| Message ID | 20230227222957.24501-23-rick.p.edgecombe@intel.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:5915:0:0:0:0:0 with SMTP id v21csp2682737wrd;
Mon, 27 Feb 2023 14:34:39 -0800 (PST)
X-Google-Smtp-Source:
AK7set/9eLRI646WJQ6rI5jF7ooSv4crqITai65hIsmV26B1lN8tE93/LbHr7LI+l5ux168+CHyC
X-Received: by 2002:aa7:c715:0:b0:4ac:bdf7:dffd with SMTP id
i21-20020aa7c715000000b004acbdf7dffdmr1111244edq.12.1677537279620;
Mon, 27 Feb 2023 14:34:39 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1677537279; cv=none;
d=google.com; s=arc-20160816;
b=fX2AKw6svnkLv06tybJO8C+6sgQhxBtrp5OqfjSjubaV6bxBPG7IOCFzANTiwpj6xx
GRYKfDj1jJFhj9RHlErmEdMIKjo/4fKIC65HxlhUoiUBVkGwGrYsPCwBMsXC/4KKAcVt
/HsaLVreMUAf8zfw11gdZUX3lOqzJ6Xmrd81gjZ3/xsJtNg3OVtVuvMvCboqDmt7h0/R
4ZY2R3MLoxnkCR7bx05vYrjyVJWAWcJRlrGKRs1EWER/GUyhOD1YKkIb/nzWMR2Ad2eE
l9PmdH26iaG4woI0Q7FHAW4JL90U55y2Z1lD6lGzZm7NVaKAmXHutDD7R1NRJFhb60O9
LJUw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:references:in-reply-to:message-id:date:subject
:cc:to:from:dkim-signature;
bh=+kqsDAD87DHH8at7rwF6//m6V9jqq8z7byrF3dP8xHg=;
b=QaARb7p2aa7F374iyvRFmQFlNqHiJMQh347J76SuGrKTvBJc8DFrpQIqbLGPtFmPjT
H9kTKTpzbK76QOZVoqprEVaxjnEJ1EvRb+AzkcWkGNq1fZBkWWFlxMUYOIFIS97a1g8i
xOmVWeFjjGSrsqieGOlizQbRaxzlV9XHAYnA6eBJ6D5M19YSocetSlK7UYECX1AwZvEC
upDJKEfyfAMrgGTn+LFhcvJtbnaqEc9fcjEAUp790zlJ2TCrirTxAI+WlFU/S0FjjKzV
rIRxKTDjFQ0Rpf/V19wXigLppefZ/tJ7jxxME3NnXhzMzRNH19GhsFcZ1f+BOdMYuHZK
E0jw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=Mrl5nwOM;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
d11-20020a056402078b00b004af62584abbsi8834158edy.66.2023.02.27.14.34.11;
Mon, 27 Feb 2023 14:34:39 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@intel.com header.s=Intel header.b=Mrl5nwOM;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229992AbjB0WdQ (ORCPT <rfc822;wenzhi022@gmail.com> + 99 others);
Mon, 27 Feb 2023 17:33:16 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37686 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S230267AbjB0Wbw (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Mon, 27 Feb 2023 17:31:52 -0500
Received: from mga12.intel.com (mga12.intel.com [192.55.52.136])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id F107F28D2D;
Mon, 27 Feb 2023 14:31:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
t=1677537109; x=1709073109;
h=from:to:cc:subject:date:message-id:in-reply-to:
references;
bh=ZIfeT04mKir/YNhHsgsFjFvjvr/0UP7Swg3kZIhAJQw=;
b=Mrl5nwOMuKKAo9wkPfvKEB+7neim1lcySms1JrkKaU9ySLztoefFugoK
/ZelKfl+A8yoaohyfVIC4qqjl6ItI3scq0VopnndwGxUgGSBc6rQ0XLS9
kCrDnCZIOd4EMCz+A/YyNTfzedOU05BkU62MDFg/xqVwsiHLTXksCwTy2
YRSbys5vN2oL4uRl/HhyeRb+qqQPYH2sfgUBdgm0T97H+H6+DxyjvwXNF
I/sw3NrHy95O679WaTAm4pmusC2J2WaVWlXZTmW9oW+165/7LkyP4djS8
Yp6lCNTk7xATIw1zLFvlpsnJduH8D3+GPOj1uafbFodrYH/MRnPWpotHp
A==;
X-IronPort-AV: E=McAfee;i="6500,9779,10634"; a="313657504"
X-IronPort-AV: E=Sophos;i="5.98,220,1673942400";
d="scan'208";a="313657504"
Received: from orsmga005.jf.intel.com ([10.7.209.41])
by fmsmga106.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
27 Feb 2023 14:31:24 -0800
X-IronPort-AV: E=McAfee;i="6500,9779,10634"; a="848024631"
X-IronPort-AV: E=Sophos;i="5.98,220,1673942400";
d="scan'208";a="848024631"
Received: from leonqu-mobl1.amr.corp.intel.com (HELO
rpedgeco-desk.amr.corp.intel.com) ([10.209.72.19])
by orsmga005-auth.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
