From patchwork Sat Feb 18 21:14:18 2023
X-Patchwork-Submitter: "Edgecombe, Rick P"
X-Patchwork-Id: 13145665
From: Rick Edgecombe
To: x86@kernel.org, "H . Peter Anvin", Thomas Gleixner, Ingo Molnar,
    linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org,
    linux-mm@kvack.org, linux-arch@vger.kernel.org,
    linux-api@vger.kernel.org, Arnd Bergmann, Andy Lutomirski,
    Balbir Singh, Borislav Petkov, Cyrill Gorcunov, Dave Hansen,
    Eugene Syromiatnikov, Florian Weimer, "H . J . Lu", Jann Horn,
    Jonathan Corbet, Kees Cook, Mike Kravetz, Nadav Amit, Oleg Nesterov,
    Pavel Machek, Peter Zijlstra, Randy Dunlap, Weijiang Yang,
    "Kirill A . Shutemov", John Allen, kcc@google.com, eranian@google.com,
    rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com,
    akpm@linux-foundation.org, Andrew.Cooper3@citrix.com,
    christina.schimpe@intel.com, david@redhat.com, debug@rivosinc.com
Cc: rick.p.edgecombe@intel.com
Subject: [PATCH v6 26/41] mm: Warn on shadow stack memory in wrong vma
Date: Sat, 18 Feb 2023 13:14:18 -0800
Message-Id: <20230218211433.26859-27-rick.p.edgecombe@intel.com>
In-Reply-To: <20230218211433.26859-1-rick.p.edgecombe@intel.com>
References: <20230218211433.26859-1-rick.p.edgecombe@intel.com>

The x86 Control-flow Enforcement Technology (CET) feature includes a new
type of memory called shadow stack. This shadow stack memory has some
unusual properties, which requires some core mm changes to function
properly.

One sharp edge is that PTEs that are both Write=0 and Dirty=1 are
treated as shadow by the CPU, but this combination used to be created by
the kernel on x86. Previous patches have changed the kernel to now avoid
creating these PTEs unless they are for shadow stack memory. In case any
missed corners of the kernel are still creating PTEs like this for
non-shadow stack memory, and to catch any re-introductions of the logic,
warn if any shadow stack PTEs (Write=0, Dirty=1) are found in non-shadow
stack VMAs when they are being zapped. This won't catch transient cases
but should have decent coverage. It will be compiled out when shadow
stack is not configured.

In order to check if a pte is shadow stack in core mm code, add two arch
breakouts arch_check_zapped_pte/pmd(). This will allow shadow stack
specific code to be kept in arch/x86.

Tested-by: Pengfei Xu
Tested-by: John Allen
Reviewed-by: Kees Cook
Signed-off-by: Rick Edgecombe
---
v6:
 - Add arch breakout to remove shstk from core MM code.

v5:
 - Fix typo in commit log

v3:
 - New patch
---
 arch/x86/include/asm/pgtable.h |  6 ++++++
 arch/x86/mm/pgtable.c          | 12 ++++++++++++
 include/linux/pgtable.h        | 14 ++++++++++++++
 mm/huge_memory.c               |  1 +
 mm/memory.c                    |  1 +
 5 files changed, 34 insertions(+)

diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h index 20d0df494269..f3dc16fc4389 100644 --- a/arch/x86/include/asm/pgtable.h +++ b/arch/x86/include/asm/pgtable.h 
@@ -1687,6 +1687,12 @@ static inline bool arch_has_hw_pte_young(void) return true; } +#define arch_check_zapped_pte arch_check_zapped_pte +void arch_check_zapped_pte(struct vm_area_struct *vma, pte_t pte); + +#define arch_check_zapped_pmd arch_check_zapped_pmd +void arch_check_zapped_pmd(struct vm_area_struct *vma, pmd_t pmd); + #ifdef CONFIG_XEN_PV #define arch_has_hw_nonleaf_pmd_young arch_has_hw_nonleaf_pmd_young static inline bool arch_has_hw_nonleaf_pmd_young(void) diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index 98856bcc8102..afab0bc7862b 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -906,3 +906,15 @@ pmd_t pmd_mkwrite(pmd_t pmd, struct vm_area_struct *vma) return pmd; } + +void arch_check_zapped_pte(struct vm_area_struct *vma, pte_t pte) +{ + VM_WARN_ON_ONCE(!(vma->vm_flags & VM_SHADOW_STACK) && + pte_shstk(pte)); +} + +void arch_check_zapped_pmd(struct vm_area_struct *vma, pmd_t pmd) +{ + VM_WARN_ON_ONCE(!(vma->vm_flags & VM_SHADOW_STACK) && + pmd_shstk(pmd)); +} diff --git a/include/linux/pgtable.h b/include/linux/pgtable.h index 1159b25b0542..22787c86c8f2 100644 --- a/include/linux/pgtable.h +++ b/include/linux/pgtable.h @@ -291,6 +291,20 @@ static inline bool arch_has_hw_pte_young(void) } #endif +#ifndef arch_check_zapped_pte +static inline void arch_check_zapped_pte(struct vm_area_struct *vma, + pte_t pte) +{ +} +#endif + +#ifndef arch_check_zapped_pmd +static inline void arch_check_zapped_pmd(struct vm_area_struct *vma, + pmd_t pmd) +{ +} +#endif + #ifndef __HAVE_ARCH_PTEP_GET_AND_CLEAR static inline pte_t ptep_get_and_clear(struct mm_struct *mm, unsigned long address, diff --git a/mm/huge_memory.c b/mm/huge_memory.c index a216129e6a7c..842925f7fa9e 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c 
@@ -1696,6 +1696,7 @@ int zap_huge_pmd(struct mmu_gather *tlb, struct vm_area_struct *vma, */ orig_pmd = pmdp_huge_get_and_clear_full(vma, addr, pmd, tlb->fullmm); + arch_check_zapped_pmd(vma, orig_pmd); tlb_remove_pmd_tlb_entry(tlb, pmd, addr); if (vma_is_special_huge(vma)) { if (arch_needs_pgtable_deposit()) diff --git a/mm/memory.c b/mm/memory.c index 6ad031d5cfb0..29e8f043b603 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -1377,6 +1377,7 @@ static unsigned long zap_pte_range(struct mmu_gather *tlb, continue; ptent = ptep_get_and_clear_full(mm, addr, pte, tlb->fullmm); + arch_check_zapped_pte(vma, ptent); tlb_remove_tlb_entry(tlb, pte, addr); zap_install_uffd_wp_if_needed(vma, addr, pte, details, ptent);
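
Review bot: In arch/x86/include/asm/pgtable.h the two prototypes and their #define guards are added unconditionally, and the bodies live out of line in arch/x86/mm/pgtable.c, so on x86 the loop in zap_pte_range() makes a function call for each cleared PTE whether or not the warning is enabled. The commit message says the check is compiled out when shadow stack is not configured, but nothing visible in this hunk makes it so. Either make the two helpers static inline in the header so an empty VM_WARN_ON_ONCE() folds away, or wrap the #define/prototype pairs in the shadow stack Kconfig option so the generic empty stubs are used otherwise.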
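
Review bot: In arch/x86/mm/pgtable.c, arch_check_zapped_pte() and arch_check_zapped_pmd() carry no comment saying why a shadow stack entry outside a VM_SHADOW_STACK VMA is a kernel bug; the reasoning (Write=0, Dirty=1 is now reserved for shadow stack) lives only in the commit message. Add a short comment above the VM_WARN_ON_ONCE() in the pte variant and point the pmd variant at it. Since VM_WARN_ON_ONCE() only checks on CONFIG_DEBUG_VM kernels, the comment or the commit log should also state that this is the intended coverage.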
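
Review bot: The generic arch_check_zapped_pte()/arch_check_zapped_pmd() stubs in include/linux/pgtable.h introduce a new arch hook without any comment on its contract. A line above them saying that the hook is called from the zap paths with the entry value that was just cleared, and that it exists for debug checks, would help other architectures and future callers use it consistently.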
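
Review bot: In zap_huge_pmd() the new arch_check_zapped_pmd(vma, orig_pmd) runs immediately after pmdp_huge_get_and_clear_full(), ahead of the vma_is_special_huge() branch, so it sees every kind of entry this function clears. If orig_pmd can be a non-present entry at this point, pmd_shstk() would be testing bits that no longer mean Write and Dirty and could warn spuriously. Please confirm that cannot happen, or move the call to where the PMD is known to be present.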