Date: Mon, 30 Apr 2018 09:31:45 +0100
From: Will Deacon
To: Jeffrey Hugo
Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Mark Rutland, Jan Glauber, Kees Cook, Ard Biesheuvel, Catalin Marinas, Laura Abbott, Timur Tabi, Stephen Smalley, Andrew Morton, Ingo Molnar, Thomas Gleixner, Peter Zijlstra
Subject: Re: [PATCH v2] init: Fix false positives in W+X checking
Message-ID: <20180430083144.GA15504@arm.com>
In-Reply-To: <1524866145-20337-1-git-send-email-jhugo@codeaurora.org>

On Fri, Apr 27, 2018 at 03:55:45PM -0600, Jeffrey Hugo wrote:
> load_module() creates W+X mappings via __vmalloc_node_range() (from
> layout_and_allocate()->move_module()->module_alloc()) by using
> PAGE_KERNEL_EXEC. These mappings are later cleaned up via
> "call_rcu_sched(&freeinit->rcu, do_free_init)" from do_init_module().
>
> This is a problem because call_rcu_sched() queues work, which can be run
> after debug_checkwx() is run, resulting in a race condition. If hit, the
> race results in a nasty splat about insecure W+X mappings, which results
> in a poor user experience as these are not the mappings that
> debug_checkwx() is intended to catch.
>
> This issue is observed on multiple arm64 platforms, and has been
> artificially triggered on an x86 platform.
>
> Address the race by flushing the queued work before running the
> arch-defined mark_rodata_ro() which then calls debug_checkwx().
>
> Reported-by: Timur Tabi
> Reported-by: Jan Glauber
> Fixes: e1a58320a38d ("x86/mm: Warn on W^X mappings")
> Signed-off-by: Jeffrey Hugo > --- > > v1: > -was "arm64: mm: Fix false positives in W+X checking" (see [1]) > -moved to common code based on review and confirmation of issue on x86 > > [1] http://lists.infradead.org/pipermail/linux-arm-kernel/2018-April/573776.html > > init/main.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/init/main.c b/init/main.c > index b795aa3..499d957 100644 > --- a/init/main.c > +++ b/init/main.c > @@ -1034,6 +1034,13 @@ static int __init set_debug_rodata(char *str) > static void mark_readonly(void) > { > if (rodata_enabled) { > + /* > + * load_module() results in W+X mappings, which are cleaned up > + * with call_rcu_sched(). Let's make sure that queued work is > + * flushed so that we don't hit false positives looking for > + * insecure pages which are W+X. > + */ > + rcu_barrier_sched(); > mark_rodata_ro(); > rodata_test(); > } else Acked-by: Will Deacon Thanks for solving this for all architectures, Jeffrey. Will
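
Review bot: the new comment in mark_readonly() says the queued work is "flushed", but rcu_barrier_sched() only waits for callbacks that were already queued when it is called, so a load_module() that reaches do_init_module() after the barrier and before debug_checkwx() runs can still leave a W+X mapping for the check to report. Suggest rewording the comment to say it waits for pending do_free_init callbacks, and stating in the commit message whether module loading can still be in flight at this point in init, so a later W+X splat is not assumed to be impossible.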