27 Feb 2023 14:31:23 -0800
From: Rick Edgecombe <rick.p.edgecombe@intel.com>
To: x86@kernel.org, "H . Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, linux-kernel@vger.kernel.org,
linux-doc@vger.kernel.org, linux-mm@kvack.org,
linux-arch@vger.kernel.org, linux-api@vger.kernel.org,
Arnd Bergmann <arnd@arndb.de>,
Andy Lutomirski <luto@kernel.org>,
Balbir Singh <bsingharora@gmail.com>,
Borislav Petkov <bp@alien8.de>,
Cyrill Gorcunov <gorcunov@gmail.com>,
Dave Hansen <dave.hansen@linux.intel.com>,
Eugene Syromiatnikov <esyr@redhat.com>,
Florian Weimer <fweimer@redhat.com>,
"H . J . Lu" <hjl.tools@gmail.com>, Jann Horn <jannh@google.com>,
Jonathan Corbet <corbet@lwn.net>,
Kees Cook <keescook@chromium.org>,
Mike Kravetz <mike.kravetz@oracle.com>,
Nadav Amit <nadav.amit@gmail.com>,
Oleg Nesterov <oleg@redhat.com>, Pavel Machek <pavel@ucw.cz>,
Peter Zijlstra <peterz@infradead.org>,
Randy Dunlap <rdunlap@infradead.org>,
Weijiang Yang <weijiang.yang@intel.com>,
"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
John Allen <john.allen@amd.com>, kcc@google.com,
eranian@google.com, rppt@kernel.org, jamorris@linux.microsoft.com,
dethoma@microsoft.com, akpm@linux-foundation.org,
Andrew.Cooper3@citrix.com, christina.schimpe@intel.com,
david@redhat.com, debug@rivosinc.com
Cc: rick.p.edgecombe@intel.com, Yu-cheng Yu <yu-cheng.yu@intel.com>
Subject: [PATCH v7 22/41] mm/mmap: Add shadow stack pages to memory accounting
Date: Mon, 27 Feb 2023 14:29:38 -0800
Message-Id: <20230227222957.24501-23-rick.p.edgecombe@intel.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20230227222957.24501-1-rick.p.edgecombe@intel.com>
References: <20230227222957.24501-1-rick.p.edgecombe@intel.com>
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,
SPF_HELO_PASS,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1759025330892533806?=
X-GMAIL-MSGID: =?utf-8?q?1759025330892533806?=
|
| Series |
Shadow stacks for userspace
|
|
Commit Message
Edgecombe, Rick P
Feb. 27, 2023, 10:29 p.m. UTC
From: Yu-cheng Yu <yu-cheng.yu@intel.com> The x86 Control-flow Enforcement Technology (CET) feature includes a new type of memory called shadow stack. This shadow stack memory has some unusual properties, which requires some core mm changes to function properly. Account shadow stack pages to stack memory. Do this by adding a VM_SHADOW_STACK check in is_stack_mapping(). Tested-by: Pengfei Xu <pengfei.xu@intel.com> Tested-by: John Allen <john.allen@amd.com> Tested-by: Kees Cook <keescook@chromium.org> Acked-by: Mike Rapoport (IBM) <rppt@kernel.org> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> Co-developed-by: Rick Edgecombe <rick.p.edgecombe@intel.com> Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> Cc: Kees Cook <keescook@chromium.org> --- v7: - Change is_stack_mapping() to know about VM_SHADOW_STACK so the additions in vm_stat_account() can be dropped. (David Hildenbrand) v3: - Remove unneeded VM_SHADOW_STACK check in accountable_mapping() (Kirill) v2: - Remove is_shadow_stack_mapping() and just change it to directly bitwise and VM_SHADOW_STACK. Yu-cheng v26: - Remove redundant #ifdef CONFIG_MMU. Yu-cheng v25: - Remove #ifdef CONFIG_ARCH_HAS_SHADOW_STACK for is_shadow_stack_mapping(). --- mm/internal.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
Comments
