From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <mm-commits-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-5.7 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 6BE02C07E95
	for <mm-commits@archiver.kernel.org>; Thu,  8 Jul 2021 03:13:41 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by mail.kernel.org (Postfix) with ESMTP id 55D3661158
	for <mm-commits@archiver.kernel.org>; Thu,  8 Jul 2021 03:13:41 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230417AbhGHDQV (ORCPT <rfc822;mm-commits@archiver.kernel.org>);
        Wed, 7 Jul 2021 23:16:21 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40850 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230244AbhGHDQV (ORCPT
        <rfc822;mm-commits@vger.kernel.org>); Wed, 7 Jul 2021 23:16:21 -0400
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4A29EC061574
        for <mm-commits@vger.kernel.org>; Wed,  7 Jul 2021 20:13:39 -0700 (PDT)
Received: by mail-lf1-x129.google.com with SMTP id p1so10443621lfr.12
        for <mm-commits@vger.kernel.org>; Wed, 07 Jul 2021 20:13:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=O55ZQycEnXNCbtVr7Ti0xhqPfnDuHqlpxZ+e4ib1qa0=;
        b=ATYyFZVgIXYRxSSxG9UhCSlgfGO5Y8qN8rbztQQV9mVx0LF+/XIt+7Wehpnw8ybvuz
         BPz0EA991MUrEdapqxxqTVfjfFhIgiaRpjySsCUmIvoPEPu3FhwmGEzFxs3RpIag/RC+
         +aC7Fauzc4YkGO00TiOBXlZhI/LxhHBDOD5U0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=O55ZQycEnXNCbtVr7Ti0xhqPfnDuHqlpxZ+e4ib1qa0=;
        b=MFaugpuhPXgbLhsy0e3ElUaDUy0ApOgt0dv5W4oQlEsW8dKVgJd1+Ny4IHvOsEOiQc
         9oEI6w/521z3MN7VZIPzS4sKV+tn2pL7C/N0MZr0QVZ6Ahp3VvatzgC3KmyVRkJOoHqX
         77xDktMeGqySzbFKV9duf7oB0tKz23vZPeSz7Jl+255ktmd2MBaY0Z3J7dqc45RwV/nK
         TDIdepxdmQn6dCSnv/DEAEnj8NwosmzqOC/GHMf4LB2pAzog88yx5C2A/uGyKul6QMjc
         DfhJHfQbOT+JGom2kRzqnkxek+8Gd8oHXUT5AH0oWrBRgM9QMzIu2JqDYbn0zpXqAZLu
         zioQ==
X-Gm-Message-State: AOAM533odt+M/3Y3q6Bj5Ll1Pp877bOE+zXfRyhDWp83Yj3bqamTw4Zv
        ZHFCn+leF0IGvl9478wsjFEIYHLXKjyFyPb1zE4=
X-Google-Smtp-Source: ABdhPJzzUUdtyWgnLxfI5Ddr1UP5yhAvurUls3q+AHGD0lCyGrWKQCee+SaERaQzWYDZ3CUb4pZ/Aw==
X-Received: by 2002:a05:6512:3c83:: with SMTP id h3mr16718096lfv.387.1625714017477;
        Wed, 07 Jul 2021 20:13:37 -0700 (PDT)
Received: from mail-lf1-f46.google.com (mail-lf1-f46.google.com. [209.85.167.46])
        by smtp.gmail.com with ESMTPSA id m7sm94072ljh.118.2021.07.07.20.13.37
        for <mm-commits@vger.kernel.org>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Wed, 07 Jul 2021 20:13:37 -0700 (PDT)
Received: by mail-lf1-f46.google.com with SMTP id n14so10465148lfu.8
