[Devel] [PATCH RHEL9 COMMIT] mempolicy: prohibit all NUMA API syscalls in VE
Konstantin Khorenko
khorenko at virtuozzo.com
Tue Feb 1 20:07:49 MSK 2022
The commit is pushed to "branch-rh9-5.14.0-4.vz9.12.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh9-5.14.0-4.vz9.12.4
------>
commit 2341a56daab344fe0c970c9cfb89332df1dcb070
Author: Nikita Yushchenko <nikita.yushchenko at virtuozzo.com>
Date: Tue Feb 1 20:07:49 2022 +0300
mempolicy: prohibit all NUMA API syscalls in VE
Commit 031743575525 ("mempolicy: Prohibit VE processes numa binding
syscalls") partially prohibits NUMA API, but is incomplete.
This patch prohibits all syscalls documented in numa(7) inside VE.
Also, for consistency, all these prohibit operations are moved to the
very beginning of the syscall handlers. This also ensures that -ENOSYS
and not other error is returned.
Fixes: 031743575525 ("mempolicy: Prohibit VE processes numa binding syscalls")
Signed-off-by: Nikita Yushchenko <nikita.yushchenko at virtuozzo.com>
Reviewed-by: Kirill Tkhai <ktkhai at virtuozzo.com>
Feature: prohibit NUMA API inside VE
---
mm/mempolicy.c | 15 ++++++++++++---
mm/migrate.c | 6 ++++++
2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index fb58cc4cf81b..b4d8f047cf74 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1491,9 +1491,6 @@ static long kernel_set_mempolicy(int mode, const unsigned long __user *nmask,
int lmode = mode;
int err;
- if (!ve_is_super(get_exec_env()))
- return -ENOSYS;
-
err = sanitize_mpol_flags(&lmode, &mode_flags);
if (err)
return err;
@@ -1508,6 +1505,9 @@ static long kernel_set_mempolicy(int mode, const unsigned long __user *nmask,
SYSCALL_DEFINE3(set_mempolicy, int, mode, const unsigned long __user *, nmask,
unsigned long, maxnode)
{
+ if (!ve_is_super(get_exec_env()))
+ return -ENOSYS;
+
return kernel_set_mempolicy(mode, nmask, maxnode);
}
@@ -1641,6 +1641,9 @@ SYSCALL_DEFINE5(get_mempolicy, int __user *, policy,
unsigned long __user *, nmask, unsigned long, maxnode,
unsigned long, addr, unsigned long, flags)
{
+ if (!ve_is_super(get_exec_env()))
+ return -ENOSYS;
+
return kernel_get_mempolicy(policy, nmask, maxnode, addr, flags);
}
@@ -1686,6 +1689,9 @@ COMPAT_SYSCALL_DEFINE3(set_mempolicy, int, mode, compat_ulong_t __user *, nmask,
unsigned long nr_bits, alloc_size;
DECLARE_BITMAP(bm, MAX_NUMNODES);
+ if (!ve_is_super(get_exec_env()))
+ return -ENOSYS;
+
nr_bits = min_t(unsigned long, maxnode-1, MAX_NUMNODES);
alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
@@ -1736,6 +1742,9 @@ COMPAT_SYSCALL_DEFINE4(migrate_pages, compat_pid_t, pid,
unsigned long nr_bits;
unsigned long size;
+ if (!ve_is_super(get_exec_env()))
+ return -ENOSYS;
+
nr_bits = min_t(unsigned long, maxnode - 1, MAX_NUMNODES);
size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
if (old_nodes) {
diff --git a/mm/migrate.c b/mm/migrate.c
index 0d18e8e6d1c9..b51417854f22 100644
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -1941,6 +1941,9 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
const int __user *, nodes,
int __user *, status, int, flags)
{
+ if (!ve_is_super(get_exec_env()))
+ return -ENOSYS;
+
return kernel_move_pages(pid, nr_pages, pages, nodes, status, flags);
}
@@ -1954,6 +1957,9 @@ COMPAT_SYSCALL_DEFINE6(move_pages, pid_t, pid, compat_ulong_t, nr_pages,
const void __user * __user *pages;
int i;
+ if (!ve_is_super(get_exec_env()))
+ return -ENOSYS;
+
pages = compat_alloc_user_space(nr_pages * sizeof(void *));
for (i = 0; i < nr_pages; i++) {
compat_uptr_t p;
More information about the Devel
mailing list