Subject: Re: [patch 05/16] mm: Allow special mappings with user access cleared
To: Linus Torvalds, Peter Zijlstra
Cc: "Kirill A. Shutemov", Andy Lutomirski, Thomas Gleixner, LKML, X86 ML, Borislav Petkov, Greg KH, Kees Cook, Hugh Dickins, Brian Gerst, Josh Poimboeuf, Denys Vlasenko, Boris Ostrovsky, Juergen Gross, David Laight, Eduardo Valentin, "Liguori, Anthony", Will Deacon, "linux-mm@kvack.org", "Kirill A. Shutemov", "Aneesh Kumar K. V"
From: Dave Hansen
Date: Wed, 13 Dec 2017 10:21:06 -0800

On 12/13/2017 10:08 AM, Linus Torvalds wrote:
> On Wed, Dec 13, 2017 at 7:54 AM, Peter Zijlstra wrote:
>> Which is why get_user_pages() _should_ enforce this.
>>
>> What use are protection keys if you can trivially circumvent them?
> No, we will *not* worry about protection keys in get_user_pages().

We did introduce some support for it here:

> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=33a709b25a760b91184bb335cf7d7c32b8123013

> They are not "security". They are a debug aid and safety against
> random mis-use.

Totally agree. It's not about security. As I mentioned in the commit, the goal here was to try to make pkey-protected access behavior consistent with mprotect(). I still think this was nice to do and probably surprises users less than if we didn't have it.

> We already allow access to PROT_NONE for gdb and friends, very much on purpose.

Yup, exactly, and that's one of the reasons that I tried to call those out as "remote" access that are specifically not subject to protection keys.
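
An added example, not part of the message above or of the kernel tree: the quoted point that PROT_NONE is deliberately readable by "gdb and friends", shown with `/proc/self/mem` standing in for a debugger-style access path. It assumes Linux with /proc mounted and a kernel that has not restricted forced `/proc/<pid>/mem` access; the function names and the sample string are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

static const char SAMPLE[] = "constructed-sample"; /* constructed data */

/* Map a page, fill it with SAMPLE, then revoke all access (PROT_NONE). */
static char *make_prot_none_page(void)
{
    char *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    memcpy(p, SAMPLE, sizeof(SAMPLE));
    return mprotect(p, 4096, PROT_NONE) == 0 ? p : NULL;
}

/* Direct load in a forked child: 1 if it died with SIGSEGV, -1 on error. */
static int direct_read_faults(const volatile char *p)
{
    int status = 0;
    pid_t pid = fork();
    if (pid == 0)
        _exit(p[0]);            /* not reached when the load faults */
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV;
}

/* Read the same address through /proc/self/mem; bytes read or -1. */
static ssize_t proc_mem_read(const char *p, char *out, size_t len)
{
    int fd = open("/proc/self/mem", O_RDONLY);
    ssize_t n = fd < 0 ? -1 : pread(fd, out, len, (off_t)(unsigned long)p);
    if (fd >= 0)
        close(fd);
    return n;
}

int main(void)
{
    char buf[sizeof(SAMPLE)] = {0}, *p = make_prot_none_page();
    /* Exit 0 when the direct load faults yet the /proc read succeeds. */
    return !(p && direct_read_faults(p) == 1 &&
             proc_mem_read(p, buf, sizeof(buf)) == (ssize_t)sizeof(SAMPLE));
}
```

The takeaway for a design review is the one stated in the thread: page protections guard against accidental access by ordinary loads and stores, so anything that must stay confidential from code holding ptrace-level access needs a different boundary.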