Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753786AbdLMSci (ORCPT ); Wed, 13 Dec 2017 13:32:38 -0500 Received: from bombadil.infradead.org ([65.50.211.133]:41383 "EHLO bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753737AbdLMScg (ORCPT ); Wed, 13 Dec 2017 13:32:36 -0500 Date: Wed, 13 Dec 2017 19:32:09 +0100 From: Peter Zijlstra To: Linus Torvalds Cc: Dave Hansen , "Kirill A. Shutemov" , Andy Lutomirski , Thomas Gleixner , LKML , X86 ML , Borislav Petkov , Greg KH , Kees Cook , Hugh Dickins , Brian Gerst , Josh Poimboeuf , Denys Vlasenko , Boris Ostrovsky , Juergen Gross , David Laight , Eduardo Valentin , "Liguori, Anthony" , Will Deacon , "linux-mm@kvack.org" , "Kirill A. Shutemov" , "Aneesh Kumar K. V" Subject: Re: [patch 05/16] mm: Allow special mappings with user access cleared Message-ID: <20171213183209.GZ3165@worktop.lehotels.local> References: <20171212173221.496222173@linutronix.de> <20171212173333.669577588@linutronix.de> <20171213122211.bxcb7xjdwla2bqol@hirez.programming.kicks-ass.net> <20171213125739.fllckbl3o4nonmpx@node.shutemov.name> <20171213153202.qtxnloxoc66lhsbf@hirez.programming.kicks-ass.net> <20171213155427.p24i2xdh2s65e4d2@hirez.programming.kicks-ass.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.22.1 (2013-10-16) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1522 Lines: 36 On Wed, Dec 13, 2017 at 10:08:30AM -0800, Linus Torvalds wrote: > On Wed, Dec 13, 2017 at 7:54 AM, Peter Zijlstra wrote: > > > > Which is why get_user_pages() _should_ enforce this. > > > > What use are protection keys if you can trivially circumvent them? > > No, we will *not* worry about protection keys in get_user_pages(). > > They are not "security". They are a debug aid and safety against random mis-use. > > In particular, they are very much *NOT* about "trivially circumvent > them". The user could just change their mapping thing, for chrissake! > > We already allow access to PROT_NONE for gdb and friends, very much on purpose. > > We're not going to make the VM more complex for something that > absolutely nobody cares about, and has zero security issues. OK, that might have been my phrasing that was off -- mostly because I was looking at it from the VM_NOUSER angle, but currently: - gup_pte_range() has pte_access_permitted() - follow_page_pte() has pte_access_permitted() for FOLL_WRITE only All I'm saying is that that is inconsistent and we should change follow_page_pte() to use pte_access_permitted() for FOLL_GET, such that __get_user_pages_fast() and __get_user_pages() have matching semantics. Now, if VM_NOUSER were to live, the above change would ensure write(2) cannot read from such VMAs, where the existing test for FOLL_WRITE already disallows read(2) from writing to them. But even without VM_NOUSER it makes the VM more consistent than it is today.