From: Jeff Xu <jeffxu@chromium.org>
To: Pedro Falcato <pedro.falcato@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
"Liam R. Howlett" <Liam.Howlett@oracle.com>,
Vlastimil Babka <vbabka@suse.cz>,
Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
Shuah Khan <shuah@kernel.org>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
linux-kselftest@vger.kernel.org, oliver.sang@intel.com,
torvalds@linux-foundation.org,
Michael Ellerman <mpe@ellerman.id.au>,
Kees Cook <kees@kernel.org>
Subject: Re: [PATCH v3 7/7] selftests/mm: add more mseal traversal tests
Date: Wed, 21 Aug 2024 08:56:28 -0700 [thread overview]
Message-ID: <CABi2SkWPiGJTv3FEPxD1OJYUAoePab8jG+CSd58UHqEsBeOYbA@mail.gmail.com> (raw)
In-Reply-To: <20240817-mseal-depessimize-v3-7-d8d2e037df30@gmail.com>
Hi Pedro
On Fri, Aug 16, 2024 at 5:18 PM Pedro Falcato <pedro.falcato@gmail.com> wrote:
>
> Add more mseal traversal tests across VMAs, where we could possibly
> screw up sealing checks. These test more across-vma traversal for
> mprotect, munmap and madvise. Particularly, we test for the case where a
> regular VMA is followed by a sealed VMA.
>
> Signed-off-by: Pedro Falcato <pedro.falcato@gmail.com>
> ---
> tools/testing/selftests/mm/mseal_test.c | 111 +++++++++++++++++++++++++++++++-
> 1 file changed, 110 insertions(+), 1 deletion(-)
>
> diff --git a/tools/testing/selftests/mm/mseal_test.c b/tools/testing/selftests/mm/mseal_test.c
> index 259bef4945e9..0d4d40fb0f88 100644
> --- a/tools/testing/selftests/mm/mseal_test.c
> +++ b/tools/testing/selftests/mm/mseal_test.c
> @@ -766,6 +766,42 @@ static void test_seal_mprotect_partial_mprotect(bool seal)
> REPORT_TEST_PASS();
> }
>
> +static void test_seal_mprotect_partial_mprotect_tail(bool seal)
> +{
> + void *ptr;
> + unsigned long page_size = getpagesize();
> + unsigned long size = 2 * page_size;
> + int ret;
> + int prot;
> +
> + /*
> + * Check if a partial mseal (that results in two vmas) works correctly.
> + * It might mprotect the first, but it'll never touch the second (msealed) vma.
> + */
> +
> + setup_single_address(size, &ptr);
> + FAIL_TEST_IF_FALSE(ptr != (void *)-1);
> +
> + if (seal) {
> + ret = sys_mseal(ptr + page_size, size);
you are allocating 2 pages , and I assume you are sealing the second
page, so the size should be page_size.
ret = sys_mseal(ptr + page_size, page_size);
> + FAIL_TEST_IF_FALSE(!ret);
> + }
> +
> + ret = sys_mprotect(ptr, size, PROT_EXEC);
> + if (seal)
> + FAIL_TEST_IF_FALSE(ret < 0);
> + else
> + FAIL_TEST_IF_FALSE(!ret);
> +
> + if (seal) {
> + FAIL_TEST_IF_FALSE(get_vma_size(ptr + page_size, &prot) > 0);
> + FAIL_TEST_IF_FALSE(prot == 0x4);
To test partial mprotect, the test needs to add the check for the
first page to be changed, Also to avoid the merge, a PROT_NONE page
can to be added in front.
> + }
> +
> + REPORT_TEST_PASS();
> +}
> +
> +
> static void test_seal_mprotect_two_vma_with_gap(bool seal)
> {
> void *ptr;
> @@ -983,6 +1019,41 @@ static void test_seal_munmap_vma_with_gap(bool seal)
> REPORT_TEST_PASS();
> }
>
> +static void test_seal_munmap_partial_across_vmas(bool seal)
> +{
> + void *ptr;
> + unsigned long page_size = getpagesize();
> + unsigned long size = 2 * page_size;
> + int ret;
> + int prot;
> +
> + /*
> + * Check if a partial mseal (that results in two vmas) works correctly.
> + * It might unmap the first, but it'll never unmap the second (msealed) vma.
> + */
> +
> + setup_single_address(size, &ptr);
> + FAIL_TEST_IF_FALSE(ptr != (void *)-1);
> +
> + if (seal) {
> + ret = sys_mseal(ptr + page_size, size);
ret = sys_mseal(ptr + page_size, page_size);
> + FAIL_TEST_IF_FALSE(!ret);
> + }
> +
> + ret = sys_munmap(ptr, size);
> + if (seal)
> + FAIL_TEST_IF_FALSE(ret < 0);
> + else
> + FAIL_TEST_IF_FALSE(!ret);
> +
> + if (seal) {
> + FAIL_TEST_IF_FALSE(get_vma_size(ptr + page_size, &prot) > 0);
> + FAIL_TEST_IF_FALSE(prot == 0x4);
To test partial unmap, the test needs to add the check for the first
page to be freed, Also to avoid the merge, a PROT_NONE page needs to
be in front.
The test_seal_munmap_partial_across_vmas shows the behavior
difference with in-loop approach and out-loop approach. Previously,
both VMAs will not be freed, now the first VMA will be freed, and the
second VMA (sealed) won't.
This brings to the line you previously mentioned: [1] and I quote:
"munmap is atomic and always has been. It's required by POSIX."
So this is no longer true for the current series. Linux doesn't need
to be POSIX compliant, from previous conversation on this topic with
Linus [2], so I'm open to that. If this is accepted by Linus, it would
be better to add comments on munmap code or tests, for future readers
(in case they are curious about reasoning. )
[1] https://lore.kernel.org/linux-mm/CAKbZUD3_3KN4fAyQsD+=p3PV8svAvVyS278umX40Ehsa+zkz3w@mail.gmail.com/
[2] https://lore.kernel.org/linux-mm/CAHk-=wgDv5vPx2xoxNQh+kbvLsskWubGGGK69cqF_i4FkM-GCw@mail.gmail.com/
> + }
> +
> + REPORT_TEST_PASS();
> +}
> +
> static void test_munmap_start_freed(bool seal)
> {
> void *ptr;
> @@ -1735,6 +1806,37 @@ static void test_seal_discard_ro_anon(bool seal)
> REPORT_TEST_PASS();
> }
>
> +static void test_seal_discard_across_vmas(bool seal)
> +{
> + void *ptr;
> + unsigned long page_size = getpagesize();
> + unsigned long size = 2 * page_size;
> + int ret;
> +
> + setup_single_address(size, &ptr);
> + FAIL_TEST_IF_FALSE(ptr != (void *)-1);
> +
> + if (seal) {
> + ret = seal_single_address(ptr + page_size, page_size);
> + FAIL_TEST_IF_FALSE(!ret);
> + }
> +
> + ret = sys_madvise(ptr, size, MADV_DONTNEED);
> + if (seal)
> + FAIL_TEST_IF_FALSE(ret < 0);
> + else
> + FAIL_TEST_IF_FALSE(!ret);
> +
> + ret = sys_munmap(ptr, size);
> + if (seal)
> + FAIL_TEST_IF_FALSE(ret < 0);
> + else
> + FAIL_TEST_IF_FALSE(!ret);
> +
> + REPORT_TEST_PASS();
> +}
> +
> +
> static void test_seal_madvise_nodiscard(bool seal)
> {
> void *ptr;
> @@ -1779,7 +1881,7 @@ int main(int argc, char **argv)
> if (!pkey_supported())
> ksft_print_msg("PKEY not supported\n");
>
> - ksft_set_plan(82);
> + ksft_set_plan(88);
>
> test_seal_addseal();
> test_seal_unmapped_start();
> @@ -1825,12 +1927,17 @@ int main(int argc, char **argv)
> test_seal_mprotect_split(false);
> test_seal_mprotect_split(true);
