From patchwork Tue Nov 20 05:21:36 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joel Fernandes X-Patchwork-Id: 10689859 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 520D013BB for ; Tue, 20 Nov 2018 05:22:01 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 442E72A0A1 for ; Tue, 20 Nov 2018 05:22:01 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 3844A2A325; Tue, 20 Nov 2018 05:22:01 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE autolearn=unavailable version=3.3.1 Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B5B182A0A1 for ; Tue, 20 Nov 2018 05:22:00 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 99B406B1E55; Tue, 20 Nov 2018 00:21:59 -0500 (EST) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 94A4E6B1E56; Tue, 20 Nov 2018 00:21:59 -0500 (EST) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 839036B1E57; Tue, 20 Nov 2018 00:21:59 -0500 (EST) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from mail-pf1-f197.google.com (mail-pf1-f197.google.com [209.85.210.197]) by kanga.kvack.org (Postfix) with ESMTP id 41AC76B1E55 for ; Tue, 20 Nov 2018 00:21:59 -0500 (EST) Received: by mail-pf1-f197.google.com with SMTP id i19-v6so690710pfi.21 for ; Mon, 19 Nov 2018 21:21:59 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:dkim-signature:from:to:cc:subject:date :message-id:mime-version:content-transfer-encoding; bh=ZGjhfyB62ZBE0Pl3zrr5IPaSCTrMuQUlFPIG+7VVFnc=; b=cqvKUJL8vARRLtvpVIEsPG7IkAV4IDo7ioxtLuO5ITCtYGJN/uZLOq6yRxLUAQY9YB eP0bB+wYmGyybStzyFvQPgoRZHs8FF20J4TpzmftsRcpE7H4YuOFvb2c0+1RKzqT3Ac7 kcxTaYXKXq0WBgD2zS08dLRvX91pcmGm0jV/CW9YnF0F9Tq8mPc1GyXvk9TKdqvVMQfB /4kWz76xjkKuRkozGx/XsZW2O+Ne31qdQSEh5OLdtjvspde1wCGEjC0KTFfOE+25kewA qwJuuftliWWN1c2mSR9cnlihYGt0GEyn61BKvljR7LyWXhNt2z711sEhs7KtUHENam4R SUjQ== X-Gm-Message-State: AA+aEWY90cZxsSFuABerWamFw7rAIZIJZhYiDmNlJ8jbXl9B7mEi/9Cf Mj903NOXBLmF4SM7O9Zg1cj3yyEDzELXFsdixAUbXoDmSWIAz2rZ9RSBIyO/mAd6yHfZKEu/X8t 3nyt2bmMhbG5UEXFhwkh8sTzKLoMfGEmEOyWLA+BW5P7DEXG7676mepbgYFYCwbtErzPn7A0ivl ILvrzEMd98m2HQ/bNHh0+dikQHKzkP3ThqTQ4RlYJ0ajQe6APJMzaJFpVs42dRBO6y93CuzMpxy tTcL0OQOD0eXqzwDTK6kmQn5uRnsTTN9UUfUm/gDybeYCM1MRidLUucnKnD5RrRTAWteWV3UwtI ullHygTLk4K+EEVz54irWfIoZennuRwCWs/3/F4UDdYUKX9KoTMzi9yhOjSg1eRmdZmhq6tYbfm W X-Received: by 2002:a63:4101:: with SMTP id o1mr607881pga.447.1542691318832; Mon, 19 Nov 2018 21:21:58 -0800 (PST) X-Received: by 2002:a63:4101:: with SMTP id o1mr607839pga.447.1542691317733; Mon, 19 Nov 2018 21:21:57 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1542691317; cv=none; d=google.com; s=arc-20160816; b=kGOH6gywkXfDoO5BTkbUMG5XaYwzALir+vCXIixX9tGMVzBSEXYrjfEOg/12C6YjrC InqEEnuWrogCVeKRQydrm9sa2DfC6LxR2qrByl/JnRNum+aE6ByH9g2y4v4eEuynNiBH 8qIzgVx3KdM6sXt8L9I7dwALh3dg1VyOhvJ9Cg3B20lKEtZ0C7tXBzUgqPeigPqxviSS D3bnLMgkQEuwNX8ukFoN1jbNrg3i/4MPSEqCTVn2mDfchrExF5Fl85QmwZs1wy8+540w FdHCy4v3LVKI7iWEvru0bT1yc/DA/OVdMT/xQtK9mm2UEbI4BYfEpZGhW/LqC/imDc4L buiw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:dkim-signature; bh=ZGjhfyB62ZBE0Pl3zrr5IPaSCTrMuQUlFPIG+7VVFnc=; b=tLodXpAeCNFeT4KGwK+m63rkksU/J6M5nJxb0O/OinhbdtJYcwNWVVlfsWpoZHyEbb 