On 07/11/2018 10:05 AM, Yu-cheng Yu wrote:
My understanding is that we don't want to follow write pte if the page
is shared as read-only. For a SHSTK page, that is (R/O + DIRTY_SW),
which means the SHSTK page has not been COW'ed. Is that right?
Let's look at the code again:
-static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
+static inline bool can_follow_write_pte(pte_t pte, unsigned int flags,
+ bool shstk)
{
+ bool pte_cowed = shstk ? is_shstk_pte(pte):pte_dirty(pte);
+
return pte_write(pte) ||
- ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
+ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_cowed);
}
This is another case where the naming of pte_*() is biting us vs. the
perversion of the PTE bits. The lack of comments and explanation inthe
patch is compounding the confusion.
We need to find a way to differentiate "someone can write to this PTE"
from "the write bit is set in this PTE".
In this particular hunk, we need to make it clear that pte_write() is
*never* true for shadowstack PTEs. In other words, shadow stack VMAs
will (should?) never even *see* a pte_write() PTE.
I think this is a case where you just need to bite the bullet and
bifurcate can_follow_write_pte(). Just separate the shadowstack and
non-shadowstack parts.