From: Catalin Marinas <catalin.marinas@arm.com>
To: Jann Horn <jannh@google.com>
Cc: linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org,
Christoph Hellwig <hch@infradead.org>,
linux-mm@kvack.org, Khalid Aziz <khalid.aziz@oracle.com>,
Paul Mackerras <paulus@samba.org>,
sparclinux@vger.kernel.org,
Anthony Yznaga <anthony.yznaga@oracle.com>,
Andrew Morton <akpm@linux-foundation.org>,
Will Deacon <will@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH 1/2] mm/mprotect: Call arch_validate_prot under mmap_lock and with length
Date: Thu, 8 Oct 2020 11:12:10 +0100 [thread overview]
Message-ID: <20201008101209.GD7661@gaia> (raw)
In-Reply-To: <20201007073932.865218-1-jannh@google.com>
On Wed, Oct 07, 2020 at 09:39:31AM +0200, Jann Horn wrote:
> arch_validate_prot() is a hook that can validate whether a given set of
> protection flags is valid in an mprotect() operation. It is given the set
> of protection flags and the address being modified.
>
> However, the address being modified can currently not actually be used in
> a meaningful way because:
>
> 1. Only the address is given, but not the length, and the operation can
> span multiple VMAs. Therefore, the callee can't actually tell which
> virtual address range, or which VMAs, are being targeted.
> 2. The mmap_lock is not held, meaning that if the callee were to check
> the VMA at @addr, that VMA would be unrelated to the one the
> operation is performed on.
>
> Currently, custom arch_validate_prot() handlers are defined by
> arm64, powerpc and sparc.
> arm64 and powerpc don't care about the address range, they just check the
> flags against CPU support masks.
> sparc's arch_validate_prot() attempts to look at the VMA, but doesn't take
> the mmap_lock.
>
> Change the function signature to also take a length, and move the
> arch_validate_prot() call in mm/mprotect.c down into the locked region.
For arm64 mte, I noticed the arch_validate_prot() issue with multiple
vmas and addressed this in a different way:
https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/commit/?h=for-next/mte&id=c462ac288f2c97e0c1d9ff6a65955317e799f958
https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/commit/?h=for-next/mte&id=0042090548740921951f31fc0c20dcdb96638cb0
Both patches queued for 5.10.
Basically, arch_calc_vm_prot_bits() returns a VM_MTE if PROT_MTE has
been requested. The newly introduced arch_validate_flags() will check
the VM_MTE flag against what the system supports and this covers both
mmap() and mprotect(). Note that arch_validate_prot() only handles the
latter and I don't think it's sufficient for SPARC ADI. For arm64 MTE we
definitely wanted mmap() flags to be validated.
In addition, there's a new arch_calc_vm_flag_bits() which allows us to
set a VM_MTE_ALLOWED on a vma if the conditions are right (MAP_ANONYMOUS
or shmem_mmap():
https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/commit/?h=for-next/mte&id=b3fbbea4c00220f62e6f7e2514466e6ee81f7f60
--
Catalin
WARNING: multiple messages have this Message-ID (diff)
From: Catalin Marinas <catalin.marinas@arm.com>
To: Jann Horn <jannh@google.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>,
linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org,
Christoph Hellwig <hch@infradead.org>,
linux-mm@kvack.org, Khalid Aziz <khalid.aziz@oracle.com>,
Paul Mackerras <paulus@samba.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
sparclinux@vger.kernel.org,
Anthony Yznaga <anthony.yznaga@oracle.com>,
Andrew Morton <akpm@linux-foundation.org>,
Will Deacon <will@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH 1/2] mm/mprotect: Call arch_validate_prot under mmap_lock and with length
Date: Thu, 08 Oct 2020 10:12:10 +0000 [thread overview]
Message-ID: <20201008101209.GD7661@gaia> (raw)
In-Reply-To: <20201007073932.865218-1-jannh@google.com>
On Wed, Oct 07, 2020 at 09:39:31AM +0200, Jann Horn wrote:
> arch_validate_prot() is a hook that can validate whether a given set of
> protection flags is valid in an mprotect() operation. It is given the set
> of protection flags and the address being modified.
>
> However, the address being modified can currently not actually be used in
> a meaningful way because:
>
> 1. Only the address is given, but not the length, and the operation can
> span multiple VMAs. Therefore, the callee can't actually tell which
> virtual address range, or which VMAs, are being targeted.
