Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
MIME-Version: 1.0
References: <CABi2SkWx_BnEHzGqqqbDMJi+vi-5a7XkQUCkyesN5PUtk23SgQ@mail.gmail.com>
 <CABi2SkXw6ZD-M1ZrcXNL7abtM=RzQXv716PPM_k=1Tay=5rUFA@mail.gmail.com>
 <ZIjOlU5EfVNt6NRU@x1n> <CABi2SkXE4pUhHucZ_c-_4Ux-VcLKic0+HY_DN2wUEC6DGkDvQQ@mail.gmail.com>
 <20230614011814.sz2l6z6wbaubabk2@revolver> <20230614125731.GY52412@kernel.org>
In-Reply-To: <20230614125731.GY52412@kernel.org>
From:   Jeff Xu <jeffxu@chromium.org>
Date:   Tue, 20 Jun 2023 15:29:34 -0700
Message-ID: <CABi2SkXySaoRxB0dfhhTQz6P5jCL8iWpY_ti=LC7Qi49+2F01w@mail.gmail.com>
Subject: Re: inconsistence in mprotect_fixup mlock_fixup madvise_update_vma
To:     Mike Rapoport <rppt@kernel.org>
Cc:     "Liam R. Howlett" <Liam.Howlett@oracle.com>,
        Peter Xu <peterx@redhat.com>, linux-mm@kvack.org,
        linux-hardening@vger.kernel.org, zhangpeng.00@bytedance.com,
        akpm@linux-foundation.org, koct9i@gmail.com, david@redhat.com,
        ak@linux.intel.com, hughd@google.com, emunson@akamai.com,
        rppt@linux.ibm.com, aarcange@redhat.com,
        linux-kernel@vger.kernel.org, Lorenzo Stoakes <lstoakes@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Precedence: bulk

On Wed, Jun 14, 2023 at 5:58=E2=80=AFAM Mike Rapoport <rppt@kernel.org> wro=
te:
>
> On Tue, Jun 13, 2023 at 09:18:14PM -0400, Liam R. Howlett wrote:
> > * Jeff Xu <jeffxu@chromium.org> [230613 17:29]:
> > > Hello Peter,
> > >
> > > Thanks for responding.
> > >
> > > On Tue, Jun 13, 2023 at 1:16=E2=80=AFPM Peter Xu <peterx@redhat.com> =
wrote:
> > > >
> > > > Hi, Jeff,
> > > >
> > > > On Tue, Jun 13, 2023 at 08:26:26AM -0700, Jeff Xu wrote:
> > > > > + more ppl to the list.
> > > > >
> > > > > On Mon, Jun 12, 2023 at 6:04=E2=80=AFPM Jeff Xu <jeffxu@chromium.=
org> wrote:
> > > > > >
> > > > > > Hello,
> > > > > >
> > > > > > There seems to be inconsistency in different VMA fixup
> > > > > > implementations, for example:
> > > > > > mlock_fixup will skip VMA that is hugettlb, etc, but those chec=
ks do
> > > > > > not exist in mprotect_fixup and madvise_update_vma. Wouldn't th=
is be a
> > > > > > problem? the merge/split skipped by mlock_fixup, might get acte=
d on in
> > > > > > the madvice/mprotect case.
> > > > > >
> > > > > > mlock_fixup currently check for
> > > > > > if (newflags =3D=3D oldflags ||
> >
> > newflags =3D=3D oldflags, then we don't need to do anything here, it's
> > already at the desired mlock.  mprotect does this, madvise does this..
> > probably.. it's ugly.
> >
> > > > > > (oldflags & VM_SPECIAL) ||
> >
> > It's special, merging will fail always.  I don't know about splitting,
> > but I guess we don't want to alter the mlock state on special mappings.
> >
> > > > > > is_vm_hugetlb_page(vma) || vma =3D=3D get_gate_vma(current->mm)=
 ||
> > > > > > vma_is_dax(vma) || vma_is_secretmem(vma))
> > > >
> > > > The special handling you mentioned in mlock_fixup mostly makes sens=
e to me.
> > > >
> > > > E.g., I think we can just ignore mlock a hugetlb page if it won't b=
e
> > > > swapped anyway.
> > > >
> > > > Do you encounter any issue with above?
> > > >
> > > > > > Should there be a common function to handle VMA merge/split ?
> > > >
> > > > IMHO vma_merge() and split_vma() are the "common functions".  Copy =
Lorenzo
> > > > as I think he has plan to look into the interface to make it even e=
asier to
> > > > use.
> > > >
> > > The mprotect_fixup doesn't have the same check as mlock_fixup. When
> > > userspace calls mlock(), two VMAs might not merge or split because of
> > > vma_is_secretmem check, However, when user space calls mprotect() wit=
h
> > > the same address range, it will merge/split.  If mlock() is doing the
> > > right thing to merge/split the VMAs, then mprotect() is not ?
> >
> > It looks like secretmem is mlock'ed to begin with so they don't want it
> > to be touched.  So, I think they will be treated differently and I thin=
k
> > it is correct.
>
> Right, they don't :)
>
> secretmem VMAs are always mlocked, they cannot be munlocked and there is =
no
> point trying to mlock them again.
>
> The mprotect for secretmem is Ok though, so e.g. if we (unlikely) have tw=
o
> adjacent secretmem VMAs in a range passed to mprotect, it's fine to merge
> them.
>

I m thinking/brainstorming below, assuming:
Address range 1: 0x5000 to 0x6000 (regular mmap)
Address range 2: 0x6000 to 0x7000 (allocated to secretmem)
Address range 3: 0x7000 to 0x8000 (regular mmap)

User space call: mlock(0x5000,0x3000)
range 1 and 2 won't merge.
range 2 and 3  could merge, when mlock_fixup  checks current vma
(range 3), it is not secretmem, so it will merge with prev vma.

user space call: mprotect(0x5000,0x3000)
range 1 2 3 could merge,  all three can have the same flags.
Note: vma_is_secretmem() isn't checked in mprotect_fixup, same for
vma_is_dax and get_gate_vma, those doesn't have included in
vma->vm_flags

Once 1 and 2 are merged, maybe user space is able to use
munlock(0x5000,0x3000)
to unlock range 1 to 3, this will include 2, right ? (haven't used the
code to prove it)

I'm using secretmem as an example here, having 3 different _fixup
implementations seems to be error prone to me.

Thanks
-Jeff


> > Although, it would have been nice to have the comment above the functio=
n
> > kept up to date on why certain VMAs are filtered out.
> >
> > >
> > > Also skipping merge of VMA might be OK, but skipping split doesn't,
> > > wouldn't that cause inconsistent between vma->vm_flags and what is
> > > provisioned in the page ?
> >
> > I don't quite follow what you mean.  It seems like the mlock_fixup() is
> > skipped when we don't want the flag to be altered on a particular VMA.
> > Where do they get out of sync?
> >
> >
>
> --
> Sincerely yours,
> Mike.