From: Juergen Gross
To: linux-kernel@vger.kernel.org, x86@kernel.org
Cc: Juergen Gross, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, "H. Peter Anvin", Andy Lutomirski, Peter Zijlstra
Subject: [PATCH v2 1/4] x86/pat: introduce lookup_address_in_pgd_attr()
Date: Fri, 12 Apr 2024 17:12:55 +0200
Message-Id: <20240412151258.9171-2-jgross@suse.com>
In-Reply-To: <20240412151258.9171-1-jgross@suse.com>
References: <20240412151258.9171-1-jgross@suse.com>

Add lookup_address_in_pgd_attr() doing the same as the already existing lookup_address_in_pgd(), but returning the effective settings of the NX and RW bits of all walked page table levels, too.

This will be needed in order to match hardware behavior when looking for effective access rights, especially for detecting writable code pages.

In order to avoid code duplication, let lookup_address_in_pgd() call lookup_address_in_pgd_attr() with dummy parameters.

Signed-off-by: Juergen Gross --- V2: - split off from V1 patch (Ingo Molnar) - introduced new function (Ingo Molnar) --- arch/x86/include/asm/pgtable_types.h | 2 ++ arch/x86/mm/pat/set_memory.c | 33 +++++++++++++++++++++++++--- 2 files changed, 32 insertions(+), 3 deletions(-) diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pg= table_types.h index 0b748ee16b3d..dd05caeeeeaf 100644 --- a/arch/x86/include/asm/pgtable_types.h +++ b/arch/x86/include/asm/pgtable_types.h @@ -566,6 +566,8 @@ static inline void update_page_count(int level, unsigne= d long pages) { } extern pte_t *lookup_address(unsigned long address, unsigned int *level); extern pte_t *lookup_address_in_pgd(pgd_t *pgd, unsigned long address, unsigned int *level); +pte_t *lookup_address_in_pgd_attr(pgd_t *pgd, unsigned long address, + unsigned int *level, bool *nx, bool *rw); extern pmd_t *lookup_pmd_address(unsigned long address); extern phys_addr_t slow_virt_to_phys(void *__address); extern int __init kernel_map_pages_in_pgd(pgd_t *pgd, u64 pfn, diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c index 80c9037ffadf..bfa0aae45d48 100644 --- a/arch/x86/mm/pat/set_memory.c +++ b/arch/x86/mm/pat/set_memory.c 
@@ -657,20 +657,26 @@ static inline pgprot_t verify_rwx(pgprot_t old, pgpro= t_t new, unsigned long star =20 /* * Lookup the page table entry for a virtual address in a specific pgd. - * Return a pointer to the entry and the level of the mapping. + * Return a pointer to the entry, the level of the mapping, and the effect= ive + * NX and RW bits of all page table levels. */ -pte_t *lookup_address_in_pgd(pgd_t *pgd, unsigned long address, - unsigned int *level) +pte_t *lookup_address_in_pgd_attr(pgd_t *pgd, unsigned long address, + unsigned int *level, bool *nx, bool *rw) { p4d_t *p4d; pud_t *pud; pmd_t *pmd; =20 *level =3D PG_LEVEL_NONE; + *nx =3D false; + *rw =3D true; =20 if (pgd_none(*pgd)) return NULL; =20 + *nx |=3D pgd_flags(*pgd) & _PAGE_NX; + *rw &=3D pgd_flags(*pgd) & _PAGE_RW; + p4d =3D p4d_offset(pgd, address); if (p4d_none(*p4d)) return NULL; @@ -679,6 +685,9 @@ pte_t *lookup_address_in_pgd(pgd_t *pgd, unsigned long = address, if (p4d_leaf(*p4d) || !p4d_present(*p4d)) return (pte_t *)p4d; =20 + *nx |=3D p4d_flags(*p4d) & _PAGE_NX; + *rw &=3D p4d_flags(*p4d) & _PAGE_RW; + pud =3D pud_offset(p4d, address); if (pud_none(*pud)) return NULL; @@ -687,6 +696,9 @@ pte_t *lookup_address_in_pgd(pgd_t *pgd, unsigned long = address, if (pud_leaf(*pud) || !pud_present(*pud)) return (pte_t *)pud; =20 + *nx |=3D pud_flags(*pud) & _PAGE_NX; + *rw &=3D pud_flags(*pud) & _PAGE_RW; + pmd =3D pmd_offset(pud, address); if (pmd_none(*pmd)) return NULL; 
@@ -695,11 +707,26 @@ pte_t *lookup_address_in_pgd(pgd_t *pgd, unsigned lon= g address, if (pmd_leaf(*pmd) || !pmd_present(*pmd)) return (pte_t *)pmd; =20 + *nx |=3D pmd_flags(*pmd) & _PAGE_NX; + *rw &=3D pmd_flags(*pmd) & _PAGE_RW; + *level =3D PG_LEVEL_4K; =20 return pte_offset_kernel(pmd, address); } =20 +/* + * Lookup the page table entry for a virtual address in a specific pgd. + * Return a pointer to the entry and the level of the mapping. + */ +pte_t *lookup_address_in_pgd(pgd_t *pgd, unsigned long address, + unsigned int *level) +{ + bool nx, rw; + + return lookup_address_in_pgd_attr(pgd, address, level, &nx, &rw); +} + /* * Lookup the page table entry for a virtual address. Return a pointer * to the entry and the level of the mapping. --=20 2.35.3
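
Review bot: in lookup_address_in_pgd_attr(), the `*rw &= pgd_flags(*pgd) & _PAGE_RW;` accumulation (repeated at the p4d, pud and pmd levels) does not compute a logical AND, because `*rw` is a bool. The bool is promoted to the integer 1 and bitwise-ANDed with the masked flags, which are either 0 or _PAGE_RW; _PAGE_RW is bit 1 on x86, so the result is 0 in both cases and *rw is false after the first level whatever the entry says. Normalise the right-hand side, for example `*rw &= !!(pgd_flags(*pgd) & _PAGE_RW);`, or write `if (!(pgd_flags(*pgd) & _PAGE_RW)) *rw = false;`. The `*nx |= ... & _PAGE_NX` lines are fine as written, since any non-zero result converts to true.
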
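
Review bot: the new comment above lookup_address_in_pgd_attr() promises the effective NX and RW bits "of all page table levels", but the walk returns at a leaf or non-present p4d/pud/pmd before that entry's flags are folded in, and the final PTE is never folded in either. *nx and *rw therefore describe only the non-leaf levels above the returned entry, which callers have to combine with the leaf's own bits. Please say that in the comment, and state what *nx and *rw hold when the function returns NULL part-way through the walk.
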
From: Juergen Gross
To: linux-kernel@vger.kernel.org, x86@kernel.org
Cc: Juergen Gross, Dave Hansen, Andy Lutomirski, Peter Zijlstra, Thomas Gleixner, Ingo Molnar, Borislav Petkov, "H. Peter Anvin"
Subject: [PATCH v2 2/4] x86/mm: use lookup_address_in_pgd_attr() in show_fault_oops()
Date: Fri, 12 Apr 2024 17:12:56 +0200
Message-Id: <20240412151258.9171-3-jgross@suse.com>
In-Reply-To: <20240412151258.9171-1-jgross@suse.com>
References: <20240412151258.9171-1-jgross@suse.com>

Fix show_fault_oops() to not only look at the leaf PTE for detecting NX violations, but to use the effective NX value returned by lookup_address_in_pgd_attr() instead.

Signed-off-by: Juergen Gross
---
V2:
- split off from V1 patch (Ingo Molnar)
---
 arch/x86/mm/fault.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c index 622d12ec7f08..6b2ca8ba75b8 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c
@@ -514,18 +514,19 @@ show_fault_oops(struct pt_regs *regs, unsigned long e= rror_code, unsigned long ad =20 if (error_code & X86_PF_INSTR) { unsigned int level; + bool nx, rw; pgd_t *pgd; pte_t *pte; =20 pgd =3D __va(read_cr3_pa()); pgd +=3D pgd_index(address); =20 - pte =3D lookup_address_in_pgd(pgd, address, &level); + pte =3D lookup_address_in_pgd_attr(pgd, address, &level, &nx, &rw); =20 - if (pte && pte_present(*pte) && !pte_exec(*pte)) + if (pte && pte_present(*pte) && (!pte_exec(*pte) || nx)) pr_crit("kernel tried to execute NX-protected page - exploit attempt? (= uid: %d)\n", from_kuid(&init_user_ns, current_uid())); - if (pte && pte_present(*pte) && pte_exec(*pte) && + if (pte && pte_present(*pte) && pte_exec(*pte) && !nx && (pgd_flags(*pgd) & _PAGE_USER) && (__read_cr4() & X86_CR4_SMEP)) pr_crit("unable to execute userspace code (SMEP?) (uid: %d)\n", --=20 2.35.3
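
Review bot: in show_fault_oops(), `rw` is declared only to satisfy the lookup_address_in_pgd_attr() signature and is never read. Either let the helper accept NULL for outputs a caller does not need, or add a short comment so the unused variable does not look like a forgotten check. In the same hunk, the SMEP branch still tests `pgd_flags(*pgd) & _PAGE_USER` at the top level only, while the NX test above it now uses the accumulated value; if that asymmetry is intended, the commit message should say so.
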
From: Juergen Gross
To: linux-kernel@vger.kernel.org, x86@kernel.org
Cc: Juergen Gross, Dave Hansen, Andy Lutomirski, Peter Zijlstra, Thomas Gleixner, Ingo Molnar, Borislav Petkov, "H. Peter Anvin"
Subject: [PATCH v2 3/4] x86/pat: restructure _lookup_address_cpa()
Date: Fri, 12 Apr 2024 17:12:57 +0200
Message-Id: <20240412151258.9171-4-jgross@suse.com>
In-Reply-To: <20240412151258.9171-1-jgross@suse.com>
References: <20240412151258.9171-1-jgross@suse.com>

Modify _lookup_address_cpa() to no longer use lookup_address(), but only lookup_address_in_pgd().

This is done in preparation of using lookup_address_in_pgd_attr().

No functional change intended.

Signed-off-by: Juergen Gross
---
V2:
- split off from V1 patch (Ingo Molnar)
---
 arch/x86/mm/pat/set_memory.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c index bfa0aae45d48..4ebccaf29bf2 100644 --- a/arch/x86/mm/pat/set_memory.c +++ b/arch/x86/mm/pat/set_memory.c
@@ -744,11 +744,14 @@ EXPORT_SYMBOL_GPL(lookup_address); static pte_t *_lookup_address_cpa(struct cpa_data *cpa, unsigned long addr= ess, unsigned int *level) { - if (cpa->pgd) - return lookup_address_in_pgd(cpa->pgd + pgd_index(address), - address, level); + pgd_t *pgd; + + if (!cpa->pgd) + pgd =3D pgd_offset_k(address); + else + pgd =3D cpa->pgd + pgd_index(address); =20 - return lookup_address(address, level); + return lookup_address_in_pgd(pgd, address, level); } =20 /* --=20 2.35.3
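
Review bot: the changelog claims "No functional change intended", but in _lookup_address_cpa() the removed `return lookup_address(address, level);` fallback is replaced by an open-coded `pgd_offset_k(address)`, and the body of lookup_address() is not in the visible context, so the equivalence cannot be checked from this patch alone. Add a sentence to the commit message stating what lookup_address() does today so the claim is reviewable. Minor style point in the same hunk: testing `if (cpa->pgd)` first, as the removed code did, avoids a negated condition with an else branch.
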
From: Juergen Gross
To: linux-kernel@vger.kernel.org, x86@kernel.org
Cc: Juergen Gross, Dave Hansen, Andy Lutomirski, Peter Zijlstra, Thomas Gleixner, Ingo Molnar, Borislav Petkov, "H. Peter Anvin", Jason Andryuk
Subject: [PATCH v2 4/4] x86/pat: fix W^X violation false-positives when running as Xen PV guest
Date: Fri, 12 Apr 2024 17:12:58 +0200
Message-Id: <20240412151258.9171-5-jgross@suse.com>
In-Reply-To: <20240412151258.9171-1-jgross@suse.com>
References: <20240412151258.9171-1-jgross@suse.com>

When running as Xen PV guest in some cases W^X violation WARN()s have been observed. Those WARN()s are produced by verify_rwx(), which looks into the PTE to verify that writable kernel pages have the NX bit set in order to avoid code modifications of the kernel by rogue code.

As the NX bits of all levels of translation entries are or-ed and the RW bits of all levels are and-ed, looking just into the PTE isn't enough for the decision that a writable page is executable, too. When running as a Xen PV guest, the direct map PMDs and kernel high map PMDs share the same set of PTEs. Xen kernel initialization will set the NX bit in the direct map PMD entries, and not the shared PTEs. Fixes: 652c5bf380ad ("x86/mm: Refuse W^X violations") Reported-by: Jason Andryuk Signed-off-by: Juergen Gross --- V2: - patch split (Ingo Molnar) - commit message reworded (Jason Andryuk) --- arch/x86/mm/pat/set_memory.c | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/arch/x86/mm/pat/set_memory.c b/arch/x86/mm/pat/set_memory.c index 4ebccaf29bf2..19fdfbb171ed 100644 --- a/arch/x86/mm/pat/set_memory.c +++ b/arch/x86/mm/pat/set_memory.c @@ -619,7 +619,8 @@ static inline pgprot_t static_protections(pgprot_t prot= , unsigned long start, * Validate strict W^X semantics. */ static inline pgprot_t verify_rwx(pgprot_t old, pgprot_t new, unsigned lon= g start, - unsigned long pfn, unsigned long npg) + unsigned long pfn, unsigned long npg, + bool nx, bool rw) { unsigned long end; =20 @@ -641,6 +642,10 @@ static inline pgprot_t verify_rwx(pgprot_t old, pgprot= _t new, unsigned long star if ((pgprot_val(new) & (_PAGE_RW | _PAGE_NX)) !=3D _PAGE_RW) return new; =20 + /* Non-leaf translation entries can disable writing or execution. */ + if (!rw || nx) + return new; + end =3D start + npg * PAGE_SIZE - 1; WARN_ONCE(1, "CPA detected W^X violation: %016llx -> %016llx range: 0x%01= 6lx - 0x%016lx PFN %lx\n", (unsigned long long)pgprot_val(old), @@ -742,7 +747,7 @@ pte_t *lookup_address(unsigned long address, unsigned i= nt *level) EXPORT_SYMBOL_GPL(lookup_address); =20 static pte_t *_lookup_address_cpa(struct cpa_data *cpa, unsigned long addr= ess, - unsigned int *level) + unsigned int *level, bool *nx, bool *rw) { pgd_t *pgd; =20 
@@ -751,7 +756,7 @@ static pte_t *_lookup_address_cpa(struct cpa_data *cpa,= unsigned long address, else pgd =3D cpa->pgd + pgd_index(address); =20 - return lookup_address_in_pgd(pgd, address, level); + return lookup_address_in_pgd_attr(pgd, address, level, nx, rw); } =20 /* @@ -879,12 +884,13 @@ static int __should_split_large_page(pte_t *kpte, uns= igned long address, pgprot_t old_prot, new_prot, req_prot, chk_prot; pte_t new_pte, *tmp; enum pg_level level; + bool nx, rw; =20 /* * Check for races, another CPU might have split this page * up already: */ - tmp =3D _lookup_address_cpa(cpa, address, &level); + tmp =3D _lookup_address_cpa(cpa, address, &level, &nx, &rw); if (tmp !=3D kpte) return 1; =20 @@ -995,7 +1001,8 @@ static int __should_split_large_page(pte_t *kpte, unsi= gned long address, new_prot =3D static_protections(req_prot, lpaddr, old_pfn, numpages, psize, CPA_DETECT); =20 - new_prot =3D verify_rwx(old_prot, new_prot, lpaddr, old_pfn, numpages); + new_prot =3D verify_rwx(old_prot, new_prot, lpaddr, old_pfn, numpages, + nx, rw); =20 /* * If there is a conflict, split the large page. @@ -1076,6 +1083,7 @@ __split_large_page(struct cpa_data *cpa, pte_t *kpte,= unsigned long address, pte_t *pbase =3D (pte_t *)page_address(base); unsigned int i, level; pgprot_t ref_prot; + bool nx, rw; pte_t *tmp; =20 spin_lock(&pgd_lock); @@ -1083,7 +1091,7 @@ __split_large_page(struct cpa_data *cpa, pte_t *kpte,= unsigned long address, * Check for races, another CPU might have split this page * up for us already: */ - tmp =3D _lookup_address_cpa(cpa, address, &level); + tmp =3D _lookup_address_cpa(cpa, address, &level, &nx, &rw); if (tmp !=3D kpte) { spin_unlock(&pgd_lock); return 1; 
@@ -1624,10 +1632,11 @@ static int __change_page_attr(struct cpa_data *cpa,= int primary) int do_split, err; unsigned int level; pte_t *kpte, old_pte; + bool nx, rw; =20 address =3D __cpa_addr(cpa, cpa->curpage); repeat: - kpte =3D _lookup_address_cpa(cpa, address, &level); + kpte =3D _lookup_address_cpa(cpa, address, &level, &nx, &rw); if (!kpte) return __cpa_process_fault(cpa, address, primary); =20 @@ -1649,7 +1658,8 @@ static int __change_page_attr(struct cpa_data *cpa, i= nt primary) new_prot =3D static_protections(new_prot, address, pfn, 1, 0, CPA_PROTECT); =20 - new_prot =3D verify_rwx(old_prot, new_prot, address, pfn, 1); + new_prot =3D verify_rwx(old_prot, new_prot, address, pfn, 1, + nx, rw); =20 new_prot =3D pgprot_clear_protnone_bits(new_prot); =20 --=20 2.35.3
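
Review bot: in verify_rwx(), the new `if (!rw || nx) return new;` skips the W^X WARN whenever the walk reports a non-writable upper level, so the check is only as strong as the `rw` value produced by lookup_address_in_pgd_attr(). With the `*rw &= ... & _PAGE_RW` accumulation from patch 1/4, a bool ANDed with a bit-1 mask is always false, which makes this return unconditional and silences the check for every mapping. Fix the accumulation first, then confirm that the WARN still fires for a mapping that is writable and executable at every level.
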
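
Review bot: in __split_large_page(), `nx` and `rw` are declared and passed to _lookup_address_cpa(), but nothing in the visible hunks reads them; only __should_split_large_page() and __change_page_attr() forward them to verify_rwx(). Consider letting the lookup helpers accept NULL for these outputs, or add a comment at this call site that the values are deliberately ignored, so a later reader does not assume a W^X check was dropped here.
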
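
The rule from the 4/4 commit message (NX or-ed and RW and-ed over all translation levels) as a small user-space C model, added here as an illustration and not taken from the patch series. The function names, the `ENT_*` macros and the three sample walks are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural x86-64 flag positions in a paging-structure entry. */
#define ENT_PRESENT (1ULL << 0)
#define ENT_RW      (1ULL << 1)
#define ENT_NX      (1ULL << 63)

struct eff_rights {
	bool present;
	bool writable;   /* RW set at every level (RW bits and-ed) */
	bool executable; /* NX clear at every level (NX bits or-ed) */
};

/*
 * Fold the flags of every entry used to translate one address,
 * top level first and leaf last.
 */
static struct eff_rights effective_rights(const uint64_t *walk, size_t n)
{
	struct eff_rights r = { true, true, true };

	for (size_t i = 0; i < n; i++) {
		if (!(walk[i] & ENT_PRESENT))
			return (struct eff_rights){ false, false, false };
		/* Test each bit explicitly; never AND a bool with a mask. */
		if (!(walk[i] & ENT_RW))
			r.writable = false;
		if (walk[i] & ENT_NX)
			r.executable = false;
	}
	return r;
}

/* Leaf-only test: writable and NX clear in the last entry alone. */
static bool wx_violation_leaf_only(uint64_t leaf)
{
	return (leaf & (ENT_RW | ENT_NX)) == ENT_RW;
}

/* Test against what the hardware would actually permit. */
static bool wx_violation_effective(const uint64_t *walk, size_t n)
{
	struct eff_rights r = effective_rights(walk, n);

	return r.present && r.writable && r.executable;
}

/* Constructed 4-level walks (PGD, PUD, PMD, PTE); flag bits only. */
#define P_RW (ENT_PRESENT | ENT_RW)

/* Case from the commit message: NX set in the PMD, not in the shared PTE. */
static const uint64_t nx_in_pmd_walk[4] = { P_RW, P_RW, P_RW | ENT_NX, P_RW };
/* Writable and executable at every level: a real violation. */
static const uint64_t wx_everywhere_walk[4] = { P_RW, P_RW, P_RW, P_RW };
/* RW cleared in the PUD: the leaf looks writable but is not. */
static const uint64_t ro_in_pud_walk[4] = { P_RW, ENT_PRESENT, P_RW, P_RW };

int main(void)
{
	printf("NX in PMD:     leaf-only=%d effective=%d\n",
	       wx_violation_leaf_only(nx_in_pmd_walk[3]),
	       wx_violation_effective(nx_in_pmd_walk, 4));
	printf("W+X all levels: leaf-only=%d effective=%d\n",
	       wx_violation_leaf_only(wx_everywhere_walk[3]),
	       wx_violation_effective(wx_everywhere_walk, 4));
	printf("RO in PUD:     leaf-only=%d effective=%d\n",
	       wx_violation_leaf_only(ro_in_pud_walk[3]),
	       wx_violation_effective(ro_in_pud_walk, 4));
	return 0;
}
```

The first walk is the false positive the series removes: the leaf alone looks writable and executable, while the accumulated rights are not executable.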