From patchwork Wed Apr 17 18:52:17 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Xu X-Patchwork-Id: 13633766 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1CB97C4345F for ; Wed, 17 Apr 2024 18:52:27 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 60B3A6B0085; Wed, 17 Apr 2024 14:52:26 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 5934F6B0087; Wed, 17 Apr 2024 14:52:26 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 40CA46B0088; Wed, 17 Apr 2024 14:52:26 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13]) by kanga.kvack.org (Postfix) with ESMTP id 204776B0085 for ; Wed, 17 Apr 2024 14:52:26 -0400 (EDT) Received: from smtpin02.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay07.hostedemail.com (Postfix) with ESMTP id A24E916081A for ; Wed, 17 Apr 2024 18:52:25 +0000 (UTC) X-FDA: 82019919450.02.5968C26 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by imf05.hostedemail.com (Postfix) with ESMTP id 962CA10001B for ; Wed, 17 Apr 2024 18:52:23 +0000 (UTC) Authentication-Results: imf05.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=UwpsZlXy; spf=pass (imf05.hostedemail.com: domain of peterx@redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=peterx@redhat.com; dmarc=pass (policy=none) header.from=redhat.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1713379943; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:in-reply-to: references:dkim-signature; bh=Tew7DnBHXv/dAADkrspYwkAgLRodYl6fxKKd2qlbBpE=; b=lcfVLc/17qUAgg1zIs6umN+zMCWLCb5jETFYdyv8L/a3/Wbq+GOi3TX5y9PwWA/kLABWnh 0ugPLnHWsYl8/ANzV+SaJuJQ8GSOi3nLSfwECmNObux5cYjlKf//diwAZu5us6qzA83mgC zcltfS5CjzJohflk1ccfx0pe/OHC9Bc= ARC-Authentication-Results: i=1; imf05.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=UwpsZlXy; spf=pass (imf05.hostedemail.com: domain of peterx@redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=peterx@redhat.com; dmarc=pass (policy=none) header.from=redhat.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1713379943; a=rsa-sha256; cv=none; b=CX4htJasMO7S2McOthaai2mggUpOwpyPmk/akE4uQxLrWsVgJXHw5DYviDeZ/iYjigt3R1 6h8S6Fz3K4VXORPMGah4Qu2OQMkGL7oAYJn+TthVAmsWn1TBlZKavbej9ueVZSHJjl37iv HmHKHb3j+IwIJsrWURGKZXOO6pPGiUQ= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1713379943; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Tew7DnBHXv/dAADkrspYwkAgLRodYl6fxKKd2qlbBpE=; b=UwpsZlXytPSYer0p3cAdknc9Fb0homTNwFNv9r96jTCF4CEI4aq8jcVKcOV92xdzGBisds RxrFpBX1/qj3ttzdmJ/TDu7mWJ4WyydM9uDz63jrtvBhMVuD63fzhQZ6R4ZGBiIoXoAt5z Kxmlw1+ZyyDCWpKFLoGar84A5T6Ks7k= Received: from mail-vs1-f72.google.com (mail-vs1-f72.google.com [209.85.217.72]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-329-h6FdWPDgNQOAw7bp_3ewug-1; Wed, 17 Apr 2024 14:52:21 -0400 X-MC-Unique: h6FdWPDgNQOAw7bp_3ewug-1 Received: by mail-vs1-f72.google.com with SMTP id ada2fe7eead31-47ba363a87aso9820137.3 for ; Wed, 17 Apr 2024 11:52:21 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713379941; x=1713984741; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Tew7DnBHXv/dAADkrspYwkAgLRodYl6fxKKd2qlbBpE=; b=ZyK7vFI32TSKCGUujvJUl3yGIz08hP8Ij6KW9O62uUDA0zCZZ8MQABSTQuXb3x5wdC