[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <52wapi4gdnh3i2oiyk44utrco4ck5zph5mikoejfjrlfz2pwhe@eyiaozi4q23x>
Date: Fri, 9 Aug 2024 12:05:55 -0400
From: "Liam R. Howlett" <Liam.Howlett@...cle.com>
To: Pedro Falcato <pedro.falcato@...il.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>,
Vlastimil Babka <vbabka@...e.cz>,
Lorenzo Stoakes <lorenzo.stoakes@...cle.com>, linux-mm@...ck.org,
linux-kernel@...r.kernel.org, oliver.sang@...el.com,
torvalds@...ux-foundation.org, jeffxu@...gle.com,
Michael Ellerman <mpe@...erman.id.au>
Subject: Re: [PATCH v2 4/6] mm/mremap: Replace can_modify_mm with
can_modify_vma
* Pedro Falcato <pedro.falcato@...il.com> [240807 17:13]:
> Delegate all can_modify checks to the proper places. Unmap checks are
> done in do_unmap (et al).
>
> This patch allows for mremap partial failure in certain cases (for
> instance, when destination VMAs aren't sealed, but the source VMA is).
> It shouldn't be too troublesome, as you'd need to go out of your way to
> do illegal operations on a VMA.
As mseal() is supposed to be a security thing, is the illegal operation
not a concern?
>
> Signed-off-by: Pedro Falcato <pedro.falcato@...il.com>
> ---
> v2:
> - Removed a superfluous check in mremap (Jeff Xu)
>
> mm/mremap.c | 30 ++++--------------------------
> 1 file changed, 4 insertions(+), 26 deletions(-)
>
> diff --git a/mm/mremap.c b/mm/mremap.c
> index e7ae140fc64..35afb3e38a8 100644
> --- a/mm/mremap.c
> +++ b/mm/mremap.c
> @@ -821,6 +821,10 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
> if (!vma)
> return ERR_PTR(-EFAULT);
>
> + /* Don't allow vma expansion when it has already been sealed */
> + if (!can_modify_vma(vma))
> + return ERR_PTR(-EPERM);
> +
> /*
> * !old_len is a special case where an attempt is made to 'duplicate'
> * a mapping. This makes no sense for private mappings as it will
> @@ -902,19 +906,6 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len,
> if ((mm->map_count + 2) >= sysctl_max_map_count - 3)
> return -ENOMEM;
>
> - /*
> - * In mremap_to().
> - * Move a VMA to another location, check if src addr is sealed.
> - *
> - * Place can_modify_mm here because mremap_to()
> - * does its own checking for address range, and we only
> - * check the sealing after passing those checks.
> - *
> - * can_modify_mm assumes we have acquired the lock on MM.
> - */
> - if (unlikely(!can_modify_mm(mm, addr, addr + old_len)))
> - return -EPERM;
> -
> if (flags & MREMAP_FIXED) {
> /*
> * In mremap_to().
> @@ -1079,19 +1070,6 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
> goto out;
> }
>
> - /*
> - * Below is shrink/expand case (not mremap_to())
> - * Check if src address is sealed, if so, reject.
> - * In other words, prevent shrinking or expanding a sealed VMA.
> - *
> - * Place can_modify_mm here so we can keep the logic related to
> - * shrink/expand together.
> - */
> - if (unlikely(!can_modify_mm(mm, addr, addr + old_len))) {
> - ret = -EPERM;
> - goto out;
> - }
> -
> /*
> * Always allow a shrinking remap: that just unmaps
> * the unnecessary pages..
> --
> 2.46.0
>
Powered by blists - more mailing lists