Received: by 2002:a05:7412:bb8d:b0:d7:7d3a:4fe2 with SMTP id js13csp1130646rdb; Wed, 16 Aug 2023 02:39:12 -0700 (PDT) X-Google-Smtp-Source: AGHT+IE3PNwxjpez1SEKHO7/j03JrHbMEDNrl6ymEfNEoIjd7cK93khay162DhuKtAPIB117MFG5 X-Received: by 2002:a50:fb16:0:b0:522:2711:863 with SMTP id d22-20020a50fb16000000b0052227110863mr1155131edq.1.1692178752478; Wed, 16 Aug 2023 02:39:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1692178752; cv=none; d=google.com; s=arc-20160816; b=nUCIy5NOI/+5fAsqYMT4oqfKrXEd7on8AtsKqIdRfwKEBsIVjZWOdRaXvt0H8Jx6/n fJMwiu+1ynyRjiLbKiMR5Y14YB9NMy86IjiVyyGUq3cuoHZsLP5wuF8C72ti9rpBJ7G6 Wl+CGN2Vhbk+nimkN5ZO+nMxoRJarJZ9hhTLNEb7/sax9uH3f6NO46lGwuq70yVzPMvF X4wGpB1QNaZek467HkY1DSlB/MJxGTRw3JTQKtDWeT7LbR8UbbKTLnhHh9KpbSQ/u8pq OK3H7pm92JBblf30oyytCYMCPecoXKMsKRE0WF0SiPaYZEnfVLYDDY3flz76Q395THJK ePLA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=cRtU1iHpZakw568z98K1SEy1uFX2nGssPNiWocKuuo8=; fh=wS7gH9gJTwVbMI1951Any7fjyeH00wl+n7Iolqr1PYU=; b=D3/rAQzzM6aWhnMQdFnrxvzhHH3TfKrD4W+EdpLpTeiAN3iW6/g0PYZ9xRgIFaVpjC O78mcXTxuu7GcuDFYv828vo6D4hbwpRk3OaxuCn7RLRNBko5iWx1bnCqkXHEPb4S4/vL lfMaRhtb0G5QKZMEGocf+CgvqL1vlhTvMk8POvdp6/Urm0301clvN8+M1Ff6u4zGTRvW I3HYWQrSlF8V6FwNnmdo8GJZDI8uokSJ+q7FT4NwBLXC9wY721zmXoRZ5ir/UULiQI2n /hRKIaOSxskIUvApUx4MqS1X2ah9AhfC2Cqm1hP6togM7DUKVpQpz8+gJVyXQFJ2mRV/ zsHg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=DxIy5vbU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id c23-20020aa7df17000000b005234f46af0csi7862715edy.128.2023.08.16.02.38.46; Wed, 16 Aug 2023 02:39:12 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=DxIy5vbU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240733AbjHOXy4 (ORCPT + 99 others); Tue, 15 Aug 2023 19:54:56 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35736 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240732AbjHOXym (ORCPT ); Tue, 15 Aug 2023 19:54:42 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 866A5EE; Tue, 15 Aug 2023 16:54:41 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 073CD62C98; Tue, 15 Aug 2023 23:54:41 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 47CCBC433C8; Tue, 15 Aug 2023 23:54:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1692143680; bh=n6eEACiqimpPB7PLvfd+oUPFPVhzIcPuBLC1dr7dvkk=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=DxIy5vbUapbtWP3sld3mWYjZBRmjMrNODKGFDnO97nPi0kw+utGl7YhSUxRcSA55j bgF8O8udbd4TU+m5lMdm4Tq8mz2Iji+2duH30c7Uih+GPjDtxMtERbEdC1HkZkRbV1 vhFKi5KpL9sjgdjBtwcn8MOqnv66AJbhzBkjh1oYLzW8TtTXJwoSBhyLhul3VdRwcO 1WhbPKDlq0Tm06lqfY+xHm0muT2Lor4Y/lV59laZCZRREuOI6SYgQstfXcPOumpgOw HGCLOk+Rs8gWd4G0xWygKex2ny89KElnHHwFax3NDVcmPkRCbi5eOwwkFR7OjQVK7e 9jsYzSH7oiqSw== Date: Wed, 16 Aug 2023 00:54:30 +0100 From: Mark Brown To: Catalin Marinas Cc: Will Deacon , Jonathan Corbet , Andrew Morton , Marc Zyngier , Oliver Upton , James Morse , Suzuki K Poulose , Arnd Bergmann , Oleg Nesterov , Eric Biederman , Kees Cook , Shuah Khan , "Rick P. Edgecombe" , Deepak Gupta , Ard Biesheuvel , Szabolcs Nagy , "H.J. Lu" , Paul Walmsley , Palmer Dabbelt , Albert Ou , linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, kvmarm@lists.linux.dev, linux-fsdevel@vger.kernel.org, linux-arch@vger.kernel.org, linux-mm@kvack.