From: Jann Horn
Date: Fri, 18 Oct 2024 17:05:04 +0200
Subject: Re: [RFC][PATCH] mm: Split locks in remap_file_pages()
To: Roberto Sassu
Cc: akpm@linux-foundation.org, Liam.Howlett@oracle.com, lorenzo.stoakes@oracle.com, vbabka@suse.cz, linux-mm@kvack.org, linux-kernel@vger.kernel.org, ebpqwerty472123@gmail.com, paul@paul-moore.com, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com, jmorris@namei.org, serge@hallyn.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, linux-fsdevel@vger.kernel.org, "Kirill A. Shutemov", stable@vger.kernel.org, syzbot+91ae49e1c1a2634d20c0@syzkaller.appspotmail.com, Roberto Sassu
In-Reply-To: <20241018144710.3800385-1-roberto.sassu@huaweicloud.com>

On Fri, Oct 18, 2024 at 4:48 PM Roberto Sassu wrote:
> Commit ea7e2d5e49c0 ("mm: call the security_mmap_file() LSM hook in
> remap_file_pages()") fixed a security issue, it added an LSM check when
> trying to remap file pages, so that LSMs have the opportunity to evaluate
> such action like for other memory operations such as mmap() and mprotect().
>
> However, that commit called security_mmap_file() inside the mmap_lock lock,
> while the other calls do it before taking the lock, after commit
> 8b3ec6814c83 ("take security_mmap_file() outside of ->mmap_sem").
>
> This caused lock inversion issue with IMA which was taking the mmap_lock
> and i_mutex lock in the opposite way when the remap_file_pages() system
> call was called.
>
> Solve the issue by splitting the critical region in remap_file_pages() in
> two regions: the first takes a read lock of mmap_lock and retrieves the VMA
> and the file associated, and calculate the 'prot' and 'flags' variable; the
> second takes a write lock on mmap_lock, checks that the VMA flags and the
> VMA file descriptor are the same as the ones obtained in the first critical
> region (otherwise the system call fails), and calls do_mmap().
>
> In between, after releasing the read lock and taking the write lock, call
> security_mmap_file(), and solve the lock inversion issue.
>
> Cc: stable@vger.kernel.org
> Fixes: ea7e2d5e49c0 ("mm: call the security_mmap_file() LSM hook in remap_file_pages()")
> Reported-by: syzbot+91ae49e1c1a2634d20c0@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/linux-security-module/66f7b10e.050a0220.46d20.0036.GAE@google.com/
> Reviewed-by: Roberto Sassu (Calculate prot and flags earlier)
> Signed-off-by: Kirill A. Shutemov

Reviewed-by: Jann Horn