On Tue, Dec 12, 2017 at 10:05 AM, Peter Zijlstra <pet...@infradead.org> wrote: > On Tue, Dec 12, 2017 at 10:00:08AM -0800, Andy Lutomirski wrote: >> On Tue, Dec 12, 2017 at 9:32 AM, Thomas Gleixner <t...@linutronix.de> wrote: >> > From: Peter Zijstra <pet...@infradead.org> >> > >> > In order to create VMAs that are not accessible to userspace create a new >> > VM_NOUSER flag. This can be used in conjunction with >> > install_special_mapping() to inject 'kernel' data into the userspace map. >> > >> > Similar to how arch_vm_get_page_prot() allows adding _PAGE_flags to >> > pgprot_t, introduce arch_vm_get_page_prot_excl() which masks >> > _PAGE_flags from pgprot_t and use this to implement VM_NOUSER for x86. >> >> How does this interact with get_user_pages(), etc? > > gup would find the page. These patches do in fact rely on that through > the populate things. >
Blech. So you can write(2) from the LDT to a file and you can even sendfile it, perhaps. What happens if it's get_user_page()'d when modify_ldt() wants to free it? This patch series scares the crap out of me.