        for <mm-commits@vger.kernel.org>; Wed, 07 Jul 2021 20:13:37 -0700 (PDT)
X-Received: by 2002:a05:6512:374b:: with SMTP id a11mr21266526lfs.377.1625714006574;
 Wed, 07 Jul 2021 20:13:26 -0700 (PDT)
MIME-Version: 1.0
References: <20210707175950.eceddb86c6c555555d4730e2@linux-foundation.org> <20210708010803.i6RiDHM3L%akpm@linux-foundation.org>
In-Reply-To: <20210708010803.i6RiDHM3L%akpm@linux-foundation.org>
From:   Linus Torvalds <torvalds@linux-foundation.org>
Date:   Wed, 7 Jul 2021 20:13:10 -0700
X-Gmail-Original-Message-ID: <CAHk-=whWxnQW=2Rx8uj01nGMGK3oOS9fJZCe6atVP7and5DkWg@mail.gmail.com>
Message-ID: <CAHk-=whWxnQW=2Rx8uj01nGMGK3oOS9fJZCe6atVP7and5DkWg@mail.gmail.com>
Subject: Re: [patch 11/54] mm: introduce memfd_secret system call to create
 "secret" memory areas
To:     Andrew Morton <akpm@linux-foundation.org>
Cc:     Arnd Bergmann <arnd@arndb.de>, Borislav Petkov <bp@alien8.de>,
        Catalin Marinas <catalin.marinas@arm.com>,
        Christoph Lameter <cl@linux.com>,
        Dan Williams <dan.j.williams@intel.com>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        David Hildenbrand <david@redhat.com>,
        "Reshetova, Elena" <elena.reshetova@intel.com>,
        Roman Gushchin <guro@fb.com>,
        Hagen Paul Pfeifer <hagen@jauu.net>,
        Peter Anvin <hpa@zytor.com>,
        James Bottomley <James.Bottomley@hansenpartnership.com>,
        James Bottomley <jejb@linux.ibm.com>,
        "Kirill A . Shutemov" <kirill@shutemov.name>,
        Linux-MM <linux-mm@kvack.org>, kernel test robot <lkp@intel.com>,
        Andrew Lutomirski <luto@kernel.org>,
        Mark Rutland <mark.rutland@arm.com>,
        Ingo Molnar <mingo@redhat.com>, mm-commits@vger.kernel.org,
        Michael Kerrisk-manpages <mtk.manpages@gmail.com>,
        Palmer Dabbelt <palmer@dabbelt.com>,
        Palmer Dabbelt <palmerdabbelt@google.com>,
        Paul Walmsley <paul.walmsley@sifive.com>,
        Peter Zijlstra <peterz@infradead.org>,
        "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
        Mike Rapoport <rppt@linux.ibm.com>,
        Shakeel Butt <shakeelb@google.com>,
        Shuah Khan <shuah@kernel.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Tycho Andersen <tycho@tycho.ws>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Will Deacon <will@kernel.org>,
        Matthew Wilcox <willy@infradead.org>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
Reply-To: linux-kernel@vger.kernel.org
List-ID: <mm-commits.vger.kernel.org>
X-Mailing-List: mm-commits@vger.kernel.org

