Re: [PATCH v2 05/20] x86/alternative: initializing temporary mm for patching

[PATCH v2 00/20] Merge text_poke fixes and executable lockdowns · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
[PATCH v2 02/20] x86/jump_label: Use text_poke_early() during early init · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
[PATCH v2 15/20] vmalloc: New flags for safe vfree on special perms · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
Re: [PATCH v2 15/20] vmalloc: New flags for safe vfree on special perms · Borislav Petkov <bp@alien8.de> · 2019-02-19
Re: [PATCH v2 15/20] vmalloc: New flags for safe vfree on special perms · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2019-02-19
Re: [PATCH v2 15/20] vmalloc: New flags for safe vfree on special perms · Borislav Petkov <bp@alien8.de> · 2019-02-20
[PATCH v2 20/20] x86/alternative: comment about module removal races · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
[PATCH v2 17/20] bpf: Use vmalloc special flag · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
[PATCH v2 18/20] x86/ftrace: Use vmalloc special flag · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
[PATCH v2 08/20] x86/ftrace: set trampoline pages as executable · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
[PATCH v2 03/20] x86/mm: temporary mm struct · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
Re: [PATCH v2 03/20] x86/mm: temporary mm struct · Borislav Petkov <bp@alien8.de> · 2019-01-31
Re: [PATCH v2 03/20] x86/mm: temporary mm struct · Nadav Amit <hidden> · 2019-01-31
Re: [PATCH v2 03/20] x86/mm: temporary mm struct · Borislav Petkov <bp@alien8.de> · 2019-02-01
Re: [PATCH v2 03/20] x86/mm: temporary mm struct · Nadav Amit <hidden> · 2019-02-01
Re: [PATCH v2 03/20] x86/mm: temporary mm struct · Borislav Petkov <bp@alien8.de> · 2019-02-04
[PATCH v2 16/20] modules: Use vmalloc special flag · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
[PATCH v2 19/20] x86/kprobes: Use vmalloc special flag · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
[PATCH v2 14/20] mm: Make hibernate handle unmapped pages · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
Re: [PATCH v2 14/20] mm: Make hibernate handle unmapped pages · Borislav Petkov <bp@alien8.de> · 2019-02-19
Re: [PATCH v2 14/20] mm: Make hibernate handle unmapped pages · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2019-02-19
Re: [PATCH v2 14/20] mm: Make hibernate handle unmapped pages · Borislav Petkov <bp@alien8.de> · 2019-02-20
[PATCH v2 13/20] Add set_alias_ function and x86 implementation · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
Re: [PATCH v2 13/20] Add set_alias_ function and x86 implementation · Borislav Petkov <bp@alien8.de> · 2019-02-11
Re: [PATCH v2 13/20] Add set_alias_ function and x86 implementation · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2019-02-11
Re: [PATCH v2 13/20] Add set_alias_ function and x86 implementation · Andy Lutomirski <luto@kernel.org> · 2019-02-11
Re: [PATCH v2 13/20] Add set_alias_ function and x86 implementation · "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> · 2019-02-12
[PATCH v2 01/20] Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()" · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
[PATCH v2 12/20] x86/alternative: Remove the return value of text_poke_*() · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
[PATCH v2 11/20] x86/jump-label: remove support for custom poker · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
Re: [PATCH v2 11/20] x86/jump-label: remove support for custom poker · Borislav Petkov <bp@alien8.de> · 2019-02-11
[PATCH v2 09/20] x86/kprobes: instruction pages initialization enhancements · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
Re: [PATCH v2 09/20] x86/kprobes: instruction pages initialization enhancements · Borislav Petkov <bp@alien8.de> · 2019-02-11
Re: [PATCH v2 09/20] x86/kprobes: instruction pages initialization enhancements · Nadav Amit <hidden> · 2019-02-11
[PATCH v2 10/20] x86: avoid W^X being broken during modules loading · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
Re: [PATCH v2 10/20] x86: avoid W^X being broken during modules loading · Borislav Petkov <bp@alien8.de> · 2019-02-11
Re: [PATCH v2 10/20] x86: avoid W^X being broken during modules loading · Nadav Amit <hidden> · 2019-02-11
Re: [PATCH v2 10/20] x86: avoid W^X being broken during modules loading · Borislav Petkov <bp@alien8.de> · 2019-02-11
Re: [PATCH v2 10/20] x86: avoid W^X being broken during modules loading · Nadav Amit <hidden> · 2019-02-11
Re: [PATCH v2 10/20] x86: avoid W^X being broken during modules loading · Borislav Petkov <bp@alien8.de> · 2019-02-11
Re: [PATCH v2 10/20] x86: avoid W^X being broken during modules loading · Nadav Amit <hidden> · 2019-02-11
Re: [PATCH v2 10/20] x86: avoid W^X being broken during modules loading · Borislav Petkov <bp@alien8.de> · 2019-02-11
Re: [PATCH v2 10/20] x86: avoid W^X being broken during modules loading · Nadav Amit <hidden> · 2019-02-11
[PATCH] x86/cpufeature: Remove __pure attribute to _static_cpu_has() · Borislav Petkov <bp@alien8.de> · 2019-03-07
Re: [PATCH] x86/cpufeature: Remove __pure attribute to _static_cpu_has() · hpa@zytor.com · 2019-03-07
Re: [PATCH] x86/cpufeature: Remove __pure attribute to _static_cpu_has() · Borislav Petkov <bp@alien8.de> · 2019-03-07
Re: [PATCH v2 10/20] x86: avoid W^X being broken during modules loading · Borislav Petkov <bp@alien8.de> · 2019-03-07
Re: [PATCH v2 10/20] x86: avoid W^X being broken during modules loading · hpa@zytor.com · 2019-03-07
Re: [PATCH v2 10/20] x86: avoid W^X being broken during modules loading · Borislav Petkov <bp@alien8.de> · 2019-03-07
Re: [PATCH v2 10/20] x86: avoid W^X being broken during modules loading · Andy Lutomirski <luto@kernel.org> · 2019-03-07
Re: [PATCH v2 10/20] x86: avoid W^X being broken during modules loading · Borislav Petkov <bp@alien8.de> · 2019-03-07
[PATCH v2 06/20] x86/alternative: use temporary mm for text poking · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
Re: [PATCH v2 06/20] x86/alternative: use temporary mm for text poking · Borislav Petkov <bp@alien8.de> · 2019-02-05
Re: [PATCH v2 06/20] x86/alternative: use temporary mm for text poking · Peter Zijlstra <peterz@infradead.org> · 2019-02-05
Re: [PATCH v2 06/20] x86/alternative: use temporary mm for text poking · Borislav Petkov <bp@alien8.de> · 2019-02-05
Re: [PATCH v2 06/20] x86/alternative: use temporary mm for text poking · Peter Zijlstra <peterz@infradead.org> · 2019-02-05
Re: [PATCH v2 06/20] x86/alternative: use temporary mm for text poking · Nadav Amit <hidden> · 2019-02-05
Re: [PATCH v2 06/20] x86/alternative: use temporary mm for text poking · Peter Zijlstra <peterz@infradead.org> · 2019-02-05
[PATCH v2 07/20] x86/kgdb: avoid redundant comparison of patched code · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
[PATCH v2 05/20] x86/alternative: initializing temporary mm for patching · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
Re: [PATCH v2 05/20] x86/alternative: initializing temporary mm for patching · Borislav Petkov <bp@alien8.de> · 2019-02-05
Re: [PATCH v2 05/20] x86/alternative: initializing temporary mm for patching · Nadav Amit <hidden> · 2019-02-11
Re: [PATCH v2 05/20] x86/alternative: initializing temporary mm for patching · Andy Lutomirski <luto@amacapital.net> · 2019-02-11
Re: [PATCH v2 05/20] x86/alternative: initializing temporary mm for patching · Nadav Amit <hidden> · 2019-02-11
Re: [PATCH v2 05/20] x86/alternative: initializing temporary mm for patching · Andy Lutomirski <luto@kernel.org> · 2019-02-11
Re: [PATCH v2 05/20] x86/alternative: initializing temporary mm for patching · Nadav Amit <hidden> · 2019-02-11
Re: [PATCH v2 05/20] x86/alternative: initializing temporary mm for patching · Andy Lutomirski <luto@kernel.org> · 2019-02-11
Re: [PATCH v2 05/20] x86/alternative: initializing temporary mm for patching · Nadav Amit <hidden> · 2019-02-12
[PATCH v2 04/20] fork: provide a function for copying init_mm · Rick Edgecombe <rick.p.edgecombe@intel.com> · 2019-01-29
Re: [PATCH v2 04/20] fork: provide a function for copying init_mm · Borislav Petkov <bp@alien8.de> · 2019-02-05
Re: [PATCH v2 04/20] fork: provide a function for copying init_mm · Nadav Amit <hidden> · 2019-02-05

