From: Jisheng Zhang <jszhang3@mail.ustc.edu.cn>
To: Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
Alexandre Ghiti <alex@ghiti.fr>
Cc: linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH] riscv: mm: Fix W+X mappings at boot
Date: Sun, 16 May 2021 17:00:38 +0800 [thread overview]
Message-ID: <20210516170038.7de9c866@xhacker> (raw)
From: Jisheng Zhang <jszhang@kernel.org>
When the kernel mapping was moved the last 2GB of the address space,
(__va(PFN_PHYS(max_low_pfn))) is much smaller than the .data section
start address, the last set_memory_nx() in protect_kernel_text_data()
will fail, thus the .data section is still mapped as W+X. This results
in below W+X mapping waring at boot. Fix it by passing the correct
.data section page num to the set_memory_nx().
[ 0.396516] ------------[ cut here ]------------
[ 0.396889] riscv/mm: Found insecure W+X mapping at address (____ptrval____)/0xffffffff80c00000
[ 0.398347] WARNING: CPU: 0 PID: 1 at arch/riscv/mm/ptdump.c:258 note_page+0x244/0x24a
[ 0.398964] Modules linked in:
[ 0.399459] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.13.0-rc1+ #14
[ 0.400003] Hardware name: riscv-virtio,qemu (DT)
[ 0.400591] epc : note_page+0x244/0x24a
[ 0.401368] ra : note_page+0x244/0x24a
[ 0.401772] epc : ffffffff80007c86 ra : ffffffff80007c86 sp : ffffffe000e7bc30
[ 0.402304] gp : ffffffff80caae88 tp : ffffffe000e70000 t0 : ffffffff80cb80cf
[ 0.402800] t1 : ffffffff80cb80c0 t2 : 0000000000000000 s0 : ffffffe000e7bc80
[ 0.403310] s1 : ffffffe000e7bde8 a0 : 0000000000000053 a1 : ffffffff80c83ff0
[ 0.403805] a2 : 0000000000000010 a3 : 0000000000000000 a4 : 6c7e7a5137233100
[ 0.404298] a5 : 6c7e7a5137233100 a6 : 0000000000000030 a7 : ffffffffffffffff
[ 0.404849] s2 : ffffffff80e00000 s3 : 0000000040000000 s4 : 0000000000000000
[ 0.405393] s5 : 0000000000000000 s6 : 0000000000000003 s7 : ffffffe000e7bd48
[ 0.405935] s8 : ffffffff81000000 s9 : ffffffffc0000000 s10: ffffffe000e7bd48
[ 0.406476] s11: 0000000000001000 t3 : 0000000000000072 t4 : ffffffffffffffff
[ 0.407016] t5 : 0000000000000002 t6 : ffffffe000e7b978
[ 0.407435] status: 0000000000000120 badaddr: 0000000000000000 cause: 0000000000000003
[ 0.408052] Call Trace:
[ 0.408343] [<ffffffff80007c86>] note_page+0x244/0x24a
[ 0.408855] [<ffffffff8010c5a6>] ptdump_hole+0x14/0x1e
[ 0.409263] [<ffffffff800f65c6>] walk_pgd_range+0x2a0/0x376
[ 0.409690] [<ffffffff800f6828>] walk_page_range_novma+0x4e/0x6e
[ 0.410146] [<ffffffff8010c5f8>] ptdump_walk_pgd+0x48/0x78
[ 0.410570] [<ffffffff80007d66>] ptdump_check_wx+0xb4/0xf8
[ 0.410990] [<ffffffff80006738>] mark_rodata_ro+0x26/0x2e
[ 0.411407] [<ffffffff8031961e>] kernel_init+0x44/0x108
[ 0.411814] [<ffffffff80002312>] ret_from_exception+0x0/0xc
[ 0.412309] ---[ end trace 7ec3459f2547ea83 ]---
[ 0.413141] Checked W+X mappings: failed, 512 W+X pages found
Fixes: 2bfc6cd81bd17e43 ("riscv: Move kernel mapping outside of linear mapping")
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
---
arch/riscv/mm/init.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
index 4faf8bd157ea..4c4c92ce0bb8 100644
--- a/arch/riscv/mm/init.c
+++ b/arch/riscv/mm/init.c
@@ -746,14 +746,18 @@ void __init protect_kernel_text_data(void)
unsigned long init_data_start = (unsigned long)__init_data_begin;
unsigned long rodata_start = (unsigned long)__start_rodata;
unsigned long data_start = (unsigned long)_data;
- unsigned long max_low = (unsigned long)(__va(PFN_PHYS(max_low_pfn)));
+#if defined(CONFIG_64BIT) && defined(CONFIG_MMU)
+ unsigned long end_va = kernel_virt_addr + load_sz;
+#else
+ unsigned long end_va = (unsigned long)(__va(PFN_PHYS(max_low_pfn)));
+#endif
set_memory_ro(text_start, (init_text_start - text_start) >> PAGE_SHIFT);
set_memory_ro(init_text_start, (init_data_start - init_text_start) >> PAGE_SHIFT);
set_memory_nx(init_data_start, (rodata_start - init_data_start) >> PAGE_SHIFT);
/* rodata section is marked readonly in mark_rodata_ro */
set_memory_nx(rodata_start, (data_start - rodata_start) >> PAGE_SHIFT);
- set_memory_nx(data_start, (max_low - data_start) >> PAGE_SHIFT);
+ set_memory_nx(data_start, (end_va - data_start) >> PAGE_SHIFT);
}
void mark_rodata_ro(void)
--
2.31.0
WARNING: multiple messages have this Message-ID (diff)
From: Jisheng Zhang <jszhang3@mail.ustc.edu.cn>
To: Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
Alexandre Ghiti <alex@ghiti.fr>
Cc: linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH] riscv: mm: Fix W+X mappings at boot
Date: Sun, 16 May 2021 17:00:38 +0800 [thread overview]
Message-ID: <20210516170038.7de9c866@xhacker> (raw)
From: Jisheng Zhang <jszhang@kernel.org>
When the kernel mapping was moved the last 2GB of the address space,
(__va(PFN_PHYS(max_low_pfn))) is much smaller than the .data section
start address, the last set_memory_nx() in protect_kernel_text_data()
will fail, thus the .data section is still mapped as W+X. This results
in below W+X mapping waring at boot. Fix it by passing the correct
.data section page num to the set_memory_nx().
[ 0.396516] ------------[ cut here ]------------
[ 0.396889] riscv/mm: Found insecure W+X mapping at address (____ptrval____)/0xffffffff80c00000
[ 0.398347] WARNING: CPU: 0 PID: 1 at arch/riscv/mm/ptdump.c:258 note_page+0x244/0x24a
[ 0.398964] Modules linked in:
[ 0.399459] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.13.0-rc1+ #14
[ 0.400003] Hardware name: riscv-virtio,qemu (DT)
[ 0.400591] epc : note_page+0x244/0x24a
[ 0.401368] ra : note_page+0x244/0x24a
[ 0.401772] epc : ffffffff80007c86 ra : ffffffff80007c86 sp : ffffffe000e7bc30
[ 0.402304] gp : ffffffff80caae88 tp : ffffffe000e70000 t0 : ffffffff80cb80cf
[ 0.402800] t1 : ffffffff80cb80c0 t2 : 0000000000000000 s0 : ffffffe000e7bc80
[ 0.403310] s1 : ffffffe000e7bde8 a0 : 0000000000000053 a1 : ffffffff80c83ff0
[ 0.403805] a2 : 0000000000000010 a3 : 0000000000000000 a4 : 6c7e7a5137233100
[ 0.404298] a5 : 6c7e7a5137233100 a6 : 0000000000000030 a7 : ffffffffffffffff
[ 0.404849] s2 : ffffffff80e00000 s3 : 0000000040000000 s4 : 0000000000000000
[ 0.405393] s5 : 0000000000000000 s6 : 0000000000000003 s7 : ffffffe000e7bd48
[ 0.405935] s8 : ffffffff81000000 s9 : ffffffffc0000000 s10: ffffffe000e7bd48
[ 0.406476] s11: 0000000000001000 t3 : 0000000000000072 t4 : ffffffffffffffff
[ 0.407016] t5 : 0000000000000002 t6 : ffffffe000e7b978
[ 0.407435] status: 0000000000000120 badaddr: 0000000000000000 cause: 0000000000000003
[ 0.408052] Call Trace:
[ 0.408343] [<ffffffff80007c86>] note_page+0x244/0x24a
[ 0.408855] [<ffffffff8010c5a6>] ptdump_hole+0x14/0x1e
[ 0.409263] [<ffffffff800f65c6>] walk_pgd_range+0x2a0/0x376
[ 0.409690] [<ffffffff800f6828>] walk_page_range_novma+0x4e/0x6e
[ 0.410146] [<ffffffff8010c5f8>] ptdump_walk_pgd+0x48/0x78
[ 0.410570] [<ffffffff80007d66>] ptdump_check_wx+0xb4/0xf8
[ 0.410990] [<ffffffff80006738>] mark_rodata_ro+0x26/0x2e
[ 0.411407] [<ffffffff8031961e>] kernel_init+0x44/0x108
[ 0.411814] [<ffffffff80002312>] ret_from_exception+0x0/0xc
[ 0.412309] ---[ end trace 7ec3459f2547ea83 ]---
[ 0.413141] Checked W+X mappings: failed, 512 W+X pages found
Fixes: 2bfc6cd81bd17e43 ("riscv: Move kernel mapping outside of linear mapping")
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
---
arch/riscv/mm/init.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
index 4faf8bd157ea..4c4c92ce0bb8 100644
--- a/arch/riscv/mm/init.c
+++ b/arch/riscv/mm/init.c
@@ -746,14 +746,18 @@ void __init protect_kernel_text_data(void)
unsigned long init_data_start = (unsigned long)__init_data_begin;
unsigned long rodata_start = (unsigned long)__start_rodata;
unsigned long data_start = (unsigned long)_data;
- unsigned long max_low = (unsigned long)(__va(PFN_PHYS(max_low_pfn)));
+#if defined(CONFIG_64BIT) && defined(CONFIG_MMU)
+ unsigned long end_va = kernel_virt_addr + load_sz;
+#else
+ unsigned long end_va = (unsigned long)(__va(PFN_PHYS(max_low_pfn)));
+#endif
set_memory_ro(text_start, (init_text_start - text_start) >> PAGE_SHIFT);
set_memory_ro(init_text_start, (init_data_start - init_text_start) >> PAGE_SHIFT);
set_memory_nx(init_data_start, (rodata_start - init_data_start) >> PAGE_SHIFT);
/* rodata section is marked readonly in mark_rodata_ro */
set_memory_nx(rodata_start, (data_start - rodata_start) >> PAGE_SHIFT);
- set_memory_nx(data_start, (max_low - data_start) >> PAGE_SHIFT);
+ set_memory_nx(data_start, (end_va - data_start) >> PAGE_SHIFT);
}
void mark_rodata_ro(void)
--
2.31.0
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next reply other threads:[~2021-05-16 9:06 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-16 9:00 Jisheng Zhang [this message]
2021-05-16 9:00 ` [PATCH] riscv: mm: Fix W+X mappings at boot Jisheng Zhang
2021-05-18 15:26 ` Alex Ghiti
2021-05-18 15:26 ` Alex Ghiti
2021-05-19 15:23 ` Jisheng Zhang
2021-05-19 15:23 ` Jisheng Zhang
2021-05-20 4:55 ` Drew Fustini
2021-05-20 4:55 ` Drew Fustini
2021-05-20 9:38 ` Jisheng Zhang
2021-05-20 9:38 ` Jisheng Zhang
2021-05-29 20:38 ` Palmer Dabbelt
2021-05-29 20:38 ` Palmer Dabbelt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210516170038.7de9c866@xhacker \
--to=jszhang3@mail.ustc.edu.cn \
--cc=alex@ghiti.fr \
--cc=aou@eecs.berkeley.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.