From patchwork Mon Aug 1 21:09:46 2022
X-Patchwork-Submitter: Zach O'Keefe
X-Patchwork-Id: 12934047
Date: Mon, 1 Aug 2022 14:09:46 -0700
Message-Id: <20220801210946.3069083-1-zokeefe@google.com>
Subject: [PATCH mm-unstable] mm/madvise: remove CAP_SYS_ADMIN requirement for process_madvise(MADV_COLLAPSE)
From: "Zach O'Keefe"
To: linux-mm@kvack.org
Cc: Andrew Morton, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, Axel Rasmussen, James Houghton, Hugh Dickins, Yang Shi, Miaohe Lin, David Hildenbrand, David Rientjes, Matthew Wilcox, Michal Hocko, Pasha Tatashin, Peter Xu, Rongwei Wang, SeongJae Park, Song Liu, Vlastimil Babka, Zi Yan, Andrea Arcangeli, Arnd Bergmann, Chris Kennelly, Chris Zankel, Helge Deller, Ivan Kokshaysky, "James E.J. Bottomley", Jens Axboe, "Kirill A. Shutemov", Matt Turner, Max Filippov, Minchan Kim, Patrick Xia, Pavel Begunkov, Thomas Bogendoerfer, "Zach O'Keefe"

process_madvise(MADV_COLLAPSE) currently requires CAP_SYS_ADMIN when not acting on the caller's own mm. This is maximally restrictive, and perpetuates existing issues with CAP_SYS_ADMIN. Remove this requirement.

When acting on an external process' memory, the biggest concerns for process_madvise(MADV_COLLAPSE) are (1) being able to influence process performance by moving memory, possibly between nodes, that is mapped into the address space of external process(es), (2) defeat of address-space-layout randomization, and (3), being able to increase process RSS and memcg usage, possibly causing memcg OOM.

process_madvise(2) already enforces CAP_SYS_NICE and PTRACE_MODE_READ (in PTRACE_MODE_FSCREDS mode). A process with these credentials can already accomplish (1) and (2) via move_pages(MPOL_MF_MOVE_ALL), and (3) via process_madvise(MADV_WILLNEED).

process_madvise(MADV_COLLAPSE) may also circumvent sysfs THP settings. When acting on one's own memory (which is equivalent to madvise(MADV_COLLAPSE)), this is deemed acceptable, since aside from the possibility of hoarding available hugepages (which is currently already possible) no harm to the system can be done. When acting on an external process' memory, circumventing sysfs THP settings should provide no additional threat compared to the ones listed.
As such, imposing additional capabilities (such as CAP_SETUID, as a way to ensure the caller could have just altered the sysfs THP settings themselves) provides no extra protection. Fixes: 7ec952341312 ("mm/madvise: add MADV_COLLAPSE to process_madvise()") Signed-off-by: Zach O'Keefe --- mm/madvise.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/mm/madvise.c b/mm/madvise.c index f9e11b6c9916..af97100a0727 100644 --- a/mm/madvise.c +++ b/mm/madvise.c @@ -1170,16 +1170,14 @@ madvise_behavior_valid(int behavior) } } -static bool -process_madvise_behavior_valid(int behavior, struct task_struct *task) +static bool process_madvise_behavior_valid(int behavior) { switch (behavior) { case MADV_COLD: case MADV_PAGEOUT: case MADV_WILLNEED: - return true; case MADV_COLLAPSE: - return task == current || capable(CAP_SYS_ADMIN); + return true; default: return false; } @@ -1457,7 +1455,7 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec, goto free_iov; } - if (!process_madvise_behavior_valid(behavior, task)) { + if (!process_madvise_behavior_valid(behavior)) { ret = -EINVAL; goto release_task; }
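Review bot: in the first hunk, once `case MADV_COLLAPSE:` joins the `return true` group, process_madvise_behavior_valid() is purely an allow-list, and the only gate on a remote collapse is whatever the syscall body enforces, which the commit message names as CAP_SYS_NICE plus PTRACE_MODE_READ but which is not visible in this diff. Please add a short comment above the function saying that every advice listed here must be safe under exactly those checks, so that a later addition to the switch is reviewed against that bar. The diffstat also shows only mm/madvise.c changing; since this relaxes a userspace-visible permission requirement and linux-api is on Cc, a matching documentation or man-page update should accompany it.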
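Review bot: in the second hunk, the `process_madvise_behavior_valid(behavior)` call still sits on the path that exits through `goto release_task`, although it no longer uses `task`. The check could now run before the task is looked up and fail with -EINVAL without taking the reference; if it is kept here to preserve the current error precedence between a bad pidfd and an unsupported advice, a one-line comment saying so would stop someone hoisting it later.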