Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3592846imu; Sun, 11 Nov 2018 18:54:59 -0800 (PST) X-Google-Smtp-Source: AJdET5f+d1bTTri5B/NPTK3RySrWyLCGcTOnXEKOekYWKu+237el7CaEhoz1nsvoGUIB0VnMJ2jN X-Received: by 2002:a17:902:887:: with SMTP id 7-v6mr10400707pll.283.1541991299721; Sun, 11 Nov 2018 18:54:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541991299; cv=none; d=google.com; s=arc-20160816; b=q/v59GdxmNqIFk4CflH1LYgmoNRjZEhpiN4eugXnuEpfPSuhTi1GvRHG87eqW5SYTn O+j3/SFygmd9DV5+D6XeTcLIwbSv9o8JIeIzpHgYXISG3z4lXMuED5fCwBWYW1FzKzlA /BpqcZPJ1OwgRIT8LZGCacAuaR3j54HhxvucJfPLd89vf05HFP+NAUWX39BU2hP/Jdcf FX2/eIyDFtdTYC/p0rasDZ2yKC8DrExYc9xlHnbcVwfeHassGHFD7SceVep+wQmUZtv6 9eG9oMBhXkOVuSYVLkMmwZ7ApQQtl9PUiaMd6oAmAZTzJ4HgI5KVFbOrabtvT33YkdhL lxrA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date :dkim-signature; bh=iUPTeUlkDZopWO147HbzQEtm1dPP6+ks/t7K/3YKNA0=; b=JPnxiWxSDxjm+B8qx0nwFllO1S49Rj6SBb4fmNTwB38ETo6xblpmykF7SPejAc18uZ +Wiv0+w0iiVpTxXZwCj3ieWtvmkkUxQ4wWQF8RQkGiCYAy88F6+jmqdYIwIcjCRXjzRd YTk9EAAanR64rD+wCuW1xjXiIjhfVHnpdvb6NTJgnP3+Nw6rHpMvX5J14zTJJ4E54H1u c17CsD1MKbqiBNeJtP9eVU6y682sywz4gmgsEMawZYqle0zZTQpot3mfZrLOzuzu6XRM 7Mcxdt1mmboRXQCPtkdef551jeA5OQibe6/Kl9JAcLp50egw+PwKb2qBbb/5AUOUAvlp U4bQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="YGPdZQV/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d4-v6si16127239pla.203.2018.11.11.18.54.44; Sun, 11 Nov 2018 18:54:59 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="YGPdZQV/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730311AbeKLMp1 (ORCPT + 99 others); Mon, 12 Nov 2018 07:45:27 -0500 Received: from mail.kernel.org ([198.145.29.99]:50214 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729884AbeKLMp1 (ORCPT ); Mon, 12 Nov 2018 07:45:27 -0500 Received: from devnote (NE2965lan1.rev.em-net.ne.jp [210.141.244.193]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6B3E9208A3; Mon, 12 Nov 2018 02:54:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1541991263; bh=E4po7NNr+yh8akWTpaMrcpEQ2F1dZwvZK8uJLkGbD+w=; h=Date:From:To:Cc:Subject:In-Reply-To:References:From; b=YGPdZQV/6/QhsEW6vkZA0skX73WOWMFH94M+W4a6jzzOXqQE5zDMZjO7LQ/cg/Q8q 8jqxD2KmiFjEPR5inPPmNgd+8PgTN+tsRPFa4twQuJqTN1AyslgdqAr49h/W0gnL5K Qgr3AL0ZcIUdn4HxjSJHKvG5vjTmQ4gJqHBkCz3U= Date: Mon, 12 Nov 2018 11:54:19 +0900 From: Masami Hiramatsu To: Nadav Amit Cc: Ingo Molnar , , , "H. Peter Anvin" , Thomas Gleixner , Borislav Petkov , Dave Hansen , Jiri Kosina , Andy Lutomirski , Kees Cook , Dave Hansen , Masami Hiramatsu Subject: Re: [PATCH v4 01/10] Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()" Message-Id: <20181112115419.3e86d8a522b6c7457c036dc9@kernel.org> In-Reply-To: <20181110231732.15060-2-namit@vmware.com> References: <20181110231732.15060-1-namit@vmware.com> <20181110231732.15060-2-namit@vmware.com> X-Mailer: Sylpheed 3.5.0 (GTK+ 2.24.30; x86_64-pc-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, 10 Nov 2018 15:17:23 -0800 Nadav Amit wrote: > text_mutex is currently expected to be held before text_poke() is > called, but we kgdb does not take the mutex, and instead *supposedly* > ensures the lock is not taken and will not be acquired by any other core > while text_poke() is running. > > The reason for the "supposedly" comment is that it is not entirely clear > that this would be the case if gdb_do_roundup is zero. > > This patch creates two wrapper functions, text_poke() and > text_poke_kgdb() which do or do not run the lockdep assertion > respectively. > > While we are at it, change the return code of text_poke() to something > meaningful. One day, callers might actually respect it and the existing > BUG_ON() when patching fails could be removed. For kgdb, the return > value can actually be used. Hm, this looks reasonable and good to me. Reviewed-by: Masami Hiramatsu Thank you! > > Cc: Jiri Kosina > Cc: Andy Lutomirski > Cc: Kees Cook > Cc: Dave Hansen > Cc: Masami Hiramatsu > Fixes: 9222f606506c ("x86/alternatives: Lockdep-enforce text_mutex in text_poke*()") > Suggested-by: Peter Zijlstra > Signed-off-by: Nadav Amit > --- > arch/x86/include/asm/text-patching.h | 3 +- > arch/x86/kernel/alternative.c | 72 +++++++++++++++++++++------- > arch/x86/kernel/kgdb.c | 15 ++++-- > 3 files changed, 66 insertions(+), 24 deletions(-) > > diff --git a/arch/x86/include/asm/text-patching.h b/arch/x86/include/asm/text-patching.h > index e85ff65c43c3..5a2600370763 100644 > --- a/arch/x86/include/asm/text-patching.h > +++ b/arch/x86/include/asm/text-patching.h > @@ -34,7 +34,8 @@ extern void *text_poke_early(void *addr, const void *opcode, size_t len); > * On the local CPU you need to be protected again NMI or MCE handlers seeing an > * inconsistent instruction while you patch. > */ > -extern void *text_poke(void *addr, const void *opcode, size_t len); > +extern int text_poke(void *addr, const void *opcode, size_t len); > +extern int text_poke_kgdb(void *addr, const void *opcode, size_t len); > extern int poke_int3_handler(struct pt_regs *regs); > extern void *text_poke_bp(void *addr, const void *opcode, size_t len, void *handler); > extern int after_bootmem; > diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c > index ebeac487a20c..ebe9210dc92e 100644 > --- a/arch/x86/kernel/alternative.c > +++ b/arch/x86/kernel/alternative.c > @@ -678,23 +678,12 @@ void *__init_or_module text_poke_early(void *addr, const void *opcode, > return addr; > } > > -/** > - * text_poke - Update instructions on a live kernel > - * @addr: address to modify > - * @opcode: source of the copy > - * @len: length to copy > - * > - * Only atomic text poke/set should be allowed when not doing early patching. > - * It means the size must be writable atomically and the address must be aligned > - * in a way that permits an atomic write. It also makes sure we fit on a single > - * page. > - */ > -void *text_poke(void *addr, const void *opcode, size_t len) > +static int __text_poke(void *addr, const void *opcode, size_t len) > { > unsigned long flags; > char *vaddr; > struct page *pages[2]; > - int i; > + int i, r = 0; > > /* > * While boot memory allocator is runnig we cannot use struct > @@ -702,8 +691,6 @@ void *text_poke(void *addr, const void *opcode, size_t len) > */ > BUG_ON(!after_bootmem); > > - lockdep_assert_held(&text_mutex); > - > if (!core_kernel_text((unsigned long)addr)) { > pages[0] = vmalloc_to_page(addr); > pages[1] = vmalloc_to_page(addr + PAGE_SIZE); > @@ -712,7 +699,8 @@ void *text_poke(void *addr, const void *opcode, size_t len) > WARN_ON(!PageReserved(pages[0])); > pages[1] = virt_to_page(addr + PAGE_SIZE); > } > - BUG_ON(!pages[0]); > + if (!pages[0]) > + return -EFAULT; > local_irq_save(flags); > set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0])); > if (pages[1]) > @@ -727,9 +715,57 @@ void *text_poke(void *addr, const void *opcode, size_t len) > /* Could also do a CLFLUSH here to speed up CPU recovery; but > that causes hangs on some VIA CPUs. */ > for (i = 0; i < len; i++) > - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]); > + if (((char *)addr)[i] != ((char *)opcode)[i]) > + r = -EFAULT; > local_irq_restore(flags); > - return addr; > + return r; > +} > + > +/** > + * text_poke - Update instructions on a live kernel > + * @addr: address to modify > + * @opcode: source of the copy > + * @len: length to copy > + * > + * Only atomic text poke/set should be allowed when not doing early patching. > + * It means the size must be writable atomically and the address must be aligned > + * in a way that permits an atomic write. It also makes sure we fit on a single > + * page. > + */ > +int text_poke(void *addr, const void *opcode, size_t len) > +{ > + int r; > + > + lockdep_assert_held(&text_mutex); > + > + r = __text_poke(addr, opcode, len); > + > + /* > + * TODO: change the callers to consider the return value and remove this > + * historical assertion. > + */ > + BUG_ON(r); > + > + return r; > +} > + > +/** > + * text_poke_kgdb - Update instructions on a live kernel by kgdb > + * @addr: address to modify > + * @opcode: source of the copy > + * @len: length to copy > + * > + * Only atomic text poke/set should be allowed when not doing early patching. > + * It means the size must be writable atomically and the address must be aligned > + * in a way that permits an atomic write. It also makes sure we fit on a single > + * page. > + * > + * Context: should only be used by kgdb, which ensures no other core is running, > + * despite the fact it does not hold the text_mutex. > + */ > +int text_poke_kgdb(void *addr, const void *opcode, size_t len) > +{ > + return __text_poke(addr, opcode, len); > } > > static void do_sync_core(void *info) > diff --git a/arch/x86/kernel/kgdb.c b/arch/x86/kernel/kgdb.c > index 8e36f249646e..8091b2e381d4 100644 > --- a/arch/x86/kernel/kgdb.c > +++ b/arch/x86/kernel/kgdb.c > @@ -763,13 +763,15 @@ int kgdb_arch_set_breakpoint(struct kgdb_bkpt *bpt) > if (!err) > return err; > /* > - * It is safe to call text_poke() because normal kernel execution > + * It is safe to call text_poke_kgdb() because normal kernel execution > * is stopped on all cores, so long as the text_mutex is not locked. > */ > if (mutex_is_locked(&text_mutex)) > return -EBUSY; > - text_poke((void *)bpt->bpt_addr, arch_kgdb_ops.gdb_bpt_instr, > - BREAK_INSTR_SIZE); > + err = text_poke_kgdb((void *)bpt->bpt_addr, arch_kgdb_ops.gdb_bpt_instr, > + BREAK_INSTR_SIZE); > + if (err) > + return err; > err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE); > if (err) > return err; > @@ -788,12 +790,15 @@ int kgdb_arch_remove_breakpoint(struct kgdb_bkpt *bpt) > if (bpt->type != BP_POKE_BREAKPOINT) > goto knl_write; > /* > - * It is safe to call text_poke() because normal kernel execution > + * It is safe to call text_poke_kgdb() because normal kernel execution > * is stopped on all cores, so long as the text_mutex is not locked. > */ > if (mutex_is_locked(&text_mutex)) > goto knl_write; > - text_poke((void *)bpt->bpt_addr, bpt->saved_instr, BREAK_INSTR_SIZE); > + err = text_poke_kgdb((void *)bpt->bpt_addr, bpt->saved_instr, > + BREAK_INSTR_SIZE); > + if (err) > + return err; > err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE); > if (err || memcmp(opc, bpt->saved_instr, BREAK_INSTR_SIZE)) > goto knl_write; > -- > 2.17.1 > -- Masami Hiramatsu