From: Rick Edgecombe <rick.p.edgecombe@intel.com>
To: x86@kernel.org, "H . Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>,
linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
linux-mm@kvack.org, linux-arch@vger.kernel.org,
linux-api@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>,
Andy Lutomirski <luto@kernel.org>,
Balbir Singh <bsingharora@gmail.com>,
Borislav Petkov <bp@alien8.de>,
Cyrill Gorcunov <gorcunov@gmail.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Eugene Syromiatnikov <esyr@redhat.com>,
Florian Weimer <fweimer@redhat.com>,
"H . J . Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>,
Jonathan Corbet <corbet@lwn.net>,
Kees Cook <keescook@chromium.org>,
Mike Kravetz <mike.kravetz@oracle.com>,
Nadav Amit <nadav.amit@gmail.com>,
Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>,
Peter Zijlstra <peterz@infradead.org>,
Randy Dunlap <rdunlap@infradead.org>,
Weijiang Yang <weijiang.yang@intel.com>,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
John Allen <john.allen@amd.com>,
kcc@google.com, eranian@google.com, rppt@kernel.org,
jamorris@linux.microsoft.com, dethoma@microsoft.com,
akpm@linux-foundation.org, Andrew.Cooper3@citrix.com,
christina.schimpe@intel.com, david@redhat.com,
debug@rivosinc.com, szabolcs.nagy@arm.com,
torvalds@linux-foundation.org, broonie@kernel.org
Cc: rick.p.edgecombe@intel.com, linux-arm-kernel@lists.infradead.org,
linux-s390@vger.kernel.org, xen-devel@lists.xenproject.org
Subject: [PATCH v9 02/42] mm: Move pte/pmd_mkwrite() callers with no VMA to _novma()
Date: Mon, 12 Jun 2023 17:10:28 -0700 [thread overview]
Message-ID: <20230613001108.3040476-3-rick.p.edgecombe@intel.com> (raw)
In-Reply-To: <20230613001108.3040476-1-rick.p.edgecombe@intel.com>
The x86 Shadow stack feature includes a new type of memory called shadow
stack. This shadow stack memory has some unusual properties, which requires
some core mm changes to function properly.
One of these unusual properties is that shadow stack memory is writable,
but only in limited ways. These limits are applied via a specific PTE
bit combination. Nevertheless, the memory is writable, and core mm code
will need to apply the writable permissions in the typical paths that
call pte_mkwrite(). Future patches will make pte_mkwrite() take a VMA, so
that the x86 implementation of it can know whether to create regular
writable memory or shadow stack memory.
But there are a couple of challenges to this. Modifying the signatures of
each arch pte_mkwrite() implementation would be error prone because some
are generated with macros and would need to be re-implemented. Also, some
pte_mkwrite() callers operate on kernel memory without a VMA.
So this can be done in a three step process. First pte_mkwrite() can be
renamed to pte_mkwrite_novma() in each arch, with a generic pte_mkwrite()
added that just calls pte_mkwrite_novma(). Next callers without a VMA can
be moved to pte_mkwrite_novma(). And lastly, pte_mkwrite() and all callers
can be changed to take/pass a VMA.
Previous patches have done the first step, so next move the callers that
don't have a VMA to pte_mkwrite_novma(). Also do the same for
pmd_mkwrite(). This will be ok for the shadow stack feature, as these
callers are on kernel memory which will not need to be made shadow stack,
and the other architectures only currently support one type of memory
in pte_mkwrite()
Cc: linux-doc@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-s390@vger.kernel.org
Cc: xen-devel@lists.xenproject.org
Cc: linux-arch@vger.kernel.org
Cc: linux-mm@kvack.org
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
---
Hi Non-x86 Arch’s,
x86 has a feature that allows for the creation of a special type of
writable memory (shadow stack) that is only writable in limited specific
ways. Previously, changes were proposed to core MM code to teach it to
decide when to create normally writable memory or the special shadow stack
writable memory, but David Hildenbrand suggested[0] to change
pXX_mkwrite() to take a VMA, so awareness of shadow stack memory can be
moved into x86 code. Later Linus suggested a less error-prone way[1] to go
about this after the first attempt had a bug.
Since pXX_mkwrite() is defined in every arch, it requires some tree-wide
changes. So that is why you are seeing some patches out of a big x86
series pop up in your arch mailing list. There is no functional change.
After this refactor, the shadow stack series goes on to use the arch
helpers to push arch memory details inside arch/x86 and other arch's
with upcoming shadow stack features.
Testing was just 0-day build testing.
Hopefully that is enough context. Thanks!
[0] https://lore.kernel.org/lkml/0e29a2d0-08d8-bcd6-ff26-4bea0e4037b0@redhat.com/
[1] https://lore.kernel.org/lkml/CAHk-=wiZjSu7c9sFYZb3q04108stgHff2wfbokGCCgW7riz+8Q@mail.gmail.com/
---
arch/arm64/mm/trans_pgd.c | 4 ++--
arch/s390/mm/pageattr.c | 4 ++--
arch/x86/xen/mmu_pv.c | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/arm64/mm/trans_pgd.c b/arch/arm64/mm/trans_pgd.c
index 4ea2eefbc053..a01493f3a06f 100644
--- a/arch/arm64/mm/trans_pgd.c
+++ b/arch/arm64/mm/trans_pgd.c
@@ -40,7 +40,7 @@ static void _copy_pte(pte_t *dst_ptep, pte_t *src_ptep, unsigned long addr)
* read only (code, rodata). Clear the RDONLY bit from
* the temporary mappings we use during restore.
*/
- set_pte(dst_ptep, pte_mkwrite(pte));
+ set_pte(dst_ptep, pte_mkwrite_novma(pte));
} else if (debug_pagealloc_enabled() && !pte_none(pte)) {
/*
* debug_pagealloc will removed the PTE_VALID bit if
@@ -53,7 +53,7 @@ static void _copy_pte(pte_t *dst_ptep, pte_t *src_ptep, unsigned long addr)
*/
BUG_ON(!pfn_valid(pte_pfn(pte)));
- set_pte(dst_ptep, pte_mkpresent(pte_mkwrite(pte)));
+ set_pte(dst_ptep, pte_mkpresent(pte_mkwrite_novma(pte)));
}
}
diff --git a/arch/s390/mm/pageattr.c b/arch/s390/mm/pageattr.c
index 5ba3bd8a7b12..6931d484d8a7 100644
--- a/arch/s390/mm/pageattr.c
+++ b/arch/s390/mm/pageattr.c
@@ -97,7 +97,7 @@ static int walk_pte_level(pmd_t *pmdp, unsigned long addr, unsigned long end,
if (flags & SET_MEMORY_RO)
new = pte_wrprotect(new);
else if (flags & SET_MEMORY_RW)
- new = pte_mkwrite(pte_mkdirty(new));
+ new = pte_mkwrite_novma(pte_mkdirty(new));
if (flags & SET_MEMORY_NX)
new = set_pte_bit(new, __pgprot(_PAGE_NOEXEC));
else if (flags & SET_MEMORY_X)
@@ -155,7 +155,7 @@ static void modify_pmd_page(pmd_t *pmdp, unsigned long addr,
if (flags & SET_MEMORY_RO)
new = pmd_wrprotect(new);
else if (flags & SET_MEMORY_RW)
- new = pmd_mkwrite(pmd_mkdirty(new));
+ new = pmd_mkwrite_novma(pmd_mkdirty(new));
if (flags & SET_MEMORY_NX)
new = set_pmd_bit(new, __pgprot(_SEGMENT_ENTRY_NOEXEC));
else if (flags & SET_MEMORY_X)
diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c
index b3b8d289b9ab..63fced067057 100644
--- a/arch/x86/xen/mmu_pv.c
+++ b/arch/x86/xen/mmu_pv.c
@@ -150,7 +150,7 @@ void make_lowmem_page_readwrite(void *vaddr)
if (pte == NULL)
return; /* vaddr missing */
- ptev = pte_mkwrite(*pte);
+ ptev = pte_mkwrite_novma(*pte);
if (HYPERVISOR_update_va_mapping(address, ptev, 0))
BUG();
--
2.34.1
next prev parent reply other threads:[~2023-06-13 0:12 UTC|newest]
Thread overview: 150+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-13 0:10 [PATCH v9 00/42] Shadow stacks for userspace Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 01/42] mm: Rename arch pte_mkwrite()'s to pte_mkwrite_novma() Rick Edgecombe
2023-06-13 7:19 ` Geert Uytterhoeven
2023-06-13 16:14 ` Edgecombe, Rick P
2023-06-13 7:43 ` Mike Rapoport
2023-06-13 16:14 ` Edgecombe, Rick P
2023-06-13 12:26 ` David Hildenbrand
2023-06-13 16:14 ` Edgecombe, Rick P
2023-07-14 22:57 ` Mark Brown
2023-07-17 15:55 ` Edgecombe, Rick P
2023-07-17 16:51 ` Mark Brown
2023-06-13 0:10 ` Rick Edgecombe [this message]
2023-06-13 7:44 ` [PATCH v9 02/42] mm: Move pte/pmd_mkwrite() callers with no VMA to _novma() Mike Rapoport
2023-06-13 16:19 ` Edgecombe, Rick P
2023-06-13 17:00 ` David Hildenbrand
2023-06-14 17:00 ` Edgecombe, Rick P
2023-06-13 12:27 ` David Hildenbrand
2023-06-13 16:20 ` Edgecombe, Rick P
2023-06-13 0:10 ` [PATCH v9 03/42] mm: Make pte_mkwrite() take a VMA Rick Edgecombe
2023-06-13 7:42 ` Mike Rapoport
2023-06-13 16:20 ` Edgecombe, Rick P
2023-06-13 12:28 ` David Hildenbrand
2023-06-13 16:21 ` Edgecombe, Rick P
2023-06-13 0:10 ` [PATCH v9 04/42] mm: Re-introduce vm_flags to do_mmap() Rick Edgecombe
2023-06-14 8:49 ` David Hildenbrand
2023-06-14 23:30 ` Mark Brown
2023-06-13 0:10 ` [PATCH v9 05/42] mm: Move VM_UFFD_MINOR_BIT from 37 to 38 Rick Edgecombe
2023-06-14 8:50 ` David Hildenbrand
2023-06-13 0:10 ` [PATCH v9 06/42] x86/shstk: Add Kconfig option for shadow stack Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 07/42] x86/traps: Move control protection handler to separate file Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 08/42] x86/cpufeatures: Add CPU feature flags for shadow stacks Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 09/42] x86/mm: Move pmd_write(), pud_write() up in the file Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 10/42] x86/mm: Introduce _PAGE_SAVED_DIRTY Rick Edgecombe
2023-06-13 16:01 ` Edgecombe, Rick P
2023-06-13 17:58 ` Linus Torvalds
2023-06-13 19:37 ` Edgecombe, Rick P
2023-06-13 0:10 ` [PATCH v9 11/42] x86/mm: Update ptep/pmdp_set_wrprotect() for _PAGE_SAVED_DIRTY Rick Edgecombe
2023-06-13 18:01 ` Linus Torvalds
2023-06-13 0:10 ` [PATCH v9 12/42] x86/mm: Start actually marking _PAGE_SAVED_DIRTY Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 13/42] x86/mm: Remove _PAGE_DIRTY from kernel RO pages Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 14/42] mm: Introduce VM_SHADOW_STACK for shadow stack memory Rick Edgecombe
2023-06-14 8:50 ` David Hildenbrand
2023-06-14 23:31 ` Mark Brown
2023-06-13 0:10 ` [PATCH v9 15/42] x86/mm: Check shadow stack page fault errors Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 16/42] mm: Add guard pages around a shadow stack Rick Edgecombe
2023-06-14 23:34 ` Mark Brown
2023-06-22 18:21 ` Matthew Wilcox
2023-06-22 18:27 ` Edgecombe, Rick P
2023-06-23 7:40 ` Mike Rapoport
2023-06-23 12:17 ` Mark Brown
2023-06-25 16:44 ` Edgecombe, Rick P
2023-06-26 12:45 ` Mark Brown
2023-07-06 23:32 ` [PATCH] x86/shstk: Move arch detail comment out of core mm Rick Edgecombe
2023-07-07 15:08 ` Mark Brown
2023-08-01 16:52 ` Mike Rapoport
2023-06-13 0:10 ` [PATCH v9 17/42] mm: Warn on shadow stack memory in wrong vma Rick Edgecombe
2023-06-14 23:35 ` Mark Brown
2023-06-13 0:10 ` [PATCH v9 18/42] x86/mm: Warn if create Write=0,Dirty=1 with raw prot Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 19/42] mm/mmap: Add shadow stack pages to memory accounting Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 20/42] x86/mm: Introduce MAP_ABOVE4G Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 21/42] x86/mm: Teach pte_mkwrite() about stack memory Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 22/42] mm: Don't allow write GUPs to shadow " Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 23/42] Documentation/x86: Add CET shadow stack description Rick Edgecombe
2023-06-13 11:55 ` Mark Brown
2023-06-13 12:37 ` Florian Weimer
2023-06-13 15:15 ` Mark Brown
2023-06-13 17:11 ` Edgecombe, Rick P
2023-06-13 17:57 ` Mark Brown
2023-06-13 19:57 ` Edgecombe, Rick P
2023-06-14 10:43 ` szabolcs.nagy
2023-06-14 16:57 ` Edgecombe, Rick P
2023-06-19 8:47 ` szabolcs.nagy
2023-06-19 16:44 ` Edgecombe, Rick P
2023-06-20 9:17 ` szabolcs.nagy
2023-06-20 19:34 ` Edgecombe, Rick P
2023-06-21 11:36 ` szabolcs.nagy
2023-06-21 18:54 ` Edgecombe, Rick P
2023-06-21 22:22 ` Edgecombe, Rick P
2023-06-21 23:05 ` H.J. Lu
2023-06-21 23:15 ` Edgecombe, Rick P
2023-06-22 1:07 ` Edgecombe, Rick P
2023-06-22 3:23 ` H.J. Lu
2023-06-22 8:27 ` szabolcs.nagy
2023-06-22 16:47 ` Edgecombe, Rick P
2023-06-23 16:25 ` szabolcs.nagy
2023-06-25 18:48 ` Edgecombe, Rick P
2023-06-21 23:02 ` H.J. Lu
2023-06-22 7:40 ` szabolcs.nagy
2023-06-22 16:46 ` Edgecombe, Rick P
2023-06-26 14:08 ` szabolcs.nagy
2023-06-28 1:23 ` Edgecombe, Rick P
2023-06-22 9:18 ` szabolcs.nagy
2023-06-22 15:26 ` Andy Lutomirski
2023-06-22 16:42 ` szabolcs.nagy
2023-06-22 23:18 ` Edgecombe, Rick P
2023-06-29 16:07 ` szabolcs.nagy
2023-07-02 18:03 ` Edgecombe, Rick P
2023-07-03 13:32 ` Mark Brown
2023-07-03 18:19 ` szabolcs.nagy
2023-07-03 18:38 ` Mark Brown
2023-07-03 18:49 ` Florian Weimer
2023-07-04 11:33 ` Szabolcs Nagy
2023-07-05 18:45 ` Edgecombe, Rick P
2023-07-05 19:10 ` Mark Brown
2023-07-05 19:17 ` Edgecombe, Rick P
2023-07-05 19:29 ` Mark Brown
2023-07-06 13:14 ` szabolcs.nagy
2023-07-06 14:24 ` Mark Brown
2023-07-06 16:59 ` Edgecombe, Rick P
2023-07-06 19:03 ` Mark Brown
2023-07-06 13:07 ` szabolcs.nagy
2023-07-06 18:25 ` Edgecombe, Rick P
2023-07-07 15:25 ` szabolcs.nagy
2023-07-07 17:37 ` Edgecombe, Rick P
2023-07-10 16:54 ` szabolcs.nagy
2023-07-10 22:56 ` Edgecombe, Rick P
2023-07-11 8:08 ` szabolcs.nagy
2023-07-12 9:39 ` Szabolcs Nagy
2023-06-25 23:52 ` Andy Lutomirski
2023-06-14 13:12 ` Mark Brown
2023-07-18 19:32 ` Szabolcs Nagy
2023-06-13 0:10 ` [PATCH v9 24/42] x86/fpu/xstate: Introduce CET MSR and XSAVES supervisor states Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 25/42] x86/fpu: Add helper for modifying xstate Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 26/42] x86: Introduce userspace API for shadow stack Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 27/42] x86/shstk: Add user control-protection fault handler Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 28/42] x86/shstk: Add user-mode shadow stack support Rick Edgecombe
2023-06-27 17:20 ` Mark Brown
2023-06-27 23:46 ` Dave Hansen
2023-06-28 0:37 ` Edgecombe, Rick P
2023-07-06 23:38 ` [PATCH] x86/shstk: Don't retry vm_munmap() on -EINTR Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 29/42] x86/shstk: Handle thread shadow stack Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 30/42] x86/shstk: Introduce routines modifying shstk Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 31/42] x86/shstk: Handle signals for shadow stack Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 32/42] x86/shstk: Check that SSP is aligned on sigreturn Rick Edgecombe
2023-06-13 0:10 ` [PATCH v9 33/42] x86/shstk: Check that signal frame is shadow stack mem Rick Edgecombe
2023-06-13 0:11 ` [PATCH v9 34/42] x86/shstk: Introduce map_shadow_stack syscall Rick Edgecombe
2023-06-13 0:11 ` [PATCH v9 35/42] x86/shstk: Support WRSS for userspace Rick Edgecombe
2023-06-13 0:11 ` [PATCH v9 36/42] x86: Expose thread features in /proc/$PID/status Rick Edgecombe
2023-06-13 0:11 ` [PATCH v9 37/42] x86/shstk: Wire in shadow stack interface Rick Edgecombe
2023-06-13 0:11 ` [PATCH v9 38/42] x86/cpufeatures: Enable CET CR4 bit for shadow stack Rick Edgecombe
2023-06-13 0:11 ` [PATCH v9 39/42] selftests/x86: Add shadow stack test Rick Edgecombe
2023-06-13 0:11 ` [PATCH v9 40/42] x86: Add PTRACE interface for shadow stack Rick Edgecombe
2023-06-13 0:11 ` [PATCH v9 41/42] x86/shstk: Add ARCH_SHSTK_UNLOCK Rick Edgecombe
2023-06-13 0:11 ` [PATCH v9 42/42] x86/shstk: Add ARCH_SHSTK_STATUS Rick Edgecombe
2023-06-13 1:34 ` [PATCH v9 00/42] Shadow stacks for userspace Linus Torvalds
2023-06-13 3:12 ` Edgecombe, Rick P
2023-06-13 17:44 ` Linus Torvalds
2023-06-13 18:27 ` Linus Torvalds
2023-06-13 19:38 ` Edgecombe, Rick P
2023-06-14 23:45 ` Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230613001108.3040476-3-rick.p.edgecombe@intel.com \
--to=rick.p.edgecombe@intel.com \
--cc=Andrew.Cooper3@citrix.com \
--cc=akpm@linux-foundation.org \
--cc=arnd@arndb.de \
--cc=bp@alien8.de \
--cc=broonie@kernel.org \
--cc=bsingharora@gmail.com \
--cc=christina.schimpe@intel.com \
--cc=corbet@lwn.net \
--cc=dave.hansen@linux.intel.com \
--cc=david@redhat.com \
--cc=debug@rivosinc.com \
--cc=dethoma@microsoft.com \
--cc=eranian@google.com \
--cc=esyr@redhat.com \
--cc=fweimer@redhat.com \
--cc=gorcunov@gmail.com \
--cc=hjl.tools@gmail.com \
--cc=hpa@zytor.com \
--cc=jamorris@linux.microsoft.com \
--cc=jannh@google.com \
--cc=john.allen@amd.com \
--cc=kcc@google.com \
--cc=keescook@chromium.org \
--cc=kirill.shutemov@linux.intel.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-s390@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mike.kravetz@oracle.com \
--cc=mingo@redhat.com \
--cc=nadav.amit@gmail.com \
--cc=oleg@redhat.com \
--cc=pavel@ucw.cz \
--cc=peterz@infradead.org \
--cc=rdunlap@infradead.org \
--cc=rppt@kernel.org \
--cc=szabolcs.nagy@arm.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=weijiang.yang@intel.com \
--cc=x86@kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox