I have tested this with the Radix MMU and everything seems to work, and
the previous patch for Hash seems to fix everything too.
STRICT_KERNEL_RWX should still be disabled by default for now.
Please test STRICT_KERNEL_RWX + RELOCATABLE!
Signed-off-by: Russell Currey
---
arch/powerpc/Kconfig |
With STRICT_KERNEL_RWX on in a relocatable kernel under the hash MMU, if
the position the kernel is loaded at is not 16M aligned, the kernel
miscalculates its ALIGN*()s and things go horribly wrong.
We can easily avoid this when selecting the linear mapping size, so do
so and print a warning. I
v5 cover letter:
https://lore.kernel.org/kernel-hardening/20191030073111.140493-1-rus...@russell.cc/
v4 cover letter:
https://lists.ozlabs.org/pipermail/linuxppc-dev/2019-October/198268.html
v3 cover letter:
https://lists.ozlabs.org/pipermail/linuxppc-dev/2019-October/198023.html
Changes since
skiroot_defconfig is the only powerpc defconfig with STRICT_KERNEL_RWX
enabled, and if you want memory protection for kernel text you'd want it
for modules too, so enable STRICT_MODULE_RWX there.
Acked-by: Joel Stanley
Signed-off-by: Russell Currey
---
arch/powerpc/configs/skiroot_defconfig |
To enable strict module RWX on powerpc, set:
CONFIG_STRICT_MODULE_RWX=y
You should also have CONFIG_STRICT_KERNEL_RWX=y set to have any real
security benefit.
ARCH_HAS_STRICT_MODULE_RWX is set to require ARCH_HAS_STRICT_KERNEL_RWX.
This is due to a quirk in arch/Kconfig and
Very rudimentary, just
echo 1 > [debugfs]/check_wx_pages
and check the kernel log. Useful for testing strict module RWX.
Updated the Kconfig entry to reflect this.
Also fixed a typo.
Signed-off-by: Russell Currey
---
arch/powerpc/Kconfig.debug | 6 --
The set_memory_{ro/rw/nx/x}() functions are required for STRICT_MODULE_RWX,
and are generally useful primitives to have. This implementation is
designed to be completely generic across powerpc's many MMUs.
It's possible that this could be optimised to be faster for specific
MMUs, but the focus
With CONFIG_STRICT_KERNEL_RWX=y and CONFIG_KPROBES=y, there will be one
W+X page at boot by default. This can be tested with
CONFIG_PPC_PTDUMP=y and CONFIG_PPC_DEBUG_WX=y set, and checking the
kernel log during boot.
powerpc doesn't implement its own alloc() for kprobes like other
architectures
This adds tests which will validate architecture page table helpers and
other accessors in their compliance with expected generic MM semantics.
This will help various architectures in validating changes to existing
page table helpers or addition of new ones.
This test covers basic page table
On Mon, Dec 23, 2019 at 6:31 AM Christophe Leroy
wrote:
>
> do_hres() is called from several places, so GCC doesn't inline
> it at first.
>
> do_hres() takes a struct __kernel_timespec * parameter for
> passing the result. In the 32 bits case, this parameter corresponds
> to a local var in the
On Mon, Dec 23, 2019 at 6:31 AM Christophe Leroy
wrote:
>
> On powerpc, __arch_get_vdso_data() clobbers the link register,
> requiring the caller to set a stack frame in order to save it.
>
> As the parent function already has to set a stack frame and save
> the link register to call the C vdso
On Mon, Dec 23, 2019 at 6:31 AM Christophe Leroy
wrote:
>
> On powerpc, VDSO functions and syscalls cannot be implemented in C
> because the Linux kernel ABI requires that CR[SO] bit is set in case
> of error and cleared when no error.
>
> As this cannot be done in C, C VDSO functions and
On Mon, Dec 23, 2019 at 6:31 AM Christophe Leroy
wrote:
>
> In order to simplify next step which moves fallback call at arch
> level, ensure all arches have a 32bit fallback instead of handling
> the lack of 32bit fallback in the common code based
> on VDSO_HAS_32BIT_FALLBACK
I don't like this.
On Mon, Dec 23, 2019 at 6:31 AM Christophe Leroy
wrote:
>
> VDSO_HRES and VDSO_RAW clocks are handled the same way.
>
> Don't duplicate code.
>
> Signed-off-by: Christophe Leroy
Reviewed-by: Andy Lutomirski
On Mon, Dec 23, 2019 at 6:31 AM Christophe Leroy
wrote:
>
> READ_ONCE() forces the read of the 64 bit value of
> vd[CS_HRES_COARSE].basetime[CLOCK_REALTIME].sec allthough
> only the lower part is needed.
Seems reasonable and very unlikely to be harmful. That being said,
this function really
On 23/12/2019 22:18, Michael Ellerman wrote:
> Alexey Kardashevskiy writes:
>
>> The last jump to free_exit in mm_iommu_do_alloc() happens after page
>> pointers in struct mm_iommu_table_group_mem_t were already converted to
>> physical addresses. Thus calling put_page() on these physical
On Fri, Dec 20, 2019 at 04:32:13PM -0800, Dan Williams wrote:
> > > There's already a limit, it's just a much larger one. :) What does "no
> > > limit"
> > > really mean, numerically, to you in this case?
> >
> > I guess I mean 'hidden limit' - hitting the limit and failing would
> > be
There are two IRQ stacks: softirq_ctx and hardirq_ctx
do_softirq_own_stack() switches stack to softirq_ctx
do_IRQ() switches stack to hardirq_ctx
However, when soft and hard IRQs are nested, only one of the two
stacks is used:
- When on softirq stack, do_IRQ() doesn't switch to hardirq stack.
-
Exception entries run of kernel thread stack, then do_IRQ()
switches to the IRQ stack.
Instead of doing a first step of the thread stack, increasing the
risk of stack overflow and spending time switch stacks two times when
coming from userspace, set the stack to IRQ stack immediately in the
As we are going to switch to IRQ stack immediately in the exception
handler, it won't be possible anymore to check stack overflow by
reading stack pointer.
Do the verification on regs->gpr[1] which contains the stack pointer
at the time the IRQ happended, and move it to __do_irq() so that the
Instead of #ifdef, use IS_ENABLED(CONFIG_DEBUG_STACKOVERFLOW).
This enable GCC to check for code validity even when the option
is not selected.
The function is not using current_stack_pointer() anymore so no
need to declare it inline, let GCC decide.
Signed-off-by: Christophe Leroy
---
set_irq_regs() is called by do_IRQ() while irq_enter() and irq_exit()
are called by __do_irq().
Move set_irq_regs() in __do_irq()
Signed-off-by: Christophe Leroy
---
arch/powerpc/kernel/irq.c | 16 ++--
1 file changed, 6 insertions(+), 10 deletions(-)
diff --git
Before commit 7306e83ccf5c ("powerpc: Don't use CURRENT_THREAD_INFO to
find the stack"), the current stack base address was obtained by
calling current_thread_info(). That inline function was simply masking
out the value of r1.
In that commit, it was changed to using current_stack_pointer(),
call_do_irq() and call_do_softirq() are simple enough to be
worth inlining.
Inlining them avoids an mflr/mtlr pair plus a save/reload on stack.
It also allows GCC to keep the saved ksp_limit in an nonvolatile reg.
This is inspired from S390 arch. Several other arches do more or
less the same.
PPC32 implements a specific early stack overflow detection.
This detection is inherited from ppc arch (before the merge of
ppc and ppc64 into powerpc). At that time, there was no irqstacks
and the verification was simply to check that the stack pointer
was still over the stack base. But when
The purpose of this series is to accelerate IRQ entry by
avoiding unneccessary trampoline functions like call_do_irq()
and call_do_softirq() and by switching to IRQ stack
immediately in the exception handler.
For now, it is an RFC as it is still a bit messy.
Please provide feedback and I'll
This is a tentative to switch powerpc/32 vdso to
generic C implementation.
It will likely not work on 64 bits or even build properly
at the moment, hence the RFC status.
powerpc is a bit special for VDSO as well as system calls in the
way that it requires setting CR SO bit which cannot be done
__get_datapage() is only a few instructions to retrieve the
address of the page where the kernel stores data to the VDSO.
By inlining this function into its users, a bl/blr pair and
a mflr/mtlr pair is avoided, plus a few reg moves.
The improvement is noticeable (about 55 nsec/call on an 8xx)
READ_ONCE() forces the read of the 64 bit value of
vd[CS_HRES_COARSE].basetime[CLOCK_REALTIME].sec allthough
only the lower part is needed.
This results in a suboptimal code:
0af4 <__c_kernel_time>:
af4: 2c 03 00 00 cmpwi r3,0
af8: 81 44 00 20 lwz r10,32(r4)
afc: 81 64
do_coarse() is similare to do_hres() except that it never
fails.
Change its type to int instead of void and get it return 0
at all time. This cleans the code a bit.
Signed-off-by: Christophe Leroy
---
lib/vdso/gettimeofday.c | 15 ---
1 file changed, 8 insertions(+), 7 deletions(-)
do_hres() is called from several places, so GCC doesn't inline
it at first.
do_hres() takes a struct __kernel_timespec * parameter for
passing the result. In the 32 bits case, this parameter corresponds
to a local var in the caller. In order to provide a pointer
to this structure, the caller has
VDSO_HRES and VDSO_RAW clocks are handled the same way.
Don't duplicate code.
Signed-off-by: Christophe Leroy
---
lib/vdso/gettimeofday.c | 7 +--
1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/lib/vdso/gettimeofday.c b/lib/vdso/gettimeofday.c
index 5a17a9d2e6cd..aa4a167bf1e0
On powerpc, __arch_get_vdso_data() clobbers the link register,
requiring the caller to set a stack frame in order to save it.
As the parent function already has to set a stack frame and save
the link register to call the C vdso function, retriving the
vdso data pointer there is lighter.
Give
On powerpc, VDSO functions and syscalls cannot be implemented in C
because the Linux kernel ABI requires that CR[SO] bit is set in case
of error and cleared when no error.
As this cannot be done in C, C VDSO functions and syscall'based
fallback need a trampoline in ASM.
By moving the fallback
__cvdso_clock_getres() just calls __cvdso_clock_getres_common().
__cvdso_clock_gettime() just calls __cvdso_clock_getres_common().
Drop __cvdso_clock_getres() and __cvdso_clock_gettime()
Rename __cvdso_clock_gettime_common() into __cvdso_clock_gettime()
Rename __cvdso_clock_getres_common() into
In order to simplify next step which moves fallback call at arch
level, ensure all arches have a 32bit fallback instead of handling
the lack of 32bit fallback in the common code based
on VDSO_HAS_32BIT_FALLBACK
Signed-off-by: Christophe Leroy
---
arch/arm/include/asm/vdso/gettimeofday.h
This is a second tentative to switch powerpc/32 vdso to generic C
implementation.
It will likely not work on 64 bits or even build properly at the moment.
powerpc is a bit special for VDSO as well as system calls in the
way that it requires setting CR SO bit which cannot be done in C.
Recently, the spinlock implementation grew a static key optimization,
but the jump_label.h header include was left out, leading to build
errors:
linux/arch/powerpc/include/asm/spinlock.h:44:7: error: implicit declaration of
function ‘static_branch_unlikely’
Alexey Kardashevskiy writes:
> The last jump to free_exit in mm_iommu_do_alloc() happens after page
> pointers in struct mm_iommu_table_group_mem_t were already converted to
> physical addresses. Thus calling put_page() on these physical addresses
> will likely crash.
>
> This moves the loop
39 matches
Mail list logo
