Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S932693AbcCCQxg (ORCPT <rfc822;w@1wt.eu>);
	Thu, 3 Mar 2016 11:53:36 -0500
Received: from torg.zytor.com ([198.137.202.12]:48350 "EHLO terminus.zytor.com"
	rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
	id S1753865AbcCCQxe (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Thu, 3 Mar 2016 11:53:34 -0500
Date: Thu, 3 Mar 2016 08:52:48 -0800
From: tip-bot for Dave Hansen <tipbot@zytor.com>
Message-ID: <tip-e21555436f196c241503c7c6240272e57783235c@git.kernel.org>
Cc: mingo@kernel.org, dave@sr71.net, linux-kernel@vger.kernel.org,
        torvalds@linux-foundation.org, hpa@zytor.com, tglx@linutronix.de,
        kirill.shutemov@linux.intel.com, dave.hansen@linux.intel.com,
        peterz@infradead.org, kirill@shutemov.name
Reply-To: dave.hansen@linux.intel.com, kirill@shutemov.name,
        peterz@infradead.org, mingo@kernel.org, dave@sr71.net,
        linux-kernel@vger.kernel.org, torvalds@linux-foundation.org,
        hpa@zytor.com, tglx@linutronix.de, kirill.shutemov@linux.intel.com
In-Reply-To: <20160301194133.65D0110C@viggo.jf.intel.com>
References: <20160301194133.65D0110C@viggo.jf.intel.com>
To: linux-tip-commits@vger.kernel.org
Subject: [tip:mm/pkeys] x86/mm/pkeys: Fix access_error() denial of writes to
 write-only VMA
Git-Commit-ID: e21555436f196c241503c7c6240272e57783235c
X-Mailer: tip-git-log-daemon
Robot-ID: <tip-bot.git.kernel.org>
Robot-Unsubscribe: Contact <mailto:hpa@kernel.org> to get blacklisted from
 these emails
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
Content-Disposition: inline
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 3430
Lines: 95

Commit-ID:  e21555436f196c241503c7c6240272e57783235c
Gitweb:     http://git.kernel.org/tip/e21555436f196c241503c7c6240272e57783235c
Author:     Dave Hansen <dave.hansen@linux.intel.com>
AuthorDate: Tue, 1 Mar 2016 11:41:33 -0800
Committer:  Ingo Molnar <mingo@kernel.org>
CommitDate: Thu, 3 Mar 2016 16:34:56 +0100

x86/mm/pkeys: Fix access_error() denial of writes to write-only VMA

Andrey Wagin reported that a simple test case was broken by:

	2b5f7d013fc ("mm/core, x86/mm/pkeys: Add execute-only protection keys support")

This test case creates an unreadable VMA and my patch assumed
that all writes must be to readable VMAs.

The simplest fix for this is to remove the pkey-related bits
in access_error().  For execute-only support, I believe the
existing version is sufficient because the permissions we
are trying to enforce are entirely expressed in vma->vm_flags.
We just depend on pkeys to get *an* exception, it does not
matter that PF_PK was set, or even what state PKRU is in.

I will re-add the necessary bits with the full pkeys
implementation that includes the new syscalls.

The three cases that matter are:

1. If a write to an execute-only VMA occurs, we will see PF_WRITE
   set, but !VM_WRITE on the VMA, and return 1.  All execute-only
   VMAs have VM_WRITE clear by definition.
2. If a read occurs on a present PTE, we will fall in to the "read,
   present" case and return 1.
3. If a read occurs to a non-present PTE, we will miss the "read,
   not present" case, because the execute-only VMA will have
   VM_EXEC set, and we will properly return 0 allowing the PTE to
   be populated.

Test program:

 int main()
 {
	int *p;
	p = mmap(NULL, 4096, PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	p[0] = 1;

	return 0;
 }

Reported-by: Andrey Wagin <avagin@gmail.com>,
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Dave Hansen <dave@sr71.net>
Cc: Kirill A. Shutemov <kirill@shutemov.name>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-mm@kvack.org
Cc: linux-next@vger.kernel.org
Fixes: 62b5f7d013fc ("mm/core, x86/mm/pkeys: Add execute-only protection keys support")
Link: http://lkml.kernel.org/r/20160301194133.65D0110C@viggo.jf.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
---
 arch/x86/mm/fault.c | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index 5877b92..6138db4 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -1101,24 +1101,6 @@ access_error(unsigned long error_code, struct vm_area_struct *vma)
 	/* This is only called for the current mm, so: */
 	bool foreign = false;
 	/*
-	 * Access or read was blocked by protection keys. We do
-	 * this check before any others because we do not want
-	 * to, for instance, confuse a protection-key-denied
-	 * write with one for which we should do a COW.
-	 */
-	if (error_code & PF_PK)
-		return 1;
-
-	if (!(error_code & PF_INSTR)) {
-		/*
-		 * Assume all accesses require either read or execute
-		 * permissions.  This is not an instruction access, so
-		 * it requires read permissions.
-		 */
-		if (!(vma->vm_flags & VM_READ))
-			return 1;
-	}
-	/*
 	 * Make sure to check the VMA so that we do not perform
 	 * faults just to hit a PF_PK as soon as we fill in a
 	 * page.