From nobody Sat Feb 7 20:47:51 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6D5DC12EBE7 for ; Mon, 25 Mar 2024 13:41:33 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711374095; cv=none; b=ZUTWvYjTnVablrg+CBv3U5iVsPsK0ojNHBU7DyDXdLbJaU3WSW89j3iPw+L/IgWOTQORI3WdLbio40fp5nOerwumlEYrqmWlQmi97Z5HLkAvz/Z1y7/6dnfLiqXjojV0GJxFmCV9Tip12oba97Wl7+4lhryZvXf8v+cqIRlXB1Y= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711374095; c=relaxed/simple; bh=PiNEWr5x90esMmfh7ZHofO9+fLGzeXqEHD3NoBMXM3I=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=GQjgAu7oQJa+kFIztyTzQHXm9NpwR6U0VMpcPBiJcZDFTfLkx3UaRC3z3tmuA1Q+x8pMzEQYE8llIWkyCRtJapuGiyDJ1mBrUNrQfiDgIT4F2msHmXJzEH0ZOETtlN/s/K5usgLrYw5KOCcwOB5SCTbvIWbIjCV5JmJNxUK3ZAo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=M2DBbpap; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="M2DBbpap" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1711374092; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=jIOwlwxzzcSMslwXLrjLWmaoHhvyTmqwx/xJnqLqn6Y=; b=M2DBbpapGnLzEPs+bXuQwUrOy3YBy/lVizcbrp4SaDqtF2Xo2u3Hv++dgg9U4/x8RV1eeu vDEIM6cyrikrsdYBsF6tsv4IerHL+JDxgHxyvU0nJxDiVchItsPFcqQUCHHK/YH11ucz4Z OJOoToS/g6QWZmHRktd8eoUrZzYD3sY= Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-556-beZWhhHSNDqBQcS9cJvtwA-1; Mon, 25 Mar 2024 09:41:29 -0400 X-MC-Unique: beZWhhHSNDqBQcS9cJvtwA-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id A6DE438035AB; Mon, 25 Mar 2024 13:41:28 +0000 (UTC) Received: from t14s.redhat.com (unknown [10.39.193.143]) by smtp.corp.redhat.com (Postfix) with ESMTP id AAFEF2166B5D; Mon, 25 Mar 2024 13:41:25 +0000 (UTC) From: David Hildenbrand To: linux-kernel@vger.kernel.org Cc: linux-mm@kvack.org, David Hildenbrand , Andrew Morton , Mike Rapoport , Miklos Szeredi , Lorenzo Stoakes , xingwei lee , yue sun , Miklos Szeredi , stable@vger.kernel.org Subject: [PATCH v1 1/3] mm/secretmem: fix GUP-fast succeeding on secretmem folios Date: Mon, 25 Mar 2024 14:41:12 +0100 Message-ID: <20240325134114.257544-2-david@redhat.com> In-Reply-To: <20240325134114.257544-1-david@redhat.com> References: <20240325134114.257544-1-david@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.6 Content-Type: text/plain; charset="utf-8" folio_is_secretmem() states that secretmem folios cannot be LRU folios: so we may only exit early if we find an LRU folio. Yet, we exit early if we find a folio that is not a secretmem folio. Consequently, folio_is_secretmem() fails to detect secretmem folios and, therefore, we can succeed in grabbing a secretmem folio during GUP-fast, crashing the kernel when we later try reading/writing to the folio, because the folio has been unmapped from the directmap. Reported-by: xingwei lee Reported-by: yue sun Closes: https://lore.kernel.org/lkml/CABOYnLyevJeravW=3DQrH0JUPYEcDN160aZFb= 7kwndm-J2rmz0HQ@mail.gmail.com/ Debugged-by: Miklos Szeredi Reviewed-by: Mike Rapoport (IBM) Tested-by: Miklos Szeredi Fixes: 1507f51255c9 ("mm: introduce memfd_secret system call to create "sec= ret" memory areas") Cc: Signed-off-by: David Hildenbrand --- include/linux/secretmem.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/secretmem.h b/include/linux/secretmem.h index 35f3a4a8ceb1..6996f1f53f14 100644 --- a/include/linux/secretmem.h +++ b/include/linux/secretmem.h @@ -16,7 +16,7 @@ static inline bool folio_is_secretmem(struct folio *folio) * We know that secretmem pages are not compound and LRU so we can * save a couple of cycles here. */ - if (folio_test_large(folio) || !folio_test_lru(folio)) + if (folio_test_large(folio) || folio_test_lru(folio)) return false; =20 mapping =3D (struct address_space *) --=20 2.43.2 From nobody Sat Feb 7 20:47:51 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 32F1412F36E for ; Mon, 25 Mar 2024 13:41:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711374099; cv=none; b=saYcXHWbinDY+HvzYPdg9VtcM7cuianlD60crQRlVIBNxsGB3bs5/V9114lGm+mnCnRZJ0Bemx4sw3Yi7SoYjACbx/NuQmfHgS8G5QrfaJURChTJy0F/L4qN2OK+4p5UCO8iKSZP0PjKfNpInueFHkK8K69m6Z9b3WGDcPkJCvY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711374099; c=relaxed/simple; bh=rZ16SU0IrCGHRKMpmlvaaUlMrrEbSltSWDadSv6s3XM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=NGCXMkOLM2qqOeJhXRQbSyenNy7Q5VqZEYbtc4K3ZwqhKsdLE0bC8LVAX3OOA1rBm+RlVdFDsgQptlCaeDH3H4mi+dOrivGvI6vhOznPpZ3WFZR8XHUgYtBFOwDGFuuKI98LfvfgoCUpQdeq6ZJW6gy3QGS+J5i0xSSe/MzIObc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=iSZkONXR; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="iSZkONXR" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1711374097; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=cpEPWSpCeTwbxNQN5JgorLS4hcdt0dP0Q44OLrNb3L4=; b=iSZkONXRerQZMTaJGM8WiKLxH/0EghWhtQl6tgElHySIQCM2p2IAxlOfAI3ielGGgf/3y4 hUOmwDu8HyjJpf0u4H1CiDiEwEpbEegBofatjbj42GlBoO4kRBk5v6J/I+0nXdWAMM58Fa APWkkEaJhvwMTh00yT/yAyohqTuCd8s= Received: from mimecast-mx02.redhat.com (mx-ext.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-398-TiJUf4AYOGuuhRDZm9FyBA-1; Mon, 25 Mar 2024 09:41:31 -0400 X-MC-Unique: TiJUf4AYOGuuhRDZm9FyBA-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 696A73CBD4E7; Mon, 25 Mar 2024 13:41:31 +0000 (UTC) Received: from t14s.redhat.com (unknown [10.39.193.143]) by smtp.corp.redhat.com (Postfix) with ESMTP id 0EA692166B31; Mon, 25 Mar 2024 13:41:28 +0000 (UTC) From: David Hildenbrand To: linux-kernel@vger.kernel.org Cc: linux-mm@kvack.org, David Hildenbrand , Andrew Morton , Mike Rapoport , Miklos Szeredi , Lorenzo Stoakes , xingwei lee , yue sun Subject: [PATCH v1 2/3] selftests/memfd_secret: add vmsplice() test Date: Mon, 25 Mar 2024 14:41:13 +0100 Message-ID: <20240325134114.257544-3-david@redhat.com> In-Reply-To: <20240325134114.257544-1-david@redhat.com> References: <20240325134114.257544-1-david@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.6 Content-Type: text/plain; charset="utf-8" Let's add a simple reproducer for a scneario where GUP-fast could succeed on secretmem folios, making vmsplice() succeed instead of failing. The reproducer is based on a reproducer [1] by Miklos Szeredi. Perform the ftruncate() only once, and check the return value. For some reason, vmsplice() reliably fails (making the test succeed) when we move the test_vmsplice() call after test_process_vm_read() / test_ptrace(). Properly cleaning