From patchwork Mon May 21 21:11:01 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg Kroah-Hartman X-Patchwork-Id: 10416369 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 201C060365 for ; Mon, 21 May 2018 21:14:45 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0F49328A4E for ; Mon, 21 May 2018 21:14:45 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 03EEE28A6C; Mon, 21 May 2018 21:14:45 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 512F528A4E for ; Mon, 21 May 2018 21:14:44 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 499146B0006; Mon, 21 May 2018 17:14:43 -0400 (EDT) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 47E176B0007; Mon, 21 May 2018 17:14:43 -0400 (EDT) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 35FC56B0008; Mon, 21 May 2018 17:14:43 -0400 (EDT) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from mail-pf0-f197.google.com (mail-pf0-f197.google.com [209.85.192.197]) by kanga.kvack.org (Postfix) with ESMTP id E87816B0006 for ; Mon, 21 May 2018 17:14:42 -0400 (EDT) Received: by mail-pf0-f197.google.com with SMTP id q15-v6so9824815pff.17 for ; Mon, 21 May 2018 14:14:42 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:dkim-signature:from:to:cc:subject:date :message-id:in-reply-to:references:user-agent:mime-version; bh=eqbDwS/kAI6f7Euas/NrTHUqGboGg8peX0ZmzSTSwWo=; b=caUXe7J/pFXiO0ZcVATTfwQJmyMNHG0jTKI+lTZx39qqo7HhJY51okAjgNLGrxpFVd FuD6KmvJpK8Lcqc5G5/8KtqxBjRCVdOOgZPzPh3Qc9AwvUsIBHo5MeJ0cnUpqsLj0o6F 3zOCKt1NNoaWfjN6fTYdtarFNupS+vQNhudF3TwEpOrb6NBJN+eO4U3+U2unpvOkfcaF tAse+QbsgdDAMtb8RtOdfEGVhE6jqxunR6gtdr+2XysLPX/VGimI9S4N+UH3nGmI1NHu CM1+CmYAVGS+xfKHr84KUiCEZMFKWnt20ufURmABVW1+K+lghFIUUHiDG/BnY5nEt+Se Q9hg== X-Gm-Message-State: ALKqPwfmG+tzWKJ2c21Ok8t4qxia4+bYNIGRLcqenZ1BdGYQrEkcGDSt S1pivhEucd6VMiDKNMazfVkF/3vATuug2f+T2G4ENd10YZOUP23dvPhBeJV7pU72iPuB6/l1vN7 ITeRIvAxTkjgV9kMbPk8PmTQ1RmuK2jlYYqrBDfbL57MuiAeUVIF4/dECZo0CVIk= X-Received: by 2002:a17:902:1e2:: with SMTP id b89-v6mr22088537plb.279.1526937282614; Mon, 21 May 2018 14:14:42 -0700 (PDT) X-Google-Smtp-Source: AB8JxZoSOtI2BybtpyE1z09Z/+h3Ie0IA9UxT5TtiDrCCubuyNrI9lbW+eIZ3B8mk527X/ujo2mg X-Received: by 2002:a17:902:1e2:: with SMTP id b89-v6mr22088496plb.279.1526937281807; Mon, 21 May 2018 14:14:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526937281; cv=none; d=google.com; s=arc-20160816; b=XzXWBkvUfQ1stBv+13jYj93zmNqHBsWQrIZ4LHr7+0xM8sOtBwEmUambHKyHuye9RK RVyYXUGHcEUBKI9tiNtSYQ3Gbn2LY86j/6yWhNGH5RaoHZsrqxOMtqaTG3cxpuyUG/7V WNXyqdT5T+CLgRR+j0WGouNkXs2P+wuLpoE6WSc6GugSBMVLgfrH+LWyd+GX/GJcCjeZ H2rgw7iJq9ZI2P8ixJ2dZmtiCK0s504j8xGNHDyWKFOVJqmUGBBQkUfXL5Q5gag4Z2MP jEL7A7gwcwTcH7os2J4jgrpEZ8DPQH1jPDO+YCfRa8cnRjn6SfjFlUXFcP2gRTkZGMUm 55UA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:user-agent:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=eqbDwS/kAI6f7Euas/NrTHUqGboGg8peX0ZmzSTSwWo=; b=uJKLm3oRovwPUuzsCFXBeVLvdJW9uXt2s/9gbiMlZ/2Z89PHq2yTsotxS+nDNnb5R7 7letQuMiBWjoIs0A3XIyf1fy2KrgWZuRNE0fMNSiKu3MMZwDhqi3CekjMjH6iYbX8mhN uudbUJVzPz/zl0yUtxFLYecrb7YNQn9j8+4dNpqyUGQ68eVXqfJC5IsOh7LolyymjAAC BhERQ6QX7xt9N2Vua9SacKyOk6phJaEB8zPFk5NaJWHLERdtTomB2ukIADpKSEiSpVBd Mxys5oszd96znvxIBBjBZ/F5VkrNX48bD+AEv171djKHIVot7p610yDqsmcBpCe6BdUI dHZw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ff/YTRip; spf=pass (google.com: domain of srs0=nia/=ii=linuxfoundation.org=gregkh@kernel.org designates 198.145.29.99 as permitted sender) smtp.mailfrom=SRS0=nia/=II=linuxfoundation.org=gregkh@kernel.org Received: from mail.kernel.org (mail.kernel.org. [198.145.29.99]) by mx.google.com with ESMTPS id l24-v6si4656255pgo.303.2018.05.21.14.14.41 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 21 May 2018 14:14:41 -0700 (PDT) Received-SPF: pass (google.com: domain of srs0=nia/=ii=linuxfoundation.org=gregkh@kernel.org designates 198.145.29.99 as permitted sender) client-ip=198.145.29.99; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ff/YTRip; spf=pass (google.com: domain of srs0=nia/=ii=linuxfoundation.org=gregkh@kernel.org designates 198.145.29.99 as permitted sender) smtp.mailfrom=SRS0=nia/=II=linuxfoundation.org=gregkh@kernel.org Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C470A20870; Mon, 21 May 2018 21:14:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1526937281; bh=eplTznfPMC4e3fOatiCH1cX0IolVCLuyMJB3/ssLaAA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=ff/YTRipXDcb9oimE2oz9o7CRnFlInEHEldomJ5yAELjfbmeHxsIc+ucsIWMxt/Kq QJiedta7HulfRjQtFkMG0sO84DQOlKPmqnmIiA6F92YjBESsCafRGxHwZewdH2AkXl 4fTcRKxzIj1KDyAb0Hvo4gbrT1rRtkux/+92F6JQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Dave Hansen , Dave Hansen , Linus Torvalds , Michael Ellermen , Peter Zijlstra , Ram Pai , Shuah Khan , Thomas Gleixner , linux-mm@kvack.org, Ingo Molnar , Andrew Morton Subject: [PATCH 4.9 25/87] x86/pkeys: Do not special case protection key 0 Date: Mon, 21 May 2018 23:11:01 +0200 Message-Id: <20180521210422.659351219@linuxfoundation.org> X-Mailer: git-send-email 2.17.0 In-Reply-To: <20180521210420.222671977@linuxfoundation.org> References: <20180521210420.222671977@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: X-Virus-Scanned: ClamAV using ClamSMTP 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Dave Hansen commit 2fa9d1cfaf0e02f8abef0757002bff12dfcfa4e6 upstream. mm_pkey_is_allocated() treats pkey 0 as unallocated. That is inconsistent with the manpages, and also inconsistent with mm->context.pkey_allocation_map. Stop special casing it and only disallow values that are actually bad (< 0). The end-user visible effect of this is that you can now use mprotect_pkey() to set pkey=0. This is a bit nicer than what Ram proposed[1] because it is simpler and removes special-casing for pkey 0. On the other hand, it does allow applications to pkey_free() pkey-0, but that's just a silly thing to do, so we are not going to protect against it. The scenario that could happen is similar to what happens if you free any other pkey that is in use: it might get reallocated later and used to protect some other data. The most likely scenario is that pkey-0 comes back from pkey_alloc(), an access-disable or write-disable bit is set in PKRU for it, and the next stack access will SIGSEGV. It's not horribly different from if you mprotect()'d your stack or heap to be unreadable or unwritable, which is generally very foolish, but also not explicitly prevented by the kernel. 1. http://lkml.kernel.org/r/1522112702-27853-1-git-send-email-linuxram@us.ibm.com Signed-off-by: Dave Hansen Cc: Andrew Morton p Cc: Dave Hansen Cc: Linus Torvalds Cc: Michael Ellermen Cc: Peter Zijlstra Cc: Ram Pai Cc: Shuah Khan Cc: Thomas Gleixner Cc: linux-mm@kvack.org Cc: stable@vger.kernel.org Fixes: 58ab9a088dda ("x86/pkeys: Check against max pkey to avoid overflows") Link: http://lkml.kernel.org/r/20180509171358.47FD785E@viggo.jf.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman --- arch/x86/include/asm/mmu_context.h | 2 +- arch/x86/include/asm/pkeys.h | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) --- a/arch/x86/include/asm/mmu_context.h +++ b/arch/x86/include/asm/mmu_context.h @@ -113,7 +113,7 @@ static inline int init_new_context(struc #ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS if (cpu_feature_enabled(X86_FEATURE_OSPKE)) { - /* pkey 0 is the default and always allocated */ + /* pkey 0 is the default and allocated implicitly */ mm->context.pkey_allocation_map = 0x1; /* -1 means unallocated or invalid */ mm->context.execute_only_pkey = -1; --- a/arch/x86/include/asm/pkeys.h +++ b/arch/x86/include/asm/pkeys.h @@ -50,10 +50,10 @@ bool mm_pkey_is_allocated(struct mm_stru { /* * "Allocated" pkeys are those that have been returned - * from pkey_alloc(). pkey 0 is special, and never - * returned from pkey_alloc(). + * from pkey_alloc() or pkey 0 which is allocated + * implicitly when the mm is created. */ - if (pkey <= 0) + if (pkey < 0) return false; if (pkey >= arch_max_pkey()) return false;