From patchwork Thu Feb 15 23:13:24 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: "Edgecombe, Rick P" X-Patchwork-Id: 13559257 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id CE07CC4829E for ; Thu, 15 Feb 2024 23:14:44 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 56C818D0001; Thu, 15 Feb 2024 18:14:43 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 4F3A78D000E; Thu, 15 Feb 2024 18:14:43 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 36E828D0001; Thu, 15 Feb 2024 18:14:43 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com [216.40.44.15]) by kanga.kvack.org (Postfix) with ESMTP id 2052E8D000E for ; Thu, 15 Feb 2024 18:14:43 -0500 (EST) Received: from smtpin05.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay09.hostedemail.com (Postfix) with ESMTP id 17B7680899 for ; Thu, 15 Feb 2024 23:14:42 +0000 (UTC) X-FDA: 81795594804.05.5B5C5B8 Received: from mgamail.intel.com (mgamail.intel.com [198.175.65.21]) by imf16.hostedemail.com (Postfix) with ESMTP id 984B6180003 for ; Thu, 15 Feb 2024 23:14:39 +0000 (UTC) Authentication-Results: imf16.hostedemail.com; dkim=pass header.d=intel.com header.s=Intel header.b=mjbIMd8M; dmarc=pass (policy=none) header.from=intel.com; spf=pass (imf16.hostedemail.com: domain of rick.p.edgecombe@intel.com designates 198.175.65.21 as permitted sender) smtp.mailfrom=rick.p.edgecombe@intel.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1708038880; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:in-reply-to: references:dkim-signature; bh=jDzs7ikzDfIEaza939+Ppgea9L/g/AoX04zwY5UzkLY=; b=iFeVyNkj+U8WY32LPeE+hTTV+iOmuKnXCCdbtx0PQ5AH2F72h1MW54dC61jBMbchVcUwZi RMTZKSxdHwfFxl/sVYtmNy6Kbj7JjXv1ll7MZtOj8PNtnPIGEMamZ46xDu+GYkjtZZQguE 8l94EyrmLOpqJ7HxGrPROAukeZhq0zk= ARC-Authentication-Results: i=1; imf16.hostedemail.com; dkim=pass header.d=intel.com header.s=Intel header.b=mjbIMd8M; dmarc=pass (policy=none) header.from=intel.com; spf=pass (imf16.hostedemail.com: domain of rick.p.edgecombe@intel.com designates 198.175.65.21 as permitted sender) smtp.mailfrom=rick.p.edgecombe@intel.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1708038880; a=rsa-sha256; cv=none; b=c/yF5uOLfKQ1NcSjwnY0dJEl0pyY/5ydO17zXcoJwx2oZtDPQ0AWq1vljnhwFt1E7b+Sds rBaLFtKXEmK5AkQDjzWS219LmrXhRb9leaBfsPK8ygoFgNqqLYOQnOKhrBjyv+GMkB+Lvw 4gRCDEy3+ZDByvqHR2g6e28Nr8oJvng= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1708038880; x=1739574880; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=Jt1Mpx1uMY7XnHlh/3E2LCtQ+SRD+/n8kJk/hjL1Z1k=; b=mjbIMd8MQLNesFWqmYhLxMC7SAALBN5+4LLUpM6q34oFMP4sGVgJRDJO /DrqF8ZJY5lTWh0CKNwUKE9JPKIC0txvtwmNmlSAGwIXm4PzxFH2OjPhW l4vB32ydKM89qpUT94poyQWHvtA6LWuvjNU0h0yqUyh2G7gRXAzbhKo4i ovjbC3Y+D870SHKO/NfX5hashquDyDXfc8A3MU7X6Ga5l3oJbtbGPM5AR PM07WpMsTtNxLdByoJN6HHn91g1x9OmYYf3Ztay2Y6nAx1Afue6xl1AOT tfRpQpNxoXsGAsb/Esogylj2JKPEMreOaGXi+aDmvOPCwdq/FFSaBsruO w==; X-IronPort-AV: E=McAfee;i="6600,9927,10985"; a="2066301" X-IronPort-AV: E=Sophos;i="6.06,162,1705392000"; d="scan'208";a="2066301" Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by orvoesa113.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Feb 2024 15:14:38 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6600,9927,10985"; a="912250184" X-IronPort-AV: E=Sophos;i="6.06,162,1705392000"; d="scan'208";a="912250184" Received: from yshin-mobl1.amr.corp.intel.com (HELO rpedgeco-desk4.intel.com) ([10.209.95.133]) by fmsmga002-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 15 Feb 2024 15:14:36 -0800 From: Rick Edgecombe To: Liam.Howlett@oracle.com, akpm@linux-foundation.org, debug@rivosinc.com, broonie@kernel.org, kirill.shutemov@linux.intel.com, keescook@chromium.org, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, x86@kernel.org, luto@kernel.org, peterz@infradead.org, hpa@zytor.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org Cc: rick.p.edgecombe@intel.com Subject: [RFC PATCH 0/8] Cover a guard gap corner case Date: Thu, 15 Feb 2024 15:13:24 -0800 Message-Id: <20240215231332.1556787-1-rick.p.edgecombe@intel.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-Rspamd-Queue-Id: 984B6180003 X-Rspam-User: X-Rspamd-Server: rspam02 X-Stat-Signature: 3pacuit3s3khseihq11gddrarsckb67d X-HE-Tag: 1708038879-137666 X-HE-Meta: U2FsdGVkX192xF061q4qYhhXq6Hp60hAP53cX7Tdj7AqcdUzO0o5MYrfij64dEDXHqInsWqlNMrbIs8xkEj3xnebfjmd+zFJj7MgHlT23i55momOHTWtMcoUqAfJeBSOoeAdMZmn1f9vb5B2SpoQqdYy/zZ+lCRLSdT4BUPjrKNmdO/CXSN2FtUN8Z3+m4UDX4/dKjrwJKuWg52qukBKi86Ni9Iwf6wgf1YHbYTOSU8LqIaEYAjo7VC8Z6HWzuE5h+4p5mcLG0H32gYKZ/rUFG4Mgzr1moGf2jS5jmOvhbCH2nnTMR8SjErxADlVq7LMihhDfhh3wuiQUBUpeeyphQ9SoX4OWzFY85/H7XYwCzJi5M9UZkCaUk7XAek7yHFYJJVR8n1Wi3kfDrmGJFD5jGg+zKGQbprKF397lgHIPs3GoaFL5MT/R9UqULqYZEukfgkCSbHfISOStGYXjNILlf3z6vM7iz69z4G5XVnLIhSgjS1SKQXjsZydzDgWBpOfnye7zyhF4pRruJqIbIkvVHsHDjR/XGdXRzu+r8NN8ORaWzlocJtzo24MvyUl9V0MVbRziy5W/dqIEdszItW2wdM9M83iRvhoxplJBnLzRoaaG1MkkT4TLNWhnMc2PfoW7xad39D/U5IDSnPsk+2P+Dyh9xh+7ER1x6YSyr8ZVynDfLvxncvBo6eXM3Xrp4LNyWxhR6puAnwzhO2SwK0dCwI+HlpSIA6yKhBn0wKI6mPqMsyZSstgUMv549Ag6boC6b/DTK9PX4UD3R+N6L/LhiGxmHQIS+z2pcfn5LBfg83HSkoFkavoFr7FnwUU9qrmgcw3oVYAX8fKC01tOwKdUOU6EWJKHvYaGvX2g83SA6pkH92YT0uRfBJdJByOxeaQxMoIbj9IySkCZcFjltOf1qoJrtIbnWgDv1J9sVcPhbrSP69ZtBRTbio8J3Sj38hN1TxlpfpZ3VHrWh9zFwE 194sxRSG VTFyKBvF0F8+kgVSKdqPkQCtkXGIeyKZWNPKn9peHKSsyI0sXpHo9VX+4ivJf1DiZnTvipqM/gOZwdtMrvwa6pQDGqzWu0sVHHl8q0R8in00OUNNg1DiXglNwkzxsMOrIOv8C5rXlTvbGx7hGDYpdMYtP6Bir2ytjlZq/iJ2VsuMB7B7vNT4MorqFtryIPYc5hbjS X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: Hi, In working on x86’s shadow stack feature, I came across some limitations around the kernel’s handling of guard gaps. AFAICT these limitations are not too important for the traditional stack usage of guard gaps, but have bigger impact on shadow stack’s usage. And now in addition to x86, we have two other architectures implementing shadow stack like features