diff mbox series

[12/54] PM: hibernate: disable when there are active secretmem users

Message ID 20210708010807.hHILhs811%akpm@linux-foundation.org (mailing list archive)
State New
Headers show
Series [01/54] lib/test: fix spelling mistakes | expand

Commit Message

Andrew Morton July 8, 2021, 1:08 a.m. UTC 
From: Mike Rapoport <rppt@linux.ibm.com>
Subject: PM: hibernate: disable when there are active secretmem users

It is unsafe to allow saving of secretmem areas to the hibernation
snapshot as they would be visible after the resume and this essentially
will defeat the purpose of secret memory mappings.

Prevent hibernation whenever there are active secret memory users.

Link: https://lkml.kernel.org/r/20210518072034.31572-6-rppt@kernel.org
Signed-off-by: Mike Rapoport <rppt@linux.ibm.com>
Acked-by: David Hildenbrand <david@redhat.com>
Acked-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Christopher Lameter <cl@linux.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Elena Reshetova <elena.reshetova@intel.com>
Cc: Hagen Paul Pfeifer <hagen@jauu.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Cc: "Kirill A. Shutemov" <kirill@shutemov.name>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Palmer Dabbelt <palmer@dabbelt.com>
Cc: Palmer Dabbelt <palmerdabbelt@google.com>
Cc: Paul Walmsley <paul.walmsley@sifive.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rick Edgecombe <rick.p.edgecombe@intel.com>
Cc: Roman Gushchin <guro@fb.com>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Tycho Andersen <tycho@tycho.ws>
Cc: Will Deacon <will@kernel.org>
Cc: kernel test robot <lkp@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 include/linux/secretmem.h |    6 ++++++
 kernel/power/hibernate.c  |    5 ++++-
 mm/secretmem.c            |   15 +++++++++++++++
 3 files changed, 25 insertions(+), 1 deletion(-)

Comments

Linus Torvalds July 8, 2021, 3:15 a.m. UTC | #1 
On Wed, Jul 7, 2021 at 6:08 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>
> Prevent hibernation whenever there are active secret memory users.

So now anybody can not only use up all memory resources with these
fake mlock regions, they can also force laptops to run out of battery
and crash.

Again, maybe I'm missing something, but I didn't see any capability
checks or anything at all to limit this once it is enabled.

                    Linus
Mike Rapoport July 8, 2021, 5:30 a.m. UTC | #2 
On Wed, Jul 07, 2021 at 08:15:53PM -0700, Linus Torvalds wrote:
> On Wed, Jul 7, 2021 at 6:08 PM Andrew Morton <akpm@linux-foundation.org> wrote:
> >
> > Prevent hibernation whenever there are active secret memory users.
> 
> So now anybody can not only use up all memory resources with these
> fake mlock regions, they can also force laptops to run out of battery
> and crash.

Again, this feature should be explicitly enabled on the command line, so
people that prefer hibernation to suspend-to-ram won't enable secretmem.
diff mbox series

Patch

--- a/include/linux/secretmem.h~pm-hibernate-disable-when-there-are-active-secretmem-users
+++ a/include/linux/secretmem.h
@@ -30,6 +30,7 @@  static inline bool page_is_secretmem(str
 }
 
 bool vma_is_secretmem(struct vm_area_struct *vma);
+bool secretmem_active(void);
 
 #else
 
@@ -42,6 +43,11 @@  static inline bool page_is_secretmem(str
 {
 	return false;
 }
+
+static inline bool secretmem_active(void)
+{
+	return false;
+}
 
 #endif /* CONFIG_SECRETMEM */
 
--- a/kernel/power/hibernate.c~pm-hibernate-disable-when-there-are-active-secretmem-users
+++ a/kernel/power/hibernate.c
@@ -31,6 +31,7 @@ 
 #include <linux/genhd.h>
 #include <linux/ktime.h>
 #include <linux/security.h>
+#include <linux/secretmem.h>
 #include <trace/events/power.h>
 
 #include "power.h"
@@ -81,7 +82,9 @@  void hibernate_release(void)
 
 bool hibernation_available(void)
 {
-	return nohibernate == 0 && !security_locked_down(LOCKDOWN_HIBERNATION);
+	return nohibernate == 0 &&
+		!security_locked_down(LOCKDOWN_HIBERNATION) &&
+		!secretmem_active();
 }
 
 /**
--- a/mm/secretmem.c~pm-hibernate-disable-when-there-are-active-secretmem-users
+++ a/mm/secretmem.c
@@ -40,6 +40,13 @@  module_param_named(enable, secretmem_ena
 MODULE_PARM_DESC(secretmem_enable,
 		 "Enable secretmem and memfd_secret(2) system call");
 
+static atomic_t secretmem_users;
+
+bool secretmem_active(void)
+{
+	return !!atomic_read(&secretmem_users);
+}
+
 static vm_fault_t secretmem_fault(struct vm_fault *vmf)
 {
 	struct address_space *mapping = vmf->vma->vm_file->f_mapping;
@@ -94,6 +101,12 @@  static const struct vm_operations_struct
 	.fault = secretmem_fault,
 };
 
+static int secretmem_release(struct inode *inode, struct file *file)
+{
+	atomic_dec(&secretmem_users);
+	return 0;
+}
+
 static int secretmem_mmap(struct file *file, struct vm_area_struct *vma)
 {
 	unsigned long len = vma->vm_end - vma->vm_start;
@@ -116,6 +129,7 @@  bool vma_is_secretmem(struct vm_area_str
 }
 
 static const struct file_operations secretmem_fops = {
+	.release	= secretmem_release,
 	.mmap		= secretmem_mmap,
 };
 
@@ -202,6 +216,7 @@  SYSCALL_DEFINE1(memfd_secret, unsigned i
 	file->f_flags |= O_LARGEFILE;
 
 	fd_install(fd, file);
+	atomic_inc(&secretmem_users);
 	return fd;
 
 err_put_fd: