From: Minchan Kim <minchan@kernel.org>
To: Jann Horn <jannh@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
LKML <linux-kernel@vger.kernel.org>,
linux-mm <linux-mm@kvack.org>,
Linux API <linux-api@vger.kernel.org>,
Oleksandr Natalenko <oleksandr@redhat.com>,
Suren Baghdasaryan <surenb@google.com>,
Tim Murray <timmurray@google.com>,
Daniel Colascione <dancol@google.com>,
Sandeep Patil <sspatil@google.com>,
Sonny Rao <sonnyrao@google.com>,
Brian Geffon <bgeffon@google.com>, Michal Hocko <mhocko@suse.com>,
Johannes Weiner <hannes@cmpxchg.org>,
Shakeel Butt <shakeelb@google.com>,
John Dias <joaodias@google.com>,
Joel Fernandes <joel@joelfernandes.org>,
Alexander Duyck <alexander.h.duyck@linux.intel.com>
Subject: Re: [PATCH v4 2/8] mm: introduce external memory hinting API
Date: Thu, 13 Feb 2020 08:10:07 -0800 [thread overview]
Message-ID: <20200213161007.GA24649@google.com> (raw)
In-Reply-To: <CAG48ez27=pwm5m_N_988xT1huO7g7h6arTQL44zev6TD-h-7Tg@mail.gmail.com>
Hi Jann,
On Thu, Feb 13, 2020 at 03:08:59PM +0100, Jann Horn wrote:
> On Thu, Feb 13, 2020 at 12:40 AM Minchan Kim <minchan@kernel.org> wrote:
> > To solve the issue, this patch introduces a new syscall process_madvise(2).
> > It uses pidfd of an external process to give the hint.
> [...]
> > + mm = mm_access(task, PTRACE_MODE_ATTACH_FSCREDS);
> > + if (IS_ERR_OR_NULL(mm)) {
> > + ret = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
> > + goto release_task;
> > + }
> > +
> > + ret = do_madvise(task, start, len_in, behavior);
>
> When you're accessing another task, you should ensure that the other
> task doesn't gain new privileges by executing a setuid binary in the
> middle of being accessed. mm_access() does that for you; it holds the
> ->cred_guard_mutex while it is looking up the task's ->mm and doing
> the security check. mm_access() then returns you an mm pointer that
> you're allowed to access without worrying about such things; an
> mm_struct never gains privileges, since a setuid execution creates a
> fresh mm_struct. However, the task may still execute setuid binaries
> and such things.
>
> This means that after you've looked up the mm with mm_access(), you
> have to actually *use* that pointer. You're not allowed to simply read
> task->mm yourself.
>
> Therefore, I think you should:
>
> - change patch 1/8 ("mm: pass task to do_madvise") to also pass an
> mm_struct* to do_madvise (but keep the task_struct* for patch 4/8)
> - in this patch, pass the mm_struct* from mm_access() into do_madvise()
> - drop patch 3/8 ("mm: validate mm in do_madvise"); it just papers
> over a symptom without addressing the underlying problem
Actually, it was what this patch series was doing until last version
but I changed it to reduce just *a parameter* to do_madvise.
And then, this time, I got a good advise I was not familiar.
I will fix it again.
Thanks for the review!
next prev parent reply other threads:[~2020-02-13 16:10 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-12 23:39 [PATCH v4 0/8] introduce memory hinting API for external process Minchan Kim
2020-02-12 23:39 ` Minchan Kim
2020-02-12 23:39 ` [PATCH v4 1/8] mm: pass task to do_madvise Minchan Kim
2020-02-12 23:39 ` Minchan Kim
2020-02-13 0:21 ` Alexander Duyck
2020-02-13 0:21 ` Alexander Duyck
2020-02-13 0:21 ` Alexander Duyck
2020-02-13 17:02 ` Minchan Kim
2020-02-13 17:35 ` Jann Horn
2020-02-13 17:35 ` Jann Horn
2020-02-12 23:39 ` [PATCH v4 2/8] mm: introduce external memory hinting API Minchan Kim
2020-02-13 14:08 ` Jann Horn
2020-02-13 14:08 ` Jann Horn
2020-02-13 16:10 ` Minchan Kim [this message]
2020-02-12 23:39 ` [PATCH v4 3/8] mm: validate mm in do_madvise Minchan Kim
2020-02-12 23:39 ` [PATCH v4 4/8] mm: check fatal signal pending of target process Minchan Kim
2020-02-12 23:39 ` Minchan Kim
2020-02-12 23:39 ` [PATCH v4 5/8] mm/madvise: employ mmget_still_valid for write lock Minchan Kim
2020-02-12 23:39 ` [PATCH v4 6/8] mm/madvise: allow KSM hints for remote API Minchan Kim
2020-02-12 23:39 ` [PATCH v4 7/8] pid: export pidfd_get_pid Minchan Kim
2020-02-12 23:39 ` Minchan Kim
2020-02-13 0:25 ` Alexander Duyck
2020-02-13 0:25 ` Alexander Duyck
2020-02-13 0:25 ` Alexander Duyck
2020-02-13 17:08 ` Minchan Kim
2020-02-12 23:39 ` [PATCH v4 8/8] mm: support both pid and pidfd for process_madvise Minchan Kim
2020-02-13 0:28 ` Alexander Duyck
2020-02-13 0:28 ` Alexander Duyck
2020-02-13 0:28 ` Alexander Duyck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200213161007.GA24649@google.com \
--to=minchan@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=alexander.h.duyck@linux.intel.com \
--cc=bgeffon@google.com \
--cc=dancol@google.com \
--cc=hannes@cmpxchg.org \
--cc=jannh@google.com \
--cc=joaodias@google.com \
--cc=joel@joelfernandes.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mhocko@suse.com \
--cc=oleksandr@redhat.com \
--cc=shakeelb@google.com \
--cc=sonnyrao@google.com \
--cc=sspatil@google.com \
--cc=surenb@google.com \
--cc=timmurray@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.