Commit f8af095d authored by Dave Jones's avatar Dave Jones Committed by Linus Torvalds

[PATCH] x86: change_page_attr() fix

The 'make rodata read-only' patch in -mm exposes a latent bug in the 32-bit
change_page_attr() function, which causes certain CPUs (Those with NX
basically) to reboot instantly after pages are marked read-only.

The same bug got fixed a while back on x86-64, but never got propagated to
i386.

Stuart Hayes from Dell also picked up on this last June, but it never got
fixed, as the only thing affected by it aparently was the nvidia driver.

Blatantly stealing description from his post..

"It doesn't appear to be fixed (in the i386 arch).  The
 change_page_attr()/split_large_page() code will still still set all the
 4K PTEs to PAGE_KERNEL (setting the _PAGE_NX bit) when a large page
 needs to be split.

 This wouldn't be a problem for the bulk of the kernel memory, but there
 are pages in the lower 4MB of memory that's free, and are part of large
 executable pages that also contain kernel code.  If change_page_attr()
 is called on these, it will set the _PAGE_NX bit on the whole 2MB region
 that was covered by the large page, causing a large chunk of kernel code
 to be non-executable."
Signed-off-by: default avatarArjan van de Ven <arjan@infradead.org>
Signed-off-by: default avatarDave Jones <davej@redhat.com>
Cc: <Stuart_Hayes@Dell.com>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent e72c8585
...@@ -13,6 +13,7 @@ ...@@ -13,6 +13,7 @@
#include <asm/processor.h> #include <asm/processor.h>
#include <asm/tlbflush.h> #include <asm/tlbflush.h>
#include <asm/pgalloc.h> #include <asm/pgalloc.h>
#include <asm/sections.h>
static DEFINE_SPINLOCK(cpa_lock); static DEFINE_SPINLOCK(cpa_lock);
static struct list_head df_list = LIST_HEAD_INIT(df_list); static struct list_head df_list = LIST_HEAD_INIT(df_list);
...@@ -36,7 +37,8 @@ pte_t *lookup_address(unsigned long address) ...@@ -36,7 +37,8 @@ pte_t *lookup_address(unsigned long address)
return pte_offset_kernel(pmd, address); return pte_offset_kernel(pmd, address);
} }
static struct page *split_large_page(unsigned long address, pgprot_t prot) static struct page *split_large_page(unsigned long address, pgprot_t prot,
pgprot_t ref_prot)
{ {
int i; int i;
unsigned long addr; unsigned long addr;
...@@ -54,7 +56,7 @@ static struct page *split_large_page(unsigned long address, pgprot_t prot) ...@@ -54,7 +56,7 @@ static struct page *split_large_page(unsigned long address, pgprot_t prot)
pbase = (pte_t *)page_address(base); pbase = (pte_t *)page_address(base);
for (i = 0; i < PTRS_PER_PTE; i++, addr += PAGE_SIZE) { for (i = 0; i < PTRS_PER_PTE; i++, addr += PAGE_SIZE) {
set_pte(&pbase[i], pfn_pte(addr >> PAGE_SHIFT, set_pte(&pbase[i], pfn_pte(addr >> PAGE_SHIFT,
addr == address ? prot : PAGE_KERNEL)); addr == address ? prot : ref_prot));
} }
return base; return base;
} }
...@@ -98,11 +100,18 @@ static void set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte) ...@@ -98,11 +100,18 @@ static void set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
*/ */
static inline void revert_page(struct page *kpte_page, unsigned long address) static inline void revert_page(struct page *kpte_page, unsigned long address)
{ {
pte_t *linear = (pte_t *) pgprot_t ref_prot;
pte_t *linear;
ref_prot =
((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
? PAGE_KERNEL_LARGE_EXEC : PAGE_KERNEL_LARGE;
linear = (pte_t *)
pmd_offset(pud_offset(pgd_offset_k(address), address), address); pmd_offset(pud_offset(pgd_offset_k(address), address), address);
set_pmd_pte(linear, address, set_pmd_pte(linear, address,
pfn_pte((__pa(address) & LARGE_PAGE_MASK) >> PAGE_SHIFT, pfn_pte((__pa(address) & LARGE_PAGE_MASK) >> PAGE_SHIFT,
PAGE_KERNEL_LARGE)); ref_prot));
} }
static int static int
...@@ -123,10 +132,16 @@ __change_page_attr(struct page *page, pgprot_t prot) ...@@ -123,10 +132,16 @@ __change_page_attr(struct page *page, pgprot_t prot)
if ((pte_val(*kpte) & _PAGE_PSE) == 0) { if ((pte_val(*kpte) & _PAGE_PSE) == 0) {
set_pte_atomic(kpte, mk_pte(page, prot)); set_pte_atomic(kpte, mk_pte(page, prot));
} else { } else {
struct page *split = split_large_page(address, prot); pgprot_t ref_prot;
struct page *split;
ref_prot =
((address & LARGE_PAGE_MASK) < (unsigned long)&_etext)
? PAGE_KERNEL_EXEC : PAGE_KERNEL;
split = split_large_page(address, prot, ref_prot);
if (!split) if (!split)
return -ENOMEM; return -ENOMEM;
set_pmd_pte(kpte,address,mk_pte(split, PAGE_KERNEL)); set_pmd_pte(kpte,address,mk_pte(split, ref_prot));
kpte_page = split; kpte_page = split;
} }
get_page(kpte_page); get_page(kpte_page);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment