From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 51A79C3DA4A
	for <linux-mm@archiver.kernel.org>; Mon, 19 Aug 2024 09:18:04 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id CAACB6B0082; Mon, 19 Aug 2024 05:18:03 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id C33F06B0083; Mon, 19 Aug 2024 05:18:03 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id AD4506B0085; Mon, 19 Aug 2024 05:18:03 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10])
	by kanga.kvack.org (Postfix) with ESMTP id 8EF8D6B0082
	for <linux-mm@kvack.org>; Mon, 19 Aug 2024 05:18:03 -0400 (EDT)
Received: from smtpin18.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay10.hostedemail.com (Postfix) with ESMTP id 35B5BC10CC
	for <linux-mm@kvack.org>; Mon, 19 Aug 2024 09:18:03 +0000 (UTC)
X-FDA: 82468443246.18.DA4FC1E
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
	by imf13.hostedemail.com (Postfix) with ESMTP id 1BAA820019
	for <linux-mm@kvack.org>; Mon, 19 Aug 2024 09:18:00 +0000 (UTC)
Authentication-Results: imf13.hostedemail.com;
	dkim=none;
	spf=pass (imf13.hostedemail.com: domain of cmarinas@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=cmarinas@kernel.org;
	dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=arm.com (policy=none)
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com;
	s=arc-20220608; t=1724059003;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=BifC804uEVekxREuj9AUJ2LS8eWd5ydxmkMfE+7OTSs=;
	b=gVA6KPJKzqzwRQ5jZNE2QEfHfpablqohY7QXYEW+EZr42DxY6Byn9BEpwJEz9+nwDfTgwF
	YfMKBUt6kzG3I0NwcnEoxFXja5uALTYyRik6LP52xmfs1MNcNd83isa4xbi0ZnQ65N3MIg
	Oipy2EQarYpp0boTeydxrqBMCQFwifs=
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1724059003; a=rsa-sha256;
	cv=none;
	b=jA+y4z4OJHO68zE3dR8b3hC6M7WTNEqGr/7l0HNRzq3NZwsJPK2U6oOoeAc27svH/cVHft
	gQkxerzOumk+glGNM2NPYdKM226Nh8uUgaDYa0YfdW3gHgHLxc4C4lhhBiaR3nhc8aVEof
	V73H0QYpz7vhSisE01htmP3mF7AbdYM=
ARC-Authentication-Results: i=1;
	imf13.hostedemail.com;
	dkim=none;
	spf=pass (imf13.hostedemail.com: domain of cmarinas@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=cmarinas@kernel.org;
	dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=arm.com (policy=none)
Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58])
	by dfw.source.kernel.org (Postfix) with ESMTP id 3E84860B9E;
	Mon, 19 Aug 2024 09:18:00 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6A8FCC32782;
	Mon, 19 Aug 2024 09:17:54 +0000 (UTC)
Date: Mon, 19 Aug 2024 10:17:52 +0100
From: Catalin Marinas <catalin.marinas@arm.com>
To: Mark Brown <broonie@kernel.org>
Cc: Will Deacon <will@kernel.org>, Jonathan Corbet <corbet@lwn.net>,
	Andrew Morton <akpm@linux-foundation.org>,
	Marc Zyngier <maz@kernel.org>,
	Oliver Upton <oliver.upton@linux.dev>,
	James Morse <james.morse@arm.com>,
	Suzuki K Poulose <suzuki.poulose@arm.com>,
	Arnd Bergmann <arnd@arndb.de>, Oleg Nesterov <oleg@redhat.com>,
	Eric Biederman <ebiederm@xmission.com>,
	Shuah Khan <shuah@kernel.org>,
	"Rick P. Edgecombe" <rick.p.edgecombe@intel.com>,
	Deepak Gupta <debug@rivosinc.com>, Ard Biesheuvel <ardb@kernel.org>,
	Szabolcs Nagy <Szabolcs.Nagy@arm.com>, Kees Cook <kees@kernel.org>,
	"H.J. Lu" <hjl.tools@gmail.com>,
	Paul Walmsley <paul.walmsley@sifive.com>,
	Palmer Dabbelt <palmer@dabbelt.com>,
	Albert Ou <aou@eecs.berkeley.edu>,
	Florian Weimer <fweimer@redhat.com>,
	Christian Brauner <brauner@kernel.org>,
	Thiago Jung Bauermann <thiago.bauermann@linaro.org>,
	Ross Burton <ross.burton@arm.com>,
	linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org,
	kvmarm@lists.linux.dev, linux-fsdevel@vger.kernel.org,
	linux-arch@vger.kernel.org, linux-mm@kvack.org,
	linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-riscv@lists.infradead.org
Subject: Re: [PATCH v10 18/40] arm64/mm: Handle GCS data aborts
Message-ID: <ZsMNwAsAWr2IxFns@arm.com>
References: <20240801-arm64-gcs-v10-0-699e2bd2190b@kernel.org>
 <20240801-arm64-gcs-v10-18-699e2bd2190b@kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20240801-arm64-gcs-v10-18-699e2bd2190b@kernel.org>
X-TUID: ycLXmrxDHVW6
X-Rspam-User: 
X-Rspamd-Server: rspam04
X-Rspamd-Queue-Id: 1BAA820019
X-Stat-Signature: nonrsmtrsi9ciuzjri819xi71rft6g6m
X-HE-Tag: 1724059080-636053
X-HE-Meta: U2FsdGVkX19KbT8XW1d1zCNk8xLHfC31jradQzfI7mqkJ6iVOCtk4ajJmZOCc1Cp961PlbKw0dNE+7TJ8r/2teR/extsL0uV80/82Iqafl/syCxAa4+OywvhpAPO67WymHaomJ26nEXx4Bbc5MlvglCa1ynqfxfx8p2W05hId3aLS4PSwBRq+BTAARsG9QzUD20a3JH1mLBfbVDn7VeVKlwRMB58mdtpZRhJg9Ad7Ie3VsDl0dwZz9RIs5TRA8flX/oeNxUGxMBxawmBnkM2PAEvonH96Fos5Syw/rLYjBROa5moO/R+fTBs8As9biqMfNdkT10gFi/IU1dnD9QwLRuQ7s+6hO6Xg8jvPHjKV34Kt6JtCgvvVW+d9K5ftfn0MoaiEB2okQ0TiV1uL1FCnS84pIpwDspzxygkB2t3/fDU9zP1QIliFa7lm0L5uevhZ1i+XXXmNul5HJLhdW4gOJ8tLWcDRuRBls7SPaAVEm8THlfcVcrNuzIe5IuhyygHdXqSy/8FTb+pGttileDigumwHrazPOxsjV4RQ+7d2cfrOIj2ThOuN5RajdjlY8dl4FrmJmbPV0Rohh9vOw/OZrnr3T/5BPA9/Bl3ITQVEOzgCTkwBZcGTNQRV0wor5bKnikZOf5k7NjQfTYZ7BBug4YErqa1TSLUu0Zax+QZQMCl332iuyR2knHa6+sL3k0YAbaqbtZ4owWc7UiF10Hpqbj6N/8T+URrMP9fnplzys1KUX9+gBZkTF4Ra66qD7GzpokkfsQ2h8qdryZAS3hvANCvgGpg9tgQjHAzW6MlFpWEUsnxJRIaVyRALSAnv1TFOZPB0D5g5oK/s8mBQRqrt7hh22b62yLegF3pwdYyJM+l6tbZReuwOkANUDk6pP0UG9UOcLYxLpXIr/i2c4vF2GZnL4+7TD2KF31GKHOnE2w9ZFs4clIDDtNG5x2Lu7mvhuem7y97plpXzt/xbI9
 Fyi5zjRs
 EkkV7gD30xs3DHmvp/QYaPhL7wQwC8HB9K/Hf+idafSgEF1+4L1APNGBwzJIuXhMy/oKm/0Y+uLKv4ST8AUMNxHpU0nQNaTV5M7GPY0f6XgOS/4c1wQtdZIaJo2SMsTbx637prKL9wMc3nunyP+MdEQWF4X/n5vHie8XOsgJpyEDmN0fIQKKBr85y70MhNukM4T5sK3BT+uGEPF+cz/PMvpFfxPjJ0sFxo4jkduV7uSX2Ti9jnCESRTZBfMJp3kZJ7d0+OhQatIdEHk7MgNjfWrJycV7YPVLogFhSEhFGI6Re7h1xffiVE6oLU6OTkeJGImTD8ejxy1beHZyTNmk+lnDPfDfQUCrnw2C4ESxHYuLcR6NQMj4oEwirjvdy6ac6bnYSjaEeRkMdXY4aZkEz2U6D5FoO6W6TUB5A85BdNJ3Pm5w=
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

On Thu, Aug 01, 2024 at 01:06:45PM +0100, Mark Brown wrote:
> diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
> index 451ba7cbd5ad..0973dd09f11a 100644
> --- a/arch/arm64/mm/fault.c
> +++ b/arch/arm64/mm/fault.c
> @@ -486,6 +486,14 @@ static void do_bad_area(unsigned long far, unsigned long esr,
>  	}
>  }
>  
> +static bool is_gcs_fault(unsigned long esr)
> +{
> +	if (!esr_is_data_abort(esr))
> +		return false;
> +
> +	return ESR_ELx_ISS2(esr) & ESR_ELx_GCS;
> +}
> +
>  static bool is_el0_instruction_abort(unsigned long esr)
>  {
>  	return ESR_ELx_EC(esr) == ESR_ELx_EC_IABT_LOW;
> @@ -500,6 +508,25 @@ static bool is_write_abort(unsigned long esr)
>  	return (esr & ESR_ELx_WNR) && !(esr & ESR_ELx_CM);
>  }
>  
> +static bool is_invalid_gcs_access(struct vm_area_struct *vma, u64 esr)
> +{
> +	if (!system_supports_gcs())
> +		return false;
> +
> +	if (unlikely(is_gcs_fault(esr))) {
> +		/* GCS accesses must be performed on a GCS page */
> +		if (!(vma->vm_flags & VM_SHADOW_STACK))
> +			return true;
> +		if (!(vma->vm_flags & VM_WRITE))
> +			return true;

Do we need the VM_WRITE check here? Further down in do_page_fault(), we
already do the check as we set vm_flags = VM_WRITE.

> +	} else if (unlikely(vma->vm_flags & VM_SHADOW_STACK)) {
> +		/* Only GCS operations can write to a GCS page */
> +		return is_write_abort(esr);
> +	}
> +
> +	return false;
> +}
> +
>  static int __kprobes do_page_fault(unsigned long far, unsigned long esr,
>  				   struct pt_regs *regs)
>  {
> @@ -535,6 +562,14 @@ static int __kprobes do_page_fault(unsigned long far, unsigned long esr,
>  		/* It was exec fault */
>  		vm_flags = VM_EXEC;
>  		mm_flags |= FAULT_FLAG_INSTRUCTION;
> +	} else if (is_gcs_fault(esr)) {
> +		/*
> +		 * The GCS permission on a page implies both read and
> +		 * write so always handle any GCS fault as a write fault,
> +		 * we need to trigger CoW even for GCS reads.
> +		 */
> +		vm_flags = VM_WRITE;
> +		mm_flags |= FAULT_FLAG_WRITE;
>  	} else if (is_write_abort(esr)) {
>  		/* It was write fault */
>  		vm_flags = VM_WRITE;
> @@ -568,6 +603,13 @@ static int __kprobes do_page_fault(unsigned long far, unsigned long esr,
>  	if (!vma)
>  		goto lock_mmap;
>  
> +	if (is_invalid_gcs_access(vma, esr)) {
> +		vma_end_read(vma);
> +		fault = 0;
> +		si_code = SEGV_ACCERR;
> +		goto bad_area;
> +	}
> +
>  	if (!(vma->vm_flags & vm_flags)) {
>  		vma_end_read(vma);
>  		fault = 0;

This check I mentioned above.

I was wondering whether we should prevent mprotect(PROT_READ) on the GCS
page. But I guess that's fine, we'll SIGSEGV later if we get an invalid
GCS access.

-- 
Catalin