From: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
To: Julian Orth <ju.orth@gmail.com>
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Jann Horn <jannh@google.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Vlastimil Babka <vbabka@suse.cz>,
Liam Howlett <liam.howlett@oracle.com>
Subject: Re: Regression: mmap rejects shared, read-only mappings of write-sealed memfds
Date: Wed, 27 Nov 2024 21:59:06 +0000 [thread overview]
Message-ID: <b36af945-9233-490e-8d15-c088d59bc17e@lucifer.local> (raw)
In-Reply-To: <CAHijbEUMhvJTN9Xw1GmbM266FXXv=U7s4L_Jem5x3AaPZxrYpQ@mail.gmail.com>
+ VMA people, Linus
On Wed, Nov 27, 2024 at 09:49:29PM +0100, Julian Orth wrote:
> Since around
>
> 5de19506 mm: resolve faulty mmap_region() error path behaviour
>
> mmap rejects shared, read-only mapping of memfds that have a write-seal applied.
>
> Before the commit, the code in mmap_region was
>
> if (file) {
> vma->vm_file = get_file(file);
> error = mmap_file(file, vma);
> if (error)
> goto unmap_and_free_vma;
>
> if (vma_is_shared_maywrite(vma)) {
> error = mapping_map_writable(file->f_mapping);
>
> where mmap_file would clear the VM_MAYWRITE flag for write-sealed memfds.
>
> After the commit, the code in mmap_region is simply
>
> if (file && is_shared_maywrite(vm_flags)) {
> int error = mapping_map_writable(file->f_mapping);
>
> with mmap_file not being called until much later.
>
> This regression seems to have been first released in 6.12 and is still
> present on master.
Thanks, this is ironic as I was the one who made this behaviour possible in
commit e8e17ee90eaf ("mm: drop the assumption that VM_SHARED always implies
writable") :)
This means this functionality was only available from 6.6, and is pretty
corner-case niche stuff (code written for any prior kernel could not rely
on this being possible), so the number of people impacted by this will be
minimal.
I will look into this and see if it is feasible to resolve it.
However it is of critical importance for security and stability purposes
that we do not abort the mmap operation midway through, and therefore we
cannot have a case where we abort _after_ the mmap_file() call (which calls
the f_op->mmap() hook), so the behaviour as originally implemented simply
cannot be restored.
A workaround might be an icky special case for memfd's or even a
refactoring of this code in general...
Thanks, Lorenzo
prev parent reply other threads:[~2024-11-27 21:59 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-27 20:49 Julian Orth
2024-11-27 21:59 ` Lorenzo Stoakes [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b36af945-9233-490e-8d15-c088d59bc17e@lucifer.local \
--to=lorenzo.stoakes@oracle.com \
--cc=jannh@google.com \
--cc=ju.orth@gmail.com \
--cc=liam.howlett@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=torvalds@linux-foundation.org \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox