Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp948285pxx; Thu, 29 Oct 2020 19:51:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwcCbCnvbEdaZsCHtYMoc3/0Buec/oT0N9SINo9dO96dd3Macb0+XqG1ZN0vJFU6Sc9hjN9 X-Received: by 2002:a05:6402:6ca:: with SMTP id n10mr43843edy.273.1604026310434; Thu, 29 Oct 2020 19:51:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1604026310; cv=none; d=google.com; s=arc-20160816; b=oGoqutXYlhLYvk6tmPUssHMCaxgZ1WbNDTon8EOXCa9FH6kdRzPWGgAweWXEyt5B/S Zgu4yMkUsOx6Z++my3b4qrymnzBra/r7/DffDeDtmtMjcCMQPzxEqux3XFm/AvnWIHDk svGp+p4Ez8Zv8ADdDZzeyLoG0hyCsXBpSTSG9bn/Xb+tnhVYZ4EJEgkBib0AX7OTKxEp 5i9zRICFFc1tBnB+0T3Js6dCuqAduOKrnxDEXwOpWgpRA9pXQTzVMjNUaBPKe/uMyfN9 WzJwF+cY8pH5Io0Tp2D7+Lb/otmC3pt2lcGRegpPSafsz2/ys1mIPTrxuwCegnNvLGMo YWoA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=iyTdtZ1FYlfsFiUutt0GVS7r1yGxXmwfsMwCFfiA6Mo=; b=0S4Cxipe1YVJEVHdVKZBpemmk6qyOrvutQk2P6z2+mP0g5oYek+QgWANoEK2wN8xiL 5y/swXHOftjlKkDN/D9e9wS57exeduQsRmr2HZaqcyjlJL4v723R7P4MdWMm3m4+7Ong TPT/90oB5mC5NAtkXW4Uebo8043vBmfOMBcprgbR+ucE1/MmHEP6V/IgcpE2WXGx2PBW 1ItDGjiFhrvwe7rX4hEJBlJKNhrHrqtt7ToEifQQ9/h2kgcRVDj8FwcCeqVs8C9uZglR 83tZOk7HfLJYxy6jHy6fIT2pNQOy09sqVNO3hghVigC5DUtDDERoYrYkSTgqUWAQhtHR baCw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="SUW+4c/G"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r17si3454948edo.383.2020.10.29.19.51.28; Thu, 29 Oct 2020 19:51:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b="SUW+4c/G"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726184AbgJ3Ctu (ORCPT + 99 others); Thu, 29 Oct 2020 22:49:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39158 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725800AbgJ3Ctt (ORCPT ); Thu, 29 Oct 2020 22:49:49 -0400 Received: from mail-lf1-x144.google.com (mail-lf1-x144.google.com [IPv6:2a00:1450:4864:20::144]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9A6DEC0613D2 for ; Thu, 29 Oct 2020 19:49:48 -0700 (PDT) Received: by mail-lf1-x144.google.com with SMTP id i6so6004678lfd.1 for ; Thu, 29 Oct 2020 19:49:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iyTdtZ1FYlfsFiUutt0GVS7r1yGxXmwfsMwCFfiA6Mo=; b=SUW+4c/GNE2jYgqJQV5kCIdiJARuhagFhX6ggUAoYxWGbqSqx02k4o9Tbnm3CNpKFs FF3l0+3VB4TT6FMDYhi8KoTZnmVhyAbOsiYPc2Bzhqu3IkAa+nt2nmOuGJNcaOoeFFmH eImGHLnDZLkLEAwPK9vvuFXDgePNGK/8A91nKOP3jpox4HFLofcCdk+6+QhiVVmuN0nV MZ6YymaPmdL9ktRdNMeFZfQ9UpwoeXvweWZv24EzEw5oxsjbIJrrzW8NPseQLz2KIB0S kvTPc+Ur9VsGUKlMApEFPWvIkmBYzIGWhA62E8vNbVv/qjnouitKYK9OQtDpL3SCfgQc wFMA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iyTdtZ1FYlfsFiUutt0GVS7r1yGxXmwfsMwCFfiA6Mo=; b=srbJ7dCNs274KtMwOo8iWJYLWEKzcrI75Q8Y19AE2fW9eOrvmlzrRqfIv0GBEnKGK9 b+g6tJouiCIUA9KIVh8X+MYDgB+p/AyUoZXsh/bElypmMGlumjUquX7CpZVnjP/i48Pk zgZrE7reGHvIKFw60itY4RI7SNdklVZnUgfgFJE8QLGA05jKwBDFYK1hLUclaK4GqBhh s1mklz2H/x5X1n+WOkh2Y+5iz023jJIgMHJ5HtXuiuuAdH0A+50UqT3EhtA/7tOZ9J4u +viRrN04ozkHm2banHgpHrVUQMYgNfbPdhqRkoOAXAdvHXnj101U6miTXmTY8gkokrxb weKg== X-Gm-Message-State: AOAM531MtOaSSUr1KYjYGwcu++Xk/h7Xyzvv1A6NunwJMxhxp/W2vflN qhdXJLyl1+SB0i1Dc5mVje6OZFWOYu7leZGDe/U2Pw== X-Received: by 2002:a19:ef07:: with SMTP id n7mr22380lfh.482.1604026186911; Thu, 29 Oct 2020 19:49:46 -0700 (PDT) MIME-Version: 1.0 References: <20201029131649.182037-1-elver@google.com> <20201029131649.182037-3-elver@google.com> In-Reply-To: <20201029131649.182037-3-elver@google.com> From: Jann Horn Date: Fri, 30 Oct 2020 03:49:19 +0100 Message-ID: Subject: Re: [PATCH v6 2/9] x86, kfence: enable KFENCE for x86 To: Marco Elver Cc: Andrew Morton , Alexander Potapenko , "H . Peter Anvin" , "Paul E . McKenney" , Andrey Konovalov , Andrey Ryabinin , Andy Lutomirski , Borislav Petkov , Catalin Marinas , Christoph Lameter , Dave Hansen , David Rientjes , Dmitry Vyukov , Eric Dumazet , Greg Kroah-Hartman , Hillf Danton , Ingo Molnar , Jonathan Cameron , Jonathan Corbet , Joonsoo Kim , joern@purestorage.com, Kees Cook , Mark Rutland , Pekka Enberg , Peter Zijlstra , SeongJae Park , Thomas Gleixner , Vlastimil Babka , Will Deacon , "the arch/x86 maintainers" , "open list:DOCUMENTATION" , kernel list , kasan-dev , Linux ARM , Linux-MM Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Oct 29, 2020 at 2:17 PM Marco Elver wrote: > Add architecture specific implementation details for KFENCE and enable > KFENCE for the x86 architecture. In particular, this implements the > required interface in for setting up the pool and > providing helper functions for protecting and unprotecting pages. > > For x86, we need to ensure that the pool uses 4K pages, which is done > using the set_memory_4k() helper function. > > Reviewed-by: Dmitry Vyukov > Co-developed-by: Marco Elver > Signed-off-by: Marco Elver > Signed-off-by: Alexander Potapenko [...] > diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c [...] > @@ -725,6 +726,9 @@ no_context(struct pt_regs *regs, unsigned long error_code, > if (IS_ENABLED(CONFIG_EFI)) > efi_recover_from_page_fault(address); > > + if (kfence_handle_page_fault(address)) > + return; We can also get to this point due to an attempt to execute a data page. That's very unlikely (given that the same thing would also crash if you tried to do it with normal heap memory, and KFENCE allocations are extremely rare); but we might want to try to avoid handling such faults as KFENCE faults, since KFENCE will assume that it has resolved the fault and retry execution of the faulting instruction. Once kernel protection keys are introduced, those might cause the same kind of trouble. So we might want to gate this on a check like "if ((error_code & X86_PF_PROT) == 0)" (meaning "only handle the fault if the fault was caused by no page being present", see enum x86_pf_error_code). Unrelated sidenote: Since we're hooking after exception fixup handling, the debug-only KFENCE_STRESS_TEST_FAULTS can probably still cause some behavioral differences through spurious faults in places like copy_user_enhanced_fast_string (where the exception table entries are used even if the *kernel* pointer, not the user pointer, causes a fault). But since KFENCE_STRESS_TEST_FAULTS is exclusively for KFENCE development, the difference might not matter. And ordering them the other way around definitely isn't possible, because the kernel relies on being able to fixup OOB reads. So there probably isn't really anything we can do better here; it's just something to keep in mind. Maybe you can add a little warning to the help text for that Kconfig entry that warns people about this? > + > oops: > /* > * Oops. The kernel tried to access some bad page. We'll have to > -- > 2.29.1.341.ge80a0c044ae-goog >