[Devel] [PATCH vz9] mempolicy: prohibit all NUMA API syscalls in VE
Kirill Tkhai
ktkhai at virtuozzo.com
Mon Jan 31 16:58:29 MSK 2022
On 28.01.2022 13:35, Nikita Yushchenko wrote:
> Commit 031743575525 ("mempolicy: Prohibit VE processes numa binding
> syscalls") partially prohibits NUMA API, but is incomplete.
>
> This patch prohibits all syscalls documented in numa(7) inside VE.
>
> Also, for consistency, all these prohibit operations are moved to the
> very beginning of the syscall handlers. This also ensures that -ENOSYS
> and not other error is returned.
>
> Fixes: 031743575525 ("mempolicy: Prohibit VE processes numa binding syscalls")
> Signed-off-by: Nikita Yushchenko <nikita.yushchenko at virtuozzo.com>
> Feature: prohibit NUMA API inside VE
Reviewed-by: Kirill Tkhai <ktkhai at virtuozzo.com>
> ---
> mm/mempolicy.c | 15 ++++++++++++---
> mm/migrate.c | 6 ++++++
> 2 files changed, 18 insertions(+), 3 deletions(-)
>
> diff --git a/mm/mempolicy.c b/mm/mempolicy.c
> index fb58cc4cf81b..b4d8f047cf74 100644
> --- a/mm/mempolicy.c
> +++ b/mm/mempolicy.c
> @@ -1491,9 +1491,6 @@ static long kernel_set_mempolicy(int mode, const unsigned long __user *nmask,
> int lmode = mode;
> int err;
>
> - if (!ve_is_super(get_exec_env()))
> - return -ENOSYS;
> -
> err = sanitize_mpol_flags(&lmode, &mode_flags);
> if (err)
> return err;
> @@ -1508,6 +1505,9 @@ static long kernel_set_mempolicy(int mode, const unsigned long __user *nmask,
> SYSCALL_DEFINE3(set_mempolicy, int, mode, const unsigned long __user *, nmask,
> unsigned long, maxnode)
> {
> + if (!ve_is_super(get_exec_env()))
> + return -ENOSYS;
> +
> return kernel_set_mempolicy(mode, nmask, maxnode);
> }
>
> @@ -1641,6 +1641,9 @@ SYSCALL_DEFINE5(get_mempolicy, int __user *, policy,
> unsigned long __user *, nmask, unsigned long, maxnode,
> unsigned long, addr, unsigned long, flags)
> {
> + if (!ve_is_super(get_exec_env()))
> + return -ENOSYS;
> +
> return kernel_get_mempolicy(policy, nmask, maxnode, addr, flags);
> }
>
> @@ -1686,6 +1689,9 @@ COMPAT_SYSCALL_DEFINE3(set_mempolicy, int, mode, compat_ulong_t __user *, nmask,
> unsigned long nr_bits, alloc_size;
> DECLARE_BITMAP(bm, MAX_NUMNODES);
>
> + if (!ve_is_super(get_exec_env()))
> + return -ENOSYS;
> +
> nr_bits = min_t(unsigned long, maxnode-1, MAX_NUMNODES);
> alloc_size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
>
> @@ -1736,6 +1742,9 @@ COMPAT_SYSCALL_DEFINE4(migrate_pages, compat_pid_t, pid,
> unsigned long nr_bits;
> unsigned long size;
>
> + if (!ve_is_super(get_exec_env()))
> + return -ENOSYS;
> +
> nr_bits = min_t(unsigned long, maxnode - 1, MAX_NUMNODES);
> size = ALIGN(nr_bits, BITS_PER_LONG) / 8;
> if (old_nodes) {
> diff --git a/mm/migrate.c b/mm/migrate.c
> index 0d18e8e6d1c9..b51417854f22 100644
> --- a/mm/migrate.c
> +++ b/mm/migrate.c
> @@ -1941,6 +1941,9 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
> const int __user *, nodes,
> int __user *, status, int, flags)
> {
> + if (!ve_is_super(get_exec_env()))
> + return -ENOSYS;
> +
> return kernel_move_pages(pid, nr_pages, pages, nodes, status, flags);
> }
>
> @@ -1954,6 +1957,9 @@ COMPAT_SYSCALL_DEFINE6(move_pages, pid_t, pid, compat_ulong_t, nr_pages,
> const void __user * __user *pages;
> int i;
>
> + if (!ve_is_super(get_exec_env()))
> + return -ENOSYS;
> +
> pages = compat_alloc_user_space(nr_pages * sizeof(void *));
> for (i = 0; i < nr_pages; i++) {
> compat_uptr_t p;
More information about the Devel
mailing list