search for: vm_write

Displaying 20 results from an estimated 58 matches for "vm_write".

2019 Aug 23
6
[PATCH 0/2] mm/hmm: two bug fixes for hmm_range_fault()
I have been working on converting Jerome's hmm_dummy driver and self tests into a stand-alone set of tests to be included in tools/testing/selftests/vm and came across these two bug fixes in the process. The tests aren't quite ready to be posted as a patch. I'm posting the fixes now since I thought they shouldn't wait. They should probably have a fixes line but with all the HMM
2011 Mar 19
1
[patch 2/2] xen-gntdev: unlock on error path in gntdev_mmap()
...ew carefully. diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c index 017ce60..b0f9e8f 100644 --- a/drivers/xen/gntdev.c +++ b/drivers/xen/gntdev.c @@ -662,7 +662,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma) if (map->flags) { if ((vma->vm_flags & VM_WRITE) && (map->flags & GNTMAP_readonly)) - return -EINVAL; + goto out_unlock_put; } else { map->flags = GNTMAP_host_map; if (!(vma->vm_flags & VM_WRITE)) @@ -700,6 +700,8 @@ unlock_out: spin_unlock(&priv->lock); return err; +out_unlock_put: + spin_u...
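Review bot: The removed line in gntdev_mmap() returned -EINVAL explicitly, but the replacement "goto out_unlock_put" sets no error code, and no assignment to err is visible in this hunk. If the new label falls through to a "return err;" as unlock_out does, the readonly-grant versus VM_WRITE mismatch only keeps reporting -EINVAL when err already holds that value at this point. Either assign err = -EINVAL before the jump or note in the commit message where err gets that value.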
2011 Mar 19
1
[patch 2/2] xen-gntdev: unlock on error path in gntdev_mmap()
...ew carefully. diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c index 017ce60..b0f9e8f 100644 --- a/drivers/xen/gntdev.c +++ b/drivers/xen/gntdev.c @@ -662,7 +662,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma) if (map->flags) { if ((vma->vm_flags & VM_WRITE) && (map->flags & GNTMAP_readonly)) - return -EINVAL; + goto out_unlock_put; } else { map->flags = GNTMAP_host_map; if (!(vma->vm_flags & VM_WRITE)) @@ -700,6 +700,8 @@ unlock_out: spin_unlock(&priv->lock); return err; +out_unlock_put: + spin_u...
2011 Mar 19
1
[patch 2/2] xen-gntdev: unlock on error path in gntdev_mmap()
...ew carefully. diff --git a/drivers/xen/gntdev.c b/drivers/xen/gntdev.c index 017ce60..b0f9e8f 100644 --- a/drivers/xen/gntdev.c +++ b/drivers/xen/gntdev.c @@ -662,7 +662,7 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma) if (map->flags) { if ((vma->vm_flags & VM_WRITE) && (map->flags & GNTMAP_readonly)) - return -EINVAL; + goto out_unlock_put; } else { map->flags = GNTMAP_host_map; if (!(vma->vm_flags & VM_WRITE)) @@ -700,6 +700,8 @@ unlock_out: spin_unlock(&priv->lock); return err; +out_unlock_put: + spin_u...
2019 Aug 23
0
[PATCH 2/2] mm/hmm: hmm_range_fault() infinite loop
Normally, callers to handle_mm_fault() are supposed to check the vma->vm_flags first. hmm_range_fault() checks for VM_READ but doesn't check for VM_WRITE if the caller requests a page to be faulted in with write permission (via the hmm_range.pfns[] value). If the vma is write protected, this can result in an infinite loop: hmm_range_fault() walk_page_range() ... hmm_vma_walk_hole() hmm_vma_walk_hole_() hmm_vma_do_...
2019 Aug 27
2
[PATCH 2/2] mm/hmm: hmm_range_fault() infinite loop
...+ b/mm/hmm.c > @@ -292,6 +292,9 @@ static int hmm_vma_walk_hole_(unsigned long addr, unsigned long end, > hmm_vma_walk->last = addr; > i = (addr - range->start) >> PAGE_SHIFT; > > + if (write_fault && walk->vma && !(walk->vma->vm_flags & VM_WRITE)) > + return -EPERM; Can walk->vma be NULL here? hmm_vma_do_fault() touches it unconditionally. Jason
2020 Nov 06
0
[PATCH v3 3/6] mm: support THP migration to device private memory
...migrate->src[migrate->npages] = MIGRATE_PFN_MIGRATE | + MIGRATE_PFN_COMPOUND; + migrate->dst[migrate->npages] = 0; + migrate->npages++; + migrate->cpages++; + return migrate_vma_collect_skip(start + PAGE_SIZE, end, walk); } + mpfn = (migrate->vma->vm_flags & VM_WRITE) ? + (MIGRATE_PFN_MIGRATE | MIGRATE_PFN_WRITE) : MIGRATE_PFN_MIGRATE; for (addr = start; addr < end; addr += PAGE_SIZE) { - migrate->src[migrate->npages] = MIGRATE_PFN_MIGRATE; + migrate->src[migrate->npages] = mpfn; migrate->dst[migrate->npages] = 0; migrate->npa...
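Review bot: The compound branch at the top of this excerpt stores MIGRATE_PFN_MIGRATE | MIGRATE_PFN_COMPOUND in src[] with no write bit, while the per-page loop below it now derives MIGRATE_PFN_WRITE from vma->vm_flags & VM_WRITE through mpfn. If the huge-page entry is meant to carry the same write permission, compute mpfn ahead of that branch and OR MIGRATE_PFN_COMPOUND into it. If the difference is deliberate, a comment at the compound assignment saying why would prevent a later "fix" in the wrong direction.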
2020 Jun 19
0
[PATCH 13/16] mm: support THP migration to device private memory
...abort; + + pgtable = pte_alloc_one(mm); + if (unlikely(!pgtable)) + goto abort; + + __SetPageUptodate(page); + + if (is_zone_device_page(page)) { + if (!is_device_private_page(page)) + goto pgtable_abort; + entry = swp_entry_to_pmd(make_device_private_entry(page, + vma->vm_flags & VM_WRITE)); + } else { + entry = mk_huge_pmd(page, vma->vm_page_prot); + entry = maybe_pmd_mkwrite(pmd_mkdirty(entry), vma); + } + + ptl = pmd_lock(mm, pmdp); + + if (check_stable_address_space(mm)) + goto unlock_abort; + + /* + * Check for userfaultfd but do not deliver the fault. Instead, + * just...
1998 Nov 21
2
simple perl script bypasses limits
Any user with shell access, or with access to upload a cgi script can exploit this to make machine thrash badly. Seems to circumvent any limits in the kernel Here are my settings dlai@whale.home.org:/home/dlai?limit cputime unlimited filesize 20000 kbytes datasize 8192 kbytes stacksize 8192 kbytes coredumpsize 1000000 kbytes memoryuse 8192 kbytes descriptors
2010 Dec 08
2
[PATCH] xen: gntdev: move use of GNTMAP_contains_pte next to the map_op
...static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma) vma->vm_private_data = map; map->vma = vma; - map->flags = GNTMAP_host_map | GNTMAP_application_map | GNTMAP_contains_pte; + map->flags = GNTMAP_host_map | GNTMAP_application_map; if (!(vma->vm_flags & VM_WRITE)) map->flags |= GNTMAP_readonly; diff --git a/drivers/xen/hypercall.c b/drivers/xen/hypercall.c index 4eb6b34..054826b 100644 --- a/drivers/xen/hypercall.c +++ b/drivers/xen/hypercall.c @@ -11,6 +11,7 @@ #include <asm/xen/hypercall.h> struct mmap_hypercall { + spinlock_t lock; s...
2019 Jun 26
0
[PATCH 04/25] mm: remove MEMORY_DEVICE_PUBLIC support
...if (!is_device_public_page(page)) - return false; - extra++; + return is_device_private_page(page); } /* For file back page */ @@ -2665,11 +2650,6 @@ static void migrate_vma_insert_page(struct migrate_vma *migrate, swp_entry = make_device_private_entry(page, vma->vm_flags & VM_WRITE); entry = swp_entry_to_pte(swp_entry); - } else if (is_device_public_page(page)) { - entry = pte_mkold(mk_pte(page, READ_ONCE(vma->vm_page_prot))); - if (vma->vm_flags & VM_WRITE) - entry = pte_mkwrite(pte_mkdirty(entry)); - entry = pte_mkdevmap(entry); } } else { en...
2019 Aug 27
0
[PATCH 2/2] mm/hmm: hmm_range_fault() infinite loop
...@ -292,6 +292,9 @@ static int hmm_vma_walk_hole_(unsigned long addr, unsigned long end, >> hmm_vma_walk->last = addr; >> i = (addr - range->start) >> PAGE_SHIFT; >> >> + if (write_fault && walk->vma && !(walk->vma->vm_flags & VM_WRITE)) >> + return -EPERM; > > Can walk->vma be NULL here? hmm_vma_do_fault() touches it > unconditionally. > > Jason > walk->vma can be NULL. hmm_vma_do_fault() no longer touches it unconditionally, that is what the preceding patch fixes. I suppose I could change hmm_v...
2020 Jun 21
2
[PATCH 13/16] mm: support THP migration to device private memory
...(unlikely(!pgtable)) > + goto abort; > + > + __SetPageUptodate(page); > + > + if (is_zone_device_page(page)) { > + if (!is_device_private_page(page)) > + goto pgtable_abort; > + entry = swp_entry_to_pmd(make_device_private_entry(page, > + vma->vm_flags & VM_WRITE)); > + } else { > + entry = mk_huge_pmd(page, vma->vm_page_prot); > + entry = maybe_pmd_mkwrite(pmd_mkdirty(entry), vma); > + } > + > + ptl = pmd_lock(mm, pmdp); > + > + if (check_stable_address_space(mm)) > + goto unlock_abort; > + > + /* > + * Check for...
2020 Nov 06
12
[PATCH v3 0/6] mm/hmm/nouveau: add THP migration to migrate_vma_*
This series adds support for transparent huge page migration to migrate_vma_*() and adds nouveau SVM and HMM selftests as consumers. Earlier versions were posted previously [1] and [2]. The patches apply cleanly to the linux-mm 5.10.0-rc2 tree. There are a lot of other THP patches being posted. I don't think there are any semantic conflicts but there may be some merge conflicts depending on
2016 Oct 26
2
CVE-2016-5195 DirtyCOW : Critical Linux Kernel Flaw
...- * page might get reCOWed by userspace write). + * pte_write. We cannot simply drop FOLL_WRITE + * here because the COWed page might be gone by + * the time we do the subsequent page lookups. */ if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE)) - foll_flags &= ~FOLL_WRITE; + foll_flags |= FOLL_COW; cond_resched(); }
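Review bot: Replacing "foll_flags &= ~FOLL_WRITE" with "foll_flags |= FOLL_COW" only has an effect if the subsequent page lookup interprets FOLL_COW, and that consumer is not among the visible lines, so it needs to be reviewed together with this hunk. The rewritten comment explains why FOLL_WRITE can no longer be dropped but never names FOLL_COW. One added sentence saying what the new flag tells the lookup would tie the comment to the code it sits above.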
2016 Oct 25
5
CVE-2016-5195 DirtyCOW : Critical Linux Kernel Flaw
On Tue, 25 Oct 2016 10:06:12 +0200 Christian Anthon <anthon at rth.dk> wrote: > What is the best approach on centos 6 to mitigate the problem is > officially patched? As far as I can tell Centos 6 is vulnerable to > attacks using ptrace. I can confirm that c6 is vulnerable, we're running a patched kernel (local build) using a rhel6 adaptation of the upstream fix. Ask
2020 Sep 02
10
[PATCH v2 0/7] mm/hmm/nouveau: add THP migration to migrate_vma_*
This series adds support for transparent huge page migration to migrate_vma_*() and adds nouveau SVM and HMM selftests as consumers. An earlier version was posted previously [1]. This version now supports splitting a THP midway in the migration process which led to a number of changes. The patches apply cleanly to the current linux-mm tree. Since there are a couple of patches in linux-mm from Dan
2019 Oct 30
0
[PATCH v2 09/15] xen/gntdev: use mmu_range_notifier_insert
...1,10 +1008,6 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma) > vma->vm_flags |= VM_DONTCOPY; > > vma->vm_private_data = map; > - > - if (use_ptemod) > - map->vma = vma; > - > if (map->flags) { > if ((vma->vm_flags & VM_WRITE) && > (map->flags & GNTMAP_readonly)) > @@ -1125,8 +1018,28 @@ static int gntdev_mmap(struct file *flip, struct vm_area_struct *vma) > map->flags |= GNTMAP_readonly; > } > > + if (use_ptemod) { > + map->vma = vma; > + err = mmu_range_notif...
2020 Jun 19
22
[PATCH 00/16] mm/hmm/nouveau: THP mapping and migration
These patches apply to linux-5.8.0-rc1. Patches 1-3 should probably go into 5.8, the others can be queued for 5.9. Patches 4-6 improve the HMM self tests. Patch 7-8 prepare nouveau for the meat of this series which adds support and testing for compound page mapping of system memory (patches 9-11) and compound page migration to device private memory (patches 12-16). Since these changes are split
2024 Jan 24
1
[PATCH] mm: Remove double faults once write a device pfn
...not mention that this problem only exists on arm64 platform. >> >> Ok, that makes at least a little bit more sense. >> >> >> >>> Because on arm64 platform the PTE_RDONLY is automatically attached >> >>> to the userspace pte entries even through VM_WRITE + VM_SHARE. >> >>> The PTE_RDONLY needs to be cleared in vmf_insert_pfn_prot. However >> >>> vmf_insert_pfn_prot do not make the pte writable passing false >> >>> @mkwrite to insert_pfn. >> >> Question is why is arm64 doing this? As far as I...