public inbox for linuxppc-dev@ozlabs.org 
From: Michael Ellerman <mpe@ellerman•id.au>
To: "Aneesh Kumar K.V" <aneesh.kumar@linux•vnet.ibm.com>,
	Andrew Donnellan <andrew.donnellan@au1•ibm.com>,
	linuxppc-dev@lists•ozlabs.org
Cc: imunsie@au1•ibm.com
Subject: Re: cxl: fix setting of _PAGE_USER bit when handling page faults
Date: Tue, 12 Apr 2016 21:42:48 +1000	[thread overview]
Message-ID: <1460461368.23581.1.camel@ellerman.id.au> (raw)
In-Reply-To: <87y48kfeja.fsf@linux.vnet.ibm.com>

On Mon, 2016-04-11 at 19:12 +0530, Aneesh Kumar K.V wrote:
> Michael Ellerman <mpe@ellerman•id.au> writes:
> > 
> > In this case it *looks* like we have a giant hole in the mm handling for CAPI
> > contexts, which would let userspace create mappings of kernel memory with
> > _PAGE_USER set. I think I agree with Ian that in fact that's not true, but it's
> > not clear from the diff that is the case. So I'd really like someone to write a
> > good commit message demonstrating that we understand what the bug is and why
> > it's not a big deal, despite the patch looking scary at first glance.
> 
> That confused me.

Sorry :)

> Do you agree that the current code won't allow 
> "userspace create mappings of kernel memory with  _PAGE_USER set" ?

Yes. My point is that the diff doesn't make that clear - and at first glance it
looks like it could be a bad bug. So it needs a good change log explaining
why it's not possible.

> Or are you suggesting that we do and this need to be documented ?
> 
> If it is the latter, that is not true. The current code will set _PAGE_USER
> in the access flags for any fault address, i.e. because the ~ operation will
> be true for all addresses we take a fault on. But setting _PAGE_USER also means
> that the fault will be handled only if the page table has _PAGE_USER
> set.
> 
> Now if it is a user space access, then the change really doesn't have an
> impact because we have (!ctx->kernel) true for that case and we take
> that if condition as true.

Right. And if it was a userspace access of a kernel address it should never have
got that far, because copro_handle_mm_fault() should have failed IIUIC.

> 
> Now if the kernel is faulting, which I am not sure capi can result in such a
> fault, and it is faulting on an address in the kernel range, then the
> current code will result in a loop fault, because we will not insert the
> hash pte due to the access and pte permission mismatch. So there is
> no security hole in the fault handling AFAIU.
> 
> Are you suggesting that the above should be documented in the commit
> message ?

Yep.

cheers
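The reasoning in this exchange (the `~` test being true for every address, and the access/PTE permission mismatch preventing a hash PTE insert) can be shown with a small stand-alone model. The following is an added example, not code from the thread, the cxl driver or the kernel: the flag bits, the addresses and the `hash_insert_allowed()` check are constructed stand-ins, and the buggy/fixed `if` conditions are reconstructed from the thread's description of the `~` operation.

```c
/* Added example (not kernel code): a model of the access-flag computation
 * discussed in this thread. It shows (a) why a bitwise NOT of a masked
 * address is non-zero for every address, so the buggy test is always true,
 * and (b) why that still cannot grant access to a kernel page, because the
 * access flags must be a subset of the PTE flags before a hash PTE is
 * inserted; otherwise the fault is simply retried.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed flag bits and addresses; the real kernel values differ. */
#define PAGE_PRESENT 0x1ULL
#define PAGE_USER    0x2ULL
#define PAGE_RW      0x4ULL

#define KERNEL_ADDR  0xc000000001234000ULL /* bit 63 set: kernel region */
#define USER_ADDR    0x00007fff12345000ULL /* bit 63 clear: user region */

/* Buggy form the thread describes: bitwise NOT of (dar & bit63) is
 * non-zero whether or not bit 63 is set, so _PAGE_USER is always added. */
uint64_t access_flags_buggy(bool kernel_ctx, uint64_t dar)
{
    uint64_t access = PAGE_PRESENT;
    if (!kernel_ctx || ~(dar & (1ULL << 63)))
        access |= PAGE_USER;
    return access;
}

/* Intended form: logical NOT, true only when the address is not a kernel
 * address (bit 63 clear). */
uint64_t access_flags_fixed(bool kernel_ctx, uint64_t dar)
{
    uint64_t access = PAGE_PRESENT;
    if (!kernel_ctx || !(dar & (1ULL << 63)))
        access |= PAGE_USER;
    return access;
}

/* Model of the hash-insert permission check (hypothetical helper): every
 * bit demanded by the access flags must be present in the PTE. A kernel
 * PTE has no _PAGE_USER, so demanding it can never succeed; the fault
 * repeats instead of exposing the page (the "loop fault" described above). */
bool hash_insert_allowed(uint64_t access, uint64_t pte_flags)
{
    return (access & ~pte_flags) == 0;
}

int main(void)
{
    uint64_t kernel_pte = PAGE_PRESENT | PAGE_RW; /* constructed kernel PTE */

    printf("buggy, kernel ctx, kernel addr: access=0x%llx insert=%d\n",
           (unsigned long long)access_flags_buggy(true, KERNEL_ADDR),
           hash_insert_allowed(access_flags_buggy(true, KERNEL_ADDR), kernel_pte));
    printf("fixed, kernel ctx, kernel addr: access=0x%llx insert=%d\n",
           (unsigned long long)access_flags_fixed(true, KERNEL_ADDR),
           hash_insert_allowed(access_flags_fixed(true, KERNEL_ADDR), kernel_pte));
    return 0;
}
```

For a user-context fault both forms behave identically, since `!ctx->kernel` short-circuits the second operand; the only behavioural difference is the kernel-context, kernel-address case, where the buggy flags demand a bit the PTE never carries.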


Thread overview: 14+ messages
2016-03-18  4:01 [PATCH] cxl: fix setting of _PAGE_USER bit when handling page faults Andrew Donnellan
2016-03-18  6:30 ` Ian Munsie
2016-03-21  4:38   ` Andrew Donnellan
2016-03-25 10:01 ` Michael Ellerman
2016-03-25 17:15   ` Ian Munsie
2016-03-28 13:42   ` Aneesh Kumar K.V
2016-03-28 18:00     ` Aneesh Kumar K.V
2016-04-11  4:10     ` Andrew Donnellan
2016-04-11  4:27       ` Michael Ellerman
2016-04-11  4:31         ` Aneesh Kumar K.V
2016-04-11 11:14           ` Michael Ellerman
2016-04-11 13:42             ` Aneesh Kumar K.V
2016-04-12 11:42               ` Michael Ellerman [this message]
2016-03-29 22:08 ` [PATCH] " Matthew R. Ochs
