diff mbox series

[v6,20/41] x86/mm: Teach pte_mkwrite() about stack memory

Message ID	20230218211433.26859-21-rick.p.edgecombe@intel.com
State	New
Headers	Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; From: Rick Edgecombe <rick.p.edgecombe@intel.com> To: x86@kernel.org, "H . Peter Anvin" <hpa@zytor.com>, Thomas Gleixner <tglx@linutronix.de>, Ingo Molnar <mingo@redhat.com>, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>, Andy Lutomirski <luto@kernel.org>, Balbir Singh <bsingharora@gmail.com>, Borislav Petkov <bp@alien8.de>, Cyrill Gorcunov <gorcunov@gmail.com>, Dave Hansen <dave.hansen@linux.intel.com>, Eugene Syromiatnikov <esyr@redhat.com>, Florian Weimer <fweimer@redhat.com>, "H . J . Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>, Jonathan Corbet <corbet@lwn.net>, Kees Cook <keescook@chromium.org>, Mike Kravetz <mike.kravetz@oracle.com>, Nadav Amit <nadav.amit@gmail.com>, Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>, Peter Zijlstra <peterz@infradead.org>, Randy Dunlap <rdunlap@infradead.org>, Weijiang Yang <weijiang.yang@intel.com>, "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>, John Allen <john.allen@amd.com>, kcc@google.com, eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com, dethoma@microsoft.com, akpm@linux-foundation.org, Andrew.Cooper3@citrix.com, christina.schimpe@intel.com, david@redhat.com, debug@rivosinc.com Cc: rick.p.edgecombe@intel.com Subject: [PATCH v6 20/41] x86/mm: Teach pte_mkwrite() about stack memory Date: Sat, 18 Feb 2023 13:14:12 -0800 Message-Id: <20230218211433.26859-21-rick.p.edgecombe@intel.com> In-Reply-To: <20230218211433.26859-1-rick.p.edgecombe@intel.com> References: <20230218211433.26859-1-rick.p.edgecombe@intel.com> Precedence: bulk
Series	Shadow stacks for userspace \| [v6,00/41] Shadow stacks for userspace [v6,01/41] Documentation/x86: Add CET shadow stack description [v6,02/41] x86/shstk: Add Kconfig option for shadow stack [v6,03/41] x86/cpufeatures: Add CPU feature flags for shadow stacks [v6,04/41] x86/cpufeatures: Enable CET CR4 bit for shadow stack [v6,05/41] x86/fpu/xstate: Introduce CET MSR and XSAVES supervisor states [v6,06/41] x86/fpu: Add helper for modifying xstate [v6,07/41] x86: Move control protection handler to separate file [v6,08/41] x86/shstk: Add user control-protection fault handler [v6,09/41] x86/mm: Remove _PAGE_DIRTY from kernel RO pages [v6,10/41] x86/mm: Move pmd_write(), pud_write() up in the file [v6,11/41] mm: Introduce pte_mkwrite_kernel() [v6,12/41] s390/mm: Introduce pmd_mkwrite_kernel() [v6,13/41] mm: Make pte_mkwrite() take a VMA [v6,14/41] x86/mm: Introduce _PAGE_SAVED_DIRTY [v6,15/41] x86/mm: Update ptep/pmdp_set_wrprotect() for _PAGE_SAVED_DIRTY [v6,16/41] x86/mm: Start actually marking _PAGE_SAVED_DIRTY [v6,17/41] mm: Move VM_UFFD_MINOR_BIT from 37 to 38 [v6,18/41] mm: Introduce VM_SHADOW_STACK for shadow stack memory [v6,19/41] x86/mm: Check shadow stack page fault errors [v6,20/41] x86/mm: Teach pte_mkwrite() about stack memory [v6,21/41] mm: Add guard pages around a shadow stack. [v6,22/41] mm/mmap: Add shadow stack pages to memory accounting [v6,23/41] mm: Re-introduce vm_flags to do_mmap() [v6,24/41] mm: Don't allow write GUPs to shadow stack memory [v6,25/41] x86/mm: Introduce MAP_ABOVE4G [v6,26/41] mm: Warn on shadow stack memory in wrong vma [v6,27/41] x86/mm: Warn if create Write=0,Dirty=1 with raw prot [v6,28/41] x86: Introduce userspace API for shadow stack [v6,29/41] x86/shstk: Add user-mode shadow stack support [v6,30/41] x86/shstk: Handle thread shadow stack [v6,31/41] x86/shstk: Introduce routines modifying shstk [v6,32/41] x86/shstk: Handle signals for shadow stack [v6,33/41] x86/shstk: Introduce map_shadow_stack syscall [v6,34/41] x86/shstk: Support WRSS for userspace [v6,35/41] x86: Expose thread features in /proc/$PID/status [v6,36/41] x86/shstk: Wire in shadow stack interface [v6,37/41] selftests/x86: Add shadow stack test [v6,38/41] x86/fpu: Add helper for initing features [v6,39/41] x86: Add PTRACE interface for shadow stack [v6,40/41] x86/shstk: Add ARCH_SHSTK_UNLOCK [v6,41/41] x86/shstk: Add ARCH_SHSTK_STATUS

