From: Dave Hansen <dave.hansen@linux.intel.com>
To: Florian Weimer <fweimer@redhat.com>,
Vlastimil Babka <vbabka@suse.cz>,
linux-x86_64@vger.kernel.org, linux-arch@vger.kernel.org
Cc: linux-mm <linux-mm@kvack.org>, Linux API <linux-api@vger.kernel.org>
Subject: Re: MPK: removing a pkey
Date: Thu, 23 Nov 2017 07:09:13 -0800 [thread overview]
Message-ID: <39ea6607-a013-bd18-b478-3f44fb17caa4@linux.intel.com> (raw)
In-Reply-To: <28f6e430-293d-4b30-dce6-018a2b3c03e8@redhat.com>
On 11/23/2017 04:38 AM, Florian Weimer wrote:
> On 11/22/2017 05:32 PM, Dave Hansen wrote:
>> On 11/22/2017 08:21 AM, Florian Weimer wrote:
>>> On 11/22/2017 05:10 PM, Dave Hansen wrote:
>>>> On 11/22/2017 04:15 AM, Florian Weimer wrote:
>>>>> On 11/22/2017 09:18 AM, Vlastimil Babka wrote:
>>>>>> And, was the pkey == -1 internal wiring supposed to be exposed to the
>>>>>> pkey_mprotect() signal, or should there have been a pre-check
>>>>>> returning
>>>>>> EINVAL in SYSCALL_DEFINE4(pkey_mprotect), before calling
>>>>>> do_mprotect_pkey())? I assume it's too late to change it now
>>>>>> anyway (or
>>>>>> not?), so should we also document it?
>>>>>
>>>>> I think the -1 case to the set the default key is useful because it
>>>>> allows you to use a key value of -1 to mean “MPK is not supported”,
>>>>> and
>>>>> still call pkey_mprotect.
>>>>
>>>> The behavior to not allow 0 to be set was unintentional and is a bug.
>>>> We should fix that.
>>>
>>> On the other hand, x86-64 has no single default protection key due to
>>> the PROT_EXEC emulation.
>>
>> No, the default is clearly 0 and documented to be so. The PROT_EXEC
>> emulation one should be inaccessible in all the APIs so does not even
>> show up as *being* a key in the API.
I should have been more explicit: the EXEC pkey does not show up in the
syscall API.
> I see key 1 in /proc for a PROT_EXEC mapping. If I supply an explicit
> protection key, that key is used, and the page ends up having read
> access enabled.
>
> The key is also visible in the siginfo_t argument on read access to a
> PROT_EXEC mapping with the default key, so it's not just /proc:
>
> page 1 (0x7f008242d000): read access denied
> SIGSEGV address: 0x7f008242d000
> SIGSEGV code: 4
> SIGSEGV key: 1
>
> I'm attaching my test.
Yes, it is exposed there. But, as a non-allocated pkey, the intention
in the kernel was to make sure that it could not be passed to the syscalls.
If that behavior is broken, we should probably fix it.
>> The fact that it's implemented
>> with pkeys should be pretty immaterial other than the fact that you
>> can't touch the high bits in PKRU.
>
> I don't see a restriction for PKRU updates. If I write zero to the PKRU
> register, PROT_EXEC implies PROT_READ, as I would expect.
I'll rephrase:
The fact that it's implemented with pkeys should be pretty
immaterial other than the fact that you must not touch the bits
controlling PROT_EXEC in PKRU if you want to keep it working.
There is no restriction which is *enforced*. It's just documented.
WARNING: multiple messages have this Message-ID (diff)
From: Dave Hansen <dave.hansen@linux.intel.com>
To: Florian Weimer <fweimer@redhat.com>,
Vlastimil Babka <vbabka@suse.cz>,
linux-x86_64@vger.kernel.org, linux-arch@vger.kernel.org
Cc: linux-mm <linux-mm@kvack.org>, Linux API <linux-api@vger.kernel.org>
Subject: Re: MPK: removing a pkey
Date: Thu, 23 Nov 2017 07:09:13 -0800 [thread overview]
Message-ID: <39ea6607-a013-bd18-b478-3f44fb17caa4@linux.intel.com> (raw)
In-Reply-To: <28f6e430-293d-4b30-dce6-018a2b3c03e8@redhat.com>
On 11/23/2017 04:38 AM, Florian Weimer wrote:
> On 11/22/2017 05:32 PM, Dave Hansen wrote:
>> On 11/22/2017 08:21 AM, Florian Weimer wrote:
>>> On 11/22/2017 05:10 PM, Dave Hansen wrote:
>>>> On 11/22/2017 04:15 AM, Florian Weimer wrote:
>>>>> On 11/22/2017 09:18 AM, Vlastimil Babka wrote:
>>>>>> And, was the pkey == -1 internal wiring supposed to be exposed to the
>>>>>> pkey_mprotect() signal, or should there have been a pre-check
>>>>>> returning
>>>>>> EINVAL in SYSCALL_DEFINE4(pkey_mprotect), before calling
>>>>>> do_mprotect_pkey())? I assume it's too late to change it now
>>>>>> anyway (or
>>>>>> not?), so should we also document it?
>>>>>
>>>>> I think the -1 case to the set the default key is useful because it
>>>>> allows you to use a key value of -1 to mean a??MPK is not supporteda??,
>>>>> and
>>>>> still call pkey_mprotect.
>>>>
>>>> The behavior to not allow 0 to be set was unintentional and is a bug.
>>>> We should fix that.