> 2. The mmap_lock is not held, meaning that if the callee were to check
> the VMA at @addr, that VMA would be unrelated to the one the
> operation is performed on.
>
> Currently, custom arch_validate_prot() handlers are defined by
> arm64, powerpc and sparc.
> arm64 and powerpc don't care about the address range, they just check the
> flags against CPU support masks.
> sparc's arch_validate_prot() attempts to look at the VMA, but doesn't take
> the mmap_lock.
>
> Change the function signature to also take a length, and move the
> arch_validate_prot() call in mm/mprotect.c down into the locked region.
For arm64 mte, I noticed the arch_validate_prot() issue with multiple
vmas and addressed this in a different way:
https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/commit/?h=for-next/mte&idÄ62ac288f2c97e0c1d9ff6a65955317e799f958
https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/commit/?h=for-next/mte&id\042090548740921951f31fc0c20dcdb96638cb0
Both patches queued for 5.10.
Basically, arch_calc_vm_prot_bits() returns a VM_MTE if PROT_MTE has
been requested. The newly introduced arch_validate_flags() will check
the VM_MTE flag against what the system supports and this covers both
mmap() and mprotect(). Note that arch_validate_prot() only handles the
latter and I don't think it's sufficient for SPARC ADI. For arm64 MTE we
definitely wanted mmap() flags to be validated.
In addition, there's a new arch_calc_vm_flag_bits() which allows us to
set a VM_MTE_ALLOWED on a vma if the conditions are right (MAP_ANONYMOUS
or shmem_mmap():
https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/commit/?h=for-next/mte&id³fbbea4c00220f62e6f7e2514466e6ee81f7f60
--
Catalin
WARNING: multiple messages have this Message-ID (diff)
From: Catalin Marinas <catalin.marinas@arm.com>
To: Jann Horn <jannh@google.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>,
linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org,
Christoph Hellwig <hch@infradead.org>,
linux-mm@kvack.org, Khalid Aziz <khalid.aziz@oracle.com>,
Paul Mackerras <paulus@samba.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
sparclinux@vger.kernel.org,
Anthony Yznaga <anthony.yznaga@oracle.com>,
Andrew Morton <akpm@linux-foundation.org>,
Will Deacon <will@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH 1/2] mm/mprotect: Call arch_validate_prot under mmap_lock and with length
Date: Thu, 8 Oct 2020 11:12:10 +0100 [thread overview]
Message-ID: <20201008101209.GD7661@gaia> (raw)
In-Reply-To: <20201007073932.865218-1-jannh@google.com>
On Wed, Oct 07, 2020 at 09:39:31AM +0200, Jann Horn wrote:
> arch_validate_prot() is a hook that can validate whether a given set of
> protection flags is valid in an mprotect() operation. It is given the set
> of protection flags and the address being modified.
>
> However, the address being modified can currently not actually be used in
> a meaningful way because:
>
> 1. Only the address is given, but not the length, and the operation can
> span multiple VMAs. Therefore, the callee can't actually tell which
> virtual address range, or which VMAs, are being targeted.
> 2. The mmap_lock is not held, meaning that if the callee were to check
> the VMA at @addr, that VMA would be unrelated to the one the
> operation is performed on.
>
> Currently, custom arch_validate_prot() handlers are defined by
> arm64, powerpc and sparc.
> arm64 and powerpc don't care about the address range, they just check the
> flags against CPU support masks.
> sparc's arch_validate_prot() attempts to look at the VMA, but doesn't take
> the mmap_lock.
>
> Change the function signature to also take a length, and move the
> arch_validate_prot() call in mm/mprotect.c down into the locked region.
For arm64 mte, I noticed the arch_validate_prot() issue with multiple
vmas and addressed this in a different way:
https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/commit/?h=for-next/mte&id=c462ac288f2c97e0c1d9ff6a65955317e799f958
https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/commit/?h=for-next/mte&id=0042090548740921951f31fc0c20dcdb96638cb0
Both patches queued for 5.10.
Basically, arch_calc_vm_prot_bits() returns a VM_MTE if PROT_MTE has
been requested. The newly introduced arch_validate_flags() will check
the VM_MTE flag against what the system supports and this covers both
mmap() and mprotect(). Note that arch_validate_prot() only handles the
latter and I don't think it's sufficient for SPARC ADI. For arm64 MTE we
definitely wanted mmap() flags to be validated.
