linux-integrity.vger.kernel.org archive mirror
From: Peter Zijlstra <peterz@infradead.org>
To: Andy Lutomirski <luto@kernel.org>
Cc: Igor Stoppa <igor.stoppa@gmail.com>,
	linux-arch <linux-arch@vger.kernel.org>,
	linux-s390 <linux-s390@vger.kernel.org>,
	Martin Schwidefsky <schwidefsky@de.ibm.com>,
	Heiko Carstens <heiko.carstens@de.ibm.com>,
	Benjamin Herrenschmidt <benh@kernel.crashing.org>,
	Kees Cook <keescook@chromium.org>,
	Matthew Wilcox <willy@infradead.org>,
	Igor Stoppa <igor.stoppa@huawei.com>,
	Nadav Amit <nadav.amit@gmail.com>,
	Dave Hansen <dave.hansen@linux.intel.com>,
	linux-integrity <linux-integrity@vger.kernel.org>,
	Kernel Hardening <kernel-hardening@lists.openwall.com>,
	Linux-MM <linux-mm@kvack.org>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 2/6] __wr_after_init: write rare for static allocation
Date: Thu, 6 Dec 2018 10:44:51 +0100
Message-ID: <20181206094451.GC13538@hirez.programming.kicks-ass.net>
In-Reply-To: <CALCETrVvoui0vksdt0Y9rdGL5ipEn_FtSXVVUFdH03ZC93cy_A@mail.gmail.com>

On Wed, Dec 05, 2018 at 03:13:56PM -0800, Andy Lutomirski wrote:

> > +       if (op == WR_MEMCPY)
> > +               memcpy((void *)wr_poking_addr, (void *)src, len);
> > +       else if (op == WR_MEMSET)
> > +               memset((u8 *)wr_poking_addr, (u8)src, len);
> > +       else if (op == WR_RCU_ASSIGN_PTR)
> > +               /* generic version of rcu_assign_pointer */
> > +               smp_store_release((void **)wr_poking_addr,
> > +                                 RCU_INITIALIZER((void **)src));
> > +       kasan_enable_current();
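
Review bot: the op dispatch (WR_MEMCPY / WR_MEMSET / WR_RCU_ASSIGN_PTR) has no final else, so as far as these lines show an unrecognised op performs no write and still reaches kasan_enable_current() without any error being reported; add an else that warns and returns a failure, or validate op before this point. The WR_RCU_ASSIGN_PTR branch also ignores len, so a check that len == sizeof(void *) would catch mismatched callers, and its multi-line body (comment plus the wrapped smp_store_release() call) should be put in braces per kernel coding style.
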
> 
> Hmm.  I suspect this will explode quite badly on sane architectures
> like s390.  (In my book, despite how weird s390 is, it has a vastly
> nicer model of "user" memory than any other architecture I know
> of...).  I think you should use copy_to_user(), etc, instead.  I'm not
> entirely sure what the best smp_store_release() replacement is.
> Making this change may also mean you can get rid of the
> kasan_disable_current().

If you make the MEMCPY one guarantee single-copy atomicity for native
words then you're basically done.

smp_store_release() can be implemented with:

	smp_mb();
	WRITE_ONCE();

So if we make MEMCPY provide the WRITE_ONCE(), all we need is that
barrier, which we can easily place at the call site and not overly
complicate our interface with this.

Because performance is down the drain already, an additional full
memory barrier is peanuts here (and in fact already implied by the x86
CR3 munging).
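
The construction described in the message above (a copy that stores native words with single-copy atomicity, plus a full barrier at the call site), as an added userspace C sketch that is not code from the patch or from anyone in the thread. The names `wr_memcpy_sketch`, `write_once_word`, `full_barrier`, `publish_cfg` and `cfg_slot` are hypothetical; a C11 seq_cst fence stands in for `smp_mb()` and a volatile word store for `WRITE_ONCE()`.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-ins (assumptions): C11 fence for smp_mb(), volatile store for WRITE_ONCE(). */
#define full_barrier()        atomic_thread_fence(memory_order_seq_cst)
#define write_once_word(p, v) (*(volatile uintptr_t *)(p) = (v))

/* Hypothetical memcpy variant: each aligned native word in dst is written by
 * exactly one word-sized store, so a reader never sees a half-updated word. */
static void wr_memcpy_sketch(void *dst, const void *src, size_t len)
{
	unsigned char *d = dst;
	const unsigned char *s = src;

	while (len && ((uintptr_t)d & (sizeof(uintptr_t) - 1))) {	/* unaligned head */
		*d++ = *s++;
		len--;
	}
	while (len >= sizeof(uintptr_t)) {		/* aligned native words */
		uintptr_t w;
		memcpy(&w, s, sizeof(w));		/* src may be unaligned */
		write_once_word(d, w);
		d += sizeof(w); s += sizeof(w); len -= sizeof(w);
	}
	while (len--)					/* tail bytes */
		*d++ = *s++;
}

struct cfg { int limit; };			/* constructed sample object */
static uintptr_t cfg_slot;			/* pointer-sized slot that readers load */

/* Call site: barrier first, then the word-atomic copy; together they give
 * the ordering smp_store_release() would. Returns what a reader now sees. */
static int publish_cfg(struct cfg *c, int limit)
{
	uintptr_t v = (uintptr_t)c;
	c->limit = limit;			/* initialise before publishing */
	full_barrier();				/* orders the init before the pointer store */
	wr_memcpy_sketch(&cfg_slot, &v, sizeof(v));
	return ((struct cfg *)cfg_slot)->limit;
}

int main(void)
{
	struct cfg c;
	printf("reader sees limit=%d\n", publish_cfg(&c, 42));
	return 0;
}
```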
