Date: Thu, 17 Oct 2024 20:37:37 +0100
From: Pedro Falcato
To: jeffxu@chromium.org
Cc: akpm@linux-foundation.org, keescook@chromium.org, torvalds@linux-foundation.org, usama.anjum@collabora.com, corbet@lwn.net, Liam.Howlett@oracle.com, lorenzo.stoakes@oracle.com, jeffxu@google.com, jorgelo@chromium.org, groeck@chromium.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, jannh@google.com, sroettger@google.com, linux-hardening@vger.kernel.org, willy@infradead.org, gregkh@linuxfoundation.org, deraadt@openbsd.org, surenb@google.com, merimus@google.com, rdunlap@infradead.org, stable@vger.kernel.org
Subject: Re: [PATCH v1 1/2] mseal: Two fixes for madvise(MADV_DONTNEED) when sealed
Message-ID: <5svaztlptf4gs4sp6zyzycwjm2fnpd2xw3oirsls67sq7gq7wv@pwcktbixrzdo>
References: <20241017005105.3047458-1-jeffxu@chromium.org> <20241017005105.3047458-2-jeffxu@chromium.org>
In-Reply-To: <20241017005105.3047458-2-jeffxu@chromium.org>

On Thu, Oct 17, 2024 at 12:51:04AM +0000, jeffxu@chromium.org wrote:
> From: Jeff Xu
>
> Two fixes for madvise(MADV_DONTNEED) when sealed.
>

Please separate these fixes into two separate patches.

> For PROT_NONE mappings, the previous blocking of
> madvise(MADV_DONTNEED) is unnecessary. As PROT_NONE already prohibits
> memory access, madvise(MADV_DONTNEED) should be allowed to proceed in
> order to free the page.

I don't get it. Is there an actual use case for this?

> For file-backed, private, read-only memory mappings, we previously did
> not block the madvise(MADV_DONTNEED). This was based on
> the assumption that the memory's content, being file-backed, could be
> retrieved from the file if accessed again. However, this assumption
> failed to consider scenarios where a mapping is initially created as
> read-write, modified, and subsequently changed to read-only. The newly
> introduced VM_WASWRITE flag addresses this oversight.

We *do not* need this. It's sufficient to just block discard operations on read-only
private mappings.

Sending a possible (fully untested) fix. If you like this approach I can resend properly,
or Andrew can pick it up, whatever floats people's boats.

----8<----
From dc5ec662dcb79156f4bdc1cba2a2575dce905ffa Mon Sep 17 00:00:00 2001
From: Pedro Falcato
Date: Thu, 17 Oct 2024 20:21:10 +0100
Subject: [PATCH] mm/mseal: Disallow madvise discard on file-private sealed mappings

Doing an operation such as MADV_DONTNEED on a file-private mapping may
forcibly alter data by discarding CoW'd, anon pages and replacing them
with page cache pages fresh from the filesystem.

As such, this somewhat bypasses the mseal of a read-only mapping, and
should be disallowed.

Signed-off-by: Pedro Falcato
Fixes: 8be7258aad44 ("mseal: add mseal syscall")
Cc: # 6.11.y
---
 mm/mseal.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/mm/mseal.c b/mm/mseal.c
index 28cd17d7aaf2..d053303c5542 100644
--- a/mm/mseal.c
+++ b/mm/mseal.c
@@ -36,10 +36,15 @@ static bool is_madv_discard(int behavior) return false; } -static bool is_ro_anon(struct vm_area_struct *vma) +static bool is_ro_private(struct vm_area_struct *vma) { - /* check anonymous mapping. */ - if (vma->vm_file || vma->vm_flags & VM_SHARED) + /* + * If shared, allow discard operations - it shouldn't + * affect the underlying data. Discard on private VMAs may + * forcibly alter data by replacing CoW'd anonymous pages + * with ones fresh from the page cache. + */ + if (vma->vm_flags & VM_SHARED) return false; /* @@ -61,7 +66,7 @@ bool can_modify_vma_madv(struct vm_area_struct *vma, int behavior) if (!is_madv_discard(behavior)) return true; - if (unlikely(!can_modify_vma(vma) && is_ro_anon(vma))) + if (unlikely(!can_modify_vma(vma) && is_ro_private(vma))) return false; /* Allow by default. */ -- 2.47.0
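
Review bot: In the first hunk, dropping the vma->vm_file test from is_ro_private() makes every sealed, read-only MAP_PRIVATE file mapping reject discard, including mappings whose pages were never CoW'd and where the discard could not change what user space reads. If that wider restriction is the intended trade-off for not tracking earlier writes, the commit message should say so. The new comment's claim that discard on shared VMAs "shouldn't affect the underlying data" also depends on which behaviours is_madv_discard() accepts, so naming them in the comment would make the claim checkable.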
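
Review bot: In the second hunk, the changed condition in can_modify_vma_madv() arrives without a test, while the mail calls the fix fully untested and the commit carries a Fixes: tag and a stable Cc. A selftest that maps a file MAP_PRIVATE read-write, writes to it, switches it to read-only, seals it and then checks that madvise(MADV_DONTNEED) is refused would cover the case the commit message describes, next to a MAP_SHARED case that must still be allowed.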
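
The mechanism the commit message describes, as an added illustration that is not part of the mail or the patch: a private file mapping is written, made read-only, and MADV_DONTNEED then swaps the CoW'd page for the file's content. The mseal() step is left out so this runs on kernels without the syscall; the temp-file path, constants and function name are assumptions of this example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample data: file content vs. the private (CoW) write. */
#define FILE_BYTE 'F'
#define COW_BYTE  'C'
#define LEN       4096

/*
 * Returns the first byte seen through a read-only MAP_PRIVATE file mapping
 * after MADV_DONTNEED, or -1 on setup failure. FILE_BYTE means the private
 * modification was discarded and the page came back from the page cache.
 */
int byte_after_discard(void)
{
    char path[] = "/tmp/dontneed-demo-XXXXXX";   /* hypothetical temp file */
    static char buf[LEN];
    int result = -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);
    memset(buf, FILE_BYTE, LEN);
    if (write(fd, buf, LEN) != LEN) {
        close(fd);
        return -1;
    }
    char *map = mmap(NULL, LEN, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    close(fd);
    if (map == MAP_FAILED)
        return -1;
    volatile char *p = map;
    p[0] = COW_BYTE;                         /* triggers CoW: anonymous page */
    if (mprotect(map, LEN, PROT_READ) == 0 && p[0] == COW_BYTE &&
        madvise(map, LEN, MADV_DONTNEED) == 0)
        result = (unsigned char)p[0];        /* refaults from the file */
    munmap(map, LEN);
    return result;
}

int main(void)
{
    int b = byte_after_discard();
    printf("byte after MADV_DONTNEED: %c\n", b < 0 ? '?' : b);
    return b == FILE_BYTE ? 0 : 1;
}
```

The read-only protection alone does not stop the content change, which is why the sealed case has to be refused in the madvise path.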