From: Nadav Amit
To: Andy Lutomirski, Masami Hiramatsu
CC: Thomas Gleixner, LKML, Ingo Molnar, X86 ML, Arnd Bergmann, linux-arch, Kees Cook, Peter Zijlstra
Subject: Re: [RFC PATCH 2/6] x86/mm: temporary mm struct
Date: Wed, 29 Aug 2018 16:54:13 +0000
References: <20180829081147.184610-1-namit@vmware.com> <20180829081147.184610-3-namit@vmware.com> <20180829184925.64caee4dadf705080373f84f@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

at
8:41 AM, Andy Lutomirski wrote:

> On Wed, Aug 29, 2018 at 2:49 AM, Masami Hiramatsu wrote:
>> On Wed, 29 Aug 2018 01:11:43 -0700
>> Nadav Amit wrote:
>>
>>> From: Andy Lutomirski
>>>
>>> Sometimes we want to set a temporary page-table entries (PTEs) in one of
>>> the cores, without allowing other cores to use - even speculatively -
>>> these mappings. There are two benefits for doing so:
>>>
>>> (1) Security: if sensitive PTEs are set, temporary mm prevents their use
>>> in other cores. This hardens the security as it prevents exploding a
>>> dangling pointer to overwrite sensitive data using the sensitive PTE.
>>>
>>> (2) Avoiding TLB shootdowns: the PTEs do not need to be flushed in
>>> remote page-tables.
>>>
>>> To do so a temporary mm_struct can be used. Mappings which are private
>>> for this mm can be set in the userspace part of the address-space.
>>> During the whole time in which the temporary mm is loaded, interrupts
>>> must be disabled.
>>>
>>> The first use-case for temporary PTEs, which will follow, is for poking
>>> the kernel text.
>>>
>>> [ Commit message was written by Nadav ]
>>>
>>> Cc: Andy Lutomirski
>>> Cc: Masami Hiramatsu
>>> Cc: Kees Cook
>>> Cc: Peter Zijlstra
>>> Signed-off-by: Nadav Amit
>>> ---
>>> arch/x86/include/asm/mmu_context.h | 20 ++++++++++++++++++++
>>> 1 file changed, 20 insertions(+)
>>>
>>> diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/= mmu_context.h >>> index eeeb9289c764..96afc8c0cf15 100644 >>> --- a/arch/x86/include/asm/mmu_context.h >>> +++ b/arch/x86/include/asm/mmu_context.h
>>> @@ -338,4 +338,24 @@ static inline unsigned long __get_current_cr3_fast= (void) >>> return cr3; >>> } >>>=20 >>> +typedef struct { >>> + struct mm_struct *prev; >>> +} temporary_mm_state_t; >>> + >>> +static inline temporary_mm_state_t use_temporary_mm(struct mm_struct *= mm) >>> +{ >>> + temporary_mm_state_t state; >>> + >>> + lockdep_assert_irqs_disabled(); >>> + state.prev =3D this_cpu_read(cpu_tlbstate.loaded_mm); >>> + switch_mm_irqs_off(NULL, mm, current); >>> + return state; >>> +}
>>
>> Hmm, why don't we return mm_struct *prev directly?
>
> I did it this way to make it easier to add future debugging stuff
> later. Also, when I first wrote this, I stashed the old CR3 instead
> of the old mm_struct, and it seemed like callers should be insulated
> from details like this.

Andy, please let me know if you want me to change it somehow, and please provide your signed-off-by.
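
Review bot: use_temporary_mm() carries no comment stating its contract. The commit message says interrupts must stay disabled for the whole time the temporary mm is loaded, but the code only checks this once, at entry, through lockdep_assert_irqs_disabled(), which checks nothing on builds without lockdep. A kernel-doc comment above use_temporary_mm() should state that requirement and say that the returned temporary_mm_state_t records the previously loaded mm in state.prev. A one-line comment on temporary_mm_state_t explaining why it is an opaque struct rather than a bare struct mm_struct * would also keep the rationale given in this thread next to the code.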