From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dave Hansen Subject: Re: [RFC PATCH v2 16/27] mm: Modify can_follow_write_pte/pmd for shadow stack Date: Fri, 13 Jul 2018 11:26:46 -0700 Message-ID: <45a85b01-e005-8cb6-af96-b23ce9b5fca7@linux.intel.com> References: <20180710222639.8241-1-yu-cheng.yu@intel.com> <20180710222639.8241-17-yu-cheng.yu@intel.com> <1531328731.15351.3.camel@intel.com> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Return-path: In-Reply-To: <1531328731.15351.3.camel@intel.com> Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org To: Yu-cheng Yu , x86@kernel.org, "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann , Andy Lutomirski , Balbir Singh , Cyrill Gorcunov , Florian Weimer , "H.J. Lu" , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra List-Id: linux-arch.vger.kernel.org On 07/11/2018 10:05 AM, Yu-cheng Yu wrote: > My understanding is that we don't want to follow write pte if the page > is shared as read-only.  For a SHSTK page, that is (R/O + DIRTY_SW), > which means the SHSTK page has not been COW'ed.  Is that right? Let's look at the code again: > -static inline bool can_follow_write_pte(pte_t pte, unsigned int flags) > +static inline bool can_follow_write_pte(pte_t pte, unsigned int flags, > + bool shstk) > { > + bool pte_cowed = shstk ? is_shstk_pte(pte):pte_dirty(pte); > + > return pte_write(pte) || > - ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte)); > + ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_cowed); > } This is another case where the naming of pte_*() is biting us vs. the perversion of the PTE bits. The lack of comments and explanation inthe patch is compounding the confusion. We need to find a way to differentiate "someone can write to this PTE" from "the write bit is set in this PTE". In this particular hunk, we need to make it clear that pte_write() is *never* true for shadowstack PTEs. In other words, shadow stack VMAs will (should?) never even *see* a pte_write() PTE. I think this is a case where you just need to bite the bullet and bifurcate can_follow_write_pte(). Just separate the shadowstack and non-shadowstack parts. From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga07.intel.com ([134.134.136.100]:57542 "EHLO mga07.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729963AbeGMSmd (ORCPT ); Fri, 13 Jul 2018 14:42:33 -0400 Subject: Re: [RFC PATCH v2 16/27] mm: Modify can_follow_write_pte/pmd for shadow stack References: <20180710222639.8241-1-yu-cheng.yu@intel.com> <20180710222639.8241-17-yu-cheng.yu@intel.com> <1531328731.15351.3.camel@intel.com> From: Dave Hansen Message-ID: <45a85b01-e005-8cb6-af96-b23ce9b5fca7@linux.intel.com> Date: Fri, 13 Jul 2018 11:26:46 -0700 MIME-Version: 1.0 In-Reply-To: <1531328731.15351.3.camel@intel.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: linux-arch-owner@vger.kernel.org List-ID: To: Yu-cheng Yu , x86@kernel.org, "H. Peter Anvin" , Thomas Gleixner , Ingo Molnar , linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann , Andy Lutomirski , Balbir Singh , Cyrill Gorcunov , Florian Weimer , "H.J. Lu" , Jann Horn , Jonathan Corbet , Kees Cook , Mike Kravetz , Nadav Amit , Oleg Nesterov , Pavel Machek , Peter Zijlstra , "Ravi V. Shankar" , Vedvyas Shanbhogue Message-ID: <20180713182646.0_M9RtpA0poEpjTYz3Qt5G_mmZQT_zBdTlf-Khy7DPU@z> On 07/11/2018 10:05 AM, Yu-cheng Yu wrote: > My understanding is that we don't want to follow write pte if the page > is shared as read-only.  For a SHSTK page, that is (R/O + DIRTY_SW), > which means the SHSTK page has not been COW'ed.  Is that right? Let's look at the code again: > -static inline bool can_follow_write_pte(pte_t pte, unsigned int flags) > +static inline bool can_follow_write_pte(pte_t pte, unsigned int flags, > + bool shstk) > { > + bool pte_cowed = shstk ? is_shstk_pte(pte):pte_dirty(pte); > + > return pte_write(pte) || > - ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte)); > + ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_cowed); > } This is another case where the naming of pte_*() is biting us vs. the perversion of the PTE bits. The lack of comments and explanation inthe patch is compounding the confusion. We need to find a way to differentiate "someone can write to this PTE" from "the write bit is set in this PTE". In this particular hunk, we need to make it clear that pte_write() is *never* true for shadowstack PTEs. In other words, shadow stack VMAs will (should?) never even *see* a pte_write() PTE. I think this is a case where you just need to bite the bullet and bifurcate can_follow_write_pte(). Just separate the shadowstack and non-shadowstack parts.