up in test_remote_access(), which is not part of this change, won't change that behavior. Therefore, run the vmsplice() test for now first -- something is a bit off once we involve fork(). [1] https://lkml.kernel.org/r/CAJfpegt3UCsMmxd0taOY11Uaw5U=3DeS1fE5dn0wZX3H= F0oy8-oQ@mail.gmail.com Signed-off-by: David Hildenbrand Reviewed-by: Mike Rapoport (IBM) --- tools/testing/selftests/mm/memfd_secret.c | 44 +++++++++++++++++++++-- 1 file changed, 42 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/mm/memfd_secret.c b/tools/testing/self= tests/mm/memfd_secret.c index 9b298f6a04b3..0acbdcf8230e 100644 --- a/tools/testing/selftests/mm/memfd_secret.c +++ b/tools/testing/selftests/mm/memfd_secret.c @@ -20,6 +20,7 @@ #include #include #include +#include =20 #include "../kselftest.h" =20 @@ -83,6 +84,43 @@ static void test_mlock_limit(int fd) pass("mlock limit is respected\n"); } =20 +static void test_vmsplice(int fd) +{ + ssize_t transferred; + struct iovec iov; + int pipefd[2]; + char *mem; + + if (pipe(pipefd)) { + fail("pipe failed: %s\n", strerror(errno)); + return; + } + + mem =3D mmap(NULL, page_size, prot, mode, fd, 0); + if (mem =3D=3D MAP_FAILED) { + fail("Unable to mmap secret memory\n"); + goto close_pipe; + } + + /* + * vmsplice() may use GUP-fast, which must also fail. Prefault the + * page table, so GUP-fast could find it. + */ + memset(mem, PATTERN, page_size); + + iov.iov_base =3D mem; + iov.iov_len =3D page_size; + transferred =3D vmsplice(pipefd[1], &iov, 1, 0); + + ksft_test_result(transferred < 0 && errno =3D=3D EFAULT, + "vmsplice is blocked as expected\n"); + + munmap(mem, page_size); +close_pipe: + close(pipefd[0]); + close(pipefd[1]); +} + static void try_process_vm_read(int fd, int pipefd[2]) { struct iovec liov, riov; @@ -187,7 +225,6 @@ static void test_remote_access(int fd, const char *name, return; } =20 - ftruncate(fd, page_size); memset(mem, PATTERN, page_size); =20 if (write(pipefd[1], &mem, sizeof(mem)) < 0) { @@ -258,7 +295,7 @@ static void prepare(void) strerror(errno)); } =20 -#define NUM_TESTS 4 +#define NUM_TESTS 5 =20 int main(int argc, char *argv[]) { @@ -277,9 +314,12 @@ int main(int argc, char *argv[]) ksft_exit_fail_msg("memfd_secret failed: %s\n", strerror(errno)); } + if (ftruncate(fd, page_size)) + ksft_exit_fail_msg("ftruncate failed: %s\n", strerror(errno)); =20 test_mlock_limit(fd); test_file_apis(fd); + test_vmsplice(fd); test_process_vm_read(fd); test_ptrace(fd); =20 --=20 2.43.2 From nobody Sat Feb 7 20:47:51 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 73D7F12EBF5 for ; Mon, 25 Mar 2024 13:41:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711374098; cv=none; b=pODqu2AeGLjMoVaWCS+YatGWgnrU6qEO01unTSMA2E3OBgbKSiuMp0aSqDfAltzlRVlqyzecaGwfS2iCOqNSwNpdRgGiTVbElUkiPY+an4Y+i7GfMV11XYSzzPeIpjwjNecn1ddHc0K0k+ezV5Kbi788D39Bt7+NoJNGiR/xfoo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711374098; c=relaxed/simple; bh=ufmhHPno35Aswdh7/D26+ER0Egnsv57oShMgoyo921A=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=ZrM1SdzckvzVxhd7ExTONAOXQKhUjbXf+aCd6PY3rh/bPaRWmFvEYrjTx7b9hGznGUVzdDTvNWDalqHzCWg1GJm/fWhFYRhyJvyMbSeTo+8BCzTG2eAObfh9Ii12gQqu1esKxCWSGU78Af+9MATx5BuNuDd6h41i4q/Uab+0Nvc= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=VVw8RsVd; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="VVw8RsVd" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1711374095; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=CokJpVlNHQkDeOM8Ax0bVh3dvCSI52pFoSUWrkagN08=; b=VVw8RsVdD4AFEcUu4arvjMGNaTtSAkqd9JbZufWzX5IKIcmXUQBcHjtQ9brMAkpjtRlPts