From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=zZF4=IK=lists.infradead.org=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-5.5 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_SANE_1 autolearn=no
	autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id E110CC433E0
	for <linux-arm-kernel@archiver.kernel.org>; Fri, 12 Mar 2021 12:25:12 +0000 (UTC)
Received: from desiato.infradead.org (desiato.infradead.org [90.155.92.199])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.kernel.org (Postfix) with ESMTPS id 8634764F6C
	for <linux-arm-kernel@archiver.kernel.org>; Fri, 12 Mar 2021 12:25:12 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 8634764F6C
Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=arm.com
Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=desiato.20200630; h=Sender:Content-Transfer-Encoding
	:Content-Type:List-Subscribe:List-Help:List-Post:List-Archive:
	List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References:Message-ID:
	Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description:Resent-Date:
	Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner;
	 bh=p+bUdfSeWELiB4YCShnRACKR1dnVN1NyXo9D0ZS2E0o=; b=eKwSQ/d/AGlIEI5bkWyLKB/mh
	SxmgSVZM07ABcUHUDFkhAFd+saSnshXNij5HmBsI9sfrxmq9DZ9qIvI+rLaarGjuMv2VbjsPNDAWi
	59qHIc6UjKIdpH/i9soWzcUekJY6xp97lUApILP9zq7BBfL937s9+vd8WpEaDugBjuAn6aarx0eGM
	rpaumW0W+eOhA9Ehf/KBCYoMyKZWS822VmTumrfsx2F115ebVHuUK+UZQjrlq+pVCK6HPVeoyspZh
	Rk6YL0pBC3EPymwtMIRLCB6edeytPXQ2ER8FLywMJqX9RttAmWw6b1kZR7pTln7XLLvWfnqcKwULU
	NPkYz9SdQ==;
Received: from localhost ([::1] helo=desiato.infradead.org)
	by desiato.infradead.org with esmtp (Exim 4.94 #2 (Red Hat Linux))
	id 1lKgpV-00BO73-Pg; Fri, 12 Mar 2021 12:23:45 +0000
Received: from mail.kernel.org ([198.145.29.99])
 by desiato.infradead.org with esmtps (Exim 4.94 #2 (Red Hat Linux))
 id 1lKgpR-00BO6f-7g
 for linux-arm-kernel@lists.infradead.org; Fri, 12 Mar 2021 12:23:43 +0000
Received: by mail.kernel.org (Postfix) with ESMTPSA id D509C64F33;
 Fri, 12 Mar 2021 12:23:36 +0000 (UTC)
Date: Fri, 12 Mar 2021 12:23:34 +0000
From: Catalin Marinas <catalin.marinas@arm.com>
To: Vladimir Murzin <vladimir.murzin@arm.com>
Cc: Will Deacon <will@kernel.org>, linux-arm-kernel@lists.infradead.org,
 keescook@chromium.org, dave.martin@arm.com
Subject: Re: [PATCH v3 1/2] arm64: Support execute-only permissions with
 Enhanced PAN
Message-ID: <20210312122333.GA24210@arm.com>
References: <20210119160723.116983-1-vladimir.murzin@arm.com>
 <20210119160723.116983-2-vladimir.murzin@arm.com>
 <20210126110305.GA29467@willie-the-truck>
 <20210126120542.GA20158@gaia>
 <20210126122330.GA29613@willie-the-truck>
 <2424c35d-3e88-de1e-89b6-11439f1d15c6@arm.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <2424c35d-3e88-de1e-89b6-11439f1d15c6@arm.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20210312_122341_570490_CAC36EAF 
X-CRM114-Status: GOOD (  23.53  )
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: <linux-arm-kernel.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/linux-arm-kernel>, 
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/linux-arm-kernel/>
List-Post: <mailto:linux-arm-kernel@lists.infradead.org>
List-Help: <mailto:linux-arm-kernel-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>, 
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org

On Fri, Mar 12, 2021 at 11:19:02AM +0000, Vladimir Murzin wrote:
> On 1/26/21 12:23 PM, Will Deacon wrote:
> > On Tue, Jan 26, 2021 at 12:05:42PM +0000, Catalin Marinas wrote:
> >> On Tue, Jan 26, 2021 at 11:03:06AM +0000, Will Deacon wrote:
> >>> On Tue, Jan 19, 2021 at 04:07:22PM +0000, Vladimir Murzin wrote:
> >>>>  #define pte_valid_not_user(pte) \
> >>>> -	((pte_val(pte) & (PTE_VALID | PTE_USER)) == PTE_VALID)
> >>>> +	((pte_val(pte) & (PTE_VALID | PTE_USER | PTE_UXN)) == (PTE_VALID | PTE_UXN))
> >>>>  #define pte_valid_user(pte) \
> >>>>  	((pte_val(pte) & (PTE_VALID | PTE_USER)) == (PTE_VALID | PTE_USER))
> >>>
> >>> Won't pte_valid_user() go wrong for exec-only mappings now?
> >>
> >> I wondered about the same in November (and reproducing my comment
> >> below):
> >>
> >> https://lore.kernel.org/linux-arm-kernel/20201119182236.GN4376@gaia/
> >>
> >> pte_valid_user() checks for both PTE_VALID and PTE_USER. In theory, a
> >> !PTE_UXN is also user-accessible but it's only used in gup_pte_range()
> >> via pte_access_permitted(). If "access" in the latter means only
> >> read/write, we should be ok. If we keep it as is, a comment would
> >> be useful.
> > 
> > I think we should ensure that:
> > 
> >   pte_valid(pte) && (pte_valid_not_user(pte) || pte_valid_user(pte))
> > 
> > is always true, but I don't think it is after this patch. It reminds me
> > of some of the tests that Anshuman wrote.
> 
> Something like
> 
> /*
>  * Most of user mappings would have PTE_USER bit set except Execute-only
>  * where both PTE_USER and PTE_UXN bits not set
>  */
> #define pte_valid_user(pte)                                            \
>       (((pte_val(pte) & (PTE_VALID | PTE_USER)) == (PTE_VALID | PTE_USER)) || \
>          ((pte_val(pte) & (PTE_VALID | PTE_UXN)) == PTE_VALID))

This is equivalent to (valid && (user || !uxn)) which matches how the
EPAN is now specified.

However, I think this change breaks pte_access_permitted() which would
now return true even for execute-only mappings. Since such pages are not
readable, nor writable by user, get_user_pages_fast() should fail. For
example, if we have a futex in such execute-only mapping,
get_futex_key() succeeds with the above. Similarly for the
iov_iter_get_pages().

The slow-path get_user_pages() does the checks on the vma flags and this
can be overridden with FOLL_FORCE (it doesn't use
pte_access_permitted()). I haven't seen any get_user_pages_fast() called
with FOLL_FORCE but even if it does, it looks like it's ignored as the
code relies on pte_access_permitted() only.

I'd say lets scrap pte_valid_user() altogether and move the original
logic to pte_access_permitted() with a comment that it must return false
for execute-only user mappings.

-- 
Catalin

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel