From: Ruihan Li
To: linux-mm@kvack.org
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Pasha Tatashin, David Hildenbrand, Matthew Wilcox, Andrew Morton, Christoph Hellwig, Greg Kroah-Hartman, Ruihan Li, stable@vger.kernel.org
Subject: [PATCH 3/4] mm: page_table_check: Make it dependent on !DEVMEM
Date: Wed, 10 May 2023 16:55:26 +0800
Message-Id: <20230510085527.57953-4-lrh2000@pku.edu.cn>
In-Reply-To: <20230510085527.57953-1-lrh2000@pku.edu.cn>
References: <20230510085527.57953-1-lrh2000@pku.edu.cn>

The special device /dev/mem enables users to map arbitrary physical memory regions into the user space, which can conflict with the double mapping detection logic used by the page table check. For instance, pages may change their properties (e.g., from anonymous pages to named pages) while they are still being mapped in the user space via /dev/mem, leading to "corruption" detected by the page table check.

To address this issue, the PAGE_TABLE_CHECK config option is now dependent on !DEVMEM. This ensures that the page table check cannot be enabled when /dev/mem is used. It should be noted that /dev/mem itself is a significant security issue, and its conflict with a hardening technique is understandable.

Cc: # 5.17
Signed-off-by: Ruihan Li
--- Documentation/mm/page_table_check.rst | 18 ++++++++++++++++++ mm/Kconfig.debug | 2 +- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/Documentation/mm/page_table_check.rst b/Documentation/mm/page_table_check.rst index cfd8f4117..b04f29230 100644 --- a/Documentation/mm/page_table_check.rst +++ b/Documentation/mm/page_table_check.rst 
@@ -52,3 +52,21 @@ Build kernel with: Optionally, build kernel with PAGE_TABLE_CHECK_ENFORCED in order to have page table support without extra kernel parameter. + +Implementation notes +==================== + +We specifically decided not to use VMA information in order to avoid relying on +MM states (except for limited "struct page" info). The page table check is a +separate from Linux-MM state machine that verifies that the user accessible +pages are not falsely shared. + +As a result, special devices that violate the model cannot live with +PAGE_TABLE_CHECK. Currently, /dev/mem is the only known example. Given it +allows users to map arbitrary physical memory regions into the userspace, any +pages may change their properties (e.g., from anonymous pages to named pages) +while they are still being mapped in the userspace via /dev/mem, leading to +"corruption" detected by the page table check. Therefore, the PAGE_TABLE_CHECK +config option is now dependent on !DEVMEM. It's worth noting that /dev/mem +itself is a significant security issue, and its conflict with a hardening +technique is understandable. diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug index a925415b4..37f3d5b20 100644 --- a/mm/Kconfig.debug +++ b/mm/Kconfig.debug @@ -97,7 +97,7 @@ config PAGE_OWNER config PAGE_TABLE_CHECK bool "Check for invalid mappings in user page tables" - depends on ARCH_SUPPORTS_PAGE_TABLE_CHECK + depends on ARCH_SUPPORTS_PAGE_TABLE_CHECK && !DEVMEM select PAGE_EXTENSION help Check that anonymous page is not being mapped twice with read write -- 2.40.1
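
Review bot: In the added "Implementation notes" section of Documentation/mm/page_table_check.rst, the sentence "The page table check is a separate from Linux-MM state machine" does not parse; "The page table check is a state machine separate from Linux-MM that verifies ..." would read correctly. In the same hunk, "is now dependent on !DEVMEM" is changelog wording that will date once the patch is merged; "depends on !DEVMEM" fits permanent documentation better.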
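
Review bot: The help text of PAGE_TABLE_CHECK in the mm/Kconfig.debug hunk is not updated alongside the new "depends on ARCH_SUPPORTS_PAGE_TABLE_CHECK && !DEVMEM" line, so a DEVMEM=y configuration simply stops offering the option with no explanation at the prompt. Since the patch is Cc'd to stable, an existing config that sets both options will lose PAGE_TABLE_CHECK on the next oldconfig; a sentence in the help text stating the conflict with /dev/mem would make the reason discoverable without reading the .rst file.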