UaxMJRi4HuN3ZVOwHgFJuxOrlpxqKyGSEDSsUzZcopKh3euBHcnuk1sQZ6d+OzeSzAkUzn 6VojpoQqAmu4i1ovgGNDVQ9f/cn8CvA= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-373-tEBRYUiQPDClGkgaC9S8ug-1; Mon, 25 Mar 2024 09:41:33 -0400 X-MC-Unique: tEBRYUiQPDClGkgaC9S8ug-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 4A2D5891E69; Mon, 25 Mar 2024 13:41:33 +0000 (UTC) Received: from t14s.redhat.com (unknown [10.39.193.143]) by smtp.corp.redhat.com (Postfix) with ESMTP id B5DA62166B35; Mon, 25 Mar 2024 13:41:31 +0000 (UTC) From: David Hildenbrand To: linux-kernel@vger.kernel.org Cc: linux-mm@kvack.org, David Hildenbrand , Andrew Morton , Mike Rapoport , Miklos Szeredi , Lorenzo Stoakes , xingwei lee , yue sun Subject: [PATCH v1 3/3] mm: merge folio_is_secretmem() into folio_fast_pin_allowed() Date: Mon, 25 Mar 2024 14:41:14 +0100 Message-ID: <20240325134114.257544-4-david@redhat.com> In-Reply-To: <20240325134114.257544-1-david@redhat.com> References: <20240325134114.257544-1-david@redhat.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.6 Content-Type: text/plain; charset="utf-8" folio_is_secretmem() is currently only used during GUP-fast, and using it in wrong context where concurrent truncation might happen, could be problematic. Nowadays, folio_fast_pin_allowed() performs similar checks during GUP-fast and contains a lot of careful handling -- READ_ONCE( -- ), sanity checks -- lockdep_assert_irqs_disabled() -- and helpful comments on how this handling is safe and correct. So let's merge folio_is_secretmem() into folio_fast_pin_allowed(), still avoiding checking the actual mapping only if really required. Signed-off-by: David Hildenbrand Reviewed-by: Mike Rapoport (IBM) --- include/linux/secretmem.h | 21 ++------------------- mm/gup.c | 33 +++++++++++++++++++++------------ 2 files changed, 23 insertions(+), 31 deletions(-) diff --git a/include/linux/secretmem.h b/include/linux/secretmem.h index 6996f1f53f14..e918f96881f5 100644 --- a/include/linux/secretmem.h +++ b/include/linux/secretmem.h @@ -6,25 +6,8 @@ =20 extern const struct address_space_operations secretmem_aops; =20 -static inline bool folio_is_secretmem(struct folio *folio) +static inline bool secretmem_mapping(struct address_space *mapping) { - struct address_space *mapping; - - /* - * Using folio_mapping() is quite slow because of the actual call - * instruction. - * We know that secretmem pages are not compound and LRU so we can - * save a couple of cycles here. - */ - if (folio_test_large(folio) || folio_test_lru(folio)) - return false; - - mapping =3D (struct address_space *) - ((unsigned long)folio->mapping & ~PAGE_MAPPING_FLAGS); - - if (!mapping || mapping !