Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 33a709b2 authored by Dave Hansen's avatar Dave Hansen Committed by Ingo Molnar
Browse files

mm/gup, x86/mm/pkeys: Check VMAs and PTEs for protection keys 



Today, for normal faults and page table walks, we check the VMA
and/or PTE to ensure that it is compatible with the action.  For
instance, if we get a write fault on a non-writeable VMA, we
SIGSEGV.

We try to do the same thing for protection keys.  Basically, we
try to make sure that if a user does this:

	mprotect(ptr, size, PROT_NONE);
	*ptr = foo;

they see the same effects with protection keys when they do this:

	mprotect(ptr, size, PROT_READ|PROT_WRITE);
	set_pkey(ptr, size, 4);
	wrpkru(0xffffff3f); // access disable pkey 4
	*ptr = foo;

The state to do that checking is in the VMA, but we also
sometimes have to do it on the page tables only, like when doing
a get_user_pages_fast() where we have no VMA.

We add two functions and expose them to generic code:

	arch_pte_access_permitted(pte_flags, write)
	arch_vma_access_permitted(vma, write)

These are, of course, backed up in x86 arch code with checks
against the PTE or VMA's protection key.

But, there are also cases where we do not want to respect
protection keys.  When we ptrace(), for instance, we do not want
to apply the tracer's PKRU permissions to the PTEs from the
process being traced.

Signed-off-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: default avatarThomas Gleixner <tglx@linutronix.de>
Cc: Alexey Kardashevskiy <aik@ozlabs.ru>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Boaz Harrosh <boaz@plexistor.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Dave Hansen <dave@sr71.net>
Cc: David Gibson <david@gibson.dropbear.id.au>
Cc: David Hildenbrand <dahi@linux.vnet.ibm.com>
Cc: David Vrabel <david.vrabel@citrix.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Dominik Dingel <dingel@linux.vnet.ibm.com>
Cc: Dominik Vogt <vogt@linux.vnet.ibm.com>
Cc: Guan Xuetao <gxt@mprc.pku.edu.cn>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Jason Low <jason.low2@hp.com>
Cc: Jerome Marchand <jmarchan@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Laurent Dufour <ldufour@linux.vnet.ibm.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Matthew Wilcox <willy@linux.intel.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Mikulas Patocka <mpatocka@redhat.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: Shachar Raindel <raindel@mellanox.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Toshi Kani <toshi.kani@hpe.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: linux-arch@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: linux-mm@kvack.org
Cc: linux-s390@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Link: http://lkml.kernel.org/r/20160212210219.14D5D715@viggo.jf.intel.com


Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
parent 1874f689

arch/powerpc/include/asm/mmu_context.h

+11 −0
Original line number Diff line number Diff line
@@ -148,5 +148,16 @@ static inline void arch_bprm_mm_init(struct mm_struct *mm, 
{

}



static inline bool arch_vma_access_permitted(struct vm_area_struct *vma, bool write)

{

	/* by default, allow everything */

	return true;

}



static inline bool arch_pte_access_permitted(pte_t pte, bool write)

{

	/* by default, allow everything */

	return true;

}

#endif /* __KERNEL__ */

#endif /* __ASM_POWERPC_MMU_CONTEXT_H */

arch/s390/include/asm/mmu_context.h

+11 −0
Original line number Diff line number Diff line
@@ -130,4 +130,15 @@ static inline void arch_bprm_mm_init(struct mm_struct *mm, 
{

}



static inline bool arch_vma_access_permitted(struct vm_area_struct *vma, bool write)

{

	/* by default, allow everything */

	return true;

}



static inline bool arch_pte_access_permitted(pte_t pte, bool write)

{

	/* by default, allow everything */

	return true;

}

#endif /* __S390_MMU_CONTEXT_H */

arch/unicore32/include/asm/mmu_context.h

+11 −0
Original line number Diff line number Diff line
@@ -97,4 +97,15 @@ static inline void arch_bprm_mm_init(struct mm_struct *mm, 
{

}



static inline bool arch_vma_access_permitted(struct vm_area_struct *vma, bool write)

{

	/* by default, allow everything */

	return true;

}



static inline bool arch_pte_access_permitted(pte_t pte, bool write)

{

	/* by default, allow everything */

	return true;

}

#endif

arch/x86/include/asm/mmu_context.h

+49 −0
Original line number Diff line number Diff line
@@ -286,4 +286,53 @@ static inline int vma_pkey(struct vm_area_struct *vma) 
	return pkey;

}



static inline bool __pkru_allows_pkey(u16 pkey, bool write)

{

	u32 pkru = read_pkru();



	if (!__pkru_allows_read(pkru, pkey))

		return false;

	if (write && !__pkru_allows_write(pkru, pkey))

		return false;



	return true;

}



/*

 * We only want to enforce protection keys on the current process

 * because we effectively have no access to PKRU for other

 * processes or any way to tell *which * PKRU in a threaded

 * process we could use.

 *

 * So do not enforce things if the VMA is not from the current

 * mm, or if we are in a kernel thread.

 */

static inline bool vma_is_foreign(struct vm_area_struct *vma)

{

	if (!current->mm)

		return true;

	/*

	 * Should PKRU be enforced on the access to this VMA?  If

	 * the VMA is from another process, then PKRU has no

	 * relevance and should not be enforced.

	 */

	if (current->mm != vma->vm_mm)

		return true;



	return false;

}



static inline bool arch_vma_access_permitted(struct vm_area_struct *vma, bool write)

{

	/* allow access if the VMA is not one from this process */

	if (vma_is_foreign(vma))

		return true;

	return __pkru_allows_pkey(vma_pkey(vma), write);

}



static inline bool arch_pte_access_permitted(pte_t pte, bool write)

{

	return __pkru_allows_pkey(pte_flags_pkey(pte_flags(pte)), write);

}



#endif /* _ASM_X86_MMU_CONTEXT_H */

arch/x86/include/asm/pgtable.h

+29 −0
Original line number Diff line number Diff line
@@ -919,6 +919,35 @@ static inline pte_t pte_swp_clear_soft_dirty(pte_t pte) 
}

#endif



#define PKRU_AD_BIT 0x1

#define PKRU_WD_BIT 0x2



static inline bool __pkru_allows_read(u32 pkru, u16 pkey)

{

	int pkru_pkey_bits = pkey * 2;

	return !(pkru & (PKRU_AD_BIT << pkru_pkey_bits));

}



static inline bool __pkru_allows_write(u32 pkru, u16 pkey)

{

	int pkru_pkey_bits = pkey * 2;

	/*

	 * Access-disable disables writes too so we need to check

	 * both bits here.

	 */

	return !(pkru & ((PKRU_AD_BIT|PKRU_WD_BIT) << pkru_pkey_bits));

}



static inline u16 pte_flags_pkey(unsigned long pte_flags)

{

#ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS

	/* ifdef to avoid doing 59-bit shift on 32-bit values */

	return (pte_flags & _PAGE_PKEY_MASK) >> _PAGE_BIT_PKEY_BIT0;

#else

	return 0;

#endif

}



#include <asm-generic/pgtable.h>

#endif	/* __ASSEMBLY__ */