Linux filesystem development
 help / color / mirror / Atom feed
From: Matthew Wilcox <willy@infradead.org>
To: Pedro Falcato <pfalcato@suse.de>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, linux-hardening@vger.kernel.org,
	Kees Cook <kees@kernel.org>, Mateusz Guzik <mjguzik@gmail.com>
Subject: Re: [RFC PATCH] fs/splice: allow for a way to block splice() with read-only files
Date: Sun, 17 May 2026 23:30:23 +0100	[thread overview]
Message-ID: <agpBf3PUA3fW5Nv5@casper.infradead.org> (raw)
In-Reply-To: <agmDiAY-mmlvjX0m@pedro-suse.lan>

On Sun, May 17, 2026 at 10:01:30AM +0100, Pedro Falcato wrote:
> On Sun, May 17, 2026 at 02:17:18AM +0100, Matthew Wilcox wrote:
> > If we have a buggy user which
> > can write to read-only file pages, then it should also be prevented from
> > writing to KSM pages.
> 
> Hmm, I see. Are you suggesting we unshare KSM pages here? Or just straight
> up reject them?
> 
> Rejecting would be relatively sane if only we had access to the VMA here
> (in normal GUP), testing on folio_test_ksm() is less robust :/

I think we have to unshare?  As I understand KSM, it's done to a task,
so it wouldn't be aware that it's done something potentially dangerous
(unlike mapping a read-only file then splicing from it).  Also, it'll be
non-deterministic whether any given splice might fail.

Bleh.  Maybe just declare KSM to be vulnerable.

  reply	other threads:[~2026-05-17 22:30 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-16 18:21 [RFC PATCH] fs/splice: allow for a way to block splice() with read-only files Pedro Falcato
2026-05-16 23:07 ` Matthew Wilcox
2026-05-17  0:59   ` Pedro Falcato
2026-05-17  1:17     ` Matthew Wilcox
2026-05-17  9:01       ` Pedro Falcato
2026-05-17 22:30         ` Matthew Wilcox [this message]
2026-05-16 23:51 ` Mateusz Guzik
2026-05-17  0:52   ` Pedro Falcato
2026-05-18 11:44   ` Christian Brauner
2026-05-18 12:20 ` Christian Brauner
2026-05-18 13:02   ` Pedro Falcato
2026-05-18 18:59   ` Jann Horn
2026-05-19  6:39     ` Christoph Hellwig
2026-05-19  9:49     ` Christian Brauner
2026-05-19 10:51       ` Mateusz Guzik
2026-05-19 10:59         ` Christian Brauner
2026-05-19 11:56           ` Mateusz Guzik
2026-05-22 13:11             ` Christian Brauner
2026-05-28 12:59               ` Pedro Falcato
2026-05-19 13:28         ` James Bottomley
2026-05-19 16:28         ` Jann Horn
2026-05-23 20:41       ` Askar Safin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=agpBf3PUA3fW5Nv5@casper.infradead.org \
    --to=willy@infradead.org \
    --cc=brauner@kernel.org \
    --cc=jack@suse.cz \
    --cc=kees@kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=mjguzik@gmail.com \
    --cc=pfalcato@suse.de \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox