWlaBQ5+IcsOp6kmTLf5Fi3q/Etu1XvgkeAF5SzlRxDZzA9eAztzQIQvXYN1uyT90Vl0SHxo8QtTkM0J8raZ1eBt12lPOrIjjPjihntg4Xp+Oh831AhRtnYlhYpBNsq1FWkwn0RcHy896UviwQhuPC9ETlcBJhtYwTTdkeTsYFX5gdxq92rmgDYGzEJAdVgf1DZfgPdRyhl2dYVby1vf6JMjMZgmU0+bev6xvCLLdPMORDA07LZsLM5bQ7+XYdu8ftd+3O2yI2Noe+4g+bTkYkbzd1wNtWriZOBntkABtGtyxnzz0OmFfN/FgjVZi6EfHsh1Mu3sV/6BZrARpH6vFn4ThRKC5kOW1E0Dp/jqOi0c2syfbby8D3KPOeGpKXaa8YFwCVmy/NUHZYWwtKyvFUxn+dex/DcCmdkKXXn1BF3kC7AaoKRbixgIuCjYSO5yICyxijcOFZOnPfaLfY/nOjhQCaK7S4TqEYY3ZUlhxdR881EJSid2wqcnQYy0Wi9hiBkl7ja1OL+i5L33v/giV/urbZayog9Pib02BFBnEihULg==
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

folio_is_secretmem() states that secretmem folios cannot be LRU folios:
so we may only exit early if we find an LRU folio. Yet, we exit early if
we find a folio that is not a secretmem folio.

Consequently, folio_is_secretmem() fails to detect secretmem folios and,
therefore, we can succeed in grabbing a secretmem folio during GUP-fast,
crashing the kernel when we later try reading/writing to the folio, because
the folio has been unmapped from the directmap.

Reported-by: xingwei lee <xrivendell7@gmail.com>
Reported-by: yue sun <samsun1006219@gmail.com>
Closes: https://lore.kernel.org/lkml/CABOYnLyevJeravW=QrH0JUPYEcDN160aZFb7kwndm-J2rmz0HQ@mail.gmail.com/
Debugged-by: Miklos Szeredi <miklos@szeredi.hu>
Reviewed-by: Mike Rapoport (IBM) <rppt@kernel.org>
Tested-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 1507f51255c9 ("mm: introduce memfd_secret system call to create "secret" memory areas")
Cc: <stable@vger.kernel.org>
Signed-off-by: David Hildenbrand <david@redhat.com>
---
 include/linux/secretmem.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/secretmem.h b/include/linux/secretmem.h
index 35f3a4a8ceb1..6996f1f53f14 100644
--- a/include/linux/secretmem.h
+++ b/include/linux/secretmem.h
@@ -16,7 +16,7 @@ static inline bool folio_is_secretmem(struct folio *folio)
 	 * We know that secretmem pages are not compound and LRU so we can
 	 * save a couple of cycles here.
 	 */
-	if (folio_test_large(folio) || !folio_test_lru(folio))
+	if (folio_test_large(folio) || folio_test_lru(folio))
 		return false;
 
 	mapping = (struct address_space *)

