| Message ID | 6f3aea05c9cc46094b029cbd1138d163c1ae7f9d.1682890156.git.lstoakes@gmail.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp2355150vqo;
Sun, 30 Apr 2023 15:37:40 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ5BJgkgPNT+6/JvYnSHmKuT2gA06gxjqTG5qBvGF7jVBLrBRI6qxklc52Aj2nTLd+rhl8c0
X-Received: by 2002:a17:90a:f581:b0:247:6ec8:7e9b with SMTP id
ct1-20020a17090af58100b002476ec87e9bmr12240603pjb.44.1682894259727;
Sun, 30 Apr 2023 15:37:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1682894259; cv=none;
d=google.com; s=arc-20160816;
b=Ffouf+riyrRmu56rHu9+jEx2u8rjPYbYUUG2TvkvvmHLGfZB1GgUpqeAWWuT9yIFFt
/JP5HPNljRKB7nl9+CUixWiA41cNhN/MDSmIY9TMHPWyyWN7XO1hS5kudV1xEwkBedig
xyaU2hy0bjwta9DTpq9hUqSanymi8xjOkgaJxrYRcT9xQ391bHBIPDhAu9JsfU095Eg/
ycbLXXjVw3yGQlPc2llYDKu2nRA5E/A7zWuYldcowRpkZNfDmSnEpUN1xAWJt28xXoOR
a/ACRa9VqW3/Te9PNI1NFgbJd0kwJTHg8vWNKL+babeoojvh0g55F6PFQQFpy1/QQXI4
hj3A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:references:in-reply-to:message-id:date:subject:cc:to:from
:dkim-signature;
bh=gU5klj4JuCtxBh6JR6WjnJXM2yce7ELIzVSpcWZL9RY=;
b=NnStOsdomo4ukDuC1lSquhcDrKz+hNSaKXi/UNCjQPS6aJ9seJ9Ke003/SPoE3rqHI
LNlmITdMc9T4olCJab/EjvfcssHKgN2x6gnNIA3JLHZau6pivFJ+13BU21KacqRCeZV/
AANGnYp0QWqoKQoyPSpmdLg9Aen/WoaWEtbw3dj54JcWau7HMNRsLjFstF/cM18CMLbZ
fE7qWch/FoyUVGBOydyvbfvYAA1uPIIysPIJjDnABnTm3t1AYHUiur1EPgWMezAbJ5QB
m9zvMKlfPA3AKMDiv8FWvquInJY7e7KDfYWuBO3FLVfxBmIC3BHft+6tppj0KMSxgo5s
Xmrw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@gmail.com header.s=20221208 header.b=VXNNdRhL;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
x21-20020a631715000000b0050f6925a400si18338827pgl.589.2023.04.30.15.37.25;
Sun, 30 Apr 2023 15:37:39 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@gmail.com header.s=20221208 header.b=VXNNdRhL;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S232115AbjD3W0z (ORCPT <rfc822;rbbytesnap@gmail.com> + 99 others);
Sun, 30 Apr 2023 18:26:55 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42042 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S232079AbjD3W0s (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Sun, 30 Apr 2023 18:26:48 -0400
Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com
[IPv6:2a00:1450:4864:20::434])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C1B36E4F;
Sun, 30 Apr 2023 15:26:46 -0700 (PDT)
Received: by mail-wr1-x434.google.com with SMTP id
ffacd0b85a97d-2f87c5b4635so1749710f8f.1;
Sun, 30 Apr 2023 15:26:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20221208; t=1682893605; x=1685485605;
h=content-transfer-encoding:mime-version:references:in-reply-to
:message-id:date:subject:cc:to:from:from:to:cc:subject:date
:message-id:reply-to;
bh=gU5klj4JuCtxBh6JR6WjnJXM2yce7ELIzVSpcWZL9RY=;
b=VXNNdRhLqJDygRRWBenMw/2sboDt9lMxswc9Klc7vyZ7DUUY8PsRrW4VYJXOKcH18t
qlCJf2sRfxtVrN7OzpZbclacR5lQtGV6yIVIuJ2NYAMZlpbayLltwRM8D6ieUfN6+jkC
FjJMWW2TRyK4N4hEBJ0pllZrGFeL40h545zok0J472IxJ/QO7vIlbUB716nHnopqBlYT
AU9clybB/l7GCTu17p2ip6WlBxT18xR8ZMTJtAAINBnTkPXLceuKXkyumwE13HR/zkw0
FQBZimSmFtGej5L5shtV9NLrlZgp5R7ELWLyd7VcsucF2yrHASTmMy4DhE48LvmZWGDv
Hfpg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20221208; t=1682893605; x=1685485605;
h=content-transfer-encoding:mime-version:references:in-reply-to
:message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
:subject:date:message-id:reply-to;
bh=gU5klj4JuCtxBh6JR6WjnJXM2yce7ELIzVSpcWZL9RY=;
b=B8N3Ca6449HJNpoeH4LsML0/NC8YO3cGlSHSsb1D55/KOd1LewPQpuXywT5GDqABXS
tLVq2K0o13EyAYSo3CFr0kvKVQJnS23HWn+jDJ3Brpz+5G0QEROf8zU/CUcp9UgtXV0m
l5PlY8ZEbXuDgR/FKQsqGDVu/MEIEYnuwmW1tKHOPulm+j2q5FxBsVGQ4iD4OJBHs1Qr
AhI3YPy8yBqUwTMyL9HvpXNG8/Im/nkTE6+KDJzmEw5sVlsk71TqRFtj+vIZ7WMCTdDc
i+Ht75zIhS2FS9divxHKnwwUp1ivmeZlk/JcRllBx6F03K8Iks/YDKV8F7Rbcw3a0T2p
WpoQ==
X-Gm-Message-State: AC+VfDx24mJDWRd0L0racLid7KnSo2bUzhzSrXvB3dsmvb1AlsjudUIZ
+aGbwZz0h/jX2Czvj1x9qcY=
X-Received: by 2002:adf:db8e:0:b0:2fe:f2d1:dcab with SMTP id
u14-20020adfdb8e000000b002fef2d1dcabmr8764207wri.58.1682893605108;
Sun, 30 Apr 2023 15:26:45 -0700 (PDT)
Received: from lucifer.home ([2a00:23c5:dc8c:8701:1663:9a35:5a7b:1d76])
by smtp.googlemail.com with ESMTPSA id
g2-20020a5d5402000000b002da75c5e143sm26699865wrv.29.2023.04.30.15.26.44
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Sun, 30 Apr 2023 15:26:44 -0700 (PDT)
From: Lorenzo Stoakes <lstoakes@gmail.com>
To: linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>
Cc: Matthew Wilcox <willy@infradead.org>,
Mike Kravetz <mike.kravetz@oracle.com>,
Muchun Song <muchun.song@linux.dev>,
Alexander Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>,
Andy Lutomirski <luto@amacapital.net>,
linux-fsdevel@vger.kernel.org, Jan Kara <jack@suse.cz>,
Hugh Dickins <hughd@google.com>,
Lorenzo Stoakes <lstoakes@gmail.com>
Subject: [PATCH v2 3/3] mm: perform the mapping_map_writable() check after
call_mmap()
Date: Sun, 30 Apr 2023 23:26:07 +0100
Message-Id:
<6f3aea05c9cc46094b029cbd1138d163c1ae7f9d.1682890156.git.lstoakes@gmail.com>
X-Mailer: git-send-email 2.40.1
In-Reply-To: <cover.1682890156.git.lstoakes@gmail.com>
References: <cover.1682890156.git.lstoakes@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,
RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1764642530805935022?=
X-GMAIL-MSGID: =?utf-8?q?1764642530805935022?=
|
| Series |
permit write-sealed memfd read-only shared mappings
|
|
Commit Message
Lorenzo Stoakes
April 30, 2023, 10:26 p.m. UTC
In order for a F_SEAL_WRITE sealed memfd mapping to have an opportunity to
clear VM_MAYWRITE, we must be able to invoke the appropriate vm_ops->mmap()
handler to do so. We would otherwise fail the mapping_map_writable() check
before we had the opportunity to avoid it.
This patch moves this check after the call_mmap() invocation. Only memfd
actively denies write access causing a potential failure here (in
memfd_add_seals()), so there should be no impact on non-memfd cases.
This patch makes the userland-visible change that MAP_SHARED, PROT_READ
mappings of an F_SEAL_WRITE sealed memfd mapping will now succeed.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=217238
Signed-off-by: Lorenzo Stoakes <lstoakes@gmail.com>
---
mm/mmap.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--
2.40.1
Comments
On Sun, Apr 30, 2023 at 3:26 PM Lorenzo Stoakes <lstoakes@gmail.com> wrote: > > In order for a F_SEAL_WRITE sealed memfd mapping to have an opportunity to > clear VM_MAYWRITE, we must be able to invoke the appropriate vm_ops->mmap() > handler to do so. We would otherwise fail the mapping_map_writable() check > before we had the opportunity to avoid it. Is there any reason this can't go before patch 3? If I'm understanding correctly, a comment like the following might make this a lot more comprehensible: > > This patch moves this check after the call_mmap() invocation. Only memfd > actively denies write access causing a potential failure here (in > memfd_add_seals()), so there should be no impact on non-memfd cases. > > This patch makes the userland-visible change that MAP_SHARED, PROT_READ > mappings of an F_SEAL_WRITE sealed memfd mapping will now succeed. > > Link: https://bugzilla.kernel.org/show_bug.cgi?id=217238 > Signed-off-by: Lorenzo Stoakes <lstoakes@gmail.com> > --- > mm/mmap.c | 12 ++++++------ > 1 file changed, 6 insertions(+), 6 deletions(-) > > diff --git a/mm/mmap.c b/mm/mmap.c > index 646e34e95a37..1608d7f5a293 100644 > --- a/mm/mmap.c > +++ b/mm/mmap.c > @@ -2642,17 +2642,17 @@ unsigned long mmap_region(struct file *file, unsigned long addr, > vma->vm_pgoff = pgoff; > > if (file) { > - if (is_shared_maywrite(vm_flags)) { > - error = mapping_map_writable(file->f_mapping); > - if (error) > - goto free_vma; > - } > - > vma->vm_file = get_file(file); > error = call_mmap(file, vma); > if (error) > goto unmap_and_free_vma; > /* vm_ops->mmap() may have changed vma->flags. Check for writability now. */ > + if (vma_is_shared_maywrite(vma)) { > + error = mapping_map_writable(file->f_mapping); > + if (error) > + goto close_and_free_vma; > + } > + Alternatively, if anyone is nervous about the change in ordering here, there could be a whole new vm_op like adjust_vma_flags() that happens before any of this. --Andy
On Mon, May 01, 2023 at 12:02:00PM -0700, Andy Lutomirski wrote: > On Sun, Apr 30, 2023 at 3:26 PM Lorenzo Stoakes <lstoakes@gmail.com> wrote: > > > > In order for a F_SEAL_WRITE sealed memfd mapping to have an opportunity to > > clear VM_MAYWRITE, we must be able to invoke the appropriate vm_ops->mmap() > > handler to do so. We would otherwise fail the mapping_map_writable() check > > before we had the opportunity to avoid it. > > Is there any reason this can't go before patch 3? I don't quite understand what you mean by this? I mean sure, we could, but intent was to build to this point and leave the most controversial change for last :) > > If I'm understanding correctly, a comment like the following might > make this a lot more comprehensible: > > > > > This patch moves this check after the call_mmap() invocation. Only memfd > > actively denies write access causing a potential failure here (in > > memfd_add_seals()), so there should be no impact on non-memfd cases. > > > > This patch makes the userland-visible change that MAP_SHARED, PROT_READ > > mappings of an F_SEAL_WRITE sealed memfd mapping will now succeed. > > > > Link: https://bugzilla.kernel.org/show_bug.cgi?id=217238 > > Signed-off-by: Lorenzo Stoakes <lstoakes@gmail.com> > > --- > > mm/mmap.c | 12 ++++++------ > > 1 file changed, 6 insertions(+), 6 deletions(-) > > > > diff --git a/mm/mmap.c b/mm/mmap.c > > index 646e34e95a37..1608d7f5a293 100644 > > --- a/mm/mmap.c > > +++ b/mm/mmap.c > > @@ -2642,17 +2642,17 @@ unsigned long mmap_region(struct file *file, unsigned long addr, > > vma->vm_pgoff = pgoff; > > > > if (file) { > > - if (is_shared_maywrite(vm_flags)) { > > - error = mapping_map_writable(file->f_mapping); > > - if (error) > > - goto free_vma; > > - } > > - > > vma->vm_file = get_file(file); > > error = call_mmap(file, vma); > > if (error) > > goto unmap_and_free_vma; > > > > /* vm_ops->mmap() may have changed vma->flags. Check for writability now. */ > Ack, will add on next spin. > > + if (vma_is_shared_maywrite(vma)) { > > + error = mapping_map_writable(file->f_mapping); > > + if (error) > > + goto close_and_free_vma; > > + } > > + > > Alternatively, if anyone is nervous about the change in ordering here, > there could be a whole new vm_op like adjust_vma_flags() that happens > before any of this. Agreed, clearly this change is the most controversial thing here. I did look around and couldn't find any instance where this could cause an issue, since it is purely the mapping_map_writable() that gets run at a different point, but this is certainly an alterative. I have a feeling people might find adding a new op there possibly _more_ nerve-inducing :) but it's an option. > > --Andy
Hello,
kernel test robot noticed "assertion_failure" on:
commit: a0e22a91f487957346732c6613eb6bd1b7c72ab1 ("[PATCH v2 3/3] mm: perform the mapping_map_writable() check after call_mmap()")
url: https://github.com/intel-lab-lkp/linux/commits/Lorenzo-Stoakes/mm-drop-the-assumption-that-VM_SHARED-always-implies-writable/20230501-062815
base: https://git.kernel.org/cgit/linux/kernel/git/akpm/mm.git mm-everything
patch link: https://lore.kernel.org/all/6f3aea05c9cc46094b029cbd1138d163c1ae7f9d.1682890156.git.lstoakes@gmail.com/
patch subject: [PATCH v2 3/3] mm: perform the mapping_map_writable() check after call_mmap()
in testcase: igt
version: igt-x86_64-9e9cd7e6-1_20230506
with following parameters:
group: group-11
compiler: gcc-11
test machine: 20 threads 1 sockets (Commet Lake) with 16G memory
(please refer to attached dmesg/kmsg for entire log/backtrace)
If you fix the issue, kindly add following tag
| Reported-by: kernel test robot <yujie.liu@intel.com>
| Link: https://lore.kernel.org/oe-lkp/202305161044.bba89e76-yujie.liu@intel.com
2023-05-11 12:29:38 build/tests/gem_mmap_gtt --run-subtest basic-copy
IGT-Version: 1.27.1-g9e9cd7e6 (x86_64) (Linux: 6.3.0-10673-ga0e22a91f487 x86_64)
Starting subtest: basic-copy
(gem_mmap_gtt:1138) i915/gem_mman-CRITICAL: Test assertion failure function gem_mmap__gtt, file ../lib/i915/gem_mman.c:146:
(gem_mmap_gtt:1138) i915/gem_mman-CRITICAL: Failed assertion: ptr
(gem_mmap_gtt:1138) i915/gem_mman-CRITICAL: Last errno: 1, Operation not permitted
Subtest basic-copy failed.
**** DEBUG ****
(gem_mmap_gtt:1138) i915/gem_mman-CRITICAL: Test assertion failure function gem_mmap__gtt, file ../lib/i915/gem_mman.c:146:
(gem_mmap_gtt:1138) i915/gem_mman-CRITICAL: Failed assertion: ptr
(gem_mmap_gtt:1138) i915/gem_mman-CRITICAL: Last errno: 1, Operation not permitted
(gem_mmap_gtt:1138) igt_core-INFO: Stack trace:
(gem_mmap_gtt:1138) igt_core-INFO: #0 [__igt_fail_assert+0x106]
(gem_mmap_gtt:1138) igt_core-INFO: #1 [gem_mmap__gtt+0x3c]
(gem_mmap_gtt:1138) igt_core-INFO: #2 ../tests/i915/gem_mmap_gtt.c:89 create_pointer_size()
(gem_mmap_gtt:1138) igt_core-INFO: #3 ../tests/i915/gem_mmap_gtt.c:97 __igt_unique____real_main1261()
(gem_mmap_gtt:1138) igt_core-INFO: #4 ../tests/i915/gem_mmap_gtt.c:1261 main()
(gem_mmap_gtt:1138) igt_core-INFO: #5 ../csu/libc-start.c:308 __libc_start_main()
(gem_mmap_gtt:1138) igt_core-INFO: #6 [_start+0x2a]
**** END ****
Stack trace:
#0 [__igt_fail_assert+0x106]
#1 [gem_mmap__gtt+0x3c]
#2 ../tests/i915/gem_mmap_gtt.c:89 create_pointer_size()
#3 ../tests/i915/gem_mmap_gtt.c:97 __igt_unique____real_main1261()
#4 ../tests/i915/gem_mmap_gtt.c:1261 main()
#5 ../csu/libc-start.c:308 __libc_start_main()
#6 [_start+0x2a]
Subtest basic-copy: FAIL (0.039s)
...
To reproduce:
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
sudo bin/lkp install job.yaml # job file is attached in this email
bin/lkp split-job --compatible job.yaml # generate the yaml file for lkp run
sudo bin/lkp run generated-yaml-file
# if come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
On Tue, May 16, 2023 at 01:52:06PM +0800, kernel test robot wrote: > Hello, > > kernel test robot noticed "assertion_failure" on: > > commit: a0e22a91f487957346732c6613eb6bd1b7c72ab1 ("[PATCH v2 3/3] mm: perform the mapping_map_writable() check after call_mmap()") > url: https://github.com/intel-lab-lkp/linux/commits/Lorenzo-Stoakes/mm-drop-the-assumption-that-VM_SHARED-always-implies-writable/20230501-062815 > base: https://git.kernel.org/cgit/linux/kernel/git/akpm/mm.git mm-everything > patch link: https://lore.kernel.org/all/6f3aea05c9cc46094b029cbd1138d163c1ae7f9d.1682890156.git.lstoakes@gmail.com/ > patch subject: [PATCH v2 3/3] mm: perform the mapping_map_writable() check after call_mmap() > > in testcase: igt > version: igt-x86_64-9e9cd7e6-1_20230506 > with following parameters: > > group: group-11 > > compiler: gcc-11 > test machine: 20 threads 1 sockets (Commet Lake) with 16G memory > > (please refer to attached dmesg/kmsg for entire log/backtrace) > > > If you fix the issue, kindly add following tag > | Reported-by: kernel test robot <yujie.liu@intel.com> > | Link: https://lore.kernel.org/oe-lkp/202305161044.bba89e76-yujie.liu@intel.com > > > 2023-05-11 12:29:38 build/tests/gem_mmap_gtt --run-subtest basic-copy > IGT-Version: 1.27.1-g9e9cd7e6 (x86_64) (Linux: 6.3.0-10673-ga0e22a91f487 x86_64) > Starting subtest: basic-copy > (gem_mmap_gtt:1138) i915/gem_mman-CRITICAL: Test assertion failure function gem_mmap__gtt, file ../lib/i915/gem_mman.c:146: > (gem_mmap_gtt:1138) i915/gem_mman-CRITICAL: Failed assertion: ptr > (gem_mmap_gtt:1138) i915/gem_mman-CRITICAL: Last errno: 1, Operation not permitted > Subtest basic-copy failed. [snip] I don't have the hardware to test this (the repro steps don't work and manually running the test indicates the actual hardware is required) but I suspect it's a result of i915_gem_mmap() somehow causing mapping_unmap_writable() to be invoked, which sets mapping->i_mmap_writable negative, and thus the check after call_mmap() is performed reports the error. In v3 I will change this to continue to mark the file writable before invoking call_mmap() which should fix this issue.
diff --git a/mm/mmap.c b/mm/mmap.c index 646e34e95a37..1608d7f5a293 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -2642,17 +2642,17 @@ unsigned long mmap_region(struct file *file, unsigned long addr, vma->vm_pgoff = pgoff; if (file) { - if (is_shared_maywrite(vm_flags)) { - error = mapping_map_writable(file->f_mapping); - if (error) - goto free_vma; - } - vma->vm_file = get_file(file); error = call_mmap(file, vma); if (error) goto unmap_and_free_vma; + if (vma_is_shared_maywrite(vma)) { + error = mapping_map_writable(file->f_mapping); + if (error) + goto close_and_free_vma; + } + /* * Expansion is handled above, merging is handled below. * Drivers should not alter the address of the VMA.