From: rabin@rab.in (Rabin Vincent)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH 2/2] ARM: mm: make text and rodata read-only
Date: Tue, 8 Apr 2014 21:48:15 +0200 [thread overview]
Message-ID: <20140408194815.GA6188@debian> (raw)
In-Reply-To: <CAGXu5jJewy0Xy-qUEF2K6bAcEC8ZdKy0Ad2nLPjGRsq20fSQXQ@mail.gmail.com>
On Tue, Apr 08, 2014 at 09:59:07AM -0700, Kees Cook wrote:
> On Tue, Apr 8, 2014 at 9:12 AM, Jon Medhurst (Tixy) <tixy@linaro.org> wrote:
> > And is the page table being modified unique to the current CPU? I
> > thought a common set of page tables was shared across all of them. If
> > that is the case then one CPU can modify the PTE to be writeable,
> > another CPU take a TLB miss and pull in that writeable entry, which will
> > stay there until it drops out the TLB at some indefinite point in the
> > future. That's the scenario I was getting at with my previous comment.
>
> As I understood it, this would be true for small PTEs, but sections
> are fully duplicated on each CPU so we don't run that risk. This was
> the whole source of my problem with this patch series: even a full
> all-CPU TLB flush wasn't working -- the section permissions were
> unique to the CPU since the entries were duplicated.
The PGD is per-mm_struct. mm_structs can be shared between processes.
So the PGD is not per CPU.
This set_kernel_text_rw() is called from ftrace in stop_machine() on one
CPU. All other CPUs will be spinning in kernel threads inside the loop
in multi_cpu_stop(), with interrupts disabled. Since kernel threads use
the last process' mm, it is possible for the other CPU(s) to be
currently using the same mm as the modifying CPU.
For any other CPU to pull in the writable entry it would have to get a
TLB miss inside the loop in multi_cpu_stop(), after the state transition
to MULTI_STOP_RUN and before the state transition to MULTI_STOP_EXIT.
This is unlikely, but theoretically possible, for example if
multi_cpu_stop() straddles sections.
To prevent any stale entries being used indefinitely, perhaps the all
CPU TLB flush can be inserted into
ftrace_arch_code_modify_post_process(), which is called after the
stop_machine() and which is where x86 for example makes the entries
read-only again.
next prev parent reply other threads:[~2014-04-08 19:48 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-04 2:15 [RFC PATCH] ARM: mm: implement CONFIG_DEBUG_RODATA Kees Cook
2014-04-04 2:15 ` [PATCH 1/2] ARM: mm: mark non-text sections non-executable Kees Cook
2014-04-04 2:15 ` [PATCH 2/2] ARM: mm: make text and rodata read-only Kees Cook
2014-04-04 19:58 ` Rabin Vincent
2014-04-05 0:07 ` Kees Cook
2014-04-08 12:41 ` Jon Medhurst (Tixy)
2014-04-08 16:01 ` Kees Cook
2014-04-08 16:12 ` Jon Medhurst (Tixy)
2014-04-08 16:59 ` Kees Cook
2014-04-08 19:48 ` Rabin Vincent [this message]
2014-04-08 20:19 ` Kees Cook
2014-04-14 21:08 ` Rabin Vincent
2014-04-09 10:29 ` Jon Medhurst (Tixy)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140408194815.GA6188@debian \
--to=rabin@rab.in \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).