Date: Wed, 22 Apr 2020 17:26:30 -0700
Message-Id: <20200423002632.224776-1-dancol@google.com>
Subject: [PATCH 0/2] Control over userfaultfd kernel-fault handling
From: Daniel Colascione
To: Jonathan Corbet, Alexander Viro, Luis Chamberlain, Kees Cook, Iurii Zaikin, Mauro Carvalho Chehab, Andrew Morton, Andy Shevchenko, Vlastimil Babka, Mel Gorman, Sebastian Andrzej Siewior, Peter Xu, Daniel Colascione, Andrea Arcangeli, Mike Rapoport, Jerome Glisse, Shaohua Li, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, timmurray@google.com, minchan@google.com, sspatil@google.com, lokeshgidra@google.com
X-Mailing-List: linux-kernel@vger.kernel.org

This small patch series adds a new flag to userfaultfd(2) that allows callers to give up the ability to handle user-mode faults with the resulting UFFD file object. It then adds a new sysctl to require unprivileged callers to use this new flag.

The purpose of this new interface is to decrease the chance of an unprivileged userfaultfd user taking advantage of userfaultfd to enhance security vulnerabilities by lengthening the race window in kernel code.

This patch series is split from [1].

[1] https://lore.kernel.org/lkml/20200211225547.235083-1-dancol@google.com/

Daniel Colascione (2):
  Add UFFD_USER_MODE_ONLY
  Add a new sysctl knob: unprivileged_userfaultfd_user_mode_only

 Documentation/admin-guide/sysctl/vm.rst | 13 +++++++++++++
 fs/userfaultfd.c                        | 18 ++++++++++++++++--
 include/linux/userfaultfd_k.h           |  1 +
 include/uapi/linux/userfaultfd.h        |  9 +++++++++
 kernel/sysctl.c                         |  9 +++++++++
 5 files changed, 48 insertions(+), 2 deletions(-)

-- 
2.26.2.303.gf8c07b1a785-goog
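
An added example, not part of the original message or the patch series: a C helper that requests a userfaultfd with the UFFD_USER_MODE_ONLY flag this series introduces and classifies the failure when the kernel refuses. The numeric fallback for the flag (1, as in the mainline uapi header) and the helper names open_uffd, open_restricted_uffd and describe are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/userfaultfd.h>
#ifndef UFFD_USER_MODE_ONLY
#define UFFD_USER_MODE_ONLY 1 /* assumption: value in the mainline uapi header */
#endif

/* Hypothetical helper: create a userfaultfd, do the UFFDIO_API handshake; fd or -errno. */
int open_uffd(int extra_flags)
{
    struct uffdio_api api = { .api = UFFD_API, .features = 0 };
    int fd = (int)syscall(SYS_userfaultfd, O_CLOEXEC | O_NONBLOCK | extra_flags);
    if (fd < 0)
        return -errno;
    if (ioctl(fd, UFFDIO_API, &api) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

/* No retry without the flag: a refusal must surface to the caller. */
int open_restricted_uffd(void) { return open_uffd(UFFD_USER_MODE_ONLY); }

/* Map the result to a message an operator can act on. */
const char *describe(int rc)
{
    if (rc >= 0) return "ok";
    switch (-rc) {
    case EINVAL: return "kernel rejected the flags (UFFD_USER_MODE_ONLY not supported)";
    case EPERM:  return "denied by policy (sysctl, seccomp or LSM)";
    case ENOSYS: return "userfaultfd is not available";
    default:     return strerror(-rc);
    }
}

int main(void)
{
    int rc = open_restricted_uffd();
    printf("UFFD_USER_MODE_ONLY: %s\n", describe(rc));
    if (rc >= 0) close(rc);
    return 0;
}
```
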