Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp698697pxp; Fri, 11 Mar 2022 12:42:25 -0800 (PST) X-Google-Smtp-Source: ABdhPJypL06udF4hnA1C5rvvsZWKq67SMRtIAAT6Ns6pAY8p+yooHNGENQOUoBZkpzCNzi/vmR/3 X-Received: by 2002:a17:90b:1d8b:b0:1bf:b979:bf27 with SMTP id pf11-20020a17090b1d8b00b001bfb979bf27mr14793396pjb.15.1647031345165; Fri, 11 Mar 2022 12:42:25 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1647031345; cv=none; d=google.com; s=arc-20160816; b=Km5mdLNq9Z10fO49BLWAOvsSky92KukfwPY6Ah15jQIv6AkoBWNajfYrccFQfYQzTD 5NYleS9VKGq2LE8LLC/u5nQwJzckB9U9OXZnG+PaTyNQqr9zdkOdjHeC/JlFmd7mCf2I UhELBXNEn6aTsytD8X7/rPGsquBuGit0tssjk/yjTIAAqfFrNe84hesnqwQjRH93Xs+R YS6bH/B2goY4bq6IDMJIUxS64qfuoF/4WXk2oLiFyL1Gol1DfNvJsfmbb4imio49vNT1 mZ7ZnLf+MwdzYJewAdIDuuGq37o7UqAGqvBAwvOT2XzMyk3L+Nit/h2eUNRzo+fSojYM B5Zg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=MJr/kZCwai2uuV42ppqPQaEtrRKO4Yyl82nxobD+ZU8=; b=ArSRHjy307nGpOkC7m+W7J+Mm1uJ7RfSfyf5lvcqVVSe2Z+B2KUPt5bLPQW3jTvILE CwLEUymtEwF9nKC+4AxNiEfqNEBwqFe/ho3WAhLw5nISBkObhsGSPGCoSqkSipp46eEd CvbY0iR1ihwkXRnwfs9lo4p4l2+4I4QrsnW05sqjWlB5YYJRhh0za4UQ0Z7KXFPHkP0K RKaouCpTnVyZD3o+2LQtk7i9EG6Im7eD5eGNWhSVduJg+vIaOIUtT98pyKnksFoM8XSP 5A228GtuBNl31sHUy3cw2kn1s7SSrtgNSjS1/ps9wdxEr4jGJH/pq2XdVfjqqmhGFnRK sWcA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b="l5J6JC7/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id v186-20020a6389c3000000b0037f96abcbf2si8682142pgd.639.2022.03.11.12.42.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 11 Mar 2022 12:42:25 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@intel.com header.s=Intel header.b="l5J6JC7/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 7A5D11D8A99; Fri, 11 Mar 2022 12:39:25 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S245133AbiCJRZH (ORCPT + 99 others); Thu, 10 Mar 2022 12:25:07 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55234 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245135AbiCJRXL (ORCPT ); Thu, 10 Mar 2022 12:23:11 -0500 Received: from mga06.intel.com (mga06.intel.com [134.134.136.31]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C584B198D07 for ; Thu, 10 Mar 2022 09:22:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=intel.com; i=@intel.com; q=dns/txt; s=Intel; t=1646932923; x=1678468923; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=i6pPXC0JSSSMuLc8Wn5aZ29lRSQ2lCEZPmuGWTz0kMM=; b=l5J6JC7/oIbdMXY0HinjoJsV8GWAGsMKsufeyMHMzR4YZ1PZSY66Mlpq DJvEG9YSTHGwetdPwFhc5sn1wwE8y0+XAu6l9M8uKHW39pacn56A9HSfH BM1ByDghpBnmoVfqzAU9X0IA7A5LaYKj8IhdlEAAJmaOcTIKfHSLiPMCg bUXlZ4893eiJaJ3nXZDN1gIVXLUpON6amTzxWdR94ww43bhhZ3dOd0aVL hMJBXG+iTXmIs9VazkR07uycVWk/rO7ACVXTlpAVERyVVKcY+lF2fIWYS 6rygLsxOwNkuuhzVztneqBbZLbNF6+Mxbu8MefyJ9CuFJn2g0qnUhIxT/ A==; X-IronPort-AV: E=McAfee;i="6200,9189,10282"; a="316033214" X-IronPort-AV: E=Sophos;i="5.90,171,1643702400"; d="scan'208";a="316033214" Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 Mar 2022 09:22:03 -0800 X-IronPort-AV: E=Sophos;i="5.90,171,1643702400"; d="scan'208";a="688732698" Received: from gdavids1-mobl.amr.corp.intel.com (HELO localhost) ([10.212.65.108]) by fmsmga001-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 10 Mar 2022 09:22:02 -0800 From: ira.weiny@intel.com To: Dave Hansen , "H. Peter Anvin" , Dan Williams Cc: Ira Weiny , Fenghua Yu , Rick Edgecombe , "Shankar, Ravi V" , linux-kernel@vger.kernel.org Subject: [PATCH V9 44/45] nvdimm/pmem: Enable stray access protection Date: Thu, 10 Mar 2022 09:20:18 -0800 Message-Id: <20220310172019.850939-45-ira.weiny@intel.com> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220310172019.850939-1-ira.weiny@intel.com> References: <20220310172019.850939-1-ira.weiny@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Ira Weiny The persistent memory (PMEM) driver uses the memremap_pages facility to provide 'struct page' metadata (vmemmap) for PMEM. Given that PMEM capacity maybe orders of magnitude higher capacity than System RAM it presents a large vulnerability surface to stray writes. Unlike stray writes to System RAM, which may result in a crash or other undesirable behavior, stray writes to PMEM additionally are more likely to result in permanent data loss. Reboot is not a remediation for PMEM corruption like it is for System RAM. Now that all valid kernel access' to PMEM have been annotated with {__}pgmap_set_{readwrite,noaccess}() PGMAP_PROTECTION is safe to enable in the pmem layer. Set PGMAP_PROTECTION if pgmap protections are available and set the pgmap property of the dax device for it's use. Internally, the pmem driver uses a cached virtual address, pmem->virt_addr (pmem_addr). Call __pgmap_set_{readwrite,noaccess}() directly when PGMAP_PROTECTION is active on those mappings. Signed-off-by: Ira Weiny --- Changes for V9 Remove the dax operations and pass the pgmap to the dax_device for its use. s/pgmap_mk_*/pgmap_set_*/ s/pmem_mk_*/pmem_set_*/ Changes for V8 Rebase to 5.17-rc1 Remove global param Add internal structure which uses the pmem device and pgmap device directly in the *_mk_*() calls. Add pmem dax ops callbacks Use pgmap_protection_available() s/PGMAP_PKEY_PROTECT/PGMAP_PROTECTION --- drivers/nvdimm/pmem.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/drivers/nvdimm/pmem.c b/drivers/nvdimm/pmem.c index 58d95242a836..2c7b18da7974 100644 --- a/drivers/nvdimm/pmem.c +++ b/drivers/nvdimm/pmem.c @@ -138,6 +138,18 @@ static blk_status_t read_pmem(struct page *page, unsigned int off, return BLK_STS_OK; } +static void pmem_set_readwrite(struct pmem_device *pmem) +{ + if (pmem->pgmap.flags & PGMAP_PROTECTION) + __pgmap_set_readwrite(&pmem->pgmap); +} + +static void pmem_set_noaccess(struct pmem_device *pmem) +{ + if (pmem->pgmap.flags & PGMAP_PROTECTION) + __pgmap_set_noaccess(&pmem->pgmap); +} + static blk_status_t pmem_do_read(struct pmem_device *pmem, struct page *page, unsigned int page_off, sector_t sector, unsigned int len) @@ -149,7 +161,11 @@ static blk_status_t pmem_do_read(struct pmem_device *pmem, if (unlikely(is_bad_pmem(&pmem->bb, sector, len))) return BLK_STS_IOERR; + /* Enable direct use of pmem->virt_addr */ + pmem_set_readwrite(pmem); rc = read_pmem(page, page_off, pmem_addr, len); + pmem_set_noaccess(pmem); + flush_dcache_page(page); return rc; } @@ -181,11 +197,15 @@ static blk_status_t pmem_do_write(struct pmem_device *pmem, * after clear poison. */ flush_dcache_page(page); + + /* Enable direct use of pmem->virt_addr */ + pmem_set_readwrite(pmem); write_pmem(pmem_addr, page, page_off, len); if (unlikely(bad_pmem)) { rc = pmem_clear_poison(pmem, pmem_off, len); write_pmem(pmem_addr, page, page_off, len); } + pmem_set_noaccess(pmem); return rc; } @@ -427,6 +447,8 @@ static int pmem_attach_disk(struct device *dev, pmem->pfn_flags = PFN_DEV; if (is_nd_pfn(dev)) { pmem->pgmap.type = MEMORY_DEVICE_FS_DAX; + if (pgmap_protection_available()) + pmem->pgmap.flags |= PGMAP_PROTECTION; addr = devm_memremap_pages(dev, &pmem->pgmap); pfn_sb = nd_pfn->pfn_sb; pmem->data_offset = le64_to_cpu(pfn_sb->dataoff); @@ -440,6 +462,8 @@ static int pmem_attach_disk(struct device *dev, pmem->pgmap.range.end = res->end; pmem->pgmap.nr_range = 1; pmem->pgmap.type = MEMORY_DEVICE_FS_DAX; + if (pgmap_protection_available()) + pmem->pgmap.flags |= PGMAP_PROTECTION; addr = devm_memremap_pages(dev, &pmem->pgmap); pmem->pfn_flags |= PFN_MAP; bb_range = pmem->pgmap.range; @@ -481,6 +505,8 @@ static int pmem_attach_disk(struct device *dev, } set_dax_nocache(dax_dev); set_dax_nomc(dax_dev); + if (pmem->pgmap.flags & PGMAP_PROTECTION) + set_dax_pgmap(dax_dev, &pmem->pgmap); if (is_nvdimm_sync(nd_region)) set_dax_synchronous(dax_dev); rc = dax_add_host(dax_dev, disk); -- 2.35.1