[PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Dan Williams]

Let all the archs that implement CONFIG_STRICT_DEVM use a common
definition in lib/Kconfig.debug.

Note, the 'depends on !SPARC' is due to sparc not implementing
devmem_is_allowed().

Cc: Kees Cook <keescook@chromium.org>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "David S. Miller" <davem@davemloft.net>
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 arch/arm/Kconfig.debug       |   14 --------------
 arch/arm64/Kconfig.debug     |   14 --------------
 arch/powerpc/Kconfig.debug   |   12 ------------
 arch/s390/Kconfig.debug      |   12 ------------
 arch/tile/Kconfig            |    3 ---
 arch/unicore32/Kconfig.debug |   14 --------------
 arch/x86/Kconfig.debug       |   17 -----------------
 lib/Kconfig.debug            |   19 +++++++++++++++++++
 8 files changed, 19 insertions(+), 86 deletions(-)

diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug
index 259c0ca9c99a..e356357d86bb 100644
--- a/arch/arm/Kconfig.debug
+++ b/arch/arm/Kconfig.debug
@@ -15,20 +15,6 @@ config ARM_PTDUMP
 	  kernel.
 	  If in doubt, say "N"
 
-config STRICT_DEVMEM
-	bool "Filter access to /dev/mem"
-	depends on MMU
-	---help---
-	  If this option is disabled, you allow userspace (root) access to all
-	  of memory, including kernel and userspace memory. Accidental
-	  access to this is obviously disastrous, but specific access can
-	  be used by people debugging the kernel.
-
-	  If this option is switched on, the /dev/mem file only allows
-	  userspace access to memory mapped peripherals.
-
-          If in doubt, say Y.
-
 # RMK wants arm kernels compiled with frame pointers or stack unwinding.
 # If you know what you are doing and are willing to live without stack
 # traces, you can get a slightly smaller kernel by setting this option to
diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
index 04fb73b973f1..e13c4bf84d9e 100644
--- a/arch/arm64/Kconfig.debug
+++ b/arch/arm64/Kconfig.debug
@@ -14,20 +14,6 @@ config ARM64_PTDUMP
 	  kernel.
 	  If in doubt, say "N"
 
-config STRICT_DEVMEM
-	bool "Filter access to /dev/mem"
-	depends on MMU
-	help
-	  If this option is disabled, you allow userspace (root) access to all
-	  of memory, including kernel and userspace memory. Accidental
-	  access to this is obviously disastrous, but specific access can
-	  be used by people debugging the kernel.
-
-	  If this option is switched on, the /dev/mem file only allows
-	  userspace access to memory mapped peripherals.
-
-	  If in doubt, say Y.
-
 config PID_IN_CONTEXTIDR
 	bool "Write the current PID to the CONTEXTIDR register"
 	help
diff --git a/arch/powerpc/Kconfig.debug b/arch/powerpc/Kconfig.debug
index 3a510f4a6b68..a0e44a9c456f 100644
--- a/arch/powerpc/Kconfig.debug
+++ b/arch/powerpc/Kconfig.debug
@@ -335,18 +335,6 @@ config PPC_EARLY_DEBUG_CPM_ADDR
 	  platform probing is done, all platforms selected must
 	  share the same address.
 
-config STRICT_DEVMEM
-	def_bool y
-	prompt "Filter access to /dev/mem"
-	help
-	  This option restricts access to /dev/mem.  If this option is
-	  disabled, you allow userspace access to all memory, including
-	  kernel and userspace memory. Accidental memory access is likely
-	  to be disastrous.
-	  Memory access is required for experts who want to debug the kernel.
-
-	  If you are unsure, say Y.
-
 config FAIL_IOMMU
 	bool "Fault-injection capability for IOMMU"
 	depends on FAULT_INJECTION
diff --git a/arch/s390/Kconfig.debug b/arch/s390/Kconfig.debug
index c56878e1245f..26c5d5beb4be 100644
--- a/arch/s390/Kconfig.debug
+++ b/arch/s390/Kconfig.debug
@@ -5,18 +5,6 @@ config TRACE_IRQFLAGS_SUPPORT
 
 source "lib/Kconfig.debug"
 
-config STRICT_DEVMEM
-	def_bool y
-	prompt "Filter access to /dev/mem"
-	---help---
-	  This option restricts access to /dev/mem.  If this option is
-	  disabled, you allow userspace access to all memory, including
-	  kernel and userspace memory. Accidental memory access is likely
-	  to be disastrous.
-	  Memory access is required for experts who want to debug the kernel.
-
-	  If you are unsure, say Y.
-
 config S390_PTDUMP
 	bool "Export kernel pagetable layout to userspace via debugfs"
 	depends on DEBUG_KERNEL
diff --git a/arch/tile/Kconfig b/arch/tile/Kconfig
index 106c21bd7f44..7b2d40db11fa 100644
--- a/arch/tile/Kconfig
+++ b/arch/tile/Kconfig
@@ -116,9 +116,6 @@ config ARCH_DISCONTIGMEM_DEFAULT
 config TRACE_IRQFLAGS_SUPPORT
 	def_bool y
 
-config STRICT_DEVMEM
-	def_bool y
-
 # SMP is required for Tilera Linux.
 config SMP
 	def_bool y
diff --git a/arch/unicore32/Kconfig.debug b/arch/unicore32/Kconfig.debug
index 1a3626239843..f075bbe1d46f 100644
--- a/arch/unicore32/Kconfig.debug
+++ b/arch/unicore32/Kconfig.debug
@@ -2,20 +2,6 @@ menu "Kernel hacking"
 
 source "lib/Kconfig.debug"
 
-config STRICT_DEVMEM
-	bool "Filter access to /dev/mem"
-	depends on MMU
-	---help---
-	  If this option is disabled, you allow userspace (root) access to all
-	  of memory, including kernel and userspace memory. Accidental
-	  access to this is obviously disastrous, but specific access can
-	  be used by people debugging the kernel.
-
-	  If this option is switched on, the /dev/mem file only allows
-	  userspace access to memory mapped peripherals.
-
-          If in doubt, say Y.
-
 config EARLY_PRINTK
 	def_bool DEBUG_OCD
 	help
diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
index 137dfa96aa14..1116452fcfc2 100644
--- a/arch/x86/Kconfig.debug
+++ b/arch/x86/Kconfig.debug
@@ -5,23 +5,6 @@ config TRACE_IRQFLAGS_SUPPORT
 
 source "lib/Kconfig.debug"
 
-config STRICT_DEVMEM
-	bool "Filter access to /dev/mem"
-	---help---
-	  If this option is disabled, you allow userspace (root) access to all
-	  of memory, including kernel and userspace memory. Accidental
-	  access to this is obviously disastrous, but specific access can
-	  be used by people debugging the kernel. Note that with PAT support
-	  enabled, even in this case there are restrictions on /dev/mem
-	  use due to the cache aliasing requirements.
-
-	  If this option is switched on, the /dev/mem file only allows
-	  userspace access to PCI space and the BIOS code and data regions.
-	  This is sufficient for dosemu and X and all common users of
-	  /dev/mem.
-
-	  If in doubt, say Y.
-
 config X86_VERBOSE_BOOTUP
 	bool "Enable verbose x86 bootup info messages"
 	default y
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index 8c15b29d5adc..ad85145d0047 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -1853,3 +1853,22 @@ source "samples/Kconfig"
 
 source "lib/Kconfig.kgdb"
 
+config STRICT_DEVMEM
+	bool "Filter access to /dev/mem"
+	depends on MMU
+	depends on !SPARC
+	default y if TILE || PPC || S390
+	---help---
+	  If this option is disabled, you allow userspace (root) access to all
+	  of memory, including kernel and userspace memory. Accidental
+	  access to this is obviously disastrous, but specific access can
+	  be used by people debugging the kernel. Note that with PAT support
+	  enabled, even in this case there are restrictions on /dev/mem
+	  use due to the cache aliasing requirements.
+
+	  If this option is switched on, the /dev/mem file only allows
+	  userspace access to PCI space and the BIOS code and data regions.
+	  This is sufficient for dosemu and X and all common users of
+	  /dev/mem.
+
+	  If in doubt, say Y.

[PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Dan Williams]

Let all the archs that implement CONFIG_STRICT_DEVM use a common
definition in lib/Kconfig.debug.

Note, the 'depends on !SPARC' is due to sparc not implementing
devmem_is_allowed().

Cc: Kees Cook <keescook@chromium.org>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "David S. Miller" <davem@davemloft.net>
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 arch/arm/Kconfig.debug       |   14 --------------
 arch/arm64/Kconfig.debug     |   14 --------------
 arch/powerpc/Kconfig.debug   |   12 ------------
 arch/s390/Kconfig.debug      |   12 ------------
 arch/tile/Kconfig            |    3 ---
 arch/unicore32/Kconfig.debug |   14 --------------
 arch/x86/Kconfig.debug       |   17 -----------------
 lib/Kconfig.debug            |   19 +++++++++++++++++++
 8 files changed, 19 insertions(+), 86 deletions(-)

diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug
index 259c0ca9c99a..e356357d86bb 100644
--- a/arch/arm/Kconfig.debug
+++ b/arch/arm/Kconfig.debug
@@ -15,20 +15,6 @@ config ARM_PTDUMP
 	  kernel.
 	  If in doubt, say "N"
 
-config STRICT_DEVMEM
-	bool "Filter access to /dev/mem"
-	depends on MMU
-	---help---
-	  If this option is disabled, you allow userspace (root) access to all
-	  of memory, including kernel and userspace memory. Accidental
-	  access to this is obviously disastrous, but specific access can
-	  be used by people debugging the kernel.
-
-	  If this option is switched on, the /dev/mem file only allows
-	  userspace access to memory mapped peripherals.
-
-          If in doubt, say Y.
-
 # RMK wants arm kernels compiled with frame pointers or stack unwinding.
 # If you know what you are doing and are willing to live without stack
 # traces, you can get a slightly smaller kernel by setting this option to
diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
index 04fb73b973f1..e13c4bf84d9e 100644
--- a/arch/arm64/Kconfig.debug
+++ b/arch/arm64/Kconfig.debug
@@ -14,20 +14,6 @@ config ARM64_PTDUMP
 	  kernel.
 	  If in doubt, say "N"
 
-config STRICT_DEVMEM
-	bool "Filter access to /dev/mem"
-	depends on MMU
-	help
-	  If this option is disabled, you allow userspace (root) access to all
-	  of memory, including kernel and userspace memory. Accidental
-	  access to this is obviously disastrous, but specific access can
-	  be used by people debugging the kernel.
-
-	  If this option is switched on, the /dev/mem file only allows
-	  userspace access to memory mapped peripherals.
-
-	  If in doubt, say Y.
-
 config PID_IN_CONTEXTIDR
 	bool "Write the current PID to the CONTEXTIDR register"
 	help
diff --git a/arch/powerpc/Kconfig.debug b/arch/powerpc/Kconfig.debug
index 3a510f4a6b68..a0e44a9c456f 100644
--- a/arch/powerpc/Kconfig.debug
+++ b/arch/powerpc/Kconfig.debug
@@ -335,18 +335,6 @@ config PPC_EARLY_DEBUG_CPM_ADDR
 	  platform probing is done, all platforms selected must
 	  share the same address.
 
-config STRICT_DEVMEM
-	def_bool y
-	prompt "Filter access to /dev/mem"
-	help
-	  This option restricts access to /dev/mem.  If this option is
-	  disabled, you allow userspace access to all memory, including
-	  kernel and userspace memory. Accidental memory access is likely
-	  to be disastrous.
-	  Memory access is required for experts who want to debug the kernel.
-
-	  If you are unsure, say Y.
-
 config FAIL_IOMMU
 	bool "Fault-injection capability for IOMMU"
 	depends on FAULT_INJECTION
diff --git a/arch/s390/Kconfig.debug b/arch/s390/Kconfig.debug
index c56878e1245f..26c5d5beb4be 100644
--- a/arch/s390/Kconfig.debug
+++ b/arch/s390/Kconfig.debug
@@ -5,18 +5,6 @@ config TRACE_IRQFLAGS_SUPPORT
 
 source "lib/Kconfig.debug"
 
-config STRICT_DEVMEM
-	def_bool y
-	prompt "Filter access to /dev/mem"
-	---help---
-	  This option restricts access to /dev/mem.  If this option is
-	  disabled, you allow userspace access to all memory, including
-	  kernel and userspace memory. Accidental memory access is likely
-	  to be disastrous.
-	  Memory access is required for experts who want to debug the kernel.
-
-	  If you are unsure, say Y.
-
 config S390_PTDUMP
 	bool "Export kernel pagetable layout to userspace via debugfs"
 	depends on DEBUG_KERNEL
diff --git a/arch/tile/Kconfig b/arch/tile/Kconfig
index 106c21bd7f44..7b2d40db11fa 100644
--- a/arch/tile/Kconfig
+++ b/arch/tile/Kconfig
@@ -116,9 +116,6 @@ config ARCH_DISCONTIGMEM_DEFAULT
 config TRACE_IRQFLAGS_SUPPORT
 	def_bool y
 
-config STRICT_DEVMEM
-	def_bool y
-
 # SMP is required for Tilera Linux.
 config SMP
 	def_bool y
diff --git a/arch/unicore32/Kconfig.debug b/arch/unicore32/Kconfig.debug
index 1a3626239843..f075bbe1d46f 100644
--- a/arch/unicore32/Kconfig.debug
+++ b/arch/unicore32/Kconfig.debug
@@ -2,20 +2,6 @@ menu "Kernel hacking"
 
 source "lib/Kconfig.debug"
 
-config STRICT_DEVMEM
-	bool "Filter access to /dev/mem"
-	depends on MMU
-	---help---
-	  If this option is disabled, you allow userspace (root) access to all
-	  of memory, including kernel and userspace memory. Accidental
-	  access to this is obviously disastrous, but specific access can
-	  be used by people debugging the kernel.
-
-	  If this option is switched on, the /dev/mem file only allows
-	  userspace access to memory mapped peripherals.
-
-          If in doubt, say Y.
-
 config EARLY_PRINTK
 	def_bool DEBUG_OCD
 	help
diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
index 137dfa96aa14..1116452fcfc2 100644
--- a/arch/x86/Kconfig.debug
+++ b/arch/x86/Kconfig.debug
@@ -5,23 +5,6 @@ config TRACE_IRQFLAGS_SUPPORT
 
 source "lib/Kconfig.debug"
 
-config STRICT_DEVMEM
-	bool "Filter access to /dev/mem"
-	---help---
-	  If this option is disabled, you allow userspace (root) access to all
-	  of memory, including kernel and userspace memory. Accidental
-	  access to this is obviously disastrous, but specific access can
-	  be used by people debugging the kernel. Note that with PAT support
-	  enabled, even in this case there are restrictions on /dev/mem
-	  use due to the cache aliasing requirements.
-
-	  If this option is switched on, the /dev/mem file only allows
-	  userspace access to PCI space and the BIOS code and data regions.
-	  This is sufficient for dosemu and X and all common users of
-	  /dev/mem.
-
-	  If in doubt, say Y.
-
 config X86_VERBOSE_BOOTUP
 	bool "Enable verbose x86 bootup info messages"
 	default y
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index 8c15b29d5adc..ad85145d0047 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -1853,3 +1853,22 @@ source "samples/Kconfig"
 
 source "lib/Kconfig.kgdb"
 
+config STRICT_DEVMEM
+	bool "Filter access to /dev/mem"
+	depends on MMU
+	depends on !SPARC
+	default y if TILE || PPC || S390
+	---help---
+	  If this option is disabled, you allow userspace (root) access to all
+	  of memory, including kernel and userspace memory. Accidental
+	  access to this is obviously disastrous, but specific access can
+	  be used by people debugging the kernel. Note that with PAT support
+	  enabled, even in this case there are restrictions on /dev/mem
+	  use due to the cache aliasing requirements.
+
+	  If this option is switched on, the /dev/mem file only allows
+	  userspace access to PCI space and the BIOS code and data regions.
+	  This is sufficient for dosemu and X and all common users of
+	  /dev/mem.
+
+	  If in doubt, say Y.

[PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Dan Williams]

Let all the archs that implement CONFIG_STRICT_DEVM use a common
definition in lib/Kconfig.debug.

Note, the 'depends on !SPARC' is due to sparc not implementing
devmem_is_allowed().

Cc: Kees Cook <keescook@chromium.org>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: "David S. Miller" <davem@davemloft.net>
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 arch/arm/Kconfig.debug       |   14 --------------
 arch/arm64/Kconfig.debug     |   14 --------------
 arch/powerpc/Kconfig.debug   |   12 ------------
 arch/s390/Kconfig.debug      |   12 ------------
 arch/tile/Kconfig            |    3 ---
 arch/unicore32/Kconfig.debug |   14 --------------
 arch/x86/Kconfig.debug       |   17 -----------------
 lib/Kconfig.debug            |   19 +++++++++++++++++++
 8 files changed, 19 insertions(+), 86 deletions(-)

diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug
index 259c0ca9c99a..e356357d86bb 100644
--- a/arch/arm/Kconfig.debug
+++ b/arch/arm/Kconfig.debug
@@ -15,20 +15,6 @@ config ARM_PTDUMP
 	  kernel.
 	  If in doubt, say "N"
 
-config STRICT_DEVMEM
-	bool "Filter access to /dev/mem"
-	depends on MMU
-	---help---
-	  If this option is disabled, you allow userspace (root) access to all
-	  of memory, including kernel and userspace memory. Accidental
-	  access to this is obviously disastrous, but specific access can
-	  be used by people debugging the kernel.
-
-	  If this option is switched on, the /dev/mem file only allows
-	  userspace access to memory mapped peripherals.
-
-          If in doubt, say Y.
-
 # RMK wants arm kernels compiled with frame pointers or stack unwinding.
 # If you know what you are doing and are willing to live without stack
 # traces, you can get a slightly smaller kernel by setting this option to
diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
index 04fb73b973f1..e13c4bf84d9e 100644
--- a/arch/arm64/Kconfig.debug
+++ b/arch/arm64/Kconfig.debug
@@ -14,20 +14,6 @@ config ARM64_PTDUMP
 	  kernel.
 	  If in doubt, say "N"
 
-config STRICT_DEVMEM
-	bool "Filter access to /dev/mem"
-	depends on MMU
-	help
-	  If this option is disabled, you allow userspace (root) access to all
-	  of memory, including kernel and userspace memory. Accidental
-	  access to this is obviously disastrous, but specific access can
-	  be used by people debugging the kernel.
-
-	  If this option is switched on, the /dev/mem file only allows
-	  userspace access to memory mapped peripherals.
-
-	  If in doubt, say Y.
-
 config PID_IN_CONTEXTIDR
 	bool "Write the current PID to the CONTEXTIDR register"
 	help
diff --git a/arch/powerpc/Kconfig.debug b/arch/powerpc/Kconfig.debug
index 3a510f4a6b68..a0e44a9c456f 100644
--- a/arch/powerpc/Kconfig.debug
+++ b/arch/powerpc/Kconfig.debug
@@ -335,18 +335,6 @@ config PPC_EARLY_DEBUG_CPM_ADDR
 	  platform probing is done, all platforms selected must
 	  share the same address.
 
-config STRICT_DEVMEM
-	def_bool y
-	prompt "Filter access to /dev/mem"
-	help
-	  This option restricts access to /dev/mem.  If this option is
-	  disabled, you allow userspace access to all memory, including
-	  kernel and userspace memory. Accidental memory access is likely
-	  to be disastrous.
-	  Memory access is required for experts who want to debug the kernel.
-
-	  If you are unsure, say Y.
-
 config FAIL_IOMMU
 	bool "Fault-injection capability for IOMMU"
 	depends on FAULT_INJECTION
diff --git a/arch/s390/Kconfig.debug b/arch/s390/Kconfig.debug
index c56878e1245f..26c5d5beb4be 100644
--- a/arch/s390/Kconfig.debug
+++ b/arch/s390/Kconfig.debug
@@ -5,18 +5,6 @@ config TRACE_IRQFLAGS_SUPPORT
 
 source "lib/Kconfig.debug"
 
-config STRICT_DEVMEM
-	def_bool y
-	prompt "Filter access to /dev/mem"
-	---help---
-	  This option restricts access to /dev/mem.  If this option is
-	  disabled, you allow userspace access to all memory, including
-	  kernel and userspace memory. Accidental memory access is likely
-	  to be disastrous.
-	  Memory access is required for experts who want to debug the kernel.
-
-	  If you are unsure, say Y.
-
 config S390_PTDUMP
 	bool "Export kernel pagetable layout to userspace via debugfs"
 	depends on DEBUG_KERNEL
diff --git a/arch/tile/Kconfig b/arch/tile/Kconfig
index 106c21bd7f44..7b2d40db11fa 100644
--- a/arch/tile/Kconfig
+++ b/arch/tile/Kconfig
@@ -116,9 +116,6 @@ config ARCH_DISCONTIGMEM_DEFAULT
 config TRACE_IRQFLAGS_SUPPORT
 	def_bool y
 
-config STRICT_DEVMEM
-	def_bool y
-
 # SMP is required for Tilera Linux.
 config SMP
 	def_bool y
diff --git a/arch/unicore32/Kconfig.debug b/arch/unicore32/Kconfig.debug
index 1a3626239843..f075bbe1d46f 100644
--- a/arch/unicore32/Kconfig.debug
+++ b/arch/unicore32/Kconfig.debug
@@ -2,20 +2,6 @@ menu "Kernel hacking"
 
 source "lib/Kconfig.debug"
 
-config STRICT_DEVMEM
-	bool "Filter access to /dev/mem"
-	depends on MMU
-	---help---
-	  If this option is disabled, you allow userspace (root) access to all
-	  of memory, including kernel and userspace memory. Accidental
-	  access to this is obviously disastrous, but specific access can
-	  be used by people debugging the kernel.
-
-	  If this option is switched on, the /dev/mem file only allows
-	  userspace access to memory mapped peripherals.
-
-          If in doubt, say Y.
-
 config EARLY_PRINTK
 	def_bool DEBUG_OCD
 	help
diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
index 137dfa96aa14..1116452fcfc2 100644
--- a/arch/x86/Kconfig.debug
+++ b/arch/x86/Kconfig.debug
@@ -5,23 +5,6 @@ config TRACE_IRQFLAGS_SUPPORT
 
 source "lib/Kconfig.debug"
 
-config STRICT_DEVMEM
-	bool "Filter access to /dev/mem"
-	---help---
-	  If this option is disabled, you allow userspace (root) access to all
-	  of memory, including kernel and userspace memory. Accidental
-	  access to this is obviously disastrous, but specific access can
-	  be used by people debugging the kernel. Note that with PAT support
-	  enabled, even in this case there are restrictions on /dev/mem
-	  use due to the cache aliasing requirements.
-
-	  If this option is switched on, the /dev/mem file only allows
-	  userspace access to PCI space and the BIOS code and data regions.
-	  This is sufficient for dosemu and X and all common users of
-	  /dev/mem.
-
-	  If in doubt, say Y.
-
 config X86_VERBOSE_BOOTUP
 	bool "Enable verbose x86 bootup info messages"
 	default y
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index 8c15b29d5adc..ad85145d0047 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -1853,3 +1853,22 @@ source "samples/Kconfig"
 
 source "lib/Kconfig.kgdb"
 
+config STRICT_DEVMEM
+	bool "Filter access to /dev/mem"
+	depends on MMU
+	depends on !SPARC
+	default y if TILE || PPC || S390
+	---help---
+	  If this option is disabled, you allow userspace (root) access to all
+	  of memory, including kernel and userspace memory. Accidental
+	  access to this is obviously disastrous, but specific access can
+	  be used by people debugging the kernel. Note that with PAT support
+	  enabled, even in this case there are restrictions on /dev/mem
+	  use due to the cache aliasing requirements.
+
+	  If this option is switched on, the /dev/mem file only allows
+	  userspace access to PCI space and the BIOS code and data regions.
+	  This is sufficient for dosemu and X and all common users of
+	  /dev/mem.
+
+	  If in doubt, say Y.

[PATCH 2/2] restrict /dev/mem to idle io memory ranges

[Dan Williams]

This effectively promotes IORESOURCE_BUSY to IORESOURCE_EXCLUSIVE
semantics by default.  If userspace really believes it is safe to access
the memory region it can also perform the extra step of disabling an
active driver.  This protects device address ranges with read side
effects and otherwise directs userspace to use the driver.

Persistent memory presents a large "mistake surface" to /dev/mem as now
accidental writes can corrupt a filesystem.

Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kees Cook <keescook@chromium.org>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 kernel/resource.c |    3 +++
 lib/Kconfig.debug |   23 ++++++++++++++++++++---
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/kernel/resource.c b/kernel/resource.c
index f150dbbe6f62..03a8b09f68a8 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -1498,6 +1498,9 @@ int iomem_is_exclusive(u64 addr)
 			break;
 		if (p->end < addr)
 			continue;
+		if (IS_ENABLED(CONFIG_IO_STRICT_DEVMEM)
+				&& p->flags & IORESOURCE_BUSY)
+			break;
 		if (p->flags & IORESOURCE_BUSY &&
 		     p->flags & IORESOURCE_EXCLUSIVE) {
 			err = 1;
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index ad85145d0047..be47f99fb191 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -1866,9 +1866,26 @@ config STRICT_DEVMEM
 	  enabled, even in this case there are restrictions on /dev/mem
 	  use due to the cache aliasing requirements.
 
