From: Mike Rapoport <rppt@kernel.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Patrick Roy <roypat@amazon.co.uk>,
david@redhat.com, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, graf@amazon.com,
jgowans@amazon.com
Subject: Re: [PATCH] secretmem: disable memfd_secret() if arch cannot set direct map
Date: Wed, 2 Oct 2024 08:11:24 +0300 [thread overview]
Message-ID: <ZvzV_GVjp05rcqxj@kernel.org> (raw)
In-Reply-To: <20241001150438.017b7bb4cd1baceb53a764bf@linux-foundation.org>
On Tue, Oct 01, 2024 at 03:04:38PM -0700, Andrew Morton wrote:
> On Tue, 1 Oct 2024 09:00:41 +0100 Patrick Roy <roypat@amazon.co.uk> wrote:
>
> > Return -ENOSYS from memfd_secret() syscall if !can_set_direct_map().
> > This is the case for example on some arm64 configurations, where marking
> > 4k PTEs in the direct map not present can only be done if the direct map
> > is set up at 4k granularity in the first place (as ARM's
> > break-before-make semantics do not easily allow breaking apart
> > large/gigantic pages).
> >
> > More precisely, on arm64 systems with !can_set_direct_map(),
> > set_direct_map_invalid_noflush() is a no-op, however it returns success
> > (0) instead of an error. This means that memfd_secret will seemingly
> > "work" (e.g. syscall succeeds, you can mmap the fd and fault in pages),
> > but it does not actually achieve its goal of removing its memory from
> > the direct map.
> >
> > Note that with this patch, memfd_secret() will start erroring on systems
> > where can_set_direct_map() returns false (arm64 with
> > CONFIG_RODATA_FULL_DEFAULT_ENABLED=n, CONFIG_DEBUG_PAGEALLOC=n and
> > CONFIG_KFENCE=n), but that still seems better than the current silent
> > failure. Since CONFIG_RODATA_FULL_DEFAULT_ENABLED defaults to 'y', most
> > arm64 systems actually have a working memfd_secret() and aren't be
> > affected.
> >
> > >From going through the iterations of the original memfd_secret patch
> > series, it seems that disabling the syscall in these scenarios was the
> > intended behavior [1] (preferred over having
> > set_direct_map_invalid_noflush return an error as that would result in
> > SIGBUSes at page-fault time), however the check for it got dropped
> > between v16 [2] and v17 [3], when secretmem moved away from CMA
> > allocations.
> >
> > [1]: https://lore.kernel.org/lkml/20201124164930.GK8537@kernel.org/
> > [2]: https://lore.kernel.org/lkml/20210121122723.3446-11-rppt@kernel.org/#t
> > [3]: https://lore.kernel.org/lkml/20201125092208.12544-10-rppt@kernel.org/
>
> Thanks.
>
> > Fixes: 1507f51255c9 ("mm: introduce memfd_secret system call to create "secret" memory areas")
>
> So I'm thinking this fix should be backported into kernels which
> contain 1507f51255c9, agree?
Yes
--
Sincerely yours,
Mike.
prev parent reply other threads:[~2024-10-02 5:14 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-01 8:00 Patrick Roy
2024-10-01 8:08 ` Mike Rapoport
2024-10-01 22:04 ` Andrew Morton
2024-10-02 5:11 ` Mike Rapoport [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZvzV_GVjp05rcqxj@kernel.org \
--to=rppt@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=david@redhat.com \
--cc=graf@amazon.com \
--cc=jgowans@amazon.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=roypat@amazon.co.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox