June 2024 - Linux-kselftest-mirror

kselftest/next kselftest-seccomp: 5 runs, 5 regressions (v6.10-rc1-2-g64f5bc57b24e)

by kernelci.org bot

kselftest/next kselftest-seccomp: 5 runs, 5 regressions (v6.10-rc1-2-g64f5bc57b24e) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions -----------------------------+-------+---------------+----------+------------------------------+------------ mt8173-elm-hana | arm64 | lab-collabora | gcc-10 | defconfig+kse...4-chromebook | 2 mt8183-kukui-...uniper-sku16 | arm64 | lab-collabora | gcc-10 | defconfig+kse...4-chromebook | 3 Details: https://kernelci.org/test/job/kselftest/branch/next/kernel/v6.10-rc1-2-g64f… Test: kselftest-seccomp Tree: kselftest Branch: next Describe: v6.10-rc1-2-g64f5bc57b24e URL: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git SHA: 64f5bc57b24e8c7935d51732571d405acfcf4b99 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions -----------------------------+-------+---------------+----------+------------------------------+------------ mt8173-elm-hana | arm64 | lab-collabora | gcc-10 | defconfig+kse...4-chromebook | 2 Details: https://kernelci.org/test/plan/id/666902b8b345dd39097e7147 Results: 105 PASS, 2 FAIL, 0 SKIP Full config: defconfig+kselftest+arm64-chromebook Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//kselftest/next/v6.10-rc1-2-g64f5bc57b24e/arm6… HTML log: https://storage.kernelci.org//kselftest/next/v6.10-rc1-2-g64f5bc57b24e/arm6… Rootfs: http://storage.kernelci.org/images/rootfs/debian/bookworm-kselftest/2024031… * kselftest-seccomp.seccomp_seccomp_benchmark: https://kernelci.org/test/case/id/666902b8b345dd39097e7149 new failure (last pass: v6.10-rc1) * kselftest-seccomp.seccomp_seccomp_benchmark_per-filter_last_2_diff_per-filter_filters_4: https://kernelci.org/test/case/id/666902b8b345dd39097e714e new failure (last pass: v6.10-rc1) platform | arch | lab | compiler | defconfig | regressions -----------------------------+-------+---------------+----------+------------------------------+------------ mt8183-kukui-...uniper-sku16 | arm64 | lab-collabora | gcc-10 | defconfig+kse...4-chromebook | 3 Details: https://kernelci.org/test/plan/id/666906510673daf6a77e706d Results: 101 PASS, 3 FAIL, 3 SKIP Full config: defconfig+kselftest+arm64-chromebook Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//kselftest/next/v6.10-rc1-2-g64f5bc57b24e/arm6… HTML log: https://storage.kernelci.org//kselftest/next/v6.10-rc1-2-g64f5bc57b24e/arm6… Rootfs: http://storage.kernelci.org/images/rootfs/debian/bookworm-kselftest/2024031… * kselftest-seccomp.seccomp_seccomp_benchmark: https://kernelci.org/test/case/id/666906510673daf6a77e706f new failure (last pass: v6.10-rc1) * kselftest-seccomp.seccomp_seccomp_benchmark_1_bitmapped_2_bitmapped: https://kernelci.org/test/case/id/666906510673daf6a77e7073 new failure (last pass: v6.10-rc1) * kselftest-seccomp.seccomp_seccomp_benchmark_per-filter_last_2_diff_per-filter_filters_4: https://kernelci.org/test/case/id/666906510673daf6a77e7074 new failure (last pass: v6.10-rc1)

7 months, 1 week

1
0
0 0

kselftest/next kselftest-lkdtm: 5 runs, 2 regressions (v6.10-rc1-2-g64f5bc57b24e)

by kernelci.org bot

kselftest/next kselftest-lkdtm: 5 runs, 2 regressions (v6.10-rc1-2-g64f5bc57b24e) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+------------------------------+------------ imx6q-sabrelite | arm | lab-collabora | gcc-10 | multi_v7_defconfig+kselftest | 1 mt8192-asurada-spherion-r0 | arm64 | lab-collabora | gcc-10 | defconfig+kse...4-chromebook | 1 Details: https://kernelci.org/test/job/kselftest/branch/next/kernel/v6.10-rc1-2-g64f… Test: kselftest-lkdtm Tree: kselftest Branch: next Describe: v6.10-rc1-2-g64f5bc57b24e URL: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git SHA: 64f5bc57b24e8c7935d51732571d405acfcf4b99 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+------------------------------+------------ imx6q-sabrelite | arm | lab-collabora | gcc-10 | multi_v7_defconfig+kselftest | 1 Details: https://kernelci.org/test/plan/id/666901b3232cbea21a7e706e Results: 62 PASS, 4 FAIL, 21 SKIP Full config: multi_v7_defconfig+kselftest Compiler: gcc-10 (arm-linux-gnueabihf-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//kselftest/next/v6.10-rc1-2-g64f5bc57b24e/arm/… HTML log: https://storage.kernelci.org//kselftest/next/v6.10-rc1-2-g64f5bc57b24e/arm/… Rootfs: http://storage.kernelci.org/images/rootfs/debian/bookworm-kselftest/2024031… * kselftest-lkdtm.lkdtm_VMALLOC_LINEAR_OVERFLOW_sh: https://kernelci.org/test/case/id/666901b3232cbea21a7e70a4 new failure (last pass: v6.10-rc1-1-ga567885b1ecc9) platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+------------------------------+------------ mt8192-asurada-spherion-r0 | arm64 | lab-collabora | gcc-10 | defconfig+kse...4-chromebook | 1 Details: https://kernelci.org/test/plan/id/666908f1c1df1ae62c7e707b Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+kselftest+arm64-chromebook Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//kselftest/next/v6.10-rc1-2-g64f5bc57b24e/arm6… HTML log: https://storage.kernelci.org//kselftest/next/v6.10-rc1-2-g64f5bc57b24e/arm6… Rootfs: http://storage.kernelci.org/images/rootfs/debian/bookworm-kselftest/2024031… * kselftest-lkdtm.login: https://kernelci.org/test/case/id/666908f1c1df1ae62c7e707c new failure (last pass: v6.10-rc1)

7 months, 1 week

1
0
0 0

kselftest/next kselftest-livepatch: 2 runs, 1 regressions (v6.10-rc1-2-g64f5bc57b24e)

by kernelci.org bot

kselftest/next kselftest-livepatch: 2 runs, 1 regressions (v6.10-rc1-2-g64f5bc57b24e) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions ----------------+------+---------------+----------+------------------------------+------------ imx6q-sabrelite | arm | lab-collabora | gcc-10 | multi_v7_defconfig+kselftest | 1 Details: https://kernelci.org/test/job/kselftest/branch/next/kernel/v6.10-rc1-2-g64f… Test: kselftest-livepatch Tree: kselftest Branch: next Describe: v6.10-rc1-2-g64f5bc57b24e URL: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git SHA: 64f5bc57b24e8c7935d51732571d405acfcf4b99 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions ----------------+------+---------------+----------+------------------------------+------------ imx6q-sabrelite | arm | lab-collabora | gcc-10 | multi_v7_defconfig+kselftest | 1 Details: https://kernelci.org/test/plan/id/6669009c63cd4b2b267e7091 Results: 1 PASS, 1 FAIL, 0 SKIP Full config: multi_v7_defconfig+kselftest Compiler: gcc-10 (arm-linux-gnueabihf-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//kselftest/next/v6.10-rc1-2-g64f5bc57b24e/arm/… HTML log: https://storage.kernelci.org//kselftest/next/v6.10-rc1-2-g64f5bc57b24e/arm/… Rootfs: http://storage.kernelci.org/images/rootfs/debian/bookworm-kselftest/2024031… * kselftest-livepatch.shardfile-livepatch: https://kernelci.org/test/case/id/6669009c63cd4b2b267e7093 failing since 118 days (last pass: v6.8-rc1, first fail: v6.8-rc1-32-g345e8abe4c355) 2024-06-12T01:57:13.452100 / # 2024-06-12T01:57:13.462271 2024-06-12T01:57:18.601719 / # export NFS_ROOTFS='/var/lib/lava/dispatcher/tmp/14295387/extract-nfsrootfs-ngjfxq8b' 2024-06-12T01:57:18.612548 export NFS_ROOTFS='/var/lib/lava/dispatcher/tmp/14295387/extract-nfsrootfs-ngjfxq8b' 2024-06-12T01:57:20.846234 / # export NFS_SERVER_IP='192.168.201.1' 2024-06-12T01:57:20.857036 export NFS_SERVER_IP='192.168.201.1' 2024-06-12T01:57:20.975780 / # # 2024-06-12T01:57:20.984683 # 2024-06-12T01:57:21.102030 / # export SHELL=/bin/bash 2024-06-12T01:57:21.112406 export SHELL=/bin/bash ... (85 line(s) more)

7 months, 1 week

1
0
0 0

kselftest/next kselftest-cpufreq: 4 runs, 1 regressions (v6.10-rc1-2-g64f5bc57b24e)

by kernelci.org bot

kselftest/next kselftest-cpufreq: 4 runs, 1 regressions (v6.10-rc1-2-g64f5bc57b24e) Regressions Summary ------------------- platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+------------------------------+------------ mt8192-asurada-spherion-r0 | arm64 | lab-collabora | gcc-10 | defconfig+kse...4-chromebook | 1 Details: https://kernelci.org/test/job/kselftest/branch/next/kernel/v6.10-rc1-2-g64f… Test: kselftest-cpufreq Tree: kselftest Branch: next Describe: v6.10-rc1-2-g64f5bc57b24e URL: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git SHA: 64f5bc57b24e8c7935d51732571d405acfcf4b99 Test Regressions ---------------- platform | arch | lab | compiler | defconfig | regressions ---------------------------+-------+---------------+----------+------------------------------+------------ mt8192-asurada-spherion-r0 | arm64 | lab-collabora | gcc-10 | defconfig+kse...4-chromebook | 1 Details: https://kernelci.org/test/plan/id/66690987f94e1c493c7e707e Results: 0 PASS, 1 FAIL, 0 SKIP Full config: defconfig+kselftest+arm64-chromebook Compiler: gcc-10 (aarch64-linux-gnu-gcc (Debian 10.2.1-6) 10.2.1 20210110) Plain log: https://storage.kernelci.org//kselftest/next/v6.10-rc1-2-g64f5bc57b24e/arm6… HTML log: https://storage.kernelci.org//kselftest/next/v6.10-rc1-2-g64f5bc57b24e/arm6… Rootfs: http://storage.kernelci.org/images/rootfs/debian/bookworm-kselftest/2024031… * kselftest-cpufreq.login: https://kernelci.org/test/case/id/66690987f94e1c493c7e707f failing since 14 days (last pass: v6.9-8287-g31a59b76b978, first fail: v6.10-rc1)

7 months, 1 week

1
0
0 0

kselftest/fixes build: 5 builds: 0 failed, 5 passed, 1 warning (linux_kselftest-fixes-6.10-rc3-4-ged3994ac847e)

by kernelci.org bot

kselftest/fixes build: 5 builds: 0 failed, 5 passed, 1 warning (linux_kselftest-fixes-6.10-rc3-4-ged3994ac847e) Full Build Summary: https://kernelci.org/build/kselftest/branch/fixes/kernel/linux_kselftest-fi… Tree: kselftest Branch: fixes Git Describe: linux_kselftest-fixes-6.10-rc3-4-ged3994ac847e Git Commit: ed3994ac847e0d6605f248e7f6776b1d4f445f4b Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git Built: 3 unique architectures Warnings Detected: arm64: i386: x86_64: x86_64_defconfig+kselftest (clang-16): 1 warning Warnings summary: 1 vmlinux.o: warning: objtool: set_ftrace_ops_ro+0x39: relocation to !ENDBR: .text+0x14cf94 ================================================================================ Detailed per-defconfig build reports: -------------------------------------------------------------------------------- defconfig+kselftest (arm64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- defconfig+kselftest+arm64-chromebook (arm64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- i386_defconfig+kselftest (i386, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- x86_64_defconfig+kselftest (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- x86_64_defconfig+kselftest (x86_64, clang-16) — PASS, 0 errors, 1 warning, 0 section mismatches Warnings: vmlinux.o: warning: objtool: set_ftrace_ops_ro+0x39: relocation to !ENDBR: .text+0x14cf94 --- For more info write to <info(a)kernelci.org>

7 months, 1 week

1
0
0 0

[PATCH net-next v6 0/2] Add F_SETFL for fcntl in test_sockmap

by Geliang Tang

From: Geliang Tang <tanggeliang(a)kylinos.cn> v6: - add a fix for tls_sw_recvmsg(). v5: - add a new patch "Check recv lengths in test_sockmap" instead of using "continue" in msg_loop. v4: - address Martin's comments for v3. (thanks.) - add Yonghong's "Acked-by" tags. (thanks.) - update subject-prefix from "bpf-next" to "bpf". Patch 1, v3 of "selftests/bpf: Add F_SETFL for fcntl": - detect nonblock flag automatically, then test_sockmap can run in both block and nonblock modes. - use continue instead of again in v2. Patch 2, fix for umount cgroup2 error. Geliang Tang (2): tls: wait for receiving next skb for sk_redirect selftests/bpf: Add F_SETFL for fcntl in test_sockmap net/tls/tls_sw.c | 2 ++ tools/testing/selftests/bpf/test_sockmap.c | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) -- 2.43.0

7 months, 1 week

2
3
0 0

kselftest/next build: 5 builds: 0 failed, 5 passed, 1 warning (v6.10-rc1-2-g64f5bc57b24e)

by kernelci.org bot

kselftest/next build: 5 builds: 0 failed, 5 passed, 1 warning (v6.10-rc1-2-g64f5bc57b24e) Full Build Summary: https://kernelci.org/build/kselftest/branch/next/kernel/v6.10-rc1-2-g64f5bc… Tree: kselftest Branch: next Git Describe: v6.10-rc1-2-g64f5bc57b24e Git Commit: 64f5bc57b24e8c7935d51732571d405acfcf4b99 Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest.git Built: 4 unique architectures Warnings Detected: arm64: arm: i386: x86_64: x86_64_defconfig+kselftest (clang-16): 1 warning Warnings summary: 1 vmlinux.o: warning: objtool: set_ftrace_ops_ro+0x39: relocation to !ENDBR: .text+0x14cf94 ================================================================================ Detailed per-defconfig build reports: -------------------------------------------------------------------------------- defconfig+kselftest+arm64-chromebook (arm64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- i386_defconfig+kselftest (i386, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- multi_v7_defconfig+kselftest (arm, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- x86_64_defconfig+kselftest (x86_64, gcc-10) — PASS, 0 errors, 0 warnings, 0 section mismatches -------------------------------------------------------------------------------- x86_64_defconfig+kselftest (x86_64, clang-16) — PASS, 0 errors, 1 warning, 0 section mismatches Warnings: vmlinux.o: warning: objtool: set_ftrace_ops_ro+0x39: relocation to !ENDBR: .text+0x14cf94 --- For more info write to <info(a)kernelci.org>

7 months, 1 week

1
0
0 0

[PATCH v2] KVM: selftest: Add a common check to identify AMD cpu in perf event filter test

by Manali Shukla

PMU event filter test fails on zen4 architecture because of the unavailability of family and model check for zen4 in use_amd_pmu(). use_amd_pmu() is added to detect architectures that supports event select 0xc2 umask 0 as "retired branch instructions". Model ranges in is_zen1(), is_zen2() and is_zen3() are used only for sever SOCs, so they might not cover all the model ranges which supports retired branch instructions. X86_FEATURE_ZEN is a synthetic feature flag specifically added to recognize all Zen generations by commit 232afb557835d ("x86/CPU/AMD: Add X86_FEATURE_ZEN1"). init_amd_zen_common() uses family >= 0x17 check to enable X86_FEATURE_ZEN. Family 17h+ is where Zen and its successors start and that event 0xc2,0 is supported on all currently released F17h+ processors as branch instruction retired and it is true going forward to maintain the backward compatibility for the branch instruction retired. Since X86_FEATURE_ZEN is not recognized in selftest framework, instead of checking family and model value for all zen architecture, "family >= 0x17" check is added in use_amd_pmu(). Fixes: bef9a701f3eb ("selftests: kvm/x86: Add test for KVM_SET_PMU_EVENT_FILTER") Suggested-by: Sandipan Das <sandipan.das(a)amd.com> Signed-off-by: Manali Shukla <manali.shukla(a)amd.com> --- .../kvm/x86_64/pmu_event_filter_test.c | 32 +++---------------- 1 file changed, 5 insertions(+), 27 deletions(-) diff --git a/tools/testing/selftests/kvm/x86_64/pmu_event_filter_test.c b/tools/testing/selftests/kvm/x86_64/pmu_event_filter_test.c index 26b3e7efe5dd..f65033fab0c0 100644 --- a/tools/testing/selftests/kvm/x86_64/pmu_event_filter_test.c +++ b/tools/testing/selftests/kvm/x86_64/pmu_event_filter_test.c @@ -353,38 +353,16 @@ static bool use_intel_pmu(void) kvm_pmu_has(X86_PMU_FEATURE_BRANCH_INSNS_RETIRED); } -static bool is_zen1(uint32_t family, uint32_t model) -{ - return family == 0x17 && model <= 0x0f; -} - -static bool is_zen2(uint32_t family, uint32_t model) -{ - return family == 0x17 && model >= 0x30 && model <= 0x3f; -} - -static bool is_zen3(uint32_t family, uint32_t model) -{ - return family == 0x19 && model <= 0x0f; -} - /* - * Determining AMD support for a PMU event requires consulting the AMD - * PPR for the CPU or reference material derived therefrom. The AMD - * test code herein has been verified to work on Zen1, Zen2, and Zen3. - * - * Feel free to add more AMD CPUs that are documented to support event - * select 0xc2 umask 0 as "retired branch instructions." + * Family 17h+ is where Zen and its successors start and that event + * 0xc2,0 is supported on all currently released F17h+ processors as + * branch instruction retired and it is true going forward to maintain + * the backward compatibility for the branch instruction retired. */ static bool use_amd_pmu(void) { uint32_t family = kvm_cpu_family(); - uint32_t model = kvm_cpu_model(); - - return host_cpu_is_amd && - (is_zen1(family, model) || - is_zen2(family, model) || - is_zen3(family, model)); + return family >= 0x17; } /* -- 2.34.1

7 months, 1 week

2
2
0 0

[PATCH v3 0/1] mm/memfd: add documentation for MFD_NOEXEC_SEAL

by jeffxu＠chromium.org

From: Jeff Xu <jeffxu(a)chromium.org> When MFD_NOEXEC_SEAL was introduced, there was one big mistake: it didn't have proper documentation. This led to a lot of confusion, especially about whether or not memfd created with the MFD_NOEXEC_SEAL flag is sealable. Before MFD_NOEXEC_SEAL, memfd had to explicitly set MFD_ALLOW_SEALING to be sealable, so it's a fair question. As one might have noticed, unlike other flags in memfd_create, MFD_NOEXEC_SEAL is actually a combination of multiple flags. The idea is to make it easier to use memfd in the most common way, which is NOEXEC + F_SEAL_EXEC + MFD_ALLOW_SEALING. This works with sysctl vm.noexec to help existing applications move to a more secure way of using memfd. Proposals have been made to put MFD_NOEXEC_SEAL non-sealable, unless MFD_ALLOW_SEALING is set, to be consistent with other flags [1] [2], Those are based on the viewpoint that each flag is an atomic unit, which is a reasonable assumption. However, MFD_NOEXEC_SEAL was designed with the intent of promoting the most secure method of using memfd, therefore a combination of multiple functionalities into one bit. Furthermore, the MFD_NOEXEC_SEAL has been added for more than one year, and multiple applications and distributions have backported and utilized it. Altering ABI now presents a degree of risk and may lead to disruption. MFD_NOEXEC_SEAL is a new flag, and applications must change their code to use it. There is no backward compatibility problem. When sysctl vm.noexec == 1 or 2, applications that don't set MFD_NOEXEC_SEAL or MFD_EXEC will get MFD_NOEXEC_SEAL memfd. And old-application might break, that is by-design, in such a system vm.noexec = 0 shall be used. Also no backward compatibility problem. I propose to include this documentation patch to assist in clarifying the semantics of MFD_NOEXEC_SEAL, thereby preventing any potential future confusion. This patch supersede previous patch which is trying different direction [3], and please remove [2] from mm-unstable branch when applying this patch. Finally, I would like to express my gratitude to David Rheinsberg and Barnabás Pőcze for initiating the discussion on the topic of sealability. [1] https://lore.kernel.org/lkml/20230714114753.170814-1-david@readahead.eu/ [2] https://lore.kernel.org/lkml/20240513191544.94754-1-pobrn@protonmail.com/ [3] https://lore.kernel.org/lkml/20240524033933.135049-1-jeffxu@google.com/ v3: Additional Randy Dunlap' comments. v2: Update according to Randy Dunlap' comments. https://lore.kernel.org/linux-mm/20240611034903.3456796-1-jeffxu@chromium.o… v1: https://lore.kernel.org/linux-mm/20240607203543.2151433-1-jeffxu@google.com/ Jeff Xu (1): mm/memfd: add documentation for MFD_NOEXEC_SEAL MFD_EXEC Documentation/userspace-api/index.rst | 1 + Documentation/userspace-api/mfd_noexec.rst | 86 ++++++++++++++++++++++ 2 files changed, 87 insertions(+) create mode 100644 Documentation/userspace-api/mfd_noexec.rst -- 2.45.2.505.gda0bf45e8d-goog

