On Wed, Dec 13, 2017 at 07:47:46AM -0800, Dave Hansen wrote: > On 12/13/2017 07:32 AM, Peter Zijlstra wrote: > >> This will fault writing a byte to 'addr': > >> > >> char *addr = malloc(PAGE_SIZE); > >> pkey_mprotect(addr, PAGE_SIZE, 13); > >> pkey_deny_access(13); > >> *addr[0] = 'f'; > >> > >> But this will write one byte to addr successfully (if it uses the kernel > >> mapping of the physical page backing 'addr'): > >> > >> char *addr = malloc(PAGE_SIZE); > >> pkey_mprotect(addr, PAGE_SIZE, 13); > >> pkey_deny_access(13); > >> read(fd, addr, 1); > >> > > This seems confused to me; why are these two cases different? > > Protection keys doesn't work in the kernel direct map, so if the read() > was implemented by writing to the direct map alias of 'addr' then this > would bypass protection keys. Which is why get_user_pages() _should_ enforce this. What use are protection keys if you can trivially circumvent them? -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx"> email@xxxxxxxxx </a>