+	  If this option is switched on, and IO_STRICT_DEVMEM=n, the /dev/mem
+	  file only allows userspace access to PCI space and the BIOS code and
+	  data regions.  This is sufficient for dosemu and X and all common
+	  users of /dev/mem.
+
+	  If in doubt, say Y.
+
+config IO_STRICT_DEVMEM
+	bool "Filter I/O access to /dev/mem"
+	depends on STRICT_DEVMEM
+	default STRICT_DEVMEM
+	---help---
+	  If this option is disabled, you allow userspace (root) access to all
+	  io-memory regardless of whether a driver is actively using that
+	  range.  Accidental access to this is obviously disastrous, but
+	  specific access can be used by people debugging kernel drivers.
+
 	  If this option is switched on, the /dev/mem file only allows
-	  userspace access to PCI space and the BIOS code and data regions.
-	  This is sufficient for dosemu and X and all common users of
-	  /dev/mem.
+	  userspace access to *idle* io-memory ranges (see /proc/iomem) This
+	  may break traditional users of /dev/mem (dosemu, legacy X, etc...)
+	  if the driver using a given range cannot be disabled.
 
 	  If in doubt, say Y.

[PATCH 2/2] restrict /dev/mem to idle io memory ranges

[Dan Williams]

This effectively promotes IORESOURCE_BUSY to IORESOURCE_EXCLUSIVE
semantics by default.  If userspace really believes it is safe to access
the memory region it can also perform the extra step of disabling an
active driver.  This protects device address ranges with read side
effects and otherwise directs userspace to use the driver.

Persistent memory presents a large "mistake surface" to /dev/mem as now
accidental writes can corrupt a filesystem.

Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kees Cook <keescook@chromium.org>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 kernel/resource.c |    3 +++
 lib/Kconfig.debug |   23 ++++++++++++++++++++---
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/kernel/resource.c b/kernel/resource.c
index f150dbbe6f62..03a8b09f68a8 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -1498,6 +1498,9 @@ int iomem_is_exclusive(u64 addr)
 			break;
 		if (p->end < addr)
 			continue;
+		if (IS_ENABLED(CONFIG_IO_STRICT_DEVMEM)
+				&& p->flags & IORESOURCE_BUSY)
+			break;
 		if (p->flags & IORESOURCE_BUSY &&
 		     p->flags & IORESOURCE_EXCLUSIVE) {
 			err = 1;
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index ad85145d0047..be47f99fb191 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -1866,9 +1866,26 @@ config STRICT_DEVMEM
 	  enabled, even in this case there are restrictions on /dev/mem
 	  use due to the cache aliasing requirements.
 
+	  If this option is switched on, and IO_STRICT_DEVMEM=n, the /dev/mem
+	  file only allows userspace access to PCI space and the BIOS code and
+	  data regions.  This is sufficient for dosemu and X and all common
+	  users of /dev/mem.
+
+	  If in doubt, say Y.
+
+config IO_STRICT_DEVMEM
+	bool "Filter I/O access to /dev/mem"
+	depends on STRICT_DEVMEM
+	default STRICT_DEVMEM
+	---help---
+	  If this option is disabled, you allow userspace (root) access to all
+	  io-memory regardless of whether a driver is actively using that
+	  range.  Accidental access to this is obviously disastrous, but
+	  specific access can be used by people debugging kernel drivers.
+
 	  If this option is switched on, the /dev/mem file only allows
-	  userspace access to PCI space and the BIOS code and data regions.
-	  This is sufficient for dosemu and X and all common users of
-	  /dev/mem.
+	  userspace access to *idle* io-memory ranges (see /proc/iomem) This
+	  may break traditional users of /dev/mem (dosemu, legacy X, etc...)
+	  if the driver using a given range cannot be disabled.
 
 	  If in doubt, say Y.

[PATCH 2/2] restrict /dev/mem to idle io memory ranges

[Dan Williams]

This effectively promotes IORESOURCE_BUSY to IORESOURCE_EXCLUSIVE
semantics by default.  If userspace really believes it is safe to access
the memory region it can also perform the extra step of disabling an
active driver.  This protects device address ranges with read side
effects and otherwise directs userspace to use the driver.

Persistent memory presents a large "mistake surface" to /dev/mem as now
accidental writes can corrupt a filesystem.

Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kees Cook <keescook@chromium.org>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
---
 kernel/resource.c |    3 +++
 lib/Kconfig.debug |   23 ++++++++++++++++++++---
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/kernel/resource.c b/kernel/resource.c
index f150dbbe6f62..03a8b09f68a8 100644
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -1498,6 +1498,9 @@ int iomem_is_exclusive(u64 addr)
 			break;
 		if (p->end < addr)
 			continue;
+		if (IS_ENABLED(CONFIG_IO_STRICT_DEVMEM)
+				&& p->flags & IORESOURCE_BUSY)
+			break;
 		if (p->flags & IORESOURCE_BUSY &&
 		     p->flags & IORESOURCE_EXCLUSIVE) {
 			err = 1;
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index ad85145d0047..be47f99fb191 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -1866,9 +1866,26 @@ config STRICT_DEVMEM
 	  enabled, even in this case there are restrictions on /dev/mem
 	  use due to the cache aliasing requirements.
 
+	  If this option is switched on, and IO_STRICT_DEVMEM=n, the /dev/mem
+	  file only allows userspace access to PCI space and the BIOS code and
+	  data regions.  This is sufficient for dosemu and X and all common
+	  users of /dev/mem.
+
+	  If in doubt, say Y.
+
+config IO_STRICT_DEVMEM
+	bool "Filter I/O access to /dev/mem"
+	depends on STRICT_DEVMEM
+	default STRICT_DEVMEM
+	---help---
+	  If this option is disabled, you allow userspace (root) access to all
+	  io-memory regardless of whether a driver is actively using that
+	  range.  Accidental access to this is obviously disastrous, but
+	  specific access can be used by people debugging kernel drivers.
+
 	  If this option is switched on, the /dev/mem file only allows
-	  userspace access to PCI space and the BIOS code and data regions.
-	  This is sufficient for dosemu and X and all common users of
-	  /dev/mem.
+	  userspace access to *idle* io-memory ranges (see /proc/iomem) This
+	  may break traditional users of /dev/mem (dosemu, legacy X, etc...)
+	  if the driver using a given range cannot be disabled.
 
 	  If in doubt, say Y.

Re: [PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Ingo Molnar]

* Dan Williams <dan.j.williams@intel.com> wrote:

> Let all the archs that implement CONFIG_STRICT_DEVM use a common
> definition in lib/Kconfig.debug.

For the x86 bit:

Acked-by: Ingo Molnar <mingo@kernel.org>

> Note, the 'depends on !SPARC' is due to sparc not implementing
> devmem_is_allowed().

Maybe that should be converted into a helper Kconfig switch for architectures to 
opt in to /dev/mem restrictions?

Thanks,

	Ingo

Re: [PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Ingo Molnar]

* Dan Williams <dan.j.williams@intel.com> wrote:

> Let all the archs that implement CONFIG_STRICT_DEVM use a common
> definition in lib/Kconfig.debug.

For the x86 bit:

Acked-by: Ingo Molnar <mingo@kernel.org>

> Note, the 'depends on !SPARC' is due to sparc not implementing
> devmem_is_allowed().

Maybe that should be converted into a helper Kconfig switch for architectures to 
opt in to /dev/mem restrictions?

Thanks,

	Ingo

[PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Ingo Molnar]

* Dan Williams <dan.j.williams@intel.com> wrote:

> Let all the archs that implement CONFIG_STRICT_DEVM use a common
> definition in lib/Kconfig.debug.

For the x86 bit:

Acked-by: Ingo Molnar <mingo@kernel.org>

> Note, the 'depends on !SPARC' is due to sparc not implementing
> devmem_is_allowed().

Maybe that should be converted into a helper Kconfig switch for architectures to 
opt in to /dev/mem restrictions?

Thanks,

	Ingo

Re: [PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Heiko Carstens]

On Sat, Nov 21, 2015 at 07:57:02PM -0800, Dan Williams wrote:
> Let all the archs that implement CONFIG_STRICT_DEVM use a common
> definition in lib/Kconfig.debug.
> 
> Note, the 'depends on !SPARC' is due to sparc not implementing
> devmem_is_allowed().
> 
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Russell King <linux@arm.linux.org.uk>
> Cc: Catalin Marinas <catalin.marinas@arm.com>
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
> Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Ingo Molnar <mingo@redhat.com>
> Cc: "H. Peter Anvin" <hpa@zytor.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: "David S. Miller" <davem@davemloft.net>
> Suggested-by: Arnd Bergmann <arnd@arndb.de>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> ---
>  arch/arm/Kconfig.debug       |   14 --------------
>  arch/arm64/Kconfig.debug     |   14 --------------
>  arch/powerpc/Kconfig.debug   |   12 ------------
>  arch/s390/Kconfig.debug      |   12 ------------
>  arch/tile/Kconfig            |    3 ---
>  arch/unicore32/Kconfig.debug |   14 --------------
>  arch/x86/Kconfig.debug       |   17 -----------------
>  lib/Kconfig.debug            |   19 +++++++++++++++++++
>  8 files changed, 19 insertions(+), 86 deletions(-)

For s390

Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>

> diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
> index 8c15b29d5adc..ad85145d0047 100644
> --- a/lib/Kconfig.debug
> +++ b/lib/Kconfig.debug
> @@ -1853,3 +1853,22 @@ source "samples/Kconfig"
> 
>  source "lib/Kconfig.kgdb"
> 
> +config STRICT_DEVMEM
> +	bool "Filter access to /dev/mem"
> +	depends on MMU
> +	depends on !SPARC
> +	default y if TILE || PPC || S390

I wouldn't mind if you would remove s390 from this list.

Re: [PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Heiko Carstens]

On Sat, Nov 21, 2015 at 07:57:02PM -0800, Dan Williams wrote:
> Let all the archs that implement CONFIG_STRICT_DEVM use a common
> definition in lib/Kconfig.debug.
> 
> Note, the 'depends on !SPARC' is due to sparc not implementing
> devmem_is_allowed().
> 
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Russell King <linux@arm.linux.org.uk>
> Cc: Catalin Marinas <catalin.marinas@arm.com>
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
> Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Ingo Molnar <mingo@redhat.com>
> Cc: "H. Peter Anvin" <hpa@zytor.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: "David S. Miller" <davem@davemloft.net>
> Suggested-by: Arnd Bergmann <arnd@arndb.de>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> ---
>  arch/arm/Kconfig.debug       |   14 --------------
>  arch/arm64/Kconfig.debug     |   14 --------------
>  arch/powerpc/Kconfig.debug   |   12 ------------
>  arch/s390/Kconfig.debug      |   12 ------------
>  arch/tile/Kconfig            |    3 ---
>  arch/unicore32/Kconfig.debug |   14 --------------
>  arch/x86/Kconfig.debug       |   17 -----------------
>  lib/Kconfig.debug            |   19 +++++++++++++++++++
>  8 files changed, 19 insertions(+), 86 deletions(-)

For s390

Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>

> diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
> index 8c15b29d5adc..ad85145d0047 100644
> --- a/lib/Kconfig.debug
> +++ b/lib/Kconfig.debug
> @@ -1853,3 +1853,22 @@ source "samples/Kconfig"
> 
>  source "lib/Kconfig.kgdb"
> 
> +config STRICT_DEVMEM
> +	bool "Filter access to /dev/mem"
> +	depends on MMU
> +	depends on !SPARC
> +	default y if TILE || PPC || S390

I wouldn't mind if you would remove s390 from this list.

[PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Heiko Carstens]

On Sat, Nov 21, 2015 at 07:57:02PM -0800, Dan Williams wrote:
> Let all the archs that implement CONFIG_STRICT_DEVM use a common
> definition in lib/Kconfig.debug.
> 
> Note, the 'depends on !SPARC' is due to sparc not implementing
> devmem_is_allowed().
> 
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Russell King <linux@arm.linux.org.uk>
> Cc: Catalin Marinas <catalin.marinas@arm.com>
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
> Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: Ingo Molnar <mingo@redhat.com>
> Cc: "H. Peter Anvin" <hpa@zytor.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: "David S. Miller" <davem@davemloft.net>
> Suggested-by: Arnd Bergmann <arnd@arndb.de>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
> ---
>  arch/arm/Kconfig.debug       |   14 --------------
>  arch/arm64/Kconfig.debug     |   14 --------------
>  arch/powerpc/Kconfig.debug   |   12 ------------
>  arch/s390/Kconfig.debug      |   12 ------------
>  arch/tile/Kconfig            |    3 ---
>  arch/unicore32/Kconfig.debug |   14 --------------
>  arch/x86/Kconfig.debug       |   17 -----------------
>  lib/Kconfig.debug            |   19 +++++++++++++++++++
>  8 files changed, 19 insertions(+), 86 deletions(-)

For s390

Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>

> diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
> index 8c15b29d5adc..ad85145d0047 100644
> --- a/lib/Kconfig.debug
> +++ b/lib/Kconfig.debug
> @@ -1853,3 +1853,22 @@ source "samples/Kconfig"
> 
>  source "lib/Kconfig.kgdb"
> 
> +config STRICT_DEVMEM
> +	bool "Filter access to /dev/mem"
> +	depends on MMU
> +	depends on !SPARC
> +	default y if TILE || PPC || S390

I wouldn't mind if you would remove s390 from this list.

Re: [PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Catalin Marinas]

On Sat, Nov 21, 2015 at 07:57:02PM -0800, Dan Williams wrote:
> diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
> index 04fb73b973f1..e13c4bf84d9e 100644
> --- a/arch/arm64/Kconfig.debug
> +++ b/arch/arm64/Kconfig.debug
> @@ -14,20 +14,6 @@ config ARM64_PTDUMP
>  	  kernel.
>  	  If in doubt, say "N"
>  
> -config STRICT_DEVMEM
> -	bool "Filter access to /dev/mem"
> -	depends on MMU
> -	help
> -	  If this option is disabled, you allow userspace (root) access to all
> -	  of memory, including kernel and userspace memory. Accidental
> -	  access to this is obviously disastrous, but specific access can
> -	  be used by people debugging the kernel.
> -
> -	  If this option is switched on, the /dev/mem file only allows
> -	  userspace access to memory mapped peripherals.
> -
> -	  If in doubt, say Y.
> -
>  config PID_IN_CONTEXTIDR
>  	bool "Write the current PID to the CONTEXTIDR register"
>  	help

For arm64:

Acked-by: Catalin Marinas <catalin.marinas@arm.com>

Re: [PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Catalin Marinas]

On Sat, Nov 21, 2015 at 07:57:02PM -0800, Dan Williams wrote:
> diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
> index 04fb73b973f1..e13c4bf84d9e 100644
> --- a/arch/arm64/Kconfig.debug
> +++ b/arch/arm64/Kconfig.debug
> @@ -14,20 +14,6 @@ config ARM64_PTDUMP
>  	  kernel.
>  	  If in doubt, say "N"
>  
> -config STRICT_DEVMEM
> -	bool "Filter access to /dev/mem"
> -	depends on MMU
> -	help
> -	  If this option is disabled, you allow userspace (root) access to all
> -	  of memory, including kernel and userspace memory. Accidental
> -	  access to this is obviously disastrous, but specific access can
> -	  be used by people debugging the kernel.
> -
> -	  If this option is switched on, the /dev/mem file only allows
> -	  userspace access to memory mapped peripherals.
> -
> -	  If in doubt, say Y.
> -
>  config PID_IN_CONTEXTIDR
>  	bool "Write the current PID to the CONTEXTIDR register"
>  	help

For arm64:

Acked-by: Catalin Marinas <catalin.marinas@arm.com>

[PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Catalin Marinas]

On Sat, Nov 21, 2015 at 07:57:02PM -0800, Dan Williams wrote:
> diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
> index 04fb73b973f1..e13c4bf84d9e 100644
> --- a/arch/arm64/Kconfig.debug
> +++ b/arch/arm64/Kconfig.debug
> @@ -14,20 +14,6 @@ config ARM64_PTDUMP
>  	  kernel.
>  	  If in doubt, say "N"
>  
> -config STRICT_DEVMEM
> -	bool "Filter access to /dev/mem"
> -	depends on MMU
> -	help
> -	  If this option is disabled, you allow userspace (root) access to all
> -	  of memory, including kernel and userspace memory. Accidental
> -	  access to this is obviously disastrous, but specific access can
> -	  be used by people debugging the kernel.
> -
> -	  If this option is switched on, the /dev/mem file only allows
> -	  userspace access to memory mapped peripherals.
> -
> -	  If in doubt, say Y.
> -
>  config PID_IN_CONTEXTIDR
>  	bool "Write the current PID to the CONTEXTIDR register"
>  	help

For arm64:

Acked-by: Catalin Marinas <catalin.marinas@arm.com>

Re: [PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Dan Williams]

On Mon, Nov 23, 2015 at 1:53 AM, Heiko Carstens
<heiko.carstens@de.ibm.com> wrote:
> On Sat, Nov 21, 2015 at 07:57:02PM -0800, Dan Williams wrote:
>> Let all the archs that implement CONFIG_STRICT_DEVM use a common
>> definition in lib/Kconfig.debug.
>>
>> Note, the 'depends on !SPARC' is due to sparc not implementing
>> devmem_is_allowed().
>>
>> Cc: Kees Cook <keescook@chromium.org>
>> Cc: Russell King <linux@arm.linux.org.uk>
>> Cc: Catalin Marinas <catalin.marinas@arm.com>
>> Cc: Will Deacon <will.deacon@arm.com>
>> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
>> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
>> Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
>> Cc: Thomas Gleixner <tglx@linutronix.de>
>> Cc: Ingo Molnar <mingo@redhat.com>
>> Cc: "H. Peter Anvin" <hpa@zytor.com>
>> Cc: Andrew Morton <akpm@linux-foundation.org>
>> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> Cc: "David S. Miller" <davem@davemloft.net>
>> Suggested-by: Arnd Bergmann <arnd@arndb.de>
>> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
>> ---
>>  arch/arm/Kconfig.debug       |   14 --------------
>>  arch/arm64/Kconfig.debug     |   14 --------------
>>  arch/powerpc/Kconfig.debug   |   12 ------------
>>  arch/s390/Kconfig.debug      |   12 ------------
>>  arch/tile/Kconfig            |    3 ---
>>  arch/unicore32/Kconfig.debug |   14 --------------
>>  arch/x86/Kconfig.debug       |   17 -----------------
>>  lib/Kconfig.debug            |   19 +++++++++++++++++++
>>  8 files changed, 19 insertions(+), 86 deletions(-)
>
> For s390
>
> Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>
>
>> diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
>> index 8c15b29d5adc..ad85145d0047 100644
>> --- a/lib/Kconfig.debug
>> +++ b/lib/Kconfig.debug
>> @@ -1853,3 +1853,22 @@ source "samples/Kconfig"
>>
>>  source "lib/Kconfig.kgdb"
>>
>> +config STRICT_DEVMEM
>> +     bool "Filter access to /dev/mem"
>> +     depends on MMU
>> +     depends on !SPARC
>> +     default y if TILE || PPC || S390
>
> I wouldn't mind if you would remove s390 from this list.
>

Will do. Thanks.

Re: [PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Dan Williams]

On Mon, Nov 23, 2015 at 1:53 AM, Heiko Carstens
<heiko.carstens@de.ibm.com> wrote:
> On Sat, Nov 21, 2015 at 07:57:02PM -0800, Dan Williams wrote:
>> Let all the archs that implement CONFIG_STRICT_DEVM use a common
>> definition in lib/Kconfig.debug.
>>
>> Note, the 'depends on !SPARC' is due to sparc not implementing
>> devmem_is_allowed().
>>
>> Cc: Kees Cook <keescook@chromium.org>
>> Cc: Russell King <linux@arm.linux.org.uk>
>> Cc: Catalin Marinas <catalin.marinas@arm.com>
>> Cc: Will Deacon <will.deacon@arm.com>
>> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
>> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
>> Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
>> Cc: Thomas Gleixner <tglx@linutronix.de>
>> Cc: Ingo Molnar <mingo@redhat.com>
>> Cc: "H. Peter Anvin" <hpa@zytor.com>
>> Cc: Andrew Morton <akpm@linux-foundation.org>
>> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> Cc: "David S. Miller" <davem@davemloft.net>
>> Suggested-by: Arnd Bergmann <arnd@arndb.de>
>> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
>> ---
>>  arch/arm/Kconfig.debug       |   14 --------------
>>  arch/arm64/Kconfig.debug     |   14 --------------
>>  arch/powerpc/Kconfig.debug   |   12 ------------
>>  arch/s390/Kconfig.debug      |   12 ------------
>>  arch/tile/Kconfig            |    3 ---
>>  arch/unicore32/Kconfig.debug |   14 --------------
>>  arch/x86/Kconfig.debug       |   17 -----------------
>>  lib/Kconfig.debug            |   19 +++++++++++++++++++
>>  8 files changed, 19 insertions(+), 86 deletions(-)
>
> For s390
>
> Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>
>
>> diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
>> index 8c15b29d5adc..ad85145d0047 100644
>> --- a/lib/Kconfig.debug
>> +++ b/lib/Kconfig.debug
>> @@ -1853,3 +1853,22 @@ source "samples/Kconfig"
>>
>>  source "lib/Kconfig.kgdb"
>>
>> +config STRICT_DEVMEM
>> +     bool "Filter access to /dev/mem"
>> +     depends on MMU
>> +     depends on !SPARC
>> +     default y if TILE || PPC || S390
>
> I wouldn't mind if you would remove s390 from this list.
>

Will do. Thanks.

[PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Dan Williams]

On Mon, Nov 23, 2015 at 1:53 AM, Heiko Carstens
<heiko.carstens@de.ibm.com> wrote:
> On Sat, Nov 21, 2015 at 07:57:02PM -0800, Dan Williams wrote:
>> Let all the archs that implement CONFIG_STRICT_DEVM use a common
>> definition in lib/Kconfig.debug.
>>
>> Note, the 'depends on !SPARC' is due to sparc not implementing
>> devmem_is_allowed().
>>
>> Cc: Kees Cook <keescook@chromium.org>
>> Cc: Russell King <linux@arm.linux.org.uk>
>> Cc: Catalin Marinas <catalin.marinas@arm.com>
>> Cc: Will Deacon <will.deacon@arm.com>
>> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
>> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
>> Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
>> Cc: Thomas Gleixner <tglx@linutronix.de>
>> Cc: Ingo Molnar <mingo@redhat.com>
>> Cc: "H. Peter Anvin" <hpa@zytor.com>
>> Cc: Andrew Morton <akpm@linux-foundation.org>
>> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> Cc: "David S. Miller" <davem@davemloft.net>
>> Suggested-by: Arnd Bergmann <arnd@arndb.de>
>> Signed-off-by: Dan Williams <dan.j.williams@intel.com>
>> ---
>>  arch/arm/Kconfig.debug       |   14 --------------
>>  arch/arm64/Kconfig.debug     |   14 --------------
>>  arch/powerpc/Kconfig.debug   |   12 ------------
>>  arch/s390/Kconfig.debug      |   12 ------------
>>  arch/tile/Kconfig            |    3 ---
>>  arch/unicore32/Kconfig.debug |   14 --------------
>>  arch/x86/Kconfig.debug       |   17 -----------------
>>  lib/Kconfig.debug            |   19 +++++++++++++++++++
>>  8 files changed, 19 insertions(+), 86 deletions(-)
>
> For s390
>
> Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com>
>
>> diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
>> index 8c15b29d5adc..ad85145d0047 100644
>> --- a/lib/Kconfig.debug
>> +++ b/lib/Kconfig.debug
>> @@ -1853,3 +1853,22 @@ source "samples/Kconfig"
>>
>>  source "lib/Kconfig.kgdb"
>>
>> +config STRICT_DEVMEM
>> +     bool "Filter access to /dev/mem"
>> +     depends on MMU
>> +     depends on !SPARC
>> +     default y if TILE || PPC || S390
>
> I wouldn't mind if you would remove s390 from this list.
>

Will do. Thanks.

Re: [PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Dan Williams]

On Mon, Nov 23, 2015 at 12:12 AM, Ingo Molnar <mingo@kernel.org> wrote:
>
> * Dan Williams <dan.j.williams@intel.com> wrote:
>
>> Let all the archs that implement CONFIG_STRICT_DEVM use a common
>> definition in lib/Kconfig.debug.
>
> For the x86 bit:
>
> Acked-by: Ingo Molnar <mingo@kernel.org>
>
>> Note, the 'depends on !SPARC' is due to sparc not implementing
>> devmem_is_allowed().
>
> Maybe that should be converted into a helper Kconfig switch for architectures to
> opt in to /dev/mem restrictions?

Sure, easy enough to add a ARCH_HAS_DEVMEM_IS_ALLOWED opt-in.

Re: [PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Dan Williams]

On Mon, Nov 23, 2015 at 12:12 AM, Ingo Molnar <mingo@kernel.org> wrote:
>
> * Dan Williams <dan.j.williams@intel.com> wrote:
>
>> Let all the archs that implement CONFIG_STRICT_DEVM use a common
>> definition in lib/Kconfig.debug.
>
> For the x86 bit:
>
> Acked-by: Ingo Molnar <mingo@kernel.org>
>
>> Note, the 'depends on !SPARC' is due to sparc not implementing
>> devmem_is_allowed().
>
> Maybe that should be converted into a helper Kconfig switch for architectures to
> opt in to /dev/mem restrictions?

Sure, easy enough to add a ARCH_HAS_DEVMEM_IS_ALLOWED opt-in.

[PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Dan Williams]

On Mon, Nov 23, 2015 at 12:12 AM, Ingo Molnar <mingo@kernel.org> wrote:
>
> * Dan Williams <dan.j.williams@intel.com> wrote:
>
>> Let all the archs that implement CONFIG_STRICT_DEVM use a common
>> definition in lib/Kconfig.debug.
>
> For the x86 bit:
>
> Acked-by: Ingo Molnar <mingo@kernel.org>
>
>> Note, the 'depends on !SPARC' is due to sparc not implementing
>> devmem_is_allowed().
>
> Maybe that should be converted into a helper Kconfig switch for architectures to
> opt in to /dev/mem restrictions?

Sure, easy enough to add a ARCH_HAS_DEVMEM_IS_ALLOWED opt-in.

Re: [PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Kees Cook]

On Mon, Nov 23, 2015 at 9:12 AM, Dan Williams <dan.j.williams@intel.com> wrote:
> On Mon, Nov 23, 2015 at 12:12 AM, Ingo Molnar <mingo@kernel.org> wrote:
>>
>> * Dan Williams <dan.j.williams@intel.com> wrote:
>>
>>> Let all the archs that implement CONFIG_STRICT_DEVM use a common
>>> definition in lib/Kconfig.debug.
>>
>> For the x86 bit:
>>
>> Acked-by: Ingo Molnar <mingo@kernel.org>
>>
>>> Note, the 'depends on !SPARC' is due to sparc not implementing
>>> devmem_is_allowed().
>>
>> Maybe that should be converted into a helper Kconfig switch for architectures to
>> opt in to /dev/mem restrictions?
>
> Sure, easy enough to add a ARCH_HAS_DEVMEM_IS_ALLOWED opt-in.

Is there some hidden meaning about the difference between ARCH_HAS_...
and HAVE_ARCH_... and HAVE_... ?

-Kees

-- 
Kees Cook
Chrome OS Security

Re: [PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Kees Cook]

On Mon, Nov 23, 2015 at 9:12 AM, Dan Williams <dan.j.williams@intel.com> wrote:
> On Mon, Nov 23, 2015 at 12:12 AM, Ingo Molnar <mingo@kernel.org> wrote:
>>
>> * Dan Williams <dan.j.williams@intel.com> wrote:
>>
>>> Let all the archs that implement CONFIG_STRICT_DEVM use a common
>>> definition in lib/Kconfig.debug.
>>
>> For the x86 bit:
>>
>> Acked-by: Ingo Molnar <mingo@kernel.org>
>>
>>> Note, the 'depends on !SPARC' is due to sparc not implementing
>>> devmem_is_allowed().
>>
>> Maybe that should be converted into a helper Kconfig switch for architectures to
>> opt in to /dev/mem restrictions?
>
> Sure, easy enough to add a ARCH_HAS_DEVMEM_IS_ALLOWED opt-in.

Is there some hidden meaning about the difference between ARCH_HAS_...
and HAVE_ARCH_... and HAVE_... ?

-Kees

-- 
Kees Cook
Chrome OS Security

[PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Kees Cook]

On Mon, Nov 23, 2015 at 9:12 AM, Dan Williams <dan.j.williams@intel.com> wrote:
> On Mon, Nov 23, 2015 at 12:12 AM, Ingo Molnar <mingo@kernel.org> wrote:
>>
>> * Dan Williams <dan.j.williams@intel.com> wrote:
>>
>>> Let all the archs that implement CONFIG_STRICT_DEVM use a common
>>> definition in lib/Kconfig.debug.
>>
>> For the x86 bit:
>>
>> Acked-by: Ingo Molnar <mingo@kernel.org>
>>
>>> Note, the 'depends on !SPARC' is due to sparc not implementing
>>> devmem_is_allowed().
>>
>> Maybe that should be converted into a helper Kconfig switch for architectures to
>> opt in to /dev/mem restrictions?
>
> Sure, easy enough to add a ARCH_HAS_DEVMEM_IS_ALLOWED opt-in.

Is there some hidden meaning about the difference between ARCH_HAS_...
and HAVE_ARCH_... and HAVE_... ?

-Kees

-- 
Kees Cook
Chrome OS Security

Re: [PATCH 2/2] restrict /dev/mem to idle io memory ranges

[Kees Cook]

On Sat, Nov 21, 2015 at 7:57 PM, Dan Williams <dan.j.williams@intel.com> wrote:
> This effectively promotes IORESOURCE_BUSY to IORESOURCE_EXCLUSIVE
> semantics by default.  If userspace really believes it is safe to access
> the memory region it can also perform the extra step of disabling an
> active driver.  This protects device address ranges with read side
> effects and otherwise directs userspace to use the driver.
>
> Persistent memory presents a large "mistake surface" to /dev/mem as now
> accidental writes can corrupt a filesystem.
>
> Cc: Arnd Bergmann <arnd@arndb.de>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Russell King <linux@arm.linux.org.uk>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>

Acked-by: Kees Cook <keescook@chromium.org>

Thanks!

-Kees

> ---
>  kernel/resource.c |    3 +++
>  lib/Kconfig.debug |   23 ++++++++++++++++++++---
>  2 files changed, 23 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/resource.c b/kernel/resource.c
> index f150dbbe6f62..03a8b09f68a8 100644
> --- a/kernel/resource.c
> +++ b/kernel/resource.c
> @@ -1498,6 +1498,9 @@ int iomem_is_exclusive(u64 addr)
>                         break;
>                 if (p->end < addr)
>                         continue;
> +               if (IS_ENABLED(CONFIG_IO_STRICT_DEVMEM)
> +                               && p->flags & IORESOURCE_BUSY)
> +                       break;
>                 if (p->flags & IORESOURCE_BUSY &&
>                      p->flags & IORESOURCE_EXCLUSIVE) {
>                         err = 1;
> diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
> index ad85145d0047..be47f99fb191 100644
> --- a/lib/Kconfig.debug
> +++ b/lib/Kconfig.debug
> @@ -1866,9 +1866,26 @@ config STRICT_DEVMEM
>           enabled, even in this case there are restrictions on /dev/mem
>           use due to the cache aliasing requirements.
>
> +         If this option is switched on, and IO_STRICT_DEVMEM=n, the /dev/mem
> +         file only allows userspace access to PCI space and the BIOS code and
> +         data regions.  This is sufficient for dosemu and X and all common
> +         users of /dev/mem.
> +
> +         If in doubt, say Y.
> +
> +config IO_STRICT_DEVMEM
> +       bool "Filter I/O access to /dev/mem"
> +       depends on STRICT_DEVMEM
> +       default STRICT_DEVMEM
> +       ---help---
> +         If this option is disabled, you allow userspace (root) access to all
> +         io-memory regardless of whether a driver is actively using that
> +         range.  Accidental access to this is obviously disastrous, but
> +         specific access can be used by people debugging kernel drivers.
> +
>           If this option is switched on, the /dev/mem file only allows
> -         userspace access to PCI space and the BIOS code and data regions.
> -         This is sufficient for dosemu and X and all common users of
> -         /dev/mem.
> +         userspace access to *idle* io-memory ranges (see /proc/iomem) This
> +         may break traditional users of /dev/mem (dosemu, legacy X, etc...)
> +         if the driver using a given range cannot be disabled.
>
>           If in doubt, say Y.
>



-- 
Kees Cook
Chrome OS Security

Re: [PATCH 2/2] restrict /dev/mem to idle io memory ranges

[Kees Cook]

On Sat, Nov 21, 2015 at 7:57 PM, Dan Williams <dan.j.williams@intel.com> wrote:
> This effectively promotes IORESOURCE_BUSY to IORESOURCE_EXCLUSIVE
> semantics by default.  If userspace really believes it is safe to access
> the memory region it can also perform the extra step of disabling an
> active driver.  This protects device address ranges with read side
> effects and otherwise directs userspace to use the driver.
>
> Persistent memory presents a large "mistake surface" to /dev/mem as now
> accidental writes can corrupt a filesystem.
>
> Cc: Arnd Bergmann <arnd@arndb.de>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Russell King <linux@arm.linux.org.uk>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>

Acked-by: Kees Cook <keescook@chromium.org>

Thanks!

-Kees

> ---
>  kernel/resource.c |    3 +++
>  lib/Kconfig.debug |   23 ++++++++++++++++++++---
>  2 files changed, 23 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/resource.c b/kernel/resource.c
> index f150dbbe6f62..03a8b09f68a8 100644
> --- a/kernel/resource.c
> +++ b/kernel/resource.c
> @@ -1498,6 +1498,9 @@ int iomem_is_exclusive(u64 addr)
>                         break;
>                 if (p->end < addr)
>                         continue;
> +               if (IS_ENABLED(CONFIG_IO_STRICT_DEVMEM)
> +                               && p->flags & IORESOURCE_BUSY)
> +                       break;
>                 if (p->flags & IORESOURCE_BUSY &&
>                      p->flags & IORESOURCE_EXCLUSIVE) {
>                         err = 1;
> diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
> index ad85145d0047..be47f99fb191 100644
> --- a/lib/Kconfig.debug
> +++ b/lib/Kconfig.debug
> @@ -1866,9 +1866,26 @@ config STRICT_DEVMEM
>           enabled, even in this case there are restrictions on /dev/mem
>           use due to the cache aliasing requirements.
>
> +         If this option is switched on, and IO_STRICT_DEVMEM=n, the /dev/mem
> +         file only allows userspace access to PCI space and the BIOS code and
> +         data regions.  This is sufficient for dosemu and X and all common
> +         users of /dev/mem.
> +
> +         If in doubt, say Y.
> +
> +config IO_STRICT_DEVMEM
> +       bool "Filter I/O access to /dev/mem"
> +       depends on STRICT_DEVMEM
> +       default STRICT_DEVMEM
> +       ---help---
> +         If this option is disabled, you allow userspace (root) access to all
> +         io-memory regardless of whether a driver is actively using that
> +         range.  Accidental access to this is obviously disastrous, but
> +         specific access can be used by people debugging kernel drivers.
> +
>           If this option is switched on, the /dev/mem file only allows
> -         userspace access to PCI space and the BIOS code and data regions.
> -         This is sufficient for dosemu and X and all common users of
> -         /dev/mem.
> +         userspace access to *idle* io-memory ranges (see /proc/iomem) This
> +         may break traditional users of /dev/mem (dosemu, legacy X, etc...)
> +         if the driver using a given range cannot be disabled.
>
>           If in doubt, say Y.
>



-- 
Kees Cook
Chrome OS Security

[PATCH 2/2] restrict /dev/mem to idle io memory ranges

[Kees Cook]

On Sat, Nov 21, 2015 at 7:57 PM, Dan Williams <dan.j.williams@intel.com> wrote:
> This effectively promotes IORESOURCE_BUSY to IORESOURCE_EXCLUSIVE
> semantics by default.  If userspace really believes it is safe to access
> the memory region it can also perform the extra step of disabling an
> active driver.  This protects device address ranges with read side
> effects and otherwise directs userspace to use the driver.
>
> Persistent memory presents a large "mistake surface" to /dev/mem as now
> accidental writes can corrupt a filesystem.
>
> Cc: Arnd Bergmann <arnd@arndb.de>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Russell King <linux@arm.linux.org.uk>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Signed-off-by: Dan Williams <dan.j.williams@intel.com>

Acked-by: Kees Cook <keescook@chromium.org>

Thanks!

-Kees

> ---
>  kernel/resource.c |    3 +++
>  lib/Kconfig.debug |   23 ++++++++++++++++++++---
>  2 files changed, 23 insertions(+), 3 deletions(-)
>
> diff --git a/kernel/resource.c b/kernel/resource.c
> index f150dbbe6f62..03a8b09f68a8 100644
> --- a/kernel/resource.c
> +++ b/kernel/resource.c
> @@ -1498,6 +1498,9 @@ int iomem_is_exclusive(u64 addr)
>                         break;
>                 if (p->end < addr)
>                         continue;
> +               if (IS_ENABLED(CONFIG_IO_STRICT_DEVMEM)
> +                               && p->flags & IORESOURCE_BUSY)
> +                       break;
>                 if (p->flags & IORESOURCE_BUSY &&
>                      p->flags & IORESOURCE_EXCLUSIVE) {
>                         err = 1;
> diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
> index ad85145d0047..be47f99fb191 100644
> --- a/lib/Kconfig.debug
> +++ b/lib/Kconfig.debug
> @@ -1866,9 +1866,26 @@ config STRICT_DEVMEM
>           enabled, even in this case there are restrictions on /dev/mem
>           use due to the cache aliasing requirements.
>
> +         If this option is switched on, and IO_STRICT_DEVMEM=n, the /dev/mem
> +         file only allows userspace access to PCI space and the BIOS code and
> +         data regions.  This is sufficient for dosemu and X and all common
> +         users of /dev/mem.
> +
> +         If in doubt, say Y.
> +
> +config IO_STRICT_DEVMEM
> +       bool "Filter I/O access to /dev/mem"
> +       depends on STRICT_DEVMEM
> +       default STRICT_DEVMEM
> +       ---help---
> +         If this option is disabled, you allow userspace (root) access to all
> +         io-memory regardless of whether a driver is actively using that
> +         range.  Accidental access to this is obviously disastrous, but
> +         specific access can be used by people debugging kernel drivers.
> +
>           If this option is switched on, the /dev/mem file only allows
> -         userspace access to PCI space and the BIOS code and data regions.
> -         This is sufficient for dosemu and X and all common users of
> -         /dev/mem.
> +         userspace access to *idle* io-memory ranges (see /proc/iomem) This
> +         may break traditional users of /dev/mem (dosemu, legacy X, etc...)
> +         if the driver using a given range cannot be disabled.
>
>           If in doubt, say Y.
>



-- 
Kees Cook
Chrome OS Security

Re: [PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Ingo Molnar]

* Kees Cook <keescook@chromium.org> wrote:

> On Mon, Nov 23, 2015 at 9:12 AM, Dan Williams <dan.j.williams@intel.com> wrote:
> > On Mon, Nov 23, 2015 at 12:12 AM, Ingo Molnar <mingo@kernel.org> wrote:
> >>
> >> * Dan Williams <dan.j.williams@intel.com> wrote:
> >>
> >>> Let all the archs that implement CONFIG_STRICT_DEVM use a common
> >>> definition in lib/Kconfig.debug.
> >>
> >> For the x86 bit:
> >>
> >> Acked-by: Ingo Molnar <mingo@kernel.org>
> >>
> >>> Note, the 'depends on !SPARC' is due to sparc not implementing
> >>> devmem_is_allowed().
> >>
> >> Maybe that should be converted into a helper Kconfig switch for architectures to
> >> opt in to /dev/mem restrictions?
> >
> > Sure, easy enough to add a ARCH_HAS_DEVMEM_IS_ALLOWED opt-in.
> 
> Is there some hidden meaning about the difference between ARCH_HAS_...
> and HAVE_ARCH_... and HAVE_... ?

There's also the double underscore variants such as __HAVE_ARCH_STRNCASECMP! ;-)

It's all just nonsensical historic muck: because no-one ever was confronted with 
the messy global picture.

Today you can run Documentation/features/list-arch.sh and wonder at the zoo of 
options ;-)

Thanks,

	Ingo

Re: [PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Ingo Molnar]

* Kees Cook <keescook@chromium.org> wrote:

> On Mon, Nov 23, 2015 at 9:12 AM, Dan Williams <dan.j.williams@intel.com> wrote:
> > On Mon, Nov 23, 2015 at 12:12 AM, Ingo Molnar <mingo@kernel.org> wrote:
> >>
> >> * Dan Williams <dan.j.williams@intel.com> wrote:
> >>
> >>> Let all the archs that implement CONFIG_STRICT_DEVM use a common
> >>> definition in lib/Kconfig.debug.
> >>
> >> For the x86 bit:
> >>
> >> Acked-by: Ingo Molnar <mingo@kernel.org>
> >>
> >>> Note, the 'depends on !SPARC' is due to sparc not implementing
> >>> devmem_is_allowed().
> >>
> >> Maybe that should be converted into a helper Kconfig switch for architectures to
> >> opt in to /dev/mem restrictions?
> >
> > Sure, easy enough to add a ARCH_HAS_DEVMEM_IS_ALLOWED opt-in.
> 
> Is there some hidden meaning about the difference between ARCH_HAS_...
> and HAVE_ARCH_... and HAVE_... ?

There's also the double underscore variants such as __HAVE_ARCH_STRNCASECMP! ;-)

It's all just nonsensical historic muck: because no-one ever was confronted with 
the messy global picture.

Today you can run Documentation/features/list-arch.sh and wonder at the zoo of 
options ;-)

Thanks,

	Ingo

[PATCH 1/2] arch: consolidate CONFIG_STRICT_DEVM in lib/Kconfig.debug

[Ingo Molnar]

* Kees Cook <keescook@chromium.org> wrote:

> On Mon, Nov 23, 2015 at 9:12 AM, Dan Williams <dan.j.williams@intel.com> wrote:
> > On Mon, Nov 23, 2015 at 12:12 AM, Ingo Molnar <mingo@kernel.org> wrote:
> >>
> >> * Dan Williams <dan.j.williams@intel.com> wrote:
> >>
> >>> Let all the archs that implement CONFIG_STRICT_DEVM use a common
> >>> definition in lib/Kconfig.debug.
> >>
> >> For the x86 bit:
> >>
> >> Acked-by: Ingo Molnar <mingo@kernel.org>
> >>
> >>> Note, the 'depends on !SPARC' is due to sparc not implementing
> >>> devmem_is_allowed().
> >>
> >> Maybe that should be converted into a helper Kconfig switch for architectures to
> >> opt in to /dev/mem restrictions?
> >
> > Sure, easy enough to add a ARCH_HAS_DEVMEM_IS_ALLOWED opt-in.
> 
> Is there some hidden meaning about the difference between ARCH_HAS_...
> and HAVE_ARCH_... and HAVE_... ?

There's also the double underscore variants such as __HAVE_ARCH_STRNCASECMP! ;-)

It's all just nonsensical historic muck: because no-one ever was confronted with 
the messy global picture.

Today you can run Documentation/features/list-arch.sh and wonder at the zoo of 
options ;-)

Thanks,

	Ingo