[PATCH v2 01/22] powerpc/pkeys: Avoid using lockless page table walk

Aneesh Kumar K.V aneesh.kumar at linux.ibm.com
Sun Apr 5 23:37:40 AEST 2020 

Ram Pai <linuxram at us.ibm.com> writes:

> On Thu, Mar 19, 2020 at 09:25:48AM +0530, Aneesh Kumar K.V wrote:
>> Fetch pkey from vma instead of linux page table. Also document the fact that in
>> some cases the pkey returned in siginfo won't be the same as the one we took
>> keyfault on. Even with linux page table walk, we can end up in a similar scenario.
>
> There is no way to correctly ensure that the key returned through
> siginfo is actually the key that took the fault.  Either get it
> from page table or get it from the corresponding vma.

That is correct.

>
> So we had to choose the lesser evil. Getting it from the page table was
> faster, and did not involve taking any locks.

That is because you are locks which need to be held on page table walk.

>Getting it from the vma
> was slower, since it needed locks.  Also I faintly recall, there
> is a scenario where the address that gets a key fault, has no
> corresponding VMA associated with it yet.

I would be interested in this. For now IIUC even x86 fetch the key from
VMA.

>
> Hence the logic used was --
> 	if it is key-fault, than procure the key quickly
> 	from the page table.  In the unlikely event that the fault is
> 	something else, but still has a non-permissive key associated
> 	with it, get the key from the vma.


I am fixing that logic further in the next patch. I do have a test case
attached for that. We always check for the key in the vma and if it
allows access, then we retry.


>
> A well written application should avoid changing the key of an address
> space without synchronizing the corresponding threads that operate in
> that address range.  However, if the application ignores to do so, than
> it is vulnerable to a undefined behavior. There is no way to prove that
> the reported key is correct or incorrect, since there is no provable
> order between the two events; the key-fault event and the key-change
> event.
>
> Hence I think the change proposed in this patch may not be necessary.
> RP

The change is needed so that we can make the page table walk safer.


-aneesh

More information about the Linuxppc-dev mailing list