On Wed, Jul 7, 2021 at 6:08 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>
> From: Mike Rapoport <rppt@linux.ibm.com>
> Subject: mm: introduce memfd_secret system call to create "secret" memory areas
>
> Introduce "memfd_secret" system call with the ability to create memory
> areas visible only in the context of the owning process and not mapped not
> only to other processes but in the kernel page tables as well.

Am I missing something?

>From what I can't tell, this must not be enabled for regular users,
because the secret mapping is effectively mlock'ed into the address
space.

But there does not seem to be any permission checks or any limits, so
this looks like a trivial way for a bad user to force the kernel to
run out of memory.

So this looks entirely unacceptable.

Please tell me what I'm not getting...

             Linus

From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=OeGd=MA=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-5.7 required=3.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 19983C07E95
	for <linux-mm@archiver.kernel.org>; Thu,  8 Jul 2021 03:19:29 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 85D7561C9C
	for <linux-mm@archiver.kernel.org>; Thu,  8 Jul 2021 03:19:28 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 85D7561C9C
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=linux-foundation.org
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id 5783A6B0011; Wed,  7 Jul 2021 23:19:28 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 5009F6B005D; Wed,  7 Jul 2021 23:19:28 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 3527E6B006C; Wed,  7 Jul 2021 23:19:28 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0104.hostedemail.com [216.40.44.104])
	by kanga.kvack.org (Postfix) with ESMTP id 09EC96B0011
	for <linux-mm@kvack.org>; Wed,  7 Jul 2021 23:19:28 -0400 (EDT)
Received: from smtpin30.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay04.hostedemail.com (Postfix) with ESMTP id 53D2026DE3
	for <linux-mm@kvack.org>; Thu,  8 Jul 2021 03:19:27 +0000 (UTC)
X-FDA: 78337965174.30.3C11FC7
Received: from mail-ed1-f45.google.com (mail-ed1-f45.google.com [209.85.208.45])
	by imf14.hostedemail.com (Postfix) with ESMTP id DFB966001AAB
	for <linux-mm@kvack.org>; Thu,  8 Jul 2021 03:19:26 +0000 (UTC)
Received: by mail-ed1-f45.google.com with SMTP id s15so6285454edt.13
        for <linux-mm@kvack.org>; Wed, 07 Jul 2021 20:19:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=O55ZQycEnXNCbtVr7Ti0xhqPfnDuHqlpxZ+e4ib1qa0=;
        b=ATYyFZVgIXYRxSSxG9UhCSlgfGO5Y8qN8rbztQQV9mVx0LF+/XIt+7Wehpnw8ybvuz
         BPz0EA991MUrEdapqxxqTVfjfFhIgiaRpjySsCUmIvoPEPu3FhwmGEzFxs3RpIag/RC+
         +aC7Fauzc4YkGO00TiOBXlZhI/LxhHBDOD5U0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=O55ZQycEnXNCbtVr7Ti0xhqPfnDuHqlpxZ+e4ib1qa0=;
        b=YBXN5XGHbfEuuJMEr0vcmqVQSRRKZHcY3HrKT4eKHNoxUAwLWLk+1J6Xo15PeytR0y
         l9Hv47vvTK2eFk8aF8K3ezATGUaaKm43RQUp8kD3in9KGMFfDHTt0EMzJ6nxi6utLM/q
         C9RIfbKUQ4uWj5WS7TkxWLJ51c7+KnTrEUzcvrV+Gr4hrPZ6vphs74UBf87TO9EY+Q7K
         /ISWrzy779wxmyklnkC75fkORtW7UjSlLtz1Bcqmovbmi+F0ccxUWCEHM0Y45An6NUXd
         Hp9sa+aiqinIc0SYGiFc186YebwGwAv6ijffSOf5/wdPsESBFNAfOU3qO2WOpvvrjhdZ
         PqWg==
X-Gm-Message-State: AOAM533kKk7LfdLy/ixxI2dTe+Yku6MbmaJliFrlnTxik7F5bGgUJt22
	UMwBTkNYaKSHjv6jwVVl+qZVwmcMBQFE8J2W1Dc=
X-Google-Smtp-Source: ABdhPJweUQcItLpY/qK8kEY2S8tRzUd9qKrWO+GyxpVQtaBwysGJs1VFhkJdLDhFsuBpvw7tPvTD/g==
X-Received: by 2002:aa7:db94:: with SMTP id u20mr34645215edt.381.1625714365439;
        Wed, 07 Jul 2021 20:19:25 -0700 (PDT)
Received: from mail-ed1-f47.google.com (mail-ed1-f47.google.com. [209.85.208.47])
        by smtp.gmail.com with ESMTPSA id x2sm414288edv.61.2021.07.07.20.19.25
