Received: by 2002:a05:6358:489b:b0:bb:da1:e618 with SMTP id x27csp2100071rwn; Fri, 9 Sep 2022 08:31:28 -0700 (PDT) X-Google-Smtp-Source: AA6agR7PoMAk8Imy20r6K5Nag4q6Zt1eO5imw6akmmNgNalhbB2otfjn8IDb0izPAXJn+q1V5p6Y X-Received: by 2002:a50:baa1:0:b0:43e:5e95:3eda with SMTP id x30-20020a50baa1000000b0043e5e953edamr12140380ede.340.1662737488186; Fri, 09 Sep 2022 08:31:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1662737488; cv=none; d=google.com; s=arc-20160816; b=08lqLvq9RnxydeEa/T9rL9iH0PMovWRqmpCsmNlDKSisWYO7Vtn5mwE0rToGX1wO5q uHsL+wQqVdaBQMmflQOw63yg9m2icvuG0J48jA/4S+9gZ9nIR3zL5S/EnXHRVbbGH4bb XEkd36w4zp0G+fhn44hTfx10TYTK9IIWjirErjkeP9lbPgQ02tcErYUCLdE8NqQhJ3K5 ib0QeDfWrKNhECIXuHbItVe47fJU2IHdb1xDH2KBwBrmRiFeZIu36iWURIIA9bo6LngS pVIB3i7XvDZx79Y33gzaeO7FNYe9HEwcYOKjYulhieE75Ld+p/hIaWLEcY1NFqTPFoca BUMQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=pkkVHpxNti+LsS3RaFIJvYPZ50QQRqshmqnZyXM7B3w=; b=aL2wpeZknwHezCxt5k2FkiLayOrHPRtBqq724EAHTJA4h/hjilk5rytCaLg3zk1Vtw uFcQMqCaaDE1dLmExIhUww3IQGstAscEguyTVwq/7pfjNF0m0FVxIqr/hNn10SkN1m3A SbkNZ37FdfaC3+o0bbzgmUCo1rk+UdLpXRFHic2ycr4M2I4C0WSWnRQD50s3VdGIMGmM y4bVl3GYP+ABv9Hn0uc/nixUx93uco5wiEnSc12DVtvIdo8hlg+C0mXNBHO5wYf2/FQs +HAW5jz10pykRmmOJr6XtIFNRJb/ezhXrWrvHKulf20fEbjNLV29vN1h3IX5nxskLMBU y80w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@rivosinc-com.20210112.gappssmtp.com header.s=20210112 header.b=6ol+C+uU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id hz5-20020a1709072ce500b00774afdfb3f2si699273ejc.495.2022.09.09.08.31.00; Fri, 09 Sep 2022 08:31:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@rivosinc-com.20210112.gappssmtp.com header.s=20210112 header.b=6ol+C+uU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232157AbiIIPQy (ORCPT + 99 others); Fri, 9 Sep 2022 11:16:54 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35868 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230372AbiIIPQx (ORCPT ); Fri, 9 Sep 2022 11:16:53 -0400 Received: from mail-pg1-x52b.google.com (mail-pg1-x52b.google.com [IPv6:2607:f8b0:4864:20::52b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 92E6313BC41 for ; Fri, 9 Sep 2022 08:16:51 -0700 (PDT) Received: by mail-pg1-x52b.google.com with SMTP id s206so1869863pgs.3 for ; Fri, 09 Sep 2022 08:16:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rivosinc-com.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=pkkVHpxNti+LsS3RaFIJvYPZ50QQRqshmqnZyXM7B3w=; b=6ol+C+uUDiV63QxAnyAd+FdZy3jMWxRuxeIc7GvOQ1jyxLQw+/rRNPhQeUcjI0dsSh EZPZzZkrB6l3ZWBTUpMvgIoF1YKWQ639NuucTNTS1p2Wre/1OlD+bhmYJ0YYt8PDtGcS TH3F7N0o2E3DlnYd38f6XbuuPlVjfyNWoEid7zeSU7b6Rk2r2r84wOA1Mzylbkk+U2px m3V8XWG6+zA9jyni1v/sSFtvFOVDi8ZEVBRFJTEd+WhV2q4jp1b2cn4DxB3UQ+CajZRK 6xl5I93Gp1vTaKbsM5aCwU6g+Aqa08DYT82e2P1xn1fLyqg3oeFHWW6HzqBfMmRFd2O7 KYZQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=pkkVHpxNti+LsS3RaFIJvYPZ50QQRqshmqnZyXM7B3w=; b=7SSiW/ayoUhSVEiV1n7NXbODz/+9g715BVAgFfTpaED0mnq0TdqNthLvtDakIMTdCu neylojZ5aJ1WNxTWGsUlpbE7yWqD9R9geH1g/Qjxa9f7K1BLe55hF+kq7M5ApM1eaJ/w 1+xIVHlv3CUqWAU9Yjal0inXW/CsLUYXCycjEgEXrfxT6oaEjlQLbFHroqBDpzwe0Utf WJMo8auGznegK4GF7zjvnvX3INdkWdoGN5BA3FW4bgisKAjCkJmyylK/aGpaSSIL46lZ J5mCZUgjvAgkDRTZBxjhqkswmUBSnhZ+/6LtXs3Ik+a7KUsjfr1i38Jkw7FZXS0M5f6y 7nDw== X-Gm-Message-State: ACgBeo1aaVNU96zxjZF0YOvM8LuQc6HJ/4/26E+m8eRQ0bSGdCoSp+Hs N9xax4lWlCQX7SdcKrziUIQMDPXbJDfsVLJDwgK2ag== X-Received: by 2002:a63:8a4a:0:b0:434:c99c:6fd4 with SMTP id y71-20020a638a4a000000b00434c99c6fd4mr12302087pgd.24.1662736611033; Fri, 09 Sep 2022 08:16:51 -0700 (PDT) MIME-Version: 1.0 References: <20220908170133.1159747-1-abrestic@rivosinc.com> <20220908185006.1212126-1-abrestic@rivosinc.com> <2f5059f6-b024-1ee8-b961-5aa0b4e4c116@gmail.com> In-Reply-To: From: Andrew Bresticker Date: Fri, 9 Sep 2022 11:16:40 -0400 Message-ID: Subject: Re: [PATCH v2] riscv: Make mmap() with PROT_WRITE imply PROT_READ To: Coelacanthus Cc: Palmer Dabbelt , Paul Walmsley , Atish Patra , dram , Ruizhe Pan , linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Sep 9, 2022 at 7:42 AM Coelacanthus wrote: > > On 2022/9/9 11:01, Celeste Liu wrote: > > On 2022/9/9 02:50, Andrew Bresticker wrote: > >> Commit 2139619bcad7 ("riscv: mmap with PROT_WRITE but no PROT_READ is > >> invalid") made mmap() return