    mm: introduce MAP_SHARED_VALIDATE, a mechanism to safely define new mmap flags · 1c972597
    Dan Williams authored
    The mmap(2) syscall suffers from the ABI anti-pattern of not validating
    unknown flags. However, proposals like MAP_SYNC need a mechanism to
    define new behavior that is known to fail on older kernels without the
    support. Define a new MAP_SHARED_VALIDATE flag pattern that is
    guaranteed to fail on all legacy mmap implementations.
    
    It is worth noting that the original proposal was for a standalone
    MAP_VALIDATE flag. However, when that could not be supported by all
    archs Linus observed:
    
        I see why you *think* you want a bitmap. You think you want
        a bitmap because you want to make MAP_VALIDATE be part of MAP_SYNC
        etc, so that people can do
    
        ret = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED
    		    | MAP_SYNC, fd, 0);
    
        and "know" that MAP_SYNC actually takes.
    
        And I'm saying that whole wish is bogus. You're fundamentally
        depending on special semantics, just make it explicit. It's already
        not portable, so don't try to make it so.
    
        Rename that MAP_VALIDATE as MAP_SHARED_VALIDATE, make it have a value
        of 0x3, and make people do
    
        ret = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED_VALIDATE
    		    | MAP_SYNC, fd, 0);
    
        and then the kernel side is easier too (none of that random garbage
        playing games with looking at the "MAP_VALIDATE bit", but just another
        case statement in that map type thing.
    
        Boom. Done.
    
    Similar to ->fallocate() we also want the ability to validate the
    support for new flags on a per ->mmap() 'struct file_operations'
    instance basis.  Towards that end arrange for flags to be generically
    validated against a mmap_supported_flags exported by 'struct
    file_operations'. By default all existing flags are implicitly
    supported, but new flags require MAP_SHARED_VALIDATE and
    per-instance-opt-in.
    
    Cc: Jan Kara <jack@suse.cz>
    Cc: Arnd Bergmann <arnd@arndb.de>
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Suggested-by: Christoph Hellwig <hch@lst.de>
    Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
    Reviewed-by: Ross Zwisler <ross.zwisler@linux.intel.com>
    Signed-off-by: Dan Williams <dan.j.williams@intel.com>
    Signed-off-by: Jan Kara <jack@suse.cz>
    Signed-off-by: Dan Williams <dan.j.williams@intel.com>
mman.h 3.38 KB
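
A userspace view of the pattern the commit message describes, as an added example that is not part of the commit or the kernel tree: the caller asks for MAP_SYNC through MAP_SHARED_VALIDATE, so a kernel or file that cannot honour it returns an error, and only then falls back to a plain shared mapping. `map_persistent` and `store_record` are hypothetical helpers, the `#ifndef` macro values are fallbacks for older libc headers, and the record is constructed sample data.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#ifndef MAP_SHARED_VALIDATE
#define MAP_SHARED_VALIDATE 0x03  /* value given in the commit message */
#endif
#ifndef MAP_SYNC
#define MAP_SYNC 0x080000         /* assumption: kernel generic uapi value */
#endif

/* Hypothetical helper: request MAP_SYNC so that it cannot be silently ignored.
 * *synced is 1 only if both the kernel and the file's ->mmap() accepted the
 * flag; otherwise the caller gets an ordinary MAP_SHARED mapping and is told. */
void *map_persistent(int fd, size_t len, int *synced)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_SHARED_VALIDATE | MAP_SYNC, fd, 0);
    *synced = (p != MAP_FAILED);
    if (p != MAP_FAILED)
        return p;
    /* EOPNOTSUPP: flag unsupported for this file. EINVAL: map type 0x3 is
     * unknown to a kernel that predates MAP_SHARED_VALIDATE. */
    if (errno != EOPNOTSUPP && errno != EINVAL)
        return MAP_FAILED;
    return mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
}

/* Hypothetical helper: write through the mapping. msync() is valid for either
 * mapping type; *synced reports which durability model was actually granted. */
int store_record(int fd, size_t len, const char *rec, int *synced)
{
    char *p = map_persistent(fd, len, synced);
    if (p == MAP_FAILED)
        return -1;
    strncpy(p, rec, len - 1);
    int rc = msync(p, len, MS_SYNC);
    munmap(p, len);
    return rc;
}

int main(void)
{
    FILE *f = tmpfile();  /* constructed scratch file, normally not DAX-backed */
    int synced = 0;
    if (!f || ftruncate(fileno(f), 4096) ||
        store_record(fileno(f), 4096, "constructed sample record", &synced))
        return 1;
    printf("MAP_SYNC honoured: %s\n", synced ? "yes" : "no, plain MAP_SHARED");
    return 0;
}
```

With `MAP_SHARED | MAP_SYNC` instead, the same call succeeds on a file that does not support MAP_SYNC and the caller has no way to tell that the flag was dropped.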