From patchwork Mon May 21 06:42:35 2018
X-Patchwork-Submitter: Greg Kroah-Hartman
X-Patchwork-Id: 10414031
Subject: Patch "x86/pkeys: Do not special case protection key 0" has been added to the 4.9-stable tree
To: 1522112702-27853-1-git-send-email-linuxram@us.ibm.com, 20180509171358.47FD785E@viggo.jf.intel.com, akpm@linux-foundation.org, dave.hansen@intel.com, dave.hansen@linux.intel.com, gregkh@linuxfoundation.org, linux-mm@kvack.org, linuxram@us.ibm.com, mingo@kernel.org, mpe@ellerman.id.au, peterz@infradead.org, shuah@kernel.org, tglx@linutronix.de, torvalds@linux-foundation.org
Date: Mon, 21 May 2018 08:42:35 +0200
Message-ID: <1526884955235104@kroah.com>

This is a note to let you know that I've just added the patch titled

    x86/pkeys: Do not special case protection key 0

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    x86-pkeys-do-not-special-case-protection-key-0.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let know about it.

From 2fa9d1cfaf0e02f8abef0757002bff12dfcfa4e6 Mon Sep 17 00:00:00 2001
From: Dave Hansen
Date: Wed, 9 May 2018 10:13:58 -0700
Subject: x86/pkeys: Do not special case protection key 0

From: Dave Hansen

commit 2fa9d1cfaf0e02f8abef0757002bff12dfcfa4e6 upstream.

mm_pkey_is_allocated() treats pkey 0 as unallocated. That is inconsistent with the manpages, and also inconsistent with mm->context.pkey_allocation_map. Stop special casing it and only disallow values that are actually bad (< 0).

The end-user visible effect of this is that you can now use mprotect_pkey() to set pkey=0.

This is a bit nicer than what Ram proposed[1] because it is simpler and removes special-casing for pkey 0. On the other hand, it does allow applications to pkey_free() pkey-0, but that's just a silly thing to do, so we are not going to protect against it.

The scenario that could happen is similar to what happens if you free any other pkey that is in use: it might get reallocated later and used to protect some other data. The most likely scenario is that pkey-0 comes back from pkey_alloc(), an access-disable or write-disable bit is set in PKRU for it, and the next stack access will SIGSEGV. It's not horribly different from if you mprotect()'d your stack or heap to be unreadable or unwritable, which is generally very foolish, but also not explicitly prevented by the kernel.

1. http://lkml.kernel.org/r/1522112702-27853-1-git-send-email-linuxram@us.ibm.com

Signed-off-by: Dave Hansen
Cc: Andrew Morton p
Cc: Dave Hansen
Cc: Linus Torvalds
Cc: Michael Ellermen
Cc: Peter Zijlstra
Cc: Ram Pai
Cc: Shuah Khan
Cc: Thomas Gleixner
Cc: linux-mm@kvack.org
Cc: stable@vger.kernel.org
Fixes: 58ab9a088dda ("x86/pkeys: Check against max pkey to avoid overflows")
Link: http://lkml.kernel.org/r/20180509171358.47FD785E@viggo.jf.intel.com
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman --- arch/x86/include/asm/mmu_context.h | 2 +- arch/x86/include/asm/pkeys.h | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) Patches currently in stable-queue which might be from dave.hansen@linux.intel.com are queue-4.9/x86-pkeys-override-pkey-when-moving-away-from-prot_exec.patch queue-4.9/x86-pkeys-do-not-special-case-protection-key-0.patch --- a/arch/x86/include/asm/mmu_context.h +++ b/arch/x86/include/asm/mmu_context.h @@ -113,7 +113,7 @@ static inline int init_new_context(struc #ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS if (cpu_feature_enabled(X86_FEATURE_OSPKE)) { - /* pkey 0 is the default and always allocated */ + /* pkey 0 is the default and allocated implicitly */ mm->context.pkey_allocation_map = 0x1; /* -1 means unallocated or invalid */ mm->context.execute_only_pkey = -1; --- a/arch/x86/include/asm/pkeys.h +++ b/arch/x86/include/asm/pkeys.h @@ -50,10 +50,10 @@ bool mm_pkey_is_allocated(struct mm_stru { /* * "Allocated" pkeys are those that have been returned - * from pkey_alloc(). pkey 0 is special, and never - * returned from pkey_alloc(). + * from pkey_alloc() or pkey 0 which is allocated + * implicitly when the mm is created. */ - if (pkey <= 0) + if (pkey < 0) return false; if (pkey >= arch_max_pkey()) return false;
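
Review bot: In the init_new_context() hunk of arch/x86/include/asm/mmu_context.h, the new comment "pkey 0 is the default and allocated implicitly" still reads as if bit 0 of pkey_allocation_map stays set for the life of the mm, while the commit message says pkey_free() on pkey 0 is now permitted and the key may later come back from pkey_alloc(). Consider wording the comment so it says that 0x1 is only the initial state of the map, for example "pkey 0 is the default and starts out allocated; userspace may free it".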
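
Review bot: In the mm_pkey_is_allocated() hunk of arch/x86/include/asm/pkeys.h, relaxing "if (pkey <= 0)" to "if (pkey < 0)" changes what userspace can do with pkey 0, yet the diffstat lists only the two headers and no test. A selftest that applies pkey 0 through the pkey mprotect call, and one that frees pkey 0 and checks that a later pkey_alloc() can return it, would pin down the behaviour the commit message describes. The rewritten comment could also say that pkey 0 stops counting as allocated once it has been freed.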
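
The scenario the commit message describes (pkey 0 freed, then handed back by the next pkey_alloc()) as a user-space model, added here as an illustration and not taken from the kernel or from this patch. The model_* names, struct mm_model and MAX_PKEY = 16 are assumptions made for the example; old_check selects between the pre-patch and patched comparison.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_PKEY 16  /* assumption: stands in for arch_max_pkey() */

/* Constructed stand-in for mm->context.pkey_allocation_map. */
struct mm_model { unsigned int map; };

/* old_check=true models "pkey <= 0", false models the patched "pkey < 0". */
static bool model_is_allocated(const struct mm_model *mm, int pkey, bool old_check)
{
    if (old_check ? pkey <= 0 : pkey < 0)
        return false;
    if (pkey >= MAX_PKEY)
        return false;
    return (mm->map & (1U << pkey)) != 0;
}

/* Hand out the lowest clear bit, or -1 when all keys are taken. */
static int model_pkey_alloc(struct mm_model *mm)
{
    for (int k = 0; k < MAX_PKEY; k++)
        if (!(mm->map & (1U << k))) {
            mm->map |= 1U << k;
            return k;
        }
    return -1;
}

/* Freeing is refused (-1) for keys the check reports as unallocated. */
static int model_pkey_free(struct mm_model *mm, int pkey, bool old_check)
{
    if (!model_is_allocated(mm, pkey, old_check))
        return -1;
    mm->map &= ~(1U << pkey);
    return 0;
}

/* Try to free pkey 0 on a fresh mm, then report what the next alloc returns. */
static int next_alloc_after_free_zero(bool old_check)
{
    struct mm_model mm = { .map = 0x1 };  /* pkey 0 allocated implicitly */
    model_pkey_free(&mm, 0, old_check);
    return model_pkey_alloc(&mm);
}

int main(void)
{
    printf("old check: next pkey_alloc -> %d\n", next_alloc_after_free_zero(true));
    printf("new check: next pkey_alloc -> %d\n", next_alloc_after_free_zero(false));
    return 0;
}
```

With the patched check the second call returns 0, which is the case where a caller that then sets access-disable or write-disable for its "new" key ends up restricting memory still tagged with the default key.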