On Mon, Feb 27, 2023 at 02:29:38PM -0800, Rick Edgecombe wrote: > From: Yu-cheng Yu <yu-cheng.yu@intel.com> > > The x86 Control-flow Enforcement Technology (CET) feature includes a new > type of memory called shadow stack. This shadow stack memory has some > unusual properties, which requires some core mm changes to function > properly. > > Account shadow stack pages to stack memory. Do this by adding a > VM_SHADOW_STACK check in is_stack_mapping(). That last sentence is superfluous.
On Mon, 2023-03-06 at 14:01 +0100, Borislav Petkov wrote: > On Mon, Feb 27, 2023 at 02:29:38PM -0800, Rick Edgecombe wrote: > > From: Yu-cheng Yu <yu-cheng.yu@intel.com> > > > > The x86 Control-flow Enforcement Technology (CET) feature includes > > a new > > type of memory called shadow stack. This shadow stack memory has > > some > > unusual properties, which requires some core mm changes to function > > properly. > > > > Account shadow stack pages to stack memory. Do this by adding a > > VM_SHADOW_STACK check in is_stack_mapping(). > > That last sentence is superfluous. Before this version it was open coded, but David Hildenbrand suggested this is_stack_mapping() solution. Should it be explained more, or just dropped?
On Mon, Mar 06, 2023 at 06:11:32PM +0000, Edgecombe, Rick P wrote: > Before this version it was open coded, but David Hildenbrand suggested > this is_stack_mapping() solution. Should it be explained more, or just > dropped? Well, "adding a VM_SHADOW_STACK check in is_stack_mapping()" is what's in the diff already and it is kinda obvious. So why write what the patch does when one can simply look at the diff?
On 27.02.23 23:29, Rick Edgecombe wrote: > From: Yu-cheng Yu <yu-cheng.yu@intel.com> > > The x86 Control-flow Enforcement Technology (CET) feature includes a new > type of memory called shadow stack. This shadow stack memory has some > unusual properties, which requires some core mm changes to function > properly. > > Account shadow stack pages to stack memory. Do this by adding a > VM_SHADOW_STACK check in is_stack_mapping(). > > Tested-by: Pengfei Xu <pengfei.xu@intel.com> > Tested-by: John Allen <john.allen@amd.com> > Tested-by: Kees Cook <keescook@chromium.org> > Acked-by: Mike Rapoport (IBM) <rppt@kernel.org> > Reviewed-by: Kees Cook <keescook@chromium.org> > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> > Co-developed-by: Rick Edgecombe <rick.p.edgecombe@intel.com> > Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> > Cc: Kees Cook <keescook@chromium.org> > > --- > v7: > - Change is_stack_mapping() to know about VM_SHADOW_STACK so the > additions in vm_stat_account() can be dropped. (David Hildenbrand) > > v3: > - Remove unneeded VM_SHADOW_STACK check in accountable_mapping() > (Kirill) > > v2: > - Remove is_shadow_stack_mapping() and just change it to directly bitwise > and VM_SHADOW_STACK. > > Yu-cheng v26: > - Remove redundant #ifdef CONFIG_MMU. > > Yu-cheng v25: > - Remove #ifdef CONFIG_ARCH_HAS_SHADOW_STACK for is_shadow_stack_mapping(). > --- > mm/internal.h | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/mm/internal.h b/mm/internal.h > index 7920a8b7982e..1d13d5580f64 100644 > --- a/mm/internal.h > +++ b/mm/internal.h > @@ -491,14 +491,14 @@ static inline bool is_exec_mapping(vm_flags_t flags) > } > > /* > - * Stack area - automatically grows in one direction > + * Stack area Maybe "Stack area (including shadow stacks)" Acked-by: David Hildenbrand <david@redhat.com>
