Re: [bug?] Access was denied by memory protection keys in execute-only address

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





On Wed, Mar 21, 2018 at 5:58 AM, Ram Pai <linuxram@xxxxxxxxxx> wrote:
On Fri, Mar 09, 2018 at 11:43:00AM +0800, Li Wang wrote:
>    On Fri, Mar 9, 2018 at 12:45 AM, Ram Pai <[1]linuxram@xxxxxxxxxx> wrote:
>
>      On Thu, Mar 08, 2018 at 11:19:12PM +1100, Michael Ellerman wrote:
>      > Li Wang <[2]liwang@xxxxxxxxxx> writes:
>      > > Hi,
>      > >
>      > > ltp/mprotect04[1] crashed by SEGV_PKUERR on ppc64(LPAR on P730,
>      Power 8
>      > > 8247-22L) with kernel-v4.16.0-rc4.
>      > >
>      > > 10000000-10020000 r-xp 00000000 fd:00 167223           mprotect04
>      > > 10020000-10030000 r--p 00010000 fd:00 167223           mprotect04
>      > > 10030000-10040000 rw-p 00020000 fd:00 167223           mprotect04
>      > > 1001a380000-1001a3b0000 rw-p 00000000 00:00 0          [heap]
>      > > 7fffa6c60000-7fffa6c80000 --xp 00000000 00:00 0 ​
>      > >
>      > > ​&exec_func = 0x10030170​
>      > >
>      > > ​&func = 0x7fffa6c60170​
>      > >
>      > > ​While perform ​
>      > > "(*func)();" we get the
>      > > ​segmentation fault.
>      > > ​
>      > >
>      > > ​strace log:​
>      > >
>      > > -------------------
>      > > ​mprotect(0x7fffaed00000, 131072, PROT_EXEC) = 0
>      > > rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
>      > > --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_PKUERR,
>      si_addr=0x7fffaed00170}
>      > > ---​
>      >
>      > Looks like a bug to me.
>      >
>      > Please Cc linuxppc-dev on powerpc bugs.
>      >
>      > I also can't reproduce this failure on my machine.
>      > Not sure what's going on?
>
>      I could reproduce it on a power7 lpar.  But not on a power8 lpar.
>
>      The problem seems to be that the cpu generates a key exception if
>      the page with Read/Write-disable-but-execute-enable key is executed
>      on power7. If I enable read on that key, the exception disappears.
>
>    After adding read permission on that key, reproducer get PASS on my power8
>    machine too.​
>    ​(​mprotect(..,PROT_READ | PROT_EXEC))​
>     
>
>      BTW: the testcase executes
>      ​​mprotect(..,PROT_EXEC).
>      The mprotect(, PROT_EXEC) system call internally generates a
>      execute-only key and associates it with the pages in the address-range. 
>
>      Now since Li Wang claims that he can reproduce it on power8 as well, i
>      am wondering if the slightly different cpu behavior is dependent on the
>      version of the firmware/microcode?
>
>    ​I also run this reproducer on series ppc kvm machines, but none of them
>    get the FAIL.
>    If you need some more HW info, pls let me know.​

Hi Li,

   Can you try the following patch and see if it solves your problem.

​It only works on power7 lpar machine.

But for p8 lpar, it still get failure as that before, the thing I wondered is
that why not disable the pkey_execute_disable_supported on p8 machine?

I tried to modify your patch and get PASS with the mprotect04 test on power8 lpar machine.

--- a/arch/powerpc/mm/pkeys.c
+++ b/arch/powerpc/mm/pkeys.c
@@ -105,7 +105,9 @@ int pkey_initialize(void)
         * The device tree cannot be relied to indicate support for
         * execute_disable support. Instead we use a PVR check.
         */
-       if (pvr_version_is(PVR_POWER7) || pvr_version_is(PVR_POWER7p))
+       if (pvr_version_is(PVR_POWER7) || pvr_version_is(PVR_POWER7p) \
+               || pvr_version_is(PVR_POWER8E) || pvr_version_is(PVR_POWER8NVL) \
+               || pvr_version_is(PVR_POWER8))
                pkey_execute_disable_supported = false;
        else
                pkey_execute_disable_supported = true;
@@ -395,7 +397,7 @@ int __arch_override_mprotect_pkey(struct vm_area_struct *vma, int prot,
         * The requested protection is execute-only. Hence let's use an
         * execute-only pkey.
         */
-       if (prot == PROT_EXEC) {
+       if (prot == PROT_EXEC && pkey_execute_disable_supported) {
                pkey = execute_only_pkey(vma->vm_mm);
                if (pkey > 0)
                        return pkey;


 


diff --git a/arch/powerpc/mm/pkeys.c b/arch/powerpc/mm/pkeys.c
index c269817..184a10a 100644
--- a/arch/powerpc/mm/pkeys.c
+++ b/arch/powerpc/mm/pkeys.c
@@ -421,7 +421,7 @@ int __arch_override_mprotect_pkey(struct vm_area_struct *vma, int prot,
         * The requested protection is execute-only. Hence let's use an
         * execute-only pkey.
         */
-       if (prot == PROT_EXEC) {
​​
+       if (prot == PROT_EXEC && pkey_execute_disable_supported) {
                pkey = execute_only_pkey(vma->vm_mm);
                if (pkey > 0)
                        return pkey;


Thanks
RP




--

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux