* WARNING: Found insecure W+X mapping in v6.16-rc6 (Bisected)
From: Dan Moulding @ 2025-07-15 17:43 UTC (permalink / raw)
To: linux-mm; +Cc: dan, rppt
Hello memory management folks,
I just recently started testing the v6.16-rc6 kernel, and started
getting a new warning about insecure W+X mappings:
[ 6.022847] ------------[ cut here ]------------
[ 6.023020] x86/mm: Found insecure W+X mapping at address 0xffffffffc0247000
[ 6.023200] WARNING: CPU: 5 PID: 1 at arch/x86/mm/dump_pagetables.c:246 note_page+0x6ec/0x790
[ 6.023381] CPU: 5 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.16.0-rc6 #1 PREEMPT
[ 6.023558] Tainted: [T]=RANDSTRUCT
[ 6.023734] Hardware name: Dell Inc. XPS 8930/0T2HR0, BIOS 1.1.31 11/21/2023
[ 6.023913] RIP: 0010:note_page+0x6ec/0x790
[ 6.024094] Code: 85 6c ff ff ff e9 ed fb ff ff 80 3d ae a9 c3 01 00 0f 85 c5 f9 ff ff 48 c7 c7 40 3c 5d 8c c6 05 9a a9 c3 01 01 e8 84 01 02 00 <0f> 0b e9 ab f9 ff ff 48 c7 c6 2d 2e 65 8c 4c 89 e7 e8 2e f7 20 00
[ 6.024290] RSP: 0000:ffffc15fc0033bf0 EFLAGS: 00010246
[ 6.024486] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000000000
[ 6.024684] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 6.024884] RBP: ffffffffc0248000 R08: 0000000000000000 R09: 0000000000000000
[ 6.025082] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
[ 6.025277] R13: 0000000000000000 R14: 0000000000000000 R15: ffffc15fc0033e38
[ 6.025475] FS: 0000000000000000(0000) GS:ffff9b54736ba000(0000) knlGS:0000000000000000
[ 6.025674] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6.025874] CR2: 0000000000000000 CR3: 00000004ab818001 CR4: 00000000003726f0
[ 6.026076] Call Trace:
[ 6.026277] <TASK>
[ 6.026474] ptdump_pte_entry+0x30/0x50
[ 6.026678] walk_pte_range_inner+0x9c/0xe0
[ 6.026882] walk_pgd_range+0x5c7/0xc10
[ 6.027082] ? __pfx_ptdump_pte_entry+0x10/0x10
[ 6.027284] walk_page_range_novma+0x9f/0xc0
[ 6.027484] ptdump_walk_pgd+0x4f/0x90
[ 6.027684] ptdump_walk_pgd_level_core+0x1b0/0x1f0
[ 6.027886] ? __pfx_note_page_pte+0x10/0x10
[ 6.028085] ? __pfx_note_page_pmd+0x10/0x10
[ 6.028281] ? __pfx_note_page_pud+0x10/0x10
[ 6.028474] ? __pfx_note_page_p4d+0x10/0x10
[ 6.028666] ? __pfx_note_page_pgd+0x10/0x10
[ 6.028858] ? __pfx_note_page_flush+0x10/0x10
[ 6.029046] ? __pfx_effective_prot_pte+0x10/0x10
[ 6.029233] ? __pfx_effective_prot_pmd+0x10/0x10
[ 6.029418] ? __pfx_effective_prot_pud+0x10/0x10
[ 6.029601] ? __pfx_effective_prot_p4d+0x10/0x10
[ 6.029780] ? __pfx_effective_prot_pgd+0x10/0x10
[ 6.029957] ? __pfx_kernel_init+0x10/0x10
[ 6.030133] kernel_init+0x3d/0x120
[ 6.030306] ret_from_fork+0x71/0xc0
[ 6.030476] ? __pfx_kernel_init+0x10/0x10
[ 6.030642] ret_from_fork_asm+0x1a/0x30
[ 6.030811] </TASK>
[ 6.030972] ---[ end trace 0000000000000000 ]---
[ 6.031153] x86/mm: Checked W+X mappings: FAILED, 10 W+X pages found.
I bisected it and git-bisect identified one of three possible commits
(I couldn't test these individually because builds at those points
fail to boot on my machine):
There are only 'skip'ped commits left to test.
The first bad commit could be any of:
0b0cae7119a0ec9449d7261b5e672a5fed765068
47410d839fcda6890cb82828f874f97710982f24
a82b26451de126a5ae130361081986bc459afe9b
We cannot bisect more!
I then tried individually reverting each of these and found that if I
revert 47410d839fcd ("x86/Kconfig: only enable ROX cache in execmem
when STRICT_MODULE_RWX is set") on top of v6.16-rc6 then the warning
goes away. I looked at the change a little to understand why it might
be causing a problem, and I think it might be because my kernel
configuration does not enable loadable module support at all, so in my
configuration STRICT_MODULE_RWX isn't enabled and is probably
irrelevant given I don't build loadable modules.
Please let me know if there are any additional details I can provide
or if I should run additional tests with debugging options enabled, etc.
Cheers,
-- Dan
* Re: WARNING: Found insecure W+X mapping in v6.16-rc6 (Bisected)
From: Mike Rapoport @ 2025-07-15 19:32 UTC (permalink / raw)
To: Dan Moulding; +Cc: linux-mm, Peter Zijlstra
Hi,
On Tue, Jul 15, 2025 at 11:43:25AM -0600, Dan Moulding wrote:
> Hello memory management folks,
>
> I just recently started testing the v6.16-rc6 kernel, and started
> getting a new warning about insecure W+X mappings:
>
> [ 6.022847] ------------[ cut here ]------------
> [ 6.023020] x86/mm: Found insecure W+X mapping at address 0xffffffffc0247000
> [ 6.023200] WARNING: CPU: 5 PID: 1 at arch/x86/mm/dump_pagetables.c:246 note_page+0x6ec/0x790
...
> [ 6.031153] x86/mm: Checked W+X mappings: FAILED, 10 W+X pages found.
>
> I bisected it and git-bisect identified one of three possible commits
> (I couldn't test these individually because builds at those points
> fail to boot on my machine):
>
> There are only 'skip'ped commits left to test.
> The first bad commit could be any of:
> 0b0cae7119a0ec9449d7261b5e672a5fed765068
> 47410d839fcda6890cb82828f874f97710982f24
> a82b26451de126a5ae130361081986bc459afe9b
I'd say this one is the culprit: a82b26451de1 ("x86/its: explicitly manage
permissions for ITS pages")
> We cannot bisect more!
>
> I then tried individually reverting each of these and found that if I
> revert 47410d839fcd ("x86/Kconfig: only enable ROX cache in execmem
> when STRICT_MODULE_RWX is set") on top of v6.16-rc6 then the warning
> goes away. I looked at the change a little to understand why it might
> be causing a problem, and I think it might be because my kernel
> configuration does not enable loadable module support at all, so in my
> configuration STRICT_MODULE_RWX isn't enabled and is probably
> irrelevant given I don't build loadable modules.
>
> Please let me know if there are any additional details I can provide
> or if I should run additional tests with debugging options enabled, etc.
Can you please try this patch:
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 71019b3b54ea..f97e0a50e60a 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -89,7 +89,7 @@ config X86
select ARCH_HAS_DMA_OPS if GART_IOMMU || XEN
select ARCH_HAS_EARLY_DEBUG if KGDB
select ARCH_HAS_ELF_RANDOMIZE
- select ARCH_HAS_EXECMEM_ROX if X86_64 && STRICT_MODULE_RWX
+ select ARCH_HAS_EXECMEM_ROX if X86_64 && (STRICT_KERNEL_RWX || STRICT_MODULE_RWX)
select ARCH_HAS_FAST_MULTIPLIER
select ARCH_HAS_FORTIFY_SOURCE
select ARCH_HAS_GCOV_PROFILE_ALL
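Review bot: the widened condition on the changed ARCH_HAS_EXECMEM_ROX select line is not explained anywhere in the posting. The report comes from a configuration without loadable module support, and the reply names a82b26451de1 ("x86/its: explicitly manage permissions for ITS pages") as the likely culprit, so the changelog should spell out how the ITS page permissions depend on ARCH_HAS_EXECMEM_ROX and why STRICT_KERNEL_RWX is the right gate. It should also say what is expected for a build where neither STRICT_KERNEL_RWX nor STRICT_MODULE_RWX is set, since the select stays off there.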
> Cheers,
>
> -- Dan
--
Sincerely yours,
Mike.
* Re: WARNING: Found insecure W+X mapping in v6.16-rc6 (Bisected)
From: Dan Moulding @ 2025-07-15 20:02 UTC (permalink / raw)
To: rppt; +Cc: dan, linux-mm, peterz
> Can you please try this patch:
>
> diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
> index 71019b3b54ea..f97e0a50e60a 100644
> --- a/arch/x86/Kconfig
> +++ b/arch/x86/Kconfig
> @@ -89,7 +89,7 @@ config X86
> select ARCH_HAS_DMA_OPS if GART_IOMMU || XEN
> select ARCH_HAS_EARLY_DEBUG if KGDB
> select ARCH_HAS_ELF_RANDOMIZE
> - select ARCH_HAS_EXECMEM_ROX if X86_64 && STRICT_MODULE_RWX
> + select ARCH_HAS_EXECMEM_ROX if X86_64 && (STRICT_KERNEL_RWX || STRICT_MODULE_RWX)
> select ARCH_HAS_FAST_MULTIPLIER
> select ARCH_HAS_FORTIFY_SOURCE
> select ARCH_HAS_GCOV_PROFILE_ALL
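Review bot: the one-line change to the ARCH_HAS_EXECMEM_ROX select is posted inline with no changelog, Signed-off-by or Fixes: tag. For the formal submission, reference 47410d839fcd ("x86/Kconfig: only enable ROX cache in execmem when STRICT_MODULE_RWX is set"), the commit whose revert also cleared the warning, and credit the reporter with Reported-by and, once the result is confirmed, Tested-by.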
Yep, this patch works. I applied it directly to v6.16-rc6 and the
warning goes away.
Thanks!
-- Dan
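A triage helper for the regression discussed in this thread, as an added example that is not part of the original messages or the kernel tree: it evaluates the old and new `select ARCH_HAS_EXECMEM_ROX` conditions against a `.config` and reads the W+X summary line from a boot log. The function names and the sample inputs are constructed for illustration; the "passed" log wording is the kernel's usual success message and does not appear in the thread.

```shell
#!/bin/sh
# Added example: triage helper for the W+X regression discussed in this thread.
# Assumes the usual .config syntax (CONFIG_<SYMBOL>=y) and the log wording quoted above.

# cfg_on FILE SYMBOL: true when the Kconfig symbol is built in (=y).
cfg_on() { grep -q "^CONFIG_$2=y\$" "$1"; }

# rox_old FILE: condition before the patch (X86_64 && STRICT_MODULE_RWX).
rox_old() { cfg_on "$1" X86_64 && cfg_on "$1" STRICT_MODULE_RWX; }

# rox_new FILE: condition after the patch.
rox_new() {
    cfg_on "$1" X86_64 &&
        { cfg_on "$1" STRICT_KERNEL_RWX || cfg_on "$1" STRICT_MODULE_RWX; }
}

# classify_config FILE: how the patch changes ARCH_HAS_EXECMEM_ROX for this config.
classify_config() {
    if rox_old "$1"; then echo "selected-before-and-after"
    elif rox_new "$1"; then echo "selected-only-after-patch"
    else echo "not-selected"
    fi
}

# wx_result LOGFILE: print PASS, "FAIL <count>" or UNKNOWN from the last summary line.
wx_result() {
    line=$(grep -F 'x86/mm: Checked W+X mappings:' "$1" | tail -n 1)
    case $line in
        *"FAILED, "*) n=${line##*FAILED, }; echo "FAIL ${n%% *}" ;;
        *passed*)     echo "PASS" ;;
        *)            echo "UNKNOWN" ;;
    esac
}

# Constructed sample inputs (not the reporter's real files): a module-less x86-64
# config and the summary line quoted in the report.
demo=$(mktemp -d)
printf '%s\n' 'CONFIG_X86_64=y' 'CONFIG_STRICT_KERNEL_RWX=y' '# CONFIG_MODULES is not set' > "$demo/config"
printf '%s\n' '[ 6.031153] x86/mm: Checked W+X mappings: FAILED, 10 W+X pages found.' > "$demo/dmesg"
echo "config: $(classify_config "$demo/config")  boot log: $(wx_result "$demo/dmesg")"
rm -rf "$demo"
```

A config classified as `selected-only-after-patch` is the case reported here: no STRICT_MODULE_RWX, so the ROX cache was off until the condition was widened.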