Date: Sun, 12 May 2024 18:31:24 +0200
Subject: Re: [PATCH v3 13/29] riscv mmu: write protect and shadow stack
From: Alexandre Ghiti

On 04/04/2024 01:35, Deepak Gupta wrote:
> `fork` implements copy on write (COW) by making pages readonly in child
> and parent both.
>
> ptep_set_wrprotect and pte_wrprotect clears _PAGE_WRITE in PTE.
> Assumption is that page is readable and on fault copy on write happens.
>
> To implement COW on such pages,

I guess you mean "shadow stack pages" here.

> clearing up W bit makes them XWR = 000.
> This will result in wrong PTE setting which says no perms but V=1 and PFN
> field pointing to final page. Instead desired behavior is to turn it into
> a readable page, take an access (load/store) fault on sspush/sspop
> (shadow stack) and then perform COW on such pages.
> This way regular reads
> would still be allowed and not lead to COW maintaining current behavior
> of COW on non-shadow stack but writeable memory.
>
> On the other hand it doesn't interfere with existing COW for read-write
> memory. Assumption is always that _PAGE_READ must have been set and thus
> setting _PAGE_READ is harmless.
>
> Signed-off-by: Deepak Gupta
> ---
> arch/riscv/include/asm/pgtable.h | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
> > diff --git a/arch/riscv/include/asm/pgtable.h b/arch/riscv/include/asm/pgtable.h > index 9b837239d3e8..7a1c2a98d272 100644 > --- a/arch/riscv/include/asm/pgtable.h > +++ b/arch/riscv/include/asm/pgtable.h > @@ -398,7 +398,7 @@ static inline int pte_special(pte_t pte) > > static inline pte_t pte_wrprotect(pte_t pte) > { > - return __pte(pte_val(pte) & ~(_PAGE_WRITE)); > + return __pte((pte_val(pte) & ~(_PAGE_WRITE)) | (_PAGE_READ)); > } > > /* static inline pte_t pte_mkread(pte_t pte) */ > @@ -581,7 +581,15 @@ static inline pte_t ptep_get_and_clear(struct mm_struct *mm, > static inline void ptep_set_wrprotect(struct mm_struct *mm, > unsigned long address, pte_t *ptep) > { > - atomic_long_and(~(unsigned long)_PAGE_WRITE, (atomic_long_t *)ptep); > + volatile pte_t read_pte = *ptep; > + /* > + * ptep_set_wrprotect can be called for shadow stack ranges too. > + * shadow stack memory is XWR = 010 and thus clearing _PAGE_WRITE will lead to > + * encoding 000b which is wrong encoding with V = 1. This should lead to page fault > + * but we dont want this wrong configuration to be set in page tables. > + */ > + atomic_long_set((atomic_long_t *)ptep, > + ((pte_val(read_pte) & ~(unsigned long)_PAGE_WRITE) | _PAGE_READ)); > } > > #define __HAVE_ARCH_PTEP_CLEAR_YOUNG_FLUSH Doesn't making the shadow stack page readable allow "normal" loads to access the page? If it does, isn't that an issue (security-wise)?
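Review bot: In pte_wrprotect(), _PAGE_READ is ORed in unconditionally, so the commit message's assumption that _PAGE_READ "must have been set" is relied on but never checked. Any PTE that reaches this helper without R set and is not a shadow stack page would silently gain read permission. Consider setting _PAGE_READ only when the incoming encoding is the write-only shadow stack one (W set, R and X clear), or add a comment above the function explaining why widening to readable is safe for every caller; unlike ptep_set_wrprotect() in the next hunk, this change carries no comment at all.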
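Review bot: In ptep_set_wrprotect(), the single atomic_long_and() is replaced by a plain read of *ptep followed by atomic_long_set(), which is no longer an atomic read-modify-write. Any change made to the PTE between the read and the store is overwritten with the stale value held in read_pte. A compare-and-exchange loop that retries when the PTE has changed would keep the atomicity of the old code while still producing the R-set encoding. Separately, READ_ONCE(*ptep) is the usual idiom rather than a volatile local, and the new comment has "dont" for "don't".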