Received: by 10.223.164.202 with SMTP id h10csp288875wrb;
        Mon, 6 Nov 2017 06:41:39 -0800 (PST)
X-Google-Smtp-Source: ABhQp+Qhse8faZnUV4q8rqiGmCZNjHDz5LRVZbZU3PPSXnrv58nViNfbl0zUt6cZJD+8VyDqeMcy
X-Received: by 10.84.240.12 with SMTP id y12mr14868924plk.249.1509979299542;
        Mon, 06 Nov 2017 06:41:39 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1509979299; cv=none;
        d=google.com; s=arc-20160816;
        b=Z+k4R1d5NVSVzRu8nZymV4peW2Nyd4a4QMxNlQbAO7yeknpXUJ/KfZHnPbKsXcKXEY
         gmx56RSOCOR3DNjVJVmsf6xulEce7gGo0yDckRLcK700Nk4EhUS/hPBgrSpJBML1iLMK
         g1N8Wcg8pUkcflfTZ7zphOA3OjoW6la0hJOj5sDoD10NKzR7/+XA+q2WpKx3Ir3nU1W3
         1kwB22URcHkTHe9jRR2k1I/b60DCqQ6kQpilozQR5S8oQL29k6ju//+3ofqYBSGiD+k5
         UrXXxliF5FVrVRYs8bzfBDNbTsATxCjI2f9cvffpAdZlu09MggfPmwo8O4hLrRCzPqeQ
         rB+Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dmarc-filter:arc-authentication-results;
        bh=4iBRRRdAJa2PciQBXN+xK2jwO0qctEfQo1d2MUziiSY=;
        b=f+AKj6TpocVOJSi/GQxShhLVPJv8UpG1kmD5K0PBX+sMLXimBAsvvbvoNVKLWIvhHG
         pS5S2jf9GzkQKjwd+z2kQduLsqwR29mqLa7/qfw+ohjo1kL/lKRfWuGhlp6QNoyveDJX
         o80PjxLP6cctvbCvBu95LyGvADNjcOVmxrOoeXsAUcqp3AC2flODAK7Mf0+8H9IFxevz
         oZd6sDYR9mdHEEAq/PM7wyP9/Buulq7pk/f7QbjWYjrSN17LKYyamRv4GPhbJAD/TBIn
         WEKrAbQDXHeUoxjAZOJ/YW/Qr+khaj8il2wkjy9lJ+RMk9XmJZiqu9QXTc9mOQYTR2Bo
         nnnw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v187si11214090pgb.474.2017.11.06.06.41.25;
        Mon, 06 Nov 2017 06:41:39 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753653AbdKFOkQ (ORCPT <rfc822;tuxbino@gmail.com> + 97 others);
        Mon, 6 Nov 2017 09:40:16 -0500
Received: from mx1.redhat.com ([209.132.183.28]:52124 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1753625AbdKFOkL (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 6 Nov 2017 09:40:11 -0500
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id 09B8BC058ECA;
        Mon,  6 Nov 2017 14:40:11 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 09B8BC058ECA
Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx08.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=marcandre.lureau@redhat.com
Received: from localhost (ovpn-112-67.ams2.redhat.com [10.36.112.67])
        by smtp.corp.redhat.com (Postfix) with ESMTP id 88BB060C95;
        Mon,  6 Nov 2017 14:40:04 +0000 (UTC)
From:   =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
To:     linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc:     aarcange@redhat.com, hughd@google.com, nyc@holomorphy.com,
        mike.kravetz@oracle.com,
        =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Subject: [PATCH v2 4/9] hugetlbfs: implement memfd sealing
Date:   Mon,  6 Nov 2017 15:39:39 +0100
Message-Id: <20171106143944.13821-5-marcandre.lureau@redhat.com>
In-Reply-To: <20171106143944.13821-1-marcandre.lureau@redhat.com>
References: <20171106143944.13821-1-marcandre.lureau@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Mon, 06 Nov 2017 14:40:11 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Implements memfd sealing, similar to shmem:
- WRITE: deny fallocate(PUNCH_HOLE). mmap() write is denied in
  memfd_add_seals(). write() doesn't exist for hugetlbfs.
- SHRINK: added similar check as shmem_setattr()
- GROW: added similar check as shmem_setattr() & shmem_fallocate()