From patchwork Mon Mar 25 13:41:13 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: David Hildenbrand <david@redhat.com>
X-Patchwork-Id: 13602230
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 8FEDEC54E64
	for <linux-mm@archiver.kernel.org>; Mon, 25 Mar 2024 13:41:40 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 21F7D6B0093; Mon, 25 Mar 2024 09:41:40 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 1D2856B0095; Mon, 25 Mar 2024 09:41:40 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 0210F6B0096; Mon, 25 Mar 2024 09:41:39 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com
 [216.40.44.15])
	by kanga.kvack.org (Postfix) with ESMTP id E3A406B0093
	for <linux-mm@kvack.org>; Mon, 25 Mar 2024 09:41:39 -0400 (EDT)
Received: from smtpin28.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay03.hostedemail.com (Postfix) with ESMTP id 9E66BA01FA
	for <linux-mm@kvack.org>; Mon, 25 Mar 2024 13:41:39 +0000 (UTC)
X-FDA: 81935673918.28.62075A3
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	by imf17.hostedemail.com (Postfix) with ESMTP id CF9434001A
	for <linux-mm@kvack.org>; Mon, 25 Mar 2024 13:41:37 +0000 (UTC)
Authentication-Results: imf17.hostedemail.com;
	dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=iSZkONXR;
	dmarc=pass (policy=none) header.from=redhat.com;
	spf=pass (imf17.hostedemail.com: domain of david@redhat.com designates
 170.10.133.124 as permitted sender) smtp.mailfrom=david@redhat.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1711374097;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=cpEPWSpCeTwbxNQN5JgorLS4hcdt0dP0Q44OLrNb3L4=;
	b=oE+6uIa2Mb33spGXu5+WxH+yTpMPDgjTVS3RwsNtuO1WpZSv9LBCTrjdMottIsjaYY/jlM
	AV2UQSvrZYnnO4euJP49aqCjofgqZOL71gj3IEK2tw56B0X9lJViuBDyaMjwNNLT2yZfMc
	amsuGs7sTAtZDukNJas36he9aRVjU4I=
ARC-Authentication-Results: i=1;
	imf17.hostedemail.com;
	dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=iSZkONXR;
	dmarc=pass (policy=none) header.from=redhat.com;
	spf=pass (imf17.hostedemail.com: domain of david@redhat.com designates
 170.10.133.124 as permitted sender) smtp.mailfrom=david@redhat.com
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1711374097; a=rsa-sha256;
	cv=none;
	b=ZmjyDumpg87LKo9bMrdENFKo2mRvsmnL99WVQzWfj+An33KiFnluCXOnpLOZ4cHvXX1Du8
	G6yN9SbH0VCoA6wahzx84sA4Mbpo/SZIAjLk3BdrYcredkZY4KsMwv3wYbrEVONZE5DzsQ
	sk0SQ4nK5n3pXQHG8dzwZi0omluWbaU=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1711374097;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=cpEPWSpCeTwbxNQN5JgorLS4hcdt0dP0Q44OLrNb3L4=;
	b=iSZkONXRerQZMTaJGM8WiKLxH/0EghWhtQl6tgElHySIQCM2p2IAxlOfAI3ielGGgf/3y4
	hUOmwDu8HyjJpf0u4H1CiDiEwEpbEegBofatjbj42GlBoO4kRBk5v6J/I+0nXdWAMM58Fa
	APWkkEaJhvwMTh00yT/yAyohqTuCd8s=
Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73])
 by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-398-TiJUf4AYOGuuhRDZm9FyBA-1; Mon,
 25 Mar 2024 09:41:31 -0400
X-MC-Unique: TiJUf4AYOGuuhRDZm9FyBA-1
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com
 [10.11.54.6])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 696A73CBD4E7;
	Mon, 25 Mar 2024 13:41:31 +0000 (UTC)
Received: from t14s.redhat.com (unknown [10.39.193.143])
	by smtp.corp.redhat.com (Postfix) with ESMTP id 0EA692166B31;
	Mon, 25 Mar 2024 13:41:28 +0000 (UTC)
From: David Hildenbrand <david@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org,
	David Hildenbrand <david@redhat.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Mike Rapoport <rppt@kernel.org>,
	Miklos Szeredi <mszeredi@redhat.com>,
	Lorenzo Stoakes <lstoakes@gmail.com>,
	xingwei lee <xrivendell7@gmail.com>,
	yue sun <samsun1006219@gmail.com>
Subject: [PATCH v1 2/3] selftests/memfd_secret: add vmsplice() test
Date: Mon, 25 Mar 2024 14:41:13 +0100
Message-ID: <20240325134114.257544-3-david@redhat.com>
In-Reply-To: <20240325134114.257544-1-david@redhat.com>
References: <20240325134114.257544-1-david@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.6
X-Rspamd-Queue-Id: CF9434001A
X-Rspam-User: 
X-Rspamd-Server: rspam04
X-Stat-Signature: 4aaz5oxrmu3t3kffhzopsre3f63pa54u
X-HE-Tag: 1711374097-859320
X-HE-Meta: 
 U2FsdGVkX1/b+Zg10PRfyDV4lvTaoTBzBk0fkQpVNuQ/l0jLTPWMl1r7my+Vfl+0fJRHIbx+FOk9M9qhvkRzlgBgTnc5TL4n9td6FxZ1gdmzArHvfKY3WSxbXByn4moLQGiiHzccMoI+xQhwSAl6I6YlbM5yGHozlygGbY4JJESypbTBZl9bQVQ/fvHRV87YHQP0m5hleHSCRLAjhvid40FXw8Nt5cV8dNXCZz0poFRIgOpbA2Td0aMWykAuvYK4tqFT/ip+IceUUKE98Qk3OioJAztwzhwqLpJig1AYtZmViQDAzbm89IeAG9m95I28h4AInbz31g8JK1Z50FFaugS10z47VYIiZyqT+f3tra7TK+40M7+2S2CTrySf55O2KUa+uX6d2u3zsHBkPc4TNPamOuldzPosnOLLuBSIaiaNRzKvGoZh7ThSZ5cwV2BL2dXGjkf/WMXDUZB3MAHpI5cuyjHBfHPwJPHQQRwkzb3lMx9x524zFwgYnJ6Lf++pCbzH/oS9rcvVw9YZeE0pN7NvEmV7jCR81y0rwNKfRowq4AI2XRsLGOG3hmq3oB1Lx5hNGWTY6tcAoBTLQy6B42uXXF5CAZ1a/gh1fEy9PSupK/V87m9G6mRxQGl+vvwwo1yaiejrGSPP3MRiwL/PLDphVsjecK2d/RfEkJK6OZYAlSSd15vnD4KUODj35oc1t4S1VFzdG7DpR7ohNqkdVLL0Js0ElcsFjh1VVV/oDSjo9/KSGQvnLcBzkzuBNbGhwVVs3Sl3sKtuTMcvdkhZ9mBZ8L9lRBSzcvLmKIC9EUHW1mY/Yo/mxmV4kzx4nfYhjLhR0odyTL7V7ZBuhbeYFMslgnLnjda45vCvnon5nqHAfnOuG71zW3E2qW6L38sKfQTJWm9llb7fSAZNqw+S74MWiALZiewMA4F8OjjUEh5c3MHkoy9jriETRjcOgyMr2IyzGMJ3/jwe8dU6Zq5
 UHYk7mPX
 VOX1TAoxeYL28ogPffx9rK6IBT8OT+yqc7WJt3whTecYpGmzRIpw7ZrlwytkhTyWqb2YEt+eemelgXwl7wPWMTN84tPOxmqfbw9UVg/tqt6hUNEMh0rHX2xA/AyzjcqcfDinOGJglbDcyIbQgdUYEHO3lVwJuuprXdtIu3CYZ1AgG1g3rvoBreYZxx9goOM+T/DqlCNnhAmYriRHDJBRNfZW2aSOgSm0/gXN2Y/dJYua8zMMzuuYtEYwHjPG2nTEwEyp5MFdKX8+dlvvZVS1MJEE8Bw4BxtldyHHVtlGLCxKHDJA=
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

Let's add a simple reproducer for a scneario where GUP-fast could succeed
on secretmem folios, making vmsplice() succeed instead of failing. The
reproducer is based on a reproducer [1] by Miklos Szeredi.

Perform the ftruncate() only once, and check the return value.

For some reason, vmsplice() reliably fails (making the test succeed) when
we move the test_vmsplice() call after test_process_vm_read() /
test_ptrace(). Properly cleaning up in test_remote_access(), which is not
part of this change, won't change that behavior. Therefore, run the
vmsplice() test for now first -- something is a bit off once we involve
fork().

[1] https://lkml.kernel.org/r/CAJfpegt3UCsMmxd0taOY11Uaw5U=eS1fE5dn0wZX3HF0oy8-oQ@mail.gmail.com

Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Mike Rapoport (IBM) <rppt@kernel.org>
---
 tools/testing/selftests/mm/memfd_secret.c | 44 +++++++++++++++++++++--
 1 file changed, 42 insertions(+), 2 deletions(-)

diff --git a/tools/testing/selftests/mm/memfd_secret.c b/tools/testing/selftests/mm/memfd_secret.c
index 9b298f6a04b3..0acbdcf8230e 100644
--- a/tools/testing/selftests/mm/memfd_secret.c
+++ b/tools/testing/selftests/mm/memfd_secret.c
@@ -20,6 +20,7 @@
 #include <unistd.h>
 #include <errno.h>
 #include <stdio.h>
+#include <fcntl.h>
 
 #include "../kselftest.h"
 
@@ -83,6 +84,43 @@ static void test_mlock_limit(int fd)
 	pass("mlock limit is respected\n");
 }
 
+static void test_vmsplice(int fd)
+{
+	ssize_t transferred;
+	struct iovec iov;
+	int pipefd[2];
+	char *mem;
+
+	if (pipe(pipefd)) {
+		fail("pipe failed: %s\n", strerror(errno));
+		return;
+	}
+
+	mem = mmap(NULL, page_size, prot, mode, fd, 0);
+	if (mem == MAP_FAILED) {
+		fail("Unable to mmap secret memory\n");
+		goto close_pipe;
+	}
+
+	/*
+	 * vmsplice() may use GUP-fast, which must also fail. Prefault the
+	 * page table, so GUP-fast could find it.
+	 */
+	memset(mem, PATTERN, page_size);
+
+	iov.iov_base = mem;
+	iov.iov_len = page_size;
+	transferred = vmsplice(pipefd[1], &iov, 1, 0);
+
+	ksft_test_result(transferred < 0 && errno == EFAULT,
+			 "vmsplice is blocked as expected\n");
+
+	munmap(mem, page_size);
+close_pipe:
+	close(pipefd[0]);
+	close(pipefd[1]);
+}
+
 static void try_process_vm_read(int fd, int pipefd[2])
 {
 	struct iovec liov, riov;
@@ -187,7 +225,6 @@ static void test_remote_access(int fd, const char *name,
 		return;
 	}
 
-	ftruncate(fd, page_size);
 	memset(mem, PATTERN, page_size);
 
 	if (write(pipefd[1], &mem, sizeof(mem)) < 0) {
@@ -258,7 +295,7 @@ static void prepare(void)
 				   strerror(errno));
 }
 
-#define NUM_TESTS 4
+#define NUM_TESTS 5
 
 int main(int argc, char *argv[])
 {
@@ -277,9 +314,12 @@ int main(int argc, char *argv[])
 			ksft_exit_fail_msg("memfd_secret failed: %s\n",
 					   strerror(errno));
 	}
+	if (ftruncate(fd, page_size))
+		ksft_exit_fail_msg("ftruncate failed: %s\n", strerror(errno));
 
 	test_mlock_limit(fd);
 	test_file_apis(fd);
+	test_vmsplice(fd);
 	test_process_vm_read(fd);
 	test_ptrace(fd);
 

