From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id E0C87C77B7F for ; Thu, 11 May 2023 16:08:48 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 02AA16B0072; Thu, 11 May 2023 12:08:48 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id F1DC36B0074; Thu, 11 May 2023 12:08:47 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id E0C3F6B0075; Thu, 11 May 2023 12:08:47 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13]) by kanga.kvack.org (Postfix) with ESMTP id D24E96B0072 for ; Thu, 11 May 2023 12:08:47 -0400 (EDT) Received: from smtpin13.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay03.hostedemail.com (Postfix) with ESMTP id 820AFA0C30 for ; Thu, 11 May 2023 16:08:47 +0000 (UTC) X-FDA: 80778457494.13.C1FF855 Received: from zg8tmtu5ljg5lje1ms4xmtka.icoremail.net (zg8tmtu5ljg5lje1ms4xmtka.icoremail.net [159.89.151.119]) by imf04.hostedemail.com (Postfix) with ESMTP id 4A6D640040 for ; Thu, 11 May 2023 16:08:09 +0000 (UTC) Authentication-Results: imf04.hostedemail.com; dkim=pass header.d=pku.edu.cn header.s=dkim header.b=Fdx2N8F9; spf=pass (imf04.hostedemail.com: domain of lrh2000@pku.edu.cn designates 159.89.151.119 as permitted sender) smtp.mailfrom=lrh2000@pku.edu.cn; dmarc=pass (policy=none) header.from=pku.edu.cn ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1683821291; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=GA6F6KLMupm3XEAOfoKLPP9S98jmf1urQ4v3ILsS6CM=; b=OXN/ooO1BOjVoVGG1HTFXrmIq9AO7a2TGJBaWfVmKw8XTsckxpRQtCWMgs62dV1sWsv4vU Y7HiWrW0oKOK4rFXmZH2L5yPP1oDBHQvr8qdpjYhdlOW51RbaBzs7LKxDni2favC/oAlcT nMNFhqx0cPPMc0qDgA7GsJuJK8eQUkc= ARC-Authentication-Results: i=1; imf04.hostedemail.com; dkim=pass header.d=pku.edu.cn header.s=dkim header.b=Fdx2N8F9; spf=pass (imf04.hostedemail.com: domain of lrh2000@pku.edu.cn designates 159.89.151.119 as permitted sender) smtp.mailfrom=lrh2000@pku.edu.cn; dmarc=pass (policy=none) header.from=pku.edu.cn ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1683821291; a=rsa-sha256; cv=none; b=xop9GhWFBGwybK0wjW1mX9urewjHbizXL0kjzTYtX3XmXHf97TD2AySWO79kqztn+/+u0K 3RdI3flesHi0U3YNI6SnAjTnimavkmSZjFzb92jhUdRpnl07Za1Yd3fFmXGnwXTzGvVGym WCplvlVzqS4SFxLt0DmBi7qw1QWwfAU= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pku.edu.cn; s=dkim; h=Received:Date:From:To:Cc:Subject: Message-ID:References:MIME-Version:Content-Type: Content-Disposition:In-Reply-To; bh=GA6F6KLMupm3XEAOfoKLPP9S98jm f1urQ4v3ILsS6CM=; b=Fdx2N8F9i2gJ+IcjtOz+X0+1pGGLoCfW5dS9MZiTvOYJ WCFu8MAy53XsgprExggCeB+zbDDBkG9B9VuRs+LMK6+iiRID+5qT2+ElUOepUINa A3Yjl58cWo251/STtzbf/ONYcSgw2x0u6CRspE3AANPoHG8X0E+0jXCrrjWdvMw= Received: from localhost (unknown [10.7.101.92]) by front02 (Coremail) with SMTP id 54FpogBnYrnfEl1kJK2TEw--.22381S2; Fri, 12 May 2023 00:08:04 +0800 (CST) Date: Fri, 12 May 2023 00:07:59 +0800 From: Ruihan Li To: David Hildenbrand Cc: linux-mm@kvack.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Pasha Tatashin , Matthew Wilcox , Andrew Morton , Christoph Hellwig , Greg Kroah-Hartman , stable@vger.kernel.org, Ruihan Li Subject: Re: [PATCH 3/4] mm: page_table_check: Make it dependent on !DEVMEM Message-ID: References: <20230510085527.57953-1-lrh2000@pku.edu.cn> <20230510085527.57953-4-lrh2000@pku.edu.cn> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-CM-TRANSID:54FpogBnYrnfEl1kJK2TEw--.22381S2 X-Coremail-Antispam: 1UD129KBjvJXoWxur48JrW7Gry7Jw4xJrW5Wrg_yoWrGF47pa s7JayS9r45G345ur1xZwn2gr1rCrs3Gay5ur9akry5Cas8Ar92kr1agry5Z3WUC393Ca4D ZFWYga4aya15ZaDanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUBI1xkIjI8I6I8E6xAIw20EY4v20xvaj40_Wr0E3s1l1IIY67AE w4v_Jr0_Jr4l8cAvFVAK0II2c7xJM28CjxkF64kEwVA0rcxSw2x7M28EF7xvwVC0I7IYx2 IY67AKxVWDJVCq3wA2z4x0Y4vE2Ix0cI8IcVCY1x0267AKxVW8Jr0_Cr1UM28EF7xvwVC2 z280aVAFwI0_Cr0_Gr1UM28EF7xvwVC2z280aVCY1x0267AKxVW8Jr0_Cr1UM2vYz4IE04 k24VAvwVAKI4IrM2AIxVAIcxkEcVAq07x20xvEncxIr21l5I8CrVACY4xI64kE6c02F40E x7xfMcIj6xIIjxv20xvE14v26r1j6r18McIj6I8E87Iv67AKxVWUJVW8JwAm72CE4IkC6x 0Yz7v_Jr0_Gr1lF7xvr2IY64vIr41lF7I21c0EjII2zVCS5cI20VAGYxC7M4IIrI8v6xkF 7I0E8cxan2IY04v7MxkIecxEwVCm-wCF04k20xvY0x0EwIxGrwCF04k20xvE74AGY7Cv6c x26w4UJr1UMxC20s026xCaFVCjc4AY6r1j6r4UMI8I3I0E5I8CrVAFwI0_Jr0_Jr4lx2Iq xVCjr7xvwVAFwI0_JrI_JrWlx4CE17CEb7AF67AKxVWUtVW8ZwCIc40Y0x0EwIxGrwCI42 IY6xIIjxv20xvE14v26r1j6r1xMIIF0xvE2Ix0cI8IcVCY1x0267AKxVW8JVWxJwCI42IY 6xAIw20EY4v20xvaj40_Jr0_JF4lIxAIcVC2z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aV CY1x0267AKxVW8JVW8JrUvcSsGvfC2KfnxnUUI43ZEXa7VUbHa0DUUUUU== X-CM-SenderInfo: yssqiiarrvmko6sn3hxhgxhubq/1tbiAgEHBVPy772BUwAPsv X-Rspam-User: X-Rspamd-Server: rspam01 X-Rspamd-Queue-Id: 4A6D640040 X-Stat-Signature: xjfr98w9ci4isgj6agcsu5mp5qo8t4ti X-HE-Tag: 1683821289-105737 X-HE-Meta: U2FsdGVkX1+L5R3lO3M7WzTKGtByFYVqCKtlMl3v/SLqbQHaNGyECENRIq1Xb7l2phs9plzjG0u6EMlrMuBmg26ggESvnqsPPVRijoDeDGuQnQq5VAu0WsmrcOXDoFgVd+6tb6csk0oBarp5tCtUqKommJHSQsGnhxKc4jAdhtuMWIsndu7zUZISIXklLn3a9cs65KDhZTrMD+mvi4komkAM/dO+dgS/148bUlNahitx35DmtzJd0jYohbiYqGJjTvRWIw1KQtBQtQlLn69homQEunrQB83G3t3VivHW3+O+OfLPvb26USV2k1CRfZTNCcN0XoBCo/N80Bi/SETy+HZzVDo6eGVcqpqMWZKg/IPrlIr5q8EC8zqTQawXkcgqBbQHIrtKi4jvI6Kw9HrLsFL6go9YCcMC8oOnCL9HjXicLoQtFgA7BHcZQeGMgYW0Lij4RWIOCNGu/JroZ8d1slhx4TdL3LpEnm3QUlYA2pHz9778ctXD4nFSGX4Lr1RHlHd6FnpGcQY5olQ3/R4PyB72PWmlUBpde8XBk0PQ5A2b5b0XiQM6e3MQe43X9JAAuF0EA3sZn2hbPjliSb9P3N7svC6gWNxKaD4bs6GsU/uxplG+vWstWuy2nPEOkjqJHkHIP71FcIstkTgcaIPCFPBfNwwj0npogAKJEhig9ZMERVN/Jf8YoesU33gvI9GvQ8jSFAn4WacCL21By5yWBJpb5o1C6FAFZfSspzW/Aub4GaBeZzDTTrO+Cm5wN6uBLpxSx/iQxjN9KeJLDFwo9bBxs9em4UKmuTiZUtTC7ZgYjzdOoIDdN9Cncm/ti0krZagQ4jXRjGSK7PrZG7j6MojkQsrsCkxdsR8Cx6LnA+CdaofLI1bOiapOIUWC6J9Av1llu0+PZPuPjMJpsHzFb84JNOynijeIKtgA60eG57K52tunqClia+z3AYlXAtpmV2NCK1OAu0TrmC05axD G1RHYPqa b58umR8d9P222I5eOwCdNEHnkmYz61kcM4eX3n+79tPPWkc1VokhgrATKF0pFZ+6Gc48GiC45tm6TCQYd4aI0uo0Amh6tPz9Ey0NaR8vXJGR9SpShcWsnHmMblUFYct82yF+aK75x81siiB2EExkXYH+8uLUWkqDb/xgMUrqjnheJVRieZ7mi51cIj8Vsgj9RGN0qnd45gUdFEW4HRiwiDCv1oPyBdSFWMH2suQRf0DvtZYgBuozncGVh7hXeUOFBrCetKr/s+aMVc8y4gpViL+eIGJf2UsBPHD/Z/NeAuDE18Eg6Qh1NTkfnJRUkdh5oXimR X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Wed, May 10, 2023 at 06:40:31PM +0200, David Hildenbrand wrote: > On 10.05.23 10:55, Ruihan Li wrote: > > The special device /dev/mem enables users to map arbitrary physical > > memory regions into the user space, which can conflict with the double > > mapping detection logic used by the page table check. For instance, > > pages may change their properties (e.g., from anonymous pages to named > > pages) while they are still being mapped in the user space via /dev/mem, > > leading to "corruption" detected by the page table check. > > > > To address this issue, the PAGE_TABLE_CHECK config option is now > > dependent on !DEVMM. This ensures that the page table check cannot be > > enabled when /dev/mem is used. It should be noted that /dev/mem itself > > is a significant security issue, and its conflict with a hardening > > technique is understandable. > > > > Cc: # 5.17 > > Signed-off-by: Ruihan Li > > --- > > Documentation/mm/page_table_check.rst | 18 ++++++++++++++++++ > > mm/Kconfig.debug | 2 +- > > 2 files changed, 19 insertions(+), 1 deletion(-) > > > > diff --git a/Documentation/mm/page_table_check.rst b/Documentation/mm/page_table_check.rst > > index cfd8f4117..b04f29230 100644 > > --- a/Documentation/mm/page_table_check.rst > > +++ b/Documentation/mm/page_table_check.rst > > @@ -52,3 +52,21 @@ Build kernel with: > > Optionally, build kernel with PAGE_TABLE_CHECK_ENFORCED in order to have page > > table support without extra kernel parameter. > > + > > +Implementation notes > > +==================== > > + > > +We specifically decided not to use VMA information in order to avoid relying on > > +MM states (except for limited "struct page" info). The page table check is a > > +separate from Linux-MM state machine that verifies that the user accessible > > +pages are not falsely shared. > > + > > +As a result, special devices that violate the model cannot live with > > +PAGE_TABLE_CHECK. Currently, /dev/mem is the only known example. Given it > > +allows users to map arbitrary physical memory regions into the userspace, any > > +pages may change their properties (e.g., from anonymous pages to named pages) > > +while they are still being mapped in the userspace via /dev/mem, leading to > > +"corruption" detected by the page table check. Therefore, the PAGE_TABLE_CHECK > > +config option is now dependent on !DEVMEM. It's worth noting that /dev/mem > > +itself is a significant security issue, and its conflict with a hardening > > +technique is understandable. > > diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug > > index a925415b4..37f3d5b20 100644 > > --- a/mm/Kconfig.debug > > +++ b/mm/Kconfig.debug > > @@ -97,7 +97,7 @@ config PAGE_OWNER > > config PAGE_TABLE_CHECK > > bool "Check for invalid mappings in user page tables" > > - depends on ARCH_SUPPORTS_PAGE_TABLE_CHECK > > + depends on ARCH_SUPPORTS_PAGE_TABLE_CHECK && !DEVMEM > > select PAGE_EXTENSION > > help > > Check that anonymous page is not being mapped twice with read write > > That might disable it in a lot of environments I'm afraid. I wonder if we > could allow it for STRICT_DEVMEM. Hm ... > -- > Thanks, > > David / dhildenb That sounds pretty reasonable. However, I'm not quite sure if PageAnon makes sense of (and is guaranteed to work well with) I/O memory pages, which should be the only pages allowed to be accessed via /dev/mem under STRICT_DEVMEM. A quick test has shown that PageAnon (by accident or design?) results in "false" for I/O memory pages. Meanwhile, the logic used in the page table check allows named (i.e., non-anonymous) pages to be shared arbitrarily (i.e. in both read-only and read-write modes) between processes. So it looks that everything works fine. But is it a coincidence? Thanks, Ruihan Li