From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6B769CD6E54 for ; Wed, 11 Oct 2023 09:46:33 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id BE0A98E0005; Wed, 11 Oct 2023 05:46:32 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id B8F1C8D0002; Wed, 11 Oct 2023 05:46:32 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id A572C8E0005; Wed, 11 Oct 2023 05:46:32 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13]) by kanga.kvack.org (Postfix) with ESMTP id 926F38D0002 for ; Wed, 11 Oct 2023 05:46:32 -0400 (EDT) Received: from smtpin25.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay04.hostedemail.com (Postfix) with ESMTP id 64E961A0194 for ; Wed, 11 Oct 2023 09:46:32 +0000 (UTC) X-FDA: 81332700624.25.36629D9 Received: from smtp-out1.suse.de (smtp-out1.suse.de [195.135.220.28]) by imf29.hostedemail.com (Postfix) with ESMTP id 3AE0A12000E for ; Wed, 11 Oct 2023 09:46:29 +0000 (UTC) Authentication-Results: imf29.hostedemail.com; dkim=pass header.d=suse.cz header.s=susede2_rsa header.b=MINSzmiM; dkim=pass header.d=suse.cz header.s=susede2_ed25519 header.b=PuflIjs6; spf=pass (imf29.hostedemail.com: domain of jack@suse.cz designates 195.135.220.28 as permitted sender) smtp.mailfrom=jack@suse.cz; dmarc=none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1697017590; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=soXVte2VbxPbbCiLRCQN5td7yB/rAeQqYWLQLBxTIFU=; b=KU+GcGOqU9RnrPS8kDfkJcG1wOrwvFOyhUGMEhxPGP0JiJRZ1z6w9IVYb+RK0UfR81JWaW bazrW89NCldc6qe1z5UUxtGAQFkoD2YhKaG1j2bb5AkUYoHl+VzljxieaJKbo0HUFoigN6 F4iazZFKaHg9Mdgig5MSwPYfCC3go7A= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1697017590; a=rsa-sha256; cv=none; b=m5P5sp5b0ngzCDUspewEQJHiAFFajnP4CfMC3wA2/PP3NhUHOzwAc9Fa/xLv/Bwjv6WX8U 1MrVMjSwu+Bp4WOTThRR+jYz4Ii7vIN5cYvgDibljvaT4lQrvrjXZX/u/7B5mqdFQ//A5p OextWMOv90AyiB/gOHmfJPBgRDV1tgA= ARC-Authentication-Results: i=1; imf29.hostedemail.com; dkim=pass header.d=suse.cz header.s=susede2_rsa header.b=MINSzmiM; dkim=pass header.d=suse.cz header.s=susede2_ed25519 header.b=PuflIjs6; spf=pass (imf29.hostedemail.com: domain of jack@suse.cz designates 195.135.220.28 as permitted sender) smtp.mailfrom=jack@suse.cz; dmarc=none Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 4CBEE21846; Wed, 11 Oct 2023 09:46:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1697017588; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=soXVte2VbxPbbCiLRCQN5td7yB/rAeQqYWLQLBxTIFU=; b=MINSzmiMBqPcCbrrb5vPVjQ4FAleRRJnE1hYr+yINv0F92u7+T9emi+0wjSB8uUZUd69D0 zh4gFBG77P84Bzd6iajzSLr+gqwv8cUjeCNuBJedY1ICnaMghUIWuVEjc4F1Obrx6fG7bM fXwXQ2CAmNnHT3yKSi8LykyvJd3qaN0= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1697017588; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=soXVte2VbxPbbCiLRCQN5td7yB/rAeQqYWLQLBxTIFU=; b=PuflIjs6dBQNsSmZ34SZrkDPJN2uCfXBS9AiB4CipN0nI/vA5+5fZYmJ2XDxUn5d3P7yKC 9X6t0U2qgkZGmDCg== Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 3EDD6134F5; Wed, 11 Oct 2023 09:46:28 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id 5E5TD/RuJmWnSwAAMHmgww (envelope-from ); Wed, 11 Oct 2023 09:46:28 +0000 Received: by quack3.suse.cz (Postfix, from userid 1000) id C200BA05BC; Wed, 11 Oct 2023 11:46:27 +0200 (CEST) Date: Wed, 11 Oct 2023 11:46:27 +0200 From: Jan Kara To: Lorenzo Stoakes Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrew Morton , Mike Kravetz , Muchun Song , Alexander Viro , Christian Brauner , Matthew Wilcox , Hugh Dickins , Andy Lutomirski , Jan Kara , linux-fsdevel@vger.kernel.org, bpf@vger.kernel.org Subject: Re: [PATCH v3 3/3] mm: enforce the mapping_map_writable() check after call_mmap() Message-ID: <20231011094627.3xohlpe4gm2idszm@quack3> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Rspamd-Queue-Id: 3AE0A12000E X-Rspam-User: X-Rspamd-Server: rspam11 X-Stat-Signature: ws78qdob3hz7wcusdwbafr5rt8dywjkr X-HE-Tag: 1697017589-769777 X-HE-Meta: U2FsdGVkX1/n8jDn5OWtPblChuh9AbWecFVdTxVAagWvL4Qlk9+fChA34qfKeBInmN8glkXGLMLEdr/an1rzCrcobia658Dijg2UkbvXX7utH7a7qO4CCxGDn6rtwH1iSOrJMlAqEK+niCCXP6I01zOVqVxtPqHfW1KnoZ3bMTNF8T3ZG0gqOFA+KjLVtvxoLBEfWVTnZifxM+YfwhOd5wRyMsWh2Kn+ZZgsVHisd13X8VffqVsRkZqOsv3Gi8hnmOUf4WP0JdKuFIfUm4X3xr8/NdFjArhshkeym9zhzzaug17qJc2fNR5jOQ7PTUWhWqM4cdbzgJpizQGLqMQyqccfrJzQx/166iIVI91IIDbV2asxaDxHKWgK9dSKCZfj2jLj4RodsE2yDfmFQ3rAi4W9vQT8bR8nmRfi4rZuUJFnhCpS+NQpDjFH2ZiXew5GvwMXpkyWY+/8Ye81+2ZW1KFn8ShbCOQXbWVACsTxzcryzuqSfSDGJ7/2Y9LFGmzcM5hxWmnz+qROYm3dJBRpWnryhTt2JJuVUcl4Qo7avq83SDTb/KQcEo2tfZGA30j5MSgiWGp7WbDK5WaTpvSqP5Quj0KTP0i109DT4yKoK/1W8kxROZHOvuUpbarVwD+eYE3AUrCUQiRjBGlxxKb+QPUNk5Y3RTC/zEbFFtltIyFcBde6Lc/7hZakNUmCs4t17pm4LrT84BqNU6/b4cRWJVsQcIGTbOKi7CFA3SRsuUJoLezhsjmKCip39u9/KNokG7Wyh36Jnl+iLp3hfKwSbF1RqJNdMNO46LULOeg7rOmHUst5x5pmJez8/sOsCdoFnfP3yh9LeNzOx+rmcI0TOPBCR/JZGKAfGtVSVhYxyvyS11g4/ouZ5d+M21JGkgl6IaMndrUAjVfY7fXQYsynUp+DTGRBf1MmA8I8VtZFFcugdObWicxtPy7jNF7mvAedLEX/+3cnxpLQSMs4xGM 7V/Itl+3 NZEO25VqHh3SbngqjgUr8c8//pLCHPpVj/GkvzflrsgHjyMCKzdvAgJGezWJYLer78BN5A5pLClMY2FuzzpvHPSi1cOd44LeXVGaFB5R6yRXqler1Z6YUmLiWNOrPW1KBNPEdrsh27qp7/IMaYLxQVwVzB2FvMOGc7KuSStQfLXZ9zasPdZoSO60gQOxaTQl8r4rHlJpdb3kBhTFya8C7le3Sbb9f5sLwWUaFfMHSpwrCQtyr+fdsPj+XTQ39LW+HA8zZ1UnETtvKIWS0Jme99+7rgJhlsJMrk8NXvxbpcEMIqqETXSPaRjkFpPeycDhUxtdB+DWBa3NSrWxWJeC+g+cAANOnpQNRimlPCeegiWeaeKWzGyuHNpQ8e8N748w2lcIl X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Sat 07-10-23 21:51:01, Lorenzo Stoakes wrote: > In order for an F_SEAL_WRITE sealed memfd mapping to have an opportunity to > clear VM_MAYWRITE in seal_check_write() we must be able to invoke either > the shmem_mmap() or hugetlbfs_file_mmap() f_ops->mmap() handler to do so. > > We would otherwise fail the mapping_map_writable() check before we had > the opportunity to clear VM_MAYWRITE. > > However, the existing logic in mmap_region() performs this check BEFORE > calling call_mmap() (which invokes file->f_ops->mmap()). We must enforce > this check AFTER the function call. > > In order to avoid any risk of breaking call_mmap() handlers which assume > this will have been done first, we continue to mark the file writable > first, simply deferring enforcement of it failing until afterwards. > > This enables mmap(..., PROT_READ, MAP_SHARED, fd, 0) mappings for memfd's > sealed via F_SEAL_WRITE to succeed, whereas previously they were not > permitted. > > Link: https://bugzilla.kernel.org/show_bug.cgi?id=217238 > Signed-off-by: Lorenzo Stoakes ... > diff --git a/mm/mmap.c b/mm/mmap.c > index 6f6856b3267a..9fbee92aaaee 100644 > --- a/mm/mmap.c > +++ b/mm/mmap.c > @@ -2767,17 +2767,25 @@ unsigned long mmap_region(struct file *file, unsigned long addr, > vma->vm_pgoff = pgoff; > > if (file) { > - if (is_shared_maywrite(vm_flags)) { > - error = mapping_map_writable(file->f_mapping); > - if (error) > - goto free_vma; > - } > + int writable_error = 0; > + > + if (vma_is_shared_maywrite(vma)) > + writable_error = mapping_map_writable(file->f_mapping); > > vma->vm_file = get_file(file); > error = call_mmap(file, vma); > if (error) > goto unmap_and_free_vma; > > + /* > + * call_mmap() may have changed VMA flags, so retry this check > + * if it failed before. > + */ > + if (writable_error && vma_is_shared_maywrite(vma)) { > + error = writable_error; > + goto close_and_free_vma; > + } Hum, this doesn't quite give me a peace of mind ;). One bug I can see is that if call_mmap() drops the VM_MAYWRITE flag, we seem to forget to drop i_mmap_writeable counter here? I've checked why your v2 version broke i915 and I think the reason maybe has nothing to do with i915. Just in case call_mmap() failed, it ended up jumping to unmap_and_free_vma which calls mapping_unmap_writable() but we didn't call mapping_map_writable() yet so the counter became imbalanced. So I'd be for returning to v2 version, just fix up the error handling paths... Honza > + > /* > * Expansion is handled above, merging is handled below. > * Drivers should not alter the address of the VMA. > -- > 2.42.0 > -- Jan Kara SUSE Labs, CR