>>>
>>> On the other hand, x86-64 has no single default protection key due to
>>> the PROT_EXEC emulation.
>>
>> No, the default is clearly 0 and documented to be so.A The PROT_EXEC
>> emulation one should be inaccessible in all the APIs so does not even
>> show up as *being* a key in the API.
I should have been more explicit: the EXEC pkey does not show up in the
syscall API.
> I see key 1 in /proc for a PROT_EXEC mapping.A If I supply an explicit
> protection key, that key is used, and the page ends up having read
> access enabled.
>
> The key is also visible in the siginfo_t argument on read access to a
> PROT_EXEC mapping with the default key, so it's not just /proc:
>
> page 1 (0x7f008242d000): read access denied
> A SIGSEGV address: 0x7f008242d000
> A SIGSEGV code: 4
> A SIGSEGV key: 1
>
> I'm attaching my test.
Yes, it is exposed there. But, as a non-allocated pkey, the intention
in the kernel was to make sure that it could not be passed to the syscalls.
If that behavior is broken, we should probably fix it.
>> The fact that it's implemented
>> with pkeys should be pretty immaterial other than the fact that you
>> can't touch the high bits in PKRU.
>
> I don't see a restriction for PKRU updates.A If I write zero to the PKRU
> register, PROT_EXEC implies PROT_READ, as I would expect.
I'll rephrase:
The fact that it's implemented with pkeys should be pretty
immaterial other than the fact that you must not touch the bits
controlling PROT_EXEC in PKRU if you want to keep it working.
There is no restriction which is *enforced*. It's just documented.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2017-11-23 15:09 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-05 10:35 MPK: pkey_free and key reuse Florian Weimer
2017-11-05 10:35 ` Florian Weimer
2017-11-05 10:35 ` Florian Weimer
2017-11-08 20:41 ` Dave Hansen
2017-11-08 20:41 ` Dave Hansen
2017-11-09 14:48 ` Florian Weimer
2017-11-09 14:48 ` Florian Weimer
2017-11-09 14:48 ` Florian Weimer
2017-11-09 16:59 ` Dave Hansen
2017-11-09 16:59 ` Dave Hansen
2017-11-09 16:59 ` Dave Hansen
2017-11-23 12:48 ` Florian Weimer
2017-11-23 12:48 ` Florian Weimer
2017-11-23 13:07 ` Vlastimil Babka
2017-11-23 13:07 ` Vlastimil Babka
2017-11-23 15:25 ` Dave Hansen
2017-11-23 15:25 ` Dave Hansen
2017-11-24 14:55 ` Florian Weimer
2017-11-24 14:55 ` Florian Weimer
[not found] ` <0f006ef4-a7b5-c0cf-5f58-d0fd1f911a54-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-11-22 8:18 ` MPK: removing a pkey (was: pkey_free and key reuse) Vlastimil Babka
2017-11-22 8:18 ` Vlastimil Babka
2017-11-22 8:18 ` Vlastimil Babka
2017-11-22 12:15 ` MPK: removing a pkey Florian Weimer
2017-11-22 12:15 ` Florian Weimer
2017-11-22 12:15 ` Florian Weimer
2017-11-22 12:46 ` Vlastimil Babka
2017-11-22 12:46 ` Vlastimil Babka
2017-11-22 12:46 ` Vlastimil Babka
[not found] ` <f0495f01-9821-ec36-56b4-333f109eb761-AlSwsSmVLrQ@public.gmane.org>
2017-11-22 12:49 ` Florian Weimer
2017-11-22 12:49 ` Florian Weimer
2017-11-22 12:49 ` Florian Weimer
2017-11-22 16:10 ` Dave Hansen
2017-11-22 16:10 ` Dave Hansen
2017-11-22 16:21 ` Florian Weimer
2017-11-22 16:21 ` Florian Weimer
2017-11-22 16:21 ` Florian Weimer
[not found] ` <9ec19ff3-86f6-7cfe-1a07-1ab1c5d9882c-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-11-22 16:32 ` Dave Hansen
2017-11-22 16:32 ` Dave Hansen
2017-11-22 16:32 ` Dave Hansen
2017-11-23 8:11 ` Vlastimil Babka
2017-11-23 8:11 ` Vlastimil Babka
[not found] ` <de93997a-7802-96cf-62e2-e59416e745ca-AlSwsSmVLrQ@public.gmane.org>
2017-11-23 15:00 ` Dave Hansen
2017-11-23 15:00 ` Dave Hansen
2017-11-23 15:00 ` Dave Hansen
2017-11-23 21:42 ` Vlastimil Babka
2017-11-23 21:42 ` Vlastimil Babka
[not found] ` <2d12777f-615a-8101-2156-cf861ec13aa7-AlSwsSmVLrQ@public.gmane.org>
2017-11-23 23:29 ` Dave Hansen
2017-11-23 23:29 ` Dave Hansen
2017-11-23 23:29 ` Dave Hansen
2017-11-24 8:35 ` Florian Weimer
2017-11-24 8:35 ` Florian Weimer
2017-11-24 8:38 ` Vlastimil Babka
2017-11-24 8:38 ` Vlastimil Babka
2017-11-23 12:38 ` Florian Weimer
2017-11-23 12:38 ` Florian Weimer
2017-11-23 15:09 ` Dave Hansen [this message]
2017-11-23 15:09 ` Dave Hansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=39ea6607-a013-bd18-b478-3f44fb17caa4@linux.intel.com \
--to=dave.hansen@linux.intel.com \
--cc=fweimer@redhat.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-x86_64@vger.kernel.org \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.