Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
[PATCH] arm64: print a fault message when attempting to write RO memory
948 views
Skip to first unread message
Stephen Boyd
Feb 15, 2017, 9:00:06 PM2/15/17
to
If a page is marked read only we should print out that fact,
instead of printing out that there was a page fault. Right now we
get a cryptic error message that something went wrong with an
unhandled fault, but we don't evaluate the esr to figure out that
it was a read/write permission fault.
Instead of seeing:
Unable to handle kernel paging request at virtual address ffff000008e460d8
pgd = ffff800003504000
[ffff000008e460d8] *pgd=0000000083473003, *pud=0000000083503003, *pmd=0000000000000000
Internal error: Oops: 9600004f [#1] PREEMPT SMP
we'll see:
Internal error: Attempting to write read-only memory: 9600004f [#1] PREEMPT SMP
Cc: Laura Abbott <lab...@redhat.com>
Cc: Mark Rutland <mark.r...@arm.com>
Signed-off-by: Stephen Boyd <stephe...@linaro.org>
---
arch/arm64/mm/fault.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index 156169c6981b..752507fa80ec 100644
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -331,6 +331,11 @@ static int __kprobes do_page_fault(unsigned long addr, unsigned int esr,
if (!search_exception_tables(regs->pc))
die("Accessing user space memory outside uaccess.h routines", regs, esr);
+ } else if (is_permission_fault(esr, regs)) {
+ if (esr & ESR_ELx_WNR)
+ die("Attempting to write read-only memory", regs, esr);
+ else
+ die("Attempting to read unreadable memory", regs, esr);
}
/*
--
2.10.0.297.gf6727b0
instead of printing out that there was a page fault. Right now we
get a cryptic error message that something went wrong with an
unhandled fault, but we don't evaluate the esr to figure out that
it was a read/write permission fault.
Instead of seeing:
Unable to handle kernel paging request at virtual address ffff000008e460d8
pgd = ffff800003504000
[ffff000008e460d8] *pgd=0000000083473003, *pud=0000000083503003, *pmd=0000000000000000
Internal error: Oops: 9600004f [#1] PREEMPT SMP
we'll see:
Internal error: Attempting to write read-only memory: 9600004f [#1] PREEMPT SMP
Cc: Laura Abbott <lab...@redhat.com>
Cc: Mark Rutland <mark.r...@arm.com>
Signed-off-by: Stephen Boyd <stephe...@linaro.org>
---
arch/arm64/mm/fault.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index 156169c6981b..752507fa80ec 100644
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -331,6 +331,11 @@ static int __kprobes do_page_fault(unsigned long addr, unsigned int esr,
if (!search_exception_tables(regs->pc))
die("Accessing user space memory outside uaccess.h routines", regs, esr);
+ } else if (is_permission_fault(esr, regs)) {
+ if (esr & ESR_ELx_WNR)
+ die("Attempting to write read-only memory", regs, esr);
+ else
+ die("Attempting to read unreadable memory", regs, esr);
}
/*
--
2.10.0.297.gf6727b0
Stephen Boyd
Feb 16, 2017, 8:30:06 PM2/16/17
to
If a page is marked read only we should print out that fact,
instead of printing out that there was a page fault. Right now we
get a cryptic error message that something went wrong with an
unhandled fault, but we don't evaluate the esr to figure out that
it was a read/write permission fault.
Instead of seeing:
Unable to handle kernel paging request at virtual address ffff000008e460d8
pgd = ffff800003504000
[ffff000008e460d8] *pgd=0000000083473003, *pud=0000000083503003, *pmd=0000000000000000
Internal error: Oops: 9600004f [#1] PREEMPT SMP
we'll see:
Unable to handle kernel write to read-only memory at virtual address ffff000008e760d8
instead of printing out that there was a page fault. Right now we
get a cryptic error message that something went wrong with an
unhandled fault, but we don't evaluate the esr to figure out that
it was a read/write permission fault.
Instead of seeing:
Unable to handle kernel paging request at virtual address ffff000008e460d8
pgd = ffff800003504000
[ffff000008e460d8] *pgd=0000000083473003, *pud=0000000083503003, *pmd=0000000000000000
Internal error: Oops: 9600004f [#1] PREEMPT SMP
we'll see:
pgd = ffff80003d3de000
[ffff000008e760d8] *pgd=0000000083472003, *pud=0000000083435003, *pmd=0000000000000000
Internal error: Oops: 9600004f [#1] PREEMPT SMP
Cc: James Morse <james...@arm.com>
Cc: Laura Abbott <lab...@redhat.com>
Cc: Mark Rutland <mark.r...@arm.com>
Signed-off-by: Stephen Boyd <stephe...@linaro.org>
---
Changes from v1:
Cc: Mark Rutland <mark.r...@arm.com>
Signed-off-by: Stephen Boyd <stephe...@linaro.org>
---
* Move into __do_kernel_fault() (Mark Rutland)
arch/arm64/mm/fault.c | 47 +++++++++++++++++++++++++++++------------------
1 file changed, 29 insertions(+), 18 deletions(-)
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index 156169c6981b..8bd4e7f11c70 100644
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -160,12 +160,28 @@ static bool is_el1_instruction_abort(unsigned int esr)
return ESR_ELx_EC(esr) == ESR_ELx_EC_IABT_CUR;
}
+static inline bool is_permission_fault(unsigned int esr, struct pt_regs *regs)
+{
+ unsigned int ec = ESR_ELx_EC(esr);
+ unsigned int fsc_type = esr & ESR_ELx_FSC_TYPE;
+
+ if (ec != ESR_ELx_EC_DABT_CUR && ec != ESR_ELx_EC_IABT_CUR)
+ return false;
+
+ if (system_uses_ttbr0_pan())
+ return fsc_type == ESR_ELx_FSC_FAULT &&
+ (regs->pstate & PSR_PAN_BIT);
+ else
+ return fsc_type == ESR_ELx_FSC_PERM;
+}
+
/*
* The kernel tried to access some page that wasn't present.
