Re: [patch 05/16] mm: Allow special mappings with user access cleared

From: Dave Hansen
Date: Wed Dec 13 2017 - 10:47:52 EST

Next message: Maxime Ripard: "Re: [PATCH v4 1/4] dt-bindings: pwm: binding allwinner sun8i R40/V40/T3."
Previous message: Mark Brown: "Applied "regmap: rename regmap_lock_unlock_empty() to regmap_lock_unlock_none()" to the regmap tree"
In reply to: Peter Zijlstra: "Re: [patch 05/16] mm: Allow special mappings with user access cleared"
Next in thread: Peter Zijlstra: "Re: [patch 05/16] mm: Allow special mappings with user access cleared"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 12/13/2017 07:32 AM, Peter Zijlstra wrote:
>> This will fault writing a byte to 'addr':
>>
>> char *addr = malloc(PAGE_SIZE);
>> pkey_mprotect(addr, PAGE_SIZE, 13);
>> pkey_deny_access(13);
>> *addr[0] = 'f';
>>
>> But this will write one byte to addr successfully (if it uses the kernel
>> mapping of the physical page backing 'addr'):
>>
>> char *addr = malloc(PAGE_SIZE);
>> pkey_mprotect(addr, PAGE_SIZE, 13);
>> pkey_deny_access(13);
>> read(fd, addr, 1);
>>
> This seems confused to me; why are these two cases different?

Protection keys doesn't work in the kernel direct map, so if the read()
was implemented by writing to the direct map alias of 'addr' then this
would bypass protection keys.

Next message: Maxime Ripard: "Re: [PATCH v4 1/4] dt-bindings: pwm: binding allwinner sun8i R40/V40/T3."
Previous message: Mark Brown: "Applied "regmap: rename regmap_lock_unlock_empty() to regmap_lock_unlock_none()" to the regmap tree"
In reply to: Peter Zijlstra: "Re: [patch 05/16] mm: Allow special mappings with user access cleared"
Next in thread: Peter Zijlstra: "Re: [patch 05/16] mm: Allow special mappings with user access cleared"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]