From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F2BB01C03 for ; Mon, 20 Mar 2023 15:14:30 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6EA3AC433EF; Mon, 20 Mar 2023 15:14:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1679325270; bh=63PtVO4aVd/7ZfOGEWRKpebX0W6pFFeZKrXfWkCLt9Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=h9Lx49BERAVc88G7pbJR1Zifus1p3ns9EOiVb5hupZj0OB7z1Vr/3E9qGnv6fIo/j Py38MUJOy6OpAtFVQ5jxLR+qBRT8PIvVy5v9LRddIJsrJYTXJ6OCKAr7Hemyio+d2s 08XxaN5xCl0fzcRPtyGAjSLufVWY6jRUmZXEa24I= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, =?UTF-8?q?Michal=20Such=C3=A1nek?= , Benjamin Gray , Russell Currey , Michael Ellerman , Sasha Levin Subject: [PATCH 6.1 062/198] powerpc/mm: Fix false detection of read faults Date: Mon, 20 Mar 2023 15:53:20 +0100 Message-Id: <20230320145510.150651932@linuxfoundation.org> X-Mailer: git-send-email 2.40.0 In-Reply-To: <20230320145507.420176832@linuxfoundation.org> References: <20230320145507.420176832@linuxfoundation.org> User-Agent: quilt/0.67 Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Russell Currey [ Upstream commit f2c7e3562b4c4f1699acc1538ebf3e75f5cced35 ] To support detection of read faults with Radix execute-only memory, the vma_is_accessible() check in access_error() (which checks for PROT_NONE) was replaced with a check to see if VM_READ was missing, and if so, returns true to assert the fault was caused by a bad read. This is incorrect, as it ignores that both VM_WRITE and VM_EXEC imply read on powerpc, as defined in protection_map[]. This causes mappings containing VM_WRITE or VM_EXEC without VM_READ to misreport the cause of page faults, since the MMU is still allowing reads. Correct this by restoring the original vma_is_accessible() check for PROT_NONE mappings, and adding a separate check for Radix PROT_EXEC-only mappings. Fixes: 395cac7752b9 ("powerpc/mm: Support execute-only memory on the Radix MMU") Reported-by: Michal Suchánek Link: https://lore.kernel.org/r/20230308152702.GR19419@kitsune.suse.cz Tested-by: Benjamin Gray Signed-off-by: Russell Currey Signed-off-by: Michael Ellerman Link: https://msgid.link/20230310050834.63105-1-ruscur@russell.cc Signed-off-by: Sasha Levin --- arch/powerpc/mm/fault.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c index 2bef19cc1b98c..af46aa88422bf 100644 --- a/arch/powerpc/mm/fault.c +++ b/arch/powerpc/mm/fault.c @@ -271,11 +271,16 @@ static bool access_error(bool is_write, bool is_exec, struct vm_area_struct *vma } /* - * Check for a read fault. This could be caused by a read on an - * inaccessible page (i.e. PROT_NONE), or a Radix MMU execute-only page. + * VM_READ, VM_WRITE and VM_EXEC all imply read permissions, as + * defined in protection_map[]. Read faults can only be caused by + * a PROT_NONE mapping, or with a PROT_EXEC-only mapping on Radix. */ - if (unlikely(!(vma->vm_flags & VM_READ))) + if (unlikely(!vma_is_accessible(vma))) return true; + + if (unlikely(radix_enabled() && ((vma->vm_flags & VM_ACCESS_FLAGS) == VM_EXEC))) + return true; + /* * We should ideally do the vma pkey access check here. But in the * fault path, handle_mm_fault() also does the same check. To avoid -- 2.39.2