Re: [PATCH 0/2] Proper ro_after_init implementation on s390
On Tue, Jun 7, 2016 at 10:41 PM, Heiko Carstenswrote: > On Tue, Jun 07, 2016 at 11:11:17AM -0700, Kees Cook wrote: >> On Tue, Jun 7, 2016 at 11:07 AM, Heiko Carstens >> wrote: >> > On Tue, Jun 07, 2016 at 08:49:14AM -0700, Kees Cook wrote: >> >> > Heiko Carstens (2): >> >> > vmlinux.lds.h: allow arch specific handling of ro_after_init data >> >> > section >> >> > s390/mm: add proper __ro_after_init support >> >> > >> >> > arch/s390/include/asm/cache.h | 3 --- >> >> > arch/s390/include/asm/sections.h | 1 + >> >> > arch/s390/kernel/vmlinux.lds.S| 12 +++- >> >> > arch/s390/mm/init.c | 7 --- >> >> > arch/s390/mm/vmem.c | 7 +++ >> >> > include/asm-generic/vmlinux.lds.h | 10 +- >> >> > 6 files changed, 28 insertions(+), 12 deletions(-) >> >> >> >> Awesome! This looks great to me! Have you had a chance to look through >> >> any of the arch/s390/ __init code for variables that should be marked >> >> __ro_after_init? >> > >> > Not yet, and actually this I'm a bit reluctant to do that, since any wrong >> > annotation will lead to kernel crashes sooner or later ;) >> > However I'll look into this as well. >> >> Yup, though the good news is it's usually discovered very quickly. :) > > Eventually it might make sense to add something like > DEBUG_SECTION_MISMATCH, which would only report on _write_ accesses from > non-init sections. > > Not sure if this can be done easily and without the need of a new compiler > feature. The new problem class I'm afraid of is more or less the same that > we had when non-init code referenced (already freed) initdata objects. Yeah. I'm hopeful we'll have a gcc plugin to help with this soon. -Kees -- Kees Cook Chrome OS & Brillo Security
Re: [PATCH 0/2] Proper ro_after_init implementation on s390
On Tue, Jun 7, 2016 at 10:41 PM, Heiko Carstens wrote: > On Tue, Jun 07, 2016 at 11:11:17AM -0700, Kees Cook wrote: >> On Tue, Jun 7, 2016 at 11:07 AM, Heiko Carstens >> wrote: >> > On Tue, Jun 07, 2016 at 08:49:14AM -0700, Kees Cook wrote: >> >> > Heiko Carstens (2): >> >> > vmlinux.lds.h: allow arch specific handling of ro_after_init data >> >> > section >> >> > s390/mm: add proper __ro_after_init support >> >> > >> >> > arch/s390/include/asm/cache.h | 3 --- >> >> > arch/s390/include/asm/sections.h | 1 + >> >> > arch/s390/kernel/vmlinux.lds.S| 12 +++- >> >> > arch/s390/mm/init.c | 7 --- >> >> > arch/s390/mm/vmem.c | 7 +++ >> >> > include/asm-generic/vmlinux.lds.h | 10 +- >> >> > 6 files changed, 28 insertions(+), 12 deletions(-) >> >> >> >> Awesome! This looks great to me! Have you had a chance to look through >> >> any of the arch/s390/ __init code for variables that should be marked >> >> __ro_after_init? >> > >> > Not yet, and actually this I'm a bit reluctant to do that, since any wrong >> > annotation will lead to kernel crashes sooner or later ;) >> > However I'll look into this as well. >> >> Yup, though the good news is it's usually discovered very quickly. :) > > Eventually it might make sense to add something like > DEBUG_SECTION_MISMATCH, which would only report on _write_ accesses from > non-init sections. > > Not sure if this can be done easily and without the need of a new compiler > feature. The new problem class I'm afraid of is more or less the same that > we had when non-init code referenced (already freed) initdata objects. Yeah. I'm hopeful we'll have a gcc plugin to help with this soon. -Kees -- Kees Cook Chrome OS & Brillo Security
Re: [PATCH 0/2] Proper ro_after_init implementation on s390
On Tue, Jun 07, 2016 at 11:11:17AM -0700, Kees Cook wrote: > On Tue, Jun 7, 2016 at 11:07 AM, Heiko Carstens >wrote: > > On Tue, Jun 07, 2016 at 08:49:14AM -0700, Kees Cook wrote: > >> > Heiko Carstens (2): > >> > vmlinux.lds.h: allow arch specific handling of ro_after_init data > >> > section > >> > s390/mm: add proper __ro_after_init support > >> > > >> > arch/s390/include/asm/cache.h | 3 --- > >> > arch/s390/include/asm/sections.h | 1 + > >> > arch/s390/kernel/vmlinux.lds.S| 12 +++- > >> > arch/s390/mm/init.c | 7 --- > >> > arch/s390/mm/vmem.c | 7 +++ > >> > include/asm-generic/vmlinux.lds.h | 10 +- > >> > 6 files changed, 28 insertions(+), 12 deletions(-) > >> > >> Awesome! This looks great to me! Have you had a chance to look through > >> any of the arch/s390/ __init code for variables that should be marked > >> __ro_after_init? > > > > Not yet, and actually this I'm a bit reluctant to do that, since any wrong > > annotation will lead to kernel crashes sooner or later ;) > > However I'll look into this as well. > > Yup, though the good news is it's usually discovered very quickly. :) Eventually it might make sense to add something like DEBUG_SECTION_MISMATCH, which would only report on _write_ accesses from non-init sections. Not sure if this can be done easily and without the need of a new compiler feature. The new problem class I'm afraid of is more or less the same that we had when non-init code referenced (already freed) initdata objects.
