Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp3551081ybg; Mon, 28 Oct 2019 14:49:18 -0700 (PDT) X-Google-Smtp-Source: APXvYqzjLPJK86/qX+TNJh5EqSVp2kfHub/1/JFE1GdgXiQga9gT3cPiatyos81PKU3Q+wv3uFQp X-Received: by 2002:a17:906:c836:: with SMTP id dd22mr50649ejb.178.1572299358296; Mon, 28 Oct 2019 14:49:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1572299358; cv=none; d=google.com; s=arc-20160816; b=L7RfDFYcDzWJK6cxAC0LZHj76SrNHwSXk9SVhdLGQ9GY83HXi0OQLCcjYmMMJhPXb1 1AIjENhpnskjeXkSnGxDQcosqww+hnS1SjIsS5PT2UvugZFW2RCm/uOTcy1fXzyXhMK3 UPBU7SNfrxtSxG5ymnZCiobXtDLUiRd/qbfrbc635nO4mBPh7QZMJ3GLdPy7otfcmpGs lQnSY26/atnZGsxPrxEIOY+rbHTHjivZsOt6V0Rc4sEx47VIo4rNCilQ6lKJ1f+Qivjz exIhDKm0TPQSRFtzkD1wsClV6f2i96dka0oyjOZYHSW5tNM2ly6ia1HAuIvREcuFIkqd Mh+g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=EUvLIkdc0IirrJRjb+cf3QHnMiZeWuqm+X4DDSMCx+c=; b=Vy0L63qiW6MHZWm/TQwplyMKK6wuquig/tkFRapQcRA1TSVSubNlKQAWixj0OFcvsO VW0AOh8kHXTf9HJi66jnjG32duJ6eE/IrWkU+xSke41onYyJNj0OBb5q38+Vs5fClIpQ w+9YWf6K/NgaD4BuoataZagKKMVGzKN8FzUCy3E88Cxo2oN4H1EamwpD8o3MpbWyE5K8 brUAfGYfwSBpIhY/WrYiz9Gl+HWkSk4Y3VPGcJQmGki1aHvSMPJeC9PIBxmFMyntu9ry cbDnn2SgCD6UfLqKw3cI2dGIB8XQa61RYKJU9oLlOfFcgDo7/pfSqshsTO4Va5vJOQ4G YMtg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="HDA/GO3/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z33si7465956edz.114.2019.10.28.14.48.54; Mon, 28 Oct 2019 14:49:18 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="HDA/GO3/"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390795AbfJ1SC6 (ORCPT + 99 others); Mon, 28 Oct 2019 14:02:58 -0400 Received: from mail.kernel.org ([198.145.29.99]:43252 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732035AbfJ1SC6 (ORCPT ); Mon, 28 Oct 2019 14:02:58 -0400 Received: from mail-wr1-f53.google.com (mail-wr1-f53.google.com [209.85.221.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id A966D222C5 for ; Mon, 28 Oct 2019 18:02:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1572285776; bh=z+ls7tY9FydbXkZifzUsINlks/TY83Qg10OvpMJem5Y=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=HDA/GO3/EzfOrCmw0z6mWZJU2StimT/3qGL5kVoF5IN+iSrQ5Y26PbsCL9FFqNZY9 WijMqBubXjpjqsmMx2ylXS+uUIaI/5UZEZxxTKhNapZ3c89cxyC+K+8N7SRk5SYOoZ BF/b/kIC8WQf6Lwh2dNWvHfEnSUIskyVn+7hb0Mk= Received: by mail-wr1-f53.google.com with SMTP id z11so10857822wro.11 for ; Mon, 28 Oct 2019 11:02:56 -0700 (PDT) X-Gm-Message-State: APjAAAWJJc6h0bta+cRdA8kPoxxIb5r8QLsUd2pSB3OIjawLDO3kjI2c KPMSxeCatGCRajuNzTzd8fGYoWA0raNsMt+CtYOj9g== X-Received: by 2002:a5d:51c2:: with SMTP id n2mr15773727wrv.149.1572285775063; Mon, 28 Oct 2019 11:02:55 -0700 (PDT) MIME-Version: 1.0 References: <1572171452-7958-1-git-send-email-rppt@kernel.org> <1572171452-7958-2-git-send-email-rppt@kernel.org> In-Reply-To: <1572171452-7958-2-git-send-email-rppt@kernel.org> From: Andy Lutomirski Date: Mon, 28 Oct 2019 11:02:44 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH RFC] mm: add