On Mon, Feb 27, 2023 at 2:31 PM Rick Edgecombe <rick.p.edgecombe@intel.com> wrote: > > From: Yu-cheng Yu <yu-cheng.yu@intel.com> > > The x86 Control-flow Enforcement Technology (CET) feature includes a new > type of memory called shadow stack. This shadow stack memory has some > unusual properties, which requires some core mm changes to function > properly. > > Account shadow stack pages to stack memory. Do this by adding a > VM_SHADOW_STACK check in is_stack_mapping(). > > Tested-by: Pengfei Xu <pengfei.xu@intel.com> > Tested-by: John Allen <john.allen@amd.com> > Tested-by: Kees Cook <keescook@chromium.org> > Acked-by: Mike Rapoport (IBM) <rppt@kernel.org> > Reviewed-by: Kees Cook <keescook@chromium.org> > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@intel.com> > Co-developed-by: Rick Edgecombe <rick.p.edgecombe@intel.com> > Signed-off-by: Rick Edgecombe <rick.p.edgecombe@intel.com> > Cc: Kees Cook <keescook@chromium.org> > > --- > v7: > - Change is_stack_mapping() to know about VM_SHADOW_STACK so the > additions in vm_stat_account() can be dropped. (David Hildenbrand) > > v3: > - Remove unneeded VM_SHADOW_STACK check in accountable_mapping() > (Kirill) > > v2: > - Remove is_shadow_stack_mapping() and just change it to directly bitwise > and VM_SHADOW_STACK. > > Yu-cheng v26: > - Remove redundant #ifdef CONFIG_MMU. > > Yu-cheng v25: > - Remove #ifdef CONFIG_ARCH_HAS_SHADOW_STACK for is_shadow_stack_mapping(). > --- > mm/internal.h | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/mm/internal.h b/mm/internal.h > index 7920a8b7982e..1d13d5580f64 100644 > --- a/mm/internal.h > +++ b/mm/internal.h > @@ -491,14 +491,14 @@ static inline bool is_exec_mapping(vm_flags_t flags) > } > > /* > - * Stack area - automatically grows in one direction > + * Stack area > * > - * VM_GROWSUP / VM_GROWSDOWN VMAs are always private anonymous: > - * do_mmap() forbids all other combinations. > + * VM_GROWSUP, VM_GROWSDOWN VMAs are always private > + * anonymous. do_mmap() forbids all other combinations. > */ > static inline bool is_stack_mapping(vm_flags_t flags) > { > - return (flags & VM_STACK) == VM_STACK; > + return ((flags & VM_STACK) == VM_STACK) || (flags & VM_SHADOW_STACK); Same comment here. `VM_SHADOW_STACK` is an x86 specific way of encoding a shadow stack. Instead let's have a proxy here which allows architectures to have their own encodings to represent a shadow stack. > } > > /* > -- > 2.17.1 >
On 3/17/23 10:12, Deepak Gupta wrote: >> /* >> - * Stack area - automatically grows in one direction >> + * Stack area >> * >> - * VM_GROWSUP / VM_GROWSDOWN VMAs are always private anonymous: >> - * do_mmap() forbids all other combinations. >> + * VM_GROWSUP, VM_GROWSDOWN VMAs are always private >> + * anonymous. do_mmap() forbids all other combinations. >> */ >> static inline bool is_stack_mapping(vm_flags_t flags) >> { >> - return (flags & VM_STACK) == VM_STACK; >> + return ((flags & VM_STACK) == VM_STACK) || (flags & VM_SHADOW_STACK); > Same comment here. `VM_SHADOW_STACK` is an x86 specific way of > encoding a shadow stack. > Instead let's have a proxy here which allows architectures to have > their own encodings to represent a shadow stack. This doesn't _preclude_ another architecture from coming along and doing that, right? I'd just prefer that shadow stack architecture #2 comes along and refactors this in precisely the way _they_ need it.
