Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp2960023imm;
        Tue, 4 Sep 2018 12:51:52 -0700 (PDT)
X-Google-Smtp-Source: ANB0VdaHV9Vt2owDK6nisOuKRrJVp5b+HZlabSApCLozKMqZdMtno8tWUqo636d5Qzj5e+RCKl9B
X-Received: by 2002:a65:4d42:: with SMTP id j2-v6mr32193024pgt.232.1536090712063;
        Tue, 04 Sep 2018 12:51:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1536090712; cv=none;
        d=google.com; s=arc-20160816;
        b=AOSN9zBZkYsvIq9/P6a+vjMuuunT3KUo7t7Z3ERhID68j+eUbGaT9ktC7gk63RG+k0
         ZTAA27eNh4uiraI8ianenggI8V9qdibTLomxA9U4ebaxYZjwvGHDFftUWOUzQw109Uyq
         lL5BKsdNRz46S74D0jWWLaEuok1B40QYIXg6O2iigyBrfQjJnHag7n+wPMA8L/A06EoG
         jjLtw76F6PxJPSphcidCpWrT3gL83Th3/wtBLC6aBCZ0KVa0YvE6qJjJrRM+LcDLNaa4
         CfqZ8I9u+9SQmhkN6m5k2iXxP4c6M63YZwgUK/Mc6Ijlz29qDpiNhyJE7hkMLmkV1fhi
         AzEA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=vAzLOJOkTcOgds47S2CIlXaF2pwPJFSO4Q36R5Fe4e8=;
        b=UvX6Ah5Unm3wGtTEp8yP0KtRm69zyHZ1yQKY/c0COZ5dn7WlqC8xoOpGRId8zE0AWb
         AYVbefLaUDgxCz9rOuUhuKbqS8c4Fl5hRv6tqmOQH8acafxty4OvyaQTKYKN3AfBQslY
         bVG3rHr436U6+k5ZYlQHFkXMejD+47jkCUKaj7Tw6UUFi1L1dT+KrSvMnK1321gqXZqH
         9hDEmvgin9bAMmtY3z6UMYOeu9yFZxBvD16vfmNaj8vjr/50DUaACSehFJ2sav0WZKeQ
         5LVVTJ60xBwFUeVJvgU2B4NekTVtn/eUtk9n9setcnY/UPoUhfepI6nVwK8Prl7HxgUT
         QQeA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m3-v6si21794158pld.90.2018.09.04.12.51.36;
        Tue, 04 Sep 2018 12:51:52 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728035AbeIEARI (ORCPT <rfc822;zzmahb@gmail.com> + 99 others);
        Tue, 4 Sep 2018 20:17:08 -0400
Received: from mga07.intel.com ([134.134.136.100]:63929 "EHLO mga07.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726749AbeIEARH (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 4 Sep 2018 20:17:07 -0400
X-Amp-Result: UNSCANNABLE
X-Amp-File-Uploaded: False
Received: from fmsmga005.fm.intel.com ([10.253.24.32])
  by orsmga105.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 04 Sep 2018 12:50:30 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.53,330,1531810800"; 
   d="scan'208";a="259816882"
Received: from sjchrist-coffee.jf.intel.com (HELO linux.intel.com) ([10.54.74.20])
  by fmsmga005.fm.intel.com with ESMTP; 04 Sep 2018 12:50:30 -0700
Date:   Tue, 4 Sep 2018 12:50:30 -0700
From:   Sean Christopherson <sean.j.christopherson@intel.com>
To:     linux-kernel@vger.kernel.org
Cc:     Dave Hansen <dave.hansen@intel.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ingo Molnar <mingo@redhat.com>,
        "H. Peter Anvin" <hpa@zytor.com>, x86@kernel.org,
        Andy Lutomirski <luto@kernel.org>, Jann Horn <jannh@google.com>
Subject: Re: [PATCH] x86/pkeys: Explicitly treat PK #PF on kernel address as
 a bad area
Message-ID: <20180904195030.GA6269@linux.intel.com>
References: <20180807172920.8766-1-sean.j.christopherson@intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180807172920.8766-1-sean.j.christopherson@intel.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Cc-ing Jann and Andy.

On Tue, Aug 07, 2018 at 10:29:20AM -0700, Sean Christopherson wrote:
> Kernel addresses are always mapped with _PAGE_USER=0, i.e. PKRU
> isn't enforced, and so we should never see X86_PF_PK set on a
> kernel address fault.  WARN once to capture the issue in case we
> somehow don't die, e.g. the access originated in userspace.
> 
> Remove a similar check and its comment from spurious_fault_check().
> The intent of the comment (and later code[1]) was simply to document
> that spurious faults due to protection keys should be impossible, but
> that's irrelevant and a bit of a red herring since we should never
> get a protection keys fault on a kernel address regardless of the
> kernel's TLB flushing behavior.
> 
> [1] http://lists-archives.com/linux-kernel/28407455-x86-pkeys-new-page-fault-error-code-bit-pf_pk.html
> 
> Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> Cc: Dave Hansen <dave.hansen@intel.com>
> ---
> There's no indication that this condition has ever been encountered.
> I came across the code in spurious_fault_check() and was confused as
> to why we would unconditionally treat a protection keys fault as
> spurious when the comment explicitly stated that such a case should
> be impossible.
> 
> Dave Hansen suggested adding a WARN_ON_ONCE in spurious_fault_check(),
> but it seemed more appropriate to freak out on any protection keys
> fault on a kernel address since that would imply a hardware issue or
> kernel bug.  I omitted a Suggested-by since this isn't necessarily
> what Dave had in mind.
> 
>  arch/x86/mm/fault.c | 16 ++++++++++------
>  1 file changed, 10 insertions(+), 6 deletions(-)
> 
> diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
> index 2aafa6ab6103..f19a55972136 100644
> --- a/arch/x86/mm/fault.c
> +++ b/arch/x86/mm/fault.c
> @@ -1040,12 +1040,6 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte)
>  
>  	if ((error_code & X86_PF_INSTR) && !pte_exec(*pte))
>  		return 0;
> -	/*
> -	 * Note: We do not do lazy flushing on protection key
> -	 * changes, so no spurious fault will ever set X86_PF_PK.
> -	 */
> -	if ((error_code & X86_PF_PK))
> -		return 1;
>  
>  	return 1;
>  }
> @@ -1241,6 +1235,14 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
>  	 * protection error (error_code & 9) == 0.
>  	 */
>  	if (unlikely(fault_in_kernel_space(address))) {
> +		/*
> +		 * We should never encounter a protection keys fault on a
> +		 * kernel address as kernel address are always mapped with
> +		 * _PAGE_USER=0, i.e. PKRU isn't enforced.
> +		 */
> +		if (WARN_ON_ONCE(error_code & X86_PF_PK))
> +			goto bad_kernel_address;
> +
>  		if (!(error_code & (X86_PF_RSVD | X86_PF_USER | X86_PF_PROT))) {
>  			if (vmalloc_fault(address) >= 0)
>  				return;
> @@ -1253,6 +1255,8 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
>  		/* kprobes don't want to hook the spurious faults: */
>  		if (kprobes_fault(regs))
>  			return;
> +
> +bad_kernel_address:
>  		/*
>  		 * Don't take the mm semaphore here. If we fixup a prefetch
>  		 * fault we could otherwise deadlock:
> -- 
> 2.18.0
>