* Regression: mmap rejects shared, read-only mappings of write-sealed memfds
@ 2024-11-27 20:49 Julian Orth
2024-11-27 21:59 ` Lorenzo Stoakes
0 siblings, 1 reply; 2+ messages in thread
From: Julian Orth @ 2024-11-27 20:49 UTC (permalink / raw)
To: Lorenzo Stoakes; +Cc: linux-mm, linux-kernel

Since around

5de19506 mm: resolve faulty mmap_region() error path behaviour

mmap rejects shared, read-only mapping of memfds that have a write-seal applied.

Before the commit, the code in mmap_region was

    if (file) {
        vma->vm_file = get_file(file);
        error = mmap_file(file, vma);
        if (error)
            goto unmap_and_free_vma;

        if (vma_is_shared_maywrite(vma)) {
            error = mapping_map_writable(file->f_mapping);

where mmap_file would clear the VM_MAYWRITE flag for write-sealed memfds.

After the commit, the code in mmap_region is simply

    if (file && is_shared_maywrite(vm_flags)) {
        int error = mapping_map_writable(file->f_mapping);

with mmap_file not being called until much later.

This regression seems to have been first released in 6.12 and is still
present on master.
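
A userspace probe for the behaviour reported above, added here as an example; it is not code from the thread or from the kernel tree. The function name `probe_sealed_mmap` and the memfd name are assumptions. Going by the versions named in the thread, the shared read-only case is expected to succeed on 6.6 and later kernels without the regression and to be refused on 6.12, while a shared writable mapping of a write-sealed memfd must be refused everywhere.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallback values from the Linux UAPI headers, used only if libc hides them. */
#ifndef MFD_ALLOW_SEALING
#define MFD_ALLOW_SEALING 0x0002U
#endif
#ifndef F_ADD_SEALS
#define F_ADD_SEALS 1033
#define F_SEAL_WRITE 0x0008
#endif

/* Map one page of a fresh write-sealed memfd with the given prot/flags.
 * Returns 0 if mmap() succeeds, the mmap() errno if it is refused,
 * or -1 if the sealed memfd could not be set up. (Hypothetical helper.) */
int probe_sealed_mmap(int prot, int flags)
{
	long page = sysconf(_SC_PAGESIZE);
	int fd = (int)syscall(SYS_memfd_create, "seal-probe", MFD_ALLOW_SEALING);
	int err = -1;

	if (fd < 0)
		return -1;
	if (ftruncate(fd, page) == 0 &&
	    fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE) == 0) {
		void *p = mmap(NULL, (size_t)page, prot, flags, fd, 0);
		err = (p == MAP_FAILED) ? errno : 0;
		if (p != MAP_FAILED)
			munmap(p, (size_t)page);
	}
	close(fd);
	return err;
}

int main(void)
{
	int ro = probe_sealed_mmap(PROT_READ, MAP_SHARED);
	int rw = probe_sealed_mmap(PROT_READ | PROT_WRITE, MAP_SHARED);

	/* 0 = mapping allowed, >0 = errno from mmap(), -1 = setup failed */
	printf("write-sealed memfd, MAP_SHARED PROT_READ:            %d\n", ro);
	printf("write-sealed memfd, MAP_SHARED PROT_READ|PROT_WRITE: %d\n", rw);
	return (ro == 0 && rw > 0) ? 0 : 1;
}
```

The exit status is 0 only when the read-only shared mapping is allowed and the writable one is refused, so the program can serve as a regression check across kernel versions.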
* Re: Regression: mmap rejects shared, read-only mappings of write-sealed memfds
2024-11-27 20:49 Regression: mmap rejects shared, read-only mappings of write-sealed memfds Julian Orth
@ 2024-11-27 21:59 ` Lorenzo Stoakes
0 siblings, 0 replies; 2+ messages in thread
From: Lorenzo Stoakes @ 2024-11-27 21:59 UTC (permalink / raw)
To: Julian Orth
Cc: linux-mm, linux-kernel, Jann Horn, Linus Torvalds,
Vlastimil Babka, Liam Howlett
+ VMA people, Linus
On Wed, Nov 27, 2024 at 09:49:29PM +0100, Julian Orth wrote:
> Since around
>
> 5de19506 mm: resolve faulty mmap_region() error path behaviour
>
> mmap rejects shared, read-only mapping of memfds that have a write-seal applied.
>
> Before the commit, the code in mmap_region was
>
>     if (file) {
>         vma->vm_file = get_file(file);
>         error = mmap_file(file, vma);
>         if (error)
>             goto unmap_and_free_vma;
>
>         if (vma_is_shared_maywrite(vma)) {
>             error = mapping_map_writable(file->f_mapping);
>
> where mmap_file would clear the VM_MAYWRITE flag for write-sealed memfds.
>
> After the commit, the code in mmap_region is simply
>
>     if (file && is_shared_maywrite(vm_flags)) {
>         int error = mapping_map_writable(file->f_mapping);
>
> with mmap_file not being called until much later.
>
> This regression seems to have been first released in 6.12 and is still
> present on master.

Thanks, this is ironic as I was the one who made this behaviour possible in
commit e8e17ee90eaf ("mm: drop the assumption that VM_SHARED always implies
writable") :)

This means this functionality was only available from 6.6, and is pretty
corner-case niche stuff (code written for any prior kernel could not rely
on this being possible), so the number of people impacted by this will be
minimal.

I will look into this and see if it is feasible to resolve it.

However it is of critical importance for security and stability purposes
that we do not abort the mmap operation midway through, and therefore we
cannot have a case where we abort _after_ the mmap_file() call (which calls
the f_op->mmap() hook), so the behaviour as originally implemented simply
cannot be restored.

A workaround might be an icky special case for memfd's or even a
refactoring of this code in general...

Thanks, Lorenzo