2018-08-08 09:28:57

by kernel test robot

Subject: 30514effc9 ("x86/mm/pti: Don't clear permissions in .."): WARNING: CPU: 0 PID: 1 at arch/x86/mm/dump_pagetables.c:283 note_page

Greetings,

0day kernel testing robot got the below dmesg and the first bad commit is

https://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git x86/pti

commit 30514effc9206d4e084ec32239ae221db157d43a
Author: Joerg Roedel <[email protected]>
AuthorDate: Tue Aug 7 12:24:30 2018 +0200
Commit: Thomas Gleixner <[email protected]>
CommitDate: Tue Aug 7 23:36:02 2018 +0200

x86/mm/pti: Don't clear permissions in pti_clone_pmd()

The function sets the global-bit on cloned PMD entries, which only makes
sense when the permissions are identical between the user and the kernel
page-table. Further, only write-permissions are cleared for entry-text and
kernel-text sections, which are not writeable at the end of the boot
process.

The reason why this RW clearing exists is that in the early PTI
implementations the cloned kernel areas were set up during early boot
before the kernel text is set to read only and not touched afterwards.

This is no longer true. The cloned areas are still set up early to get the
entry code working for interrupts and other things, but after the kernel
text has been set RO the clone is repeated which copies the RO PMD/PTEs
over to the user visible clone. That means the initial clearing of the
writable bit can be avoided.

[ tglx: Amended changelog ]

Signed-off-by: Joerg Roedel <[email protected]>
Signed-off-by: Thomas Gleixner <[email protected]>
Acked-by: Dave Hansen <[email protected]>
Cc: "H . Peter Anvin" <[email protected]>
Cc: [email protected]
Cc: Linus Torvalds <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Josh Poimboeuf <[email protected]>
Cc: Juergen Gross <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Borislav Petkov <[email protected]>
Cc: Jiri Kosina <[email protected]>
Cc: Boris Ostrovsky <[email protected]>
Cc: Brian Gerst <[email protected]>
Cc: David Laight <[email protected]>
Cc: Denys Vlasenko <[email protected]>
Cc: Eduardo Valentin <[email protected]>
Cc: Greg KH <[email protected]>
Cc: Will Deacon <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Cc: Andrea Arcangeli <[email protected]>
Cc: Waiman Long <[email protected]>
Cc: Pavel Machek <[email protected]>
Cc: "David H . Gutteridge" <[email protected]>
Cc: [email protected]
Link: https://lkml.kernel.org/r/[email protected]

88c6f8a397 x86/mm/pti: Fix 32 bit PCID check
30514effc9 x86/mm/pti: Don't clear permissions in pti_clone_pmd()
16a3fe634f x86/mm/pti: Clone kernel-image on PTE level for 32 bit
5d09a26943 Merge branch 'x86/urgent'
+-----------------------------------------------------+------------+------------+------------+------------+
|                                                     | 88c6f8a397 | 30514effc9 | 16a3fe634f | 5d09a26943 |
+-----------------------------------------------------+------------+------------+------------+------------+
| boot_successes                                      | 35         | 0          | 0          | 0          |
| boot_failures                                       | 0          | 15         | 13         | 11         |
| WARNING:at_arch/x86/mm/dump_pagetables.c:#note_page | 0          | 15         | 13         | 11         |
| RIP:note_page                                       | 0          | 15         | 13         | 11         |
+-----------------------------------------------------+------------+------------+------------+------------+

[ 16.937839] Freeing unused kernel image memory: 556K
[ 16.954368] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 16.956696] x86/mm: Checking user space page tables
[ 16.973108] ------------[ cut here ]------------
[ 16.975052] x86/mm: Found insecure W+X mapping at address (____ptrval____)/native_usergs_sysret64+0x0/0x10
[ 16.978787] WARNING: CPU: 0 PID: 1 at arch/x86/mm/dump_pagetables.c:283 note_page+0xdd/0x890
[ 16.982965] CPU: 0 PID: 1 Comm: swapper Tainted: G T 4.18.0-rc8-00058-g30514eff #1
[ 16.986506] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 16.989935] RIP: 0010:note_page+0xdd/0x890
[ 16.991679] Code: 74 f4 4d 85 c9 78 ef 80 3d 95 ec 20 02 00 48 8b 76 18 75 1c 48 89 f2 48 c7 c7 18 49 d3 84 c6 05 7e ec 20 02 01 e8 33 b9 06 00 <0f> 0b 48 8b 73 18 4c 8b 4b 20 4c 89 c8 48 29 f0 48 c1 e8 0c 48 01
[ 16.998255] RSP: 0000:ffff88001f457e08 EFLAGS: 00010282
[ 17.000269] RAX: 0000000000000000 RBX: ffff88001f457ec8 RCX: 0000000000000000
[ 17.002692] RDX: ffff88001f450040 RSI: 0000000000000001 RDI: 0000000000000246
[ 17.005129] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[ 17.007555] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
[ 17.009980] R13: 0000000000000004 R14: 0000000000000000 R15: ffff88001f457ec8
[ 17.012399] FS: 0000000000000000(0000) GS:ffffffff85087000(0000) knlGS:0000000000000000
[ 17.015931] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 17.018052] CR2: 0000000000000000 CR3: 000000000cc62001 CR4: 00000000001606f0
[ 17.020485] Call Trace:
[ 17.021888] ptdump_walk_pgd_level_core+0x3e7/0x510
[ 17.023814] ? __kprobes_text_end+0x76488/0x76488
[ 17.025713] ? __irqentry_text_end+0x1fe4ee/0x1fe4ee
[ 17.027666] ? rest_init+0xa0/0xa0
[ 17.029876] kernel_init+0x27/0xf0
[ 17.031488] ret_from_fork+0x3a/0x50
[ 17.033135] irq event stamp: 9170668
[ 17.034781] hardirqs last enabled at (9170667): [<ffffffff831061d1>] console_unlock+0x451/0x4e0
[ 17.038310] hardirqs last disabled at (9170668): [<ffffffff844011b9>] error_entry+0x89/0x110
[ 17.041745] softirqs last enabled at (9170648): [<ffffffff84600214>] __do_softirq+0x214/0x254
[ 17.045231] softirqs last disabled at (9170631): [<ffffffff830bcfb1>] irq_exit+0x61/0xc0
[ 17.050776] ---[ end trace e678f3f9b7a7f5ff ]---
[ 17.054226] x86/mm: Checked W+X mappings: FAILED, 512 W+X pages found.

# HH:MM RESULT GOOD BAD GOOD_BUT_DIRTY DIRTY_NOT_BAD
git bisect start 59f242421e6bc986692795d8b1d0289ec0ded657 1ffaddd029c867d134a1dde39f540dcc8c52e274 --
git bisect bad 49b82b310744d2f1e0e0c7c1783f025b1f925dd9 # 13:38 B 0 7 21 0 Merge 'perf/perf/core' into devel-catchup-201808081129
git bisect good 93fac2021c2785544dc3a400401df7cda0ffaf3f # 13:49 G 11 0 0 0 Merge 'bluetooth-next/master' into devel-catchup-201808081129
git bisect bad 49f5b4024f21f256aecd546ee8258e792088fb96 # 13:59 B 0 5 19 0 Merge 'tip/x86/pti' into devel-catchup-201808081129
git bisect good 5d27748d8731b478e3148ea1f3d5564f9eeaa4a8 # 14:14 G 11 0 0 0 Merge 'vfio/next' into devel-catchup-201808081129
git bisect good ff829964a0914aece6b461a1fc9b97bc68663d72 # 14:34 G 11 0 0 0 Merge 'tip/x86/urgent' into devel-catchup-201808081129
git bisect good 1ac228a7c87f697d1d01eb6362a6b5246705b0dd # 14:45 G 11 0 0 0 x86/mm/pti: Keep permissions when cloning kernel text in pti_clone_kernel_text()
git bisect good d5e84c21dbf5ea458897f88346dc979909eed913 # 14:58 G 11 0 0 0 x86/entry/32: Check for VM86 mode in slow-path check
git bisect good 706d51681d636a0c4a5ef53395ec3b803e45ed4d # 15:11 G 10 0 1 1 x86/speculation: Support Enhanced IBRS on future CPUs
git bisect good c40a56a7818cfe735fc93a69e1875f8bba834483 # 15:23 G 11 0 0 0 x86/mm/init: Remove freed kernel image areas from alias mapping
git bisect good 88c6f8a3977cc35997b47e2f99f080a15559c1eb # 15:41 G 11 0 0 0 x86/mm/pti: Fix 32 bit PCID check
git bisect bad 16a3fe634f6a568c6234b8747e5d50487fed3526 # 15:56 B 0 5 20 1 x86/mm/pti: Clone kernel-image on PTE level for 32 bit
git bisect bad 30514effc9206d4e084ec32239ae221db157d43a # 16:11 B 0 11 25 0 x86/mm/pti: Don't clear permissions in pti_clone_pmd()
# first bad commit: [30514effc9206d4e084ec32239ae221db157d43a] x86/mm/pti: Don't clear permissions in pti_clone_pmd()
git bisect good 88c6f8a3977cc35997b47e2f99f080a15559c1eb # 16:13 G 31 0 0 0 x86/mm/pti: Fix 32 bit PCID check
# extra tests with debug options
git bisect bad 30514effc9206d4e084ec32239ae221db157d43a # 16:55 B 0 1 15 0 x86/mm/pti: Don't clear permissions in pti_clone_pmd()
# extra tests on HEAD of linux-devel/devel-catchup-201808081129
git bisect bad 59f242421e6bc986692795d8b1d0289ec0ded657 # 17:01 B 0 365 382 0 0day head guard for 'devel-catchup-201808081129'
# extra tests on tree/branch tip/x86/pti
git bisect bad 16a3fe634f6a568c6234b8747e5d50487fed3526 # 17:03 B 0 11 25 0 x86/mm/pti: Clone kernel-image on PTE level for 32 bit
# extra tests on tree/branch tip/master
git bisect bad 5d09a2694308dff4b0bc9b550b7906b11dc9da91 # 17:21 B 0 4 18 0 Merge branch 'x86/urgent'

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/lkp                          Intel Corporation


Attachments:
(No filename) (9.21 kB)
dmesg-yocto-ivb41-116:20180808161126:x86_64-randconfig-s4-08081131:4.18.0-rc8-00058-g30514eff:1.gz (22.59 kB)
reproduce-yocto-ivb41-116:20180808161126:x86_64-randconfig-s4-08081131:4.18.0-rc8-00058-g30514eff:1 (977.00 B)
config-4.18.0-rc8-00058-g30514eff (132.62 kB)

2018-08-08 09:48:18

by Jörg Rödel

Subject: Re: 30514effc9 ("x86/mm/pti: Don't clear permissions in .."): WARNING: CPU: 0 PID: 1 at arch/x86/mm/dump_pagetables.c:283 note_page

Hi,

thanks for the report!

On Wed, Aug 08, 2018 at 05:26:53PM +0800, kernel test robot wrote:
> [ 16.937839] Freeing unused kernel image memory: 556K
> [ 16.954368] x86/mm: Checked W+X mappings: passed, no W+X pages found.
> [ 16.956696] x86/mm: Checking user space page tables
> [ 16.973108] ------------[ cut here ]------------
> [ 16.975052] x86/mm: Found insecure W+X mapping at address (____ptrval____)/native_usergs_sysret64+0x0/0x10
> [ 16.978787] WARNING: CPU: 0 PID: 1 at arch/x86/mm/dump_pagetables.c:283 note_page+0xdd/0x890

I think this is caused by debug_checkrwx() running before
pti_finalize(). The check runs on the user page-tables before they are
finished. I prepare a patch to move the check for the user page-table to
pti_finalize() after the page-tables are updated. That should fix the
warning.


Thanks,

Joerg
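
An added example, not part of the thread or the kernel source: a small dmesg triage helper that attributes each "Checked W+X mappings" result to the kernel or the user page-table pass, which is the distinction the diagnosis above relies on. The function names are hypothetical, and the scope rule (a result that follows the "Checking user space page tables" line belongs to the user page tables) is an assumption drawn from the log order in the report.

```python
import re

# dmesg lines taken from the report above (both W+X passes and the warning).
SAMPLE_DMESG = """\
[ 16.954368] x86/mm: Checked W+X mappings: passed, no W+X pages found.
[ 16.956696] x86/mm: Checking user space page tables
[ 16.975052] x86/mm: Found insecure W+X mapping at address (____ptrval____)/native_usergs_sysret64+0x0/0x10
[ 16.978787] WARNING: CPU: 0 PID: 1 at arch/x86/mm/dump_pagetables.c:283 note_page+0xdd/0x890
[ 17.054226] x86/mm: Checked W+X mappings: FAILED, 512 W+X pages found.
"""

USER_PASS = "x86/mm: Checking user space page tables"
FOUND = re.compile(r"x86/mm: Found insecure W\+X mapping at address (\S+)")
RESULT = re.compile(
    r"x86/mm: Checked W\+X mappings: (passed|FAILED), (no|\d+) W\+X pages found")


def parse_wx_checks(dmesg):
    """Return one dict per 'Checked W+X mappings' result line, in log order."""
    passes = []
    scope, symbol = "kernel", None
    for line in dmesg.splitlines():
        if USER_PASS in line:
            # Assumption: results after this line refer to the user page tables.
            scope = "user"
        elif (hit := FOUND.search(line)):
            # Address is logged as "<ptr>/<symbol>+<off>/<size>"; keep the symbol
            # of the first hit in this pass.
            symbol = symbol or hit.group(1).partition("/")[2].split("+")[0] or None
        elif (res := RESULT.search(line)):
            pages = 0 if res.group(2) == "no" else int(res.group(2))
            passes.append({"scope": scope, "ok": res.group(1) == "passed",
                           "pages": pages, "first_symbol": symbol})
            scope, symbol = "kernel", None  # the next result starts a new pass
    return passes


def failed_scopes(dmesg):
    """Names of the page-table passes that reported W+X pages."""
    return [p["scope"] for p in parse_wx_checks(dmesg) if not p["ok"]]


if __name__ == "__main__":
    for p in parse_wx_checks(SAMPLE_DMESG):
        print(p)
```

The patterns use `search`, so mail-quoted lines (prefixed with `> `) and lines with differently padded timestamps parse the same way.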