From: Jiri Kosina <jikos@kernel.org>
To: Dominique Martinet <asmadeus@codewreck.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Andy Lutomirski <luto@amacapital.net>,
Josh Snyder <joshs@netflix.com>,
Dave Chinner <david@fromorbit.com>,
Matthew Wilcox <willy@infradead.org>,
Jann Horn <jannh@google.com>,
Andrew Morton <akpm@linux-foundation.org>,
Greg KH <gregkh@linuxfoundation.org>,
Peter Zijlstra <peterz@infradead.org>,
Michal Hocko <mhocko@suse.com>, Linux-MM <linux-mm@kvack.org>,
kernel list <linux-kernel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>
Subject: Re: [PATCH] mm/mincore: allow for making sys_mincore() privileged
Date: Thu, 24 Jan 2019 15:25:53 +0100 (CET) [thread overview]
Message-ID: <nycvar.YFH.7.76.1901241523500.6626@cbobk.fhfr.pm> (raw)
Message-ID: <20190124142553.TuUd9QgBsUy4K_JgJbPiKmzLxU7sXn73IRtDP0CP3_I@z> (raw)
In-Reply-To: <20190124124501.GA18012@nautica>
[-- Attachment #1: Type: text/plain, Size: 591 bytes --]
On Thu, 24 Jan 2019, Dominique Martinet wrote:
> Jiri, you've offered resubmitting the last two patches properly, can you
> incorporate this change or should I just send this directly? (I'd take
> most of your commit message and add your name somewhere)
I've been running some basic smoke testing with the kernel from
https://git.kernel.org/pub/scm/linux/kernel/git/jikos/jikos.git/log/?h=pagecache-sidechannel-v2
(attaching the respective two patches to apply on top of latest Linus'
tree to this mail as well), and everything looks good so far.
Thanks,
--
Jiri Kosina
SUSE Labs
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: Type: text/x-patch; name=0001-mm-mincore-make-mincore-more-conservative.patch, Size: 2335 bytes --]
From 9810565f1d5f966a84900cdcb85e33aa7571afbe Mon Sep 17 00:00:00 2001
From: Jiri Kosina <jkosina@suse.cz>
Date: Wed, 16 Jan 2019 20:53:17 +0100
Subject: [PATCH 1/2] mm/mincore: make mincore() more conservative
The semantics of what mincore() considers to be resident is not completely
clear, but Linux has always (since 2.3.52, which is when mincore() was
initially done) treated it as "page is available in page cache".
That's potentially a problem, as that [in]directly exposes meta-information
about pagecache / memory mapping state even about memory not strictly belonging
to the process executing the syscall, opening possibilities for sidechannel
attacks.
Change the semantics of mincore() so that it only reveals pagecache information
for non-anonymous mappings that belog to files that the calling process could
(if it tried to) successfully open for writing.
Originally-by: Linus Torvalds <torvalds@linux-foundation.org>
Originally-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
mm/mincore.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/mm/mincore.c b/mm/mincore.c
index 218099b5ed31..747a4907a3ac 100644
--- a/mm/mincore.c
+++ b/mm/mincore.c
@@ -169,6 +169,14 @@ static int mincore_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
return 0;
}
+static inline bool can_do_mincore(struct vm_area_struct *vma)
+{
+ return vma_is_anonymous(vma) ||
+ (vma->vm_file &&
+ (inode_owner_or_capable(file_inode(vma->vm_file))
+ || inode_permission(file_inode(vma->vm_file), MAY_WRITE) == 0));
+}
+
/*
* Do a chunk of "sys_mincore()". We've already checked
* all the arguments, we hold the mmap semaphore: we should
@@ -189,8 +197,13 @@ static long do_mincore(unsigned long addr, unsigned long pages, unsigned char *v
vma = find_vma(current->mm, addr);
if (!vma || addr < vma->vm_start)
return -ENOMEM;
- mincore_walk.mm = vma->vm_mm;
end = min(vma->vm_end, addr + (pages << PAGE_SHIFT));
+ if (!can_do_mincore(vma)) {
+ unsigned long pages = (end - addr) >> PAGE_SHIFT;
+ memset(vec, 1, pages);
+ return pages;
+ }
+ mincore_walk.mm = vma->vm_mm;
err = walk_page_range(addr, end, &mincore_walk);
if (err < 0)
return err;
--
2.12.3
[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #3: Type: text/x-patch; name=0002-mm-filemap-initiate-readahead-even-if-IOCB_NOWAIT-is.patch, Size: 1368 bytes --]
From f287185fc5e0ffbbb380f2d68dd19290715829a8 Mon Sep 17 00:00:00 2001
From: Jiri Kosina <jkosina@suse.cz>
Date: Wed, 16 Jan 2019 21:06:58 +0100
Subject: [PATCH 2/2] mm/filemap: initiate readahead even if IOCB_NOWAIT is set
for the I/O
preadv2(RWF_NOWAIT) can be used to open a side-channel to pagecache contents, as
it reveals metadata about residency of pages in pagecache.
If preadv2(RWF_NOWAIT) returns immediately, it provides a clear "page not
resident" information, and vice versa.
Close that sidechannel by always initiating readahead on the cache if we
encounter a cache miss for preadv2(RWF_NOWAIT); with that in place, probing
the pagecache residency itself will actually populate the cache, making the
sidechannel useless.
Originally-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
---
mm/filemap.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/mm/filemap.c b/mm/filemap.c
index 9f5e323e883e..7bcdd36e629d 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -2075,8 +2075,6 @@ static ssize_t generic_file_buffered_read(struct kiocb *iocb,
page = find_get_page(mapping, index);
if (!page) {
- if (iocb->ki_flags & IOCB_NOWAIT)
- goto would_block;
page_cache_sync_readahead(mapping,
ra, filp,
index, last_index - index);
--
2.12.3
next prev parent reply other threads:[~2019-01-24 14:25 UTC|newest]
Thread overview: 215+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-05 17:27 [PATCH] mm/mincore: allow for making sys_mincore() privileged Jiri Kosina
2019-01-05 17:27 ` Jiri Kosina
2019-01-05 19:14 ` Vlastimil Babka
2019-01-05 19:24 ` Jiri Kosina
2019-01-05 19:24 ` Jiri Kosina
2019-01-05 19:38 ` Vlastimil Babka
2019-01-08 9:14 ` Bernd Petrovitsch
2019-01-08 11:37 ` Jiri Kosina
2019-01-08 11:37 ` Jiri Kosina
2019-01-08 13:53 ` Bernd Petrovitsch
2019-01-08 14:08 ` Kirill A. Shutemov
2019-01-05 19:44 ` kbuild test robot
2019-01-05 19:46 ` Linus Torvalds
2019-01-05 19:46 ` Linus Torvalds
2019-01-05 20:12 ` Jiri Kosina
2019-01-05 20:12 ` Jiri Kosina
2019-01-05 20:17 ` Linus Torvalds
2019-01-05 20:17 ` Linus Torvalds
2019-01-05 20:43 ` Jiri Kosina
2019-01-05 20:43 ` Jiri Kosina
2019-01-05 21:54 ` Linus Torvalds
2019-01-05 21:54 ` Linus Torvalds
2019-01-06 11:33 ` Kevin Easton
2019-01-08 8:50 ` Kevin Easton
2019-01-18 14:23 ` Tejun Heo
2019-01-05 20:13 ` Linus Torvalds
2019-01-05 20:13 ` Linus Torvalds
2019-01-05 19:56 ` kbuild test robot
2019-01-05 22:54 ` Jann Horn
2019-01-05 22:54 ` Jann Horn
2019-01-05 23:05 ` Linus Torvalds
2019-01-05 23:05 ` Linus Torvalds
2019-01-05 23:16 ` Linus Torvalds
2019-01-05 23:16 ` Linus Torvalds
2019-01-05 23:28 ` Linus Torvalds
2019-01-05 23:28 ` Linus Torvalds
2019-01-05 23:39 ` Linus Torvalds
2019-01-05 23:39 ` Linus Torvalds
2019-01-06 0:11 ` Matthew Wilcox
2019-01-06 0:22 ` Linus Torvalds
2019-01-06 0:22 ` Linus Torvalds
2019-01-06 1:50 ` Linus Torvalds
2019-01-06 1:50 ` Linus Torvalds
2019-01-06 21:46 ` Linus Torvalds
2019-01-06 21:46 ` Linus Torvalds
2019-01-08 4:43 ` Dave Chinner
2019-01-08 17:57 ` Linus Torvalds
2019-01-08 17:57 ` Linus Torvalds
2019-01-09 2:24 ` Dave Chinner
2019-01-09 2:31 ` Jiri Kosina
2019-01-09 2:31 ` Jiri Kosina
2019-01-09 4:39 ` Dave Chinner
2019-01-09 10:08 ` Jiri Kosina
2019-01-09 10:08 ` Jiri Kosina
2019-01-10 1:15 ` Dave Chinner
2019-01-10 7:54 ` Jiri Kosina
2019-01-10 7:54 ` Jiri Kosina
2019-01-09 18:25 ` Linus Torvalds
2019-01-09 18:25 ` Linus Torvalds
2019-01-10 0:44 ` Dave Chinner
2019-01-10 1:18 ` Linus Torvalds