>
> + test_seal_mprotect_partial_mprotect_tail(false);
> + test_seal_mprotect_partial_mprotect_tail(true);
> +
> test_seal_munmap(false);
> test_seal_munmap(true);
> test_seal_munmap_two_vma(false);
> test_seal_munmap_two_vma(true);
> test_seal_munmap_vma_with_gap(false);
> test_seal_munmap_vma_with_gap(true);
> + test_seal_munmap_partial_across_vmas(false);
> + test_seal_munmap_partial_across_vmas(true);
>
> test_munmap_start_freed(false);
> test_munmap_start_freed(true);
> @@ -1862,6 +1969,8 @@ int main(int argc, char **argv)
> test_seal_madvise_nodiscard(true);
> test_seal_discard_ro_anon(false);
> test_seal_discard_ro_anon(true);
> + test_seal_discard_across_vmas(false);
> + test_seal_discard_across_vmas(true);
> test_seal_discard_ro_anon_on_rw(false);
> test_seal_discard_ro_anon_on_rw(true);
> test_seal_discard_ro_anon_on_shared(false);
>
> --
> 2.46.0
>
>
next prev parent reply other threads:[~2024-08-21 15:56 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-08-17 0:18 [PATCH v3 0/7] mm: Optimize mseal checks Pedro Falcato
2024-08-17 0:18 ` [PATCH v3 1/7] mm: Move can_modify_vma to mm/vma.h Pedro Falcato
2024-08-19 20:15 ` Liam R. Howlett
2024-08-19 21:00 ` Pedro Falcato
2024-08-21 6:31 ` Lorenzo Stoakes
2024-08-17 0:18 ` [PATCH v3 2/7] mm/munmap: Replace can_modify_mm with can_modify_vma Pedro Falcato
2024-08-19 20:22 ` Liam R. Howlett
2024-08-21 6:40 ` Lorenzo Stoakes
2024-08-21 16:15 ` Jeff Xu
2024-08-21 16:23 ` Pedro Falcato
2024-08-21 16:33 ` Jeff Xu
2024-08-21 17:02 ` Lorenzo Stoakes
2024-08-21 18:25 ` Liam R. Howlett
2024-08-21 17:00 ` Lorenzo Stoakes
2024-08-17 0:18 ` [PATCH v3 3/7] mm/mprotect: " Pedro Falcato
2024-08-19 20:33 ` Liam R. Howlett
2024-08-21 6:51 ` Lorenzo Stoakes
2024-08-17 0:18 ` [PATCH v3 4/7] mm/mremap: " Pedro Falcato
2024-08-19 20:34 ` Liam R. Howlett
2024-08-21 6:53 ` Lorenzo Stoakes
2024-08-17 0:18 ` [PATCH v3 5/7] mseal: Replace can_modify_mm_madv with a vma variant Pedro Falcato
2024-08-19 20:32 ` Liam R. Howlett
2024-08-21 8:41 ` Lorenzo Stoakes
2024-08-17 0:18 ` [PATCH v3 6/7] mm: Remove can_modify_mm() Pedro Falcato
2024-08-19 20:32 ` Liam R. Howlett
2024-08-21 8:42 ` Lorenzo Stoakes
2024-08-17 0:18 ` [PATCH v3 7/7] selftests/mm: add more mseal traversal tests Pedro Falcato
2024-08-18 6:36 ` Pedro Falcato
2024-08-20 15:45 ` Liam R. Howlett
2024-08-21 8:47 ` Lorenzo Stoakes
2024-08-21 15:56 ` Jeff Xu [this message]
2024-08-21 16:20 ` Pedro Falcato
2024-08-21 16:27 ` Jeff Xu
2024-08-21 17:28 ` Pedro Falcato
2024-08-21 17:36 ` Pedro Falcato
2024-08-21 23:37 ` Pedro Falcato
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CABi2SkWPiGJTv3FEPxD1OJYUAoePab8jG+CSd58UHqEsBeOYbA@mail.gmail.com \
--to=jeffxu@chromium.org \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=mpe@ellerman.id.au \
--cc=oliver.sang@intel.com \
--cc=pedro.falcato@gmail.com \
--cc=shuah@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).