From patchwork Tue Oct 1 08:00:41 2024
X-Patchwork-Submitter: Patrick Roy
X-Patchwork-Id: 13817620
From: Patrick Roy
Subject: [PATCH] secretmem: disable memfd_secret() if arch cannot set direct map
Date: Tue, 1 Oct 2024 09:00:41 +0100
Message-ID: <20241001080056.784735-1-roypat@amazon.co.uk>
Sender: owner-linux-mm@kvack.org

Return -ENOSYS from memfd_secret() syscall if !can_set_direct_map(). This is the case for example on some arm64 configurations, where marking 4k PTEs in the direct map not present can only be done if the direct map is set up at 4k granularity in the first place (as ARM's break-before-make semantics do not easily allow breaking apart large/gigantic pages).

More precisely, on arm64 systems with !can_set_direct_map(), set_direct_map_invalid_noflush() is a no-op, however it returns success (0) instead of an error. This means that memfd_secret will seemingly "work" (e.g. syscall succeeds, you can mmap the fd and fault in pages), but it does not actually achieve its goal of removing its memory from the direct map.

Note that with this patch, memfd_secret() will start erroring on systems where can_set_direct_map() returns false (arm64 with CONFIG_RODATA_FULL_DEFAULT_ENABLED=n, CONFIG_DEBUG_PAGEALLOC=n and CONFIG_KFENCE=n), but that still seems better than the current silent failure. Since CONFIG_RODATA_FULL_DEFAULT_ENABLED defaults to 'y', most arm64 systems actually have a working memfd_secret() and aren't affected.

From going through the iterations of the original memfd_secret patch series, it seems that disabling the syscall in these scenarios was the intended behavior [1] (preferred over having set_direct_map_invalid_noflush return an error as that would result in SIGBUSes at page-fault time), however the check for it got dropped between v16 [2] and v17 [3], when secretmem moved away from CMA allocations. [1]: https://lore.kernel.org/lkml/20201124164930.GK8537@kernel.org/ [2]: https://lore.kernel.org/lkml/20210121122723.3446-11-rppt@kernel.org/#t [3]: https://lore.kernel.org/lkml/20201125092208.12544-10-rppt@kernel.org/ Fixes: 1507f51255c9 ("mm: introduce memfd_secret system call to create "secret" memory areas") Signed-off-by: Patrick Roy Reviewed-by: Mike Rapoport (Microsoft) --- mm/secretmem.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) base-commit: abf2050f51fdca0fd146388f83cddd95a57a008d diff --git a/mm/secretmem.c b/mm/secretmem.c index 3afb5ad701e14..399552814fd0f 100644 --- a/mm/secretmem.c +++ b/mm/secretmem.c @@ -238,7 +238,7 @@ SYSCALL_DEFINE1(memfd_secret, unsigned int, flags) /* make sure local flags do not confict with global fcntl.h */ BUILD_BUG_ON(SECRETMEM_FLAGS_MASK & O_CLOEXEC); - if (!secretmem_enable) + if (!secretmem_enable || !can_set_direct_map()) return -ENOSYS; if (flags & ~(SECRETMEM_FLAGS_MASK | O_CLOEXEC)) @@ -280,7 +280,7 @@ static struct file_system_type secretmem_fs = { static int __init secretmem_init(void) { - if (!secretmem_enable) + if (!secretmem_enable || !can_set_direct_map()) return 0; secretmem_mnt = kern_mount(&secretmem_fs);
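Review bot: In the memfd_secret() hunk, the combined check `if (!secretmem_enable || !can_set_direct_map())` returns the same -ENOSYS for two unrelated causes, so neither userspace nor a later reader of the code can tell "secretmem disabled" apart from "this architecture configuration cannot remove pages from the direct map". A short comment above the check stating that set_direct_map_invalid_noflush() can report success without doing anything when can_set_direct_map() is false would record why the second condition is there, and the documentation of ENOSYS for memfd_secret() should mention this case so callers know that the error means no direct-map protection is available.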
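Review bot: In the secretmem_init() hunk, the condition `!secretmem_enable || !can_set_direct_map()` is written out a second time, and the early `return 0` skips `kern_mount(&secretmem_fs)`, so the init gate and the syscall gate have to stay identical or the syscall could proceed with secretmem_mnt never set up. Consider a small static helper (a hypothetical secretmem_supported(), for instance) called from both places so the two checks cannot drift apart. The early return is also silent; a one-line pr_info saying that secretmem is disabled because the direct map cannot be modified would let an administrator on the arm64 configurations named in the commit message see why memfd_secret() returns -ENOSYS.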