Subject: Re: [RFC PATCH 4/4] x86/mm: write protect (most) page tables
From: Nadav Amit
Date: Mon, 23 Aug 2021 22:34:42 -0700
To: Mike Rapoport
Cc: Linux-MM, Andrew Morton, Andy Lutomirski, Dave Hansen, Ira Weiny, Kees Cook, Mike Rapoport, Peter Zijlstra, Rick Edgecombe, Vlastimil Babka, x86@kernel.org, linux-kernel@vger.kernel.org
Message-Id: <05242256-4B5F-4AD6-B7DA-46A583335E5C@gmail.com>
References: <20210823132513.15836-1-rppt@kernel.org> <20210823132513.15836-5-rppt@kernel.org>

Sorry for sending twice. The mail app decided to use HTML for some reason.

On Aug 23, 2021, at 10:32 PM, Nadav Amit wrote:
>
> On Aug 23, 2021, at 6:25 AM, Mike Rapoport wrote:
>
> From: Mike Rapoport
>
> Allocate page tables using __GFP_PTE_MAPPED so that they will have 4K PTEs
> in the direct map. This allows switching the _PAGE_RW bit each time a page
> table page needs to be made writable or read-only.
>
> The writability of the page tables is toggled only in the lowest level page
> table modification functions and immediately switched off.
>
> The page tables created early in the boot (including the direct map page
> table) are not write protected.
>
> [ snip ]
>
> +static void pgtable_write_set(void *pg_table, bool set)
> +{
> +	int level = 0;
> +	pte_t *pte;
> +
> +	/*
> +	 * Skip the page tables allocated from pgt_buf break area and from
> +	 * memblock
> +	 */
> +	if (!after_bootmem)
> +		return;
> +	if (!PageTable(virt_to_page(pg_table)))
> +		return;
> +
> +	pte = lookup_address((unsigned long)pg_table, &level);
> +	if (!pte || level != PG_LEVEL_4K)
> +		return;
> +
> +	if (set) {
> +		if (pte_write(*pte))
> +			return;
> +
> +		WRITE_ONCE(*pte, pte_mkwrite(*pte));

I think that the pte_write() test (and the following one) might hide latent bugs. Either you know whether the PTE is write-protected or you need to protect against nested/concurrent calls to pgtable_write_set() by disabling preemption/IRQs. Otherwise, you risk having someone else write-protect the PTE after it is write-unprotected and before it is written - causing a crash, or write-unprotect it after it is protected - which circumvents the protection.

Therefore, I would think that instead you should have:

	VM_BUG_ON(pte_write(*pte)); // (or WARN_ON_ONCE())

In addition, if there are assumptions on the preemptability of the code, it would be nice to have some assertions. I think that the code assumes that all calls to pgtable_write_set() are done while holding the page-table lock. If that is the case, perhaps adding some lockdep assertion would also help to confirm the correctness.

[ I put aside the lack of TLB flushes, which makes the whole matter of delivered protection questionable. I presume that once PKS is used, this is not an issue. ]
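Review bot: the early `return` on `!pte || level != PG_LEVEL_4K` after `lookup_address()` (and likewise the `!PageTable(virt_to_page(pg_table))` check) silently leaves a page-table page writable, although the commit message says these pages are allocated with __GFP_PTE_MAPPED precisely so that they are 4K-mapped in the direct map; a non-4K mapping at this point is a broken invariant rather than an expected case, so it deserves at least a `WARN_ON_ONCE(level != PG_LEVEL_4K)` so that protection quietly not being applied shows up in testing instead of going unnoticed. The same reasoning applies to the `if (pte_write(*pte)) return;` in the `set` branch, which turns an unbalanced or nested call into a silent no-op.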
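The interleaving Nadav describes, as an added user-space model that is not part of this thread or of the kernel patch: a single RW bit stands in for the direct-map PTE of a page-table page, `write_set_lenient()` mirrors the early-return shape of the quoted `pgtable_write_set()`, `write_set_strict()` fails the way a `VM_BUG_ON(pte_write(*pte))` would, and two hypothetical modifiers A and B either interleave (nothing disables preemption/IRQs or takes the page-table lock) or run serialized. The function and step names and the step sequences are constructed for this illustration only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of one direct-map PTE: only the RW bit is modelled. */
#define PTE_RW (1u << 1)
typedef uint64_t pte_t;

struct outcome {
	int faults;      /* stores that landed on a read-only page */
	int violations;  /* calls made with the PTE already in the requested state */
};

/* Lenient toggle, shaped like the quoted pgtable_write_set(): silently
 * returns if the PTE is already in the requested state. */
static void write_set_lenient(pte_t *pte, bool set)
{
	if (set) {
		if (*pte & PTE_RW)
			return;
		*pte |= PTE_RW;
	} else {
		if (!(*pte & PTE_RW))
			return;
		*pte &= ~PTE_RW;
	}
}

/* Strict toggle: the caller asserts it knows the current state, as a
 * VM_BUG_ON(pte_write(*pte)) would. Returns false on a violated invariant. */
static bool write_set_strict(pte_t *pte, bool set)
{
	bool writable = (*pte & PTE_RW) != 0;

	if (writable == set)
		return false;
	if (set)
		*pte |= PTE_RW;
	else
		*pte &= ~PTE_RW;
	return true;
}

enum op { UNPROTECT, WRITE, PROTECT };

/* Each page-table update is three steps: unprotect, store, re-protect.
 * Constructed schedules for two modifiers A and B. */
static const enum op interleaved[] = {
	UNPROTECT, UNPROTECT, WRITE, PROTECT, WRITE, PROTECT, /* A, B, A, A, B, B */
};
static const enum op serialized[] = {
	UNPROTECT, WRITE, PROTECT, UNPROTECT, WRITE, PROTECT, /* A, A, A, B, B, B */
};

static struct outcome run(const enum op *ops, size_t n, bool strict)
{
	pte_t pte = 0;  /* the page-table page starts read-only in the direct map */
	struct outcome out = {0, 0};

	for (size_t i = 0; i < n; i++) {
		switch (ops[i]) {
		case WRITE:
			if (!(pte & PTE_RW))
				out.faults++;  /* the kernel would oops here */
			break;
		case UNPROTECT:
		case PROTECT: {
			bool set = ops[i] == UNPROTECT;

			if (!strict) {
				write_set_lenient(&pte, set);
			} else if (!write_set_strict(&pte, set)) {
				out.violations++;
				return out;  /* VM_BUG_ON stops the sequence here */
			}
			break;
		}
		}
	}
	return out;
}

struct outcome lenient_interleaved(void) { return run(interleaved, 6, false); }
struct outcome strict_interleaved(void)  { return run(interleaved, 6, true); }
struct outcome strict_serialized(void)   { return run(serialized, 6, true); }

int main(void)
{
	struct outcome a = lenient_interleaved();
	struct outcome b = strict_interleaved();
	struct outcome c = strict_serialized();

	printf("lenient, interleaved: faults=%d violations=%d\n", a.faults, a.violations);
	printf("strict,  interleaved: faults=%d violations=%d\n", b.faults, b.violations);
	printf("strict,  serialized:  faults=%d violations=%d\n", c.faults, c.violations);
	return 0;
}
```

With the lenient toggle, B's unprotect is swallowed because A already made the page writable, A's re-protect then lands before B's store, and B faults on a read-only page with nothing in the log pointing at the unbalanced calls. The strict toggle trips at B's unprotect, the second step, which is exactly the point where the missing serialization becomes visible; with the two updates serialized, as holding the page-table lock or disabling preemption would arrange, the strict variant passes cleanly, which is why an assertion plus a lockdep check is a cheaper and more informative guard than a tolerant early return.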