From: Maxwell Bland
Date: Mon, 15 Apr 2024 15:16:08 -0500
Subject: [PATCH 0/5] mm: code and data partitioning improvements
Message-Id: <20240416122254.868007168-1-mbland@motorola.com>
To: linux-mm@kvack.org
Cc: Maxwell Bland, linux-kernel@vger.kernel.org,
    linux-arm-kernel@lists.infradead.org, linux-riscv@lists.infradead.org,
    linuxppc-dev@lists.ozlabs.org, Mark Rutland, Greg Kroah-Hartman,
    Christoph Hellwig, Christophe Leroy, David Hildenbrand, Conor Dooley

Managing allocations to ensure code and data pages are not interleaved
is not possible prior to this patch, as ASLR requires programming a
dynamic _text offset while the vmalloc infrastructure maintains static
VMALLOC_START and VMALLOC_END constants. In systems where code and data
are interleaved at a PTE granularity, kernel improvements targeting the
prevention of exploit stages which modify page tables are inefficient
and less effective as individual PTE updates occur at high frequency and
cannot be coarsely grouped at the PMD level or greater.

This patch adds minimal arch-specific callbacks to the initialization of
vmalloc and when deciding whether to use a specific virtual memory area
to satisfy a vmalloc request to provide the capability to prevent the
allocation of specific virtual addresses under specific system states.
By default these hooks are unimplemented.

To further support the practical use of these callbacks, this patch also
adds a virtual address parameter to pmd_populate_kernel, so that this
interface matches the equivalent pte-level interface and architectures
are not required to perform a reverse page table lookup to determine the
vaddr being allocated during pmd creation.

To demonstrate the impact and value of these changes, this patch
implements support for dynamic PXNTable under aarch64 in 71 lines of
code (a single "if" check during memory allocation), by checking the
virtual address of a given vmalloc call to determine whether it is code
or data. From experience in trying to implement kernel page table
immutability and protections in KVM to prevent recent CVEs, e.g.
CVE-2024-1086, this is a necessary first step.

To better help maintainers and future developers, this patch expands
ptdump.c so that non-leaf page table descriptors can be more easily
noted in debug output by setting a note_non_leaf bool in the ptdump
state.

Signed-off-by: Maxwell Bland
---

First, thank you to a number of maintainers (Mark Rutland, Greg KH,
Christoph Hellwig, Christophe Leroy, David Hildenbrand, Conor Dooley)
for their feedback on <20240220203256.31153-1-mbland@motorola.com> and
This patch is a further refinement and overhaul of these prior two
attempts.

Also, apologies for the roughly two months delay between patch
submissions! I had Motorola work to do.

In support of testing this patch (but not included in this patch), I set
note_non_leaf to true under arch/arm64/mm/ptdump.c and added
PMD_TABLE_PXN to pte_bits to print out whether the PXNTable bit was set.
The txt files under the following directory can be diff'ed to see the
result:

github.com/maxwell-bland/linux-patch-data/tree/main/code_data_parting/ptdump

I also created a script to fetch and cross-compile the kernel for each
of the 21 subarchitectures which required fixes to provide a virtual
address to pmd_populate_kernel. I have no idea if it is useful and maybe
one already exists, but it worked well for me over some alternatives
(xcross, buildroot):

github.com/maxwell-bland/x-linux

As with the last patchset, I also measured performance using Torvalds'
test-tlb program on an aarch64 QEMU instance, with results here:

github.com/maxwell-bland/linux-patch-data/tree/main/code_data_parting/tlbperf

As all changes to other arches are effectively no-ops, performance
impacts in those domains are negligible.

Maxwell Bland (5):
  mm: allow arch refinement/skip for vmap alloc
  arm64: mm: code and data partitioning for aslr
  mm: add vaddr param to pmd_populate_kernel
  arm64: dynamic enforcement of PXNTable
  ptdump: add state parameter for non-leaf callback

 arch/alpha/include/asm/pgalloc.h | 5 +-
 arch/arc/include/asm/pgalloc.h | 3 +-
 arch/arc/mm/highmem.c | 2 +-
 arch/arm/include/asm/kfence.h | 2 +-
 arch/arm/include/asm/pgalloc.h | 3 +-
 arch/arm/mm/kasan_init.c | 2 +-
 arch/arm/mm/mmu.c | 2 +-
 arch/arm64/include/asm/module.h | 12 ++++
 arch/arm64/include/asm/pgalloc.h | 15 ++++-
 arch/arm64/include/asm/vmalloc.h | 17 ++++-
 arch/arm64/kernel/Makefile | 2 +-
 arch/arm64/kernel/module.c | 7 +-
 arch/arm64/kernel/probes/kprobes.c | 7 +-
 arch/arm64/kernel/setup.c | 4 ++
 arch/arm64/kernel/vmalloc.c | 71 ++++++++++++++++++++
 arch/arm64/mm/ptdump.c | 10 +--
 arch/arm64/mm/trans_pgd.c | 2 +-
 arch/arm64/net/bpf_jit_comp.c | 8 ++-
 arch/csky/include/asm/pgalloc.h | 2 +-
 arch/hexagon/include/asm/pgalloc.h | 2 +-
 arch/loongarch/include/asm/pgalloc.h | 3 +-
 arch/loongarch/mm/init.c | 2 +-
 arch/loongarch/mm/kasan_init.c | 2 +-
 arch/m68k/include/asm/mcf_pgalloc.h | 2 +-
 arch/m68k/include/asm/motorola_pgalloc.h | 3 +-
 arch/m68k/include/asm/sun3_pgalloc.h | 3 +-
 arch/microblaze/include/asm/pgalloc.h | 2 +-
 arch/mips/include/asm/pgalloc.h | 2 +-
 arch/mips/kvm/mmu.c | 2 +-
 arch/nios2/include/asm/pgalloc.h | 2 +-
 arch/openrisc/include/asm/pgalloc.h | 2 +-
 arch/parisc/include/asm/pgalloc.h | 5 +-
 arch/parisc/mm/init.c | 6 +-
 arch/powerpc/include/asm/book3s/32/pgalloc.h | 2 +-
 arch/powerpc/include/asm/book3s/64/pgalloc.h | 2 +-
 arch/powerpc/include/asm/nohash/32/pgalloc.h | 2 +-
 arch/powerpc/include/asm/nohash/64/pgalloc.h | 2 +-
 arch/powerpc/mm/book3s64/radix_pgtable.c | 2 +-
 arch/powerpc/mm/kasan/init_32.c | 4 +-
 arch/powerpc/mm/kasan/init_book3e_64.c | 9 ++-
 arch/powerpc/mm/kasan/init_book3s_64.c | 7 +-
 arch/powerpc/mm/nohash/book3e_pgtable.c | 2 +-
 arch/powerpc/mm/pgtable_32.c | 4 +-
 arch/powerpc/mm/ptdump/ptdump.c | 2 +
 arch/riscv/include/asm/pgalloc.h | 2 +-
 arch/riscv/kernel/hibernate.c | 2 +-
 arch/riscv/mm/ptdump.c | 6 +-
 arch/s390/include/asm/pgalloc.h | 2 +-
 arch/s390/mm/dump_pagetables.c | 6 +-
 arch/sh/include/asm/pgalloc.h | 2 +-
 arch/sh/mm/init.c | 2 +-
 arch/sparc/include/asm/pgalloc_32.h | 3 +-
 arch/sparc/include/asm/pgalloc_64.h | 4 +-
 arch/sparc/mm/init_64.c | 8 +--
 arch/um/include/asm/pgalloc.h | 4 +-
 arch/x86/include/asm/pgalloc.h | 3 +-
 arch/x86/mm/dump_pagetables.c | 3 +-
 arch/x86/mm/init_64.c | 14 +++-
 arch/x86/mm/ioremap.c | 2 +-
 arch/x86/mm/kasan_init_64.c | 2 +-
 arch/xtensa/include/asm/pgalloc.h | 2 +-
 include/linux/mm.h | 4 +-
 include/linux/ptdump.h | 1 +
 include/linux/vmalloc.h | 24 +++++++
 mm/hugetlb_vmemmap.c | 4 +-
 mm/kasan/init.c | 14 ++--
 mm/memory.c | 4 +-
 mm/percpu.c | 2 +-
 mm/pgalloc-track.h | 3 +-
 mm/ptdump.c | 13 ++++
 mm/sparse-vmemmap.c | 2 +-
 mm/vmalloc.c | 16 +++--
 72 files changed, 299 insertions(+), 107 deletions(-)
 create mode 100644 arch/arm64/kernel/vmalloc.c

base-commit: 0bbac3facb5d6cc0171c45c9873a2dc96bea9680
--
2.39.2

From: Maxwell Bland
Date: Tue, 16 Apr 2024 14:18:14 -0500
Subject: [PATCH 0/5 RESEND] mm: code and data partitioning improvements
Message-ID: <20240416122254.868007168-1-mbland@motorola.com>
Message-ID: <20240416191814.MfglSSm6RAyBHkcz5wcBEWjWWeWBqSrsnc6UFkQSC04@z>
To: linux-mm@kvack.org
Cc: Maxwell Bland, linux-kernel@vger.kernel.org,
    linux-arm-kernel@lists.infradead.org, linux-riscv@lists.infradead.org,
    linuxppc-dev@lists.ozlabs.org, Mark Rutland, Greg Kroah-Hartman,
    Christoph Hellwig, Christophe Leroy, David Hildenbrand, Conor Dooley

Managing allocations to ensure code and data pages are not interleaved
is not possible prior to this patch, as ASLR requires programming a
dynamic _text offset while the vmalloc infrastructure maintains static
VMALLOC_START and VMALLOC_END constants. In systems where code and data
are interleaved at a PTE granularity, kernel improvements targeting the
prevention of exploit stages which modify page tables are inefficient
and less effective as individual PTE updates occur at high frequency and
cannot be coarsely grouped at the PMD level or greater.

This patch adds minimal arch-specific callbacks to the initialization of
vmalloc and when deciding whether to use a specific virtual memory area
to satisfy a vmalloc request to provide the capability to prevent the
allocation of specific virtual addresses under specific system states.
By default these hooks are unimplemented.

To further support the practical use of these callbacks, this patch also
adds a virtual address parameter to pmd_populate_kernel, so that this
interface matches the equivalent pte-level interface and architectures
are not required to perform a reverse page table lookup to determine the
vaddr being allocated during pmd creation.

To demonstrate the impact and value of these changes, this patch
implements support for dynamic PXNTable under aarch64 in 71 lines of
code (a single "if" check during memory allocation), by checking the
virtual address of a given vmalloc call to determine whether it is code
or data. From experience in trying to implement kernel page table
immutability and protections in KVM to prevent recent CVEs, e.g.
CVE-2024-1086, this is a necessary first step.

To better help maintainers and future developers, this patch expands
ptdump.c so that non-leaf page table descriptors can be more easily
noted in debug output by setting a note_non_leaf bool in the ptdump
state.

Signed-off-by: Maxwell Bland
---

Zero-eth, apologies for the triple mail of these patches. I am in the
process of setting up a new SMTP/mail server for Motorola, but until
then I've needed to script the raw SMTP in order to send appropriately
formatted patch emails.

First, thank you to a number of maintainers (Mark Rutland, Greg KH,
Christoph Hellwig, Christophe Leroy, David Hildenbrand, Conor Dooley)
for their feedback on <20240220203256.31153-1-mbland@motorola.com> and
This patch is a further refinement and overhaul of these prior two
attempts.

Also, apologies for the roughly two months delay between patch
submissions! I had Motorola work to do.

In support of testing this patch (but not included in this patch), I set
note_non_leaf to true under arch/arm64/mm/ptdump.c and added
PMD_TABLE_PXN to pte_bits to print out whether the PXNTable bit was set.
The txt files under the following directory can be diff'ed to see the
result:

github.com/maxwell-bland/linux-patch-data/tree/main/code_data_parting/ptdump

I also created a script to fetch and cross-compile the kernel for each
of the 21 subarchitectures which required fixes to provide a virtual
address to pmd_populate_kernel. I have no idea if it is useful and maybe
one already exists, but it worked well for me over some alternatives
(xcross, buildroot):

github.com/maxwell-bland/x-linux

As with the last patchset, I also measured performance using Torvalds'
test-tlb program on an aarch64 QEMU instance, with results here:

github.com/maxwell-bland/linux-patch-data/tree/main/code_data_parting/tlbperf

As all changes to other arches are effectively no-ops, performance
impacts in those domains are negligible.

Maxwell Bland (5):
  mm: allow arch refinement/skip for vmap alloc
  arm64: mm: code and data partitioning for aslr
  mm: add vaddr param to pmd_populate_kernel
  arm64: dynamic enforcement of PXNTable
  ptdump: add state parameter for non-leaf callback

 arch/alpha/include/asm/pgalloc.h | 5 +-
 arch/arc/include/asm/pgalloc.h | 3 +-
 arch/arc/mm/highmem.c | 2 +-
 arch/arm/include/asm/kfence.h | 2 +-
 arch/arm/include/asm/pgalloc.h | 3 +-
 arch/arm/mm/kasan_init.c | 2 +-
 arch/arm/mm/mmu.c | 2 +-
 arch/arm64/include/asm/module.h | 12 ++++
 arch/arm64/include/asm/pgalloc.h | 15 ++++-
 arch/arm64/include/asm/vmalloc.h | 17 ++++-
 arch/arm64/kernel/Makefile | 2 +-
 arch/arm64/kernel/module.c | 7 +-
 arch/arm64/kernel/probes/kprobes.c | 7 +-
 arch/arm64/kernel/setup.c | 4 ++
 arch/arm64/kernel/vmalloc.c | 71 ++++++++++++++++++++
 arch/arm64/mm/ptdump.c | 10 +--
 arch/arm64/mm/trans_pgd.c | 2 +-
 arch/arm64/net/bpf_jit_comp.c | 8 ++-
 arch/csky/include/asm/pgalloc.h | 2 +-
 arch/hexagon/include/asm/pgalloc.h | 2 +-
 arch/loongarch/include/asm/pgalloc.h | 3 +-
 arch/loongarch/mm/init.c | 2 +-
 arch/loongarch/mm/kasan_init.c | 2 +-
 arch/m68k/include/asm/mcf_pgalloc.h | 2 +-
 arch/m68k/include/asm/motorola_pgalloc.h | 3 +-
 arch/m68k/include/asm/sun3_pgalloc.h | 3 +-
 arch/microblaze/include/asm/pgalloc.h | 2 +-
 arch/mips/include/asm/pgalloc.h | 2 +-
 arch/mips/kvm/mmu.c | 2 +-
 arch/nios2/include/asm/pgalloc.h | 2 +-
 arch/openrisc/include/asm/pgalloc.h | 2 +-
 arch/parisc/include/asm/pgalloc.h | 5 +-
 arch/parisc/mm/init.c | 6 +-
 arch/powerpc/include/asm/book3s/32/pgalloc.h | 2 +-
 arch/powerpc/include/asm/book3s/64/pgalloc.h | 2 +-
 arch/powerpc/include/asm/nohash/32/pgalloc.h | 2 +-
 arch/powerpc/include/asm/nohash/64/pgalloc.h | 2 +-
 arch/powerpc/mm/book3s64/radix_pgtable.c | 2 +-
 arch/powerpc/mm/kasan/init_32.c | 4 +-
 arch/powerpc/mm/kasan/init_book3e_64.c | 9 ++-
 arch/powerpc/mm/kasan/init_book3s_64.c | 7 +-
 arch/powerpc/mm/nohash/book3e_pgtable.c | 2 +-
 arch/powerpc/mm/pgtable_32.c | 4 +-
 arch/powerpc/mm/ptdump/ptdump.c | 2 +
 arch/riscv/include/asm/pgalloc.h | 2 +-
 arch/riscv/kernel/hibernate.c | 2 +-
 arch/riscv/mm/ptdump.c | 6 +-
 arch/s390/include/asm/pgalloc.h | 2 +-
 arch/s390/mm/dump_pagetables.c | 6 +-
 arch/sh/include/asm/pgalloc.h | 2 +-
 arch/sh/mm/init.c | 2 +-
 arch/sparc/include/asm/pgalloc_32.h | 3 +-
 arch/sparc/include/asm/pgalloc_64.h | 4 +-
 arch/sparc/mm/init_64.c | 8 +--
 arch/um/include/asm/pgalloc.h | 4 +-
 arch/x86/include/asm/pgalloc.h | 3 +-
 arch/x86/mm/dump_pagetables.c | 3 +-
 arch/x86/mm/init_64.c | 14 +++-
 arch/x86/mm/ioremap.c | 2 +-
 arch/x86/mm/kasan_init_64.c | 2 +-
 arch/xtensa/include/asm/pgalloc.h | 2 +-
 include/linux/mm.h | 4 +-
 include/linux/ptdump.h | 1 +
 include/linux/vmalloc.h | 24 +++++++
 mm/hugetlb_vmemmap.c | 4 +-
 mm/kasan/init.c | 14 ++--
 mm/memory.c | 4 +-
 mm/percpu.c | 2 +-
 mm/pgalloc-track.h | 3 +-
 mm/ptdump.c | 13 ++++
 mm/sparse-vmemmap.c | 2 +-
 mm/vmalloc.c | 16 +++--
 72 files changed, 299 insertions(+), 107 deletions(-)
 create mode 100644 arch/arm64/kernel/vmalloc.c

base-commit: 0bbac3facb5d6cc0171c45c9873a2dc96bea9680
--
2.39.2
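
Added example, not part of the patch series or of the author's code: a user-space C model of the argument made in the cover letter above. It places the same alternating code/data requests with and without a placement check and counts how many PMD-sized spans end up holding both kinds. toy_alloc(), area_allowed(), the BASE address and the 2 MiB PMD span (4 KiB granule) are assumptions made for the illustration, not the kernel interfaces the series adds.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE  4096ULL
#define PMD_SIZE   (1ULL << 21)           /* assumed: 4 KiB granule, 2 MiB per PMD entry */
#define BASE       0xffff800080000000ULL  /* constructed, PMD-aligned start address */
#define MAX_ALLOCS 64
enum kind { KIND_DATA = 1, KIND_CODE = 2 };
struct alloc { uint64_t start, end; enum kind kind; };
struct summary { unsigned code_only, data_only, mixed, empty; };

/* Toy address space [base, base + npmd * PMD_SIZE) with first-fit placement. */
struct space {
	uint64_t base, code_lo, code_hi;   /* [code_lo, code_hi) is reserved for code */
	unsigned npmd, partition;          /* partition == 0: placement ignores the kind */
	struct alloc allocs[MAX_ALLOCS]; size_t n;
};

/* Bitmask of the allocation kinds that overlap [lo, hi). */
static unsigned kinds_in(const struct space *sp, uint64_t lo, uint64_t hi)
{
	unsigned mask = 0;
	for (size_t i = 0; i < sp->n; i++)
		if (sp->allocs[i].start < hi && lo < sp->allocs[i].end)
			mask |= (unsigned)sp->allocs[i].kind;
	return mask;
}

/* Hypothetical stand-in for the arch callback: may [s, e) serve a request of kind k? */
static int area_allowed(const struct space *sp, uint64_t s, uint64_t e, enum kind k)
{
	if (!sp->partition)
		return 1;
	if (k == KIND_CODE)
		return s >= sp->code_lo && e <= sp->code_hi;
	return e <= sp->code_lo || s >= sp->code_hi;
}

/* Returns the start address chosen for the request, or 0 if nothing fits. */
uint64_t toy_alloc(struct space *sp, uint64_t size, enum kind k)
{
	uint64_t end = sp->base + sp->npmd * PMD_SIZE;
	for (uint64_t s = sp->base; size && sp->n < MAX_ALLOCS && s + size <= end; s += PAGE_SIZE)
		if (!kinds_in(sp, s, s + size) && area_allowed(sp, s, s + size, k)) {
			sp->allocs[sp->n++] = (struct alloc){ s, s + size, k };
			return s;
		}
	return 0;
}

/* Classify every PMD-sized span by the kinds of allocation that touch it. */
struct summary classify(const struct space *sp)
{
	struct summary r = { 0, 0, 0, 0 };
	for (unsigned i = 0; i < sp->npmd; i++)
		switch (kinds_in(sp, sp->base + i * PMD_SIZE, sp->base + (i + 1ULL) * PMD_SIZE)) {
		case 0:         r.empty++;     break;
		case KIND_DATA: r.data_only++; break;  /* table entry could carry PXNTable */
		case KIND_CODE: r.code_only++; break;
		default:        r.mixed++;     break;  /* only per-PTE bits separate the two */
		}
	return r;
}

/* Constructed workload: eight 16 KiB requests alternating code and data. */
struct summary run_demo(unsigned partition)
{
	struct space sp = { .base = BASE, .code_lo = BASE, .code_hi = BASE + PMD_SIZE,
			    .npmd = 4, .partition = partition };
	for (int i = 0; i < 8; i++)
		toy_alloc(&sp, 4 * PAGE_SIZE, (i & 1) ? KIND_DATA : KIND_CODE);
	return classify(&sp);
}

int main(void)
{
	printf("mixed PMD spans: interleaved=%u partitioned=%u\n", run_demo(0).mixed, run_demo(1).mixed);
	return 0;
}
```

With the check disabled all eight requests land in one span that holds both kinds; with it enabled the code requests stay in the reserved window and the data requests start at the next PMD boundary.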