From: Matthew Wilcox <willy@infradead.org>
To: Pedro Falcato <pfalcato@suse.de>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, linux-hardening@vger.kernel.org,
Kees Cook <kees@kernel.org>, Mateusz Guzik <mjguzik@gmail.com>
Subject: Re: [RFC PATCH] fs/splice: allow for a way to block splice() with read-only files
Date: Sun, 17 May 2026 23:30:23 +0100 [thread overview]
Message-ID: <agpBf3PUA3fW5Nv5@casper.infradead.org> (raw)
In-Reply-To: <agmDiAY-mmlvjX0m@pedro-suse.lan>
On Sun, May 17, 2026 at 10:01:30AM +0100, Pedro Falcato wrote:
> On Sun, May 17, 2026 at 02:17:18AM +0100, Matthew Wilcox wrote:
> > If we have a buggy user which
> > can write to read-only file pages, then it should also be prevented from
> > writing to KSM pages.
>
> Hmm, I see. Are you suggesting we unshare KSM pages here? Or just straight
> up reject them?
>
> Rejecting would be relatively sane if only we had access to the VMA here
> (in normal GUP), testing on folio_test_ksm() is less robust :/
I think we have to unshare? As I understand KSM, it's done to a task,
so it wouldn't be aware that it's done something potentially dangerous
(unlike mapping a read-only file then splicing from it). Also, it'll be
non-deterministic whether any given splice might fail.
Bleh. Maybe just declare KSM to be vulnerable.
next prev parent reply other threads:[~2026-05-17 22:30 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-16 18:21 [RFC PATCH] fs/splice: allow for a way to block splice() with read-only files Pedro Falcato
2026-05-16 23:07 ` Matthew Wilcox
2026-05-17 0:59 ` Pedro Falcato
2026-05-17 1:17 ` Matthew Wilcox
2026-05-17 9:01 ` Pedro Falcato
2026-05-17 22:30 ` Matthew Wilcox [this message]
2026-05-16 23:51 ` Mateusz Guzik
2026-05-17 0:52 ` Pedro Falcato
2026-05-18 11:44 ` Christian Brauner
2026-05-18 12:20 ` Christian Brauner
2026-05-18 13:02 ` Pedro Falcato
2026-05-18 18:59 ` Jann Horn
2026-05-19 6:39 ` Christoph Hellwig
2026-05-19 9:49 ` Christian Brauner
2026-05-19 10:51 ` Mateusz Guzik
2026-05-19 10:59 ` Christian Brauner
2026-05-19 11:56 ` Mateusz Guzik
2026-05-22 13:11 ` Christian Brauner
2026-05-28 12:59 ` Pedro Falcato
2026-05-19 13:28 ` James Bottomley
2026-05-19 16:28 ` Jann Horn
2026-05-23 20:41 ` Askar Safin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=agpBf3PUA3fW5Nv5@casper.infradead.org \
--to=willy@infradead.org \
--cc=brauner@kernel.org \
--cc=jack@suse.cz \
--cc=kees@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mjguzik@gmail.com \
--cc=pfalcato@suse.de \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox