From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id F3C5EC7EE32 for ; Fri, 3 Mar 2023 14:39:20 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 79E456B0078; Fri, 3 Mar 2023 09:39:20 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 74F546B007D; Fri, 3 Mar 2023 09:39:20 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 616936B0080; Fri, 3 Mar 2023 09:39:20 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 5432B6B0078 for ; Fri, 3 Mar 2023 09:39:20 -0500 (EST) Received: from smtpin24.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay09.hostedemail.com (Postfix) with ESMTP id 006F480D7C for ; Fri, 3 Mar 2023 14:39:19 +0000 (UTC) X-FDA: 80527844838.24.6356B23 Received: from mga17.intel.com (mga17.intel.com [192.55.52.151]) by imf17.hostedemail.com (Postfix) with ESMTP id A522F4000E for ; Fri, 3 Mar 2023 14:39:16 +0000 (UTC) Authentication-Results: imf17.hostedemail.com; dkim=pass header.d=intel.com header.s=Intel header.b=d2U4LqJ0; spf=pass (imf17.hostedemail.com: domain of dave.hansen@intel.com designates 192.55.52.151 as permitted sender) smtp.mailfrom=dave.hansen@intel.com; dmarc=pass (policy=none) header.from=intel.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1677854357; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=JbzYYvQGn44tKLKK+ZTHJCu0GI7LiuPq0oRyEBWejLY=; b=4qWhkQ1voebUcL/OyK+DpYMvvoue695Kdo1G5U1isCnXBNwcaYl3ZxPDa73MkfG2GBuIxG ig3n5HFqvi+Weo90jo7U1xFJPaOQsAXiLCt/UD8fV7Z0MouXg2D/QyEbHyqUy8Dm9C7HVU gLHWQLNxQpL1T7IZrbUeYs9w2HHW6m0= ARC-Authentication-Results: i=1; imf17.hostedemail.com; dkim=pass header.d=intel.com header.s=Intel header.b=d2U4LqJ0; spf=pass (imf17.hostedemail.com: domain of dave.hansen@intel.com designates 192.55.52.151 as permitted sender) smtp.mailfrom=dave.hansen@intel.com; dmarc=pass (policy=none) header.from=intel.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1677854357; a=rsa-sha256; cv=none; b=qROA/+buwfCht3Pgn9DUUnqgslyPzhHsBnJ/75wcHIqfgGwD5sAIFO4tinORTs5Dou1Dtl Ggnq8rJVFfr8YdFZ2whytIA6q1ZqiUGSJvZDJpzmXzaW80Ipu94YHU16YvUnXchY0iycn9 ej3M3NsUr93fTu/KnQJ0bI+epNsQisY= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1677854356; x=1709390356; h=message-id:date:mime-version:subject:to:cc:references: from:in-reply-to:content-transfer-encoding; bh=enM9fqPmmUCNjfregnTQTxVlem+fBlV9uM7hLOVjTZk=; b=d2U4LqJ0Lkh87/VC9TtmfoAtgKvT7OPeH/SKALdqvSzvTeVVTluUMhUW b107dZWesSa4j0qfYbroTqWV2gm2TOq2iNyoAyuyqVfq9wry9TgHKZMrs yz5AHWFcGInWj2uwe3XJ3W1eMgqsoQUOPvgIvzJMq0Za55kUiabQPwIgb AxDSGANkATO+xmgn0NfIIlcSVvTZS8VWYlmICCCHJzSErnWvzfe5nB1hK TI7xVP2OxB8tg1P0VGX8D6k1ukEfD0GFrR2Qg62STK9J4rPJ53XDtI23C fPYJlTcMhBcQrfVqy80XTMsfkqAMB2wqAkKJXiVtgP32Z5v39uvjZK5Ef w==; X-IronPort-AV: E=McAfee;i="6500,9779,10638"; a="315454041" X-IronPort-AV: E=Sophos;i="5.98,230,1673942400"; d="scan'208";a="315454041" Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 03 Mar 2023 06:39:13 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=McAfee;i="6500,9779,10638"; a="818491545" X-IronPort-AV: E=Sophos;i="5.98,230,1673942400"; d="scan'208";a="818491545" Received: from ppatil1-mobl3.amr.corp.intel.com (HELO [10.252.140.187]) ([10.252.140.187]) by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 03 Mar 2023 06:39:11 -0800 Message-ID: Date: Fri, 3 Mar 2023 06:39:11 -0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.7.1 Subject: Re: [PATCH v7 19/41] x86/mm: Check shadow stack page fault errors Content-Language: en-US To: Borislav Petkov , Rick Edgecombe Cc: x86@kernel.org, "H . Peter Anvin" , Thomas Gleixner , Ingo Molnar , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann , Andy Lutomirski , Balbir Singh , Cyrill Gorcunov , Dave Hansen , Eugene Syromiatnikov , Florian Weimer , "H . J . Lu" , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , Randy Dunlap , Weijiang Yang , "Kirill A . Shutemov" , John Allen , kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com, david@redhat.com, debug@rivosinc.com, Yu-cheng Yu References: <20230227222957.24501-1-rick.p.edgecombe@intel.com> <20230227222957.24501-20-rick.p.edgecombe@intel.com> From: Dave Hansen In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Rspamd-Server: rspam05 X-Rspamd-Queue-Id: A522F4000E X-Stat-Signature: f7yzsqq951ugjrc744bjyw7inmy5iwty X-Rspam-User: X-HE-Tag: 1677854356-167620 X-HE-Meta: U2FsdGVkX19hvKxSXljfPJ2FBPrQtlZrRqAx4isSbM5c/7uWf6MaBdojr0MtdZV9p4abI9mCBVJ0btt17otAAewL7OzlH7PFnG+LIGRbPy73A89eV+qTq3eHR3c2531mnIFijsZ2b44bEpyAf20aQKhZ3brc+5/82tt8aAqc5dKwK79/zxIxdwzPK66mi4MDME4WrwmvX501o06gaJBj4I9ec7o+iuHn1jdEFoQARz1JKjzajIUUFXXAxWa7ihlkS0DSfQDKHntnNkcI+42eX0JHoI/OiMpffez3Xt5//SXpF2qAKyBOiDo3awk+zs5gdeIM2Ide+r9as2YgXGVvxudYsBTDaueNJu7Ka5gP9Wkezeq9b0SELNOdeyjmuwPte/Yuc6EPKS1+qUZFvHcnzSbFjcQNFBDMq4J0Pan/VRHx0/K0N8C/u7ziEalKoHGPmx8WGJbVDhu+mFEc+/IZ+WH253iC/+PdGmkbTEN3uYTLdUMlPc9ChT+w8gZnW0BW9s7lNSir8PbLujz5Ur2TubYgLkmj/Z07zRIUYM4sT01bk54LfkihbwSA7axUiiPTb1qmBDX9VvBohn87sJRUw5jOpGg/CRcqKinrSMSvFe3lqkOdzB/bQBXBxeRM8pHHj8qp1LMbRTUzPp6pxxqBmQW2UE7b20dIcHep7V7VMTqWdc+CoGP87RUzww7MPUuWvzQT9m3BBigp6GtWlh2I+GV9yzFw2xr41qibgjrxnOQ8dewhAeKSfB9J4x/xvvINOmJQxjBg5p0ibXvGbJXdAeohyNWKUiMpPCWjjStevPfudsxGbDYoBY22DQJjPbz39vWTOHxG4Oy0OWBFV5p/OA8QCqjFdgK7bGU4Deumzb3xuJW9vf+y0443nzTEaKNwLIgttKIzt4qC2IOv7+SCbVvGX3w1F1PBUjJCbwgUrOpQP4j7YPaVY10Xek5Z+0dv8wozP/UlR521wQnblTD ZcKEBRtS MMfV205+0z8H0YZl/QhgpKsGDFliOMWJH30RmiKZN3ibxY+AN7hNYW6J/Jv1GoLpR2k8Z2xsdbYDPL+0oWyZ1b9uZA5qhcW56mHDJHtbSoRnyKjkvjVtipCfw1f6tJdQavl0Oh8N+AUF79vywCUXP1ufEn2uUv38RD4FXVLTQEvMArWY68WOvDr0R4ehowMhe3NDHB2gAIJ46VoqIMOhOOxMhBIRSAKG+kBRAjF7GhtD+PuY= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On 3/3/23 06:00, Borislav Petkov wrote: > On Mon, Feb 27, 2023 at 02:29:35PM -0800, Rick Edgecombe wrote: >> @@ -1310,6 +1324,23 @@ void do_user_addr_fault(struct pt_regs *regs, >> >> perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address); >> >> + /* >> + * For conventionally writable pages, a read can be serviced with a >> + * read only PTE. But for shadow stack, there isn't a concept of >> + * read-only shadow stack memory. If it a PTE has the shadow stack > s/it // > >> + * permission, it can be modified via CALL and RET instructions. So >> + * core MM needs to fault in a writable PTE and do things it already >> + * does for write faults. >> + * >> + * Shadow stack accesses (read or write) need to be serviced with >> + * shadow stack permission memory, which always include write >> + * permissions. So in the case of a shadow stack read access, treat it >> + * as a WRITE fault. This will make sure that MM will prepare >> + * everything (e.g., break COW) such that maybe_mkwrite() can create a >> + * proper shadow stack PTE. I ended up just chopping that top paragraph out and rewording it a bit. I think this still expresses the intent in a lot less space: /* * Read-only permissions can not be expressed in shadow stack PTEs. * Treat all shadow stack accesses as WRITE faults. This ensures * that the MM will prepare everything (e.g., break COW) such that * maybe_mkwrite() can create a proper shadow stack PTE. */