Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp2964719imm; Tue, 4 Sep 2018 12:57:51 -0700 (PDT) X-Google-Smtp-Source: ANB0VdbizBRB1yVSNtI4x4v/70TKWxM2g75ZQ1xGofZbTTYznic6uT0dBXMKVDNKq8JJiEYD0KSs X-Received: by 2002:a65:62d8:: with SMTP id m24-v6mr18165118pgv.307.1536091071656; Tue, 04 Sep 2018 12:57:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536091071; cv=none; d=google.com; s=arc-20160816; b=OjGeeGrjOTLBtfxOPBOu2yxltRETuP3bvWFXrzM0ukeKdP4t6vqGp1NTjlzsoD/HpR muHbtufq48IGXnUbw/D6sY2hNjineNOU2HqmhicPQuBY4qEQC+0E938U4Q7BeTjlA6i6 J/zL4e1igzVjlcg9yINVwvT5Pac3pc0e0Ozi9bpe+MSpLmpqnQlReZKXe0bPYQkIojke 7DogAbyjiHj8DBPX7sGfaA/rr2uTgXzYYI4jE/qF4yP1MN2bFYlxVCyE9cKdoCkw25Vn YBuEN/6mrv0NQ5qQMt39q7rEWG7CTWm5wLL3GKeCfbZTxviOieHBjtRRHhauT3TS3LoG 5ElA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=69R/UBWP4zZxglD0sD0soKQxcj1JfTyNN/q89og7qbg=; b=IXs4SbDQAB43PpufhiXhHuWDNjBkoGlKQfG+Wgu1I7xPNZgUl887Hde0AuoDTAhFqT +3Jc3AYVFKmQX3Afone7c63//jA4iBSShoVm0nZax6UkwpPIKqkLCmUw5n7o/fT4qw4L rqUeYZYmLvLRV8iJRM1hqeQjRZrjLA51kh0L73QzmcU6BcAO0/D/lSK3MB5RFOMoVYAS wwvsNVyTZP08bf0Yrg57QIgYW8DNU7XIvab1+ld57tsSHWMkZk0G/ingBiU5Y64v51Mx 5wYyrsq+HZBq8feCgU0kDSm3neoeoLSuLJx/iPrwQgPgilMWRd8nBwuOI0VhsGKzZMjW 2auA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=pNLEKOCK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y74-v6si22047949pfg.124.2018.09.04.12.57.36; Tue, 04 Sep 2018 12:57:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=pNLEKOCK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728156AbeIEAXO (ORCPT + 99 others); Tue, 4 Sep 2018 20:23:14 -0400 Received: from mail.kernel.org ([198.145.29.99]:60156 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727688AbeIEAXN (ORCPT ); Tue, 4 Sep 2018 20:23:13 -0400 Received: from mail-wm0-f45.google.com (mail-wm0-f45.google.com [74.125.82.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 3EE8620869 for ; Tue, 4 Sep 2018 19:56:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1536090995; bh=A4epN5Ye3M/shXurfeqmxOfZ7lb3DSWp9WpeSyZBBsU=; h=In-Reply-To:References:From:Date:Subject:To:Cc:From; b=pNLEKOCKThxHecZu69Ty34gZVzQJQpHcc8hRumpl8NkeQcxORuDU2Ewy1fRG+1AAy 4LLvBx+lX2AvOK3s8kwCqdSBceoKd+9dxeYqGxM3nksB1w52udSgMQexg4jlmHV2v0 6YS/iW8JagdUFuhgkjggVjw9zaWRYOVrsfBp2AbI= Received: by mail-wm0-f45.google.com with SMTP id r1-v6so10003433wmh.0 for ; Tue, 04 Sep 2018 12:56:35 -0700 (PDT) X-Gm-Message-State: APzg51DTxnDwVe2nVx5jGuxwdHqHSkmLJs+Ljo/1nUuIOdJJg/aOaUbM ZlQFRlJ0m/uJPeyM86cdElArEm71ifQY8RMl76krbQ== X-Received: by 2002:a1c:d1c3:: with SMTP id i186-v6mr9369265wmg.5.1536090993667; Tue, 04 Sep 2018 12:56:33 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a1c:b156:0:0:0:0:0 with HTTP; Tue, 4 Sep 2018 12:56:13 -0700 (PDT) In-Reply-To: <20180904195030.GA6269@linux.intel.com> References: <20180807172920.8766-1-sean.j.christopherson@intel.com> <20180904195030.GA6269@linux.intel.com> From: Andy Lutomirski Date: Tue, 4 Sep 2018 12:56:13 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH] x86/pkeys: Explicitly treat PK #PF on kernel address as a bad area To: Sean Christopherson Cc: LKML , Dave Hansen , Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , X86 ML , Andy Lutomirski , Jann Horn Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Sep 4, 2018 at 12:50 PM, Sean Christopherson wrote: > Cc-ing Jann and Andy. > > On Tue, Aug 07, 2018 at 10:29:20AM -0700, Sean Christopherson wrote: >> Kernel addresses are always mapped with _PAGE_USER=0, i.e. PKRU >> isn't enforced, and so we should never see X86_PF_PK set on a >> kernel address fault. WARN once to capture the issue in case we >> somehow don't die, e.g. the access originated in userspace. >> >> Remove a similar check and its comment from spurious_fault_check(). >> The intent of the comment (and later code[1]) was simply to document >> that spurious faults due to protection keys should be impossible, but >> that's irrelevant and a bit of a red herring since we should never >> get a protection keys fault on a kernel address regardless of the >> kernel's TLB flushing behavior. >> >> [1] http://lists-archives.com/linux-kernel/28407455-x86-pkeys-new-page-fault-error-code-bit-pf_pk.html >> >> Signed-off-by: Sean Christopherson >> Cc: Dave Hansen >> --- >> There's no indication that this condition has ever been encountered. >> I came across the code in spurious_fault_check() and was confused as >> to why we would unconditionally treat a protection keys fault as >> spurious when the comment explicitly stated that such a case should >> be impossible. >> >> Dave Hansen suggested adding a WARN_ON_ONCE in spurious_fault_check(), >> but it seemed more appropriate to freak out on any protection keys >> fault on a kernel address since that would imply a hardware issue or >> kernel bug. I omitted a Suggested-by since this isn't necessarily >> what Dave had in mind. >> >> arch/x86/mm/fault.c | 16 ++++++++++------ >> 1 file changed, 10 insertions(+), 6 deletions(-) >> >> diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c >> index 2aafa6ab6103..f19a55972136 100644 >> --- a/arch/x86/mm/fault.c >> +++ b/arch/x86/mm/fault.c >> @@ -1040,12 +1040,6 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte) >> >> if ((error_code & X86_PF_INSTR) && !pte_exec(*pte)) >> return 0; >> - /* >> - * Note: We do not do lazy flushing on protection key >> - * changes, so no spurious fault will ever set X86_PF_PK. >> - */ >> - if ((error_code & X86_PF_PK)) >> - return 1; >> >> return 1; >> } >> @@ -1241,6 +1235,14 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code, >> * protection error (error_code & 9) == 0. >> */ >> if (unlikely(fault_in_kernel_space(address))) { >> + /* >> + * We should never encounter a protection keys fault on a >> + * kernel address as kernel address are always mapped with >> + * _PAGE_USER=0, i.e. PKRU isn't enforced. >> + */ >> + if (WARN_ON_ONCE(error_code & X86_PF_PK)) >> + goto bad_kernel_address; >> + >> if (!(error_code & (X86_PF_RSVD | X86_PF_USER | X86_PF_PROT))) { >> if (vmalloc_fault(address) >= 0) >> return; >> @@ -1253,6 +1255,8 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code, >> /* kprobes don't want to hook the spurious faults: */ >> if (kprobes_fault(regs)) >> return; >> + >> +bad_kernel_address: >> /* >> * Don't take the mm semaphore here. If we fixup a prefetch >> * fault we could otherwise deadlock: I have no objection to this patch. Dave, why did you think that we could get a PK fault on the vsyscall page, even on kernels that still marked it executable? Sure, you could get an instruction in the vsyscall page to get a PK fault, but CR2 wouldn't point to the vsyscall page, right? >> -- >> 2.18.0 >>