Except write() operation that doesn't exist with hugetlbfs, that
should make sealing as close as it can be to shmem support.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
---
 fs/hugetlbfs/inode.c    | 29 +++++++++++++++++++++++++++--
 include/linux/hugetlb.h |  1 +
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index f57aab929e41..01f5aa6ea57a 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -510,8 +510,16 @@ static long hugetlbfs_punch_hole(struct inode *inode, loff_t offset, loff_t len)
 
 	if (hole_end > hole_start) {
 		struct address_space *mapping = inode->i_mapping;
+		struct hugetlbfs_inode_info *info = HUGETLBFS_I(inode);
 
 		inode_lock(inode);
+
+		/* protected by i_mutex */
+		if (info->seals & F_SEAL_WRITE) {
+			inode_unlock(inode);
+			return -EPERM;
+		}
+
 		i_mmap_lock_write(mapping);
 		if (!RB_EMPTY_ROOT(&mapping->i_mmap.rb_root))
 			hugetlb_vmdelete_list(&mapping->i_mmap,
@@ -529,6 +537,7 @@ static long hugetlbfs_fallocate(struct file *file, int mode, loff_t offset,
 				loff_t len)
 {
 	struct inode *inode = file_inode(file);
+	struct hugetlbfs_inode_info *info = HUGETLBFS_I(inode);
 	struct address_space *mapping = inode->i_mapping;
 	struct hstate *h = hstate_inode(inode);
 	struct vm_area_struct pseudo_vma;
@@ -560,6 +569,11 @@ static long hugetlbfs_fallocate(struct file *file, int mode, loff_t offset,
 	if (error)
 		goto out;
 
+	if ((info->seals & F_SEAL_GROW) && offset + len > inode->i_size) {
+		error = -EPERM;
+		goto out;
+	}
+
 	/*
 	 * Initialize a pseudo vma as this is required by the huge page
 	 * allocation routines.  If NUMA is configured, use page index
@@ -650,6 +664,7 @@ static int hugetlbfs_setattr(struct dentry *dentry, struct iattr *attr)
 	struct hstate *h = hstate_inode(inode);
 	int error;
 	unsigned int ia_valid = attr->ia_valid;
+	struct hugetlbfs_inode_info *info = HUGETLBFS_I(inode);
 
 	BUG_ON(!inode);
 
@@ -658,10 +673,17 @@ static int hugetlbfs_setattr(struct dentry *dentry, struct iattr *attr)
 		return error;
 
 	if (ia_valid & ATTR_SIZE) {
+		loff_t oldsize = inode->i_size;
+		loff_t newsize = attr->ia_size;
+
 		error = -EINVAL;
-		if (attr->ia_size & ~huge_page_mask(h))
+		if (newsize & ~huge_page_mask(h))
 			return -EINVAL;
-		error = hugetlb_vmtruncate(inode, attr->ia_size);
+		/* protected by i_mutex */
+		if ((newsize < oldsize && (info->seals & F_SEAL_SHRINK)) ||
+		    (newsize > oldsize && (info->seals & F_SEAL_GROW)))
+			return -EPERM;
+		error = hugetlb_vmtruncate(inode, newsize);
 		if (error)
 			return error;
 	}
@@ -713,6 +735,8 @@ static struct inode *hugetlbfs_get_inode(struct super_block *sb,
 
 	inode = new_inode(sb);
 	if (inode) {
+		struct hugetlbfs_inode_info *info = HUGETLBFS_I(inode);
+
 		inode->i_ino = get_next_ino();
 		inode_init_owner(inode, dir, mode);
 		lockdep_set_class(&inode->i_mapping->i_mmap_rwsem,
@@ -720,6 +744,7 @@ static struct inode *hugetlbfs_get_inode(struct super_block *sb,
 		inode->i_mapping->a_ops = &hugetlbfs_aops;
 		inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode);
 		inode->i_mapping->private_data = resv_map;
+		info->seals = F_SEAL_SEAL;
 		switch (mode & S_IFMT) {
 		default:
 			init_special_inode(inode, mode, dev);
diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h
index 590a77433a14..2a21c59a9952 100644
--- a/include/linux/hugetlb.h
+++ b/include/linux/hugetlb.h
@@ -282,6 +282,7 @@ static inline struct hugetlbfs_sb_info *HUGETLBFS_SB(struct super_block *sb)
 struct hugetlbfs_inode_info {
 	struct shared_policy policy;
 	struct inode vfs_inode;
+	unsigned int seals;
 };
 
 static inline struct hugetlbfs_inode_info *HUGETLBFS_I(struct inode *inode)
-- 
2.15.0.rc0.40.gaefcc5f6f


From 1583352154941910527@xxx Mon Nov 06 21:04:43 +0000 2017
X-GM-THRID: 1583352154941910527
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread