kernel virtual memory access (from app) does not generatesegfault

Jamie Lokier jamie at shareable.org
Wed Apr 21 17:00:13 EDT 2010


Russell King - ARM Linux wrote:
> On Wed, Apr 21, 2010 at 08:16:00PM +0100, Jamie Lokier wrote:
> > The two-liner proposed earlier should fix all ARMs doing userspace
> > execution > TASK_SIZE - the problem which started this thread.  But
> > not kernel space accidentally executing an NX page > TASK_SIZE due to
> > some bug, which can only occur on ARMv6/v7 due to NX.
> 
> Sorry James, that's wrong.

It's Jamie, btw.  Always has been.

> ARMv6 and ARMv7 use the IFSR, which gives us the error code - and
> that distinguishes between a translation fault and a permission
> fault.  An attempt to execute a NX page generates a permission
> fault, and therefore we end up calling do_page_fault() rather than
> indirecting via do_translation_fault().

That's a fine explanation, but I'd already grokked it, thanks to your
earlier hint.  So what's wrong about what I said above?  Rephrased as:

Kernel executes NX page > TASK_SIZE:

    Without patch, loops calling do_translation_fault() which
    just returns because the pte is already mapped and valid.
    With patch, goes to do_page_fault().

    -> Fixed by the IFSR patch.

User executes NX page > TASK_SIZE

    -> Fixed by the two-liner or IFSR patch, it doesn't matter.
       Either one directs these to do_page_fault().

Kernel executes NX page < TASK_SIZE:

    -> Already caught by PROT_EXEC + FSR_LNF_PX check in
       do_translation_fault -> do_page-fault -> access_error.

User executes NX page < TASK_SIZE:

    -> Already caught by PROT_EXEC + FSR_LNF_PX check in
       do_translation_fault -> do_page-fault -> access_error.

-- Jamie



More information about the linux-arm-kernel mailing list