queue-6.6/mm-update-memfd-seal-write-check-to-include-f_seal_write.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From stable+bounces-165160-greg=kroah.com@vger.kernel.org Wed Jul 30 03:52:41 2025
 From: "Isaac J. Manjarres" <isaacmanjarres@google.com>
 Date: Tue, 29 Jul 2025 18:51:46 -0700
 Subject: mm: update memfd seal write check to include F_SEAL_WRITE
 To: lorenzo.stoakes@oracle.com, gregkh@linuxfoundation.org,  Muchun Song <muchun.song@linux.dev>, Oscar Salvador <osalvador@suse.de>,  David Hildenbrand <david@redhat.com>, Andrew Morton <akpm@linux-foundation.org>,  "Liam R. Howlett" <Liam.Howlett@oracle.com>, Vlastimil Babka <vbabka@suse.cz>,  Mike Rapoport <rppt@kernel.org>, Suren Baghdasaryan <surenb@google.com>, Michal Hocko <mhocko@suse.com>,  Hugh Dickins <hughd@google.com>, Baolin Wang <baolin.wang@linux.alibaba.com>
 Cc: aliceryhl@google.com, stable@vger.kernel.org,  "Isaac J. Manjarres" <isaacmanjarres@google.com>, kernel-team@android.com,  Lorenzo Stoakes <lstoakes@gmail.com>, Jan Kara <jack@suse.cz>,  Alexander Viro <viro@zeniv.linux.org.uk>, Andy Lutomirski <luto@kernel.org>,  Christian Brauner <brauner@kernel.org>, "Matthew Wilcox (Oracle)" <willy@infradead.org>,  Mike Kravetz <mike.kravetz@oracle.com>, linux-mm@kvack.org, linux-kernel@vger.kernel.org
 Message-ID: <20250730015152.29758-3-isaacmanjarres@google.com>

 From: "Isaac J. Manjarres" <isaacmanjarres@google.com>

 From: Lorenzo Stoakes <lstoakes@gmail.com>

 [ Upstream commit 28464bbb2ddc199433383994bcb9600c8034afa1 ]

 The seal_check_future_write() function is called by shmem_mmap() or
 hugetlbfs_file_mmap() to disallow any future writable mappings of an memfd
 sealed this way.

 The F_SEAL_WRITE flag is not checked here, as that is handled via the
 mapping->i_mmap_writable mechanism and so any attempt at a mapping would
 fail before this could be run.

 However we intend to change this, meaning this check can be performed for
 F_SEAL_WRITE mappings also.

 The logic here is equally applicable to both flags, so update this
 function to accommodate both and rename it accordingly.

 Link: https://lkml.kernel.org/r/913628168ce6cce77df7d13a63970bae06a526e0.1697116581.git.lstoakes@gmail.com
 Signed-off-by: Lorenzo Stoakes <lstoakes@gmail.com>
 Reviewed-by: Jan Kara <jack@suse.cz>
 Cc: Alexander Viro <viro@zeniv.linux.org.uk>
 Cc: Andy Lutomirski <luto@kernel.org>
 Cc: Christian Brauner <brauner@kernel.org>
 Cc: Hugh Dickins <hughd@google.com>
 Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
 Cc: Mike Kravetz <mike.kravetz@oracle.com>
 Cc: Muchun Song <muchun.song@linux.dev>
 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
 Cc: stable@vger.kernel.org
 Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  fs/hugetlbfs/inode.c |    2 +-
  include/linux/mm.h   |   15 ++++++++-------
  mm/shmem.c           |    2 +-
  3 files changed, 10 insertions(+), 9 deletions(-)

 --- a/fs/hugetlbfs/inode.c
 +++ b/fs/hugetlbfs/inode.c
 @@ -136,7 +136,7 @@ static int hugetlbfs_file_mmap(struct fi
  	vm_flags_set(vma, VM_HUGETLB | VM_DONTEXPAND);
  	vma->vm_ops = &hugetlb_vm_ops;

 -	ret = seal_check_future_write(info->seals, vma);
 +	ret = seal_check_write(info->seals, vma);
  	if (ret)
  		return ret;

