From: Michael Ellerman <mpe@ellerman.id.au>
To: Jann Horn <jannh@google.com>,
Christoph Hellwig <hch@infradead.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
linuxppc-dev@lists.ozlabs.org
Cc: "David S. Miller" <davem@davemloft.net>,
sparclinux@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
Linux-MM <linux-mm@kvack.org>,
kernel list <linux-kernel@vger.kernel.org>,
Khalid Aziz <khalid.aziz@oracle.com>,
Anthony Yznaga <anthony.yznaga@oracle.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>,
Linux ARM <linux-arm-kernel@lists.infradead.org>,
Dave Kleikamp <shaggy@linux.vnet.ibm.com>
Subject: Re: [PATCH 1/2] mm/mprotect: Call arch_validate_prot under mmap_lock and with length
Date: Thu, 08 Oct 2020 21:34:26 +1100 [thread overview]
Message-ID: <87o8ld0zwt.fsf@mpe.ellerman.id.au> (raw)
In-Reply-To: <CAG48ez3kjTeVtQcjQerYYRs7sX5qq3O7SU-FEaYLNXisFmAeOg@mail.gmail.com>
Jann Horn <jannh@google.com> writes:
> On Wed, Oct 7, 2020 at 2:35 PM Christoph Hellwig <hch@infradead.org> wrote:
>> On Wed, Oct 07, 2020 at 09:39:31AM +0200, Jann Horn wrote:
>> > diff --git a/arch/powerpc/kernel/syscalls.c b/arch/powerpc/kernel/syscalls.c
>> > index 078608ec2e92..b1fabb97d138 100644
>> > --- a/arch/powerpc/kernel/syscalls.c
>> > +++ b/arch/powerpc/kernel/syscalls.c
>> > @@ -43,7 +43,7 @@ static inline long do_mmap2(unsigned long addr, size_t len,
>> > {
>> > long ret = -EINVAL;
>> >
>> > - if (!arch_validate_prot(prot, addr))
>> > + if (!arch_validate_prot(prot, addr, len))
>>
>> This call isn't under mmap lock. I also find it rather weird as the
>> generic code only calls arch_validate_prot from mprotect, only powerpc
>> also calls it from mmap.
>>
>> This seems to go back to commit ef3d3246a0d0
>> ("powerpc/mm: Add Strong Access Ordering support")
>
> I'm _guessing_ the idea in the generic case might be that mmap()
> doesn't check unknown bits in the protection flags, and therefore
> maybe people wanted to avoid adding new error cases that could be
> caused by random high bits being set?
I suspect it's just that when we added it we updated our do_mmap2() and
didn't touch the generic version because we didn't need to. ie. it's not
intentional it's just a buglet.
I think this is the original submission:
https://lore.kernel.org/linuxppc-dev/20080610220055.10257.84465.sendpatchset@norville.austin.ibm.com/
Which only calls arch_validate_prot() from mprotect and the powerpc
code, and there was no discussion about adding it elsewhere.
> So while the mprotect() case
> checks the flags and refuses unknown values, the mmap() code just lets
> the architecture figure out which bits are actually valid to set (via
> arch_calc_vm_prot_bits()) and silently ignores the rest?
>
> And powerpc apparently decided that they do want to error out on bogus
> prot values passed to their version of mmap(), and in exchange, assume
> in arch_calc_vm_prot_bits() that the protection bits are valid?
I don't think we really decided that, it just happened by accident and
no one noticed/complained.
Seems userspace is pretty well behaved when it comes to passing prot
values to mmap().
> powerpc's arch_validate_prot() doesn't actually need the mmap lock, so
> I think this is fine-ish for now (as in, while the code is a bit
> unclean, I don't think I'm making it worse, and I don't think it's
> actually buggy). In theory, we could move the arch_validate_prot()
> call over into the mmap guts, where we're holding the lock, and gate
> it on the architecture or on some feature CONFIG that powerpc can
> activate in its Kconfig. But I'm not sure whether that'd be helping or
> making things worse, so when I sent this patch, I deliberately left
> the powerpc stuff as-is.
I think what you've done is fine, and anything more elaborate is not
worth the effort.
cheers
WARNING: multiple messages have this Message-ID (diff)
From: Michael Ellerman <mpe@ellerman.id.au>
To: Jann Horn <jannh@google.com>,
Christoph Hellwig <hch@infradead.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
linuxppc-dev@lists.ozlabs.org
Cc: Dave Kleikamp <shaggy@linux.vnet.ibm.com>,
Catalin Marinas <catalin.marinas@arm.com>,
kernel list <linux-kernel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
Khalid Aziz <khalid.aziz@oracle.com>,
sparclinux@vger.kernel.org,
Anthony Yznaga <anthony.yznaga@oracle.com>,
Andrew Morton <akpm@linux-foundation.org>,
Will Deacon <will@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Linux ARM <linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH 1/2] mm/mprotect: Call arch_validate_prot under mmap_lock and with length
Date: Thu, 08 Oct 2020 10:34:26 +0000 [thread overview]
Message-ID: <87o8ld0zwt.fsf@mpe.ellerman.id.au> (raw)
In-Reply-To: <CAG48ez3kjTeVtQcjQerYYRs7sX5qq3O7SU-FEaYLNXisFmAeOg@mail.gmail.com>
Jann Horn <jannh@google.com> writes:
> On Wed, Oct 7, 2020 at 2:35 PM Christoph Hellwig <hch@infradead.org> wrote:
>> On Wed, Oct 07, 2020 at 09:39:31AM +0200, Jann Horn wrote:
>> > diff --git a/arch/powerpc/kernel/syscalls.c b/arch/powerpc/kernel/syscalls.c
>> > index 078608ec2e92..b1fabb97d138 100644
>> > --- a/arch/powerpc/kernel/syscalls.c
>> > +++ b/arch/powerpc/kernel/syscalls.c
>> > @@ -43,7 +43,7 @@ static inline long do_mmap2(unsigned long addr, size_t len,
>> > {
>> > long ret = -EINVAL;
>> >
>> > - if (!arch_validate_prot(prot, addr))
>> > + if (!arch_validate_prot(prot, addr, len))
>>
>> This call isn't under mmap lock. I also find it rather weird as the
>> generic code only calls arch_validate_prot from mprotect, only powerpc
>> also calls it from mmap.
>>
>> This seems to go back to commit ef3d3246a0d0
>> ("powerpc/mm: Add Strong Access Ordering support")
>
> I'm _guessing_ the idea in the generic case might be that mmap()
> doesn't check unknown bits in the protection flags, and therefore
> maybe people wanted to avoid adding new error cases that could be
> caused by random high bits being set?
I suspect it's just that when we added it we updated our do_mmap2() and
didn't touch the generic version because we didn't need to. ie. it's not
intentional it's just a buglet.
I think this is the original submission:
https://lore.kernel.org/linuxppc-dev/20080610220055.10257.84465.sendpatchset@norville.austin.ibm.com/
Which only calls arch_validate_prot() from mprotect and the powerpc
code, and there was no discussion about adding it elsewhere.
> So while the mprotect() case
> checks the flags and refuses unknown values, the mmap() code just lets
> the architecture figure out which bits are actually valid to set (via
> arch_calc_vm_prot_bits()) and silently ignores the rest?
>
> And powerpc apparently decided that they do want to error out on bogus
> prot values passed to their version of mmap(), and in exchange, assume
> in arch_calc_vm_prot_bits() that the protection bits are valid?
I don't think we really decided that, it just happened by accident and
no one noticed/complained.
Seems userspace is pretty well behaved when it comes to passing prot
values to mmap().
> powerpc's arch_validate_prot() doesn't actually need the mmap lock, so
> I think this is fine-ish for now (as in, while the code is a bit
> unclean, I don't think I'm making it worse, and I don't think it's
> actually buggy). In theory, we could move the arch_validate_prot()
> call over into the mmap guts, where we're holding the lock, and gate
> it on the architecture or on some feature CONFIG that powerpc can
> activate in its Kconfig. But I'm not sure whether that'd be helping or
> making things worse, so when I sent this patch, I deliberately left
> the powerpc stuff as-is.
I think what you've done is fine, and anything more elaborate is not
worth the effort.
cheers
WARNING: multiple messages have this Message-ID (diff)
From: Michael Ellerman <mpe@ellerman.id.au>
To: Jann Horn <jannh@google.com>,
Christoph Hellwig <hch@infradead.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
linuxppc-dev@lists.ozlabs.org
Cc: Dave Kleikamp <shaggy@linux.vnet.ibm.com>,
Catalin Marinas <catalin.marinas@arm.com>,
kernel list <linux-kernel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
Khalid Aziz <khalid.aziz@oracle.com>,
sparclinux@vger.kernel.org,
Anthony Yznaga <anthony.yznaga@oracle.com>,
Andrew Morton <akpm@linux-foundation.org>,
Will Deacon <will@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Linux ARM <linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH 1/2] mm/mprotect: Call arch_validate_prot under mmap_lock and with length
Date: Thu, 08 Oct 2020 21:34:26 +1100 [thread overview]
Message-ID: <87o8ld0zwt.fsf@mpe.ellerman.id.au> (raw)
In-Reply-To: <CAG48ez3kjTeVtQcjQerYYRs7sX5qq3O7SU-FEaYLNXisFmAeOg@mail.gmail.com>
Jann Horn <jannh@google.com> writes:
> On Wed, Oct 7, 2020 at 2:35 PM Christoph Hellwig <hch@infradead.org> wrote:
>> On Wed, Oct 07, 2020 at 09:39:31AM +0200, Jann Horn wrote:
>> > diff --git a/arch/powerpc/kernel/syscalls.c b/arch/powerpc/kernel/syscalls.c
>> > index 078608ec2e92..b1fabb97d138 100644
>> > --- a/arch/powerpc/kernel/syscalls.c
>> > +++ b/arch/powerpc/kernel/syscalls.c
>> > @@ -43,7 +43,7 @@ static inline long do_mmap2(unsigned long addr, size_t len,
>> > {
>> > long ret = -EINVAL;
>> >
>> > - if (!arch_validate_prot(prot, addr))
>> > + if (!arch_validate_prot(prot, addr, len))
>>
>> This call isn't under mmap lock. I also find it rather weird as the
>> generic code only calls arch_validate_prot from mprotect, only powerpc
>> also calls it from mmap.
>>
>> This seems to go back to commit ef3d3246a0d0
>> ("powerpc/mm: Add Strong Access Ordering support")
>
> I'm _guessing_ the idea in the generic case might be that mmap()
> doesn't check unknown bits in the protection flags, and therefore
> maybe people wanted to avoid adding new error cases that could be
> caused by random high bits being set?
I suspect it's just that when we added it we updated our do_mmap2() and
didn't touch the generic version because we didn't need to. ie. it's not
intentional it's just a buglet.
I think this is the original submission:
https://lore.kernel.org/linuxppc-dev/20080610220055.10257.84465.sendpatchset@norville.austin.ibm.com/
Which only calls arch_validate_prot() from mprotect and the powerpc
code, and there was no discussion about adding it elsewhere.
> So while the mprotect() case
> checks the flags and refuses unknown values, the mmap() code just lets
> the architecture figure out which bits are actually valid to set (via
> arch_calc_vm_prot_bits()) and silently ignores the rest?
>
> And powerpc apparently decided that they do want to error out on bogus
> prot values passed to their version of mmap(), and in exchange, assume
> in arch_calc_vm_prot_bits() that the protection bits are valid?
I don't think we really decided that, it just happened by accident and
no one noticed/complained.
Seems userspace is pretty well behaved when it comes to passing prot
values to mmap().
> powerpc's arch_validate_prot() doesn't actually need the mmap lock, so
> I think this is fine-ish for now (as in, while the code is a bit
> unclean, I don't think I'm making it worse, and I don't think it's
> actually buggy). In theory, we could move the arch_validate_prot()
> call over into the mmap guts, where we're holding the lock, and gate
> it on the architecture or on some feature CONFIG that powerpc can
> activate in its Kconfig. But I'm not sure whether that'd be helping or
> making things worse, so when I sent this patch, I deliberately left
> the powerpc stuff as-is.
I think what you've done is fine, and anything more elaborate is not
worth the effort.
cheers
WARNING: multiple messages have this Message-ID (diff)
From: Michael Ellerman <mpe@ellerman.id.au>
To: Jann Horn <jannh@google.com>,
Christoph Hellwig <hch@infradead.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
linuxppc-dev@lists.ozlabs.org
Cc: Dave Kleikamp <shaggy@linux.vnet.ibm.com>,
Catalin Marinas <catalin.marinas@arm.com>,
kernel list <linux-kernel@vger.kernel.org>,
Linux-MM <linux-mm@kvack.org>,
Khalid Aziz <khalid.aziz@oracle.com>,
sparclinux@vger.kernel.org,
Anthony Yznaga <anthony.yznaga@oracle.com>,
Andrew Morton <akpm@linux-foundation.org>,
Will Deacon <will@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Linux ARM <linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH 1/2] mm/mprotect: Call arch_validate_prot under mmap_lock and with length
Date: Thu, 08 Oct 2020 21:34:26 +1100 [thread overview]
Message-ID: <87o8ld0zwt.fsf@mpe.ellerman.id.au> (raw)
In-Reply-To: <CAG48ez3kjTeVtQcjQerYYRs7sX5qq3O7SU-FEaYLNXisFmAeOg@mail.gmail.com>
Jann Horn <jannh@google.com> writes:
> On Wed, Oct 7, 2020 at 2:35 PM Christoph Hellwig <hch@infradead.org> wrote:
>> On Wed, Oct 07, 2020 at 09:39:31AM +0200, Jann Horn wrote:
>> > diff --git a/arch/powerpc/kernel/syscalls.c b/arch/powerpc/kernel/syscalls.c
>> > index 078608ec2e92..b1fabb97d138 100644
>> > --- a/arch/powerpc/kernel/syscalls.c
>> > +++ b/arch/powerpc/kernel/syscalls.c
>> > @@ -43,7 +43,7 @@ static inline long do_mmap2(unsigned long addr, size_t len,
>> > {
>> > long ret = -EINVAL;
>> >
>> > - if (!arch_validate_prot(prot, addr))
>> > + if (!arch_validate_prot(prot, addr, len))
>>
>> This call isn't under mmap lock. I also find it rather weird as the
>> generic code only calls arch_validate_prot from mprotect, only powerpc
>> also calls it from mmap.
>>
>> This seems to go back to commit ef3d3246a0d0
>> ("powerpc/mm: Add Strong Access Ordering support")
>
> I'm _guessing_ the idea in the generic case might be that mmap()
> doesn't check unknown bits in the protection flags, and therefore
> maybe people wanted to avoid adding new error cases that could be
> caused by random high bits being set?
I suspect it's just that when we added it we updated our do_mmap2() and
didn't touch the generic version because we didn't need to. ie. it's not
intentional it's just a buglet.
I think this is the original submission:
https://lore.kernel.org/linuxppc-dev/20080610220055.10257.84465.sendpatchset@norville.austin.ibm.com/
Which only calls arch_validate_prot() from mprotect and the powerpc
code, and there was no discussion about adding it elsewhere.
> So while the mprotect() case
> checks the flags and refuses unknown values, the mmap() code just lets
> the architecture figure out which bits are actually valid to set (via
> arch_calc_vm_prot_bits()) and silently ignores the rest?
>
> And powerpc apparently decided that they do want to error out on bogus
> prot values passed to their version of mmap(), and in exchange, assume
> in arch_calc_vm_prot_bits() that the protection bits are valid?
I don't think we really decided that, it just happened by accident and
no one noticed/complained.
Seems userspace is pretty well behaved when it comes to passing prot
values to mmap().
> powerpc's arch_validate_prot() doesn't actually need the mmap lock, so
> I think this is fine-ish for now (as in, while the code is a bit
> unclean, I don't think I'm making it worse, and I don't think it's
> actually buggy). In theory, we could move the arch_validate_prot()
> call over into the mmap guts, where we're holding the lock, and gate
> it on the architecture or on some feature CONFIG that powerpc can
> activate in its Kconfig. But I'm not sure whether that'd be helping or
> making things worse, so when I sent this patch, I deliberately left
> the powerpc stuff as-is.
I think what you've done is fine, and anything more elaborate is not
worth the effort.
cheers
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2020-10-08 10:34 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-07 7:39 [PATCH 1/2] mm/mprotect: Call arch_validate_prot under mmap_lock and with length Jann Horn
2020-10-07 7:39 ` Jann Horn
2020-10-07 7:39 ` Jann Horn
2020-10-07 7:39 ` Jann Horn
2020-10-07 7:39 ` [PATCH 2/2] sparc: Check VMA range in sparc_validate_prot() Jann Horn
2020-10-07 7:39 ` Jann Horn
2020-10-07 7:39 ` Jann Horn
2020-10-07 7:39 ` Jann Horn
2020-10-07 12:36 ` Christoph Hellwig
2020-10-07 12:36 ` Christoph Hellwig
2020-10-07 12:36 ` Christoph Hellwig
2020-10-07 12:36 ` Christoph Hellwig
2020-10-07 20:15 ` Khalid Aziz
2020-10-07 20:15 ` Khalid Aziz
2020-10-07 20:15 ` Khalid Aziz
2020-10-07 20:15 ` Khalid Aziz
2020-10-07 12:35 ` [PATCH 1/2] mm/mprotect: Call arch_validate_prot under mmap_lock and with length Christoph Hellwig
2020-10-07 12:35 ` Christoph Hellwig
2020-10-07 12:35 ` Christoph Hellwig
2020-10-07 12:35 ` Christoph Hellwig
2020-10-07 14:42 ` Jann Horn
2020-10-07 14:42 ` Jann Horn
2020-10-07 14:42 ` Jann Horn
2020-10-07 14:42 ` Jann Horn
2020-10-07 14:42 ` Jann Horn
2020-10-08 6:21 ` Christoph Hellwig
2020-10-08 6:21 ` Christoph Hellwig
2020-10-08 6:21 ` Christoph Hellwig
2020-10-08 6:21 ` Christoph Hellwig
2020-10-08 10:34 ` Michael Ellerman [this message]
2020-10-08 10:34 ` Michael Ellerman
2020-10-08 10:34 ` Michael Ellerman
2020-10-08 10:34 ` Michael Ellerman
2020-10-08 11:03 ` Catalin Marinas
2020-10-08 11:03 ` Catalin Marinas
2020-10-08 11:03 ` Catalin Marinas
2020-10-08 11:03 ` Catalin Marinas
2020-10-07 20:14 ` Khalid Aziz
2020-10-07 20:14 ` Khalid Aziz
2020-10-07 20:14 ` Khalid Aziz
2020-10-07 20:14 ` Khalid Aziz
2020-10-10 11:09 ` Catalin Marinas
2020-10-10 11:09 ` Catalin Marinas
2020-10-10 11:09 ` Catalin Marinas
2020-10-10 11:09 ` Catalin Marinas
2020-10-12 17:03 ` Khalid Aziz
2020-10-12 17:03 ` Khalid Aziz
2020-10-12 17:03 ` Khalid Aziz
2020-10-12 17:03 ` Khalid Aziz
2020-10-12 17:22 ` Catalin Marinas
2020-10-12 17:22 ` Catalin Marinas
2020-10-12 17:22 ` Catalin Marinas
2020-10-12 17:22 ` Catalin Marinas
2020-10-12 19:14 ` Khalid Aziz
2020-10-12 19:14 ` Khalid Aziz
2020-10-12 19:14 ` Khalid Aziz
2020-10-12 19:14 ` Khalid Aziz
2020-10-13 9:16 ` Catalin Marinas
2020-10-13 9:16 ` Catalin Marinas
2020-10-13 9:16 ` Catalin Marinas
2020-10-13 9:16 ` Catalin Marinas
2020-10-14 21:21 ` Khalid Aziz
2020-10-14 21:21 ` Khalid Aziz
2020-10-14 21:21 ` Khalid Aziz
2020-10-14 21:21 ` Khalid Aziz
2020-10-14 22:29 ` Jann Horn
2020-10-14 22:29 ` Jann Horn
2020-10-14 22:29 ` Jann Horn
2020-10-14 22:29 ` Jann Horn
2020-10-14 22:29 ` Jann Horn
2020-10-15 9:05 ` Catalin Marinas
2020-10-15 9:05 ` Catalin Marinas
2020-10-15 9:05 ` Catalin Marinas
2020-10-15 9:05 ` Catalin Marinas
2020-10-15 14:53 ` Khalid Aziz
2020-10-15 14:53 ` Khalid Aziz
2020-10-15 14:53 ` Khalid Aziz
2020-10-15 14:53 ` Khalid Aziz
2020-10-08 10:12 ` Catalin Marinas
2020-10-08 10:12 ` Catalin Marinas
2020-10-08 10:12 ` Catalin Marinas
2020-10-08 10:12 ` Catalin Marinas
2020-10-07 10:08 kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87o8ld0zwt.fsf@mpe.ellerman.id.au \
--to=mpe@ellerman.id.au \
--cc=akpm@linux-foundation.org \
--cc=anthony.yznaga@oracle.com \
--cc=benh@kernel.crashing.org \
--cc=catalin.marinas@arm.com \
--cc=davem@davemloft.net \
--cc=hch@infradead.org \
--cc=jannh@google.com \
--cc=khalid.aziz@oracle.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=paulus@samba.org \
--cc=shaggy@linux.vnet.ibm.com \
--cc=sparclinux@vger.kernel.org \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.