Date: Tue, 20 Aug 2024 15:59:21 +0100
From: Catalin Marinas
To: Mark Brown
Cc: Will Deacon, Jonathan Corbet, Andrew Morton, Marc Zyngier, Oliver Upton,
 James Morse, Suzuki K Poulose, Arnd Bergmann, Oleg Nesterov, Eric Biederman,
 Shuah Khan, "Rick P. Edgecombe", Deepak Gupta, Ard Biesheuvel, Szabolcs Nagy,
 Kees Cook, "H.J. Lu", Paul Walmsley, Palmer Dabbelt, Albert Ou,
 Florian Weimer, Christian Brauner, Thiago Jung Bauermann, Ross Burton,
 linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org,
 kvmarm@lists.linux.dev, linux-fsdevel@vger.kernel.org,
 linux-arch@vger.kernel.org, linux-mm@kvack.org,
 linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org,
 linux-riscv@lists.infradead.org
Subject: Re: [PATCH v10 13/40] arm64/mm: Map pages for guarded control stack
References: <20240801-arm64-gcs-v10-0-699e2bd2190b@kernel.org> <20240801-arm64-gcs-v10-13-699e2bd2190b@kernel.org>

On Mon, Aug 19, 2024 at 05:33:24PM +0100, Mark Brown wrote:
> On Mon, Aug 19, 2024 at 10:10:36AM +0100, Catalin Marinas wrote:
> > On Thu, Aug 01, 2024 at 01:06:40PM +0100, Mark Brown wrote:
> > > + if (system_supports_gcs() && (vm_flags & VM_SHADOW_STACK)) { > > > + /* > > > + * An executable GCS isn't a good idea, and the mm > > > + * core can't cope with a shared GCS. 
> > > + */ > > > + if (vm_flags & (VM_EXEC | VM_ARM64_BTI | VM_SHARED)) > > > + return false; > > > + }
> >
> > I wonder whether we should clear VM_MAYEXEC early on during the vma
> > creation. This way the mprotect() case will be handled in the core code.
> > At a quick look, do_mmap() seems to always set VM_MAYEXEC but discard it
> > for non-executable file mmap. Last time I looked (when doing MTE) there
> > wasn't a way for the arch code to clear specific VM_* flags, only to
> > validate them. But I think we should just clear VM_MAYEXEC and also
> > return an error for VM_EXEC in the core do_mmap() if VM_SHADOW_STACK. It
> > would cover the other architectures doing shadow stacks.
>
> Yes, I think adding something generic would make sense here. That feels
> like a cleanup which could be split out?

It can be done separately. It doesn't look like x86 has such checks.
Adding it generically would be a slight ABI tightening but I doubt it
matters, no sane software would use an executable shadow stack.

> > Regarding VM_SHARED, how do we even end up with this via the
> > map_shadow_stack() syscall? I can't see how one can pass MAP_SHARED to
> > do_mmap() on this path. I'm fine with a VM_WARN_ON() if you want the
> > check (and there's no way a user can trigger it).
>
> It's just a defensive programming thing, I'm not aware of any way in
> which it should be possible to trigger this.
>
> > Is there any arch restriction with setting BTI and GCS? It doesn't make
> > sense but curious if it matters. We block the exec permission anyway
> > (unless the BTI pages moved to PIE as well, I don't remember).
>
> As you say BTI should be meaningless for a non-executable page like GCS,
> I'm not aware of any way in which it matters.

BTI is separate to PIE. My thoughts were whether we can get rid of this
hunk entirely by handling it in the core code. We'd allow BTI if one
wants such a useless combination but clear VM_MAYEXEC in the core code (and
ignore VM_SHARED since you can't set it anyway).

-- 
Catalin
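
Review bot: the comment above `if (vm_flags & (VM_EXEC | VM_ARM64_BTI | VM_SHARED))` in the quoted hunk justifies rejecting VM_EXEC and VM_SHARED but gives no reason for VM_ARM64_BTI, so the mask and its documentation disagree. Either extend the comment to say why BTI is refused on a GCS mapping or drop VM_ARM64_BTI from the mask. If the VM_SHARED test stays only as a defensive check, a comment saying it is not expected to be reachable would keep a later reader from treating it as a supported error path.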
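
The core-code approach discussed in this message, as an added userspace model (not kernel code and not part of the thread): once VM_MAYEXEC is cleared at mapping time, the generic mprotect() permission test refuses a later PROT_EXEC request without any arch hook. The `model_*` names, the shadow stack bit position and the -EINVAL return are assumptions for illustration.

```c
#include <errno.h>
#include <stdio.h>
typedef unsigned long long vmf_t;
/* Generic VM_* bits, values as in include/linux/mm.h. */
#define VM_READ     0x01ULL
#define VM_WRITE    0x02ULL
#define VM_EXEC     0x04ULL
#define VM_MAYREAD  0x10ULL
#define VM_MAYWRITE 0x20ULL
#define VM_MAYEXEC  0x40ULL
#define VM_ACCESS_FLAGS (VM_READ | VM_WRITE | VM_EXEC)
/* Placeholder: the real VM_SHADOW_STACK bit is architecture-defined. */
#define MODEL_VM_SHADOW_STACK (1ULL << 40)

/* Assumed shape of the proposed core rule; -EINVAL is an assumption. */
static int model_core_shadow_stack_rule(vmf_t *flags)
{
    if (!(*flags & MODEL_VM_SHADOW_STACK))
        return 0;
    if (*flags & VM_EXEC)
        return -EINVAL;           /* executable shadow stack refused */
    *flags &= ~VM_MAYEXEC;        /* and it can never become executable */
    return 0;
}

/* Core mprotect() rule: each requested access bit needs its VM_MAY* bit. */
static int model_mprotect(vmf_t *flags, vmf_t prot)
{
    vmf_t newflags = (*flags & ~VM_ACCESS_FLAGS) | (prot & VM_ACCESS_FLAGS);
    if ((newflags & ~(newflags >> 4)) & VM_ACCESS_FLAGS)
        return -EACCES;
    *flags = newflags;
    return 0;
}

/* Create a shadow-stack-like mapping, then ask for PROT_EXEC via mprotect. */
static int model_exec_after_map(int apply_core_rule)
{
    vmf_t flags = VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE |
                  VM_MAYEXEC | MODEL_VM_SHADOW_STACK;
    if (apply_core_rule && model_core_shadow_stack_rule(&flags))
        return -EINVAL;
    return model_mprotect(&flags, VM_READ | VM_EXEC);
}

int main(void)
{
    printf("no core rule: %d, core rule: %d\n",
           model_exec_after_map(0), model_exec_after_map(1));
    return 0;
}
```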