public inbox for linux-arm-kernel@lists.infradead.org 
From: lauraa@codeaurora.org (Laura Abbott)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v2] ARM64: Kernel managed pages are only flushed
Date: Wed, 05 Mar 2014 12:03:58 -0800
Message-ID: <5317832E.9020809@codeaurora.org>
In-Reply-To: <06b7685849ef4682878556ea1ea8f9d6@BN1PR03MB266.namprd03.prod.outlook.com>

On 3/5/2014 8:27 AM, Bharat.Bhushan at freescale.com wrote:
>
>
>> -----Original Message-----
>> From: Will Deacon [mailto:will.deacon at arm.com]
>> Sent: Wednesday, March 05, 2014 9:43 PM
>> To: Bhushan Bharat-R65777
>> Cc: Catalin Marinas; linux-arm-kernel at lists.infradead.org; Bhushan Bharat-R65777
>> Subject: Re: [PATCH v2] ARM64: Kernel managed pages are only flushed
>>
>> On Wed, Mar 05, 2014 at 11:25:16AM +0000, Bharat Bhushan wrote:
>>> The kernel can only access pages which map to managed memory.
>>> So flush only valid kernel pages.
>>>
>>> I observed a kernel crash when directly assigning a device using VFIO and found
>>> that it was caused by accessing an invalid page.
>>>
>>> Signed-off-by: Bharat Bhushan <Bharat.Bhushan@freescale.com>
>>> ---
>>> v1->v2
>>>   Getting pfn using pte_pfn() in pfn_valid.
>>>
>>>   arch/arm64/mm/flush.c |   13 ++++++++++++-
>>>   1 files changed, 12 insertions(+), 1 deletions(-)
>>>
>>> diff --git a/arch/arm64/mm/flush.c b/arch/arm64/mm/flush.c index
>>> e4193e3..319826a 100644
>>> --- a/arch/arm64/mm/flush.c
>>> +++ b/arch/arm64/mm/flush.c
>>> @@ -72,7 +72,18 @@ void copy_to_user_page(struct vm_area_struct *vma,
>>> struct page *page,
>>>
>>>   void __sync_icache_dcache(pte_t pte, unsigned long addr)  {
>>> -	struct page *page = pte_page(pte);
>>> +	struct page *page;
>>> +
>>> +#ifdef CONFIG_HAVE_ARCH_PFN_VALID
>>> +	/*
>>> +	 * We can only access pages that the kernel maps
>>> +	 * as memory. Bail out for unmapped ones.
>>> +	 */
>>> +	if (!pfn_valid(pte_pfn(pte)))
>>> +		return;
>>> +
>>> +#endif
>>> +	page = pte_page(pte);
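Review bot: the `#ifdef CONFIG_HAVE_ARCH_PFN_VALID` guard around the new check means a kernel built without that option keeps the unconditional `pte_page(pte)` dereference and the exact crash the commit message describes. If there is a configuration in which pfn_valid() is unavailable, the comment should say so; otherwise drop the guard and test `pfn_valid(pte_pfn(pte))` unconditionally. The comment wording "Bail out for unmapped ones" is also misleading: the pte is mapped, what is missing is a struct page behind the pfn, so something like "pfns not backed by kernel-managed memory (e.g. device BARs) have no struct page and nothing to flush" states the actual condition. Since the discussion below traces the caller to remap_pfn_range(), it is also worth saying in the commit message why the check belongs in __sync_icache_dcache() rather than at the set_pte_at() call site that decides whether to sync at all.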
>>
>> How do you get into this function without a valid, userspace, executable pte?
>>
>> I suspect you've got changes elsewhere and are calling this function in a
>> context where it's not supposed to be called.
>
> Below I will describe the context in which this function is called:
>
> When we directly assign a bus device (we have a different freescale specific bus
> device but we can take PCI device for discussion as this logic applies equally
> for PCI device I think) to user space using VFIO, userspace needs to
> mmap(PCI_BARx_offset: this PCI bar offset is not a kernel visible memory).
> Then VFIO-kernel mmap() ioctl code calls remap_pfn_range() for mapping the
> requested address. remap_pfn_range() then internally calls this function.
>

As someone who likes calling functions in contexts where they aren't 
supposed to be called, I took a look at this because I was curious.

I can confirm the same problem trying to mmap arbitrary I/O address space 
with remap_pfn_range. We should only be hitting this if the pte is 
marked as exec per set_pte_at. With my test case, even mmapping with only 
PROT_READ and PROT_WRITE was setting PROT_EXEC as well, which was 
triggering the bug. This seems to be because the READ_IMPLIES_EXEC 
personality was set, which was derived from

#define elf_read_implies_exec(ex,stk)   (stk != EXSTACK_DISABLE_X)

and none of the binaries I'm generating seem to be setting the stack 
execute bit either way (all are EXSTACK_DEFAULT).

It's not obvious what the best solution is here.

Thanks,
Laura

-- 
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
hosted by The Linux Foundation
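An added example, not code from this thread or from the kernel: it redoes the executable_stack classification the ELF loader derives from PT_GNU_STACK and runs the result through the arm64 elf_read_implies_exec() macro Laura quotes, so you can see why a binary with no stack note at all (EXSTACK_DEFAULT) ends up with READ_IMPLIES_EXEC and therefore an executable mapping from a PROT_READ|PROT_WRITE mmap(). The constructed ELF images, the helper names (gnu_stack_flag, stack_flag_for, self_stack_flag), the little-endian ELF64 assumption and the /proc/self/exe self-check are mine, not the page's.

```c
/*
 * Added example (not from the original thread): mirror the loader's
 * PT_GNU_STACK handling and the arm64 elf_read_implies_exec() macro.
 * Assumes a little-endian ELF64 host; self_stack_flag() assumes Linux /proc.
 */
#include <elf.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* executable_stack values, as in the kernel's include/linux/elf.h. */
#define EXSTACK_DEFAULT   -1
#define EXSTACK_DISABLE_X  0
#define EXSTACK_ENABLE_X   1

/* The arm64 macro quoted in the message: only an explicit non-exec stack opts out. */
int elf_read_implies_exec_arm64(int stk)
{
    return stk != EXSTACK_DISABLE_X;
}

/* Same decision as load_elf_binary()'s PT_GNU_STACK loop: 0 on success, -1 if unparseable. */
int gnu_stack_flag(const unsigned char *img, size_t len, int *stk)
{
    Elf64_Ehdr eh;
    size_t i;

    if (len < sizeof eh)
        return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize != sizeof(Elf64_Phdr) ||
        eh.e_phoff > len ||
        (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return -1;

    *stk = EXSTACK_DEFAULT; /* no PT_GNU_STACK: whatever the arch defaults to */
    for (i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;

        memcpy(&ph, img + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            *stk = (ph.p_flags & PF_X) ? EXSTACK_ENABLE_X : EXSTACK_DISABLE_X;
    }
    return 0;
}

/* Constructed minimal ELF64 image: one PT_LOAD plus an optional PT_GNU_STACK. */
static size_t build_test_elf(unsigned char *buf, size_t cap, int with_gnu_stack, int exec_stack)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph[2];

    if (cap < sizeof eh + sizeof ph)
        return 0;
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC;
    eh.e_machine = EM_AARCH64;
    eh.e_version = EV_CURRENT;
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = with_gnu_stack ? 2 : 1;
    ph[0].p_type = PT_LOAD;
    ph[0].p_flags = PF_R | PF_X;
    ph[1].p_type = PT_GNU_STACK;            /* what -z execstack / -z noexecstack emit */
    ph[1].p_flags = PF_R | PF_W | (exec_stack ? PF_X : 0);
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

/* executable_stack for a constructed image, or -2 if it failed to parse. */
int stack_flag_for(int with_gnu_stack, int exec_stack)
{
    unsigned char img[256];
    int stk;
    size_t n = build_test_elf(img, sizeof img, with_gnu_stack, exec_stack);

    if (n == 0 || gnu_stack_flag(img, n, &stk) != 0)
        return -2;
    return stk;
}

/* Classify the running binary itself; program headers sit at the front of the file. */
int self_stack_flag(void)
{
    unsigned char img[65536];
    int fd = open("/proc/self/exe", O_RDONLY);
    ssize_t n;
    int stk;

    if (fd < 0)
        return -2;
    n = read(fd, img, sizeof img);
    close(fd);
    if (n <= 0 || gnu_stack_flag(img, (size_t)n, &stk) != 0)
        return -2;
    return stk;
}

static void report(const char *what, int stk)
{
    const char *name = stk == EXSTACK_DEFAULT ? "EXSTACK_DEFAULT" :
                       stk == EXSTACK_DISABLE_X ? "EXSTACK_DISABLE_X" :
                       stk == EXSTACK_ENABLE_X ? "EXSTACK_ENABLE_X" : "unparseable";

    printf("%-18s %-18s READ_IMPLIES_EXEC on arm64: %s\n", what, name,
           stk < EXSTACK_DEFAULT ? "n/a" : elf_read_implies_exec_arm64(stk) ? "yes" : "no");
}

int main(void)
{
    report("no PT_GNU_STACK", stack_flag_for(0, 0));
    report("PT_GNU_STACK rw-", stack_flag_for(1, 0));
    report("PT_GNU_STACK rwx", stack_flag_for(1, 1));
    report("this binary", self_stack_flag());
    return 0;
}
```

Build and run it as is, then relink it with `-z execstack` and with `-z noexecstack` to watch the last line change; only the noexecstack variant comes out of the arm64 macro with READ_IMPLIES_EXEC clear, which is the behaviour the message is pointing at.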

Thread overview: 6+ messages
2014-03-05 11:25 [PATCH v2] ARM64: Kernel managed pages are only flushed Bharat Bhushan
2014-03-05 16:12 ` Will Deacon
2014-03-05 16:27   ` Bharat.Bhushan at freescale.com
2014-03-05 20:03     ` Laura Abbott [this message]
2014-03-06  3:38       ` Bharat.Bhushan at freescale.com
2014-03-06 16:18       ` Will Deacon