From patchwork Mon Mar 25 13:41:14 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: David Hildenbrand <david@redhat.com>
X-Patchwork-Id: 13602231
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 0E7D3C54E58
	for <linux-mm@archiver.kernel.org>; Mon, 25 Mar 2024 13:41:42 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id B96576B0095; Mon, 25 Mar 2024 09:41:40 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id B1EC76B0096; Mon, 25 Mar 2024 09:41:40 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 9A3966B0098; Mon, 25 Mar 2024 09:41:40 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com
 [216.40.44.12])
	by kanga.kvack.org (Postfix) with ESMTP id 86A5F6B0095
	for <linux-mm@kvack.org>; Mon, 25 Mar 2024 09:41:40 -0400 (EDT)
Received: from smtpin23.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay05.hostedemail.com (Postfix) with ESMTP id 1552E406EB
	for <linux-mm@kvack.org>; Mon, 25 Mar 2024 13:41:40 +0000 (UTC)
X-FDA: 81935673960.23.A9F0586
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	by imf18.hostedemail.com (Postfix) with ESMTP id 386441C0003
	for <linux-mm@kvack.org>; Mon, 25 Mar 2024 13:41:38 +0000 (UTC)
Authentication-Results: imf18.hostedemail.com;
	dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=IJEf6P3d;
	spf=pass (imf18.hostedemail.com: domain of david@redhat.com designates
 170.10.129.124 as permitted sender) smtp.mailfrom=david@redhat.com;
	dmarc=pass (policy=none) header.from=redhat.com
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1711374098;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:dkim-signature;
	bh=CokJpVlNHQkDeOM8Ax0bVh3dvCSI52pFoSUWrkagN08=;
	b=uvsIwaX0hliYOoOnt84dbq9UJtaf5Dej3B+7X8mKxKQRa41B/c3KLhSh3rUsg6Ei8RIXf4
	2nVJepOD0YmiVZDFA2qDuXenobAxvXrnrFzJZJpizLVsW6Gm0eRfS+D7VR51j64QYLvAmQ
	6C7WeTvvfxdB52TabroD7LySrGhitUM=
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1711374098; a=rsa-sha256;
	cv=none;
	b=rUjHPYtYPz7AkHh+hmmDZcksYfBKJo0VOwMT6tZb0UvyM7058XWFhMjcDDpUbizTsCp5Sm
	oy6eK9A8IL4+Xd9LvdwaScx/4lKaQUiNKMu524T5InezZgpzD/YLOoQM0Wqt7B2Zo7r6yR
	0ZovCFgKiXoRVZtbJ7gt468bUnpqhbw=
ARC-Authentication-Results: i=1;
	imf18.hostedemail.com;
	dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=IJEf6P3d;
	spf=pass (imf18.hostedemail.com: domain of david@redhat.com designates
 170.10.129.124 as permitted sender) smtp.mailfrom=david@redhat.com;
	dmarc=pass (policy=none) header.from=redhat.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1711374097;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=CokJpVlNHQkDeOM8Ax0bVh3dvCSI52pFoSUWrkagN08=;
	b=IJEf6P3dq/q+8xLpM+JAKdIqazpas6s+waaZhbuEq9tjR6NO3b+gJtf+8vqg3kIVe3vHNx
	hmR/kQbm/XGISq5hmxMtdRUZqcsgOxU59p5mF7hY4Ubg59T6hBI9fiW2pEo2omGw7uzj+z
	wzBylNfSsCxw8mvzb6xfEjgzZTr0sME=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
 us-mta-373-tEBRYUiQPDClGkgaC9S8ug-1; Mon, 25 Mar 2024 09:41:33 -0400
X-MC-Unique: tEBRYUiQPDClGkgaC9S8ug-1
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com
 [10.11.54.6])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 4A2D5891E69;
	Mon, 25 Mar 2024 13:41:33 +0000 (UTC)
Received: from t14s.redhat.com (unknown [10.39.193.143])
	by smtp.corp.redhat.com (Postfix) with ESMTP id B5DA62166B35;
	Mon, 25 Mar 2024 13:41:31 +0000 (UTC)
From: David Hildenbrand <david@redhat.com>
To: linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org,
	David Hildenbrand <david@redhat.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Mike Rapoport <rppt@kernel.org>,
	Miklos Szeredi <mszeredi@redhat.com>,
	Lorenzo Stoakes <lstoakes@gmail.com>,
	xingwei lee <xrivendell7@gmail.com>,
	yue sun <samsun1006219@gmail.com>
Subject: [PATCH v1 3/3] mm: merge folio_is_secretmem() into
 folio_fast_pin_allowed()
Date: Mon, 25 Mar 2024 14:41:14 +0100
Message-ID: <20240325134114.257544-4-david@redhat.com>
In-Reply-To: <20240325134114.257544-1-david@redhat.com>
References: <20240325134114.257544-1-david@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.6
X-Stat-Signature: pxhwwpfnn4egkzhdg9jgd3w799u5mh9o
X-Rspamd-Server: rspam10
X-Rspamd-Queue-Id: 386441C0003
X-Rspam-User: 
X-HE-Tag: 1711374098-161761
X-HE-Meta: 
 U2FsdGVkX19gAmUaw14UsFuBtvZ5eO9tat1JU6p8C/ET69vmHUNe5Zgsz5H+hD+Rgfwiqo87qgDkGHvzt4WmqIskIupK+clJvdbVnQZS885tjwHRuERslYQAZ8sGXNqpbUemi8q5J5G+KGEM6/BYaminzZammOzAVgMarVuwY8C6G6w0wukDezohL9IFQYtHuTeifKg/ftFLhoiSgUD7OKH98Xudu2oV1lpQLC/bltziCnMXv6IYmE+zLmYcihpY8ZcPlnSeN2jeqcM7ffS/qvHrZDcYlmcy+wXYuIatCdYCdkYCgzRA2tTNfdQfHe57/3sw+pX4xupc4gpf/k4nBaYDm03bcrTIFcRn2joZwgYpcCKwOnkuUAKTwHCUTP5ARb3Kv+8ZmMFXLSH1DKcl7CJup/rU+Kqjf1CjIh24T/u13AKIgrqHl1c647qcpIt9sMOaCtRAh6mk2jA23Zo8aX9LFklfKFUSXemjUE4PD52cRzAUb6L2vVMvZ2E+C48mXNbVQljpF81hk2Cu6S/ZizAFPern1Y1l2V2hzfamfJIkiuoqyrRBlBMSx3+N0EHNiGM0NjXciJ64ljKhIT4Rg4pVORX8bQbTyktHtst0M0I9fskp0P3vNcfRoUGrtfnt9ARiBdKSETYSbbPeBkM1N1/bOL7CV6Yki4FEismOXKW75YkPGQpAqwtAbnMKGFqgzKkWKdMzWpcgQ6KUdN8WECvQg4kI8TgCHJWpS6O3rVU8oMWlk1KuxxTueu49+LZb8nzlfvVDyQlIvzIlkWBBgBwrxIPnynDTuzBQAuLsjzmzO/fWUrJOIrBosVm3FcFhKiWNiggqG9M5HCU13IIwu502vGtK5MDf7BkfZR03+I3v1JEd7ICsFjqABFW+S4MFWvDcMMJOVB+5xJ/Cn5q2tYu51r7D95/6QzEUEgSh8vaAxq3mP33Jr5CwnC7pkr53jFhu3F6wsckSrydaIFo
 ZMHzUefS
 poS7j17KNEQR++mHzhn6IaywOFOIdbWXvuWPtdOzCx42tgtilkN0QoZbBobi75oPZkwsgADoURpsb0Hi9hfN8+O3AA2DjvJSAoa9gI0/1g6hLEDBUAE7YWg6+xkwic/q+zzPk9LJoH/gwAeUUqqf85wPh5A+IJpsE/ze+o49jit63k50P1y2sOFlW22QDIsHSLa6iUgPaYvmPxEyp2ZZiObaCGQ==
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

