• Peter Xu's avatar
    mm/page_table_check: support userfault wr-protect entries · 8430557f
    Peter Xu authored
    Allow page_table_check hooks to check over userfaultfd wr-protect criteria
    upon pgtable updates.  The rule is no co-existance allowed for any
    writable flag against userfault wr-protect flag.
    
    This should be better than c2da319c, where we used to only sanitize such
    issues during a pgtable walk, but when hitting such issue we don't have a
    good chance to know where does that writable bit came from [1], so that
    even the pgtable walk exposes a kernel bug (which is still helpful on
    triaging) but not easy to track and debug.
    
    Now we switch to track the source.  It's much easier too with the recent
    introduction of page table check.
    
    There are some limitations with using the page table check here for
    userfaultfd wr-protect purpose:
    
      - It is only enabled with explicit enablement of page table check configs
      and/or boot parameters, but should be good enough to track at least
      syzbot issues, as syzbot should enable PAGE_TABLE_CHECK[_ENFORCED] for
      x86 [1].  We used to have DEBUG_VM but it's now off for most distros,
      while distros also normally not enable PAGE_TABLE_CHECK[_ENFORCED], which
      is similar.
    
      - It conditionally works with the ptep_modify_prot API.  It will be
      bypassed when e.g. XEN PV is enabled, however still work for most of the
      rest scenarios, which should be the common cases so should be good
      enough.
    
      - Hugetlb check is a bit hairy, as the page table check cannot identify
      hugetlb pte or normal pte via trapping at set_pte_at(), because of the
      current design where hugetlb maps every layers to pte_t... For example,
      the default set_huge_pte_at() can invoke set_pte_at() directly and lose
      the hugetlb context, treating it the same as a normal pte_t. So far it's
      fine because we have huge_pte_uffd_wp() always equals to pte_uffd_wp() as
      long as supported (x86 only).  It'll be a bigger problem when we'll
      define _PAGE_UFFD_WP differently at various pgtable levels, because then
      one huge_pte_uffd_wp() per-arch will stop making sense first.. as of now
      we can leave this for later too.
    
    This patch also removes commit c2da319c altogether, as we have something
    better now.
    
    [1] https://lore.kernel.org/all/000000000000dce0530615c89210@google.com/
    
    Link: https://lkml.kernel.org/r/20240417212549.2766883-1-peterx@redhat.comSigned-off-by: default avatarPeter Xu <peterx@redhat.com>
    Reviewed-by: default avatarPasha Tatashin <pasha.tatashin@soleen.com>
    Cc: Axel Rasmussen <axelrasmussen@google.com>
    Cc: David Hildenbrand <david@redhat.com>
    Cc: Nadav Amit <nadav.amit@gmail.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    8430557f
pgtable.h 40.8 KB