On Fri, Mar 17, 2023 at 10:16 AM Dave Hansen <dave.hansen@intel.com> wrote: > > On 3/17/23 10:12, Deepak Gupta wrote: > >> /* > >> - * Stack area - automatically grows in one direction > >> + * Stack area > >> * > >> - * VM_GROWSUP / VM_GROWSDOWN VMAs are always private anonymous: > >> - * do_mmap() forbids all other combinations. > >> + * VM_GROWSUP, VM_GROWSDOWN VMAs are always private > >> + * anonymous. do_mmap() forbids all other combinations. > >> */ > >> static inline bool is_stack_mapping(vm_flags_t flags) > >> { > >> - return (flags & VM_STACK) == VM_STACK; > >> + return ((flags & VM_STACK) == VM_STACK) || (flags & VM_SHADOW_STACK); > > Same comment here. `VM_SHADOW_STACK` is an x86 specific way of > > encoding a shadow stack. > > Instead let's have a proxy here which allows architectures to have > > their own encodings to represent a shadow stack. > > This doesn't _preclude_ another architecture from coming along and doing > that, right? I'd just prefer that shadow stack architecture #2 comes > along and refactors this in precisely the way _they_ need it. There are two issues here - Encoding of shadow stack: Another arch can choose different encoding. And yes, another architecture can come in and re-factor it. But so much thought and work has been given to x86 implementation to keep shadow stack to not impact arch agnostic parts of the kernel. So why creep it in here. - VM_SHADOW_STACK is coming out of the VM_HIGH_ARCH_XX bit position which makes it arch specific. If re-factor takes care then I would say the 2nd issue still exists, it's better to keep it away from arch agnostic code.
On Fri, 2023-03-17 at 10:28 -0700, Deepak Gupta wrote: > On Fri, Mar 17, 2023 at 10:16 AM Dave Hansen <dave.hansen@intel.com> > wrote: > > > > On 3/17/23 10:12, Deepak Gupta wrote: > > > > /* > > > > - * Stack area - automatically grows in one direction > > > > + * Stack area > > > > * > > > > - * VM_GROWSUP / VM_GROWSDOWN VMAs are always private > > > > anonymous: > > > > - * do_mmap() forbids all other combinations. > > > > + * VM_GROWSUP, VM_GROWSDOWN VMAs are always private > > > > + * anonymous. do_mmap() forbids all other combinations. > > > > */ > > > > static inline bool is_stack_mapping(vm_flags_t flags) > > > > { > > > > - return (flags & VM_STACK) == VM_STACK; > > > > + return ((flags & VM_STACK) == VM_STACK) || (flags & > > > > VM_SHADOW_STACK); > > > > > > Same comment here. `VM_SHADOW_STACK` is an x86 specific way of > > > encoding a shadow stack. > > > Instead let's have a proxy here which allows architectures to > > > have > > > their own encodings to represent a shadow stack. > > > > This doesn't _preclude_ another architecture from coming along and > > doing > > that, right? I'd just prefer that shadow stack architecture #2 > > comes > > along and refactors this in precisely the way _they_ need it. > > There are two issues here > - Encoding of shadow stack: Another arch can choose different > encoding. > And yes, another architecture can come in and re-factor it. But so > much thought and work has been given to x86 implementation to keep > shadow stack to not impact arch agnostic parts of the kernel. So > why creep it in here. > > - VM_SHADOW_STACK is coming out of the VM_HIGH_ARCH_XX bit position > which makes it arch specific. > > VM_SHADOW_STACK is defined like this (trimmed for clarity): #ifdef CONFIG_X86_USER_SHADOW_STACK # define VM_SHADOW_STACK VM_HIGH_ARCH_5 #else # define VM_SHADOW_STACK VM_NONE #endif Also, we actually had an is_shadow_stack_mapping(vma) in the past, but it was dropped from other feedback. I think it might be too soon to say whether other implementations won't end up with a similar vma flag, so this would be premature refactoring. If not though, a helper like that seems like a reasonable solution.