 --- a/include/linux/mm.h
 +++ b/include/linux/mm.h
 @@ -4023,25 +4023,26 @@ static inline void mem_dump_obj(void *ob
  #endif

  /**
 - * seal_check_future_write - Check for F_SEAL_FUTURE_WRITE flag and handle it
 + * seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and
 + *                    handle them.
   * @seals: the seals to check
   * @vma: the vma to operate on
   *
 - * Check whether F_SEAL_FUTURE_WRITE is set; if so, do proper check/handling on
 - * the vma flags.  Return 0 if check pass, or <0 for errors.
 + * Check whether F_SEAL_WRITE or F_SEAL_FUTURE_WRITE are set; if so, do proper
 + * check/handling on the vma flags.  Return 0 if check pass, or <0 for errors.
   */
 -static inline int seal_check_future_write(int seals, struct vm_area_struct *vma)
 +static inline int seal_check_write(int seals, struct vm_area_struct *vma)
  {
 -	if (seals & F_SEAL_FUTURE_WRITE) {
 +	if (seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
  		/*
  		 * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
 -		 * "future write" seal active.
 +		 * write seals are active.
  		 */
  		if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
  			return -EPERM;

  		/*
 -		 * Since an F_SEAL_FUTURE_WRITE sealed memfd can be mapped as
 +		 * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
  		 * MAP_SHARED and read-only, take care to not allow mprotect to
  		 * revert protections on such mappings. Do this only for shared
  		 * mappings. For private mappings, don't need to mask
 --- a/mm/shmem.c
 +++ b/mm/shmem.c
 @@ -2396,7 +2396,7 @@ static int shmem_mmap(struct file *file,
  	struct shmem_inode_info *info = SHMEM_I(inode);
  	int ret;

 -	ret = seal_check_future_write(info->seals, vma);
 +	ret = seal_check_write(info->seals, vma);
  	if (ret)
  		return ret;
	From stable+bounces-165160-greg=kroah.com@vger.kernel.org Wed Jul 30 03:52:41 2025
	From: "Isaac J. Manjarres" <isaacmanjarres@google.com>
	Date: Tue, 29 Jul 2025 18:51:46 -0700
	Subject: mm: update memfd seal write check to include F_SEAL_WRITE
	To: lorenzo.stoakes@oracle.com, gregkh@linuxfoundation.org, Muchun Song <muchun.song@linux.dev>, Oscar Salvador <osalvador@suse.de>, David Hildenbrand <david@redhat.com>, Andrew Morton <akpm@linux-foundation.org>, "Liam R. Howlett" <Liam.Howlett@oracle.com>, Vlastimil Babka <vbabka@suse.cz>, Mike Rapoport <rppt@kernel.org>, Suren Baghdasaryan <surenb@google.com>, Michal Hocko <mhocko@suse.com>, Hugh Dickins <hughd@google.com>, Baolin Wang <baolin.wang@linux.alibaba.com>
	Cc: aliceryhl@google.com, stable@vger.kernel.org, "Isaac J. Manjarres" <isaacmanjarres@google.com>, kernel-team@android.com, Lorenzo Stoakes <lstoakes@gmail.com>, Jan Kara <jack@suse.cz>, Alexander Viro <viro@zeniv.linux.org.uk>, Andy Lutomirski <luto@kernel.org>, Christian Brauner <brauner@kernel.org>, "Matthew Wilcox (Oracle)" <willy@infradead.org>, Mike Kravetz <mike.kravetz@oracle.com>, linux-mm@kvack.org, linux-kernel@vger.kernel.org
	Message-ID: <20250730015152.29758-3-isaacmanjarres@google.com>

	From: "Isaac J. Manjarres" <isaacmanjarres@google.com>

	From: Lorenzo Stoakes <lstoakes@gmail.com>

	[ Upstream commit 28464bbb2ddc199433383994bcb9600c8034afa1 ]

	The seal_check_future_write() function is called by shmem_mmap() or
	hugetlbfs_file_mmap() to disallow any future writable mappings of an memfd
	sealed this way.

