Message-ID: <4c216532-2b68-dd95-93f1-542df4786d7a@intel.com>
Date: Thu, 10 Feb 2022 14:43:39 -0800
Subject: Re: [PATCH 18/35] mm: Add guard pages around a shadow stack.
From: Dave Hansen
To: Rick Edgecombe, x86@kernel.org, "H . Peter Anvin", Thomas Gleixner, Ingo Molnar, linux-kernel@vger.kernel.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-api@vger.kernel.org, Arnd Bergmann, Andy Lutomirski, Balbir Singh, Borislav Petkov, Cyrill Gorcunov, Dave Hansen, Eugene Syromiatnikov, Florian Weimer, "H . J . Lu", Jann Horn, Jonathan Corbet, Kees Cook, Mike Kravetz, Nadav Amit, Oleg Nesterov, Pavel Machek, Peter Zijlstra, Randy Dunlap, "Ravi V . Shankar", Dave Martin, Weijiang Yang, "Kirill A . Shutemov", joao.moreira@intel.com, John Allen, kcc@google.com, eranian@google.com
Cc: Yu-cheng Yu
References: <20220130211838.8382-1-rick.p.edgecombe@intel.com> <20220130211838.8382-19-rick.p.edgecombe@intel.com>
In-Reply-To: <20220130211838.8382-19-rick.p.edgecombe@intel.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 1/30/22 13:18, Rick Edgecombe wrote:
> INCSSP(Q/D) increments shadow stack pointer and 'pops and discards' the
> first and the last elements in the range, effectively touches those memory
> areas.
>
> The maximum moving distance by INCSSPQ is 255 * 8 = 2040 bytes and
> 255 * 4 = 1020 bytes by INCSSPD. Both ranges are far from PAGE_SIZE.
> Thus, putting a gap page on both ends of a shadow stack prevents INCSSP,
> CALL, and RET from going beyond.

What is the downside of not applying this patch? The shadow stack gap is
1MB instead of 4k?

That, frankly, doesn't seem too bad. How badly do we *need* this patch?
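
The guard-page argument in the quoted commit message, worked through as an added example (not part of this message or of the patch): a user-space model that tries every shadow stack pointer and every INCSSP count and checks whether the pointer can leave the stack without touching the gap. The access pattern follows the quoted description; the stack addresses, the 1024-byte comparison gap and all function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Accesses made by one INCSSP, modelled on the quoted description: the
 * first and last elements of the skipped range are read and discarded. */
struct incssp_access { uint64_t first, last, new_ssp; };

/* elem is 8 for INCSSPQ and 4 for INCSSPD; count is 1..255 (8-bit operand). */
static struct incssp_access incssp(uint64_t ssp, uint8_t count, unsigned elem)
{
    struct incssp_access a = { ssp, ssp + (uint64_t)(count - 1) * elem,
                               ssp + (uint64_t)count * elem };
    return a;
}

static bool in_range(uint64_t a, uint64_t lo, uint64_t hi)
{
    return a >= lo && a < hi;
}

/* Try every SSP in the stack [lo, hi) with every count and return how often
 * neither access hits the gap [hi, hi + gap) although the new SSP has left
 * the stack, i.e. the pointer jumped the gap without faulting. */
static unsigned long gap_jumps(uint64_t lo, uint64_t hi, unsigned elem,
                               uint64_t gap)
{
    unsigned long jumps = 0;

    for (uint64_t ssp = lo; ssp < hi; ssp += elem) {
        for (unsigned c = 1; c <= 255; c++) {
            struct incssp_access a = incssp(ssp, (uint8_t)c, elem);
            bool faults = in_range(a.first, hi, hi + gap) ||
                          in_range(a.last, hi, hi + gap);
            if (!faults && a.new_ssp > hi)
                jumps++;
        }
    }
    return jumps;
}

int main(void)
{
    const uint64_t lo = 0x10000, hi = 0x18000;   /* constructed 32 KiB stack */

    printf("INCSSPQ, 4096-byte gap: %lu jumps\n", gap_jumps(lo, hi, 8, 4096));
    printf("INCSSPD, 4096-byte gap: %lu jumps\n", gap_jumps(lo, hi, 4, 4096));
    printf("INCSSPQ, 1024-byte gap: %lu jumps\n", gap_jumps(lo, hi, 8, 1024));
    return 0;
}
```

The constructed 1024-byte gap is there only to show the failure mode: once the gap is smaller than the maximum INCSSPQ distance, some counts step over it without either access landing in it.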