From: Andy Lutomirski <luto@kernel.org>
Date: 2019-02-11 22:47:58
Also in: linux-integrity, linux-mm, lkml

On Mon, Feb 11, 2019 at 11:18 AM Nadav Amit [off-list ref] wrote:

quoted

On Feb 11, 2019, at 11:07 AM, Andy Lutomirski [off-list ref] wrote:

I'm certainly amenable to other solutions, but this one does seem the
least messy.  I looked at my old patch, and it doesn't do what you
want.  I'd suggest you just add a percpu variable like cpu_dr7 and rig
up some accessors so that it stays up to date.  Then you can skip the
dr7 writes if there are no watchpoints set.

Also, EFI is probably a less interesting example than rare_write.
With rare_write, especially the dynamically allocated variants that
people keep coming up with, we'll need a swath of address space fully
as large as the vmalloc area. and getting *that* right while still
using the kernel address range might be more of a mess than we really
want to deal with.

As long as you feel comfortable with this solution, I’m fine with it.

Here is what I have (untested). I prefer to save/restore all the DRs,
because IIRC DR6 indications are updated even if breakpoints are disabled
(in DR7). And anyhow, that is the standard interface.

Seems reasonable, but:

quoted hunk ↗ jump to hunk


-- >8 --

From: Nadav Amit <redacted>
Date: Mon, 11 Feb 2019 03:07:08 -0800
Subject: [PATCH] mm: save DRs when loading temporary mm

Signed-off-by: Nadav Amit <redacted>
---
 arch/x86/include/asm/mmu_context.h | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
index d684b954f3c0..4f92ec3df149 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h

@@ -13,6 +13,7 @@
 #include <asm/tlbflush.h>
 #include <asm/paravirt.h>
 #include <asm/mpx.h>
+#include <asm/debugreg.h>

 extern atomic64_t last_mm_ctx_id;

@@ -358,6 +359,7 @@ static inline unsigned long __get_current_cr3_fast(void)

 typedef struct {
        struct mm_struct *prev;
+       unsigned short bp_enabled : 1;
 } temp_mm_state_t;

 /*

@@ -380,6 +382,15 @@ static inline temp_mm_state_t use_temporary_mm(struct mm_struct *mm)
        lockdep_assert_irqs_disabled();
        state.prev = this_cpu_read(cpu_tlbstate.loaded_mm);
        switch_mm_irqs_off(NULL, mm, current);
+
+       /*
+        * If breakpoints are enabled, disable them while the temporary mm is
+        * used - they do not belong and might cause wrong signals or crashes.
+        */

Maybe clarify this?  Add some mention that the specific problem is
that user code could set a watchpoint on an address that is also used
in the temporary mm.

Arguably we should not disable *kernel* breakpoints a la perf, but
that seems like quite a minor issue, at least as long as
use_temporary_mm() doesn't get wider use.  But a comment that this
also disables perf breakpoints and that this could be undesirable
might be in order as well.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help