	The F_SEAL_WRITE flag is not checked here, as that is handled via the
	mapping->i_mmap_writable mechanism and so any attempt at a mapping would
	fail before this could be run.

	However we intend to change this, meaning this check can be performed for
	F_SEAL_WRITE mappings also.

	The logic here is equally applicable to both flags, so update this
	function to accommodate both and rename it accordingly.

	Link: https://lkml.kernel.org/r/913628168ce6cce77df7d13a63970bae06a526e0.1697116581.git.lstoakes@gmail.com
	Signed-off-by: Lorenzo Stoakes <lstoakes@gmail.com>
	Reviewed-by: Jan Kara <jack@suse.cz>
	Cc: Alexander Viro <viro@zeniv.linux.org.uk>
	Cc: Andy Lutomirski <luto@kernel.org>
	Cc: Christian Brauner <brauner@kernel.org>
	Cc: Hugh Dickins <hughd@google.com>
	Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
	Cc: Mike Kravetz <mike.kravetz@oracle.com>
	Cc: Muchun Song <muchun.song@linux.dev>
	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	Cc: stable@vger.kernel.org
	Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	fs/hugetlbfs/inode.c \| 2 +-
	include/linux/mm.h \| 15 ++++++++-------
	mm/shmem.c \| 2 +-
	3 files changed, 10 insertions(+), 9 deletions(-)

	--- a/fs/hugetlbfs/inode.c
	+++ b/fs/hugetlbfs/inode.c
	@@ -136,7 +136,7 @@ static int hugetlbfs_file_mmap(struct fi
	vm_flags_set(vma, VM_HUGETLB \| VM_DONTEXPAND);
	vma->vm_ops = &hugetlb_vm_ops;

	- ret = seal_check_future_write(info->seals, vma);
	+ ret = seal_check_write(info->seals, vma);
	if (ret)
	return ret;

	--- a/include/linux/mm.h
	+++ b/include/linux/mm.h
	@@ -4023,25 +4023,26 @@ static inline void mem_dump_obj(void *ob
	#endif

	/**
	- * seal_check_future_write - Check for F_SEAL_FUTURE_WRITE flag and handle it
	+ * seal_check_write - Check for F_SEAL_WRITE or F_SEAL_FUTURE_WRITE flags and
	+ * handle them.
	* @seals: the seals to check
	* @vma: the vma to operate on
	*
	- * Check whether F_SEAL_FUTURE_WRITE is set; if so, do proper check/handling on
	- * the vma flags. Return 0 if check pass, or <0 for errors.
	+ * Check whether F_SEAL_WRITE or F_SEAL_FUTURE_WRITE are set; if so, do proper
	+ * check/handling on the vma flags. Return 0 if check pass, or <0 for errors.
	*/
	-static inline int seal_check_future_write(int seals, struct vm_area_struct *vma)
	+static inline int seal_check_write(int seals, struct vm_area_struct *vma)
	{
	- if (seals & F_SEAL_FUTURE_WRITE) {
	+ if (seals & (F_SEAL_WRITE \| F_SEAL_FUTURE_WRITE)) {
	/*
	* New PROT_WRITE and MAP_SHARED mmaps are not allowed when
	- * "future write" seal active.
	+ * write seals are active.
	*/
	if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
	return -EPERM;

	/*
	- * Since an F_SEAL_FUTURE_WRITE sealed memfd can be mapped as
	+ * Since an F_SEAL_[FUTURE_]WRITE sealed memfd can be mapped as
	* MAP_SHARED and read-only, take care to not allow mprotect to
	* revert protections on such mappings. Do this only for shared
	* mappings. For private mappings, don't need to mask
	--- a/mm/shmem.c
	+++ b/mm/shmem.c
	@@ -2396,7 +2396,7 @@ static int shmem_mmap(struct file *file,
	struct shmem_inode_info *info = SHMEM_I(inode);
	int ret;

	- ret = seal_check_future_write(info->seals, vma);
	+ ret = seal_check_write(info->seals, vma);
	if (ret)
	return ret;