Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2384221imu; Thu, 29 Nov 2018 04:14:54 -0800 (PST) X-Google-Smtp-Source: AFSGD/VJTniu0JhA++n746NVarhQNamYN7IZGZ23m93xuIcCgvr2qD/5ntc7alCYIjEj8YPbxJRx X-Received: by 2002:a62:e0d8:: with SMTP id d85mr1138061pfm.214.1543493694532; Thu, 29 Nov 2018 04:14:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543493694; cv=none; d=google.com; s=arc-20160816; b=GMGGeuyA4FjjvObXVj1qQ7y6pZo8QCxuVMutqlFdvOwsWPTNtTT/uscfR6EN22i6fm Fwg4HhUd/YFE6Rf6lfgZTbA9AVeL5nzYQixRyn4PIvuoPrjpmo7WuzyqmbWTO0bmsW5j sdDUVlEZXJchV/1b952d2E7AYds5pfPn2EqXcQ7qbBZx1qWKkv19itzxZ5quLShixJ/X IxXPDXeYb8cUGjfTaT8EJYpr/ujrhYzvX/0qfOgNtbKm89QZvpheVV4GtANcQAcPGsGk JW5JRzQbmrh5LPwnsxiQltQ66F+zfCUQ43klkigYxwxXSTZUwhFvpHuIGO6kSF4UIGMa Z0KQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=+zVa8XF4mbHr4ANgBDnQYzwMi3+EJG2YWvhwiDUJxTQ=; b=M5j5bMt3rcd+YeSsmUoG+jCU8q/c8kXmBUOW+7XVNjaCqan9b2/zTjh+qni9hOzwjA LW9XBsSPLzjJOFFZQEeMxbTcrpOsLBGWptDGwX/LYZnWREMa2YArdtoWmoc8ocU1AFHb 1PfzFkf7YRWutVnsodfCOlj128GS1wjA9K2MEgBbpmIOdeyr1rzSPVGkJa41UKuCVTmv PbiK2JrlCJSF5AyPCA1hKhNNzw/fgeumPtnOb/oREpoh+/+7LL+ese1VDlr9284yWPTr YjMYCDy6JW2ROZJadFe0xnnm/PZ+NhLmXu30lW4QyMUBloLOzxtHUFU18PfEE2H1SqdR eHLA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k11si1955326plt.68.2018.11.29.04.14.38; Thu, 29 Nov 2018 04:14:54 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727981AbeK2XRq (ORCPT + 99 others); Thu, 29 Nov 2018 18:17:46 -0500 Received: from pegase1.c-s.fr ([93.17.236.30]:62901 "EHLO pegase1.c-s.fr" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726683AbeK2XRq (ORCPT ); Thu, 29 Nov 2018 18:17:46 -0500 Received: from localhost (mailhub1-int [192.168.12.234]) by localhost (Postfix) with ESMTP id 435GcL4KTpz9vGxw; Thu, 29 Nov 2018 13:12:34 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at c-s.fr Received: from pegase1.c-s.fr ([192.168.12.234]) by localhost (pegase1.c-s.fr [192.168.12.234]) (amavisd-new, port 10024) with ESMTP id B2j74Y-Puwei; Thu, 29 Nov 2018 13:12:34 +0100 (CET) Received: from messagerie.si.c-s.fr (messagerie.si.c-s.fr [192.168.25.192]) by pegase1.c-s.fr (Postfix) with ESMTP id 435GcL3ggMz9vGxv; Thu, 29 Nov 2018 13:12:34 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by messagerie.si.c-s.fr (Postfix) with ESMTP id 9E6DB8B89A; Thu, 29 Nov 2018 13:12:35 +0100 (CET) X-Virus-Scanned: amavisd-new at c-s.fr Received: from messagerie.si.c-s.fr ([127.0.0.1]) by localhost (messagerie.si.c-s.fr [127.0.0.1]) (amavisd-new, port 10023) with ESMTP id SkVQhbmlSxdj; Thu, 29 Nov 2018 13:12:35 +0100 (CET) Received: from PO15451 (unknown [192.168.232.3]) by messagerie.si.c-s.fr (Postfix) with ESMTP id E65EA8B899; Thu, 29 Nov 2018 13:12:34 +0100 (CET) Subject: Re: [PATCH] powerpc/mm: add exec protection on powerpc 603 To: "Aneesh Kumar K.V" , Benjamin Herrenschmidt , Paul Mackerras , Michael Ellerman Cc: linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org References: From: Christophe LEROY Message-ID: Date: Thu, 29 Nov 2018 13:12:34 +0100 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: fr Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Le 29/11/2018 à 12:25, Aneesh Kumar K.V a écrit : > On 11/16/18 10:50 PM, Christophe Leroy wrote: >> The 603 doesn't have a HASH table, TLB misses are handled by >> software. It is then possible to generate page fault when >> _PAGE_EXEC is not set like in nohash/32. >> >> In order to support it, set_pte_filter() and >> set_access_flags_filter() are made common, and the handling >> is made dependent on MMU_FTR_HPTE_TABLE >> >> Signed-off-by: Christophe Leroy >> --- >>   arch/powerpc/include/asm/book3s/32/hash.h    |  1 + >>   arch/powerpc/include/asm/book3s/32/pgtable.h | 18 +++++++++--------- >>   arch/powerpc/include/asm/cputable.h          |  8 ++++---- >>   arch/powerpc/kernel/head_32.S                |  2 ++ >>   arch/powerpc/mm/pgtable.c                    | 20 +++++++++++--------- >>   5 files changed, 27 insertions(+), 22 deletions(-) >> >> diff --git a/arch/powerpc/include/asm/book3s/32/hash.h >> b/arch/powerpc/include/asm/book3s/32/hash.h >> index f2892c7ab73e..2a0a467d2985 100644 >> --- a/arch/powerpc/include/asm/book3s/32/hash.h >> +++ b/arch/powerpc/include/asm/book3s/32/hash.h >> @@ -26,6 +26,7 @@ >>   #define _PAGE_WRITETHRU    0x040    /* W: cache write-through */ >>   #define _PAGE_DIRTY    0x080    /* C: page changed */ >>   #define _PAGE_ACCESSED    0x100    /* R: page referenced */ >> +#define _PAGE_EXEC    0x200    /* software: exec allowed */ >>   #define _PAGE_RW    0x400    /* software: user write access allowed */ >>   #define _PAGE_SPECIAL    0x800    /* software: Special page */ >> diff --git a/arch/powerpc/include/asm/book3s/32/pgtable.h >> b/arch/powerpc/include/asm/book3s/32/pgtable.h >> index c21d33704633..cf844fed4527 100644 >> --- a/arch/powerpc/include/asm/book3s/32/pgtable.h >> +++ b/arch/powerpc/include/asm/book3s/32/pgtable.h >> @@ -10,9 +10,9 @@ >>   /* And here we include common definitions */ >>   #define _PAGE_KERNEL_RO        0 >> -#define _PAGE_KERNEL_ROX    0 >> +#define _PAGE_KERNEL_ROX    (_PAGE_EXEC) >>   #define _PAGE_KERNEL_RW        (_PAGE_DIRTY | _PAGE_RW) >> -#define _PAGE_KERNEL_RWX    (_PAGE_DIRTY | _PAGE_RW) >> +#define _PAGE_KERNEL_RWX    (_PAGE_DIRTY | _PAGE_RW | _PAGE_EXEC) >>   #define _PAGE_HPTEFLAGS _PAGE_HASHPTE >> @@ -66,11 +66,11 @@ static inline bool pte_user(pte_t pte) >>    */ >>   #define PAGE_NONE    __pgprot(_PAGE_BASE) >>   #define PAGE_SHARED    __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW) >> -#define PAGE_SHARED_X    __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW) >> +#define PAGE_SHARED_X    __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_RW >> | _PAGE_EXEC) >>   #define PAGE_COPY    __pgprot(_PAGE_BASE | _PAGE_USER) >> -#define PAGE_COPY_X    __pgprot(_PAGE_BASE | _PAGE_USER) >> +#define PAGE_COPY_X    __pgprot(_PAGE_BASE | _PAGE_USER | _PAGE_EXEC) >>   #define PAGE_READONLY    __pgprot(_PAGE_BASE | _PAGE_USER) >> -#define PAGE_READONLY_X    __pgprot(_PAGE_BASE | _PAGE_USER) >> +#define PAGE_READONLY_X    __pgprot(_PAGE_BASE | _PAGE_USER | >> _PAGE_EXEC) >>   /* Permission masks used for kernel mappings */ >>   #define PAGE_KERNEL    __pgprot(_PAGE_BASE | _PAGE_KERNEL_RW) >> @@ -318,7 +318,7 @@ static inline void __ptep_set_access_flags(struct >> vm_area_struct *vma, >>                          int psize) >>   { >>       unsigned long set = pte_val(entry) & >> -        (_PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_RW); >> +        (_PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_RW | _PAGE_EXEC); >>       pte_update(ptep, 0, set); >> @@ -384,7 +384,7 @@ static inline int pte_dirty(pte_t pte)        { >> return !!(pte_val(pte) & _PAGE_DIRTY); >>   static inline int pte_young(pte_t pte)        { return >> !!(pte_val(pte) & _PAGE_ACCESSED); } >>   static inline int pte_special(pte_t pte)    { return !!(pte_val(pte) >> & _PAGE_SPECIAL); } >>   static inline int pte_none(pte_t pte)        { return (pte_val(pte) >> & ~_PTE_NONE_MASK) == 0; } >> -static inline bool pte_exec(pte_t pte)        { return true; } >> +static inline bool pte_exec(pte_t pte)        { return pte_val(pte) & >> _PAGE_EXEC; } >>   static inline int pte_present(pte_t pte) >>   { >> @@ -451,7 +451,7 @@ static inline pte_t pte_wrprotect(pte_t pte) >>   static inline pte_t pte_exprotect(pte_t pte) >>   { >> -    return pte; >> +    return __pte(pte_val(pte) & ~_PAGE_EXEC); >>   } >>   static inline pte_t pte_mkclean(pte_t pte) >> @@ -466,7 +466,7 @@ static inline pte_t pte_mkold(pte_t pte) >>   static inline pte_t pte_mkexec(pte_t pte) >>   { >> -    return pte; >> +    return __pte(pte_val(pte) | _PAGE_EXEC); >>   } >>   static inline pte_t pte_mkpte(pte_t pte) >> diff --git a/arch/powerpc/include/asm/cputable.h >> b/arch/powerpc/include/asm/cputable.h >> index 29f49a35d6ee..a0395ccbbe9e 100644 >> --- a/arch/powerpc/include/asm/cputable.h >> +++ b/arch/powerpc/include/asm/cputable.h >> @@ -296,7 +296,7 @@ static inline void cpu_feature_keys_init(void) { } >>   #define CPU_FTRS_PPC601    (CPU_FTR_COMMON | CPU_FTR_601 | \ >>       CPU_FTR_COHERENT_ICACHE | CPU_FTR_UNIFIED_ID_CACHE | >> CPU_FTR_USE_RTC) >>   #define CPU_FTRS_603    (CPU_FTR_COMMON | CPU_FTR_MAYBE_CAN_DOZE | \ >> -        CPU_FTR_MAYBE_CAN_NAP | CPU_FTR_PPC_LE) >> +        CPU_FTR_MAYBE_CAN_NAP | CPU_FTR_PPC_LE | CPU_FTR_NOEXECUTE) >>   #define CPU_FTRS_604    (CPU_FTR_COMMON | CPU_FTR_PPC_LE) >>   #define CPU_FTRS_740_NOTAU    (CPU_FTR_COMMON | \ >>           CPU_FTR_MAYBE_CAN_DOZE | CPU_FTR_L2CR | \ >> @@ -367,15 +367,15 @@ static inline void cpu_feature_keys_init(void) { } >>           CPU_FTR_MAYBE_CAN_NAP | CPU_FTR_L2CR | CPU_FTR_ALTIVEC_COMP | \ >>           CPU_FTR_SPEC7450 | CPU_FTR_NAP_DISABLE_L2_PR | \ >>           CPU_FTR_PPC_LE | CPU_FTR_NEED_PAIRED_STWCX) >> -#define CPU_FTRS_82XX    (CPU_FTR_COMMON | CPU_FTR_MAYBE_CAN_DOZE) >> +#define CPU_FTRS_82XX    (CPU_FTR_COMMON | CPU_FTR_MAYBE_CAN_DOZE | >> CPU_FTR_NOEXECUTE) >>   #define CPU_FTRS_G2_LE    (CPU_FTR_COMMON | CPU_FTR_MAYBE_CAN_DOZE | \ >>           CPU_FTR_MAYBE_CAN_NAP) >>   #define CPU_FTRS_E300    (CPU_FTR_MAYBE_CAN_DOZE | \ >>           CPU_FTR_MAYBE_CAN_NAP | \ >> -        CPU_FTR_COMMON) >> +        CPU_FTR_COMMON  | CPU_FTR_NOEXECUTE) >>   #define CPU_FTRS_E300C2    (CPU_FTR_MAYBE_CAN_DOZE | \ >>           CPU_FTR_MAYBE_CAN_NAP | \ >> -        CPU_FTR_COMMON | CPU_FTR_FPU_UNAVAILABLE) >> +        CPU_FTR_COMMON | CPU_FTR_FPU_UNAVAILABLE  | CPU_FTR_NOEXECUTE) >>   #define CPU_FTRS_CLASSIC32    (CPU_FTR_COMMON) >>   #define CPU_FTRS_8XX    (CPU_FTR_NOEXECUTE) >>   #define CPU_FTRS_40X    (CPU_FTR_NODSISRALIGN | CPU_FTR_NOEXECUTE) >> diff --git a/arch/powerpc/kernel/head_32.S >> b/arch/powerpc/kernel/head_32.S >> index 61ca27929355..50e892763dbb 100644 >> --- a/arch/powerpc/kernel/head_32.S >> +++ b/arch/powerpc/kernel/head_32.S >> @@ -515,6 +515,8 @@ InstructionTLBMiss: >>       lwz    r0,0(r2)        /* get linux-style pte */ >>       andc.    r1,r1,r0        /* check access & ~permission */ >>       bne-    InstructionAddressInvalid /* return if access not >> permitted */ >> +    andi.    r1,r0,_PAGE_EXEC >> +    beq-    InstructionAddressInvalid /* return if not _PAGE_EXEC */ >>       ori    r0,r0,_PAGE_ACCESSED    /* set _PAGE_ACCESSED in pte */ > > Can we get a DataTLB miss and expect to map that in TLB with Exec > permission? There are two independant sets for TLBs, one set for data accesses and one set for instruction fetches. On a data TLB miss, a data TLB is loaded with tlbld instruction. On an instruction TLB miss, a insn TLB is loaded with tlbli instruction. So if I understand your question correctly, the answer is 'no'. > >>       /* >>        * NOTE! We are assuming this is not an SMP system, otherwise >> diff --git a/arch/powerpc/mm/pgtable.c b/arch/powerpc/mm/pgtable.c >> index 010e1c616cb2..3d86fe9d2ff4 100644 >> --- a/arch/powerpc/mm/pgtable.c >> +++ b/arch/powerpc/mm/pgtable.c >> @@ -74,7 +74,7 @@ static struct page *maybe_pte_to_page(pte_t pte) >>    * support falls into the same category. >>    */ >> -static pte_t set_pte_filter(pte_t pte) >> +static pte_t set_pte_filter_hash(pte_t pte) >>   { >>       if (radix_enabled()) >>           return pte; >> @@ -93,14 +93,12 @@ static pte_t set_pte_filter(pte_t pte) >>       return pte; >>   } >> -static pte_t set_access_flags_filter(pte_t pte, struct vm_area_struct >> *vma, >> -                     int dirty) >> -{ >> -    return pte; >> -} >> - >>   #else /* CONFIG_PPC_BOOK3S */ >> +static pte_t set_pte_filter_hash(pte_t pte) { return pte; } >> + >> +#endif /* CONFIG_PPC_BOOK3S */ >> + >>   /* Embedded type MMU with HW exec support. This is a bit more >> complicated >>    * as we don't have two bits to spare for _PAGE_EXEC and >> _PAGE_HWEXEC so >>    * instead we "filter out" the exec permission for non clean pages. >> @@ -109,6 +107,9 @@ static pte_t set_pte_filter(pte_t pte) >>   { >>       struct page *pg; >> +    if (mmu_has_feature(MMU_FTR_HPTE_TABLE)) >> +        return set_pte_filter_hash(pte); > > so 603 doesn't have a coherent icache? That's right, see asm/cputable.h > >> + >>       /* No exec permission in the first place, move on */ >>       if (!pte_exec(pte) || !pte_looks_normal(pte)) >>           return pte; >> @@ -138,6 +139,9 @@ static pte_t set_access_flags_filter(pte_t pte, >> struct vm_area_struct *vma, >>   { >>       struct page *pg; >> +    if (mmu_has_feature(MMU_FTR_HPTE_TABLE)) >> +        return pte; >> + >>       /* So here, we only care about exec faults, as we use them >>        * to recover lost _PAGE_EXEC and perform I$/D$ coherency >>        * if necessary. Also if _PAGE_EXEC is already set, same deal, >> @@ -172,8 +176,6 @@ static pte_t set_access_flags_filter(pte_t pte, >> struct vm_area_struct *vma, >>       return pte_mkexec(pte); >>   } >> -#endif /* CONFIG_PPC_BOOK3S */ >> - >>   /* >>    * set_pte stores a linux PTE into the linux page table. >>    */ >> > > The code looks good from book3s 64 point. I am not familiar with 603 > hardware. > > Reviewed-by: Aneesh Kumar K.V Thanks Christophe > > -aneesh