References: <20190109022430.GE27534@dastard> <20190109043906.GF27534@dastard> <20190110004424.GH27534@dastard> <20190110070355.GJ27534@dastard> <20190110122442.GA21216@nautica> <20190111020340.GM27534@dastard>
In-Reply-To: <20190111020340.GM27534@dastard>
From: Linus Torvalds
Date: Thu, 10 Jan 2019 18:18:16 -0800
Subject: Re: [PATCH] mm/mincore: allow for making sys_mincore() privileged
To: Dave Chinner
Cc: Dominique Martinet, Jiri Kosina, Matthew Wilcox, Jann Horn, Andrew Morton, Greg KH, Peter Zijlstra, Michal Hocko, Linux-MM, kernel list, Linux API
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jan 10, 2019 at 6:03 PM Dave Chinner wrote:
>
> On Thu, Jan 10, 2019 at 02:11:01PM -0800, Linus Torvalds wrote:
> > And we *can* do sane things about RWF_NOWAIT. For example, we could
> > start async IO on RWF_NOWAIT, and suddenly it would go from "probe the
> > page cache" to "probe and fill", and be much harder to use as an
> > attack vector..
>
> We can only do that if the application submits the read via AIO and
> has an async IO completion reporting mechanism.

Oh, no, you misunderstand.

RWF_NOWAIT has a lot of situations where it will potentially return
early (the DAX and direct IO ones have their own), but I was thinking
of the one in generic_file_buffered_read(), which triggers when you
don't find a page mapping.

That looks like the obvious "probe page cache" case.

But we could literally move that test down just a few lines. Let it
start read-ahead.

.. and then it will actually trigger on the *second* case instead,
where we have

        if (!PageUptodate(page)) {
                if (iocb->ki_flags & IOCB_NOWAIT) {
                        put_page(page);
                        goto would_block;
                }

and that's where RWF_NOWAIT would act. It would still return EAGAIN.
But it would have started filling the page cache.

So now the act of probing would fill the page cache, and the attacker
would be left high and dry - the fact that the page cache now exists
is because of the attack, not because of whatever it was trying to
measure.

See?

But obviously this kind of change only matters if we also have
mincore() not returning the probe data. mincore() obviously can't do
the same kind of read-ahead to defeat things.

                Linus
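As an added example that is not part of Linus's mail or of the kernel source, the following C toy model contrasts the two placements of the IOCB_NOWAIT test described above: with the check before read-ahead a failed probe leaves the page cache exactly as it found it, while with the check moved below read-ahead the same -EAGAIN probe has already started filling the page. The page states, function names and the observer helper are constructed for illustration.

```c
/* Added example (not from the original thread): a userspace toy model of the
 * two IOCB_NOWAIT placements contrasted above. The page-cache states, the
 * function names and the observer helper are constructed; none is kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum page_state { ABSENT = 0, FILLING, UPTODATE };
#define NPAGES 8
static enum page_state cache[NPAGES];

/* Toy sync read-ahead: allocate the page and start I/O; it is not uptodate yet. */
static void start_readahead(int idx) { if (cache[idx] == ABSENT) cache[idx] = FILLING; }
/* Toy I/O completion, so that a later read can succeed. */
static void complete_readahead(int idx) { if (cache[idx] == FILLING) cache[idx] = UPTODATE; }

/* Current placement: the NOWAIT test sits on "no page mapping", before read-ahead,
 * so an -EAGAIN probe leaves the cache exactly as it found it. */
static int read_nowait_probe_only(int idx) {
    if (cache[idx] == ABSENT) return -EAGAIN;      /* probe: page absent, bail out */
    if (cache[idx] != UPTODATE) return -EAGAIN;    /* !PageUptodate(page) */
    return 0;
}

/* Proposed placement: read-ahead starts first and the NOWAIT test only fires on
 * !PageUptodate, so the probe still gets -EAGAIN but has begun filling the page. */
static int read_nowait_probe_and_fill(int idx) {
    start_readahead(idx);
    if (cache[idx] != UPTODATE) return -EAGAIN;    /* !PageUptodate + IOCB_NOWAIT */
    return 0;
}

/* Does probing an absent page change the state a cache-residency check
 * (e.g. mincore) would see afterwards? Resets the toy cache first. */
static bool probe_perturbs(int (*read)(int), int idx) {
    memset(cache, 0, sizeof cache);
    int rc = read(idx);
    return rc == -EAGAIN && cache[idx] != ABSENT;
}

int main(void) {
    printf("probe-only perturbs cache: %d\n", probe_perturbs(read_nowait_probe_only, 3));
    printf("probe-and-fill perturbs cache: %d\n", probe_perturbs(read_nowait_probe_and_fill, 3));
    complete_readahead(3);
    printf("after completion, read returns %d\n", read_nowait_probe_and_fill(3));
    return 0;
}
```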