[ Sasha's backport helper bot ]

Hi,

✅ All tests passed successfully. No issues detected.
No action required from the submitter.

The upstream commit SHA1 provided is correct: 58a039e679fe72bd0efa8b2abe669a7914bb4429

WARNING: Author mismatch between patch and upstream commit:
Backport author: <jianqi.ren.cn@xxxxxxxxxxxxx>
Commit author: Kirill A. Shutemov<kirill.shutemov@xxxxxxxxxxxxxxx>

Status in newer kernel trees:
6.13.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)

Note: The patch differs from the upstream commit:
--- 1: 58a039e679fe7 ! 1: 8ef52303f2705 mm: split critical region in remap_file_pages() and invoke LSMs in between @@ Metadata ## Commit message ## mm: split critical region in remap_file_pages() and invoke LSMs in between + [ Upstream commit 58a039e679fe72bd0efa8b2abe669a7914bb4429 ] + Commit ea7e2d5e49c0 ("mm: call the security_mmap_file() LSM hook in remap_file_pages()") fixed a security issue, it added an LSM check when trying to remap file pages, so that LSMs have the opportunity to evaluate @@ Commit message Cc: Shu Han <ebpqwerty472123@xxxxxxxxx> Cc: Vlastimil Babka <vbabka@xxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> + Signed-off-by: Jianqi Ren <jianqi.ren.cn@xxxxxxxxxxxxx> + Signed-off-by: He Zhe <zhe.he@xxxxxxxxxxxxx> ## mm/mmap.c ## @@ mm/mmap.c: SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size, @@ mm/mmap.c: SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long - if (mmap_write_lock_killable(mm)) + if (mmap_read_lock_killable(mm)) - return -EINTR; - ++ return -EINTR; ++ + /* + * Look up VMA under read lock first so we can perform the security + * without holding locks (which can be problematic). We reacquire a + * write lock later and check nothing changed underneath us. 
+ */ - vma = vma_lookup(mm, start); - -- if (!vma || !(vma->vm_flags & VM_SHARED)) ++ vma = vma_lookup(mm, start); ++ + if (!vma || !(vma->vm_flags & VM_SHARED)) { + mmap_read_unlock(mm); + return -EINVAL; @@ mm/mmap.c: SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long + /* OK security check passed, take write lock + let it rip. */ + if (mmap_write_lock_killable(mm)) { + fput(file); -+ return -EINTR; + return -EINTR; + } -+ -+ vma = vma_lookup(mm, start); -+ + + vma = vma_lookup(mm, start); + +- if (!vma || !(vma->vm_flags & VM_SHARED)) + if (!vma) + goto out; +
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.6.y        | Success     | Success    |
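
Review bot: after the write lock is retaken, the only recheck shown on the re-looked-up VMA is `if (!vma) goto out;`, while the comment added at the read-lock lookup promises to "check nothing changed underneath us". The `VM_SHARED` test now runs only under the read lock, so between `mmap_read_unlock(mm)` and `mmap_write_lock_killable(mm)` the mapping at `start` can be replaced by one the LSM check never evaluated. Please confirm that the 6.6.y result compares the second lookup against the state the security check saw before it proceeds, and that the `goto out` path drops the file reference the same way the `-EINTR` path does with `fput(file)`. The range-diff excerpt ends before either is visible.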