2019-01-10 1:18 ` Linus Torvalds
2019-01-10 5:26 ` Andy Lutomirski
2019-01-10 5:26 ` Andy Lutomirski
2019-01-10 14:47 ` Matthew Wilcox
2019-01-10 21:44 ` Dave Chinner
2019-01-10 21:59 ` Linus Torvalds
2019-01-10 21:59 ` Linus Torvalds
2019-01-11 1:47 ` Dave Chinner
2019-01-10 7:03 ` Dave Chinner
2019-01-10 11:47 ` Linus Torvalds
2019-01-10 11:47 ` Linus Torvalds
2019-01-10 12:24 ` Dominique Martinet
2019-01-10 12:24 ` Dominique Martinet
2019-01-10 22:11 ` Linus Torvalds
2019-01-10 22:11 ` Linus Torvalds
2019-01-11 2:03 ` Dave Chinner
2019-01-11 2:18 ` Linus Torvalds
2019-01-11 2:18 ` Linus Torvalds
2019-01-11 4:04 ` Dave Chinner
2019-01-11 4:08 ` Andy Lutomirski
2019-01-11 7:20 ` Dave Chinner
2019-01-11 7:08 ` Linus Torvalds
2019-01-11 7:08 ` Linus Torvalds
2019-01-11 7:36 ` Dave Chinner
2019-01-11 16:26 ` Linus Torvalds
2019-01-11 16:26 ` Linus Torvalds
2019-01-15 23:45 ` Dave Chinner
2019-01-16 4:54 ` Linus Torvalds
2019-01-16 4:54 ` Linus Torvalds
2019-01-16 5:49 ` Linus Torvalds
2019-01-16 5:49 ` Linus Torvalds
2019-01-17 1:26 ` Dave Chinner
2019-02-20 15:49 ` Nicolai Stange
2019-01-11 4:57 ` Dominique Martinet
2019-01-11 7:11 ` Linus Torvalds
2019-01-11 7:11 ` Linus Torvalds
2019-01-11 7:32 ` Dominique Martinet
2019-01-16 0:42 ` Josh Snyder
2019-01-16 5:00 ` Linus Torvalds
2019-01-16 5:00 ` Linus Torvalds
2019-01-16 5:25 ` Andy Lutomirski
2019-01-16 5:34 ` Linus Torvalds
2019-01-16 5:34 ` Linus Torvalds
2019-01-16 5:46 ` Dominique Martinet
2019-01-16 5:58 ` Linus Torvalds
2019-01-16 5:58 ` Linus Torvalds
2019-01-16 6:34 ` Dominique Martinet
2019-01-16 7:52 ` Josh Snyder
2019-01-16 7:52 ` Josh Snyder
2019-01-16 12:18 ` Kevin Easton
2019-01-17 21:45 ` Vlastimil Babka
2019-01-18 4:49 ` Linus Torvalds
2019-01-18 4:49 ` Linus Torvalds
2019-01-18 18:58 ` Vlastimil Babka
2019-01-16 16:12 ` Jiri Kosina
2019-01-16 16:12 ` Jiri Kosina
2019-01-16 17:48 ` Linus Torvalds
2019-01-16 17:48 ` Linus Torvalds
2019-01-16 20:23 ` Jiri Kosina
2019-01-16 20:23 ` Jiri Kosina
2019-01-16 21:37 ` Matthew Wilcox
2019-01-16 21:41 ` Jiri Kosina
2019-01-16 21:41 ` Jiri Kosina
2019-01-17 9:52 ` Cyril Hrubis
2019-01-28 13:49 ` Cyril Hrubis
2019-01-17 4:51 ` Linus Torvalds
2019-01-17 4:51 ` Linus Torvalds
2019-01-18 4:54 ` Linus Torvalds
2019-01-18 4:54 ` Linus Torvalds
2019-01-17 1:49 ` Dominique Martinet
2019-01-23 20:27 ` Linus Torvalds
2019-01-23 20:27 ` Linus Torvalds
2019-01-23 20:35 ` Linus Torvalds
2019-01-23 20:35 ` Linus Torvalds
2019-01-23 23:12 ` Jiri Kosina
2019-01-23 23:12 ` Jiri Kosina
2019-01-24 0:20 ` Linus Torvalds
2019-01-24 0:20 ` Linus Torvalds
2019-01-24 0:24 ` Dominique Martinet
2019-01-24 12:45 ` Dominique Martinet
2019-01-24 14:25 ` Jiri Kosina [this message]
2019-01-24 14:25 ` Jiri Kosina
2019-01-27 22:35 ` Jiri Kosina
2019-01-27 22:35 ` Jiri Kosina
2019-01-28 0:05 ` Dominique Martinet
2019-01-29 23:52 ` Jiri Kosina
2019-01-30 9:09 ` Michal Hocko
2019-01-30 12:29 ` Jiri Kosina
2019-01-16 12:36 ` Matthew Wilcox
2019-01-10 14:50 ` Matthew Wilcox
2019-01-11 7:36 ` Jiri Kosina
2019-01-11 7:36 ` Jiri Kosina
