From patchwork Wed Mar  9 04:10:40 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Nadav Amit <nadav.amit@gmail.com>
X-Patchwork-Id: 12774734
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 98676C433FE
	for <linux-mm@archiver.kernel.org>; Wed,  9 Mar 2022 04:10:00 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id C2FE98D0005; Tue,  8 Mar 2022 23:09:59 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id BDFC08D0001; Tue,  8 Mar 2022 23:09:59 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id A7FC48D0005; Tue,  8 Mar 2022 23:09:59 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0129.hostedemail.com
 [216.40.44.129])
	by kanga.kvack.org (Postfix) with ESMTP id 94DF68D0001
	for <linux-mm@kvack.org>; Tue,  8 Mar 2022 23:09:59 -0500 (EST)
Received: from smtpin31.hostedemail.com (10.5.19.251.rfc1918.com
 [10.5.19.251])
	by forelay01.hostedemail.com (Postfix) with ESMTP id 2BA0B182890C4
	for <linux-mm@kvack.org>; Wed,  9 Mar 2022 04:09:59 +0000 (UTC)
X-FDA: 79223519718.31.130D3A6
Received: from mail-pl1-f178.google.com (mail-pl1-f178.google.com
 [209.85.214.178])
	by imf23.hostedemail.com (Postfix) with ESMTP id AEBA514000A
	for <linux-mm@kvack.org>; Wed,  9 Mar 2022 04:09:58 +0000 (UTC)
Received: by mail-pl1-f178.google.com with SMTP id r12so898788pla.1
        for <linux-mm@kvack.org>; Tue, 08 Mar 2022 20:09:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=from:to:cc:subject:date:message-id:in-reply-to:references
         :mime-version:content-transfer-encoding;
        bh=2SJwDWdiGMEZCVwB+/7uYYAov/bAs7rI8E5dgDcHCHE=;
        b=ATVTz40hJi2tmeDX85+96Z/GuBi2dfLoScIagjwpTYztYkuWr9vE5ghlLwx5hJOr5f
         PO9KAStO8HI2xQWYX1PW6CrIfi1/OANTsATHA3jYRMhGAxpaFd6HWUpTEazUMro04a3d
         Bcn0qpj0Fx8BFfYvgXR+3/NbOToYqNe3fX8YDBJowKHlp/tIGy/Ez1vkfqwV43+ey/IN
         E37twpo7wWLDkx/9rUbh1ssGjU1o7i2Qn76Ct0RmhWhA05O7CektW1nKBcDCty6Bbanv
         YRvzX6s1L6Yka/lD5dXl75Nyq0hvxqoNeunS+wOV5DQICLE/pYH9+fFiADyfy57o/Q2u
         S5EA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references:mime-version:content-transfer-encoding;
        bh=2SJwDWdiGMEZCVwB+/7uYYAov/bAs7rI8E5dgDcHCHE=;
        b=NnFqyCVSxU6wGiRM0fX/1azJP2FsdAeCZz0gLVZg8UV0ti0dOq5f77V6nitwi4DJFL
         xvqTswO/qxCBW1d+oe7extQEtA7LUx6JiI2xGgYkvk7Cq1Lu2aMkGMh4g9QynkL323V5
         pe53FDD7HdJyuic1qmTepCBNRpCO56GAKIFZJu2XWHTsfpeI24uWOj1N4CUtIEgvozle
         VJMxxS1lZiUbezII0Uh9YwhBGtNZPlYxOBIMiFKukI+PbT58M6u1UPwwEc2FsKwYvs6h
         mPBy8TgL0xAJYBZB2GjUQfUAUYk9f8lVFjoNKDjsqkTH1moTOQP3964qb97zow/PnVnh
         4gTQ==
X-Gm-Message-State: AOAM5326fZQtw1IfZQbVdFvqb4VppJhtLyOBtAMTymuIdsJiZtMp4Io6
	GD37pCbLepQmIl7KNVoKBFDw1Zmo8DA=
X-Google-Smtp-Source: 
 ABdhPJzoRyh9dUlZqdCM+iui5NsBCu4xoyMPa/RF2114leOcWaPd45FxGNhhrskQuzehdlyE6kWOuQ==
X-Received: by 2002:a17:90b:1d8a:b0:1be:f9b0:1fca with SMTP id
 pf10-20020a17090b1d8a00b001bef9b01fcamr8344653pjb.137.1646798997095;
        Tue, 08 Mar 2022 20:09:57 -0800 (PST)
Received: from sc2-haas01-esx0118.eng.vmware.com ([66.170.99.1])
        by smtp.gmail.com with ESMTPSA id
 g5-20020a655805000000b003643e405b56sm604343pgr.24.2022.03.08.20.09.55
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 08 Mar 2022 20:09:56 -0800 (PST)
From: Nadav Amit <nadav.amit@gmail.com>
X-Google-Original-From: Nadav Amit
To: linux-mm@kvack.org
Cc: linux-kernel@vger.kernel.org,
	Andrew Morton <akpm@linux-foundation.org>,
	Nadav Amit <namit@vmware.com>,
	Andrea Arcangeli <aarcange@redhat.com>,
	Andrew Cooper <andrew.cooper3@citrix.com>,
	Andy Lutomirski <luto@kernel.org>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	Peter Xu <peterx@redhat.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Thomas Gleixner <tglx@linutronix.de>,
	Will Deacon <will@kernel.org>,
	Yu Zhao <yuzhao@google.com>,
	Nick Piggin <npiggin@gmail.com>,
	x86@kernel.org
Subject: [PATCH v3 2/5] x86/mm: check exec permissions on fault
Date: Tue,  8 Mar 2022 20:10:40 -0800
Message-Id: <20220309041043.302261-3-namit@vmware.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20220309041043.302261-1-namit@vmware.com>
References: <20220309041043.302261-1-namit@vmware.com>
MIME-Version: 1.0
X-Rspam-User: 
X-Rspamd-Server: rspam02
X-Rspamd-Queue-Id: AEBA514000A
X-Stat-Signature: ko1t5o686dmz8sa7sqmes3hdtztuajw8
Authentication-Results: imf23.hostedemail.com;
	dkim=pass header.d=gmail.com header.s=20210112 header.b=ATVTz40h;
	dmarc=pass (policy=none) header.from=gmail.com;
	spf=none (imf23.hostedemail.com: domain of mail-pl1-f178.google.com has no
 SPF policy when checking 209.85.214.178) smtp.helo=mail-pl1-f178.google.com
X-HE-Tag: 1646798998-69437
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>

