From: Mike Rapoport
To: Peter Zijlstra
Cc: Borislav Petkov, Dan Moulding, Dave Hansen, Ingo Molnar, Mike Rapoport, "H. Peter Anvin", Thomas Gleixner, linux-kernel@vger.kernel.org, linux-mm@kvack.org, x86@kernel.org
Subject: [PATCH] x86/Kconfig: enable ROX cache in execmem when STRICT_KERNEL_RWX is set
Date: Wed, 16 Jul 2025 10:54:10 +0300
Message-ID: <20250716075410.82578-1-rppt@kernel.org>

From: "Mike Rapoport (Microsoft)"

Dan Moulding reported that kernel configured without modules produces
"Found insecure W+X mapping at address 0xffffffffc0247000" warning:

[ 6.022847] ------------[ cut here ]------------
[ 6.023020] x86/mm: Found insecure W+X mapping at address 0xffffffffc0247000
[ 6.023200] WARNING: CPU: 5 PID: 1 at arch/x86/mm/dump_pagetables.c:246 note_page+0x6ec/0x790
[ 6.023381] CPU: 5 UID: 0 PID: 1 Comm: swapper/0 Tainted: G T 6.16.0-rc6 #1 PREEMPT
[ 6.023558] Tainted: [T]=RANDSTRUCT
...
[ 6.031153] x86/mm: Checked W+X mappings: FAILED, 10 W+X pages found.

The 10 W+X pages are the pages allocated for ITS thunks.

With CONFIG_MODULES disabled, CONFIG_STRICT_MODULE_RWX does not exist and
ROX cache in execmem is not enabled so execmem_restore_rox() becomes an
empty stub.

Enabling ROX cache when CONFIG_STRICT_KERNEL_RWX is set solves the issue
and makes ITS thunks memory properly protected.

It also ensures that memory containing ITS thunks is mapped with 2M pages
for kernels compiled without modules.

Reported-by: Dan Moulding
Signed-off-by: Mike Rapoport (Microsoft)
--- arch/x86/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index 8bed9030ad47..d6d8050683ae 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -89,7 +89,7 @@ config X86 select ARCH_HAS_DMA_OPS if GART_IOMMU || XEN select ARCH_HAS_EARLY_DEBUG if KGDB select ARCH_HAS_ELF_RANDOMIZE - select ARCH_HAS_EXECMEM_ROX if X86_64 && STRICT_MODULE_RWX + select ARCH_HAS_EXECMEM_ROX if X86_64 && (STRICT_KERNEL_RWX || STRICT_MODULE_RWX) select ARCH_HAS_FAST_MULTIPLIER select ARCH_HAS_FORTIFY_SOURCE select ARCH_HAS_GCOV_PROFILE_ALL base-commit: 347e9f5043c89695b01e66b3ed111755afcf1911 -- 2.47.2
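
Review bot: The new condition on the `select ARCH_HAS_EXECMEM_ROX` line still leaves the case where neither STRICT_KERNEL_RWX nor STRICT_MODULE_RWX is set, in which, going by the commit message, execmem_restore_rox() stays an empty stub and the ITS thunk pages would remain W+X. Please say in the commit message whether that combination is reachable on X86_64; if STRICT_KERNEL_RWX cannot be turned off there, the `|| STRICT_MODULE_RWX` term is redundant and the condition can be reduced. The trailers also carry Reported-by but no Fixes: tag and no link to the report; since the warning was seen on 6.16.0-rc6, naming the commit that introduced the behaviour would help the fix reach the right trees.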