| Message ID | 20240817-mseal-depessimize-v3-4-d8d2e037df30@gmail.com |
|---|---|
| State | Accepted |
| Commit | 38075679b5f157eeacd46c900e9cfc684bdbc167 |
| Headers | show |
| Series | mm: Optimize mseal checks | expand |
* Pedro Falcato <pedro.falcato@gmail.com> [240816 20:19]: > Delegate all can_modify checks to the proper places. Unmap checks are > done in do_unmap (et al). The source VMA check is done purposefully > before unmapping, to keep the original mseal semantics. > > Signed-off-by: Pedro Falcato <pedro.falcato@gmail.com> Reviewed-by: Liam R. Howlett <Liam.Howlett@Oracle.com> > --- > mm/mremap.c | 32 ++++++-------------------------- > 1 file changed, 6 insertions(+), 26 deletions(-) > > diff --git a/mm/mremap.c b/mm/mremap.c > index e7ae140fc640..24712f8dbb6b 100644 > --- a/mm/mremap.c > +++ b/mm/mremap.c > @@ -902,19 +902,6 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len, > if ((mm->map_count + 2) >= sysctl_max_map_count - 3) > return -ENOMEM; > > - /* > - * In mremap_to(). > - * Move a VMA to another location, check if src addr is sealed. > - * > - * Place can_modify_mm here because mremap_to() > - * does its own checking for address range, and we only > - * check the sealing after passing those checks. > - * > - * can_modify_mm assumes we have acquired the lock on MM. > - */ > - if (unlikely(!can_modify_mm(mm, addr, addr + old_len))) > - return -EPERM; > - > if (flags & MREMAP_FIXED) { > /* > * In mremap_to(). > @@ -1052,6 +1039,12 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len, > goto out; > } > > + /* Don't allow remapping vmas when they have already been sealed */ > + if (!can_modify_vma(vma)) { > + ret = -EPERM; > + goto out; > + } > + > if (is_vm_hugetlb_page(vma)) { > struct hstate *h __maybe_unused = hstate_vma(vma); > > @@ -1079,19 +1072,6 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len, > goto out; > } > > - /* > - * Below is shrink/expand case (not mremap_to()) > - * Check if src address is sealed, if so, reject. > - * In other words, prevent shrinking or expanding a sealed VMA. > - * > - * Place can_modify_mm here so we can keep the logic related to > - * shrink/expand together. > - */ > - if (unlikely(!can_modify_mm(mm, addr, addr + old_len))) { > - ret = -EPERM; > - goto out; > - } > - > /* > * Always allow a shrinking remap: that just unmaps > * the unnecessary pages.. > > -- > 2.46.0 > >
On Sat, Aug 17, 2024 at 01:18:31AM GMT, Pedro Falcato wrote: > Delegate all can_modify checks to the proper places. Unmap checks are > done in do_unmap (et al). The source VMA check is done purposefully > before unmapping, to keep the original mseal semantics. > > Signed-off-by: Pedro Falcato <pedro.falcato@gmail.com> > --- > mm/mremap.c | 32 ++++++-------------------------- > 1 file changed, 6 insertions(+), 26 deletions(-) > > diff --git a/mm/mremap.c b/mm/mremap.c > index e7ae140fc640..24712f8dbb6b 100644 > --- a/mm/mremap.c > +++ b/mm/mremap.c > @@ -902,19 +902,6 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len, > if ((mm->map_count + 2) >= sysctl_max_map_count - 3) > return -ENOMEM; > > - /* > - * In mremap_to(). > - * Move a VMA to another location, check if src addr is sealed. > - * > - * Place can_modify_mm here because mremap_to() > - * does its own checking for address range, and we only > - * check the sealing after passing those checks. > - * > - * can_modify_mm assumes we have acquired the lock on MM. > - */ > - if (unlikely(!can_modify_mm(mm, addr, addr + old_len))) > - return -EPERM; > - I'm honestly confused as to why the original implementation felt it necessary to split the checks. I guess for the purposes of efficiency? But doesn't seem efficient to me. > if (flags & MREMAP_FIXED) { > /* > * In mremap_to(). > @@ -1052,6 +1039,12 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len, > goto out; > } > > + /* Don't allow remapping vmas when they have already been sealed */ > + if (!can_modify_vma(vma)) { > + ret = -EPERM; > + goto out; > + } > + This is much better, and having it be a VMA check is so obviously correct here. Again confused as to why this implemented at an mm granularity anyway... > if (is_vm_hugetlb_page(vma)) { > struct hstate *h __maybe_unused = hstate_vma(vma); > > @@ -1079,19 +1072,6 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len, > goto out; > } > > - /* > - * Below is shrink/expand case (not mremap_to()) > - * Check if src address is sealed, if so, reject. > - * In other words, prevent shrinking or expanding a sealed VMA. > - * > - * Place can_modify_mm here so we can keep the logic related to > - * shrink/expand together. > - */ > - if (unlikely(!can_modify_mm(mm, addr, addr + old_len))) { > - ret = -EPERM; > - goto out; > - } > - > /* > * Always allow a shrinking remap: that just unmaps > * the unnecessary pages.. > > -- > 2.46.0 > Reviewed-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
diff --git a/mm/mremap.c b/mm/mremap.c index e7ae140fc640..24712f8dbb6b 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -902,19 +902,6 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len, if ((mm->map_count + 2) >= sysctl_max_map_count - 3) return -ENOMEM; - /* - * In mremap_to(). - * Move a VMA to another location, check if src addr is sealed. - * - * Place can_modify_mm here because mremap_to() - * does its own checking for address range, and we only - * check the sealing after passing those checks. - * - * can_modify_mm assumes we have acquired the lock on MM. - */ - if (unlikely(!can_modify_mm(mm, addr, addr + old_len))) - return -EPERM; - if (flags & MREMAP_FIXED) { /* * In mremap_to(). @@ -1052,6 +1039,12 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len, goto out; } + /* Don't allow remapping vmas when they have already been sealed */ + if (!can_modify_vma(vma)) { + ret = -EPERM; + goto out; + } + if (is_vm_hugetlb_page(vma)) { struct hstate *h __maybe_unused = hstate_vma(vma); @@ -1079,19 +1072,6 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len, goto out; } - /* - * Below is shrink/expand case (not mremap_to()) - * Check if src address is sealed, if so, reject. - * In other words, prevent shrinking or expanding a sealed VMA. - * - * Place can_modify_mm here so we can keep the logic related to - * shrink/expand together. - */ - if (unlikely(!can_modify_mm(mm, addr, addr + old_len))) { - ret = -EPERM; - goto out; - } - /* * Always allow a shrinking remap: that just unmaps * the unnecessary pages..
Delegate all can_modify checks to the proper places. Unmap checks are done in do_unmap (et al). The source VMA check is done purposefully before unmapping, to keep the original mseal semantics. Signed-off-by: Pedro Falcato <pedro.falcato@gmail.com> --- mm/mremap.c | 32 ++++++-------------------------- 1 file changed, 6 insertions(+), 26 deletions(-)