2019-01-17 2:22 ` Dave Chinner
2019-01-17 8:18 ` Jiri Kosina
2019-01-17 8:18 ` Jiri Kosina
2019-01-17 21:06 ` Dave Chinner
2019-01-07 4:32 ` Dominique Martinet
2019-01-07 10:33 ` Vlastimil Babka
2019-01-07 11:08 ` Dominique Martinet
2019-01-07 11:59 ` Vlastimil Babka
2019-01-07 13:29 ` Daniel Gruss
2019-01-07 10:10 ` Michael Ellerman
2019-01-05 23:09 ` Jiri Kosina
2019-01-05 23:09 ` Jiri Kosina
2019-01-30 12:44 ` [PATCH 0/3] mincore() and IOCB_NOWAIT adjustments Vlastimil Babka
2019-01-30 12:44 ` [PATCH 1/3] mm/mincore: make mincore() more conservative Vlastimil Babka
2019-01-31 9:43 ` Michal Hocko
2019-01-31 9:51 ` Dominique Martinet
2019-01-31 17:46 ` Josh Snyder
2019-02-01 8:56 ` Vlastimil Babka
2019-03-06 23:13 ` Andrew Morton
2019-03-07 0:01 ` Jiri Kosina
2019-03-07 0:40 ` Dominique Martinet
2019-03-07 5:46 ` Jiri Kosina
2019-01-30 12:44 ` [PATCH 2/3] mm/filemap: initiate readahead even if IOCB_NOWAIT is set for the I/O Vlastimil Babka
2019-01-30 15:04 ` Florian Weimer
2019-01-30 15:15 ` Jiri Kosina
2019-01-31 10:47 ` Florian Weimer
2019-01-31 11:34 ` Jiri Kosina
2019-01-31 9:56 ` Michal Hocko
2019-01-31 10:15 ` Jiri Kosina
2019-01-31 10:23 ` Michal Hocko
2019-01-31 10:30 ` Jiri Kosina
2019-01-31 11:32 ` Michal Hocko
2019-01-31 17:54 ` Linus Torvalds
2019-02-01 5:13 ` Dave Chinner
2019-02-01 7:05 ` Linus Torvalds
2019-02-01 7:21 ` Linus Torvalds
2019-02-01 1:44 ` Dave Chinner
2019-02-12 15:48 ` Jiri Kosina
2019-01-31 12:04 ` Daniel Gruss
2019-01-31 12:06 ` Vlastimil Babka
2019-01-31 12:08 ` Jiri Kosina
2019-01-31 12:57 ` Daniel Gruss
2019-01-30 12:44 ` [PATCH 3/3] mm/mincore: provide mapped status when cached status is not allowed Vlastimil Babka
2019-01-31 10:09 ` Michal Hocko
2019-02-01 9:04 ` Vlastimil Babka
2019-02-01 9:11 ` Michal Hocko
2019-02-01 9:27 ` Vlastimil Babka
2019-02-06 20:14 ` Jiri Kosina
2019-02-12 3:44 ` Jiri Kosina
2019-02-12 6:36 ` Michal Hocko
2019-02-12 13:09 ` Jiri Kosina
2019-02-12 14:01 ` Michal Hocko
2019-03-06 12:11 ` [PATCH 0/3] mincore() and IOCB_NOWAIT adjustments Jiri Kosina
2019-03-06 22:35 ` Andrew Morton
2019-03-06 22:48 ` Jiri Kosina
2019-03-06 23:23 ` Andrew Morton
2019-03-06 23:32 ` Dominique Martinet
2019-03-06 23:38 ` Andrew Morton
2019-03-09 16:53 ` Linus Torvalds
2019-03-12 14:17 ` [PATCH v2 0/2] prevent mincore() page cache leaks Vlastimil Babka
2019-03-12 14:17 ` [PATCH v2 1/2] mm/mincore: make mincore() more conservative Vlastimil Babka
2019-03-12 14:17 ` [PATCH v2 2/2] mm/mincore: provide mapped status when cached status is not allowed Vlastimil Babka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=nycvar.YFH.7.76.1901241523500.6626@cbobk.fhfr.pm \
--to=jikos@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=asmadeus@codewreck.org \
--cc=david@fromorbit.com \
--cc=gregkh@linuxfoundation.org \
--cc=jannh@google.com \
--cc=joshs@netflix.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@amacapital.net \
--cc=mhocko@suse.com \
--cc=peterz@infradead.org \
--cc=torvalds@linux-foundation.org \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).