Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965338AbbLORpn (ORCPT ); Tue, 15 Dec 2015 12:45:43 -0500 Received: from mail-io0-f175.google.com ([209.85.223.175]:35015 "EHLO mail-io0-f175.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932211AbbLORpl (ORCPT ); Tue, 15 Dec 2015 12:45:41 -0500 MIME-Version: 1.0 In-Reply-To: <20151215094015.GA3677@amd> References: <20151115070022.GA15417@amd> <20151214080403.GA3708@amd> <20151214085803.GA10520@pd.tnic> <20151214090726.GA6472@amd> <20151214202627.GA15104@amd> <566F3378.8070009@linux.intel.com> <20151215094015.GA3677@amd> Date: Tue, 15 Dec 2015 09:45:40 -0800 X-Google-Sender-Auth: dvuiQQ11Xos698sBBzmyPNhAWR8 Message-ID: Subject: Re: 4.4-rc5: ugly warn on: 5 W+X pages found From: Linus Torvalds To: Pavel Machek Cc: Andy Lutomirski , Arjan van de Ven , Borislav Petkov , kernel list , Stephen Smalley , Brian Gerst , Denys Vlasenko , Peter Anvin , Mike Galbraith , Peter Zijlstra , Thomas Gleixner Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1847 Lines: 57 On Tue, Dec 15, 2015 at 1:40 AM, Pavel Machek wrote: > > I tried applying: > > [PATCH 1/2] x86_32/mm: Set NX in __supported_pte_mask before enabling > paging > > but I still get > > [ 2.691897] x86/mm: Found insecure W+X mapping at address ffe69000/0xffe69000 This may be an insane suggestion, but how about we try to detect when that entry gets set, rather than after the fact. Something really brute-force like diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h index 6ec0c8b2e9df..538c9bb239b9 100644 --- a/arch/x86/include/asm/pgtable.h +++ b/arch/x86/include/asm/pgtable.h @@ -337,6 +337,13 @@ static inline pmd_t pmd_clear_soft_dirty(pmd_t pmd) #endif /* CONFIG_HAVE_ARCH_SOFT_DIRTY */ +static inline int kernel_write_execute_prot(pgprotval_t protval) +{ + return !(protval & _PAGE_USER) && + !(protval & _PAGE_NX) && + (protval & _PAGE_RW); +} + /* * Mask out unsupported bits in a present pgprot. Non-present pgprots * can use those bits for other purposes, so leave them be. @@ -345,8 +352,10 @@ static inline pgprotval_t massage_pgprot(pgprot_t pgprot) { pgprotval_t protval = pgprot_val(pgprot); - if (protval & _PAGE_PRESENT) + if (protval & _PAGE_PRESENT) { protval &= __supported_pte_mask; + WARN_ON_ONCE(kernel_write_execute_prot(protval)); + } return protval; } or similar? The above is entirely untested. Maybe it doesn't compile. Or boot. Or work. Linus -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/