Commit Message

Edgecombe, Rick P Feb. 18, 2023, 9:14 p.m. UTC

  If a VMA has the VM_SHADOW_STACK flag, it is shadow stack memory. So
when it is made writable with pte_mkwrite(), it should create shadow
stack memory, not conventionally writable memory. Now that pte_mkwrite()
takes a VMA, and places where shadow stack memory might be created pass
one, pte_mkwrite() can know when it should do this.

So make pte_mkwrite() create shadow stack memory when the VMA has the
VM_SHADOW_STACK flag. Do the same thing for pmd_mkwrite().

This requires referencing VM_SHADOW_STACK in these functions, which are
currently defined in pgtable.h, however mm.h (where VM_SHADOW_STACK is
located) can't be pulled in without causing problems for files that
reference pgtable.h. So also move pte/pmd_mkwrite() into pgtable.c, where
they can safely reference VM_SHADOW_STACK.

Tested-by: Pengfei Xu <pengfei.xu@intel.com>
Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>

---
v6:
 - New patch
---
 arch/x86/include/asm/pgtable.h | 20 ++------------------
 arch/x86/mm/pgtable.c          | 26 ++++++++++++++++++++++++++
 2 files changed, 28 insertions(+), 18 deletions(-)

Comments

Kees Cook Feb. 19, 2023, 8:41 p.m. UTC | #1

On Sat, Feb 18, 2023 at 01:14:12PM -0800, Rick Edgecombe wrote:
> If a VMA has the VM_SHADOW_STACK flag, it is shadow stack memory. So
> when it is made writable with pte_mkwrite(), it should create shadow
> stack memory, not conventionally writable memory. Now that pte_mkwrite()
> takes a VMA, and places where shadow stack memory might be created pass
> one, pte_mkwrite() can know when it should do this.
> 
> So make pte_mkwrite() create shadow stack memory when the VMA has the
> VM_SHADOW_STACK flag. Do the same thing for pmd_mkwrite().
> 
> This requires referencing VM_SHADOW_STACK in these functions, which are
> currently defined in pgtable.h, however mm.h (where VM_SHADOW_STACK is
> located) can't be pulled in without causing problems for files that
> reference pgtable.h. So also move pte/pmd_mkwrite() into pgtable.c, where
> they can safely reference VM_SHADOW_STACK.
> 
> Tested-by: Pengfei Xu <pengfei.xu@intel.com>
> Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>

Is there any realistic performance impact from making these not inline
now?

Reviewed-by: Kees Cook <keescook@chromium.org>

Edgecombe, Rick P Feb. 20, 2023, 10:52 p.m. UTC | #2

On Sun, 2023-02-19 at 12:41 -0800, Kees Cook wrote:
> On Sat, Feb 18, 2023 at 01:14:12PM -0800, Rick Edgecombe wrote:
> > If a VMA has the VM_SHADOW_STACK flag, it is shadow stack memory.
> > So
> > when it is made writable with pte_mkwrite(), it should create
> > shadow
> > stack memory, not conventionally writable memory. Now that
> > pte_mkwrite()
> > takes a VMA, and places where shadow stack memory might be created
> > pass
> > one, pte_mkwrite() can know when it should do this.
> > 
> > So make pte_mkwrite() create shadow stack memory when the VMA has
> > the
> > VM_SHADOW_STACK flag. Do the same thing for pmd_mkwrite().
> > 
> > This requires referencing VM_SHADOW_STACK in these functions, which
> > are
> > currently defined in pgtable.h, however mm.h (where VM_SHADOW_STACK
> > is
> > located) can't be pulled in without causing problems for files that
> > reference pgtable.h. So also move pte/pmd_mkwrite() into pgtable.c,
> > where
> > they can safely reference VM_SHADOW_STACK.
> > 
> > Tested-by: Pengfei Xu <pengfei.xu@intel.com>
> > Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
> 
> Is there any realistic performance impact from making these not
> inline
> now?

Hmm, I can't say definitively. I would think in write protecting
operations, the big cost would not be the PTE setters. For mapping
things read-only from the beginning (user text, etc), I'm not sure. I
guess it gives the compiler less flexibility, but also gives it the
option to have one copy and so less text size overall for the kernel.

Are there any specific microbenchmarks we could run?

Deepak Gupta March 1, 2023, 3:42 p.m. UTC | #3

On Sat, Feb 18, 2023 at 01:14:12PM -0800, Rick Edgecombe wrote:
>If a VMA has the VM_SHADOW_STACK flag, it is shadow stack memory. So
>when it is made writable with pte_mkwrite(), it should create shadow
>stack memory, not conventionally writable memory. Now that pte_mkwrite()
>takes a VMA, and places where shadow stack memory might be created pass
>one, pte_mkwrite() can know when it should do this.
>
>So make pte_mkwrite() create shadow stack memory when the VMA has the
>VM_SHADOW_STACK flag. Do the same thing for pmd_mkwrite().
>
>This requires referencing VM_SHADOW_STACK in these functions, which are
>currently defined in pgtable.h, however mm.h (where VM_SHADOW_STACK is
>located) can't be pulled in without causing problems for files that
>reference pgtable.h. So also move pte/pmd_mkwrite() into pgtable.c, where
>they can safely reference VM_SHADOW_STACK.
>
>Tested-by: Pengfei Xu <pengfei.xu@intel.com>
>Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
>

Acked-by: Deepak Gupta <debug@rivosinc.com>

diff mbox series

Patch

diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
index 292a3b75d7fa..6b7106457bfb 100644
--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -456,15 +456,7 @@  static inline pte_t pte_mkwrite_kernel(pte_t pte)
 
 struct vm_area_struct;
 
-static inline pte_t pte_mkwrite(pte_t pte, struct vm_area_struct *vma)
-{
-	pte = pte_mkwrite_kernel(pte);
-
-	if (pte_dirty(pte))
-		pte = pte_clear_saveddirty(pte);
-
-	return pte;
-}
+pte_t pte_mkwrite(pte_t pte, struct vm_area_struct *vma);
 
 static inline pte_t pte_mkhuge(pte_t pte)
 {
@@ -601,15 +593,7 @@  static inline pmd_t pmd_mkyoung(pmd_t pmd)
 	return pmd_set_flags(pmd, _PAGE_ACCESSED);
 }
 
-static inline pmd_t pmd_mkwrite(pmd_t pmd, struct vm_area_struct *vma)
-{
-	pmd = pmd_set_flags(pmd, _PAGE_RW);
-
-	if (pmd_dirty(pmd))
-		pmd = pmd_clear_saveddirty(pmd);
-
-	return pmd;
-}
+pmd_t pmd_mkwrite(pmd_t pmd, struct vm_area_struct *vma);
 
 static inline pud_t pud_set_flags(pud_t pud, pudval_t set)
 {
diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
index e4f499eb0f29..98856bcc8102 100644
--- a/arch/x86/mm/pgtable.c
+++ b/arch/x86/mm/pgtable.c
@@ -880,3 +880,29 @@  int pmd_free_pte_page(pmd_t *pmd, unsigned long addr)
 
 #endif /* CONFIG_X86_64 */
 #endif	/* CONFIG_HAVE_ARCH_HUGE_VMAP */
+
+pte_t pte_mkwrite(pte_t pte, struct vm_area_struct *vma)
+{
+	if (vma->vm_flags & VM_SHADOW_STACK)
+		return pte_mkwrite_shstk(pte);
+
+	pte = pte_mkwrite_kernel(pte);
+
+	if (pte_dirty(pte))
+		pte = pte_clear_saveddirty(pte);
+
+	return pte;
+}
+
+pmd_t pmd_mkwrite(pmd_t pmd, struct vm_area_struct *vma)
+{
+	if (vma->vm_flags & VM_SHADOW_STACK)
+		return pmd_mkwrite_shstk(pmd);
+
+	pmd = pmd_set_flags(pmd, _PAGE_RW);
+
+	if (pmd_dirty(pmd))
+		pmd = pmd_clear_saveddirty(pmd);
+
+	return pmd;
+}