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org Subject: Re: [PATCH v4 17/36] arm64/mm: Handle GCS data aborts Message-ID: <752f9f06-69e3-4e60-94ca-49cacb1122ff@sirena.org.uk> References: <20230807-arm64-gcs-v4-0-68cfa37f9069@kernel.org> <20230807-arm64-gcs-v4-17-68cfa37f9069@kernel.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="bU0eg43A83FLgDHm" Content-Disposition: inline In-Reply-To: X-Cookie: Darth Vader sleeps with a Teddywookie. X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --bU0eg43A83FLgDHm Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Aug 11, 2023 at 04:09:33PM +0100, Catalin Marinas wrote: > On Mon, Aug 07, 2023 at 11:00:22PM +0100, Mark Brown wrote: > > + if (is_write_abort(esr) && > > + !(is_gcs_fault(esr) || is_el1_data_abort(esr))) > > + return VM_FAULT_BADACCESS; > Related to my PIE permissions comment: when do we have a valid EL1 data > write abort that's not a GCS fault? Does a faulting GCSSTTR set the > ESR_ELx_GCS bit? Yes, it should do. The GCS instructions have access descriptors created with CreateAccDescGCS() which results in the access being flagged as a GCS access. > > + } else { > > + /* > > + * GCS faults should never happen for pages that are > > + * not part of a GCS and the operation being attempted > > + * can never succeed. > > + */ > > + if (is_gcs_fault(esr)) > > + return VM_FAULT_BADACCESS; > If one does a GCS push/store to a non-GCS page, do we get a GCS fault or > something else? I couldn't figure out from the engineering spec. If the > hardware doesn't generate such exceptions, we might as well remove this > 'else' branch. But maybe it does generate a GCS-specific fault as you > added a similar check in is_invalid_el0_gcs_access(). Yes, see AddGCSRecord() and LoadCheckGCSRecord() - all GCS initiated accesses need to be AccDescGCS so appropriate permissions enforcement can happen and that's what causes the fault to be flagged as GCS. > > @@ -595,6 +644,19 @@ static int __kprobes do_page_fault(unsigned long f= ar, unsigned long esr, > > if (!vma) > > goto lock_mmap; > > =20 > > + /* > > + * We get legitimate write faults for GCS pages from GCS > > + * operations and from EL1 writes to EL0 pages but just plain > What are the EL1 writes to the shadow stack? Would it not use > copy_to_user_gcs()? They should, yes - I'll reword the comment. --bU0eg43A83FLgDHm Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAABCgAdFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAmTcEDYACgkQJNaLcl1U h9A2rAgAhd1tNqwsfCv0ZnuQlRFZyTwPwFCn76BeqIuV3TYu4Nymed/YLhOECsZ9 H6Fni+Igkf4ckDfRhk742+N6QqLOBZz4ddBTJDV74NJk7EgWWv9srbi10k/thyIT O/Wz8nVnuUHHXN3dkJIZJQ/l6GjLrzoiskqkrh9ft7HskvTTe1DOL8gFS8Qa5DjS ut+XhC5VI7HX7iBwhhqw1tEjsQM3ldnl0r/rSd37tFbJbDX6ujuMlgpBKReSH8qV kfrNbgpcBoxaKvE/rytuAXTIS2oqh/1yHuWi8ujBlZgGf8Vo7OK0alzL8T+oIEaQ 92UJwq3fW51GVCMDxbeaCh1vD7hrKg== =cuH7 -----END PGP SIGNATURE----- --bU0eg43A83FLgDHm--