On Tue, Jul 10, 2018 at 04:10:08PM -0700, Dave Hansen wrote: > On 07/10/2018 03:26 PM, Yu-cheng Yu wrote: > > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx> > > This still needs a changelog, even if you think it's simple. > > --- a/mm/mprotect.c > > +++ b/mm/mprotect.c > > @@ -446,6 +446,15 @@ static int do_mprotect_pkey(unsigned long start, size_t len, > > error = -ENOMEM; > > if (!vma) > > goto out; > > + > > + /* > > + * Do not allow changing shadow stack memory. > > + */ > > + if (vma->vm_flags & VM_SHSTK) { > > + error = -EINVAL; > > + goto out; > > + } > > + > > I think this is a _bit_ draconian. Why shouldn't we be able to use > protection keys with a shadow stack? Or, set it to PROT_NONE? Right, and then there's also madvise() and some of the other accessors. Why do we need to disallow this? AFAICT the worst that can happen is that a process wrecks itself, so what? -- To unsubscribe from this list: send the line "unsubscribe linux-api" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html