Received: by 2002:a05:7412:d8a:b0:e2:908c:2ebd with SMTP id b10csp689630rdg; Wed, 11 Oct 2023 02:46:53 -0700 (PDT) X-Google-Smtp-Source: AGHT+IFUcxlPcZ4qSJr4Uh5vH++QvqUPJz2y2WM1TsXSE1oqkcFg4qP6DrlKvMKcegQuM1Wvmdw9 X-Received: by 2002:a05:6870:c692:b0:1d6:4ade:1170 with SMTP id cv18-20020a056870c69200b001d64ade1170mr22758011oab.59.1697017612874; Wed, 11 Oct 2023 02:46:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1697017612; cv=none; d=google.com; s=arc-20160816; b=jYxkENgdPx+vqc+1D6I3XG6E7qLfUuXDJngL2os03rzpZy2a2WDXO55/PYpQ/aMuXz 81ogLDsNcp8BhISQnfSTABZM6MNOTTv3u6KziKkiapz7NDgvDPEbP9pFApm4AIEKFLf/ YY3Qam1QAn707gpd8DrXicf59wvzFqQlh/Gv3vWCCA0fKdng9lkr0BqO9u0v1ZmuAC1C UlH/A6dgr/X0kxb8OYKuTV84BZehivGpCvokw+5NOWVng102f+hiaSyiLR9Mt63y18gp D6RM5UmqvIraTQAo9FZ2If1cVve+3Var3a1FAAinZENyPSRTuv9PCWRtoUK0RUz3BAjO 92CA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature :dkim-signature; bh=soXVte2VbxPbbCiLRCQN5td7yB/rAeQqYWLQLBxTIFU=; fh=iP9c+pkoT24Gd4H8x/60K9qv6D+xJDeXR1RjrziWPvI=; b=Cs56poZHhbmZH35QUMIigVksDazylpntWpzNgOkgOx3u6pbLihiDG5Y44KpWaAXq1I hFmROLnNJY3AbJMv2aRkw5mwGCkE00DZTN9oZlVVN0x4hTQW1Hiq/+YupsuUwtx1F6n1 9J6I9R7MU/nmEsIgExyzAUqbSGEN6OjR/dbUvQ0qEX0JNji2tKi00IZL8bCQDmNjplNf 7GYZ8tOzWCMUXEUFSJJUzvcua7PRCUfoOebGPo2/aPg8ZjJfhQCa65yDhc1J8UzKvEE1 4qVL8sBgU+RJTBsGhHFk5VN55BYjALZFuNPAhlviW3tb7kVc0U9EwLluCSPIEwELLpPv 2ptQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=MINSzmiM; dkim=neutral (no key) header.i=@suse.cz header.s=susede2_ed25519 header.b=PuflIjs6; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from fry.vger.email (fry.vger.email. [2620:137:e000::3:8]) by mx.google.com with ESMTPS id r199-20020a632bd0000000b00578d7a3a4fdsi14170326pgr.563.2023.10.11.02.46.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 11 Oct 2023 02:46:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) client-ip=2620:137:e000::3:8; Authentication-Results: mx.google.com; dkim=pass header.i=@suse.cz header.s=susede2_rsa header.b=MINSzmiM; dkim=neutral (no key) header.i=@suse.cz header.s=susede2_ed25519 header.b=PuflIjs6; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by fry.vger.email (Postfix) with ESMTP id A33D9808BD21; Wed, 11 Oct 2023 02:46:49 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at fry.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231346AbjJKJqd (ORCPT + 99 others); Wed, 11 Oct 2023 05:46:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45704 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231196AbjJKJqc (ORCPT ); Wed, 11 Oct 2023 05:46:32 -0400 Received: from smtp-out1.suse.de (smtp-out1.suse.de [IPv6:2001:67c:2178:6::1c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 99C2E92; Wed, 11 Oct 2023 02:46:29 -0700 (PDT) Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by smtp-out1.suse.de (Postfix) with ESMTPS id 4CBEE21846; Wed, 11 Oct 2023 09:46:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_rsa; t=1697017588; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=soXVte2VbxPbbCiLRCQN5td7yB/rAeQqYWLQLBxTIFU=; b=MINSzmiMBqPcCbrrb5vPVjQ4FAleRRJnE1hYr+yINv0F92u7+T9emi+0wjSB8uUZUd69D0 zh4gFBG77P84Bzd6iajzSLr+gqwv8cUjeCNuBJedY1ICnaMghUIWuVEjc4F1Obrx6fG7bM fXwXQ2CAmNnHT3yKSi8LykyvJd3qaN0= DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.cz; s=susede2_ed25519; t=1697017588; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc: mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=soXVte2VbxPbbCiLRCQN5td7yB/rAeQqYWLQLBxTIFU=; b=PuflIjs6dBQNsSmZ34SZrkDPJN2uCfXBS9AiB4CipN0nI/vA5+5fZYmJ2XDxUn5d3P7yKC 9X6t0U2qgkZGmDCg== Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de [192.168.254.