From: Tudor Brindus <me@tbrindus.ca>
To: linux-mm@kvack.org
Subject: Bug/inconsistency in hugepage permission checking between mmap and shmget
Date: Sun, 27 Oct 2024 12:00:12 -0400 [thread overview]
Message-ID: <CABPTGz-fbRscfniu1Qjdpq7h+O5v7COVuxnWOyV7CD9B2atTeA@mail.gmail.com> (raw)
[-- Attachment #1: Type: text/plain, Size: 1874 bytes --]
Hi,
The documentation for both `man 2 mmap` and `man 2 shmget` states that
anonymous hugepage mappings can only be obtained if the caller has
`CAP_IPC_LOCK`, or is part of the `sysctl_hugetlb_shm_group`.
I believe that in practice this is only enforced for `shmget`, and not
`mmap`.
This is true as of current master, and has been true at least since 4.x (I
have
not looked further back).
`mm/mmap.c` contains, in a `MAP_HUGETLB` branch:
file = hugetlb_file_setup(HUGETLB_ANON_FILE, len,
VM_NORESERVE,
HUGETLB_ANONHUGE_INODE,
(flags >> MAP_HUGE_SHIFT) & MAP_HUGE_MASK);
While `fs/hugetlbfs/inode.c` contains:
static int can_do_hugetlb_shm(void)
{
kgid_t shm_group;
shm_group = make_kgid(&init_user_ns, sysctl_hugetlb_shm_group);
return capable(CAP_IPC_LOCK) || in_group_p(shm_group);
}
...
struct file *hugetlb_file_setup(const char *name, size_t size,
vm_flags_t acctflag, int creat_flags,
int page_size_log)
{
...
if (creat_flags == HUGETLB_SHMFS_INODE && !can_do_hugetlb_shm()) {
...
return ERR_PTR(-EPERM);
}
i.e., only checks `can_do_hugetlb_shm` when `create_flags ==
HUGETLB_SHMFS_INODE`, whereas the callsite in `mm/mmap.c` passes in
`HUGETLB_ANONHUGE_INODE`.
A simple test program that tries allocating hugepage memory with `mmap` and
`shmget` while not possessing `CAP_IPC_LOCK` and not being in the
`sysctl_hugetlb_shm_group` confirms this behavior.
What's the right course of action here?
- The logic in `hugetlb_file_setup` could be modified to enforce the
permissions on `mmap` calls. This might break userspace code that's been
relying on this working, though.
- The restriction could be removed from `shmget`.
- The inconsistency between `mmap` and `shmget` could be accepted as a fact
of
life, and the documentation fixed to match this reality.
-- Tudor
[-- Attachment #2: Type: text/html, Size: 2145 bytes --]
reply other threads:[~2024-10-27 16:00 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CABPTGz-fbRscfniu1Qjdpq7h+O5v7COVuxnWOyV7CD9B2atTeA@mail.gmail.com \
--to=me@tbrindus.ca \
--cc=linux-mm@kvack.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox