From patchwork Wed May 9 17:13:58 2018
X-Patchwork-Submitter: Dave Hansen
X-Patchwork-Id: 10390269
Subject: [PATCH 13/13] x86/pkeys: Do not special case protection key 0
To: linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org, Dave Hansen, stable@vger.kernel.org, linuxram@us.ibm.com, tglx@linutronix.de, dave.hansen@intel.com, mpe@ellerman.id.au, mingo@kernel.org, akpm@linux-foundation.org, shuah@kernel.org
From: Dave Hansen
Date: Wed, 09 May 2018 10:13:58 -0700
References: <20180509171336.76636D88@viggo.jf.intel.com>
In-Reply-To: <20180509171336.76636D88@viggo.jf.intel.com>
Message-Id: <20180509171358.47FD785E@viggo.jf.intel.com>

From: Dave Hansen

mm_pkey_is_allocated() treats pkey 0 as unallocated. That is inconsistent with the manpages, and also inconsistent with mm->context.pkey_allocation_map. Stop special casing it and only disallow values that are actually bad (< 0).

The end-user visible effect of this is that you can now use mprotect_pkey() to set pkey=0.

This is a bit nicer than what Ram proposed[1] because it is simpler and removes special-casing for pkey 0. On the other hand, it does allow applications to pkey_free() pkey-0, but that's just a silly thing to do, so we are not going to protect against it.

The scenario that could happen is similar to what happens if you free any other pkey that is in use: it might get reallocated later and used to protect some other data. The most likely scenario is that pkey-0 comes back from pkey_alloc(), an access-disable or write-disable bit is set in PKRU for it, and the next stack access will SIGSEGV. It's not horribly different from if you mprotect()'d your stack or heap to be unreadable or unwritable, which is generally very foolish, but also not explicitly prevented by the kernel.

1. http://lkml.kernel.org/r/1522112702-27853-1-git-send-email-linuxram@us.ibm.com

Signed-off-by: Dave Hansen Fixes: 58ab9a088dda ("x86/pkeys: Check against max pkey to avoid overflows") Cc: stable@vger.kernel.org Cc: Ram Pai Cc: Thomas Gleixner Cc: Dave Hansen Cc: Michael Ellermen Cc: Ingo Molnar Cc: Andrew Morton p Cc: Shuah Khan --- b/arch/x86/include/asm/mmu_context.h | 2 +- b/arch/x86/include/asm/pkeys.h | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff -puN arch/x86/include/asm/mmu_context.h~x86-pkey-0-default-allocated arch/x86/include/asm/mmu_context.h --- a/arch/x86/include/asm/mmu_context.h~x86-pkey-0-default-allocated 2018-05-09 09:20:24.362698393 -0700 +++ b/arch/x86/include/asm/mmu_context.h 2018-05-09 09:20:24.367698393 -0700 @@ -193,7 +193,7 @@ static inline int init_new_context(struc #ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS if (cpu_feature_enabled(X86_FEATURE_OSPKE)) { - /* pkey 0 is the default and always allocated */ + /* pkey 0 is the default and allocated implicitly */ mm->context.pkey_allocation_map = 0x1; /* -1 means unallocated or invalid */ mm->context.execute_only_pkey = -1; diff -puN arch/x86/include/asm/pkeys.h~x86-pkey-0-default-allocated arch/x86/include/asm/pkeys.h --- a/arch/x86/include/asm/pkeys.h~x86-pkey-0-default-allocated 2018-05-09 09:20:24.364698393 -0700 +++ b/arch/x86/include/asm/pkeys.h 2018-05-09 09:20:24.367698393 -0700 @@ -51,10 +51,10 @@ bool mm_pkey_is_allocated(struct mm_stru { /* * "Allocated" pkeys are those that have been returned - * from pkey_alloc(). pkey 0 is special, and never - * returned from pkey_alloc(). + * from pkey_alloc() or pkey 0 which is allocated + * implicitly when the mm is created. */ - if (pkey <= 0) + if (pkey < 0) return false; if (pkey >= arch_max_pkey()) return false;
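
Review bot: in the init_new_context() hunk of mmu_context.h, the reworded comment "pkey 0 is the default and allocated implicitly" no longer tells the reader whether bit 0 of pkey_allocation_map is an invariant. The old wording ("always allocated") read as one, and the changelog says pkey_free() on pkey 0 is now permitted. Suggest saying so at the point where the map is set to 0x1, for example that 0x1 is only the initial state and userspace may clear it, so later readers do not assume bit 0 is always set.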
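
Review bot: the "if (pkey < 0)" change in mm_pkey_is_allocated() (pkeys.h) alters user-visible behaviour and is Cc'd to stable, but the diffstat lists only the two headers and no test. If the earlier patches in this series do not already cover it, please add a selftest that a request with pkey=0 is now accepted, plus one that pins down the behaviour after pkey_free() of pkey 0, since the changelog accepts that case deliberately rather than rejecting it. Minor, in the same hunk: the new comment reads more clearly as "returned from pkey_alloc(), or pkey 0, which is allocated implicitly when the mm is created".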