=3D folio->mapping) - return false; - return mapping->a_ops =3D=3D &secretmem_aops; } =20 @@ -38,7 +21,7 @@ static inline bool vma_is_secretmem(struct vm_area_struct= *vma) return false; } =20 -static inline bool folio_is_secretmem(struct folio *folio) +static inline bool secretmem_mapping(struct address_space *mapping) { return false; } diff --git a/mm/gup.c b/mm/gup.c index e7510b6ce765..69d8bc8e4451 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -2472,6 +2472,8 @@ EXPORT_SYMBOL(get_user_pages_unlocked); * This call assumes the caller has pinned the folio, that the lowest page= table * level still points to this folio, and that interrupts have been disable= d. * + * GUP-fast must reject all secretmem folios. + * * Writing to pinned file-backed dirty tracked folios is inherently proble= matic * (see comment describing the writable_file_mapping_allowed() function). = We * therefore try to avoid the most egregious case of a long-term mapping d= oing @@ -2484,22 +2486,32 @@ EXPORT_SYMBOL(get_user_pages_unlocked); static bool folio_fast_pin_allowed(struct folio *folio, unsigned int flags) { struct address_space *mapping; + bool check_secretmem =3D false; + bool reject_file_backed =3D false; unsigned long mapping_flags; =20 /* * If we aren't pinning then no problematic write can occur. A long term * pin is the most egregious case so this is the one we disallow. */ - if ((flags & (FOLL_PIN | FOLL_LONGTERM | FOLL_WRITE)) !=3D + if ((flags & (FOLL_PIN | FOLL_LONGTERM | FOLL_WRITE)) =3D=3D (FOLL_PIN | FOLL_LONGTERM | FOLL_WRITE)) - return true; + reject_file_backed =3D true; + + /* We hold a folio reference, so we can safely access folio fields. */ =20 - /* The folio is pinned, so we can safely access folio fields. */ + /* secretmem folios are only order-0 folios and never LRU folios. */ + if (IS_ENABLED(CONFIG_SECRETMEM) && !folio_test_large(folio) && + !folio_test_lru(folio)) + check_secretmem =3D true; + + if (!reject_file_backed && !check_secretmem) + return true; =20 if (WARN_ON_ONCE(folio_test_slab(folio))) return false; =20 - /* hugetlb mappings do not require dirty-tracking. */ + /* hugetlb neither requires dirty-tracking nor can be secretmem. */ if (folio_test_hugetlb(folio)) return true; =20 @@ -2535,10 +2547,12 @@ static bool folio_fast_pin_allowed(struct folio *fo= lio, unsigned int flags) =20 /* * At this point, we know the mapping is non-null and points to an - * address_space object. The only remaining whitelisted file system is - * shmem. + * address_space object. */ - return shmem_mapping(mapping); + if (check_secretmem && secretmem_mapping(mapping)) + return false; + /* The only remaining allowed file system is shmem. */ + return !reject_file_backed || shmem_mapping(mapping); } =20 static void __maybe_unused undo_dev_pagemap(int *nr, int nr_start, @@ -2624,11 +2638,6 @@ static int gup_pte_range(pmd_t pmd, pmd_t *pmdp, uns= igned long addr, if (!folio) goto pte_unmap; =20 - if (unlikely(folio_is_secretmem(folio))) { - gup_put_folio(folio, 1, flags); - goto pte_unmap; - } - if (unlikely(pmd_val(pmd) !=3D pmd_val(*pmdp)) || unlikely(pte_val(pte) !=3D pte_val(ptep_get(ptep)))) { gup_put_folio(folio, 1, flags); --=20 2.43.2