From: Miklos Szeredi <miklos@szeredi.hu>
To: "Christian König" <christian.koenig@amd.com>
Cc: linux-fsdevel@vger.kernel.org, linux-mm <linux-mm@kvack.org>,
	Chengguang Xu <cgxu519@mykernel.net>,
	overlayfs <linux-unionfs@vger.kernel.org>
Subject: Re: [PATCH] ovl: fix mmap denywrite
Date: Fri, 9 Jul 2021 15:48:29 +0200
Message-ID: <YOhTrVWYi1aFY3o0@miu.piliscsaba.redhat.com>
In-Reply-To: <8d9ac67c-8e97-3f53-95b8-548a8bec6358@amd.com>

On Wed, Jun 23, 2021 at 01:41:02PM +0200, Christian König wrote:
> 
> 
> On 22.06.21 at 17:10, Miklos Szeredi wrote:
> > On Tue, 22 Jun 2021 at 14:43, Christian König <christian.koenig@amd.com> wrote:
> > > On 22.06.21 at 14:30, Miklos Szeredi wrote:
> > > > Overlayfs did not honor positive i_writecount on realfile for VM_DENYWRITE
> > > > mappings.  Similarly negative i_mmap_writable counts were ignored for
> > > > VM_SHARED mappings.
> > > > 
> > > > Fix by making vma_set_file() switch the temporary counts obtained and
> > > > released by mmap_region().
> > > Mhm, I don't fully understand the background but that looks like
> > > something specific to overlayfs to me.
> > > 
> > > So why are you changing the common helper?
> > Need to hold the temporary counts until the final ones are obtained in
> > vma_link(), which is out of overlayfs' scope.
> 
> Ah! So basically we need to move the denial counts which mmap_region() added
> to the original file to the new one as well. That's indeed a rather good
> point.
> 
> Can you rather change the vma_set_file() function to return the error and
> add a __must_check?
> 
> I can take care of fixing the users in DMA-buf and DRM subsystem.

Okay, but changing to __must_check has to be the last step to avoid compile
errors.  This v2 is with __must_check commented out.

Thanks,
Miklos
---

From: Miklos Szeredi <mszeredi@redhat.com>
Subject: [PATCH v2] ovl: fix mmap denywrite

Overlayfs did not honor positive i_writecount on realfile for VM_DENYWRITE
mappings.  Similarly negative i_mmap_writable counts were ignored for
VM_SHARED mappings.

Fix by making vma_set_file() switch the temporary counts obtained and
released by mmap_region().

Reported-by: Chengguang Xu <cgxu519@mykernel.net>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
---
 fs/overlayfs/file.c |    4 +++-
 include/linux/mm.h  |    2 +-
 mm/mmap.c           |    2 +-
 mm/util.c           |   27 ++++++++++++++++++++++++++-
 4 files changed, 31 insertions(+), 4 deletions(-)

--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -430,7 +430,9 @@ static int ovl_mmap(struct file *file, s
 	if (WARN_ON(file != vma->vm_file))
 		return -EIO;
 
-	vma_set_file(vma, realfile);
+	ret = vma_set_file(vma, realfile);
+	if (ret)
+		return ret;
 
 	old_cred = ovl_override_creds(file_inode(file)->i_sb);
 	ret = call_mmap(vma->vm_file, vma);
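Review bot: The new early return after vma_set_file() in ovl_mmap() hands the caller whatever deny_write_access() or mapping_map_writable() returned for realfile, and nothing here says so. A one-line comment above the check would help, for example that the mapping is refused because the real file's write or mmap-writable counts conflict with the requested vm_flags. The placement itself looks right: the return sits before ovl_override_creds(), so there are no credentials to revert, and per the mm/util.c hunk vma->vm_file is only swapped after both counts were obtained, so on failure the vma still points at the overlay file.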
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -2776,7 +2776,7 @@ static inline void vma_set_page_prot(str
 }
 #endif
 
-void vma_set_file(struct vm_area_struct *vma, struct file *file);
+int /* __must_check */ vma_set_file(struct vm_area_struct *vma, struct file *file);
 
 #ifdef CONFIG_NUMA_BALANCING
 unsigned long change_prot_numa(struct vm_area_struct *vma,
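Review bot: The commented-out annotation in "int /* __must_check */ vma_set_file(...)" leaves the prototype with a placeholder and no enforcement, so until the follow-up lands any other caller of vma_set_file() that ignores the result still compiles silently and drops the error. Consider leaving the placeholder out of this patch and adding __must_check in the final patch of the series once the remaining users are converted, and document the return value (0 or a negative errno) at the declaration or the definition so converted callers know what to propagate.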
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1807,6 +1807,7 @@ unsigned long mmap_region(struct file *f
 		 */
 		vma->vm_file = get_file(file);
 		error = call_mmap(file, vma);
+		file = vma->vm_file;
 		if (error)
 			goto unmap_and_free_vma;
 
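Review bot: The added "file = vma->vm_file;" sits before the "if (error)" test, so the unmap_and_free_vma path now also runs with file pointing at whatever ->mmap() left in vma->vm_file rather than the file passed into mmap_region(). That appears to be the intent, since vma_set_file() moves the temporary counts to the replacement, but it is not obvious from the code. Please add a comment on this line stating that ->mmap() may have replaced vm_file through vma_set_file() and that the temporary counts now belong to that file, and confirm that every use of file on the error path expects the replacement.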
@@ -1868,7 +1869,6 @@ unsigned long mmap_region(struct file *f
 		if (vm_flags & VM_DENYWRITE)
 			allow_write_access(file);
 	}
-	file = vma->vm_file;
 out:
 	perf_event_mmap(vma);
 
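Review bot: With the late "file = vma->vm_file;" removed, the allow_write_access(file) call in the context lines above now releases the count on the file that was picked up right after call_mmap(). That is only balanced if the ->mmap() implementation changed vm_file through vma_set_file(), which transfers the counts. Is there any remaining code that assigns vma->vm_file directly during ->mmap()? If so, it would now release counts on a file that never held them. A sentence in the commit message or a comment near this block stating that requirement would make the dependency explicit.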
--- a/mm/util.c
+++ b/mm/util.c
@@ -314,12 +314,37 @@ int vma_is_stack_for_current(struct vm_a
 /*
  * Change backing file, only valid to use during initial VMA setup.
  */
-void vma_set_file(struct vm_area_struct *vma, struct file *file)
+int vma_set_file(struct vm_area_struct *vma, struct file *file)
 {
+	vm_flags_t vm_flags = vma->vm_flags;
+	int err = 0;
+
 	/* Changing an anonymous vma with this is illegal */
 	get_file(file);
+
+	/* Get temporary denial counts on replacement */
+	if (vm_flags & VM_DENYWRITE) {
+		err = deny_write_access(file);
+		if (err)
+			goto out_put;
+	}
+	if (vm_flags & VM_SHARED) {
+		err = mapping_map_writable(file->f_mapping);
+		if (err)
+			goto out_allow;
+	}
+
 	swap(vma->vm_file, file);
+
+	/* Undo temporary denial counts on replaced */
+	if (vm_flags & VM_SHARED)
+		mapping_unmap_writable(file->f_mapping);
+out_allow:
+	if (vm_flags & VM_DENYWRITE)
+		allow_write_access(file);
+out_put:
 	fput(file);
+	return err;
 }
 EXPORT_SYMBOL(vma_set_file);
 
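Review bot: The cleanup labels out_allow and out_put in vma_set_file() depend on swap() changing which file the local variable refers to: on the error paths file is still the replacement, so the temporary counts just taken on it are undone, while on the success path file is the replaced file and the fall-through releases its counts. The logic checks out, but it is easy to break in a later edit. Please add a comment at swap() saying that file refers to the old vm_file from that point on, or use a separate local for the old file. Two smaller points: the function now returns an error but the comment above it does not describe the return value, and "Changing an anonymous vma with this is illegal" is still only a comment while the new code dereferences file->f_mapping on the replaced file after the swap, so a WARN_ON for a NULL vma->vm_file at entry would turn that rule into a check.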