        for <linux-mm@kvack.org>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Wed, 07 Jul 2021 20:19:25 -0700 (PDT)
Received: by mail-ed1-f47.google.com with SMTP id t3so6331914edc.7
        for <linux-mm@kvack.org>; Wed, 07 Jul 2021 20:19:25 -0700 (PDT)
X-Received: by 2002:a05:6512:374b:: with SMTP id a11mr21266526lfs.377.1625714006574;
 Wed, 07 Jul 2021 20:13:26 -0700 (PDT)
MIME-Version: 1.0
References: <20210707175950.eceddb86c6c555555d4730e2@linux-foundation.org> <20210708010803.i6RiDHM3L%akpm@linux-foundation.org>
In-Reply-To: <20210708010803.i6RiDHM3L%akpm@linux-foundation.org>
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Wed, 7 Jul 2021 20:13:10 -0700
X-Gmail-Original-Message-ID: <CAHk-=whWxnQW=2Rx8uj01nGMGK3oOS9fJZCe6atVP7and5DkWg@mail.gmail.com>
Message-ID: <CAHk-=whWxnQW=2Rx8uj01nGMGK3oOS9fJZCe6atVP7and5DkWg@mail.gmail.com>
Subject: Re: [patch 11/54] mm: introduce memfd_secret system call to create
 "secret" memory areas
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Arnd Bergmann <arnd@arndb.de>, Borislav Petkov <bp@alien8.de>, 
	Catalin Marinas <catalin.marinas@arm.com>, Christoph Lameter <cl@linux.com>, 
	Dan Williams <dan.j.williams@intel.com>, Dave Hansen <dave.hansen@linux.intel.com>, 
	David Hildenbrand <david@redhat.com>, "Reshetova, Elena" <elena.reshetova@intel.com>, 
	Roman Gushchin <guro@fb.com>, Hagen Paul Pfeifer <hagen@jauu.net>, Peter Anvin <hpa@zytor.com>, 
	James Bottomley <James.Bottomley@hansenpartnership.com>, 
	James Bottomley <jejb@linux.ibm.com>, "Kirill A . Shutemov" <kirill@shutemov.name>, Linux-MM <linux-mm@kvack.org>, 
	kernel test robot <lkp@intel.com>, Andrew Lutomirski <luto@kernel.org>, Mark Rutland <mark.rutland@arm.com>, 
	Ingo Molnar <mingo@redhat.com>, mm-commits@vger.kernel.org, 
	Michael Kerrisk-manpages <mtk.manpages@gmail.com>, Palmer Dabbelt <palmer@dabbelt.com>, 
	Palmer Dabbelt <palmerdabbelt@google.com>, Paul Walmsley <paul.walmsley@sifive.com>, 
	Peter Zijlstra <peterz@infradead.org>, "Edgecombe, Rick P" <rick.p.edgecombe@intel.com>, 
	Mike Rapoport <rppt@linux.ibm.com>, Shakeel Butt <shakeelb@google.com>, Shuah Khan <shuah@kernel.org>, 
	Thomas Gleixner <tglx@linutronix.de>, Tycho Andersen <tycho@tycho.ws>, Al Viro <viro@zeniv.linux.org.uk>, 
	Will Deacon <will@kernel.org>, Matthew Wilcox <willy@infradead.org>
Content-Type: text/plain; charset="UTF-8"
X-Stat-Signature: fq6yrrf4m9mi8x6m4qr6jyn4umsytp68
X-Rspamd-Queue-Id: DFB966001AAB
X-Rspamd-Server: rspam01
X-Rspam-User: nil
Authentication-Results: imf14.hostedemail.com;
	dkim=pass header.d=linux-foundation.org header.s=google header.b=ATYyFZVg;
	dmarc=none;
	spf=pass (imf14.hostedemail.com: domain of torvalds@linuxfoundation.org designates 209.85.208.45 as permitted sender) smtp.mailfrom=torvalds@linuxfoundation.org
X-HE-Tag: 1625714366-331032
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

On Wed, Jul 7, 2021 at 6:08 PM Andrew Morton <akpm@linux-foundation.org> wrote:
>
> From: Mike Rapoport <rppt@linux.ibm.com>
> Subject: mm: introduce memfd_secret system call to create "secret" memory areas
>
> Introduce "memfd_secret" system call with the ability to create memory
> areas visible only in the context of the owning process and not mapped not
> only to other processes but in the kernel page tables as well.

Am I missing something?

>From what I can't tell, this must not be enabled for regular users,
because the secret mapping is effectively mlock'ed into the address
space.

But there does not seem to be any permission checks or any limits, so
this looks like a trivial way for a bad user to force the kernel to
run out of memory.

So this looks entirely unacceptable.

Please tell me what I'm not getting...

             Linus