From: Matthew Wilcox <willy@linux.intel.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Matthew Wilcox <matthew.r.wilcox@intel.com>,
Ingo Molnar <mingo@redhat.com>, Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>
Subject: Re: [PATCH 1/3] x86: Honour passed pgprot in track_pfn_insert() and track_pfn_remap()
Date: Fri, 29 Jan 2016 09:49:09 -0500 [thread overview]
Message-ID: <20160129144909.GV2948@linux.intel.com> (raw)
In-Reply-To: <CALCETrXJacX8HB3vahu0AaarE98qkx-wW9tRYQ8nVVbHt=FgzQ@mail.gmail.com>
On Tue, Jan 26, 2016 at 09:44:24PM -0800, Andy Lutomirski wrote:
> On Tue, Jan 26, 2016 at 8:40 PM, Matthew Wilcox <willy@linux.intel.com> wrote:
> > On Mon, Jan 25, 2016 at 09:33:35AM -0800, Andy Lutomirski wrote:
> >> On Mon, Jan 25, 2016 at 9:25 AM, Matthew Wilcox
> >> <matthew.r.wilcox@intel.com> wrote:
> >> > From: Matthew Wilcox <willy@linux.intel.com>
> >> >
> >> > track_pfn_insert() overwrites the pgprot that is passed in with a value
> >> > based on the VMA's page_prot. This is a problem for people trying to
> >> > do clever things with the new vm_insert_pfn_prot() as it will simply
> >> > overwrite the passed protection flags. If we use the current value of
> >> > the pgprot as the base, then it will behave as people are expecting.
> >> >
> >> > Also fix track_pfn_remap() in the same way.
> >>
> >> Well that's embarrassing. Presumably it worked for me because I only
> >> overrode the cacheability bits and lookup_memtype did the right thing.
> >>
> >> But shouldn't the PAT code change the memtype if vm_insert_pfn_prot
> >> requests it? Or are there no callers that actually need that? (HPET
> >> doesn't, because there's a plain old ioremapped mapping.)
> >
> > I'm confused. Here's what I understand:
> >
> > - on x86, the bits in pgprot can be considered as two sets of bits;
> > the 'cacheability bits' -- those in _PAGE_CACHE_MASK and the
> > 'protection bits' -- PRESENT, RW, USER, ACCESSED, NX
> > - The purpose of track_pfn_insert() is to ensure that the cacheability bits
> > are the same on all mappings of a given page, as strongly advised by the
> > Intel manuals [1]. So track_pfn_insert() is really only supposed to
> > modify _PAGE_CACHE_MASK of the passed pgprot, but in fact it ends up
> > modifying the protection bits as well, due to the bug.
> >
> > I don't think you overrode the cacheability bits at all. It looks to
> > me like your patch ends up mapping the HPET into userspace writable.
>
> I sure hope not. If vm_page_prot was writable, something was already
> broken, because this is the vvar mapping, and the vvar mapping is
> VM_READ (and not even VM_MAYREAD).
I do beg yor pardon. I thought you were inserting a readonly page
into the middle of a writable mapping. Instead you're inserting a
non-executable page into the middle of a VM_READ | VM_EXEC mapping.
Sorry for the confusion. I should have written:
"like your patch ends up mapping the HPET into userspace executable"
which is far less exciting.
> > I don't think the vm_insert_pfn_prot() call gets to change the memtype.
> > For one, that page may already be mapped into a differet userspace using
> > the pre-existing memtype, and [1] continues to bite you. Then there
> > may be outstanding kernel users of the page that's being mapped in.
>
> So why was remap_pfn_range different? I'm sure there was a reason.
Yeah, doesn't make sense to me either.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
WARNING: multiple messages have this Message-ID (diff)
From: Matthew Wilcox <willy@linux.intel.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Matthew Wilcox <matthew.r.wilcox@intel.com>,
Ingo Molnar <mingo@redhat.com>, Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"linux-mm@kvack.org" <linux-mm@kvack.org>
Subject: Re: [PATCH 1/3] x86: Honour passed pgprot in track_pfn_insert() and track_pfn_remap()
Date: Fri, 29 Jan 2016 09:49:09 -0500 [thread overview]
Message-ID: <20160129144909.GV2948@linux.intel.com> (raw)
In-Reply-To: <CALCETrXJacX8HB3vahu0AaarE98qkx-wW9tRYQ8nVVbHt=FgzQ@mail.gmail.com>
On Tue, Jan 26, 2016 at 09:44:24PM -0800, Andy Lutomirski wrote:
> On Tue, Jan 26, 2016 at 8:40 PM, Matthew Wilcox <willy@linux.intel.com> wrote:
> > On Mon, Jan 25, 2016 at 09:33:35AM -0800, Andy Lutomirski wrote:
> >> On Mon, Jan 25, 2016 at 9:25 AM, Matthew Wilcox
> >> <matthew.r.wilcox@intel.com> wrote:
> >> > From: Matthew Wilcox <willy@linux.intel.com>
> >> >
> >> > track_pfn_insert() overwrites the pgprot that is passed in with a value
> >> > based on the VMA's page_prot. This is a problem for people trying to
> >> > do clever things with the new vm_insert_pfn_prot() as it will simply
> >> > overwrite the passed protection flags. If we use the current value of
> >> > the pgprot as the base, then it will behave as people are expecting.