7J+QoXnaXHslRhQQgx7ZQZht7K0hBbgYGItnCZDI+UkiT6s50STENr/45QYhPs4oU2wF hGZoIC5rAQDyhJpWy/GE7txqgmhcc4fJPWLGKG76G7Z20u80UqTr5AwCS4UMNrJPy/Er U9z3jFezc8QEWhQ5Jqc4Xu/8V3OFt5/y0+9FXaJ0s8D8kQxXVmOZZ8w9PhQtqNCQjpSz xzospoHf4rqk5JxeXLRZSZg+TiGSYg81R9aFJOgVzJvpaMzCcRGYFXuVAKwjnzL+fCnV 1LGQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@joelfernandes.org header.s=google header.b=IR2MbOVY; spf=pass (google.com: domain of joel@joelfernandes.org designates 209.85.220.65 as permitted sender) smtp.mailfrom=joel@joelfernandes.org Received: from mail-sor-f65.google.com (mail-sor-f65.google.com. [209.85.220.65]) by mx.google.com with SMTPS id n13sor19641080pfj.12.2018.11.19.21.21.57 for (Google Transport Security); Mon, 19 Nov 2018 21:21:57 -0800 (PST) Received-SPF: pass (google.com: domain of joel@joelfernandes.org designates 209.85.220.65 as permitted sender) client-ip=209.85.220.65; Authentication-Results: mx.google.com; dkim=pass header.i=@joelfernandes.org header.s=google header.b=IR2MbOVY; spf=pass (google.com: domain of joel@joelfernandes.org designates 209.85.220.65 as permitted sender) smtp.mailfrom=joel@joelfernandes.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelfernandes.org; s=google; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=ZGjhfyB62ZBE0Pl3zrr5IPaSCTrMuQUlFPIG+7VVFnc=; b=IR2MbOVYMj3U+8v4jTjEJi0bB/H0X8D1FslRcoRNeZ86p0CTbT3EV1LPoT3oQ/x5o1 K0KN3NwIAjcwlPnNmIoBsk6Bcn1DswvVt75ZYvSgdYIP0jmmaPk8og5MFoPOFnBr3CJB sfs+xdqcSzMOVQ/gXooR1zwPOhb+OjobBu7aI= X-Google-Smtp-Source: AJdET5eZckjl1cfIWi1ApcqBgha7ZlHsRT0nWreuEqc6sUj908rKDkkihjtpOuI7hwV60G5hhk5+FQ== X-Received: by 2002:a62:1912:: with SMTP id 18-v6mr783240pfz.194.1542691317005; Mon, 19 Nov 2018 21:21:57 -0800 (PST) Received: from joelaf.mtv.corp.google.com ([2620:0:1000:1601:3aef:314f:b9ea:889f]) by smtp.gmail.com with ESMTPSA id q199sm34237451pfc.97.2018.11.19.21.21.55 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 19 Nov 2018 21:21:55 -0800 (PST) From: "Joel Fernandes (Google)" To: linux-kernel@vger.kernel.org Cc: "Joel Fernandes (Google)" , Andy Lutomirski , Andrew Morton , Hugh Dickins , Jann Horn , Khalid Aziz , linux-api@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-mm@kvack.org, =?utf-8?q?Marc-Andr?= =?utf-8?q?=C3=A9_Lureau?= , Matthew Wilcox , Mike Kravetz , Shuah Khan , Stephen Rothwell Subject: [PATCH -next 1/2] mm/memfd: make F_SEAL_FUTURE_WRITE seal more robust Date: Mon, 19 Nov 2018 21:21:36 -0800 Message-Id: <20181120052137.74317-1-joel@joelfernandes.org> X-Mailer: git-send-email 2.19.1.1215.g8438c0b245-goog MIME-Version: 1.0 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: X-Virus-Scanned: ClamAV using ClamSMTP A better way to do F_SEAL_FUTURE_WRITE seal was discussed [1] last week where we don't need to modify core VFS structures to get the same behavior of the seal. This solves several side-effects pointed out by Andy [2]. [1] https://lore.kernel.org/lkml/20181111173650.GA256781@google.com/ [2] https://lore.kernel.org/lkml/69CE06CC-E47C-4992-848A-66EB23EE6C74@amacapital.net/ Suggested-by: Andy Lutomirski Fixes: 5e653c2923fd ("mm: Add an F_SEAL_FUTURE_WRITE seal to memfd") Signed-off-by: Joel