Re: [PATCH 0/2] Proper ro_after_init implementation on s390
On Tue, Jun 07, 2016 at 11:11:17AM -0700, Kees Cook wrote: > On Tue, Jun 7, 2016 at 11:07 AM, Heiko Carstens > wrote: > > On Tue, Jun 07, 2016 at 08:49:14AM -0700, Kees Cook wrote: > >> > Heiko Carstens (2): > >> > vmlinux.lds.h: allow arch specific handling of ro_after_init data > >> > section > >> > s390/mm: add proper __ro_after_init support > >> > > >> > arch/s390/include/asm/cache.h | 3 --- > >> > arch/s390/include/asm/sections.h | 1 + > >> > arch/s390/kernel/vmlinux.lds.S| 12 +++- > >> > arch/s390/mm/init.c | 7 --- > >> > arch/s390/mm/vmem.c | 7 +++ > >> > include/asm-generic/vmlinux.lds.h | 10 +- > >> > 6 files changed, 28 insertions(+), 12 deletions(-) > >> > >> Awesome! This looks great to me! Have you had a chance to look through > >> any of the arch/s390/ __init code for variables that should be marked > >> __ro_after_init? > > > > Not yet, and actually this I'm a bit reluctant to do that, since any wrong > > annotation will lead to kernel crashes sooner or later ;) > > However I'll look into this as well. > > Yup, though the good news is it's usually discovered very quickly. :) Eventually it might make sense to add something like DEBUG_SECTION_MISMATCH, which would only report on _write_ accesses from non-init sections. Not sure if this can be done easily and without the need of a new compiler feature. The new problem class I'm afraid of is more or less the same that we had when non-init code referenced (already freed) initdata objects.
Re: [PATCH 0/2] Proper ro_after_init implementation on s390
On Tue, Jun 7, 2016 at 11:07 AM, Heiko Carstenswrote: > On Tue, Jun 07, 2016 at 08:49:14AM -0700, Kees Cook wrote: >> > Heiko Carstens (2): >> > vmlinux.lds.h: allow arch specific handling of ro_after_init data section >> > s390/mm: add proper __ro_after_init support >> > >> > arch/s390/include/asm/cache.h | 3 --- >> > arch/s390/include/asm/sections.h | 1 + >> > arch/s390/kernel/vmlinux.lds.S| 12 +++- >> > arch/s390/mm/init.c | 7 --- >> > arch/s390/mm/vmem.c | 7 +++ >> > include/asm-generic/vmlinux.lds.h | 10 +- >> > 6 files changed, 28 insertions(+), 12 deletions(-) >> >> Awesome! This looks great to me! Have you had a chance to look through >> any of the arch/s390/ __init code for variables that should be marked >> __ro_after_init? > > Not yet, and actually this I'm a bit reluctant to do that, since any wrong > annotation will lead to kernel crashes sooner or later ;) > However I'll look into this as well. Yup, though the good news is it's usually discovered very quickly. :) >> Reviewed-by: Kees Cook > > Thanks! I add that to both patches. > > (sorry for the broken threading; one of the outgoing mail servers rewrote > all Message-Id headers) Cool, no worries. I tried to reply to what looked like the right one. :) -Kees -- Kees Cook Chrome OS & Brillo Security
Re: [PATCH 0/2] Proper ro_after_init implementation on s390
On Tue, Jun 7, 2016 at 11:07 AM, Heiko Carstens wrote: > On Tue, Jun 07, 2016 at 08:49:14AM -0700, Kees Cook wrote: >> > Heiko Carstens (2): >> > vmlinux.lds.h: allow arch specific handling of ro_after_init data section >> > s390/mm: add proper __ro_after_init support >> > >> > arch/s390/include/asm/cache.h | 3 --- >> > arch/s390/include/asm/sections.h | 1 + >> > arch/s390/kernel/vmlinux.lds.S| 12 +++- >> > arch/s390/mm/init.c | 7 --- >> > arch/s390/mm/vmem.c | 7 +++ >> > include/asm-generic/vmlinux.lds.h | 10 +- >> > 6 files changed, 28 insertions(+), 12 deletions(-) >> >> Awesome! This looks great to me! Have you had a chance to look through >> any of the arch/s390/ __init code for variables that should be marked >> __ro_after_init? > > Not yet, and actually this I'm a bit reluctant to do that, since any wrong > annotation will lead to kernel crashes sooner or later ;) > However I'll look into this as well. Yup, though the good news is it's usually discovered very quickly. :) >> Reviewed-by: Kees Cook > > Thanks! I add that to both patches. > > (sorry for the broken threading; one of the outgoing mail servers rewrote > all Message-Id headers) Cool, no worries. I tried to reply to what looked like the right one. :) -Kees -- Kees Cook Chrome OS & Brillo Security
Re: [PATCH 0/2] Proper ro_after_init implementation on s390