folio_is_secretmem() is currently only used during GUP-fast, and using
it in wrong context where concurrent truncation might happen, could be
problematic.

Nowadays, folio_fast_pin_allowed() performs similar checks during
GUP-fast and contains a lot of careful handling -- READ_ONCE( -- ), sanity
checks -- lockdep_assert_irqs_disabled() --  and helpful comments on how
this handling is safe and correct.

So let's merge folio_is_secretmem() into folio_fast_pin_allowed(), still
avoiding checking the actual mapping only if really required.

Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Mike Rapoport (IBM) <rppt@kernel.org>
---
 include/linux/secretmem.h | 21 ++-------------------
 mm/gup.c                  | 33 +++++++++++++++++++++------------
 2 files changed, 23 insertions(+), 31 deletions(-)

diff --git a/include/linux/secretmem.h b/include/linux/secretmem.h
index 6996f1f53f14..e918f96881f5 100644
--- a/include/linux/secretmem.h
+++ b/include/linux/secretmem.h
@@ -6,25 +6,8 @@
 
 extern const struct address_space_operations secretmem_aops;
 
-static inline bool folio_is_secretmem(struct folio *folio)
+static inline bool secretmem_mapping(struct address_space *mapping)
 {
-	struct address_space *mapping;
-
-	/*
-	 * Using folio_mapping() is quite slow because of the actual call
-	 * instruction.
-	 * We know that secretmem pages are not compound and LRU so we can
-	 * save a couple of cycles here.
-	 */
-	if (folio_test_large(folio) || folio_test_lru(folio))
-		return false;
-
-	mapping = (struct address_space *)
-		((unsigned long)folio->mapping & ~PAGE_MAPPING_FLAGS);
-
-	if (!mapping || mapping != folio->mapping)
-		return false;
-
 	return mapping->a_ops == &secretmem_aops;
 }
 
