Message-Id: <4a0c6e3bb8f0c162457bf54d9bc6fd8d7b55129f.1612160907.git.christophe.leroy@csgroup.eu>
From: Christophe Leroy
Subject: [PATCH] powerpc/603: Fix protection of user pages mapped with PROT_NONE
To: Benjamin Herrenschmidt, Paul Mackerras, Michael Ellerman, Christoph Plattner
Cc: linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org
Date: Mon, 1 Feb 2021 06:29:50 +0000 (UTC)

On book3s/32, page protection is defined by the PP bits in the PTE
which provide the following protection depending on the access
keys defined in the matching segment register:
- PP 00 means RW with key 0 and N/A with key 1.
- PP 01 means RW with key 0 and RO with key 1.
- PP 10 means RW with both key 0 and key 1.
- PP 11 means RO with both key 0 and key 1.

Since the implementation of kernel userspace access protection,
PP bits have been set as follows:
- PP00 for pages without _PAGE_USER
- PP01 for pages with _PAGE_USER and _PAGE_RW
- PP11 for pages with _PAGE_USER and without _PAGE_RW

For kernelspace segments, kernel accesses are performed with key 0
and user accesses are performed with key 1. As PP00 is used for
non _PAGE_USER pages, user can't access kernel pages not flagged
_PAGE_USER while kernel can.

For userspace segments, both kernel and user accesses are performed
with key 0, therefore pages not flagged _PAGE_USER are still
accessible to the user.

This shouldn't be an issue, because userspace is expected to be
accessible to the user. But unlike most other architectures, powerpc
implements PROT_NONE protection by removing the _PAGE_USER flag instead of
flagging the page as not valid. This means that pages in userspace
that are not flagged _PAGE_USER shall remain inaccessible.

To get the expected behaviour, just mimic other architectures in the
TLB miss handler by checking _PAGE_USER permission on userspace
accesses as if it was the _PAGE_PRESENT bit.

Note that this problem is only for 603 cores. The 604+ have
a hash table, and the hash_page() function already implements the
verification of _PAGE_USER permission on userspace pages.

Reported-by: Christoph Plattner
Fixes: f342adca3afc ("powerpc/32s: Prepare Kernel Userspace Access Protection")
Cc: stable@vger.kernel.org
Signed-off-by: Christophe Leroy
--- arch/powerpc/kernel/head_book3s_32.S | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/arch/powerpc/kernel/head_book3s_32.S b/arch/powerpc/kernel/head_book3s_32.S index 858fbc8b19f3..0004e8a6a58e 100644 --- a/arch/powerpc/kernel/head_book3s_32.S +++ b/arch/powerpc/kernel/head_book3s_32.S @@ -453,11 +453,12 @@ InstructionTLBMiss: cmplw 0,r1,r3 #endif mfspr r2, SPRN_SDR1 - li r1,_PAGE_PRESENT | _PAGE_ACCESSED | _PAGE_EXEC + li r1,_PAGE_PRESENT | _PAGE_ACCESSED | _PAGE_EXEC | _PAGE_USER rlwinm r2, r2, 28, 0xfffff000 #ifdef CONFIG_MODULES bgt- 112f lis r2, (swapper_pg_dir - PAGE_OFFSET)@ha /* if kernel address, use */ + li r1,_PAGE_PRESENT | _PAGE_ACCESSED | _PAGE_EXEC addi r2, r2, (swapper_pg_dir - PAGE_OFFSET)@l /* kernel page table */ #endif 112: rlwimi r2,r3,12,20,29 /* insert top 10 bits of address */ @@ -516,10 +517,11 @@ DataLoadTLBMiss: lis r1, TASK_SIZE@h /* check if kernel address */ cmplw 0,r1,r3 mfspr r2, SPRN_SDR1 - li r1, _PAGE_PRESENT | _PAGE_ACCESSED + li r1, _PAGE_PRESENT | _PAGE_ACCESSED | _PAGE_USER rlwinm r2, r2, 28, 0xfffff000 bgt- 112f lis r2, (swapper_pg_dir - PAGE_OFFSET)@ha /* if kernel address, use */ + li r1, _PAGE_PRESENT | _PAGE_ACCESSED addi r2, r2, (swapper_pg_dir - PAGE_OFFSET)@l /* kernel page table */ 112: rlwimi r2,r3,12,20,29 /* insert top 10 bits of address */ lwz r2,0(r2) /* get pmd entry */ 
@@ -593,10 +595,11 @@ DataStoreTLBMiss: lis r1, TASK_SIZE@h /* check if kernel address */ cmplw 0,r1,r3 mfspr r2, SPRN_SDR1 - li r1, _PAGE_RW | _PAGE_DIRTY | _PAGE_PRESENT | _PAGE_ACCESSED + li r1, _PAGE_RW | _PAGE_DIRTY | _PAGE_PRESENT | _PAGE_ACCESSED | _PAGE_USER rlwinm r2, r2, 28, 0xfffff000 bgt- 112f lis r2, (swapper_pg_dir - PAGE_OFFSET)@ha /* if kernel address, use */ + li r1, _PAGE_RW | _PAGE_DIRTY | _PAGE_PRESENT | _PAGE_ACCESSED addi r2, r2, (swapper_pg_dir - PAGE_OFFSET)@l /* kernel page table */ 112: rlwimi r2,r3,12,20,29 /* insert top 10 bits of address */ lwz r2,0(r2) /* get pmd entry */ -- 2.25.0
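
Review bot: In the InstructionTLBMiss hunk, the kernel-side reload of r1 without _PAGE_USER is added inside the #ifdef CONFIG_MODULES block, so with modules disabled the mask always requires _PAGE_USER. That is only correct if no kernel address can reach this handler in that configuration; please state that assumption in a comment next to the first "li r1,_PAGE_PRESENT | _PAGE_ACCESSED | _PAGE_EXEC | _PAGE_USER" so a later change to kernel text mapping does not silently turn every kernel instruction miss into a fault.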
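
Review bot: In the DataLoadTLBMiss hunk, the new "li r1, _PAGE_PRESENT | _PAGE_ACCESSED" lands between the lis/addi pair that builds the swapper_pg_dir address, which also splits the two-line comment "if kernel address, use" / "kernel page table". Functionally this is fine since r1 is independent of r2 and CR0 was already set by cmplw, but placing the reload after the addi (or giving it its own short comment) would keep the @ha/@l pair and its comment readable. The same applies to the other two handlers.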
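
Review bot: In the DataStoreTLBMiss hunk, neither of the two "li r1, _PAGE_RW | _PAGE_DIRTY | _PAGE_PRESENT | _PAGE_ACCESSED ..." lines says why the user mask carries _PAGE_USER and the kernel mask does not. The PROT_NONE rationale lives only in the commit message; a one-line comment on the user-side mask (for example that _PAGE_USER is treated like _PAGE_PRESENT for userspace addresses) would keep someone from "simplifying" the duplicated constant back into a single load.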
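
The failure mode described in the commit message, modelled in C as an added example (not part of the patch or of the kernel source). The flag values, the function names and the "all required bits set" test in `user_load()` are assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative flag values for this model only (not the kernel's definitions). */
enum { F_PRESENT = 1, F_USER = 2, F_RW = 4, F_ACCESSED = 8 };

enum access { ACC_NONE, ACC_RO, ACC_RW };

/* PP bits + segment key -> access, per the table in the commit message. */
static enum access pp_access(unsigned pp, unsigned key)
{
    switch (pp) {
    case 0:  return key ? ACC_NONE : ACC_RW;
    case 1:  return key ? ACC_RO : ACC_RW;
    case 2:  return ACC_RW;
    default: return ACC_RO;
    }
}

/* PP assignment used since kernel userspace access protection. */
static unsigned pte_to_pp(unsigned pte)
{
    if (!(pte & F_USER))
        return 0;
    return (pte & F_RW) ? 1 : 3;
}

/*
 * Model of a data load TLB miss taken from user mode on a userspace address
 * (userspace segment: key 0 for both kernel and user). Assumption: the handler
 * loads a TLB entry only if every bit in 'required' is set in the PTE.
 * check_user selects the patched mask (with F_USER) or the original one.
 */
static enum access user_load(unsigned pte, bool check_user)
{
    unsigned required = F_PRESENT | F_ACCESSED | (check_user ? F_USER : 0);

    if ((pte & required) != required)
        return ACC_NONE;                /* fault, no TLB entry loaded */
    return pp_access(pte_to_pp(pte), 0);
}

int main(void)
{
    unsigned prot_none = F_PRESENT | F_ACCESSED;    /* _PAGE_USER removed */

    printf("PROT_NONE, original mask: %d\n", user_load(prot_none, false));
    printf("PROT_NONE, patched mask:  %d\n", user_load(prot_none, true));
    return 0;
}
```
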