Received: by 10.223.164.202 with SMTP id h10csp236890wrb;
        Tue, 7 Nov 2017 05:44:27 -0800 (PST)
X-Google-Smtp-Source: ABhQp+Q/OakFcGK9eslf1PLOyfrALBE3DptK7fO+7Py0/KUkZM6ZoQAaNvHKuPySp9IK41RqDhN0
X-Received: by 10.159.253.65 with SMTP id b1mr17954319plx.330.1510062267049;
        Tue, 07 Nov 2017 05:44:27 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1510062267; cv=none;
        d=google.com; s=arc-20160816;
        b=ZqlDXHpJBhQ3TPw3N6NWwSam9vz9jIYZNH+5wa05GAj0yuGqQ6km9DWJu9uoyqBzpd
         kbcTXVQl+R8c09qmJU+Sz5R2q/QgCBpRZGrtbop/wQTKWhNz7C8XDMdWSRIUkGygvqk1
         pd3tA36YN0OInZYwRQzGDa/vB8SrBXfCeS7IwlbofZ9HuCC7hK3+PcGFkaxuy2i5oDTk
         qMXUwD1lY1drUZmz33Mj4DA1BlUK1EmPK4/7OPukhVsP828dPKfZwfsk6iUPWvB7CjEZ
         BOp8SgofcA09vu08i5kkGgPnL435G2dx4ks46KWkeryhoF5Wefcnw01RNGMGxEApMOly
         03TA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dmarc-filter:arc-authentication-results;
        bh=lR5s4pSrHFdBCp9v+6KqgyWQpcjtCtNcfIPDVfzoBSw=;
        b=Um82PxkbQpXa301JrqGt92IeU+7PwWVwnG/Qc3S5kzUEtXFgnjhFP4JM+ZbIwvTxXI
         7JZmYu0vHrArNDHCHs0w6D0k1J+WkwIjsGgX69TjZkyq0tLFaGPHAKbhyuWZaeAx9AIJ
         e+ePeQkI4dNxaeEyBZhHKAvJpad8bv668PkXM54OCtr87rVRl/336r1bg9A5OPVK4Uja
         0gChMibQwyRcjBxp7Rd2HttwUb52RDw0hxxydxEdl3U/NnB55KYU3tt754fSxPO5VVBP
         seiJiRezQRaoOfn0GZ7XWCvzpMtsLTF3na2mooIR5eArmiln8Dq2EC6l+/iP/1eMuIms
         qHFw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t24si1363251pfe.48.2017.11.07.05.44.13;
        Tue, 07 Nov 2017 05:44:27 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1757637AbdKGM2W (ORCPT <rfc822;schlichte.alexander@gmail.com>
        + 91 others); Tue, 7 Nov 2017 07:28:22 -0500
Received: from mx1.redhat.com ([209.132.183.28]:46482 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1757623AbdKGM2T (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 7 Nov 2017 07:28:19 -0500
Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id BBB5C3B73A;
        Tue,  7 Nov 2017 12:28:18 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com BBB5C3B73A
Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com
Authentication-Results: ext-mx06.extmail.prod.ext.phx2.redhat.com; spf=fail smtp.mailfrom=marcandre.lureau@redhat.com
Received: from localhost (ovpn-112-38.ams2.redhat.com [10.36.112.38])
        by smtp.corp.redhat.com (Postfix) with ESMTP id 87C52600D2;
        Tue,  7 Nov 2017 12:28:15 +0000 (UTC)
From:   =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
To:     linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc:     aarcange@redhat.com, hughd@google.com, nyc@holomorphy.com,
        mike.kravetz@oracle.com,
        =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau@redhat.com>
Subject: [PATCH v3 4/9] hugetlb: implement memfd sealing
Date:   Tue,  7 Nov 2017 13:27:55 +0100
Message-Id: <20171107122800.25517-5-marcandre.lureau@redhat.com>
In-Reply-To: <20171107122800.25517-1-marcandre.lureau@redhat.com>
References: <20171107122800.25517-1-marcandre.lureau@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.30]); Tue, 07 Nov 2017 12:28:18 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Implements memfd sealing, similar to shmem:
- WRITE: deny fallocate(PUNCH_HOLE). mmap() write is denied in
  memfd_add_seals(). write() doesn't exist for hugetlbfs.
- SHRINK: added similar check as shmem_setattr()
- GROW: added similar check as shmem_setattr() & shmem_fallocate()