*/
static void __do_kernel_fault(struct mm_struct *mm, unsigned long addr,
unsigned int esr, struct pt_regs *regs)
{
+ const char *msg;
/*
* Are we prepared to handle this kernel fault?
* We are almost certainly not prepared to handle instruction faults.
@@ -177,9 +193,19 @@ static void __do_kernel_fault(struct mm_struct *mm, unsigned long addr,
* No handler, we'll have to terminate things with extreme prejudice.
*/
bust_spinlocks(1);
- pr_alert("Unable to handle kernel %s at virtual address %08lx\n",
- (addr < PAGE_SIZE) ? "NULL pointer dereference" :
- "paging request", addr);
+
+ if (is_permission_fault(esr, regs)) {
+ if (esr & ESR_ELx_WNR)
+ msg = "write to read-only memory";
+ else
+ msg = "read from unreadable memory";
+ } else if (addr < PAGE_SIZE)
+ msg = "NULL pointer dereference";
+ else
+ msg = "paging request";
+
+ pr_alert("Unable to handle kernel %s at virtual address %08lx\n", msg,
+ addr);
show_pte(mm, addr);
die("Oops", regs, esr);
@@ -269,21 +295,6 @@ static int __do_page_fault(struct mm_struct *mm, unsigned long addr,
return fault;
}
-static inline bool is_permission_fault(unsigned int esr, struct pt_regs *regs)
-{
- unsigned int ec = ESR_ELx_EC(esr);
- unsigned int fsc_type = esr & ESR_ELx_FSC_TYPE;
-
- if (ec != ESR_ELx_EC_DABT_CUR && ec != ESR_ELx_EC_IABT_CUR)
- return false;
-
- if (system_uses_ttbr0_pan())
- return fsc_type == ESR_ELx_FSC_FAULT &&
- (regs->pstate & PSR_PAN_BIT);
- else
- return fsc_type == ESR_ELx_FSC_PERM;
-}
-
static bool is_el0_instruction_abort(unsigned int esr)
{
return ESR_ELx_EC(esr) == ESR_ELx_EC_IABT_LOW;
--
2.10.0.297.gf6727b0
James Morse
Feb 17, 2017, 6:10:06 AM2/17/17
to
Hi Stephen,
On 17/02/17 01:19, Stephen Boyd wrote:
> If a page is marked read only we should print out that fact,
> instead of printing out that there was a page fault. Right now we
> get a cryptic error message that something went wrong with an
> unhandled fault, but we don't evaluate the esr to figure out that
> it was a read/write permission fault.
>
> Instead of seeing:
>
> Unable to handle kernel paging request at virtual address ffff000008e460d8
> pgd = ffff800003504000
> [ffff000008e460d8] *pgd=0000000083473003, *pud=0000000083503003, *pmd=0000000000000000
> Internal error: Oops: 9600004f [#1] PREEMPT SMP
>
> we'll see:
>
> Unable to handle kernel write to read-only memory at virtual address ffff000008e760d8
> pgd = ffff80003d3de000
> [ffff000008e760d8] *pgd=0000000083472003, *pud=0000000083435003, *pmd=0000000000000000
> Internal error: Oops: 9600004f [#1] PREEMPT SMP
This looks like a good idea..
> diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
> index 156169c6981b..8bd4e7f11c70 100644
> --- a/arch/arm64/mm/fault.c
> +++ b/arch/arm64/mm/fault.c
is because it assumes software-PAN is relevant.
The corner case is when the kernel accesses TTBR1-mapped memory while
software-PAN happens to have swivelled TTBR0. Translation faults will be matched
by is_permission_fault(), but permission faults won't.
Juggling is_permission_fault() to look something like:
---%<---
if (fsc_type == ESR_ELx_FSC_PERM)
return true;
if (addr < USER_DS && system_uses_ttbr0_pan())
return false;
---%<---
... should fix this.
> + if (esr & ESR_ELx_WNR)
> + msg = "write to read-only memory";
> + else
> + msg = "read from unreadable memory";
> + } else if (addr < PAGE_SIZE)
> + msg = "NULL pointer dereference";
> + else
> + msg = "paging request";
Nit: {} all the way down!
> +
> + pr_alert("Unable to handle kernel %s at virtual address %08lx\n", msg,
> + addr);
>
> show_pte(mm, addr);
> die("Oops", regs, esr);
> @@ -269,21 +295,6 @@ static int __do_page_fault(struct mm_struct *mm, unsigned long addr,
> return fault;
> }
> -static inline bool is_permission_fault(unsigned int esr, struct pt_regs *regs)
> -{
> - unsigned int ec = ESR_ELx_EC(esr);
> - unsigned int fsc_type = esr & ESR_ELx_FSC_TYPE;
> -
> - if (ec != ESR_ELx_EC_DABT_CUR && ec != ESR_ELx_EC_IABT_CUR)
> - return false;
> -
> - if (system_uses_ttbr0_pan())
> - return fsc_type == ESR_ELx_FSC_FAULT &&
> - (regs->pstate & PSR_PAN_BIT);
> - else
> - return fsc_type == ESR_ELx_FSC_PERM;
> -}
Thanks!
James
On 17/02/17 01:19, Stephen Boyd wrote:
> If a page is marked read only we should print out that fact,
> instead of printing out that there was a page fault. Right now we
> get a cryptic error message that something went wrong with an
> unhandled fault, but we don't evaluate the esr to figure out that
> it was a read/write permission fault.
>
> Instead of seeing:
>
> Unable to handle kernel paging request at virtual address ffff000008e460d8
> pgd = ffff800003504000
> [ffff000008e460d8] *pgd=0000000083473003, *pud=0000000083503003, *pmd=0000000000000000
> Internal error: Oops: 9600004f [#1] PREEMPT SMP
>
> we'll see:
>
> Unable to handle kernel write to read-only memory at virtual address ffff000008e760d8
> pgd = ffff80003d3de000
> [ffff000008e760d8] *pgd=0000000083472003, *pud=0000000083435003, *pmd=0000000000000000
> Internal error: Oops: 9600004f [#1] PREEMPT SMP
> diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
> index 156169c6981b..8bd4e7f11c70 100644
> --- a/arch/arm64/mm/fault.c
> +++ b/arch/arm64/mm/fault.c
> /*
> * The kernel tried to access some page that wasn't present.