On Tue, Jun 07, 2016 at 08:49:14AM -0700, Kees Cook wrote: > > Heiko Carstens (2): > > vmlinux.lds.h: allow arch specific handling of ro_after_init data section > > s390/mm: add proper __ro_after_init support > > > > arch/s390/include/asm/cache.h | 3 --- > > arch/s390/include/asm/sections.h | 1 + > > arch/s390/kernel/vmlinux.lds.S| 12 +++- > > arch/s390/mm/init.c | 7 --- > > arch/s390/mm/vmem.c | 7 +++ > > include/asm-generic/vmlinux.lds.h | 10 +- > > 6 files changed, 28 insertions(+), 12 deletions(-) > > Awesome! This looks great to me! Have you had a chance to look through > any of the arch/s390/ __init code for variables that should be marked > __ro_after_init? Not yet, and actually this I'm a bit reluctant to do that, since any wrong annotation will lead to kernel crashes sooner or later ;) However I'll look into this as well. > Reviewed-by: Kees CookThanks! I add that to both patches. (sorry for the broken threading; one of the outgoing mail servers rewrote all Message-Id headers)
Re: [PATCH 0/2] Proper ro_after_init implementation on s390
On Tue, Jun 07, 2016 at 08:49:14AM -0700, Kees Cook wrote: > > Heiko Carstens (2): > > vmlinux.lds.h: allow arch specific handling of ro_after_init data section > > s390/mm: add proper __ro_after_init support > > > > arch/s390/include/asm/cache.h | 3 --- > > arch/s390/include/asm/sections.h | 1 + > > arch/s390/kernel/vmlinux.lds.S| 12 +++- > > arch/s390/mm/init.c | 7 --- > > arch/s390/mm/vmem.c | 7 +++ > > include/asm-generic/vmlinux.lds.h | 10 +- > > 6 files changed, 28 insertions(+), 12 deletions(-) > > Awesome! This looks great to me! Have you had a chance to look through > any of the arch/s390/ __init code for variables that should be marked > __ro_after_init? Not yet, and actually this I'm a bit reluctant to do that, since any wrong annotation will lead to kernel crashes sooner or later ;) However I'll look into this as well. > Reviewed-by: Kees Cook Thanks! I add that to both patches. (sorry for the broken threading; one of the outgoing mail servers rewrote all Message-Id headers)
Re: [PATCH 0/2] Proper ro_after_init implementation on s390
On Tue, Jun 7, 2016 at 5:06 AM, Heiko Carstenswrote: > These two patches allow a proper ro_after_init implementation on s390. > > The current implementation maps __ro_after_init to __read_mostly, > which means that ro_after_init data won't be write protected at all. > > Reason for this is that s390 write protects rodata very early (before > init calls) and therefore adding ro_after_init data to rodata would > lead to crashes. > > Since I don't want to mark the page table entries much later read-only > on s390 just to make this work, allow an architecture specific > handling which can be used to move the ro_after_init data to a > different place which can be marked read-only later when > mark_rodata_ro gets executed. > > Note: these patches require the s390 kernel page table splitting > support which currently is only available at > > git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux.git features > > (included in linux-next) > > Therefore, if we can agree on this solution I'd like to add these > patches to the s390 tree, so it can be merged during the next merge > window. > > Heiko Carstens (2): > vmlinux.lds.h: allow arch specific handling of ro_after_init data section > s390/mm: add proper __ro_after_init support > > arch/s390/include/asm/cache.h | 3 --- > arch/s390/include/asm/sections.h | 1 + > arch/s390/kernel/vmlinux.lds.S| 12 +++- > arch/s390/mm/init.c | 7 --- > arch/s390/mm/vmem.c | 7 +++ > include/asm-generic/vmlinux.lds.h | 10 +- > 6 files changed, 28 insertions(+), 12 deletions(-) Awesome! This looks great to me! Have you had a chance to look through any of the arch/s390/ __init code for variables that should be marked __ro_after_init? Reviewed-by: Kees Cook -Kees -- Kees Cook Chrome OS & Brillo Security
Re: [PATCH 0/2] Proper ro_after_init implementation on s390
