linux-mm.kvack.org archive mirror
From: Ruihan Li <lrh2000@pku.edu.cn>
To: linux-mm@kvack.org
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
	Pasha Tatashin <pasha.tatashin@soleen.com>,
	David Hildenbrand <david@redhat.com>,
	Matthew Wilcox <willy@infradead.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Christoph Hellwig <hch@infradead.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Ruihan Li <lrh2000@pku.edu.cn>,
	stable@vger.kernel.org
Subject: [PATCH 3/4] mm: page_table_check: Make it dependent on !DEVMEM
Date: Wed, 10 May 2023 16:55:26 +0800
Message-ID: <20230510085527.57953-4-lrh2000@pku.edu.cn>
In-Reply-To: <20230510085527.57953-1-lrh2000@pku.edu.cn>

The special device /dev/mem enables users to map arbitrary physical
memory regions into the user space, which can conflict with the double
mapping detection logic used by the page table check. For instance,
pages may change their properties (e.g., from anonymous pages to named
pages) while they are still being mapped in the user space via /dev/mem,
leading to "corruption" detected by the page table check.

To address this issue, the PAGE_TABLE_CHECK config option is now
dependent on !DEVMEM. This ensures that the page table check cannot be
enabled when /dev/mem is used. It should be noted that /dev/mem itself
is a significant security issue, and its conflict with a hardening
technique is understandable.

Cc: <stable@vger.kernel.org> # 5.17
Signed-off-by: Ruihan Li <lrh2000@pku.edu.cn>
---
 Documentation/mm/page_table_check.rst | 18 ++++++++++++++++++
 mm/Kconfig.debug                      |  2 +-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/Documentation/mm/page_table_check.rst b/Documentation/mm/page_table_check.rst
index cfd8f4117..b04f29230 100644
--- a/Documentation/mm/page_table_check.rst
+++ b/Documentation/mm/page_table_check.rst
@@ -52,3 +52,21 @@ Build kernel with:
 
 Optionally, build kernel with PAGE_TABLE_CHECK_ENFORCED in order to have page
 table support without extra kernel parameter.
+
+Implementation notes
+====================
+
+We specifically decided not to use VMA information in order to avoid relying on
+MM states (except for limited "struct page" info). The page table check is a
+separate from Linux-MM state machine that verifies that the user accessible
+pages are not falsely shared.
+
+As a result, special devices that violate the model cannot live with
+PAGE_TABLE_CHECK. Currently, /dev/mem is the only known example. Given it
+allows users to map arbitrary physical memory regions into the userspace, any
+pages may change their properties (e.g., from anonymous pages to named pages)
+while they are still being mapped in the userspace via /dev/mem, leading to
+"corruption" detected by the page table check. Therefore, the PAGE_TABLE_CHECK
+config option is now dependent on !DEVMEM. It's worth noting that /dev/mem
+itself is a significant security issue, and its conflict with a hardening
+technique is understandable.
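
Review bot: The sentence "The page table check is a separate from Linux-MM state machine" in the first added paragraph does not parse; something like "The page table check is a state machine separate from Linux-MM that verifies ..." would read correctly. In the second paragraph, "is now dependent on !DEVMEM" is changelog wording that will age badly in permanent documentation, so "depends on !DEVMEM" is the better fit. It would also help to say what a user sees in practice: with DEVMEM enabled the PAGE_TABLE_CHECK option is simply not offered, and the reports that /dev/mem mappings would otherwise trigger are false positives of the checker rather than real page table corruption, which the quoted "corruption" only hints at.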
diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
index a925415b4..37f3d5b20 100644
--- a/mm/Kconfig.debug
+++ b/mm/Kconfig.debug
@@ -97,7 +97,7 @@ config PAGE_OWNER
 
 config PAGE_TABLE_CHECK
 	bool "Check for invalid mappings in user page tables"
-	depends on ARCH_SUPPORTS_PAGE_TABLE_CHECK
+	depends on ARCH_SUPPORTS_PAGE_TABLE_CHECK && !DEVMEM
 	select PAGE_EXTENSION
 	help
 	  Check that anonymous page is not being mapped twice with read write
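
Review bot: The new "&& !DEVMEM" term on the depends line is not reflected in the help text below it, so anyone whose config has DEVMEM=y will find PAGE_TABLE_CHECK missing from the menu with no explanation. Because the patch is tagged "Cc: stable # 5.17", existing configurations that enable both options will drop PAGE_TABLE_CHECK silently the next time the config is regenerated. Please add a line to the help text stating that the option requires /dev/mem support (DEVMEM) to be disabled and why, and mention the behaviour change for existing configs in the commit message.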
-- 
2.40.1




Thread overview: 17+ messages
2023-05-10  8:55 [PATCH 0/4] Fix type confusion in page_table_check Ruihan Li
2023-05-10  8:55 ` [PATCH 1/4] usb: usbfs: Enforce page requirements for mmap Ruihan Li
2023-05-10 14:37   ` Alan Stern
2023-05-10 15:38     ` Ruihan Li
2023-05-10  8:55 ` [PATCH 2/4] usb: usbfs: Use consistent mmap functions Ruihan Li
2023-05-10 14:38   ` Alan Stern
2023-05-10 15:41     ` Ruihan Li
2023-05-10 16:34       ` David Hildenbrand
2023-05-10  8:55 ` Ruihan Li [this message]
2023-05-10 16:40   ` [PATCH 3/4] mm: page_table_check: Make it dependent on !DEVMEM David Hildenbrand
2023-05-11 16:07     ` Ruihan Li
2023-05-10  8:55 ` [PATCH 4/4] mm: page_table_check: Ensure user pages are not slab pages Ruihan Li
2023-05-10 22:51 ` [PATCH 0/4] Fix type confusion in page_table_check Greg Kroah-Hartman
2023-05-11 13:44   ` Ruihan Li
2023-05-11 15:32     ` Christoph Hellwig
     [not found]       ` <zwixiok55avpjvfiknp7tzm7e4aragjj43a46abna4qqegdvdx@suat6sk34lgb>
2023-05-13  9:37         ` Greg Kroah-Hartman
2023-05-14 15:08           ` Ruihan Li