> */
> static void __do_kernel_fault(struct mm_struct *mm, unsigned long addr,
> unsigned int esr, struct pt_regs *regs)
> {
> + const char *msg;
> /*
> * Are we prepared to handle this kernel fault?
> * We are almost certainly not prepared to handle instruction faults.
> @@ -177,9 +193,19 @@ static void __do_kernel_fault(struct mm_struct *mm, unsigned long addr,
> * No handler, we'll have to terminate things with extreme prejudice.
> */
> bust_spinlocks(1);
> - pr_alert("Unable to handle kernel %s at virtual address %08lx\n",
> - (addr < PAGE_SIZE) ? "NULL pointer dereference" :
> - "paging request", addr);
> +
> + if (is_permission_fault(esr, regs)) {
is_permission_fault() was previously guarded with a 'addr<USER_DS' check, this
> * The kernel tried to access some page that wasn't present.
> */
> static void __do_kernel_fault(struct mm_struct *mm, unsigned long addr,
> unsigned int esr, struct pt_regs *regs)
> {
> + const char *msg;
> /*
> * Are we prepared to handle this kernel fault?
> * We are almost certainly not prepared to handle instruction faults.
> @@ -177,9 +193,19 @@ static void __do_kernel_fault(struct mm_struct *mm, unsigned long addr,
> * No handler, we'll have to terminate things with extreme prejudice.
> */
> bust_spinlocks(1);
> - pr_alert("Unable to handle kernel %s at virtual address %08lx\n",
> - (addr < PAGE_SIZE) ? "NULL pointer dereference" :
> - "paging request", addr);
> +
> + if (is_permission_fault(esr, regs)) {
is because it assumes software-PAN is relevant.
The corner case is when the kernel accesses TTBR1-mapped memory while
software-PAN happens to have swivelled TTBR0. Translation faults will be matched
by is_permission_fault(), but permission faults won't.
Juggling is_permission_fault() to look something like:
---%<---
if (fsc_type == ESR_ELx_FSC_PERM)
return true;
if (addr < USER_DS && system_uses_ttbr0_pan())
return fsc_type == ESR_ELx_FSC_FAULT &&
(regs->pstate & PSR_PAN_BIT);
return false;
---%<---
... should fix this.
> + if (esr & ESR_ELx_WNR)
> + msg = "write to read-only memory";
> + else
> + msg = "read from unreadable memory";
> + } else if (addr < PAGE_SIZE)
> + msg = "NULL pointer dereference";
> + else
> + msg = "paging request";
> +
> + pr_alert("Unable to handle kernel %s at virtual address %08lx\n", msg,
> + addr);
>
> show_pte(mm, addr);
> die("Oops", regs, esr);
> @@ -269,21 +295,6 @@ static int __do_page_fault(struct mm_struct *mm, unsigned long addr,
> return fault;
> }
> -static inline bool is_permission_fault(unsigned int esr, struct pt_regs *regs)
> -{
> - unsigned int ec = ESR_ELx_EC(esr);
> - unsigned int fsc_type = esr & ESR_ELx_FSC_TYPE;
> -
> - if (ec != ESR_ELx_EC_DABT_CUR && ec != ESR_ELx_EC_IABT_CUR)
> - return false;
> -
> - if (system_uses_ttbr0_pan())
> - return fsc_type == ESR_ELx_FSC_FAULT &&
> - (regs->pstate & PSR_PAN_BIT);
> - else
> - return fsc_type == ESR_ELx_FSC_PERM;
> -}
James
James Morse
Feb 20, 2017, 6:20:05 AM2/20/17
to
Hi Stephen,
On 17/02/17 15:53, Stephen Boyd wrote:
> Quoting James Morse (2017-02-17 03:00:39)
> quite a few combinations, you're saying that __do_kernel_fault() could
> be called if the kernel attempts to access some userspace address with
> software PAN? That won't be caught in do_page_fault() with the previous
> is_permission_fault() check?
You're right the user-address side of things will get caught in do_page_fault().
I was trying to badly-explain 'is_permission_fault(esr)' isn't as general
purpose as its name and prototype suggest, it only gives the results that the
PAN checks expect when called with a user address.
>> Juggling is_permission_fault() to look something like:
>> ---%<---
>> if (fsc_type == ESR_ELx_FSC_PERM)
>> return true;
>>
>> if (addr < USER_DS && system_uses_ttbr0_pan())
>> return fsc_type == ESR_ELx_FSC_FAULT &&
>> (regs->pstate & PSR_PAN_BIT);
>>
>> return false;
>> ---%<---
>> ... should fix this.
>
> But we don't need to check ec anymore?
Sorry, I was being sloppy, something like the above could replace the if/else
block at the end of is_permission_fault(). You're right we still need the ec check!
Thanks,
James
On 17/02/17 15:53, Stephen Boyd wrote:
> Quoting James Morse (2017-02-17 03:00:39)
>> On 17/02/17 01:19, Stephen Boyd wrote:
>>> diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
>>> index 156169c6981b..8bd4e7f11c70 100644
>>> --- a/arch/arm64/mm/fault.c
>>> +++ b/arch/arm64/mm/fault.c
>>> diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
>>> index 156169c6981b..8bd4e7f11c70 100644
>>> --- a/arch/arm64/mm/fault.c
>>> +++ b/arch/arm64/mm/fault.c
>>> @@ -177,9 +193,19 @@ static void __do_kernel_fault(struct mm_struct *mm, unsigned long addr,
>>> * No handler, we'll have to terminate things with extreme prejudice.
>>> */
>>> bust_spinlocks(1);
>>> - pr_alert("Unable to handle kernel %s at virtual address %08lx\n",
>>> - (addr < PAGE_SIZE) ? "NULL pointer dereference" :
>>> - "paging request", addr);
>>> +
>>> + if (is_permission_fault(esr, regs)) {
>>
>> is_permission_fault() was previously guarded with a 'addr<USER_DS' check, this
>> is because it assumes software-PAN is relevant.
