From: Catalin Marinas
To: Yang Shi
Cc: will@kernel.org, scott@os.amperecomputing.com, cl@gentwo.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
Date: Tue, 14 May 2024 11:53:37 +0100
Subject: Re: [PATCH] arm64: mm: force write fault for atomic RMW instructions
References: <20240507223558.3039562-1-yang@os.amperecomputing.com>

On Mon, May 13, 2024 at 09:19:39PM -0600, Yang Shi wrote:
> > That said, I'm not keen on this kernel workaround. If openjdk decides to
> > improve some security and goes for PROT_EXEC-only mappings of its text
> > sections, the above trick will no longer work.
>
> I noticed futex does replace insns. IIUC, the below sequence should
> do the trick for exec-only, right?
>
> disable privileged
> read insn with ldxr
> enable privileged

Do you mean not using the unprivileged LDTR as in get_user()? You don't
even need an LDXR, just plain LDR but with the extable entry etc.

However, with PIE we got proper execute-only permission (not the kind of
fake one where we disabled the PTE_USER bit while keeping PTE_UXN as 0).
So the futex-style approach won't work unless we changed the PIE_E1
entry for _PAGE_EXECONLY to be PIE_R by the kernel.
-- 
Catalin

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
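The thread turns on two things: deciding from the instruction word at the faulting PC whether the faulting access is an atomic read-modify-write (so the read fault can be retried as a write fault), and the fact that the kernel can only fetch that word if the user text is readable, which a real execute-only mapping under PIE is not. The following is an added example written for this page; it is not code from the patch, from openjdk or from the kernel. The bit patterns come from the Arm ARM encoding groups "Atomic memory operations", "Compare and swap" and "Load/store exclusive"; the function names, the `fake_vma` type, the `promote_ldxr` policy flag and the hand-assembled sample words are this example's own assumptions.

```c
/*
 * Added example (not the patch's or the kernel's code): classify an
 * AArch64 instruction word as an atomic RMW and decide whether a read
 * fault on it should be retried as a write fault.  fake_vma and the
 * promote_ldxr flag are assumptions of this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum insn_kind {
    INSN_OTHER,     /* plain load/store, LDAPR, STXR, ... */
    INSN_LSE_RMW,   /* LDADD/LDCLR/LDEOR/LDSET/LD[U]SMAX/LD[U]SMIN/SWP and ST* aliases */
    INSN_CAS,       /* CAS{,A,L,AL}, CASP{,A,L,AL} */
    INSN_LDXR,      /* LDXR/LDAXR/LDXP/LDAXP: exclusive load opening an LL/SC loop */
};

/* Atomic memory operations: size 111 V 00 A R 1 Rs o3 opc 00 Rn Rt.
 * Fixed bits: mask 0x3f200c00 / value 0x38200000.  LDAPR (o3=1, opc=100)
 * shares the group but is a pure load; promoting it would turn a legal
 * read into a bogus write fault, so it is excluded. */
static bool is_lse_atomic(uint32_t insn)
{
    if ((insn & 0x3f200c00u) != 0x38200000u)
        return false;
    return (insn & 0x0000f000u) != 0x0000c000u;
}

/* CAS:  size 001000 1 L 1 Rs o0 11111 Rn Rt  -> 0x3fa07c00 / 0x08a07c00
 * CASP: 0 sz  001000 0 L 1 Rs o0 11111 Rn Rt -> 0xbfa07c00 / 0x08207c00 */
static bool is_cas(uint32_t insn)
{
    return (insn & 0x3fa07c00u) == 0x08a07c00u ||
           (insn & 0xbfa07c00u) == 0x08207c00u;
}

/* LDXR/LDAXR: size 001000 0 1 0 ... -> 0x3fe00000 / 0x08400000
 * LDXP/LDAXP: 1 sz  001000 0 1 1 ... -> 0xbfe00000 / 0x88600000
 * STXR/STXP (L=0) do not match: the LDXR already touched the page. */
static bool is_ldxr(uint32_t insn)
{
    return (insn & 0x3fe00000u) == 0x08400000u ||
           (insn & 0xbfe00000u) == 0x88600000u;
}

enum insn_kind classify_insn(uint32_t insn)
{
    if (is_lse_atomic(insn))
        return INSN_LSE_RMW;
    if (is_cas(insn))
        return INSN_CAS;
    if (is_ldxr(insn))
        return INSN_LDXR;
    return INSN_OTHER;
}

/* LSE RMW and CAS always write.  LDXR only reads, but the following STXR
 * will write; whether to promote it is a policy choice (this example's
 * parameter, not the patch's behaviour). */
bool rmw_forces_write(uint32_t insn, bool promote_ldxr)
{
    enum insn_kind k = classify_insn(insn);
    if (k == INSN_LSE_RMW || k == INSN_CAS)
        return true;
    return k == INSN_LDXR && promote_ldxr;
}

/* Constructed stand-in for the VMA bits the decision depends on. */
struct fake_vma {
    bool readable;  /* PROT_READ: a get_user()-style fetch of the insn works */
    bool writable;  /* PROT_WRITE */
};

/* Read fault at text[pc_index]: 1 = retry as write fault, 0 = keep the
 * read fault, -1 = insn cannot be fetched because the text is execute-only
 * (real execute-only under PIE makes the kernel-side load fault too, which
 * is the limit raised in the thread; the caller must fall back). */
int upgrade_read_fault(const uint32_t *text, size_t pc_index,
                       const struct fake_vma *vma, bool promote_ldxr)
{
    if (!vma->readable)
        return -1;
    if (!vma->writable)
        return 0;   /* promoting would only SIGSEGV earlier */
    return rmw_forces_write(text[pc_index], promote_ldxr) ? 1 : 0;
}

/* Constructed, hand-assembled sample words (example input, not real code). */
const uint32_t sample_text[] = {
    0xb8200041u,    /* ldadd w0, w1, [x2] */
    0xf8218002u,    /* swp   x1, x2, [x0] */
    0x88a07c41u,    /* cas   w0, w1, [x2] */
    0x08207c82u,    /* casp  w0, w1, w2, w3, [x4] */
    0x885f7c20u,    /* ldxr  w0, [x1] */
    0x88007c41u,    /* stxr  w0, w1, [x2] */
    0xb8bfc020u,    /* ldapr w0, [x1]  (load only) */
    0xb9400020u,    /* ldr   w0, [x1]  (plain load) */
};
const struct fake_vma rw_vma = { .readable = true,  .writable = true  };
const struct fake_vma xo_vma = { .readable = false, .writable = false };

int main(void)
{
    static const char *const names[] = { "other", "lse-rmw", "cas", "ldxr" };
    size_t n = sizeof(sample_text) / sizeof(sample_text[0]);

    for (size_t i = 0; i < n; i++)
        printf("%08x  %-8s  rw:%2d  exec-only:%2d\n", sample_text[i],
               names[classify_insn(sample_text[i])],
               upgrade_read_fault(sample_text, i, &rw_vma, true),
               upgrade_read_fault(sample_text, i, &xo_vma, true));
    return 0;
}
```

The LDAPR exclusion is the check a reviewer would look for in any opcode-class match: the "atomic memory operations" group is wider than the RMW instructions, and a mask-only test would promote a plain load-acquire to a write fault. The `-1` path is Catalin's point in executable form: whatever loads the instruction word, unprivileged LDTR or a plain LDR with an extable entry, it fails on genuine execute-only text, so the fault handler needs a fallback rather than assuming the fetch succeeds.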