@@ -38,7 +21,7 @@ static inline bool vma_is_secretmem(struct vm_area_struct *vma)
 	return false;
 }
 
-static inline bool folio_is_secretmem(struct folio *folio)
+static inline bool secretmem_mapping(struct address_space *mapping)
 {
 	return false;
 }
diff --git a/mm/gup.c b/mm/gup.c
index e7510b6ce765..69d8bc8e4451 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -2472,6 +2472,8 @@ EXPORT_SYMBOL(get_user_pages_unlocked);
  * This call assumes the caller has pinned the folio, that the lowest page table
  * level still points to this folio, and that interrupts have been disabled.
  *
+ * GUP-fast must reject all secretmem folios.
+ *
  * Writing to pinned file-backed dirty tracked folios is inherently problematic
  * (see comment describing the writable_file_mapping_allowed() function). We
  * therefore try to avoid the most egregious case of a long-term mapping doing
@@ -2484,22 +2486,32 @@ EXPORT_SYMBOL(get_user_pages_unlocked);
 static bool folio_fast_pin_allowed(struct folio *folio, unsigned int flags)
 {
 	struct address_space *mapping;
+	bool check_secretmem = false;
+	bool reject_file_backed = false;
 	unsigned long mapping_flags;
 
 	/*
 	 * If we aren't pinning then no problematic write can occur. A long term
 	 * pin is the most egregious case so this is the one we disallow.
 	 */
-	if ((flags & (FOLL_PIN | FOLL_LONGTERM | FOLL_WRITE)) !=
+	if ((flags & (FOLL_PIN | FOLL_LONGTERM | FOLL_WRITE)) ==
 	    (FOLL_PIN | FOLL_LONGTERM | FOLL_WRITE))
-		return true;
+		reject_file_backed = true;
+
+	/* We hold a folio reference, so we can safely access folio fields. */
 
-	/* The folio is pinned, so we can safely access folio fields. */
+	/* secretmem folios are only order-0 folios and never LRU folios. */
+	if (IS_ENABLED(CONFIG_SECRETMEM) && !folio_test_large(folio) &&
+	    !folio_test_lru(folio))
+		check_secretmem = true;
+
+	if (!reject_file_backed && !check_secretmem)
+		return true;
 
 	if (WARN_ON_ONCE(folio_test_slab(folio)))
 		return false;
 
-	/* hugetlb mappings do not require dirty-tracking. */
+	/* hugetlb neither requires dirty-tracking nor can be secretmem. */
 	if (folio_test_hugetlb(folio))
 		return true;
 
@@ -2535,10 +2547,12 @@ static bool folio_fast_pin_allowed(struct folio *folio, unsigned int flags)
 
 	/*
 	 * At this point, we know the mapping is non-null and points to an
-	 * address_space object. The only remaining whitelisted file system is
-	 * shmem.
+	 * address_space object.
 	 */
-	return shmem_mapping(mapping);
+	if (check_secretmem && secretmem_mapping(mapping))
+		return false;
+	/* The only remaining allowed file system is shmem. */
+	return !reject_file_backed || shmem_mapping(mapping);
 }
 
 static void __maybe_unused undo_dev_pagemap(int *nr, int nr_start,
@@ -2624,11 +2638,6 @@ static int gup_pte_range(pmd_t pmd, pmd_t *pmdp, unsigned long addr,
 		if (!folio)
 			goto pte_unmap;
 
-		if (unlikely(folio_is_secretmem(folio))) {
-			gup_put_folio(folio, 1, flags);
-			goto pte_unmap;
-		}
-
 		if (unlikely(pmd_val(pmd) != pmd_val(*pmdp)) ||
 		    unlikely(pte_val(pte) != pte_val(ptep_get(ptep)))) {
 			gup_put_folio(folio, 1, flags);