From: Paul Moore
Date: Sat, 19 Oct 2024 11:34:08 -0400
Subject: Re: [PATCH v2] mm: Split critical region in remap_file_pages() and invoke LSMs in between
To: "Kirill A. Shutemov", Roberto Sassu, akpm@linux-foundation.org
Cc: Liam.Howlett@oracle.com, lorenzo.stoakes@oracle.com, vbabka@suse.cz, jannh@google.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, ebpqwerty472123@gmail.com, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com, jmorris@namei.org, serge@hallyn.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, bpf@vger.kernel.org, linux-fsdevel@vger.kernel.org, stable@vger.kernel.org, syzbot+1cd571a672400ef3a930@syzkaller.appspotmail.com, Roberto Sassu
In-Reply-To: <20241018161415.3845146-1-roberto.sassu@huaweicloud.com>
References: <20241018161415.3845146-1-roberto.sassu@huaweicloud.com>

On Fri, Oct 18, 2024 at 12:15 PM Roberto Sassu wrote:
> From: "Kirill A. Shutemov"
>
> Commit ea7e2d5e49c0 ("mm: call the security_mmap_file() LSM hook in
> remap_file_pages()") fixed a security issue: it added an LSM check when
> trying to remap file pages, so that LSMs have the opportunity to evaluate
> such action like for other memory operations such as mmap() and mprotect().
>
> However, that commit called security_mmap_file() inside the mmap_lock lock,
> while the other calls do it before taking the lock, after commit
> 8b3ec6814c83 ("take security_mmap_file() outside of ->mmap_sem").
>
> This caused a lock inversion issue with IMA, which was taking the mmap_lock
> and i_mutex lock in the opposite way when the remap_file_pages() system
> call was called.
>
> Solve the issue by splitting the critical region in remap_file_pages() in
> two regions: the first takes a read lock of mmap_lock, retrieves the VMA
> and the file descriptor associated, and calculates the 'prot' and 'flags'
> variables; the second takes a write lock on mmap_lock, checks that the VMA
> flags and the VMA file descriptor are the same as the ones obtained in the
> first critical region (otherwise the system call fails), and calls
> do_mmap().
>
> In between, after releasing the read lock and before taking the write lock,
> call security_mmap_file(), and solve the lock inversion issue.
>
> Cc: stable@vger.kernel.org # v6.12-rcx
> Fixes: ea7e2d5e49c0 ("mm: call the security_mmap_file() LSM hook in remap_file_pages()")
> Reported-by: syzbot+1cd571a672400ef3a930@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/linux-security-module/66f7b10e.050a0220.46d20.0036.GAE@google.com/
> Reviewed-by: Roberto Sassu
> Reviewed-by: Jann Horn
> Reviewed-by: Lorenzo Stoakes
> Tested-by: Roberto Sassu
> Tested-by: syzbot+1cd571a672400ef3a930@syzkaller.appspotmail.com
> Signed-off-by: Kirill A. Shutemov
> ---
>  mm/mmap.c | 69 +++++++++++++++++++++++++++++++++++++++++--------------
>  1 file changed, 52 insertions(+), 17 deletions(-)

Thanks for working on this Roberto, Kirill, and everyone else who had a
hand in reviewing and testing.

Reviewed-by: Paul Moore

Andrew, I see you're pulling this into the MM/hotfixes-unstable branch;
do you also plan to send this up to Linus soon/next week? If so, great;
if not, let me know and I can send it up via the LSM tree.

We need to get clarity around Roberto's sign-off, but I think that is
more of an administrative mistake rather than an intentional omission :)

-- 
paul-moore.com