Fernandes (Google) Signed-off-by: Joel Fernandes (Google) Signed-off-by: Andrew Morton Signed-off-by: Joel Fernandes (Google) --- fs/hugetlbfs/inode.c | 2 +- mm/memfd.c | 19 ------------------- mm/shmem.c | 24 +++++++++++++++++++++--- 3 files changed, 22 insertions(+), 23 deletions(-) diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index 762028994f47..5b54bf893a67 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -558,7 +558,7 @@ static long hugetlbfs_punch_hole(struct inode *inode, loff_t offset, loff_t len) inode_lock(inode); /* protected by i_mutex */ - if (info->seals & F_SEAL_WRITE) { + if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) { inode_unlock(inode); return -EPERM; } diff --git a/mm/memfd.c b/mm/memfd.c index 63fff5e77114..650e65a46b9c 100644 --- a/mm/memfd.c +++ b/mm/memfd.c @@ -201,25 +201,6 @@ static int memfd_add_seals(struct file *file, unsigned int seals) } } - if ((seals & F_SEAL_FUTURE_WRITE) && - !(*file_seals & F_SEAL_FUTURE_WRITE)) { - /* - * The FUTURE_WRITE seal also prevents growing and shrinking - * so we need them to be already set, or requested now. - */ - int test_seals = (seals | *file_seals) & - (F_SEAL_GROW | F_SEAL_SHRINK); - - if (test_seals != (F_SEAL_GROW | F_SEAL_SHRINK)) { - error = -EINVAL; - goto unlock; - } - - spin_lock(&file->f_lock); - file->f_mode &= ~(FMODE_WRITE | FMODE_PWRITE); - spin_unlock(&file->f_lock); - } - *file_seals |= seals; error = 0; diff --git a/mm/shmem.c b/mm/shmem.c index 32eb29bd72c6..cee9878c87f1 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2121,6 +2121,23 @@ int shmem_lock(struct file *file, int lock, struct user_struct *user) static int shmem_mmap(struct file *file, struct vm_area_struct *vma) { + struct shmem_inode_info *info = SHMEM_I(file_inode(file)); + + /* + * New PROT_READ and MAP_SHARED mmaps are not allowed when "future + * write" seal active. + */ + if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE) && + (info->seals & F_SEAL_FUTURE_WRITE)) + return -EPERM; + + /* + * Since the F_SEAL_FUTURE_WRITE seals allow for a MAP_SHARED read-only + * mapping, take care to not allow mprotect to revert protections. + */ + if (info->seals & F_SEAL_FUTURE_WRITE) + vma->vm_flags &= ~(VM_MAYWRITE); + file_accessed(file); vma->vm_ops = &shmem_vm_ops; if (IS_ENABLED(CONFIG_TRANSPARENT_HUGE_PAGECACHE) && @@ -2346,8 +2363,9 @@ shmem_write_begin(struct file *file, struct address_space *mapping, pgoff_t index = pos >> PAGE_SHIFT; /* i_mutex is held by caller */ - if (unlikely(info->seals & (F_SEAL_WRITE | F_SEAL_GROW))) { - if (info->seals & F_SEAL_WRITE) + if (unlikely(info->seals & (F_SEAL_GROW | + F_SEAL_WRITE | F_SEAL_FUTURE_WRITE))) { + if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) return -EPERM; if ((info->seals & F_SEAL_GROW) && pos + len > inode->i_size) return -EPERM; @@ -2610,7 +2628,7 @@ static long shmem_fallocate(struct file *file, int mode, loff_t offset, DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq); /* protected by i_mutex */ - if (info->seals & F_SEAL_WRITE) { + if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) { error = -EPERM; goto out; }