On Tue, Jun 7, 2016 at 5:06 AM, Heiko Carstens wrote: > These two patches allow a proper ro_after_init implementation on s390. > > The current implementation maps __ro_after_init to __read_mostly, > which means that ro_after_init data won't be write protected at all. > > Reason for this is that s390 write protects rodata very early (before > init calls) and therefore adding ro_after_init data to rodata would > lead to crashes. > > Since I don't want to mark the page table entries much later read-only > on s390 just to make this work, allow an architecture specific > handling which can be used to move the ro_after_init data to a > different place which can be marked read-only later when > mark_rodata_ro gets executed. > > Note: these patches require the s390 kernel page table splitting > support which currently is only available at > > git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux.git features > > (included in linux-next) > > Therefore, if we can agree on this solution I'd like to add these > patches to the s390 tree, so it can be merged during the next merge > window. > > Heiko Carstens (2): > vmlinux.lds.h: allow arch specific handling of ro_after_init data section > s390/mm: add proper __ro_after_init support > > arch/s390/include/asm/cache.h | 3 --- > arch/s390/include/asm/sections.h | 1 + > arch/s390/kernel/vmlinux.lds.S| 12 +++- > arch/s390/mm/init.c | 7 --- > arch/s390/mm/vmem.c | 7 +++ > include/asm-generic/vmlinux.lds.h | 10 +- > 6 files changed, 28 insertions(+), 12 deletions(-) Awesome! This looks great to me! Have you had a chance to look through any of the arch/s390/ __init code for variables that should be marked __ro_after_init? Reviewed-by: Kees Cook -Kees -- Kees Cook Chrome OS & Brillo Security
[PATCH 0/2] Proper ro_after_init implementation on s390
These two patches allow a proper ro_after_init implementation on s390. The current implementation maps __ro_after_init to __read_mostly, which means that ro_after_init data won't be write protected at all. Reason for this is that s390 write protects rodata very early (before init calls) and therefore adding ro_after_init data to rodata would lead to crashes. Since I don't want to mark the page table entries much later read-only on s390 just to make this work, allow an architecture specific handling which can be used to move the ro_after_init data to a different place which can be marked read-only later when mark_rodata_ro gets executed. Note: these patches require the s390 kernel page table splitting support which currently is only available at git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux.git features (included in linux-next) Therefore, if we can agree on this solution I'd like to add these patches to the s390 tree, so it can be merged during the next merge window. Heiko Carstens (2): vmlinux.lds.h: allow arch specific handling of ro_after_init data section s390/mm: add proper __ro_after_init support arch/s390/include/asm/cache.h | 3 --- arch/s390/include/asm/sections.h | 1 + arch/s390/kernel/vmlinux.lds.S| 12 +++- arch/s390/mm/init.c | 7 --- arch/s390/mm/vmem.c | 7 +++ include/asm-generic/vmlinux.lds.h | 10 +- 6 files changed, 28 insertions(+), 12 deletions(-) -- 2.6.6
[PATCH 0/2] Proper ro_after_init implementation on s390
These two patches allow a proper ro_after_init implementation on s390. The current implementation maps __ro_after_init to __read_mostly, which means that ro_after_init data won't be write protected at all. Reason for this is that s390 write protects rodata very early (before init calls) and therefore adding ro_after_init data to rodata would lead to crashes. Since I don't want to mark the page table entries much later read-only on s390 just to make this work, allow an architecture specific handling which can be used to move the ro_after_init data to a different place which can be marked read-only later when mark_rodata_ro gets executed. Note: these patches require the s390 kernel page table splitting support which currently is only available at git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux.git features (included in linux-next) Therefore, if we can agree on this solution I'd like to add these patches to the s390 tree, so it can be merged during the next merge window. Heiko Carstens (2): vmlinux.lds.h: allow arch specific handling of ro_after_init data section s390/mm: add proper __ro_after_init support arch/s390/include/asm/cache.h | 3 --- arch/s390/include/asm/sections.h | 1 + arch/s390/kernel/vmlinux.lds.S| 12 +++- arch/s390/mm/init.c | 7 --- arch/s390/mm/vmem.c | 7 +++ include/asm-generic/vmlinux.lds.h | 10 +- 6 files changed, 28 insertions(+), 12 deletions(-) -- 2.6.6