From: Christoph Hellwig <hch@lst.de>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Christoph Hellwig <hch@lst.de>, Dexuan Cui <decui@microsoft.com>,
	vkuznets <vkuznets@redhat.com>,
	Stephen Hemminger <stephen@networkplumber.org>,
	Andy Lutomirski <luto@kernel.org>,
	Andy Lutomirski <luto@amacapital.net>,
	Michael Kelley <mikelley@microsoft.com>,
	Ju-Hyoung Lee <juhlee@microsoft.com>,
	"x86@kernel.org" <x86@kernel.org>,
	"linux-hyperv@vger.kernel.org" <linux-hyperv@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	KY Srinivasan <kys@microsoft.com>,
	Tom Lendacky <thomas.lendacky@amd.com>
Subject: Re: hv_hypercall_pg page permissios
Date: Tue, 16 Jun 2020 12:24:12 +0200
Message-ID: <20200616102412.GB29684@lst.de>
In-Reply-To: <20200616102350.GA29684@lst.de>

On Tue, Jun 16, 2020 at 12:23:50PM +0200, Christoph Hellwig wrote:
> On Tue, Jun 16, 2020 at 12:18:07PM +0200, Peter Zijlstra wrote:
> > > It does.  But it also means every other user of PAGE_KERNEL_EXEC
> > > should trigger this, of which there are a few (kexec, tboot, hibernate,
> > > early xen pv mapping, early SEV identity mapping)
> > 
> > There are only 3 users in the entire tree afaict:
> > 
> > arch/arm64/kernel/probes/kprobes.c:     page = vmalloc_exec(PAGE_SIZE);
> > arch/x86/hyperv/hv_init.c:      hv_hypercall_pg = vmalloc_exec(PAGE_SIZE);
> > kernel/module.c:        return vmalloc_exec(size);
> > 
> > And that last one is a weak function that any arch that has STRICT_RWX
> > ought to override.
> > 
> > > We really shouldn't create mappings like this by default.  Either we
> > > need to flip PAGE_KERNEL_EXEC itself based on the needs of the above
> > > users, or add another define to overload vmalloc_exec as there is no
> > > other user of that for x86.
> > 
> > We really should get rid of the two !module users of this though; both
> > x86 and arm64 have STRICT_RWX and sufficient primitives to DTRT.
> > 
> > What is HV even trying to do with that page? AFAICT it never actually
> > writes to it, it seems to give the physical address to an MSR (which I
> > suspect then writes crud into the page for us from host context).
> > 
> > Suggesting the page really only needs to be RX.
> > 
> > On top of that, vmalloc_exec() gets us a page from the entire vmalloc
> > range, which can be outside of the 2G executable range, which seems to
> > suggest vmalloc_exec() is wrong too and all this works by accident.
> > 
> > How about something like this:
> > 
> > 
> > diff --git a/arch/x86/hyperv/hv_init.c b/arch/x86/hyperv/hv_init.c
> > index a54c6a401581..82a3a4a9481f 100644
> > --- a/arch/x86/hyperv/hv_init.c
> > +++ b/arch/x86/hyperv/hv_init.c
> > @@ -375,12 +375,15 @@ void __init hyperv_init(void)
> >  	guest_id = generate_guest_id(0, LINUX_VERSION_CODE, 0);
> >  	wrmsrl(HV_X64_MSR_GUEST_OS_ID, guest_id);
> >  
> > -	hv_hypercall_pg = vmalloc_exec(PAGE_SIZE);
> > +	hv_hypercall_pg = module_alloc(PAGE_SIZE);
> >  	if (hv_hypercall_pg == NULL) {
> >  		wrmsrl(HV_X64_MSR_GUEST_OS_ID, 0);
> >  		goto remove_cpuhp_state;
> >  	}
> >  
> > +	set_memory_ro((unsigned long)hv_hypercall_pg, 1);
> > +	set_memory_x((unsigned long)hv_hypercall_pg, 1);
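Review bot: the return values of set_memory_ro() and set_memory_x() are ignored, so if either call fails hv_hypercall_pg is silently left writable or non-executable; check both and take the existing remove_cpuhp_state error path on failure. The module_alloc() page also needs set_vm_flush_reset_perms(hv_hypercall_pg) before the permission change, so that a later vfree() restores default permissions instead of freeing a page whose mappings are still RO+X. The RO-then-X order as written is the right one to keep: it avoids a window in which the page is writable and executable at the same time.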
> 
> The changing of the permissions sucks.  I thought about adding
> a module_alloc_prot with an explicit pgprot_t argument.  On x86
> alone at least ftrace would also benefit from that.

The above is also missing a set_vm_flush_reset_perms.
