From: Florent Revest
To: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org
Cc: catalin.marinas@arm.com, will@kernel.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, x86@kernel.org, hpa@zytor.com, akpm@linux-foundation.org, broonie@kernel.org, thiago.bauermann@linaro.org, jackmanb@google.com, Florent Revest, stable@vger.kernel.org
Subject: [PATCH 1/4] mm: fix VM_UFFD_MINOR == VM_SHADOW_STACK on USERFAULTFD=y && ARM64_GCS=y
Date: Tue, 6 May 2025 11:52:21 +0200
Message-ID: <20250506095224.176085-2-revest@chromium.org>
In-Reply-To: <20250506095224.176085-1-revest@chromium.org>
References: <20250506095224.176085-1-revest@chromium.org>

On configs with CONFIG_ARM64_GCS=y, VM_SHADOW_STACK is bit 38.

On configs with CONFIG_HAVE_ARCH_USERFAULTFD_MINOR=y (selected by
CONFIG_ARM64 when CONFIG_USERFAULTFD=y), VM_UFFD_MINOR is _also_ bit 38.

This bit being shared by two different VMA flags could lead to all sorts
of unintended behaviors.
Presumably, a process could maybe call into userfaultfd in a way that
disables the shadow stack vma flag. I can't think of any attack where
this would help (presumably, if an attacker tries to disable shadow
stacks, they are trying to hijack control flow so can't arbitrarily call
into userfaultfd yet anyway) but this still feels somewhat scary.

Fixes: ae80e1629aea ("mm: Define VM_SHADOW_STACK for arm64 when we support GCS")
Cc:
Signed-off-by: Florent Revest
---
 include/linux/mm.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/mm.h b/include/linux/mm.h
index bf55206935c46..fdda6b16263b3 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -385,7 +385,7 @@ extern unsigned int kobjsize(const void *objp);
 #endif
 
 #ifdef CONFIG_HAVE_ARCH_USERFAULTFD_MINOR
-# define VM_UFFD_MINOR_BIT 38
+# define VM_UFFD_MINOR_BIT 41
 # define VM_UFFD_MINOR BIT(VM_UFFD_MINOR_BIT) /* UFFD minor faults */
 #else /* !CONFIG_HAVE_ARCH_USERFAULTFD_MINOR */
 # define VM_UFFD_MINOR VM_NONE
-- 
2.49.0.967.g6a0df3ecc3-goog
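Review bot: the `+# define VM_UFFD_MINOR_BIT 41` line gives no indication, in the header or in the commit message, of why 41 is the right free bit (nothing says which flags own bits 39 and 40), and nothing in the hunk prevents the next arch-specific flag from silently landing on the same bit as VM_UFFD_MINOR again, which is exactly how the collision with VM_SHADOW_STACK from Fixes: ae80e1629aea went unnoticed. Suggest a short comment on the new define naming the neighbouring fixed-bit flags it was placed after, plus a compile-time check once both names are visible, e.g. `static_assert(!(VM_UFFD_MINOR & VM_SHADOW_STACK));`, so a future overlap fails the build instead of aliasing VMA flags at runtime; the check stays trivially true in the `#else` branch where VM_UFFD_MINOR is VM_NONE, so it needs no extra ifdef.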
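As an added example that is not part of this patch or of the kernel's include/linux/mm.h: a user-space C model of the bit assignment the commit message describes. The flag names and bit numbers (38 for VM_SHADOW_STACK under ARM64_GCS; 38 before and 41 after the patch for VM_UFFD_MINOR) are the ones on the page, while `vma_clear_uffd_minor`, `shadow_stack_survives`, `looks_uffd_minor_registered` and `count_overlapping_flags` are hypothetical stand-ins for the kernel paths that set, test and clear these flags. It shows both aliasing directions (a userfaultfd unregister wiping VM_SHADOW_STACK, and a bare GCS VMA appearing to be registered for minor faults) and the build-time check that would have turned the collision into a compile error.

```c
/*
 * Added example, not kernel code: a user-space model of the vm_flags bit
 * collision fixed by the patch. Bit numbers follow the patch text; the
 * helper functions are hypothetical stand-ins for kernel paths.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t vm_flags_t;          /* vm_flags is 64-bit on arm64/x86_64 */
#define BIT(n) (1ULL << (n))

/* arm64 with CONFIG_ARM64_GCS=y: VM_SHADOW_STACK is bit 38 */
#define VM_SHADOW_STACK_BIT 38
#define VM_SHADOW_STACK     BIT(VM_SHADOW_STACK_BIT)

/* VM_UFFD_MINOR_BIT before (38) and after (41) the patch */
#define VM_UFFD_MINOR_BIT_OLD 38
#define VM_UFFD_MINOR_BIT_NEW 41

static vm_flags_t vm_uffd_minor(int uffd_minor_bit)
{
	return BIT(uffd_minor_bit);
}

/*
 * Stand-in for the userfaultfd unregister path clearing VM_UFFD_MINOR
 * from a VMA's flags. Returns the resulting flags.
 */
static vm_flags_t vma_clear_uffd_minor(vm_flags_t flags, int uffd_minor_bit)
{
	return flags & ~vm_uffd_minor(uffd_minor_bit);
}

/*
 * Direction 1: a shadow-stack VMA that also had uffd minor faults
 * registered and then unregistered. Does VM_SHADOW_STACK survive?
 */
static bool shadow_stack_survives(int uffd_minor_bit)
{
	vm_flags_t flags = VM_SHADOW_STACK | vm_uffd_minor(uffd_minor_bit);

	flags = vma_clear_uffd_minor(flags, uffd_minor_bit);
	return (flags & VM_SHADOW_STACK) != 0;
}

/*
 * Direction 2: a plain shadow-stack VMA with no uffd registration at
 * all. Does it look registered for minor faults to uffd code?
 */
static bool looks_uffd_minor_registered(int uffd_minor_bit)
{
	vm_flags_t flags = VM_SHADOW_STACK;

	return (flags & vm_uffd_minor(uffd_minor_bit)) != 0;
}

/* Generic check: number of flag pairs in a table that share any bit. */
static int count_overlapping_flags(const vm_flags_t *flags, size_t n)
{
	int overlaps = 0;

	for (size_t i = 0; i < n; i++)
		for (size_t j = i + 1; j < n; j++)
			if (flags[i] & flags[j])
				overlaps++;
	return overlaps;
}

/* Overlaps between VM_SHADOW_STACK and VM_UFFD_MINOR for a given bit choice. */
static int overlaps_with_uffd_minor_bit(int uffd_minor_bit)
{
	vm_flags_t table[] = { VM_SHADOW_STACK, vm_uffd_minor(uffd_minor_bit) };

	return count_overlapping_flags(table, sizeof(table) / sizeof(table[0]));
}

/* The build-time check the header lacks: with bit 38 this would not compile. */
_Static_assert((VM_SHADOW_STACK & BIT(VM_UFFD_MINOR_BIT_NEW)) == 0,
	       "VM_UFFD_MINOR must not alias VM_SHADOW_STACK");

int main(void)
{
	int bits[] = { VM_UFFD_MINOR_BIT_OLD, VM_UFFD_MINOR_BIT_NEW };

	for (size_t i = 0; i < sizeof(bits) / sizeof(bits[0]); i++) {
		int b = bits[i];

		printf("VM_UFFD_MINOR_BIT=%d: overlaps=%d, shadow stack survives "
		       "uffd unregister=%s, bare GCS vma looks uffd-registered=%s\n",
		       b, overlaps_with_uffd_minor_bit(b),
		       shadow_stack_survives(b) ? "yes" : "no",
		       looks_uffd_minor_registered(b) ? "yes" : "no");
	}
	return 0;
}
```

Build with any C11 compiler (`cc -std=c11 vmflags.c`); changing VM_UFFD_MINOR_BIT_NEW back to 38 makes the `_Static_assert` fire, which is the property a reviewer would want enforced in the real header rather than relying on someone noticing a duplicated bit number.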