From: Jann Horn
Date: Wed, 28 May 2025 19:51:29 +0200
Subject: [PATCH] hugetlb: block hugetlb file creation if hugetlb is not set up
Message-Id: <20250528-hugetlb-nerf-v1-1-a404ca33e819@google.com>
To: Muchun Song, Oscar Salvador, linux-mm@kvack.org, Andrew Morton
Cc: Lorenzo Stoakes, Jann Horn

Many distro kernels enable hugetlb support, but most systems running those kernels never actually allocate hugepages or enable hugetlb overcommit. On such systems, hugetlb is unusable for any legitimate usecase, but it is still possible to exercise a lot of hugetlb-specific code by creating MAP_HUGETLB|MAP_NORESERVE VMAs - for example, it is still possible to create page tables shared across processes.
This is exposed through the mmap() syscall, with no privileges required, so from a security perspective, this is interesting attack surface.

Lock it down by completely denying creation of hugetlb files if no huge pages for the hstate could be allocated without administratively changing huge page limits.

hstate_is_enabled() is written based on documentation in Documentation/admin-guide/sysctl/vm.rst and Documentation/admin-guide/mm/hugetlbpage.rst, in particular this:

> nr_overcommit_hugepages
> =======================
>
> Change the maximum size of the hugepage pool. The maximum is
> nr_hugepages + nr_overcommit_hugepages.

and this:

> As long as this condition holds--that is, until
> ``nr_hugepages+nr_overcommit_hugepages`` is increased sufficiently, or
> the surplus huge pages go out of use and are freed-- no more surplus
> huge pages will be allowed to be allocated.

Note that, in the userspace API:
- `h->nr_overcommit_huge_pages` is called "nr_overcommit_hugepages"
- `h->max_huge_pages` is called "nr_hugepages"

I am not explicitly marking this for stable backport yet at this point, but I will want to backport this once it's landed in a point release and nobody's complained for a while.

Signed-off-by: Jann Horn
---
@akpm: no rush with this one; probably makes sense to wait for an ack from a hugetlb person before queueing it up, and then send it through mm-unstable like a feature patch.

@Lorenzo: I'm just CCing you as an FYI in case you're interested, it doesn't touch any code outside hugetlb.
---
 fs/hugetlbfs/inode.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
index e4de5425838d..fc03dd541b4d 100644
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -1517,6 +1517,16 @@ static int get_hstate_idx(int page_size_log) return hstate_index(h); } +static bool hstate_is_enabled(struct hstate *h) +{ + bool is_enabled; + + spin_lock_irq(&hugetlb_lock); + is_enabled = h->nr_overcommit_huge_pages || h->max_huge_pages; + spin_unlock_irq(&hugetlb_lock); + return is_enabled; +} + /* * Note that size should be aligned to proper hugepage size in caller side, * otherwise hugetlb_reserve_pages reserves one less hugepages than intended. @@ -1549,6 +1559,15 @@ struct file *hugetlb_file_setup(const char *name, size_t size, return ERR_PTR(-EPERM); } + /* + * If no hugetlb pages of this size are supposed to exist, then don't + * even allow creating a hugetlb file (even if the file has size 0 or + * userspace requests MAP_NORESERVE). + * This limits attack surface for systems that don't use hugetlb. + */ + if (!hstate_is_enabled(HUGETLBFS_SB(mnt->mnt_sb)->hstate)) + return ERR_PTR(-ENOMEM); + file = ERR_PTR(-ENOSPC); /* hugetlbfs_vfsmount[] mounts do not use idmapped mounts. */ inode = hugetlbfs_get_inode(mnt->mnt_sb, &nop_mnt_idmap, NULL, --- base-commit: b1456f6dc167f7f101746e495bede2bac3d0e19f change-id: 20250524-hugetlb-nerf-cc125f7fc187 -- Jann Horn
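Review bot: hstate_is_enabled() in the first hunk (the one at @@ -1517) lacks a comment saying what "enabled" means and that its result is only a snapshot: it reads h->nr_overcommit_huge_pages and h->max_huge_pages under hugetlb_lock, but the lock is released before the caller in hugetlb_file_setup() acts on the returned value, so an administrator lowering nr_hugepages and nr_overcommit_hugepages to zero concurrently can still race one file creation through. That is acceptable for an attack-surface gate rather than a correctness invariant, but the reasoning currently lives only in the commit message (the documentation quotes and the field-to-sysctl mapping), so a later reader could "fix" either the locking or the condition. Suggest a kernel-doc block above the helper along the lines of "Return true if a pool for @h is configured (nr_hugepages) or overcommit is allowed (nr_overcommit_hugepages); the value is a snapshot and may change once hugetlb_lock is dropped."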
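Review bot: The new gate in the second hunk (@@ -1549) sits inside hugetlb_file_setup(), after the existing -EPERM check and right before the inode is created on the hugetlbfs_vfsmount[] mount that the following comment names, so it covers the callers that reach hugetlb files through that internal mount; the commit message's "completely denying creation of hugetlb files" reads broader than that one function. Suggest spelling out the covered entry points in the commit message or the code comment, and stating whether file creation on an administrator-mounted hugetlbfs instance is meant to be in scope, since this hunk does not visibly touch that path. A short note on why -ENOMEM was chosen over the -EPERM and -ENOSPC values already returned from this function would also help, because userspace may switch behaviour on the errno.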
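The patch's policy can be audited from userspace before and after deploying it. The following is an added example, not code from the patch: it mirrors hstate_is_enabled() by reading the sysfs knobs the commit message maps to the two fields (nr_hugepages for h->max_huge_pages, nr_overcommit_hugepages for h->nr_overcommit_huge_pages) under /sys/kernel/mm/hugepages, and reports which huge page sizes a patched kernel would still let an unprivileged mmap(MAP_HUGETLB) use. HUGEPAGES_ROOT is an assumed override so the functions can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the patch): userspace mirror of the patch's
# hstate_is_enabled() policy, read from sysfs. A size is "enabled" when
# nr_hugepages (h->max_huge_pages) or nr_overcommit_hugepages
# (h->nr_overcommit_huge_pages) is non-zero, exactly the condition in the
# patch. HUGEPAGES_ROOT (assumed override) may point at a constructed tree.
HUGEPAGES_ROOT="${HUGEPAGES_ROOT:-/sys/kernel/mm/hugepages}"

# read_sysfs_count FILE: print the non-negative integer in FILE, or 0 when the
# file is missing or unreadable (an absent knob means nothing is configured).
read_sysfs_count() {
    v=""
    if [ -r "$1" ]; then
        v=$(tr -cd '0-9' < "$1")
    fi
    printf '%s\n' "${v:-0}"
}

# hstate_is_enabled DIR: return 0 when DIR (a hugepages-<size> directory)
# describes a size for which the patched kernel would allow hugetlb files.
hstate_is_enabled() {
    nr=$(read_sysfs_count "$1/nr_hugepages")
    over=$(read_sysfs_count "$1/nr_overcommit_hugepages")
    [ "$nr" -gt 0 ] || [ "$over" -gt 0 ]
}

# hugetlb_exposure_report: one line per huge page size; return 0 when at
# least one size is enabled (hugetlb code reachable by mmap), 1 otherwise.
hugetlb_exposure_report() {
    any=1
    for dir in "$HUGEPAGES_ROOT"/hugepages-*; do
        [ -d "$dir" ] || continue
        size=${dir##*/hugepages-}
        nr=$(read_sysfs_count "$dir/nr_hugepages")
        over=$(read_sysfs_count "$dir/nr_overcommit_hugepages")
        if hstate_is_enabled "$dir"; then
            state=enabled; any=0
        else
            state=disabled
        fi
        printf '%s: %s (nr_hugepages=%s nr_overcommit_hugepages=%s)\n' \
            "$size" "$state" "$nr" "$over"
    done
    return "$any"
}

# Report on the running system when executed directly; the status is not
# propagated so a fully disabled host does not abort a calling script.
hugetlb_exposure_report || :
```

A host where every size reports "disabled" is one where the patched kernel refuses MAP_HUGETLB file creation outright; on an unpatched kernel the same host still accepts MAP_HUGETLB|MAP_NORESERVE mappings, which is the gap the patch closes.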