mm: gup: activate GUP unsharing with COR

In these two cases the Linux MM always handled the GUP pins wrong:

a) GUP before fork()
b) GUP after fork()

The case (a) is well known as the "fork vs gup vs thread" race condition:

https://lkml.kernel.org/r/20090311165833.GI27823@random.random

Case (a) has more mild security implications because the parent
process is in control, and it can prevent it from happening in many
ways, for example by stopping all O_DIRECT until the child executed
exec().

The case (b) was first reported by Jann Horn on 27 May 2020 and it has
greater security implications because it can happen out of control of
the parent process.

This secures case (b) by un-sharing shared anonymous pages from COW
mappings, before taking any GUP pin.

In addition this provides correct MM coherency to all readonly short
term GUP pins and it remains bug-to-bug compatible with
FOLL_LONGTERM|FOLL_FORCE|FOLL_WRITE.

This doesn't cover hugetlbfs yet.

Co-developed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
2 files changed