Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW

From: Yu-cheng Yu
Date: Thu Aug 30 2018 - 12:06:22 EST

Next message: Helen Paul: "Interest"
Previous message: Atish Patra: "Re: [PATCH v2 0/3] RISC-V: Add new smp features"
In reply to: Jann Horn: "Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW"
Next in thread: Dave Hansen: "Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2018-08-30 at 17:49 +0200, Jann Horn wrote:
> On Thu, Aug 30, 2018 at 4:43 PM Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx>
> wrote:
> >
> >
> > When Shadow Stack is enabled, the read-only and PAGE_DIRTY_HW PTE
> > setting is reserved only for the Shadow Stack.ÂÂTo track dirty of
> > non-Shadow Stack read-only PTEs, we use PAGE_DIRTY_SW.
> >
> > Update ptep_set_wrprotect() and pmdp_set_wrprotect().
> >
> > Signed-off-by: Yu-cheng Yu <yu-cheng.yu@xxxxxxxxx>
> > ---
> > Âarch/x86/include/asm/pgtable.h | 42
> > ++++++++++++++++++++++++++++++++++
> > Â1 file changed, 42 insertions(+)
> >
> > diff --git a/arch/x86/include/asm/pgtable.h
> > b/arch/x86/include/asm/pgtable.h
> > index 4d50de77ea96..556ef258eeff 100644
> > --- a/arch/x86/include/asm/pgtable.h
> > +++ b/arch/x86/include/asm/pgtable.h
> > @@ -1203,7 +1203,28 @@ static inline pte_t
> > ptep_get_and_clear_full(struct mm_struct *mm,
> > Âstatic inline void ptep_set_wrprotect(struct mm_struct *mm,
> > ÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂÂunsigned long addr, pte_t
> > *ptep)
> > Â{
> > +ÂÂÂÂÂÂÂpte_t pte;
> > +
> > ÂÂÂÂÂÂÂÂclear_bit(_PAGE_BIT_RW, (unsigned long *)&ptep->pte);
> > +ÂÂÂÂÂÂÂpte = *ptep;
> > +
> > +ÂÂÂÂÂÂÂ/*
> > +ÂÂÂÂÂÂÂÂ* Some processors can start a write, but ending up seeing
> > +ÂÂÂÂÂÂÂÂ* a read-only PTE by the time they get to the Dirty bit.
> > +ÂÂÂÂÂÂÂÂ* In this case, they will set the Dirty bit, leaving a
> > +ÂÂÂÂÂÂÂÂ* read-only, Dirty PTE which looks like a Shadow Stack
> > PTE.
> > +ÂÂÂÂÂÂÂÂ*
> > +ÂÂÂÂÂÂÂÂ* However, this behavior has been improved and will not
> > occur
> > +ÂÂÂÂÂÂÂÂ* on processors supporting Shadow Stacks.ÂÂWithout this
> > +ÂÂÂÂÂÂÂÂ* guarantee, a transition to a non-present PTE and flush
> > the
> > +ÂÂÂÂÂÂÂÂ* TLB would be needed.
> > +ÂÂÂÂÂÂÂÂ*
> > +ÂÂÂÂÂÂÂÂ* When change a writable PTE to read-only and if the PTE
> > has
> > +ÂÂÂÂÂÂÂÂ* _PAGE_DIRTY_HW set, we move that bit to _PAGE_DIRTY_SW
> > so
> > +ÂÂÂÂÂÂÂÂ* that the PTE is not a valid Shadow Stack PTE.
> > +ÂÂÂÂÂÂÂÂ*/
> > +ÂÂÂÂÂÂÂpte = pte_move_flags(pte, _PAGE_DIRTY_HW, _PAGE_DIRTY_SW);
> > +ÂÂÂÂÂÂÂset_pte_at(mm, addr, ptep, pte);
> > Â}
> I don't understand why it's okay that you first atomically clear the
> RW bit, then atomically switch from DIRTY_HW to DIRTY_SW. Doesn't
> that
> mean that between the two atomic writes, another core can
> incorrectly
> see a shadow stack?

Yes, we had that concern earlier and checked.
On processors supporting Shadow Stacks, that will not happen.

Yu-cheng

Next message: Helen Paul: "Interest"
Previous message: Atish Patra: "Re: [PATCH v2 0/3] RISC-V: Add new smp features"
In reply to: Jann Horn: "Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW"
Next in thread: Dave Hansen: "Re: [RFC PATCH v3 12/24] x86/mm: Modify ptep_set_wrprotect and pmdp_set_wrprotect for _PAGE_DIRTY_SW"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]