Subject: Re: [PATCH v2] init: Fix false positives in W+X checking
To: Ingo Molnar
Cc: linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Mark Rutland, Jan Glauber, Kees Cook, Ard Biesheuvel, Catalin Marinas, Will Deacon, Laura Abbott, Timur Tabi, Stephen Smalley, Andrew Morton, Thomas Gleixner, Peter Zijlstra
From: Jeffrey Hugo
Date: Mon, 30 Apr 2018 08:10:05 -0600

On 4/28/2018 12:14 AM, Ingo Molnar wrote:
>
> * Jeffrey Hugo wrote:
>
>> load_module() creates W+X mappings via __vmalloc_node_range() (from
>> layout_and_allocate()->move_module()->module_alloc()) by using
>> PAGE_KERNEL_EXEC. These mappings are later cleaned up via
>> "call_rcu_sched(&freeinit->rcu, do_free_init)" from do_init_module().
>>
>> This is a problem because call_rcu_sched() queues work, which can be run
>> after debug_checkwx() is run, resulting in a race condition. If hit, the
>> race results in a nasty splat about insecure W+X mappings, which results
>> in a poor user experience as these are not the mappings that
>> debug_checkwx() is intended to catch.
>>
>> This issue is observed on multiple arm64 platforms, and has been
>> artificially triggered on an x86 platform.
>>
>> Address the race by flushing the queued work before running the
>> arch-defined mark_rodata_ro() which then calls debug_checkwx().
>>
>> Reported-by: Timur Tabi
>> Reported-by: Jan Glauber
>> Fixes: e1a58320a38d ("x86/mm: Warn on W^X mappings")
>> Signed-off-by: Jeffrey Hugo
>> ---
>>
>> v1:
>> -was "arm64: mm: Fix false positives in W+X checking" (see [1])
>> -moved to common code based on review and confirmation of issue on x86
>>
>> [1] http://lists.infradead.org/pipermail/linux-arm-kernel/2018-April/573776.html
>>
>> init/main.c | 7 +++++++ >> 1 file changed, 7 insertions(+) >> >> diff --git a/init/main.c b/init/main.c >> index b795aa3..499d957 100644 >> --- a/init/main.c >> +++ b/init/main.c
>> @@ -1034,6 +1034,13 @@ static int __init set_debug_rodata(char *str) >> static void mark_readonly(void) >> { >> if (rodata_enabled) { >> + /* >> + * load_module() results in W+X mappings, which are cleaned up >> + * with call_rcu_sched(). Let's make sure that queued work is >> + * flushed so that we don't hit false positives looking for >> + * insecure pages which are W+X. >> + */ >> + rcu_barrier_sched();
>
> I'd suggest adding a matching comment to the module loading portion as well,
> to make sure this connection does not get lost. With that:
>
> Acked-by: Ingo Molnar

Sure. Will add that in a v3.

--
Jeffrey Hugo
Qualcomm Datacenter Technologies as an affiliate of Qualcomm Technologies, Inc.
Qualcomm Technologies, Inc. is a member of the Code Aurora Forum,
a Linux Foundation Collaborative Project.
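
Review bot: the new comment above rcu_barrier_sched() in mark_readonly() names call_rcu_sched() but not the callback or the function that queues it. The commit message identifies them as do_free_init, queued from do_init_module(); putting those names in the comment would let a later change to the module init-freeing path be traced back to this barrier. The barrier is also taken on every boot where rodata_enabled is set, while the comment justifies it only by the W+X scan, so the comment should say whether the wait is wanted on boots where that scan does not run.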