From: Nadav Amit <namit@vmware.com>

access_error() currently does not check for execution permission
violation. As a result, spurious page-faults due to execution permission
violation cause SIGSEGV.

It appears not to be an issue so far, but the next patches avoid TLB
flushes on permission promotion, which can lead to this scenario. nodejs
for instance crashes when TLB flush is avoided on permission promotion.

Add a check to prevent access_error() from returning mistakenly that
spurious page-faults due to instruction fetch are a reason for an access
error.

It is assumed that error code bits of "instruction fetch" and "write" in
the hardware error code are mutual exclusive, and the change assumes so.
However, to be on the safe side, especially if hypervisors misbehave,
assert this is the case and warn otherwise.

Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Deacon <will@kernel.org>
Cc: Yu Zhao <yuzhao@google.com>
Cc: Nick Piggin <npiggin@gmail.com>
Cc: x86@kernel.org
Signed-off-by: Nadav Amit <namit@vmware.com>
---
 arch/x86/mm/fault.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index d0074c6ed31a..ad0ef0a6087a 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -1107,10 +1107,28 @@ access_error(unsigned long error_code, struct vm_area_struct *vma)
 				       (error_code & X86_PF_INSTR), foreign))
 		return 1;
 
-	if (error_code & X86_PF_WRITE) {
+	if (error_code & (X86_PF_WRITE | X86_PF_INSTR)) {
+		/*
+		 * CPUs are not expected to set the two error code bits
+		 * together, but to ensure that hypervisors do not misbehave,
+		 * run an additional sanity check.
+		 */
+		if ((error_code & (X86_PF_WRITE|X86_PF_INSTR)) ==
+					(X86_PF_WRITE|X86_PF_INSTR)) {
+			WARN_ON_ONCE(1);
+			return 1;
+		}
+
 		/* write, present and write, not present: */
-		if (unlikely(!(vma->vm_flags & VM_WRITE)))
+		if ((error_code & X86_PF_WRITE) &&
+		    unlikely(!(vma->vm_flags & VM_WRITE)))
+			return 1;
+
+		/* exec, present and exec, not present: */
+		if ((error_code & X86_PF_INSTR) &&
+		    unlikely(!(vma->vm_flags & VM_EXEC)))
 			return 1;
+
 		return 0;
 	}