>>
>> The corner case is when the kernel accesses TTBR1-mapped memory while
>> software-PAN happens to have swivelled TTBR0. Translation faults will be matched
>> by is_permission_fault(), but permission faults won't.
>
> If I understand correctly, and I most definitely don't because there are
>>> * No handler, we'll have to terminate things with extreme prejudice.
>>> */
>>> bust_spinlocks(1);
>>> - pr_alert("Unable to handle kernel %s at virtual address %08lx\n",
>>> - (addr < PAGE_SIZE) ? "NULL pointer dereference" :
>>> - "paging request", addr);
>>> +
>>> + if (is_permission_fault(esr, regs)) {
>>
>> is_permission_fault() was previously guarded with a 'addr<USER_DS' check, this
>> is because it assumes software-PAN is relevant.
>>
>> The corner case is when the kernel accesses TTBR1-mapped memory while
>> software-PAN happens to have swivelled TTBR0. Translation faults will be matched
>> by is_permission_fault(), but permission faults won't.
>
> quite a few combinations, you're saying that __do_kernel_fault() could
> be called if the kernel attempts to access some userspace address with
> software PAN? That won't be caught in do_page_fault() with the previous
> is_permission_fault() check?
You're right the user-address side of things will get caught in do_page_fault().
I was trying to badly-explain 'is_permission_fault(esr)' isn't as general
purpose as its name and prototype suggest, it only gives the results that the
PAN checks expect when called with a user address.
>> Juggling is_permission_fault() to look something like:
>> ---%<---
>> if (fsc_type == ESR_ELx_FSC_PERM)
>> return true;
>>
>> if (addr < USER_DS && system_uses_ttbr0_pan())
>> return fsc_type == ESR_ELx_FSC_FAULT &&
>> (regs->pstate & PSR_PAN_BIT);
>>
>> return false;
>> ---%<---
>> ... should fix this.
>
Sorry, I was being sloppy, something like the above could replace the if/else
block at the end of is_permission_fault(). You're right we still need the ec check!
Thanks,
James
Stephen Boyd
Feb 24, 2017, 8:50:05 PM2/24/17
to
Quoting James Morse (2017-02-20 03:10:10)
Ok. I'd rather not change the function in this patch because I'm only
moving the code around to use it higher up in the file. But if you
prefer I can combine the code movement with the addition of a new 'addr'
argument to this function and rework things based on that.
moving the code around to use it higher up in the file. But if you
prefer I can combine the code movement with the addition of a new 'addr'
argument to this function and rework things based on that.
Will Deacon
Mar 23, 2017, 10:30:06 AM3/23/17
to
Hi Stephen,
On Fri, Feb 24, 2017 at 05:39:08PM -0800, Stephen Boyd wrote:
> Quoting James Morse (2017-02-20 03:10:10)
Are you planning to send a v3 of this?
Will
On Fri, Feb 24, 2017 at 05:39:08PM -0800, Stephen Boyd wrote:
> Quoting James Morse (2017-02-20 03:10:10)
Will
Stephen Boyd
Apr 4, 2017, 2:30:05 AM4/4/17
to
Quoting Will Deacon (2017-03-23 07:22:39)
preference one way or the other. I suppose no reply means "yes" here, so
I'll go ahead and fold everything together into one patch and resend.
> On Fri, Feb 24, 2017 at 05:39:08PM -0800, Stephen Boyd wrote:
> > Quoting James Morse (2017-02-20 03:10:10)
> > >
> > Quoting James Morse (2017-02-20 03:10:10)
> > >
> > > You're right the user-address side of things will get caught in do_page_fault().
> > > I was trying to badly-explain 'is_permission_fault(esr)' isn't as general
> > > purpose as its name and prototype suggest, it only gives the results that the
> > > PAN checks expect when called with a user address.
> >
> > Ok. I'd rather not change the function in this patch because I'm only
> > moving the code around to use it higher up in the file. But if you
> > prefer I can combine the code movement with the addition of a new 'addr'
> > argument to this function and rework things based on that.
>
> Are you planning to send a v3 of this?
>
Sorry for the late reply. I was hoping that James would indicate
> > > I was trying to badly-explain 'is_permission_fault(esr)' isn't as general
> > > purpose as its name and prototype suggest, it only gives the results that the
> > > PAN checks expect when called with a user address.
> >
> > Ok. I'd rather not change the function in this patch because I'm only
> > moving the code around to use it higher up in the file. But if you
> > prefer I can combine the code movement with the addition of a new 'addr'
> > argument to this function and rework things based on that.
>
> Are you planning to send a v3 of this?
>
preference one way or the other. I suppose no reply means "yes" here, so
I'll go ahead and fold everything together into one patch and resend.
Stephen Boyd
Apr 4, 2017, 3:00:05 AM4/4/17
to
If a page is marked read only we should print out that fact,
instead of printing out that there was a page fault. Right now we
get a cryptic error message that something went wrong with an
unhandled fault, but we don't evaluate the esr to figure out that
it was a read/write permission fault.
Instead of seeing:
Unable to handle kernel paging request at virtual address ffff000008e460d8
pgd = ffff800003504000
[ffff000008e460d8] *pgd=0000000083473003, *pud=0000000083503003, *pmd=0000000000000000
Internal error: Oops: 9600004f [#1] PREEMPT SMP
we'll see:
Unable to handle kernel write to read-only memory at virtual address ffff000008e760d8
pgd = ffff80003d3de000
[ffff000008e760d8] *pgd=0000000083472003, *pud=0000000083435003, *pmd=0000000000000000
Internal error: Oops: 9600004f [#1] PREEMPT SMP
We also fold the userspace address check into is_permission_fault()
instead of printing out that there was a page fault. Right now we
get a cryptic error message that something went wrong with an
unhandled fault, but we don't evaluate the esr to figure out that
it was a read/write permission fault.
Instead of seeing:
Unable to handle kernel paging request at virtual address ffff000008e460d8
pgd = ffff800003504000
[ffff000008e460d8] *pgd=0000000083473003, *pud=0000000083503003, *pmd=0000000000000000
Internal error: Oops: 9600004f [#1] PREEMPT SMP
we'll see:
Unable to handle kernel write to read-only memory at virtual address ffff000008e760d8
pgd = ffff80003d3de000
[ffff000008e760d8] *pgd=0000000083472003, *pud=0000000083435003, *pmd=0000000000000000
Internal error: Oops: 9600004f [#1] PREEMPT SMP
instead of at the current callsite so that the function can't be
abused with software PAN and a kernel space address.
Cc: James Morse <james...@arm.com>
Cc: Laura Abbott <lab...@redhat.com>
Cc: Mark Rutland <mark.r...@arm.com>
Signed-off-by: Stephen Boyd <stephe...@linaro.org>
---
* Fold addr check into is_permission_fault() (James Morse)
Changes from v1:
* Move into __do_kernel_fault() (Mark Rutland)
1 file changed, 35 insertions(+), 19 deletions(-)
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index 156169c6981b..c6560cb4ef50 100644
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -160,12 +160,32 @@ static bool is_el1_instruction_abort(unsigned int esr)
return ESR_ELx_EC(esr) == ESR_ELx_EC_IABT_CUR;
}
+static inline bool is_permission_fault(unsigned int esr, struct pt_regs *regs,
+ unsigned long addr)
+{
+ unsigned int ec = ESR_ELx_EC(esr);
+ unsigned int fsc_type = esr & ESR_ELx_FSC_TYPE;
+
+ if (ec != ESR_ELx_EC_DABT_CUR && ec != ESR_ELx_EC_IABT_CUR)
+ return false;
+
+ if (fsc_type == ESR_ELx_FSC_PERM)
+ unsigned int ec = ESR_ELx_EC(esr);
+ unsigned int fsc_type = esr & ESR_ELx_FSC_TYPE;
+
+ if (ec != ESR_ELx_EC_DABT_CUR && ec != ESR_ELx_EC_IABT_CUR)
+ return false;
+
+ return true;
+
+ if (addr < USER_DS && system_uses_ttbr0_pan())
+ return fsc_type == ESR_ELx_FSC_FAULT &&
+ (regs->pstate & PSR_PAN_BIT);
+
+ (regs->pstate & PSR_PAN_BIT);
+
+ return false;
+}
+
+}
+
/*
* The kernel tried to access some page that wasn't present.
*/
* The kernel tried to access some page that wasn't present.
*/
static void __do_kernel_fault(struct mm_struct *mm, unsigned long addr,
unsigned int esr, struct pt_regs *regs)
{
+ const char *msg;
/*
* Are we prepared to handle this kernel fault?
* We are almost certainly not prepared to handle instruction faults.
@@ -177,9 +197,20 @@ static void __do_kernel_fault(struct mm_struct *mm, unsigned long addr,
{
+ const char *msg;
/*
* Are we prepared to handle this kernel fault?
* We are almost certainly not prepared to handle instruction faults.
* No handler, we'll have to terminate things with extreme prejudice.
*/
bust_spinlocks(1);
- pr_alert("Unable to handle kernel %s at virtual address %08lx\n",
- (addr < PAGE_SIZE) ? "NULL pointer dereference" :
- "paging request", addr);
+
+ if (is_permission_fault(esr, regs, addr)) {
*/
bust_spinlocks(1);
- pr_alert("Unable to handle kernel %s at virtual address %08lx\n",
- (addr < PAGE_SIZE) ? "NULL pointer dereference" :
- "paging request", addr);
+
+ if (esr & ESR_ELx_WNR)
+ msg = "write to read-only memory";
+ else
+ msg = "read from unreadable memory";
+ } else if (addr < PAGE_SIZE) {
+ msg = "NULL pointer dereference";
+ } else {
+ msg = "paging request";
+ }
+ msg = "write to read-only memory";
+ else
+ msg = "read from unreadable memory";
+ } else if (addr < PAGE_SIZE) {
+ msg = "NULL pointer dereference";
+ } else {
+ msg = "paging request";
+
+ pr_alert("Unable to handle kernel %s at virtual address %08lx\n", msg,
+ addr);
show_pte(mm, addr);
die("Oops", regs, esr);
@@ -269,21 +300,6 @@ static int __do_page_fault(struct mm_struct *mm, unsigned long addr,
+ pr_alert("Unable to handle kernel %s at virtual address %08lx\n", msg,
+ addr);
show_pte(mm, addr);
die("Oops", regs, esr);
return fault;
}
-static inline bool is_permission_fault(unsigned int esr, struct pt_regs *regs)
-{
- unsigned int ec = ESR_ELx_EC(esr);
- unsigned int fsc_type = esr & ESR_ELx_FSC_TYPE;
-
- if (ec != ESR_ELx_EC_DABT_CUR && ec != ESR_ELx_EC_IABT_CUR)
- return false;
-
- if (system_uses_ttbr0_pan())
- return fsc_type == ESR_ELx_FSC_FAULT &&
- (regs->pstate & PSR_PAN_BIT);
- else
- return fsc_type == ESR_ELx_FSC_PERM;
-}
}
-static inline bool is_permission_fault(unsigned int esr, struct pt_regs *regs)
-{
- unsigned int ec = ESR_ELx_EC(esr);
- unsigned int fsc_type = esr & ESR_ELx_FSC_TYPE;
-
- if (ec != ESR_ELx_EC_DABT_CUR && ec != ESR_ELx_EC_IABT_CUR)
- return false;
-
- if (system_uses_ttbr0_pan())
- return fsc_type == ESR_ELx_FSC_FAULT &&
- (regs->pstate & PSR_PAN_BIT);
- else
- return fsc_type == ESR_ELx_FSC_PERM;
-}
-
static bool is_el0_instruction_abort(unsigned int esr)
{
return ESR_ELx_EC(esr) == ESR_ELx_EC_IABT_LOW;
@@ -321,7 +337,7 @@ static int __kprobes do_page_fault(unsigned long addr, unsigned int esr,
static bool is_el0_instruction_abort(unsigned int esr)
{
return ESR_ELx_EC(esr) == ESR_ELx_EC_IABT_LOW;
mm_flags |= FAULT_FLAG_WRITE;
}
- if (addr < USER_DS && is_permission_fault(esr, regs)) {
+ if (is_permission_fault(esr, regs, addr)) {
/* regs->orig_addr_limit may be 0 if we entered from EL0 */
if (regs->orig_addr_limit == KERNEL_DS)
die("Accessing user space memory with fs=KERNEL_DS", regs, esr);
--
2.10.0.297.gf6727b0
James Morse
Apr 4, 2017, 7:30:05 AM4/4/17
to
Hi Stephen,
On 04/04/17 07:58, Stephen Boyd wrote:
> If a page is marked read only we should print out that fact,
> instead of printing out that there was a page fault. Right now we
> get a cryptic error message that something went wrong with an
> unhandled fault, but we don't evaluate the esr to figure out that
> it was a read/write permission fault.
>
> Instead of seeing:
>
> Unable to handle kernel paging request at virtual address ffff000008e460d8
> pgd = ffff800003504000
> [ffff000008e460d8] *pgd=0000000083473003, *pud=0000000083503003, *pmd=0000000000000000
> Internal error: Oops: 9600004f [#1] PREEMPT SMP
>
> we'll see:
>
> Unable to handle kernel write to read-only memory at virtual address ffff000008e760d8
> pgd = ffff80003d3de000
> [ffff000008e760d8] *pgd=0000000083472003, *pud=0000000083435003, *pmd=0000000000000000
> Internal error: Oops: 9600004f [#1] PREEMPT SMP
>
> We also fold the userspace address check into is_permission_fault()
> instead of at the current callsite so that the function can't be
> abused with software PAN and a kernel space address.
too, we need to keep the addr check for these. (sorry, I missed this detail
first time round)
When I tried lkdtm's 'WRITE_RO' test it gave:
> [ 2114.718807] Internal error: Accessing user space memory outside uaccess.h
> routines: 9600004e [#1] PREEMPT SMP
With this hunk omitted I got the expected:
> [ 1476.243296] Unable to handle kernel write to read-only memory at virtual
> address ffff000008a11f10
I also gave this a spin on software-models with PAN and PAN+UAO, and TTBR0-PAN
on Juno.
With that hunk omitted:
Reviewed-by: James Morse <james...@arm.com>
Tested-by: James Morse <james...@arm.com>
Thanks,
James
On 04/04/17 07:58, Stephen Boyd wrote:
> If a page is marked read only we should print out that fact,
> instead of printing out that there was a page fault. Right now we
> get a cryptic error message that something went wrong with an
> unhandled fault, but we don't evaluate the esr to figure out that
> it was a read/write permission fault.
>
> Instead of seeing:
>
> Unable to handle kernel paging request at virtual address ffff000008e460d8
> pgd = ffff800003504000
> [ffff000008e460d8] *pgd=0000000083473003, *pud=0000000083503003, *pmd=0000000000000000
> Internal error: Oops: 9600004f [#1] PREEMPT SMP
>
> we'll see:
>
> Unable to handle kernel write to read-only memory at virtual address ffff000008e760d8
> pgd = ffff80003d3de000
> [ffff000008e760d8] *pgd=0000000083472003, *pud=0000000083435003, *pmd=0000000000000000
> Internal error: Oops: 9600004f [#1] PREEMPT SMP
>
> We also fold the userspace address check into is_permission_fault()
> instead of at the current callsite so that the function can't be
> abused with software PAN and a kernel space address.
> diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
> index 156169c6981b..c6560cb4ef50 100644
> --- a/arch/arm64/mm/fault.c
> +++ b/arch/arm64/mm/fault.c
> index 156169c6981b..c6560cb4ef50 100644
> --- a/arch/arm64/mm/fault.c
> +++ b/arch/arm64/mm/fault.c
> @@ -321,7 +337,7 @@ static int __kprobes do_page_fault(unsigned long addr, unsigned int esr,
> mm_flags |= FAULT_FLAG_WRITE;
> }
>
> - if (addr < USER_DS && is_permission_fault(esr, regs)) {
> + if (is_permission_fault(esr, regs, addr)) {
> /* regs->orig_addr_limit may be 0 if we entered from EL0 */
> if (regs->orig_addr_limit == KERNEL_DS)
> die("Accessing user space memory with fs=KERNEL_DS", regs, esr);
>
This change means the PAN checks claim permission faults on kernel addresses
> mm_flags |= FAULT_FLAG_WRITE;
> }
>
> - if (addr < USER_DS && is_permission_fault(esr, regs)) {
> + if (is_permission_fault(esr, regs, addr)) {
> /* regs->orig_addr_limit may be 0 if we entered from EL0 */
> if (regs->orig_addr_limit == KERNEL_DS)
> die("Accessing user space memory with fs=KERNEL_DS", regs, esr);
>
too, we need to keep the addr check for these. (sorry, I missed this detail
first time round)
When I tried lkdtm's 'WRITE_RO' test it gave:
> [ 2114.718807] Internal error: Accessing user space memory outside uaccess.h
> routines: 9600004e [#1] PREEMPT SMP
With this hunk omitted I got the expected:
> [ 1476.243296] Unable to handle kernel write to read-only memory at virtual
> address ffff000008a11f10
I also gave this a spin on software-models with PAN and PAN+UAO, and TTBR0-PAN
on Juno.
With that hunk omitted:
Reviewed-by: James Morse <james...@arm.com>
Tested-by: James Morse <james...@arm.com>
Thanks,
James
Laura Abbott
Apr 4, 2017, 12:10:06 PM4/4/17
to
On 04/03/2017 11:58 PM, Stephen Boyd wrote:
> If a page is marked read only we should print out that fact,
> instead of printing out that there was a page fault. Right now we
> get a cryptic error message that something went wrong with an
> unhandled fault, but we don't evaluate the esr to figure out that
> it was a read/write permission fault.
>
> Instead of seeing:
>
> Unable to handle kernel paging request at virtual address ffff000008e460d8
> pgd = ffff800003504000
> [ffff000008e460d8] *pgd=0000000083473003, *pud=0000000083503003, *pmd=0000000000000000
> Internal error: Oops: 9600004f [#1] PREEMPT SMP
>
> we'll see:
>
> Unable to handle kernel write to read-only memory at virtual address ffff000008e760d8
> pgd = ffff80003d3de000
> [ffff000008e760d8] *pgd=0000000083472003, *pud=0000000083435003, *pmd=0000000000000000
> Internal error: Oops: 9600004f [#1] PREEMPT SMP
>
> We also fold the userspace address check into is_permission_fault()
> instead of at the current callsite so that the function can't be
> abused with software PAN and a kernel space address.
>
> Cc: James Morse <james...@arm.com>
> Cc: Laura Abbott <lab...@redhat.com>
> Cc: Mark Rutland <mark.r...@arm.com>
> Signed-off-by: Stephen Boyd <stephe...@linaro.org>
Acked-by: Laura Abbott <lab...@redhat.com>
> If a page is marked read only we should print out that fact,
> instead of printing out that there was a page fault. Right now we
> get a cryptic error message that something went wrong with an
> unhandled fault, but we don't evaluate the esr to figure out that
> it was a read/write permission fault.
>
> Instead of seeing:
>
> Unable to handle kernel paging request at virtual address ffff000008e460d8
> pgd = ffff800003504000
> [ffff000008e460d8] *pgd=0000000083473003, *pud=0000000083503003, *pmd=0000000000000000
> Internal error: Oops: 9600004f [#1] PREEMPT SMP
>
> we'll see:
>
> Unable to handle kernel write to read-only memory at virtual address ffff000008e760d8
> pgd = ffff80003d3de000
> [ffff000008e760d8] *pgd=0000000083472003, *pud=0000000083435003, *pmd=0000000000000000
> Internal error: Oops: 9600004f [#1] PREEMPT SMP
>
> We also fold the userspace address check into is_permission_fault()
> instead of at the current callsite so that the function can't be
> abused with software PAN and a kernel space address.
>
> Cc: James Morse <james...@arm.com>
> Cc: Laura Abbott <lab...@redhat.com>
> Cc: Mark Rutland <mark.r...@arm.com>
> Signed-off-by: Stephen Boyd <stephe...@linaro.org>
Stephen Boyd
Apr 5, 2017, 3:20:05 PM4/5/17
to
If a page is marked read only we should print out that fact,
instead of printing out that there was a page fault. Right now we
get a cryptic error message that something went wrong with an
unhandled fault, but we don't evaluate the esr to figure out that
it was a read/write permission fault.
Instead of seeing:
Unable to handle kernel paging request at virtual address ffff000008e460d8
pgd = ffff800003504000
[ffff000008e460d8] *pgd=0000000083473003, *pud=0000000083503003, *pmd=0000000000000000
Internal error: Oops: 9600004f [#1] PREEMPT SMP
we'll see:
Unable to handle kernel write to read-only memory at virtual address ffff000008e760d8
pgd = ffff80003d3de000
[ffff000008e760d8] *pgd=0000000083472003, *pud=0000000083435003, *pmd=0000000000000000
Internal error: Oops: 9600004f [#1] PREEMPT SMP
We also add a userspace address check into is_permission_fault()
instead of printing out that there was a page fault. Right now we
get a cryptic error message that something went wrong with an
unhandled fault, but we don't evaluate the esr to figure out that
it was a read/write permission fault.
Instead of seeing:
Unable to handle kernel paging request at virtual address ffff000008e460d8
pgd = ffff800003504000
[ffff000008e460d8] *pgd=0000000083473003, *pud=0000000083503003, *pmd=0000000000000000
Internal error: Oops: 9600004f [#1] PREEMPT SMP
we'll see:
Unable to handle kernel write to read-only memory at virtual address ffff000008e760d8
pgd = ffff80003d3de000
[ffff000008e760d8] *pgd=0000000083472003, *pud=0000000083435003, *pmd=0000000000000000
Internal error: Oops: 9600004f [#1] PREEMPT SMP
so that the function doesn't return true for ttbr0 PAN faults
when it shouldn't.
Acked-by: Laura Abbott <lab...@redhat.com>
---
Changes from v3:
* Don't drop addr check in do_page_fault() (James Morse)
Changes from v2:
* Fold addr check into is_permission_fault() (James Morse)
Changes from v1:
* Move into __do_kernel_fault() (Mark Rutland)
1 file changed, 36 insertions(+), 19 deletions(-)
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index 156169c6981b..3bde99769679 100644
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -160,12 +160,33 @@ static bool is_el1_instruction_abort(unsigned int esr)
/*
* Are we prepared to handle this kernel fault?
* We are almost certainly not prepared to handle instruction faults.
@@ -177,9 +198,20 @@ static void __do_kernel_fault(struct mm_struct *mm, unsigned long addr,
* Are we prepared to handle this kernel fault?
* We are almost certainly not prepared to handle instruction faults.
* No handler, we'll have to terminate things with extreme prejudice.
*/
bust_spinlocks(1);
- pr_alert("Unable to handle kernel %s at virtual address %08lx\n",
- (addr < PAGE_SIZE) ? "NULL pointer dereference" :
- "paging request", addr);
+
+ if (is_permission_fault(esr, regs, addr)) {
+ if (esr & ESR_ELx_WNR)
+ msg = "write to read-only memory";
+ else
+ msg = "read from unreadable memory";
+ } else if (addr < PAGE_SIZE) {
+ msg = "NULL pointer dereference";
+ } else {
+ msg = "paging request";
+ }
+
+ pr_alert("Unable to handle kernel %s at virtual address %08lx\n", msg,
+ addr);
show_pte(mm, addr);
die("Oops", regs, esr);
@@ -269,21 +301,6 @@ static int __do_page_fault(struct mm_struct *mm, unsigned long addr,
*/
bust_spinlocks(1);
- pr_alert("Unable to handle kernel %s at virtual address %08lx\n",
- (addr < PAGE_SIZE) ? "NULL pointer dereference" :
- "paging request", addr);
+
+ if (is_permission_fault(esr, regs, addr)) {
+ if (esr & ESR_ELx_WNR)
+ msg = "write to read-only memory";
+ else
+ msg = "read from unreadable memory";
+ } else if (addr < PAGE_SIZE) {
+ msg = "NULL pointer dereference";
+ } else {
+ msg = "paging request";
+ }
+
+ pr_alert("Unable to handle kernel %s at virtual address %08lx\n", msg,
+ addr);
show_pte(mm, addr);
die("Oops", regs, esr);
return fault;
}
-static inline bool is_permission_fault(unsigned int esr, struct pt_regs *regs)
-{
- unsigned int ec = ESR_ELx_EC(esr);
- unsigned int fsc_type = esr & ESR_ELx_FSC_TYPE;
-
- if (ec != ESR_ELx_EC_DABT_CUR && ec != ESR_ELx_EC_IABT_CUR)
- return false;
-
- if (system_uses_ttbr0_pan())
- return fsc_type == ESR_ELx_FSC_FAULT &&
- (regs->pstate & PSR_PAN_BIT);
- else
- return fsc_type == ESR_ELx_FSC_PERM;
-}
-
static bool is_el0_instruction_abort(unsigned int esr)
{
return ESR_ELx_EC(esr) == ESR_ELx_EC_IABT_LOW;
@@ -321,7 +338,7 @@ static int __kprobes do_page_fault(unsigned long addr, unsigned int esr,
}
-static inline bool is_permission_fault(unsigned int esr, struct pt_regs *regs)
-{
- unsigned int ec = ESR_ELx_EC(esr);
- unsigned int fsc_type = esr & ESR_ELx_FSC_TYPE;
-
- if (ec != ESR_ELx_EC_DABT_CUR && ec != ESR_ELx_EC_IABT_CUR)
- return false;
-
- if (system_uses_ttbr0_pan())
- return fsc_type == ESR_ELx_FSC_FAULT &&
- (regs->pstate & PSR_PAN_BIT);
- else
- return fsc_type == ESR_ELx_FSC_PERM;
-}
-
static bool is_el0_instruction_abort(unsigned int esr)
{
return ESR_ELx_EC(esr) == ESR_ELx_EC_IABT_LOW;
mm_flags |= FAULT_FLAG_WRITE;
}
- if (addr < USER_DS && is_permission_fault(esr, regs)) {
+ if (addr < USER_DS && is_permission_fault(esr, regs, addr)) {
}
- if (addr < USER_DS && is_permission_fault(esr, regs)) {
/* regs->orig_addr_limit may be 0 if we entered from EL0 */
if (regs->orig_addr_limit == KERNEL_DS)
die("Accessing user space memory with fs=KERNEL_DS", regs, esr);
--
if (regs->orig_addr_limit == KERNEL_DS)
die("Accessing user space memory with fs=KERNEL_DS", regs, esr);
2.10.0.297.gf6727b0
Catalin Marinas
Apr 6, 2017, 12:40:06 PM4/6/17
to
On Wed, Apr 05, 2017 at 12:18:31PM -0700, Stephen Boyd wrote:
> If a page is marked read only we should print out that fact,
> instead of printing out that there was a page fault. Right now we
> get a cryptic error message that something went wrong with an
> unhandled fault, but we don't evaluate the esr to figure out that
> it was a read/write permission fault.
>
> Instead of seeing:
>
> Unable to handle kernel paging request at virtual address ffff000008e460d8
> pgd = ffff800003504000
> [ffff000008e460d8] *pgd=0000000083473003, *pud=0000000083503003, *pmd=0000000000000000
> Internal error: Oops: 9600004f [#1] PREEMPT SMP
>
> we'll see:
>
> Unable to handle kernel write to read-only memory at virtual address ffff000008e760d8
> pgd = ffff80003d3de000
> [ffff000008e760d8] *pgd=0000000083472003, *pud=0000000083435003, *pmd=0000000000000000
> Internal error: Oops: 9600004f [#1] PREEMPT SMP
>
> We also add a userspace address check into is_permission_fault()
> so that the function doesn't return true for ttbr0 PAN faults
> when it shouldn't.
>
> Reviewed-by: James Morse <james...@arm.com>
> Tested-by: James Morse <james...@arm.com>
> Acked-by: Laura Abbott <lab...@redhat.com>
> Cc: Mark Rutland <mark.r...@arm.com>
> Signed-off-by: Stephen Boyd <stephe...@linaro.org>
Queued for 4.12. Thanks.
> If a page is marked read only we should print out that fact,
> instead of printing out that there was a page fault. Right now we
> get a cryptic error message that something went wrong with an
> unhandled fault, but we don't evaluate the esr to figure out that
> it was a read/write permission fault.
>
> Instead of seeing:
>
> Unable to handle kernel paging request at virtual address ffff000008e460d8
> pgd = ffff800003504000
> [ffff000008e460d8] *pgd=0000000083473003, *pud=0000000083503003, *pmd=0000000000000000
> Internal error: Oops: 9600004f [#1] PREEMPT SMP
>
> we'll see:
>
> Unable to handle kernel write to read-only memory at virtual address ffff000008e760d8
> pgd = ffff80003d3de000
> [ffff000008e760d8] *pgd=0000000083472003, *pud=0000000083435003, *pmd=0000000000000000
> Internal error: Oops: 9600004f [#1] PREEMPT SMP
>
> We also add a userspace address check into is_permission_fault()
> so that the function doesn't return true for ttbr0 PAN faults
> when it shouldn't.
>
> Reviewed-by: James Morse <james...@arm.com>
> Tested-by: James Morse <james...@arm.com>
> Acked-by: Laura Abbott <lab...@redhat.com>
> Cc: Mark Rutland <mark.r...@arm.com>
> Signed-off-by: Stephen Boyd <stephe...@linaro.org>
--
Catalin
0 new messages