EINVAL if PROT_WRITE was set wihtout > >> PROT_READ with the justification that a write-only PTE is considered a > >> reserved PTE permission bit pattern in the privileged spec. This check > >> is unnecessary since RISC-V defines its protection_map such that PROT_WRITE > >> maps to the same PTE permissions as PROT_WRITE|PROT_READ, and it is > >> inconsistent with other architectures that don't support write-only PTEs, > >> creating a potential software portability issue. Just remove the check > >> altogether and let PROT_WRITE imply PROT_READ as is the case on other > >> architectures. > >> > >> Note that this also allows PROT_WRITE|PROT_EXEC mappings which were > >> disallowed prior to the aforementioned commit; PROT_READ is implied in > >> such mappings as well. > >> > >> Fixes: 2139619bcad7 ("riscv: mmap with PROT_WRITE but no PROT_READ is invalid") > >> Signed-off-by: Andrew Bresticker > >> --- > >> v1 -> v2: Update access_error() to account for write-implies-read > >> --- > >> arch/riscv/kernel/sys_riscv.c | 3 --- > >> arch/riscv/mm/fault.c | 3 ++- > >> 2 files changed, 2 insertions(+), 4 deletions(-) > >> > >> diff --git a/arch/riscv/kernel/sys_riscv.c b/arch/riscv/kernel/sys_riscv.c > >> index 571556bb9261..5d3f2fbeb33c 100644 > >> --- a/arch/riscv/kernel/sys_riscv.c > >> +++ b/arch/riscv/kernel/sys_riscv.c > >> @@ -18,9 +18,6 @@ static long riscv_sys_mmap(unsigned long addr, unsigned long len, > >> if (unlikely(offset & (~PAGE_MASK >> page_shift_offset))) > >> return -EINVAL; > >> > >> - if (unlikely((prot & PROT_WRITE) && !(prot & PROT_READ))) > >> - return -EINVAL; > >> - > >> return ksys_mmap_pgoff(addr, len, prot, flags, fd, > >> offset >> (PAGE_SHIFT - page_shift_offset)); > >> } > >> diff --git a/arch/riscv/mm/fault.c b/arch/riscv/mm/fault.c > >> index f2fbd1400b7c..d86f7cebd4a7 100644 > >> --- a/arch/riscv/mm/fault.c > >> +++ b/arch/riscv/mm/fault.c > >> @@ -184,7 +184,8 @@ static inline bool access_error(unsigned long cause, struct vm_area_struct *vma) > >> } > >> break; > >> case EXC_LOAD_PAGE_FAULT: > >> - if (!(vma->vm_flags & VM_READ)) { > >> + /* Write implies read */ > >> + if (!(vma->vm_flags & (VM_READ | VM_WRITE))) { > >> return true; > >> } > >> break; > > > > Hi, this did solve the problem and achieved consistency between > > architectures, but I have a question. > > > > Such a change specifies behavior for a state that should not exist, > > and if, in the future, RISC-V spec specifies a different behavior > > for that state (I mean, RVI itself has a history of not caring about > > downstream, like Zicsr and Zifencei), it will create inconsistencies, > > which is bad. > > > > If we reject the "write but not read" state, the user gets the most direct > > response: the state is not allowed so that they do not and cannot rely > > on the behavior of the state. This will bring better time consistency > > to the application if the spec specifies the behavior in the future. > > But it lost architecture consistency. > > > > How do you think this situation should be handled properly? > > > > Yours, > > Celeste Liu > > Oops! > > I found a mistake in my previous understanding: PTE permission!=vma permission. > So your modification makes sense, no matter how we handle the mapping of input > permissions to PTEs, as long as we don't use the reserved permission combinations, > the behavior is reasonable and also independent of the architecture's definition > of PTEs. > > But I think this mapping relationship should be well documented. If we have > such a mapping behavior in all architectures, then we should change this line in > the mmap documentation > On some hardware architectures (e.g., i386), PROT_WRITE implies PROT_READ. > to apply all architectures. According to my read about code, all the vm_get_page_prot > will do the protection_map mapping to have this feature. I think leaving the PROT_WRITE-implies-PROT_READ as being specified as architecture-dependent is reasonable, but of course portable programs shouldn't rely on this behavior. There are CPUs out there that support write-only mappings -- MIPS with RI/XI comes to mind and indeed mmap(PROT_WRITE) on such CPUs results in write-only mappings. -Andrew > > Yours, > Celeste Liu