X-Patchwork-Submitter: Pasha Tatashin
X-Patchwork-Id: 12623227
From: Pasha Tatashin
To: pasha.tatashin@soleen.com, linux-kernel@vger.kernel.org,
 linux-mm@kvack.org, linux-doc@vger.kernel.org, akpm@linux-foundation.org,
 rientjes@google.com, pjt@google.com, weixugc@google.com,
 gthelen@google.com, mingo@redhat.com, corbet@lwn.net, will@kernel.org,
 rppt@kernel.org, keescook@chromium.org, tglx@linutronix.de,
 peterz@infradead.org, masahiroy@kernel.org, samitolvanen@google.com,
 dave.hansen@linux.intel.com, x86@kernel.org, frederic@kernel.org,
 hpa@zytor.com, aneesh.kumar@linux.ibm.com
Subject: [RFC 0/3] page table check
Date: Tue, 16 Nov 2021 22:00:35 +0000
Message-Id: <20211116220038.116484-1-pasha.tatashin@soleen.com>

Ensure that some memory corruptions are prevented by checking at the
time of insertion of entries into user page tables that there is no
illegal sharing.

We have recently found a problem [1] that existed in the kernel since
4.14. The problem was caused by broken page ref count and led to memory
leaking from one process into another.
The problem was accidentally detected by studying a dump of one process
and noticing that one page contains memory that should not belong to
this process.

There are some other page->_refcount related problems that were recently
fixed: [2], [3] which potentially could also lead to illegal sharing.

In addition to hardening refcount [4] itself, this work is an attempt to
prevent this class of memory corruption issues.

It uses a simple state machine that is independent from regular MM logic
to check for illegal sharing at the time pages are inserted and removed
from page tables.

[1] https://lore.kernel.org/all/xr9335nxwc5y.fsf@gthelen2.svl.corp.google.com
[2] https://lore.kernel.org/all/1582661774-30925-2-git-send-email-akaher@vmware.com
[3] https://lore.kernel.org/all/20210622021423.154662-3-mike.kravetz@oracle.com
[4] https://lore.kernel.org/all/20211026173822.502506-1-pasha.tatashin@soleen.com

Pasha Tatashin (3):
  mm: ptep_clear() page table helper
  mm: page table check
  x86: mm: add x86_64 support for page table check

 Documentation/vm/arch_pgtable_helpers.rst |   6 +-
 Documentation/vm/page_table_check.rst     |  53 +++++
 MAINTAINERS                               |   9 +
 arch/Kconfig                              |   3 +
 arch/x86/Kconfig                          |   1 +
 arch/x86/include/asm/pgtable.h            |  27 ++-
 include/linux/page_table_check.h          | 147 ++++++++++++
 include/linux/pgtable.h                   |   8 +
 mm/Kconfig.debug                          |  24 ++
 mm/Makefile                               |   1 +
 mm/khugepaged.c                           |  12 +-
 mm/page_alloc.c                           |   4 +
 mm/page_ext.c                             |   4 +
 mm/page_table_check.c                     | 264 ++++++++++++++++++++++
 14 files changed, 549 insertions(+), 14 deletions(-)
 create mode 100644 Documentation/vm/page_table_check.rst
 create mode 100644 include/linux/page_table_check.h
 create mode 100644 mm/page_table_check.c
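
The state machine the cover letter describes, as a user-space model added here for illustration; it is not code from this series. All names (ptc_page, ptc_set, ptc_clear, ptc_page_unmapped) are hypothetical, and the sharing rules it encodes (anonymous and file-backed mappings never mix; an anonymous page may be mapped more than once only read-only) are assumptions of this sketch that the cover letter does not spell out.

```c
#include <stdbool.h>

/* Per-page user-PTE counters, kept apart from the page refcount. */
struct ptc_page { int anon_maps; int file_maps; };
enum ptc_kind { PTC_ANON, PTC_FILE };

/* Run when a user PTE for the page is installed; false = illegal sharing. */
bool ptc_set(struct ptc_page *p, enum ptc_kind kind, bool writable)
{
    if (kind == PTC_ANON) {
        /* never on top of a file mapping; a second mapping must be read-only */
        if (p->file_maps > 0 || (writable && p->anon_maps > 0))
            return false;
        p->anon_maps++;
    } else {
        if (p->anon_maps > 0)   /* anonymous page reused as file-backed */
            return false;
        p->file_maps++;
    }
    return true;
}

/* Run when a user PTE is removed; false = entry was never accounted. */
bool ptc_clear(struct ptc_page *p, enum ptc_kind kind)
{
    int *count = (kind == PTC_ANON) ? &p->anon_maps : &p->file_maps;
    if (*count == 0)
        return false;
    (*count)--;
    return true;
}

/* Run when the page is allocated or freed: nothing may still map it. */
bool ptc_page_unmapped(const struct ptc_page *p)
{
    return p->anon_maps == 0 && p->file_maps == 0;
}

/* Constructed scenario: premature free while A maps the page, then B maps it. */
int count_violations(void)
{
    struct ptc_page pg = {0, 0};
    int bad = 0;
    bad += !ptc_set(&pg, PTC_ANON, true);   /* A maps the page: allowed */
    bad += !ptc_page_unmapped(&pg);         /* freed while mapped: caught */
    bad += !ptc_set(&pg, PTC_ANON, true);   /* B maps it writable: caught */
    return bad;
}

int main(void) { return count_violations() == 2 ? 0 : 1; }
```

Because the counters are updated only at page-table insert and remove, a wrong refcount elsewhere does not change what the checks see, which is the independence from regular MM logic the cover letter relies on.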