that plan to use guard gaps. I wanted to see about addressing them, but I have not worked on mmap() placement related code before, so would greatly appreciate if people could take a look and point me in the right direction. The nature of the limitations of concern is as follows. In order to ensure guard gaps between mappings, mmap() would need to consider two things: 1. That the new mapping isn’t placed in an any existing mapping’s guard gap. 2. That the new mapping isn’t placed such that any existing mappings are not in *its* guard gaps Currently mmap never considers (2), and (1) is not considered in some situations. When not passing an address hint, or passing one without MAP_FIXED_NOREPLACE, (1) is enforced. With MAP_FIXED_NOREPLACE, (1) is not enforced. With MAP_FIXED, (1) is not considered, but this seems to be expected since MAP_FIXED can already clobber existing mappings. For MAP_FIXED_NOREPLACE I would have guessed it should respect the guard gaps of existing mappings, but it is probably a little ambiguous. In this RFC I just tried to add enforcement of (2) for the normal (no address hint) case and only for the newer shadow stack memory (not stacks). The reason is that with the no-address-hint situation, landing next to a guard gap could come up naturally and so be more influencable by attackers such that two shadow stacks could be adjacent without a guard gap. Where as the address-hint scenarios would require more control - being able to call mmap() with specific arguments. As for why not just fix the other corner cases anyway, I thought it might have some greater possibility of affecting existing apps. Thanks, Rick Rick Edgecombe (8): mm: Switch mm->get_unmapped_area() to a flag mm: Introduce arch_get_unmapped_area_vmflags() mm: Use get_unmapped_area_vmflags() thp: Add thp_get_unmapped_area_vmflags() mm: Take placement mappings gap into account x86/mm: Implement HAVE_ARCH_UNMAPPED_AREA_VMFLAGS x86/mm: Care about shadow stack guard gap during placement selftests/x86: Add placement guard gap test for shstk arch/s390/mm/hugetlbpage.c | 2 +- arch/s390/mm/mmap.c | 4 +- arch/sparc/kernel/sys_sparc_64.c | 15 +-- arch/sparc/mm/hugetlbpage.c | 2 +- arch/x86/include/asm/pgtable_64.h | 1 + arch/x86/kernel/cpu/sgx/driver.c | 2 +- arch/x86/kernel/sys_x86_64.c | 43 +++++-- arch/x86/mm/hugetlbpage.c | 2 +- arch/x86/mm/mmap.c | 4 +- drivers/char/mem.c | 2 +- drivers/dax/device.c | 6 +- fs/hugetlbfs/inode.c | 2 +- fs/proc/inode.c | 15 +-- fs/ramfs/file-mmu.c | 2 +- include/linux/huge_mm.h | 11 ++ include/linux/mm.h | 4 + include/linux/mm_types.h | 6 +- include/linux/sched/coredump.h | 1 + include/linux/sched/mm.h | 22 ++++ io_uring/io_uring.c | 2 +- mm/debug.c | 6 - mm/huge_memory.c | 23 ++-- mm/mmap.c | 108 ++++++++++++++---- mm/shmem.c | 11 +- mm/util.c | 6 +- .../testing/selftests/x86/test_shadow_stack.c | 67 ++++++++++- 26 files changed, 273 insertions(+), 96 deletions(-)