Except write() operation that doesn't exist with hugetlbfs, that
should make sealing as close as it can be to shmem support.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
---
 fs/hugetlbfs/inode.c    | 29 +++++++++++++++++++++++++++--
 include/linux/hugetlb.h |  1 +
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index f57aab929e41..01f5aa6ea57a 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -510,8 +510,16 @@ static long hugetlbfs_punch_hole(struct inode *inode, loff_t offset, loff_t len)
 
 	if (hole_end > hole_start) {
 		struct address_space *mapping = inode->i_mapping;
+		struct hugetlbfs_inode_info *info = HUGETLBFS_I(inode);
 
 		inode_lock(inode);
+
+		/* protected by i_mutex */
+		if (info->seals & F_SEAL_WRITE) {
+			inode_unlock(inode);
+			return -EPERM;
+		}
+
 		i_mmap_lock_write(mapping);
 		if (!RB_EMPTY_ROOT(&mapping->i_mmap.rb_root))
 			hugetlb_vmdelete_list(&mapping->i_mmap,
@@ -529,6 +537,7 @@ static long hugetlbfs_fallocate(struct file *file, int mode, loff_t offset,
 				loff_t len)
 {
 	struct inode *inode = file_inode(file);
+	struct hugetlbfs_inode_info *info = HUGETLBFS_I(inode);
 	struct address_space *mapping = inode->i_mapping;
 	struct hstate *h = hstate_inode(inode);
 	struct vm_area_struct pseudo_vma;
@@ -560,6 +569,11 @@ static long hugetlbfs_fallocate(struct file *file, int mode, loff_t offset,
 	if (error)
 		goto out;
 
+	if ((info->seals & F_SEAL_GROW) && offset + len > inode->i_size) {
+		error = -EPERM;
+		goto out;
+	}
+
 	/*
 	 * Initialize a pseudo vma as this is required by the huge page
 	 * allocation routines.  If NUMA is configured, use page index
@@ -650,6 +664,7 @@ static int hugetlbfs_setattr(struct dentry *dentry, struct iattr *attr)
 	struct hstate *h = hstate_inode(inode);
 	int error;
 	unsigned int ia_valid = attr->ia_valid;
+	struct hugetlbfs_inode_info *info = HUGETLBFS_I(inode);
 
 	BUG_ON(!inode);
 
@@ -658,10 +673,17 @@ static int hugetlbfs_setattr(struct dentry *dentry, struct iattr *attr)
 		return error;
 
 	if (ia_valid & ATTR_SIZE) {
+		loff_t oldsize = inode->i_size;
+		loff_t newsize = attr->ia_size;
+
 		error = -EINVAL;
-		if (attr->ia_size & ~huge_page_mask(h))
+		if (newsize & ~huge_page_mask(h))
 			return -EINVAL;
-		error = hugetlb_vmtruncate(inode, attr->ia_size);
+		/* protected by i_mutex */
+		if ((newsize < oldsize && (info->seals & F_SEAL_SHRINK)) ||
+		    (newsize > oldsize && (info->seals & F_SEAL_GROW)))
+			return -EPERM;
+		error = hugetlb_vmtruncate(inode, newsize);
 		if (error)
 			return error;
 	}
@@ -713,6 +735,8 @@ static struct inode *hugetlbfs_get_inode(struct super_block *sb,
 
 	inode = new_inode(sb);
 	if (inode) {
+		struct hugetlbfs_inode_info *info = HUGETLBFS_I(inode);
+
 		inode->i_ino = get_next_ino();
 		inode_init_owner(inode, dir, mode);
 		lockdep_set_class(&inode->i_mapping->i_mmap_rwsem,
@@ -720,6 +744,7 @@ static struct inode *hugetlbfs_get_inode(struct super_block *sb,
 		inode->i_mapping->a_ops = &hugetlbfs_aops;
 		inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode);
 		inode->i_mapping->private_data = resv_map;
+		info->seals = F_SEAL_SEAL;
 		switch (mode & S_IFMT) {
 		default:
 			init_special_inode(inode, mode, dev);
diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h
index 590a77433a14..2a21c59a9952 100644
--- a/include/linux/hugetlb.h
+++ b/include/linux/hugetlb.h
@@ -282,6 +282,7 @@ static inline struct hugetlbfs_sb_info *HUGETLBFS_SB(struct super_block *sb)
 struct hugetlbfs_inode_info {
 	struct shared_policy policy;
 	struct inode vfs_inode;
+	unsigned int seals;
 };
 
 static inline struct hugetlbfs_inode_info *HUGETLBFS_I(struct inode *inode)
-- 
2.15.0.125.g8f49766d64


From 1583018360824688686@xxx Fri Nov 03 04:39:13 +0000 2017
X-GM-THRID: 1579656416160844925
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread