From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 67BCEC433FE
	for <linux-mm@archiver.kernel.org>; Sat,  8 Jan 2022 16:44:51 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 16C846B0092; Sat,  8 Jan 2022 11:44:39 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 0A5A16B0093; Sat,  8 Jan 2022 11:44:38 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id DEA3B6B0095; Sat,  8 Jan 2022 11:44:38 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0101.hostedemail.com [216.40.44.101])
	by kanga.kvack.org (Postfix) with ESMTP id CF9436B0092
	for <linux-mm@kvack.org>; Sat,  8 Jan 2022 11:44:38 -0500 (EST)
Received: from smtpin08.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay03.hostedemail.com (Postfix) with ESMTP id 9A08A81050AA
	for <linux-mm@kvack.org>; Sat,  8 Jan 2022 16:44:38 +0000 (UTC)
X-FDA: 79007693436.08.9B3FBCE
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
	by imf07.hostedemail.com (Postfix) with ESMTP id 335004000D
	for <linux-mm@kvack.org>; Sat,  8 Jan 2022 16:44:37 +0000 (UTC)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by dfw.source.kernel.org (Postfix) with ESMTPS id 6071260DE1;
	Sat,  8 Jan 2022 16:44:37 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 0E5CDC36AE0;
	Sat,  8 Jan 2022 16:44:37 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
	s=k20201202; t=1641660277;
	bh=4/phD45ccBwKpoEpuFHVuaC4/6+F9ASvK+hhO/SU8Fo=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=fXxmmXTBkFoFc6QR/NgokKjHl/kD2AA7EmiuQeyFtV6de+D5/klMZnZR18SFCwNat
	 nlYbn+f/Tj+XDTl9Kc/6FfiMbDc0dBF52mcyPFq0Y+WWUDSHsabaUQAlKtbjXoc7yK
	 xsNL10IiLydVRUmGKmf7kx6c7EOS7Sgrenl5SStfYcVnvAxxBUcI91U0xxjRgFJitT
	 DsBmXeKzpJVHu/fSNV+EV4FM2LYmnjvFRJDhm+ly7uXb5284aUJdaXoalZOMVpE8ER
	 jSwt8bkjFo1QGts8nHMiMNpb3hb4t3eOkaCRIAFVqVEColWw53avbh4E7vzularl3k
	 hGh9mVafpDgIA==
From: Andy Lutomirski <luto@kernel.org>
To: Andrew Morton <akpm@linux-foundation.org>,
	Linux-MM <linux-mm@kvack.org>
Cc: Nicholas Piggin <npiggin@gmail.com>,
	Anton Blanchard <anton@ozlabs.org>,
	Benjamin Herrenschmidt <benh@kernel.crashing.org>,
	Paul Mackerras <paulus@ozlabs.org>,
	Randy Dunlap <rdunlap@infradead.org>,
	linux-arch <linux-arch@vger.kernel.org>,
	x86@kernel.org,
	Rik van Riel <riel@surriel.com>,
	Dave Hansen <dave.hansen@intel.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Nadav Amit <nadav.amit@gmail.com>,
	Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
	Andy Lutomirski <luto@kernel.org>
Subject: [PATCH 18/23] x86/mm: Allow temporary mms when IRQs are on
Date: Sat,  8 Jan 2022 08:44:03 -0800
Message-Id: <a8a92ce490b57447ef56898c55133473e481896e.1641659630.git.luto@kernel.org>
X-Mailer: git-send-email 2.33.1
In-Reply-To: <cover.1641659630.git.luto@kernel.org>
References: <cover.1641659630.git.luto@kernel.org>
MIME-Version: 1.0
X-Rspamd-Server: rspam07
X-Rspamd-Queue-Id: 335004000D
X-Stat-Signature: fm3kxymzs4oh1tafdn4wajx1me6uao78
Authentication-Results: imf07.hostedemail.com;
	dkim=pass header.d=kernel.org header.s=k20201202 header.b=fXxmmXTB;
	dmarc=pass (policy=none) header.from=kernel.org;
	spf=pass (imf07.hostedemail.com: domain of luto@kernel.org designates 139.178.84.217 as permitted sender) smtp.mailfrom=luto@kernel.org
X-HE-Tag: 1641660277-159901
Content-Transfer-Encoding: quoted-printable
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

EFI runtime services should use temporary mms, but EFI runtime services
want IRQs on.  Preemption must still be disabled in a temporary mm contex=
t.

At some point, the entirely temporary mm mechanism should be moved out of
arch code.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
---
 arch/x86/mm/tlb.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
index 4e371f30e2ab..36ce9dffb963 100644
--- a/arch/x86/mm/tlb.c
+++ b/arch/x86/mm/tlb.c
@@ -708,18 +708,23 @@ void enter_lazy_tlb(struct mm_struct *mm, struct ta=
sk_struct *tsk)
  * that override the kernel memory protections (e.g., W^X), without expo=
sing the
  * temporary page-table mappings that are required for these write opera=
tions to
  * other CPUs. Using a temporary mm also allows to avoid TLB shootdowns =
when the
- * mapping is torn down.
+ * mapping is torn down.  Temporary mms can also be used for EFI runtime=
 service
+ * calls or similar functionality.
  *
- * Context: The temporary mm needs to be used exclusively by a single co=
re. To
- *          harden security IRQs must be disabled while the temporary mm=
 is
- *          loaded, thereby preventing interrupt handler bugs from overr=
iding
- *          the kernel memory protection.
+ * It is illegal to schedule while using a temporary mm -- the context s=
witch
+ * code is unaware of the temporary mm and does not know how to context =
switch.
+ * Use a real (non-temporary) mm in a kernel thread if you need to sleep=
.
+ *
+ * Note: For sensitive memory writes, the temporary mm needs to be used
+ *       exclusively by a single core, and IRQs should be disabled while=
 the
+ *       temporary mm is loaded, thereby preventing interrupt handler bu=
gs from
+ *       overriding the kernel memory protection.
  */
 temp_mm_state_t use_temporary_mm(struct mm_struct *mm)
 {
 	temp_mm_state_t temp_state;
=20
-	lockdep_assert_irqs_disabled();
+	lockdep_assert_preemption_disabled();
=20
 	/*
 	 * Make sure not to be in TLB lazy mode, as otherwise we'll end up
@@ -751,7 +756,7 @@ temp_mm_state_t use_temporary_mm(struct mm_struct *mm=
)
=20
 void unuse_temporary_mm(temp_mm_state_t prev_state)
 {
-	lockdep_assert_irqs_disabled();
+	lockdep_assert_preemption_disabled();
 	switch_mm_irqs_off(NULL, prev_state.mm, current);
=20
 	/*
--=20
2.33.1