> >> >
> >> > Also fix track_pfn_remap() in the same way.
> >>
> >> Well that's embarrassing. Presumably it worked for me because I only
> >> overrode the cacheability bits and lookup_memtype did the right thing.
> >>
> >> But shouldn't the PAT code change the memtype if vm_insert_pfn_prot
> >> requests it? Or are there no callers that actually need that? (HPET
> >> doesn't, because there's a plain old ioremapped mapping.)
> >
> > I'm confused. Here's what I understand:
> >
> > - on x86, the bits in pgprot can be considered as two sets of bits;
> > the 'cacheability bits' -- those in _PAGE_CACHE_MASK and the
> > 'protection bits' -- PRESENT, RW, USER, ACCESSED, NX
> > - The purpose of track_pfn_insert() is to ensure that the cacheability bits
> > are the same on all mappings of a given page, as strongly advised by the
> > Intel manuals [1]. So track_pfn_insert() is really only supposed to
> > modify _PAGE_CACHE_MASK of the passed pgprot, but in fact it ends up
> > modifying the protection bits as well, due to the bug.
> >
> > I don't think you overrode the cacheability bits at all. It looks to
> > me like your patch ends up mapping the HPET into userspace writable.
>
> I sure hope not. If vm_page_prot was writable, something was already
> broken, because this is the vvar mapping, and the vvar mapping is
> VM_READ (and not even VM_MAYREAD).
I do beg yor pardon. I thought you were inserting a readonly page
into the middle of a writable mapping. Instead you're inserting a
non-executable page into the middle of a VM_READ | VM_EXEC mapping.
Sorry for the confusion. I should have written:
"like your patch ends up mapping the HPET into userspace executable"
which is far less exciting.
> > I don't think the vm_insert_pfn_prot() call gets to change the memtype.
> > For one, that page may already be mapped into a differet userspace using
> > the pre-existing memtype, and [1] continues to bite you. Then there
> > may be outstanding kernel users of the page that's being mapped in.
>
> So why was remap_pfn_range different? I'm sure there was a reason.
Yeah, doesn't make sense to me either.
next prev parent reply other threads:[~2016-01-29 14:49 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-25 17:25 [PATCH 0/3] Fixes for vm_insert_pfn_prot() Matthew Wilcox
2016-01-25 17:25 ` Matthew Wilcox
2016-01-25 17:25 ` [PATCH 1/3] x86: Honour passed pgprot in track_pfn_insert() and track_pfn_remap() Matthew Wilcox
2016-01-25 17:25 ` Matthew Wilcox
2016-01-25 17:33 ` Andy Lutomirski
2016-01-25 17:33 ` Andy Lutomirski
2016-01-25 17:46 ` Andy Lutomirski
2016-01-25 17:46 ` Andy Lutomirski
2016-01-27 4:40 ` Matthew Wilcox
2016-01-27 4:40 ` Matthew Wilcox
2016-01-27 5:44 ` Andy Lutomirski
2016-01-27 5:44 ` Andy Lutomirski
2016-01-29 14:49 ` Matthew Wilcox [this message]
2016-01-29 14:49 ` Matthew Wilcox
2016-01-29 22:19 ` Andy Lutomirski
2016-01-29 22:19 ` Andy Lutomirski
2016-02-09 14:24 ` Ingo Molnar
2016-02-09 14:24 ` Ingo Molnar
2016-02-10 3:06 ` Andy Lutomirski
2016-02-10 3:06 ` Andy Lutomirski
2016-02-09 16:09 ` [tip:x86/asm] x86/mm: " tip-bot for Matthew Wilcox
2016-01-25 17:25 ` [PATCH 2/3] mm: Convert vm_insert_pfn_prot to vmf_insert_pfn_prot Matthew Wilcox
2016-01-25 17:25 ` Matthew Wilcox
2016-01-25 17:35 ` Andy Lutomirski
2016-01-25 17:35 ` Andy Lutomirski
2016-01-27 4:18 ` Matthew Wilcox
2016-01-27 4:18 ` Matthew Wilcox
2016-01-25 17:25 ` [PATCH 3/3] dax: Handle write faults more efficiently Matthew Wilcox
2016-01-25 17:25 ` Matthew Wilcox
2016-01-25 17:38 ` Andy Lutomirski
2016-01-25 17:38 ` Andy Lutomirski
2016-01-27 4:17 ` Matthew Wilcox
2016-01-27 4:17 ` Matthew Wilcox
2016-01-27 5:22 ` Andy Lutomirski
2016-01-27 5:22 ` Andy Lutomirski
2016-01-27 6:01 ` Andy Lutomirski
2016-01-27 6:01 ` Andy Lutomirski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160129144909.GV2948@linux.intel.com \
--to=willy@linux.intel.com \
--cc=akpm@linux-foundation.org \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@amacapital.net \
--cc=matthew.r.wilcox@intel.com \
--cc=mingo@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.