From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 32828C433EF for ; Wed, 17 Nov 2021 16:48:08 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id A141461C32 for ; Wed, 17 Nov 2021 16:48:07 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org A141461C32 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=soleen.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=kvack.org Received: by kanga.kvack.org (Postfix) id EC5F96B0071; Wed, 17 Nov 2021 11:47:56 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id E747C6B0073; Wed, 17 Nov 2021 11:47:56 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id D15236B0074; Wed, 17 Nov 2021 11:47:56 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13]) by kanga.kvack.org (Postfix) with ESMTP id C35136B0071 for ; Wed, 17 Nov 2021 11:47:56 -0500 (EST) Received: from smtpin27.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay02.hostedemail.com (Postfix) with ESMTP id 8913A8479E for ; Wed, 17 Nov 2021 16:47:46 +0000 (UTC) X-FDA: 78819003690.27.3BED4CE Received: from mail-ed1-f51.google.com (mail-ed1-f51.google.com [209.85.208.51]) by imf10.hostedemail.com (Postfix) with ESMTP id F3003600199E for ; Wed, 17 Nov 2021 16:47:45 +0000 (UTC) Received: by mail-ed1-f51.google.com with SMTP id w1so13867413edd.10 for ; Wed, 17 Nov 2021 08:47:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=soleen.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ScuePVig2+6JEGtMxOXcRDUBeyhJaT5Z7Na+LqxWaRI=; b=OuPAkQjhwu1zOCBjeWzGpGZPYHqv1O5iU93TRNAUDap1urYSr4crwZ85VM/LJ45Lq9 RTd5nQ/dt0pvO6Q6ECsB1sVB1p2zfFSCMramPV2SHAVV7jZVSP2Bj5H+0t7D4HI7ir1P RA/OHuxebKX94zZLVe6OAKGRtLcxbqxqkK4yrBnJ1W2OWwN+o3SWasHe4uQspSxq5tyO xgvcqhB55OC1h5WEqEoYVeDlP/CHBzUtjmnZ1jaMjdslEhoD9VP2I+i8NyGFHOKw/jdy n0QJdCqjMEoKoWHkY9qY3uNcFY6omoPIItWhQEWdlK3V2rFUPkCBoSoD67vofLnFwgDF tbRw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ScuePVig2+6JEGtMxOXcRDUBeyhJaT5Z7Na+LqxWaRI=; b=eEHKxBc0whZ/yyKXNWvdTSss2PzpwvyH85sBdPzsng+CM6csTDo3v4CUZtd6ujeSjj CMfeSOJ41F9FMeh7BbjMaHpYxdIqnI58ZKP3NvbP+1eK4kR5xvL68ECCpM8tKP0u/YkO a5MR5IpjfoMLfis6AbWyZ97TVFUjGsR392X0tv9K/m6/z0b8fYmmc/pwrrtnrCXLDCHn XevcX0C0QgClQ0i0J5t2px9+pbiB/kVi0ke7nAkFOB7AwMe6SiT3soiCOmZG1nUYJa26 h4vM8l/rfuH0lCALkZ91LruWiP+q+NGuJz0ileE4RQxorGpQeCp1dmap/6tXmCtP12a/ ktGQ== X-Gm-Message-State: AOAM530JqhDtGZQpTUhpDjnBQRRmwb3IzCQZGXH2SRMVok5L0fXH2dUf zO08UL+cJ/dm9bhALCJeZM4d/HRzxtMPTBl8F7nuUA== X-Google-Smtp-Source: ABdhPJyAGNTWz9a3U4XU4978MbGu9P5P8hAtsQiHg+kzEeQtvN6JAJ7Sc1+xsI1+tr2jObUZ6jHciI3iHnf6pYUC2aA= X-Received: by 2002:a50:c212:: with SMTP id n18mr6606edf.211.1637167664600; Wed, 17 Nov 2021 08:47:44 -0800 (PST) MIME-Version: 1.0 References: <20211116220038.116484-1-pasha.tatashin@soleen.com> <20211116220038.116484-3-pasha.tatashin@soleen.com> <878rxngq6g.fsf@meer.lwn.net> In-Reply-To: <878rxngq6g.fsf@meer.lwn.net> From: Pasha Tatashin Date: Wed, 17 Nov 2021 11:47:08 -0500 Message-ID: Subject: Re: [RFC 2/3] mm: page table check To: Jonathan Corbet Cc: LKML , linux-mm , Linux Doc Mailing List , Andrew Morton , David Rientjes , Paul Turner , weixugc@google.com, Greg Thelen , Ingo Molnar , Will Deacon , Mike Rapoport , Kees Cook , Thomas Gleixner , Peter Zijlstra , masahiroy@kernel.org, Sami Tolvanen , Dave Hansen , "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)" , frederic@kernel.org, "H. Peter Anvin" , "Aneesh Kumar K.V" Content-Type: text/plain; charset="UTF-8" X-Rspamd-Server: rspam08 X-Rspamd-Queue-Id: F3003600199E X-Stat-Signature: txc3ddkbsir1ga5u6edz3nps66mio1qy Authentication-Results: imf10.hostedemail.com; dkim=pass header.d=soleen.com header.s=google header.b=OuPAkQjh; dmarc=none; spf=pass (imf10.hostedemail.com: domain of pasha.tatashin@soleen.com designates 209.85.208.51 as permitted sender) smtp.mailfrom=pasha.tatashin@soleen.com X-HE-Tag: 1637167665-447231 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: > > Documentation/vm/page_table_check.rst | 53 ++++++ > > Thanks for documenting this feature! When you add a new RST file, > though, you need to add it to the index.rst file as well so that it is > included in the docs build. I will add the index.rst changes. > > > MAINTAINERS | 9 + > > arch/Kconfig | 3 + > > include/linux/page_table_check.h | 147 ++++++++++++++ > > mm/Kconfig.debug | 24 +++ > > mm/Makefile | 1 + > > mm/page_alloc.c | 4 + > > mm/page_ext.c | 4 + > > mm/page_table_check.c | 264 ++++++++++++++++++++++++++ > > 9 files changed, 509 insertions(+) > > create mode 100644 Documentation/vm/page_table_check.rst > > create mode 100644 include/linux/page_table_check.h > > create mode 100644 mm/page_table_check.c > > > > diff --git a/Documentation/vm/page_table_check.rst b/Documentation/vm/page_table_check.rst > > new file mode 100644 > > index 000000000000..41435a45869f > > --- /dev/null > > +++ b/Documentation/vm/page_table_check.rst > > @@ -0,0 +1,53 @@ > > +.. SPDX-License-Identifier: GPL-2.0 > > + > > +.. _page_table_check: > > Do you need this label for anything? As-is it's just added visual > clutter and could come out. Sure, I will remove it > > > +================ > > +Page Table Check > > +================ > > + > > +Page table check allows to hardern the kernel by ensuring that some types of > > +memory corruptions are prevented. > > + > > +Page table check performs extra verifications at the time when new pages become > > +accessible from userspace by getting their page table entries (PTEs PMDs etc.) > > +added into the table. > > + > > +In case of detected corruption, the kernel is crashed. There is a small > > +performance and memory overhead associated with page table check. Thereofre, it > > +is disabled by default but can be optionally enabled on systems where extra > > +hardening outweighs the costs. Also, because page table check is synchronous, it > > +can help with debugging double map memory corruption issues, by crashing kernel > > +at the time wrong mapping occurs instead of later which is often the case with > > +memory corruptions bugs. > > + > > +============================== > > +Double mapping detection logic > > +============================== > > I'd use subsection markup (single "==========" line underneath) for the > subsections. I will change to subsection. Thanks, Pasha On Wed, Nov 17, 2021 at 3:08 AM Jonathan Corbet wrote: > > Pasha Tatashin writes: > > > Check user page table entries at the time they are added and removed. > > > > Allows to synchronously catch memory corruption issues related to > > double mapping. > > > > When a pte for an anonymous page is added into page table, we verify > > that this pte does not already point to a file backed page, and vice > > versa if this is a file backed page that is being added we verify that > > this page does not have an anonymous mapping > > > > We also enforce that read-only sharing for anonymous pages is allowed > > (i.e. cow after fork). All other sharing must be for file pages. > > > > Page table check allows to protect and debug cases where "struct page" > > metadata became corrupted for some reason. For example, when refcnt or > > mapcount become invalid. > > > > Signed-off-by: Pasha Tatashin > > --- > > Documentation/vm/page_table_check.rst | 53 ++++++ > > Thanks for documenting this feature! When you add a new RST file, > though, you need to add it to the index.rst file as well so that it is > included in the docs build. > > > MAINTAINERS | 9 + > > arch/Kconfig | 3 + > > include/linux/page_table_check.h | 147 ++++++++++++++ > > mm/Kconfig.debug | 24 +++ > > mm/Makefile | 1 + > > mm/page_alloc.c | 4 + > > mm/page_ext.c | 4 + > > mm/page_table_check.c | 264 ++++++++++++++++++++++++++ > > 9 files changed, 509 insertions(+) > > create mode 100644 Documentation/vm/page_table_check.rst > > create mode 100644 include/linux/page_table_check.h > > create mode 100644 mm/page_table_check.c > > > > diff --git a/Documentation/vm/page_table_check.rst b/Documentation/vm/page_table_check.rst > > new file mode 100644 > > index 000000000000..41435a45869f > > --- /dev/null > > +++ b/Documentation/vm/page_table_check.rst > > @@ -0,0 +1,53 @@ > > +.. SPDX-License-Identifier: GPL-2.0 > > + > > +.. _page_table_check: > > Do you need this label for anything? As-is it's just added visual > clutter and could come out. > > > +================ > > +Page Table Check > > +================ > > + > > +Page table check allows to hardern the kernel by ensuring that some types of > > +memory corruptions are prevented. > > + > > +Page table check performs extra verifications at the time when new pages become > > +accessible from userspace by getting their page table entries (PTEs PMDs etc.) > > +added into the table. > > + > > +In case of detected corruption, the kernel is crashed. There is a small > > +performance and memory overhead associated with page table check. Thereofre, it > > +is disabled by default but can be optionally enabled on systems where extra > > +hardening outweighs the costs. Also, because page table check is synchronous, it > > +can help with debugging double map memory corruption issues, by crashing kernel > > +at the time wrong mapping occurs instead of later which is often the case with > > +memory corruptions bugs. > > + > > +============================== > > +Double mapping detection logic > > +============================== > > I'd use subsection markup (single "==========" line underneath) for the > subsections. > > > ++-------------------+-------------------+-------------------+------------------+ > > +| Current Mapping | New mapping | Permissions | Rule | > > ++===================+===================+===================+==================+ > > +| Anonymous | Anonymous | Read | Allow | > > ++-------------------+-------------------+-------------------+------------------+ > > +| Anonymous | Anonymous | Read / Write | Prohibit | > > ++-------------------+-------------------+-------------------+------------------+ > > +| Anonymous | Named | Any | Prohibit | > > ++-------------------+-------------------+-------------------+------------------+ > > +| Named | Anonymous | Any | Prohibit | > > ++-------------------+-------------------+-------------------+------------------+ > > +| Named | Named | Any | Allow | > > ++-------------------+-------------------+-------------------+------------------+ > > + > > +========================= > > +Enabling Page Table Check > > +========================= > > + > > +Build kernel with: > > + > > +- PAGE_TABLE_CHECK=y > > +Note, it can only be enabled on platforms where ARCH_SUPPORTS_PAGE_TABLE_CHECK > > +is available. > > +- Boot with 'page_table_check=on' kernel parameter. > > + > > +Optionally, build kernel with PAGE_TABLE_CHECK_ENFORCED in order to have page > > +table support without extra kernel parameter. > > Thanks, > > jon