From: Masami Hiramatsu <mhiramat@kernel.org>
To: Andy Lutomirski <luto@kernel.org>
Cc: Nadav Amit <nadav.amit@gmail.com>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Paolo Bonzini <pbonzini@redhat.com>,
	Jiri Kosina <jkosina@suse.cz>,
	Masami Hiramatsu <mhiramat@kernel.org>,
	Peter Zijlstra <peterz@infradead.org>,
	Will Deacon <will.deacon@arm.com>,
	Benjamin Herrenschmidt <benh@au1.ibm.com>,
	Nick Piggin <npiggin@gmail.com>,
	the arch/x86 maintainers <x86@kernel.org>,
	Borislav Petkov <bp@alien8.de>, Rik van Riel <riel@surriel.com>,
	Jann Horn <jannh@google.com>,
	Adin Scannell <ascannell@google.com>,
	Dave Hansen <dave.hansen@intel.com>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	linux-mm <linux-mm@kvack.org>, David Miller <davem@davemloft.net>,
	Martin Schwidefsky <schwidefsky@de.ibm.com>,
	Michael Ellerman <mpe@ellerman.id.au>
Subject: Re: TLB flushes on fixmap changes
Date: Sun, 26 Aug 2018 11:23:41 +0900	[thread overview]
Message-ID: <20180826112341.f77a528763e297cbc36058fa@kernel.org> (raw)
In-Reply-To: <CALCETrWdeKBcEs7zAbpEM1YdYiT2UBXwPtF0mMTvcDX_KRpz1A@mail.gmail.com>

On Fri, 24 Aug 2018 21:23:26 -0700
Andy Lutomirski <luto@kernel.org> wrote:

> On Fri, Aug 24, 2018 at 7:29 PM,  <nadav.amit@gmail.com> wrote:
> >
> >
> > On August 24, 2018 5:58:43 PM PDT, Linus Torvalds <torvalds@linux-foundation.org> wrote:
> >>Adding a few people to the cc.
> >>
> >>On Fri, Aug 24, 2018 at 1:24 PM Nadav Amit <nadav.amit@gmail.com>
> >>wrote:
> >>> >
> >>> > Can you actually find something that changes the fixmaps after boot
> >>> > (again, ignoring kmap)?
> >>>
> >>> At least the alternatives mechanism appears to do so.
> >>>
> >>> IIUC the following path is possible when adding a module:
> >>>
> >>>         jump_label_add_module()
> >>>         ->__jump_label_update()
> >>>         ->arch_jump_label_transform()
> >>>         ->__jump_label_transform()
> >>>         ->text_poke_bp()
> >>>         ->text_poke()
> >>>         ->set_fixmap()
> >>
> >>Yeah, that looks a bit iffy.
> >>
> >>But making the tlb flush global wouldn't help.  This is running on a
> >>local core, and if there are other CPU's that can do this at the same
> >>time, then they'd just fight about the same mapping.
> >>
> >>Honestly, I think it's ok just because I *hope* this is all serialized
> >>anyway (jump_label_lock? But what about other users of text_poke?).
> >
> > The users should hold text_mutex.
> >
> >>
> >>But I'd be a lot happier about it if it either used an explicit lock
> >>to make sure, or used per-cpu fixmap entries.
> >
> > My concern is that despite the lock, one core would do a speculative page walk and cache a translation that soon after would become stale.
> >
> >>
> >>And the tlb flush is done *after* the address is used, which is bogus
> >>anyway.
> >
> > It seems to me that it is intended to remove the mapping that might be a security issue.
> >
> > But anyhow, set_fixmap and clear_fixmap perform a local TLB flush, (in __set_pte_vaddr()) so locally things should be fine.
> >
> >>
> >>> And a similar path can happen when static_key_enable/disable() is
> >>called.
> >>
> >>Same comments.
> >>
> >>How about replacing that
> >>
> >>        local_irq_save(flags);
> >>       ... do critical things here ...
> >>        local_irq_restore(flags);
> >>
> >>in text_poke() with
> >>
> >>        static DEFINE_SPINLOCK(poke_lock);
> >>
> >>        spin_lock_irqsave(&poke_lock, flags);
> >>       ... do critical things here ...
> >>        spin_unlock_irqrestore(&poke_lock, flags);
> >>
> >>and moving the local_flush_tlb() to after the set_fixmaps, but before
> >>the access through the virtual address.
> >>
> >>But changing things to do a global tlb flush would just be wrong.
> >
> > As I noted, I think that locking and local flushes as they are right now are fine (besides the redundant flush).
> >
> > My concern is merely that speculative page walks on other cores would cache stale entries.
> >
> >
> 
> This is almost certainly a bug, or even two bugs.  Bug 1:  why on
> Earth do we flush in __set_pte_vaddr()?  We should flush when
> *clearing* or when modifying an existing fixmap entry.  Right now, if
> we do text_poke() after boot, then the TLB entry will stick around and
> will be a nice exploit target.
> 
> Bug 2: what you're describing.  It's racy.
> 
> Couldn't text_poke() use kmap_atomic()?  Or, even better, just change CR3?

No, since kmap_atomic() is only for x86_32 and kernels with highmem support.
On x86-64, it seems that it just returns the page address. That is not
good for text_poke, since it needs to make a writable alias for an RO
code page. Hmm, maybe we can mimic copy_oldmem_page(), which uses ioremap_cache?

Thank you,

-- 
Masami Hiramatsu <mhiramat@kernel.org>
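The two ordering points raised above (Andy's "bug 1", the flush at set time rather than at clear time, and Linus's point that the flush must sit between set_fixmap() and the access through the alias) can be made concrete with a toy single-CPU model. The block below is an added example, not kernel code and not the thread participants' code: it models a page table that maps fixmap slots to "physical" pages and a TLB that caches those translations, with names (mmu_reset, translate, write_via_slot, alias_survives_clear, page_hit_by_second_poke) chosen here for illustration. Where the TLB is flushed is a parameter of each scenario, so the effect of each placement can be checked. The model does not cover the cross-CPU speculative page-walk concern Nadav raises, which needs a second core.

```c
#include <stdbool.h>
#include <string.h>

/*
 * Constructed single-CPU model (not kernel code): a tiny page table that
 * maps fixmap slots to "physical" pages, and a TLB that caches those
 * translations. A cached entry is used as-is even if the page table has
 * since changed, which is exactly why flush placement matters.
 */
#define NSLOTS   2
#define NPAGES   4
#define PAGE_SZ  16
#define NO_PAGE  (-1)

static int page_table[NSLOTS];
static int tlb[NSLOTS];
static unsigned char phys[NPAGES][PAGE_SZ];

static void mmu_reset(void)
{
	for (int i = 0; i < NSLOTS; i++)
		page_table[i] = tlb[i] = NO_PAGE;
	memset(phys, 0, sizeof(phys));
}

/* Page-table updates only; whether the TLB is flushed is the caller's choice. */
static void set_fixmap(int slot, int page) { page_table[slot] = page; }
static void clear_fixmap(int slot)         { page_table[slot] = NO_PAGE; }

static void local_flush_tlb(void)
{
	for (int i = 0; i < NSLOTS; i++)
		tlb[i] = NO_PAGE;
}

/* Translate a slot: a cached entry wins; on a miss, walk the table and cache. */
static int translate(int slot)
{
	if (tlb[slot] != NO_PAGE)
		return tlb[slot];
	if (page_table[slot] == NO_PAGE)
		return NO_PAGE;                 /* would be a page fault */
	tlb[slot] = page_table[slot];
	return tlb[slot];
}

/* Write one byte through the alias; false means the access faulted. */
static bool write_via_slot(int slot, int off, unsigned char v)
{
	int page = translate(slot);
	if (page == NO_PAGE)
		return false;
	phys[page][off] = v;
	return true;
}

/*
 * Andy's "bug 1": flushing when the entry is *set* leaves the translation
 * cached after clear_fixmap(). Returns true if a write through the cleared
 * slot still lands on the old page, i.e. the writable alias outlived the
 * mapping; a flush at clear time makes the access fault instead.
 */
bool alias_survives_clear(bool flush_on_clear)
{
	mmu_reset();
	set_fixmap(0, 1);
	local_flush_tlb();                      /* the set-time flush */
	write_via_slot(0, 0, 0xAA);             /* legitimate poke, fills the TLB */
	clear_fixmap(0);
	if (flush_on_clear)
		local_flush_tlb();              /* the flush Andy asks for */
	return write_via_slot(0, 1, 0xBB) && phys[1][1] == 0xBB;
}

/*
 * Linus's ordering point: the flush has to sit between set_fixmap() and the
 * access. Model a second poke of the same slot whose set-time flush is
 * omitted and that flushes only after the write. Returns the page the
 * second write actually hit: 1 means the stale entry was used, 2 is correct.
 */
int page_hit_by_second_poke(bool flush_before_access)
{
	mmu_reset();
	set_fixmap(0, 1);
	local_flush_tlb();
	write_via_slot(0, 0, 0x01);
	clear_fixmap(0);                        /* no flush: slot 0 -> page 1 stays cached */

	set_fixmap(0, 2);                       /* remap the same slot to page 2 */
	if (flush_before_access)
		local_flush_tlb();
	write_via_slot(0, 0, 0x02);
	local_flush_tlb();                      /* flush after use, as text_poke() does */
	if (phys[2][0] == 0x02)
		return 2;
	return phys[1][0] == 0x02 ? 1 : NO_PAGE;
}
```

With the flush only at set time, alias_survives_clear(false) reports that the write through the cleared slot still reaches page 1; with a flush at clear time it faults. Likewise page_hit_by_second_poke(false) shows the second poke landing on the previous page when no flush separates set_fixmap() from the access, and on the intended page when one does.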