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-521) server-digest SHA512) (No client certificate requested) by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 3EDD6134F5; Wed, 11 Oct 2023 09:46:28 +0000 (UTC) Received: from dovecot-director2.suse.de ([192.168.254.65]) by imap2.suse-dmz.suse.de with ESMTPSA id 5E5TD/RuJmWnSwAAMHmgww (envelope-from ); Wed, 11 Oct 2023 09:46:28 +0000 Received: by quack3.suse.cz (Postfix, from userid 1000) id C200BA05BC; Wed, 11 Oct 2023 11:46:27 +0200 (CEST) Date: Wed, 11 Oct 2023 11:46:27 +0200 From: Jan Kara To: Lorenzo Stoakes Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Andrew Morton , Mike Kravetz , Muchun Song , Alexander Viro , Christian Brauner , Matthew Wilcox , Hugh Dickins , Andy Lutomirski , Jan Kara , linux-fsdevel@vger.kernel.org, bpf@vger.kernel.org Subject: Re: [PATCH v3 3/3] mm: enforce the mapping_map_writable() check after call_mmap() Message-ID: <20231011094627.3xohlpe4gm2idszm@quack3> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=2.7 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, RCVD_IN_SBL_CSS,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Wed, 11 Oct 2023 02:46:50 -0700 (PDT) X-Spam-Level: ** On Sat 07-10-23 21:51:01, Lorenzo Stoakes wrote: > In order for an F_SEAL_WRITE sealed memfd mapping to have an opportunity to > clear VM_MAYWRITE in seal_check_write() we must be able to invoke either > the shmem_mmap() or hugetlbfs_file_mmap() f_ops->mmap() handler to do so. > > We would otherwise fail the mapping_map_writable() check before we had > the opportunity to clear VM_MAYWRITE. > > However, the existing logic in mmap_region() performs this check BEFORE > calling call_mmap() (which invokes file->f_ops->mmap()). We must enforce > this check AFTER the function call. > > In order to avoid any risk of breaking call_mmap() handlers which assume > this will have been done first, we continue to mark the file writable > first, simply deferring enforcement of it failing until afterwards. > > This enables mmap(..., PROT_READ, MAP_SHARED, fd, 0) mappings for memfd's > sealed via F_SEAL_WRITE to succeed, whereas previously they were not > permitted. > > Link: https://bugzilla.kernel.org/show_bug.cgi?id=217238 > Signed-off-by: Lorenzo Stoakes ... > diff --git a/mm/mmap.c b/mm/mmap.c > index 6f6856b3267a..9fbee92aaaee 100644 > --- a/mm/mmap.c > +++ b/mm/mmap.c > @@ -2767,17 +2767,25 @@ unsigned long mmap_region(struct file *file, unsigned long addr, > vma->vm_pgoff = pgoff; > > if (file) { > - if (is_shared_maywrite(vm_flags)) { > - error = mapping_map_writable(file->f_mapping); > - if (error) > - goto free_vma; > - } > + int writable_error = 0; > + > + if (vma_is_shared_maywrite(vma)) > + writable_error = mapping_map_writable(file->f_mapping); > > vma->vm_file = get_file(file); > error = call_mmap(file, vma); > if (error) > goto unmap_and_free_vma; > > + /* > + * call_mmap() may have changed VMA flags, so retry this check > + * if it failed before. > + */ > + if (writable_error && vma_is_shared_maywrite(vma)) { > + error = writable_error; > + goto close_and_free_vma; > + } Hum, this doesn't quite give me a peace of mind ;). One bug I can see is that if call_mmap() drops the VM_MAYWRITE flag, we seem to forget to drop i_mmap_writeable counter here? I've checked why your v2 version broke i915 and I think the reason maybe has nothing to do with i915. Just in case call_mmap() failed, it ended up jumping to unmap_and_free_vma which calls mapping_unmap_writable() but we didn't call mapping_map_writable() yet so the counter became imbalanced. So I'd be for returning to v2 version, just fix up the error handling paths... Honza > + > /* > * Expansion is handled above, merging is handled below. > * Drivers should not alter the address of the VMA. > -- > 2.42.0 > -- Jan Kara SUSE Labs, CR