In addition, there's a new arch_calc_vm_flag_bits() which allows us to
set a VM_MTE_ALLOWED on a vma if the conditions are right (MAP_ANONYMOUS
or shmem_mmap():
https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/commit/?h=for-next/mte&id=b3fbbea4c00220f62e6f7e2514466e6ee81f7f60
--
Catalin
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: Catalin Marinas <catalin.marinas@arm.com>
To: Jann Horn <jannh@google.com>
Cc: "David S. Miller" <davem@davemloft.net>,
sparclinux@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
linux-mm@kvack.org, linux-kernel@vger.kernel.org,
Khalid Aziz <khalid.aziz@oracle.com>,
Christoph Hellwig <hch@infradead.org>,
Anthony Yznaga <anthony.yznaga@oracle.com>,
Will Deacon <will@kernel.org>,
linux-arm-kernel@lists.infradead.org,
Michael Ellerman <mpe@ellerman.id.au>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
linuxppc-dev@lists.ozlabs.org
Subject: Re: [PATCH 1/2] mm/mprotect: Call arch_validate_prot under mmap_lock and with length
Date: Thu, 8 Oct 2020 11:12:10 +0100 [thread overview]
Message-ID: <20201008101209.GD7661@gaia> (raw)
In-Reply-To: <20201007073932.865218-1-jannh@google.com>
On Wed, Oct 07, 2020 at 09:39:31AM +0200, Jann Horn wrote:
> arch_validate_prot() is a hook that can validate whether a given set of
> protection flags is valid in an mprotect() operation. It is given the set
> of protection flags and the address being modified.
>
> However, the address being modified can currently not actually be used in
> a meaningful way because:
>
> 1. Only the address is given, but not the length, and the operation can
> span multiple VMAs. Therefore, the callee can't actually tell which
> virtual address range, or which VMAs, are being targeted.
> 2. The mmap_lock is not held, meaning that if the callee were to check
> the VMA at @addr, that VMA would be unrelated to the one the
> operation is performed on.
>
> Currently, custom arch_validate_prot() handlers are defined by
> arm64, powerpc and sparc.
> arm64 and powerpc don't care about the address range, they just check the
> flags against CPU support masks.
> sparc's arch_validate_prot() attempts to look at the VMA, but doesn't take
> the mmap_lock.
>
> Change the function signature to also take a length, and move the
> arch_validate_prot() call in mm/mprotect.c down into the locked region.
For arm64 mte, I noticed the arch_validate_prot() issue with multiple
vmas and addressed this in a different way:
https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/commit/?h=for-next/mte&id=c462ac288f2c97e0c1d9ff6a65955317e799f958
https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/commit/?h=for-next/mte&id=0042090548740921951f31fc0c20dcdb96638cb0
Both patches queued for 5.10.
Basically, arch_calc_vm_prot_bits() returns a VM_MTE if PROT_MTE has
been requested. The newly introduced arch_validate_flags() will check
the VM_MTE flag against what the system supports and this covers both
mmap() and mprotect(). Note that arch_validate_prot() only handles the
latter and I don't think it's sufficient for SPARC ADI. For arm64 MTE we
definitely wanted mmap() flags to be validated.
In addition, there's a new arch_calc_vm_flag_bits() which allows us to
set a VM_MTE_ALLOWED on a vma if the conditions are right (MAP_ANONYMOUS
or shmem_mmap():
https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git/commit/?h=for-next/mte&id=b3fbbea4c00220f62e6f7e2514466e6ee81f7f60
--
Catalin
next prev parent reply other threads:[~2020-10-08 10:14 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-07 7:39 [PATCH 1/2] mm/mprotect: Call arch_validate_prot under mmap_lock and with length Jann Horn
2020-10-07 7:39 ` Jann Horn
2020-10-07 7:39 ` Jann Horn
2020-10-07 7:39 ` Jann Horn
2020-10-07 7:39 ` [PATCH 2/2] sparc: Check VMA range in sparc_validate_prot() Jann Horn
2020-10-07 7:39 ` Jann Horn
2020-10-07 7:39 ` Jann Horn
2020-10-07 7:39 ` Jann Horn
2020-10-07 12:36 ` Christoph Hellwig
2020-10-07 12:36 ` Christoph Hellwig
2020-10-07 12:36 ` Christoph Hellwig
2020-10-07 12:36 ` Christoph Hellwig
2020-10-07 20:15 ` Khalid Aziz
2020-10-07 20:15 ` Khalid Aziz
2020-10-07 20:15 ` Khalid Aziz
2020-10-07 20:15 ` Khalid Aziz
2020-10-07 12:35 ` [PATCH 1/2] mm/mprotect: Call arch_validate_prot under mmap_lock and with length Christoph Hellwig
2020-10-07 12:35 ` Christoph Hellwig
2020-10-07 12:35 ` Christoph Hellwig
2020-10-07 12:35 ` Christoph Hellwig
2020-10-07 14:42 ` Jann Horn
2020-10-07 14:42 ` Jann Horn
2020-10-07 14:42 ` Jann Horn
2020-10-07 14:42 ` Jann Horn
2020-10-08 6:21 ` Christoph Hellwig
2020-10-08 6:21 ` Christoph Hellwig
2020-10-08 6:21 ` Christoph Hellwig
2020-10-08 6:21 ` Christoph Hellwig
2020-10-08 10:34 ` Michael Ellerman
2020-10-08 10:34 ` Michael Ellerman
2020-10-08 10:34 ` Michael Ellerman
2020-10-08 10:34 ` Michael Ellerman
2020-10-08 11:03 ` Catalin Marinas
2020-10-08 11:03 ` Catalin Marinas
2020-10-08 11:03 ` Catalin Marinas
2020-10-08 11:03 ` Catalin Marinas
2020-10-07 20:14 ` Khalid Aziz
2020-10-07 20:14 ` Khalid Aziz
2020-10-07 20:14 ` Khalid Aziz
2020-10-07 20:14 ` Khalid Aziz
2020-10-10 11:09 ` Catalin Marinas
2020-10-10 11:09 ` Catalin Marinas
2020-10-10 11:09 ` Catalin Marinas
2020-10-10 11:09 ` Catalin Marinas
2020-10-12 17:03 ` Khalid Aziz
2020-10-12 17:03 ` Khalid Aziz
2020-10-12 17:03 ` Khalid Aziz
2020-10-12 17:03 ` Khalid Aziz
2020-10-12 17:22 ` Catalin Marinas
2020-10-12 17:22 ` Catalin Marinas
2020-10-12 17:22 ` Catalin Marinas
2020-10-12 17:22 ` Catalin Marinas
2020-10-12 19:14 ` Khalid Aziz
2020-10-12 19:14 ` Khalid Aziz
2020-10-12 19:14 ` Khalid Aziz
2020-10-12 19:14 ` Khalid Aziz
2020-10-13 9:16 ` Catalin Marinas
2020-10-13 9:16 ` Catalin Marinas
2020-10-13 9:16 ` Catalin Marinas
2020-10-13 9:16 ` Catalin Marinas
2020-10-14 21:21 ` Khalid Aziz
2020-10-14 21:21 ` Khalid Aziz
2020-10-14 21:21 ` Khalid Aziz
2020-10-14 21:21 ` Khalid Aziz
2020-10-14 22:29 ` Jann Horn
2020-10-14 22:29 ` Jann Horn
2020-10-14 22:29 ` Jann Horn
2020-10-14 22:29 ` Jann Horn
2020-10-15 9:05 ` Catalin Marinas
2020-10-15 9:05 ` Catalin Marinas
2020-10-15 9:05 ` Catalin Marinas
2020-10-15 9:05 ` Catalin Marinas
2020-10-15 14:53 ` Khalid Aziz
2020-10-15 14:53 ` Khalid Aziz
2020-10-15 14:53 ` Khalid Aziz
2020-10-15 14:53 ` Khalid Aziz
2020-10-08 10:12 ` Catalin Marinas [this message]
2020-10-08 10:12 ` Catalin Marinas
2020-10-08 10:12 ` Catalin Marinas
2020-10-08 10:12 ` Catalin Marinas
-- strict thread matches above, loose matches on Subject: below --
2020-10-07 10:08 kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201008101209.GD7661@gaia \
--to=catalin.marinas@arm.com \
--cc=akpm@linux-foundation.org \
--cc=anthony.yznaga@oracle.com \
--cc=davem@davemloft.net \
--cc=hch@infradead.org \
--cc=jannh@google.com \
--cc=khalid.aziz@oracle.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=paulus@samba.org \
--cc=sparclinux@vger.kernel.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.