From: David Hildenbrand <david@redhat.com>
To: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>,
Andrew Morton <akpm@linux-foundation.org>
Cc: "Liam R . Howlett" <Liam.Howlett@oracle.com>,
Vlastimil Babka <vbabka@suse.cz>, Jann Horn <jannh@google.com>,
Pedro Falcato <pfalcato@suse.de>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Jeff Xu <jeffxu@chromium.org>
Subject: Re: [PATCH v3 2/5] mm/mseal: update madvise() logic
Date: Fri, 25 Jul 2025 00:12:54 +0200 [thread overview]
Message-ID: <4f66d89a-631a-43eb-b4f9-c9a0b44caaae@redhat.com> (raw)
In-Reply-To: <ec480dc1fd4ce04bb11c0acac6c6da78dc6f4156.1752687069.git.lorenzo.stoakes@oracle.com>
On 16.07.25 19:38, Lorenzo Stoakes wrote:
> The madvise() logic is inexplicably performed in mm/mseal.c - this ought
> to be located in mm/madvise.c.
>
> Additionally can_modify_vma_madv() is inconsistently named and, in
> combination with is_ro_anon(), is very confusing logic.
>
> Put a static function in mm/madvise.c instead - can_madvise_modify() -
> that spells out exactly what's happening. Also explicitly check for an
> anon VMA.
>
> Also add commentary to explain what's going on.
>
> Essentially - we disallow discarding of data in mseal()'d mappings in
> instances where the user couldn't otherwise write to that data.
>
> Shared mappings are always backed, so no discard will actually truly
> discard the data. Read-only anonymous and MAP_PRIVATE file-backed
> mappings are the ones we are interested in.
>
> We make a change to the logic here to correct a mistake - we must disallow
> discard of read-only MAP_PRIVATE file-backed mappings, which previously we
> were not.
>
> The justification for this change is to account for the case where:
>
> 1. A MAP_PRIVATE R/W file-backed mapping is established.
> 2. The mapping is written to, which backs it with anonymous memory.
> 3. The mapping is mprotect()'d read-only.
> 4. The mapping is mseal()'d.
Thinking about this a bit (should have realized this implication
earlier) ... assuming we have:
1. A MAP_PRIVATE R/O file-backed mapping.
2. The mapping is mseal()'d.
We only really have anon folios in there with things like (a) uprobe (b)
debugger access (c) similarly weird FOLL_FORCE stuff.
Now, most executables/libraries are mapped that way. If someone would
rely on MADV_DONTNEED to zap pages in there (to free up memory), that
would get rejected.
Does something like that rely on MADV_DONTNEED working? Good question.
Checking for anon_vma in addition, ad mentioned in the other thread,
would be a "cheap" check to rule out that there are currently anon vmas
in there.
Well, not 100% reliable, because MADV_DONTNEED can race with page faults ...
--
Cheers,
David / dhildenb
next prev parent reply other threads:[~2025-07-24 22:13 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-16 17:38 [PATCH v3 0/5] mseal cleanups, fixup MAP_PRIVATE file-backed case Lorenzo Stoakes
2025-07-16 17:38 ` [PATCH v3 1/5] mm/mseal: always define VM_SEALED Lorenzo Stoakes
2025-07-24 18:34 ` Jeff Xu
2025-07-24 18:44 ` Lorenzo Stoakes
2025-07-16 17:38 ` [PATCH v3 2/5] mm/mseal: update madvise() logic Lorenzo Stoakes
2025-07-24 18:39 ` Jeff Xu
2025-07-24 18:56 ` David Hildenbrand
2025-07-24 22:18 ` David Hildenbrand
2025-07-24 19:07 ` Lorenzo Stoakes
2025-07-24 21:53 ` David Hildenbrand
2025-07-25 6:17 ` Lorenzo Stoakes
2025-07-25 16:22 ` Jeff Xu
2025-07-24 21:15 ` Kees Cook
2025-07-24 21:32 ` David Hildenbrand
2025-07-24 21:41 ` David Hildenbrand
2025-07-24 22:29 ` Kees Cook
2025-07-24 22:47 ` David Hildenbrand
2025-07-25 7:41 ` David Hildenbrand
2025-07-25 5:49 ` Lorenzo Stoakes
2025-07-25 16:21 ` Jeff Xu
2025-07-24 22:12 ` David Hildenbrand [this message]
2025-07-25 7:01 ` Lorenzo Stoakes
2025-07-25 7:38 ` David Hildenbrand
2025-07-25 8:53 ` Lorenzo Stoakes
2025-07-25 9:46 ` David Hildenbrand
2025-07-25 10:05 ` Lorenzo Stoakes
2025-07-25 10:10 ` David Hildenbrand
2025-07-25 10:17 ` Lorenzo Stoakes
2025-07-16 17:38 ` [PATCH v3 3/5] mm/mseal: small cleanups Lorenzo Stoakes
2025-07-24 18:40 ` Jeff Xu
2025-07-16 17:38 ` [PATCH v3 4/5] mm/mseal: Simplify and rename VMA gap check Lorenzo Stoakes
2025-07-24 18:40 ` Jeff Xu
2025-07-25 5:33 ` Lorenzo Stoakes
2025-07-16 17:38 ` [PATCH v3 5/5] mm/mseal: rework mseal apply logic Lorenzo Stoakes
2025-07-24 18:41 ` Jeff Xu
2025-07-24 18:32 ` [PATCH v3 0/5] mseal cleanups, fixup MAP_PRIVATE file-backed case Jeff Xu
2025-07-24 19:10 ` Lorenzo Stoakes
2025-07-25 6:40 ` Lorenzo Stoakes
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4f66d89a-631a-43eb-b4f9-c9a0b44caaae@redhat.com \
--to=david@redhat.com \
--cc=Liam.Howlett@oracle.com \
--cc=akpm@linux-foundation.org \
--cc=jannh@google.com \
--cc=jeffxu@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=pfalcato@suse.de \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).