H5O4+2O8VWZDlkFWgqE52H9VvqmyHnrplcH3RYD/HuozH95FULX0ObIVgWvuMEdlSoJ9 gvmAWdTVCqFrk/7bkQzsbtzbyM3pokiEFnmpgk6b5y0qyTk3azHFx54wiXv5E+lCAwky w8+9lAkT7c0b5vbrBeZjYyHeUXr1jzxwKnvtsCQFwtz+lxZfU20JpG2eqyiReKE9+NeA 8XbqBJepH25vdQFHq5SDFCdH9YYurZ/nqSWgzOlB2gkFB0UJIKRGUUfAh+/kGoAvutGG /ybA== X-Forwarded-Encrypted: i=1; AJvYcCXKatlCPyJCPrczZ4Qijfp0/UTAPT14ZJMp23II7YcFE/NXP8ANzbfSP2ALajCYEISBM2ymHADzGhHcih94PL54KSc= X-Gm-Message-State: AOJu0YyXjMOZ+YFcDUyEPF5zBDK0chWiTNHSX4AgM7SsOSqiguolXzCd qGGw6uBNvFwaeUeDZmHIEJ2rKdtWWZXY4CEHHn6+RH/58dRwKiL4djgrDYHGcwQgcpPcJe9w3i2 EVBiHU1pg7EXrO2GKVgxZdIETHBHnCB956/sc3NVsGStDpAjp X-Received: by 2002:a1f:f449:0:b0:4d4:eb8:bf1f with SMTP id s70-20020a1ff449000000b004d40eb8bf1fmr616721vkh.0.1713379940405; Wed, 17 Apr 2024 11:52:20 -0700 (PDT) X-Google-Smtp-Source: AGHT+IEmvQhcK7g/g6HfsIin2L5g7CUCALj6zs9ezToh7Mi8fEGATINcPL4QIMIzANzqRCW/PtUe6A== X-Received: by 2002:a1f:f449:0:b0:4d4:eb8:bf1f with SMTP id s70-20020a1ff449000000b004d40eb8bf1fmr616688vkh.0.1713379939338; Wed, 17 Apr 2024 11:52:19 -0700 (PDT) Received: from x1n.redhat.com (pool-99-254-121-117.cpe.net.cable.rogers.com. [99.254.121.117]) by smtp.gmail.com with ESMTPSA id ne22-20020a056214425600b006a04769b5a7sm738831qvb.110.2024.04.17.11.52.18 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 17 Apr 2024 11:52:19 -0700 (PDT) From: Peter Xu To: linux-kernel@vger.kernel.org, linux-mm@kvack.org Cc: Axel Rasmussen , peterx@redhat.com, David Hildenbrand , Pasha Tatashin , Nadav Amit , Andrew Morton Subject: [PATCH v2] mm/page_table_check: Support userfault wr-protect entries Date: Wed, 17 Apr 2024 14:52:17 -0400 Message-ID: <20240417185217.2667853-1-peterx@redhat.com> X-Mailer: git-send-email 2.44.0 MIME-Version: 1.0 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com X-Stat-Signature: jjo5a9paxro14eu9qe91k6t5i9asoeos X-Rspamd-Queue-Id: 962CA10001B X-Rspamd-Server: rspam02 X-Rspam-User: X-HE-Tag: 1713379943-66794 X-HE-Meta: U2FsdGVkX1+Avx8VB90zXgiFfaoLPMNogtte051A3Naeu/Ie+47wavBLazSY8zDCqVa8KNLfjCwJ3zzwVKwBmQ2o7UxLbBkEAropQKydgmVbVEVcLcbu0MDL9TpZSpmE+qkbEM+JzNBx8RranFhIawgqXJFWAgcHAgKfGbuKgI3dvhh8Hwx3UZfVVTubPOEuc9IM5eJ5uH5ZQiAg+hUfpja5KL9AmzIDhcYq6+NOcHfV1s89xGvYcGLfiSYjNPjwyOKYivRslsm2h3v+qqaWWW08e2rMEDQ8NZbRxprblh8ZA6JQeyQmP1tsaAh5Ez5LTjhPRTl1EmPNZT1X3UuwXaXkw607BNnlefa8sL+zDKLLzLmhVwPz9D7V+1qo/Qf8I8Emaeo2v7A7uCGcwtEj28ufJx64pnIHfjOalXpWIcSPdovy6I1FblR3LTthZf/R5YsMrWB9fSn0zdekOKW1/nFh9hWcjGiC8ZcmRN7EGPAsXbgaSxSc+oRKm5fk0EofqdjV25zjj6aTMsw3nObf4Dq2mZEa5HWz6A0QIBMqiGspByxLU6ePtva/2nLLUi2adTjXdKeKqPbdY7DE8xalAKOwzqFjaIDoHEKwVCnvVrqq9zwHWSgcPJuewA2gmIVNGcbeuiOiX38H4QknyVuYt1+2UTHBpWT61jM11m1tRY4vTkLoYjjD6FE/vbqdUKSjYTJjHuWxH1ALuiuRPk/svXYHuEuVVufGJXBANsOO8Np2+6ITi61pFX0SFEmKMrA0gRfB0hPFCkK6LSuUtTufVJu9rYIhJb2GzKvo8qISmYPiJYqSxoPPuO4D6h6t7s91CY6/19vokJj8uI+r+s8htfS9UZskIobnFJYnT/yBJCJCkccSv1LHZbPRKMFt38cNNtejTxndc5HfrkslIaGL19eLf4fgqGKd+9jJWbeQh29FHGO+3O7FTIgu+2oeNlbeHfLYRifi581Ay6g0GfJ UP2nvp/R 0Kcqgx3Nb6P3iBKxpIsBXP7hBMcDK86XsCvndjbYj7aVot6d9kQ9TDX8/PIthJWZOAlh+8c1+j6lJGehv/TKomm034BLkw8wnEdLsvpdCRKKuCe9ujGsZW9HT4AOezqLU5cuzxFu0c6d+u5CqAY6p0xEqPFx0wVEvzWztdivmqV1QPbU5iVAVKeMNNWqxxbhJvo9aWFj4+Ss+SAZwp2QrA9oBtD8sI54s2zRW/ICvxJf4tzuQtSW+jo3PCQW1XHk1RgvTkIX3xT0DAx93GvmCiG1icXQAcN9rdTkgrp0Sxr8CUDleTdIoP+k5No6yZ6YafNOn6mbM3+YpZHeZYY4AqoR9qKi4/tIV6t2+IK59Z1yM88k8S6W5aCrIDpgEKQAOH7/hBtog38IGAtMnYVtkwQ4M8JeCXhP+hKJMwbYv0oZ/YhlCE7g+LJ30TuWdyOxez5JaUmj88O7Tj6mNpzTQUNtl4HFMn7nPCNMoIwXUFrfpERrUPn3Awdv7Bz5glL+IlHW56KD9i45/Rt6Vf8gi/yA7OcaGANCYDRq3wFSvaulnGI1dbnzzvl13LQKG+yPDL+KSewggdiDHY/LKt4KdNTLccVTW3fBq5N7MEU0bwJ1AN6U7iEjk/vLggfqy0z/U2OavK9GBdHEK4fY= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: Allow page_table_check hooks to check over userfaultfd wr-protect criteria upon pgtable updates. The rule is no co-existance allowed for any writable flag against userfault wr-protect flag. This should be better than c2da319c2e, where we used to only sanitize such issues during a pgtable walk, but when hitting such issue we don't have a good chance to know where does that writable bit came from [1], so that even the pgtable walk exposes a kernel bug (which is still helpful on triaging) but not easy to track and debug. Now we switch to track the source. It's much easier too with the recent introduction of page table check. There are some limitations with using the page table check here for userfaultfd wr-protect purpose: - It is only enabled with explicit enablement of page table check configs and/or boot parameters, but should be good enough to track at least syzbot issues, as syzbot should enable PAGE_TABLE_CHECK[_ENFORCED] for x86 [1]. We used to have DEBUG_VM but it's now off for most distros, while distros also normally not enable PAGE_TABLE_CHECK[_ENFORCED], which is similar. - It conditionally works with the ptep_modify_prot API. It will be bypassed when e.g. XEN PV is enabled, however still work for most of the rest scenarios, which should be the common cases so should be good enough. - Hugetlb check is a bit hairy, as the page table check cannot identify hugetlb pte or normal pte via trapping at set_pte_at(), because of the current design where hugetlb maps every layers to pte_t... For example, the default set_huge_pte_at() can invoke set_pte_at() directly and lose the hugetlb context, treating it the same as a normal pte_t. So far it's fine because we have huge_pte_uffd_wp() always equals to pte_uffd_wp() as long as supported (x86 only). It'll be a bigger problem when we'll define _PAGE_UFFD_WP differently at various pgtable levels, because then one huge_pte_uffd_wp() per-arch will stop making sense first.. as of now we can leave this for later too. This patch also removes commit c2da319c2e altogether, as we have something better now. [1] https://lore.kernel.org/all/000000000000dce0530615c89210@google.com/ Cc: Pasha Tatashin Signed-off-by: Peter Xu --- v2: - Rename __page_table_check_pxx() to page_table_check_pxx_flags(), meanwhile move the pte check out of the loop [Pasha] - Fix build issues reported from the bot, also added SWP_DEVICE_WRITE which was overlooked before --- arch/x86/include/asm/pgtable.h | 18 +--------------- mm/page_table_check.c | 39 ++++++++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+), 