The patch titled Subject: selftests/vm: anon_cow: add mprotect() optimization tests has been added to the -mm mm-unstable branch. Its filename is selftests-vm-anon_cow-add-mprotect-optimization-tests.patch This patch will shortly appear at https://git.kernel.org/pub/scm/linux/kernel/git/akpm/25-new.git/tree/patches/selftests-vm-anon_cow-add-mprotect-optimization-tests.patch This patch will later appear in the mm-unstable branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next via the mm-everything branch at git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm and is updated there every 2-3 working days ------------------------------------------------------ From: David Hildenbrand <david@xxxxxxxxxx> Subject: selftests/vm: anon_cow: add mprotect() optimization tests Date: Tue, 8 Nov 2022 18:46:52 +0100 Let's extend the test to cover the possible mprotect() optimization when removing write-protection. mprotect() must not allow write-access to a COW-shared page by accident. Link: https://lkml.kernel.org/r/20221108174652.198904-8-david@xxxxxxxxxx Signed-off-by: David Hildenbrand <david@xxxxxxxxxx> Cc: Andrea Arcangeli <aarcange@xxxxxxxxxx> Cc: Anshuman Khandual <anshuman.khandual@xxxxxxx> Cc: Dave Chinner <david@xxxxxxxxxxxxx> Cc: Hugh Dickins <hughd@xxxxxxxxxx> Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> Cc: Mel Gorman <mgorman@xxxxxxxxxxxxxxxxxxx> Cc: Michael Ellerman <mpe@xxxxxxxxxxxxxx> Cc: Mike Rapoport <rppt@xxxxxxxxxx> Cc: Nadav Amit <namit@xxxxxxxxxx> Cc: Nicholas Piggin <npiggin@xxxxxxxxx> Cc: Peter Xu <peterx@xxxxxxxxxx> Cc: Vlastimil Babka <vbabka@xxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- tools/testing/selftests/vm/anon_cow.c | 49 ++++++++++++++++++++++-- 1 file changed, 46 insertions(+), 3 deletions(-) --- a/tools/testing/selftests/vm/anon_cow.c~selftests-vm-anon_cow-add-mprotect-optimization-tests +++ a/tools/testing/selftests/vm/anon_cow.c @@ -190,7 +190,8 @@ static int child_vmsplice_memcmp_fn(char typedef int (*child_fn)(char *mem, size_t size, struct comm_pipes *comm_pipes); -static void do_test_cow_in_parent(char *mem, size_t size, child_fn fn) +static void do_test_cow_in_parent(char *mem, size_t size, bool do_mprotect, + child_fn fn) { struct comm_pipes comm_pipes; char buf; @@ -212,6 +213,22 @@ static void do_test_cow_in_parent(char * while (read(comm_pipes.child_ready[0], &buf, 1) != 1) ; + + if (do_mprotect) { + /* + * mprotect() optimizations might try avoiding + * write-faults by directly mapping pages writable. + */ + ret = mprotect(mem, size, PROT_READ); + ret |= mprotect(mem, size, PROT_READ|PROT_WRITE); + if (ret) { + ksft_test_result_fail("mprotect() failed\n"); + write(comm_pipes.parent_ready[1], "0", 1); + wait(&ret); + goto close_comm_pipes; + } + } + /* Modify the page. */ memset(mem, 0xff, size); write(comm_pipes.parent_ready[1], "0", 1); @@ -229,12 +246,22 @@ close_comm_pipes: static void test_cow_in_parent(char *mem, size_t size) { - do_test_cow_in_parent(mem, size, child_memcmp_fn); + do_test_cow_in_parent(mem, size, false, child_memcmp_fn); +} + +static void test_cow_in_parent_mprotect(char *mem, size_t size) +{ + do_test_cow_in_parent(mem, size, true, child_memcmp_fn); } static void test_vmsplice_in_child(char *mem, size_t size) { - do_test_cow_in_parent(mem, size, child_vmsplice_memcmp_fn); + do_test_cow_in_parent(mem, size, false, child_vmsplice_memcmp_fn); +} + +static void test_vmsplice_in_child_mprotect(char *mem, size_t size) +{ + do_test_cow_in_parent(mem, size, true, child_vmsplice_memcmp_fn); } static void do_test_vmsplice_in_parent(char *mem, size_t size, @@ -970,6 +997,14 @@ static const struct test_case test_cases test_cow_in_parent, }, /* + * Basic test, but do an additional mprotect(PROT_READ)+ + * mprotect(PROT_READ|PROT_WRITE) in the parent before write access. + */ + { + "Basic COW after fork() with mprotect() optimization", + test_cow_in_parent_mprotect, + }, + /* * vmsplice() [R/O GUP] + unmap in the child; modify in the parent. If * we miss to break COW, the child observes modifications by the parent. * This is CVE-2020-29374 reported by Jann Horn. @@ -979,6 +1014,14 @@ static const struct test_case test_cases test_vmsplice_in_child }, /* + * vmsplice() test, but do an additional mprotect(PROT_READ)+ + * mprotect(PROT_READ|PROT_WRITE) in the parent before write access. + */ + { + "vmsplice() + unmap in child with mprotect() optimization", + test_vmsplice_in_child_mprotect + }, + /* * vmsplice() [R/O GUP] in parent before fork(), unmap in parent after * fork(); modify in the child. If we miss to break COW, the parent * observes modifications by the child. _ Patches currently in -mm which might be from david@xxxxxxxxxx are selftests-vm-anon_cow-test-cow-handling-of-anonymous-memory.patch selftests-vm-anon_cow-test-cow-handling-of-anonymous-memory-fix.patch selftests-vm-factor-out-pagemap_is_populated-into-vm_util.patch selftests-vm-anon_cow-thp-tests.patch selftests-vm-anon_cow-hugetlb-tests.patch selftests-vm-anon_cow-add-liburing-test-cases.patch selftests-vm-anon_cow-add-liburing-test-cases-fix.patch mm-gup_test-start-stop-read-functionality-for-pin-longterm-test.patch mm-gup_test-start-stop-read-functionality-for-pin-longterm-test-fix.patch selftests-vm-anon_cow-add-r-o-longterm-tests-via-gup_test.patch selftests-vm-add-ksm-unmerge-tests.patch mm-pagewalk-dont-trigger-test_walk-in-walk_page_vma.patch selftests-vm-add-test-to-measure-madv_unmergeable-performance.patch mm-ksm-simplify-break_ksm-to-not-rely-on-vm_fault_write.patch mm-remove-vm_fault_write.patch mm-ksm-fix-ksm-cow-breaking-with-userfaultfd-wp-via-fault_flag_unshare.patch mm-pagewalk-add-walk_page_range_vma.patch mm-ksm-convert-break_ksm-to-use-walk_page_range_vma.patch mm-gup-remove-foll_migration.patch mm-mprotect-minor-can_change_pte_writable-cleanups.patch mm-huge_memory-try-avoiding-write-faults-when-changing-pmd-protection.patch mm-mprotect-factor-out-check-whether-manual-pte-write-upgrades-are-required.patch mm-autonuma-use-can_change_ptepmd_writable-to-replace-savedwrite.patch mm-remove-unused-savedwrite-infrastructure.patch selftests-vm-anon_cow-add-mprotect-optimization-tests.patch