7 months, 1 week

1
1
0 0

[PATCH v2 0/1] mm/memfd: add documentation for MFD_NOEXEC_SEAL

by jeffxu＠chromium.org

From: Jeff Xu <jeffxu(a)chromium.org> When MFD_NOEXEC_SEAL was introduced, there was one big mistake: it didn't have proper documentation. This led to a lot of confusion, especially about whether or not memfd created with the MFD_NOEXEC_SEAL flag is sealable. Before MFD_NOEXEC_SEAL, memfd had to explicitly set MFD_ALLOW_SEALING to be sealable, so it's a fair question. As one might have noticed, unlike other flags in memfd_create, MFD_NOEXEC_SEAL is actually a combination of multiple flags. The idea is to make it easier to use memfd in the most common way, which is NOEXEC + F_SEAL_EXEC + MFD_ALLOW_SEALING. This works with sysctl vm.noexec to help existing applications move to a more secure way of using memfd. Proposals have been made to put MFD_NOEXEC_SEAL non-sealable, unless MFD_ALLOW_SEALING is set, to be consistent with other flags [1] [2], Those are based on the viewpoint that each flag is an atomic unit, which is a reasonable assumption. However, MFD_NOEXEC_SEAL was designed with the intent of promoting the most secure method of using memfd, therefore a combination of multiple functionalities into one bit. Furthermore, the MFD_NOEXEC_SEAL has been added for more than one year, and multiple applications and distributions have backported and utilized it. Altering ABI now presents a degree of risk and may lead to disruption. MFD_NOEXEC_SEAL is a new flag, and applications must change their code to use it. There is no backward compatibility problem. When sysctl vm.noexec == 1 or 2, applications that don't set MFD_NOEXEC_SEAL or MFD_EXEC will get MFD_NOEXEC_SEAL memfd. And old-application might break, that is by-design, in such a system vm.noexec = 0 shall be used. Also no backward compatibility problem. I propose to include this documentation patch to assist in clarifying the semantics of MFD_NOEXEC_SEAL, thereby preventing any potential future confusion. This patch supersede previous patch which is trying different direction [3], and please remove [2] from mm-unstable branch when applying this patch. Finally, I would like to express my gratitude to David Rheinsberg and Barnabás Pőcze for initiating the discussion on the topic of sealability. [1] https://lore.kernel.org/lkml/20230714114753.170814-1-david@readahead.eu/ [2] https://lore.kernel.org/lkml/20240513191544.94754-1-pobrn@protonmail.com/ [3] https://lore.kernel.org/lkml/20240524033933.135049-1-jeffxu@google.com/ v2: Update according to Randy Dunlap' comments. v1: https://lore.kernel.org/linux-mm/20240607203543.2151433-1-jeffxu@google.com/ Jeff Xu (1): mm/memfd: add documentation for MFD_NOEXEC_SEAL MFD_EXEC Documentation/userspace-api/index.rst | 1 + Documentation/userspace-api/mfd_noexec.rst | 86 ++++++++++++++++++++++ 2 files changed, 87 insertions(+) create mode 100644 Documentation/userspace-api/mfd_noexec.rst -- 2.45.2.505.gda0bf45e8d-goog

7 months, 1 week

3
3
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-kselftest-mirror June 2024