17 deletions(-) diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h index 273f7557218c..65b8e5bb902c 100644 --- a/arch/x86/include/asm/pgtable.h +++ b/arch/x86/include/asm/pgtable.h @@ -388,23 +388,7 @@ static inline pte_t pte_wrprotect(pte_t pte) #ifdef CONFIG_HAVE_ARCH_USERFAULTFD_WP static inline int pte_uffd_wp(pte_t pte) { - bool wp = pte_flags(pte) & _PAGE_UFFD_WP; - -#ifdef CONFIG_DEBUG_VM - /* - * Having write bit for wr-protect-marked present ptes is fatal, - * because it means the uffd-wp bit will be ignored and write will - * just go through. - * - * Use any chance of pgtable walking to verify this (e.g., when - * page swapped out or being migrated for all purposes). It means - * something is already wrong. Tell the admin even before the - * process crashes. We also nail it with wrong pgtable setup. - */ - WARN_ON_ONCE(wp && pte_write(pte)); -#endif - - return wp; + return pte_flags(pte) & _PAGE_UFFD_WP; } static inline pte_t pte_mkuffd_wp(pte_t pte) diff --git a/mm/page_table_check.c b/mm/page_table_check.c index af69c3c8f7c2..388bcf60d8b5 100644 --- a/mm/page_table_check.c +++ b/mm/page_table_check.c @@ -7,6 +7,8 @@ #include #include #include +#include +#include #undef pr_fmt #define pr_fmt(fmt) "page_table_check: " fmt @@ -182,6 +184,31 @@ void __page_table_check_pud_clear(struct mm_struct *mm, pud_t pud) } EXPORT_SYMBOL(__page_table_check_pud_clear); +/* Whether the swap entry cached writable information */ +static inline bool swap_cached_writable(swp_entry_t entry) +{ + unsigned type = swp_type(entry); + +#ifdef CONFIG_DEVICE_PRIVATE + if (type == SWP_DEVICE_EXCLUSIVE_WRITE || type == SWP_DEVICE_WRITE) + return true; +#endif +#ifdef CONFIG_MIGRATION + if (type == SWP_MIGRATION_WRITE) + return true; +#endif + + return false; +} + +static inline void page_table_check_pte_flags(pte_t pte) +{ + if (pte_present(pte) && pte_uffd_wp(pte)) + WARN_ON_ONCE(pte_write(pte)); + else if (is_swap_pte(pte) && pte_swp_uffd_wp(pte)) + WARN_ON_ONCE(swap_cached_writable(pte_to_swp_entry(pte))); +} + void __page_table_check_ptes_set(struct mm_struct *mm, pte_t *ptep, pte_t pte, unsigned int nr) { @@ -190,6 +217,8 @@ void __page_table_check_ptes_set(struct mm_struct *mm, pte_t *ptep, pte_t pte, if (&init_mm == mm) return; + page_table_check_pte_flags(pte); + for (i = 0; i < nr; i++) __page_table_check_pte_clear(mm, ptep_get(ptep + i)); if (pte_user_accessible_page(pte)) @@ -197,11 +226,21 @@ void __page_table_check_ptes_set(struct mm_struct *mm, pte_t *ptep, pte_t pte, } EXPORT_SYMBOL(__page_table_check_ptes_set); +static inline void page_table_check_pmd_flags(pmd_t pmd) +{ + if (pmd_present(pmd) && pmd_uffd_wp(pmd)) + WARN_ON_ONCE(pmd_write(pmd)); + else if (is_swap_pmd(pmd) && pmd_swp_uffd_wp(pmd)) + WARN_ON_ONCE(swap_cached_writable(pmd_to_swp_entry(pmd))); +} + void __page_table_check_pmd_set(struct mm_struct *mm, pmd_t *pmdp, pmd_t pmd) { if (&init_mm == mm) return; + page_table_check_pmd_flags(pmd); + __page_table_check_pmd_clear(mm, *pmdp); if (pmd_user_accessible_page(pmd)) { page_table_check_set(pmd_pfn(pmd), PMD_SIZE >> PAGE_SHIFT,