MAP_EXCLUSIVE to create exclusive user mappings To: Mike Rapoport Cc: LKML , Alexey Dobriyan , Andrew Morton , Andy Lutomirski , Arnd Bergmann , Borislav Petkov , Dave Hansen , James Bottomley , Peter Zijlstra , Steven Rostedt , Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , Linux API , Linux-MM , X86 ML , Mike Rapoport Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Oct 27, 2019 at 3:17 AM Mike Rapoport wrote: > > From: Mike Rapoport > > The mappings created with MAP_EXCLUSIVE are visible only in the context of > the owning process and can be used by applications to store secret > information that will not be visible not only to other processes but to the > kernel as well. > > The pages in these mappings are removed from the kernel direct map and > marked with PG_user_exclusive flag. When the exclusive area is unmapped, > the pages are mapped back into the direct map. > > The MAP_EXCLUSIVE flag implies MAP_POPULATE and MAP_LOCKED. > > Signed-off-by: Mike Rapoport > --- > arch/x86/mm/fault.c | 14 ++++++++++ > fs/proc/task_mmu.c | 1 + > include/linux/mm.h | 9 +++++++ > include/linux/page-flags.h | 7 +++++ > include/linux/page_excl.h | 49 ++++++++++++++++++++++++++++++++++ > include/trace/events/mmflags.h | 9 ++++++- > include/uapi/asm-generic/mman-common.h | 1 + > kernel/fork.c | 3 ++- > mm/Kconfig | 3 +++ > mm/gup.c | 8 ++++++ > mm/memory.c | 3 +++ > mm/mmap.c | 16 +++++++++++ > mm/page_alloc.c | 5 ++++ > 13 files changed, 126 insertions(+), 2 deletions(-) > create mode 100644 include/linux/page_excl.h > > diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c > index 9ceacd1..8f73a75 100644 > --- a/arch/x86/mm/fault.c > +++ b/arch/x86/mm/fault.c > @@ -17,6 +17,7 @@ > #include /* exception_enter(), ... */ > #include /* faulthandler_disabled() */ > #include /* efi_recover_from_page_fault()*/ > +#include /* page_is_user_exclusive() */ > #include > > #include /* boot_cpu_has, ... */ > @@ -1218,6 +1219,13 @@ static int fault_in_kernel_space(unsigned long address) > return address >= TASK_SIZE_MAX; > } > > +static bool fault_in_user_exclusive_page(unsigned long address) > +{ > + struct page *page = virt_to_page(address); > + > + return page_is_user_exclusive(page); > +} > + > /* > * Called for all faults where 'address' is part of the kernel address > * space. Might get called for faults that originate from *code* that > @@ -1261,6 +1269,12 @@ do_kern_addr_fault(struct pt_regs *regs, unsigned long hw_error_code, > if (spurious_kernel_fault(hw_error_code, address)) > return; > > + /* FIXME: warn and handle gracefully */ > + if (unlikely(fault_in_user_exclusive_page(address))) { > + pr_err("page fault in user exclusive page at %lx", address); > + force_sig_fault(SIGSEGV, SEGV_MAPERR, (void __user *)address); > + } Sending a signal here is not a reasonable thing to do in response to an unexpected kernel fault. You need to OOPS. Printing a nice message would be nice. --Andy