On Sun, 25 Sep 2016, Linus Torvalds wrote:
> On Sun, Sep 25, 2016 at 3:34 PM, Rik van Riel <r...@redhat.com> wrote:
> >
> > The patch looks good to me, too.
> >
> > Acked-by: Rik van Riel <r...@redhat.com>
>
> Thanks, amended the commit since I hadn't pushed out yet.
>
> Btw, the only reason this bug could happen is that we do that
> "force=1" for remote vm accesses, which turns into FOLL_FORCE, which
> in turn will turn into us allowing an access even when we technically
> shouldn't.
>
> I'd really like to re-open the "drop FOLL_FORCE entirely" discussion,
> because the thing really is disgusting.
>
> I realize that debuggers etc sometimes would want to punch through
> PROT_NONE protections, and I also realize that right now we only have
> a read/write flag, and we have that whole issue with "what if it's
> executable but not readable", which currently FOLL_FORCE makes a
> non-issue.
>
> But at the same time, FOLL_FORCE really is a major nasty thing. It
> shouldn't be a security issue (we still do check VM_MAY_READ/WRITE etc
> to verify that even if something isn't readable or writable we *could*
> have had permissions to do this), but this bug is a prime example of
> how it violates our deeply held beliefs of how VM permissions *should*
> work, and it screwed up the numa case as a result.
>
> So how about we consider getting rid of FOLL_FORCE? Addign Hugh
> Dickins to the cc, because I think he argued for that many moons ago..
No. You do remember half-right, because there was a bizarre aspect
of write,force that Nick and I campaigned to remove, which in the end
cda540ace6a1 ("mm: get_user_pages(write,force) refuse to COW in shared areas")
got rid of - see that commit for details.
I don't have any objections to force now, though I haven't been reading
this thread to see if it would change my mind (and now I must dash out).
But someone else who had concerns about it, I forget whether resolved
or not by cda5, was Konstantin - baton passed.
Hugh