On Fri, Mar 17, 2023 at 10:42 AM Edgecombe, Rick P <rick.p.edgecombe@intel.com> wrote: > > On Fri, 2023-03-17 at 10:28 -0700, Deepak Gupta wrote: > > On Fri, Mar 17, 2023 at 10:16 AM Dave Hansen <dave.hansen@intel.com> > > wrote: > > > > > > On 3/17/23 10:12, Deepak Gupta wrote: > > > > > /* > > > > > - * Stack area - automatically grows in one direction > > > > > + * Stack area > > > > > * > > > > > - * VM_GROWSUP / VM_GROWSDOWN VMAs are always private > > > > > anonymous: > > > > > - * do_mmap() forbids all other combinations. > > > > > + * VM_GROWSUP, VM_GROWSDOWN VMAs are always private > > > > > + * anonymous. do_mmap() forbids all other combinations. > > > > > */ > > > > > static inline bool is_stack_mapping(vm_flags_t flags) > > > > > { > > > > > - return (flags & VM_STACK) == VM_STACK; > > > > > + return ((flags & VM_STACK) == VM_STACK) || (flags & > > > > > VM_SHADOW_STACK); > > > > > > > > Same comment here. `VM_SHADOW_STACK` is an x86 specific way of > > > > encoding a shadow stack. > > > > Instead let's have a proxy here which allows architectures to > > > > have > > > > their own encodings to represent a shadow stack. > > > > > > This doesn't _preclude_ another architecture from coming along and > > > doing > > > that, right? I'd just prefer that shadow stack architecture #2 > > > comes > > > along and refactors this in precisely the way _they_ need it. > > > > There are two issues here > > - Encoding of shadow stack: Another arch can choose different > > encoding. > > And yes, another architecture can come in and re-factor it. But so > > much thought and work has been given to x86 implementation to keep > > shadow stack to not impact arch agnostic parts of the kernel. So > > why creep it in here. > > > > - VM_SHADOW_STACK is coming out of the VM_HIGH_ARCH_XX bit position > > which makes it arch specific. > > > > > > VM_SHADOW_STACK is defined like this (trimmed for clarity): > #ifdef CONFIG_X86_USER_SHADOW_STACK > # define VM_SHADOW_STACK VM_HIGH_ARCH_5 > #else > # define VM_SHADOW_STACK VM_NONE > #endif Ok. > > Also, we actually had an is_shadow_stack_mapping(vma) in the past, but > it was dropped from other feedback. looks like I've been late to the party. IMHO, that was the right approach. > >
diff --git a/mm/internal.h b/mm/internal.h index 7920a8b7982e..1d13d5580f64 100644 --- a/mm/internal.h +++ b/mm/internal.h @@ -491,14 +491,14 @@ static inline bool is_exec_mapping(vm_flags_t flags) } /* - * Stack area - automatically grows in one direction + * Stack area * - * VM_GROWSUP / VM_GROWSDOWN VMAs are always private anonymous: - * do_mmap() forbids all other combinations. + * VM_GROWSUP, VM_GROWSDOWN VMAs are always private + * anonymous. do_mmap() forbids all other combinations. */ static inline bool is_stack_mapping(vm_flags_t flags) { - return (flags & VM_STACK) == VM_STACK; + return ((flags & VM_STACK) == VM_STACK) || (flags & VM_SHADOW_STACK); } /*