On Fri, Sep 21, 2018 at 06:31:53PM -0400, Joel Fernandes (Google) wrote:
> RCU Data-Structures document describes a trick to test RCU with small
> number of CPUs but with a larger tree. It wasn't immediately clear how
> the document arrived at 16 CPUs which also requires setting the
> FANOUT_LEAF t
On 09/21/2018 08:03 AM, Yu-cheng Yu wrote:
> The previous version of CET patches can be found in the following
> link:
>
> https://lkml.org/lkml/2018/8/30/608
So, this is an RFC, but there is no mention of what you want comments *on*. :)
What do you want folks to review? What needs to get settle
Texas Instruments INA3221 is a triple-channel shunt and bus
voltage monitor. This patch adds a DT binding doc for it.
Signed-off-by: Nicolin Chen
---
Changelog
v2->v3:
* Added a simple subject in line 1
* Fixed the shunt resistor value in the example
v1->v2:
* Dropped channel name properti
From: Nicolin Chen
An ina3221 chip has three input ports. Each port is used
to measure the voltage and current of its input source.
The DT binding now has defined bindings for their input
sources, so the driver should read this information and
handle accordingly.
This patch adds a new structur
This series adds an initial DT binding doc for ina3221. It defines
a child node to describe the input source of each ina3221 channel.
Then it changes the driver to handle the information properly.
Changelog
v2->v3:
* Fixed two places in DT bindings (PATCH-1)
v1->v2:
* Redefined DT bindings (detai
RCU Data-Structures document describes a trick to test RCU with small
number of CPUs but with a larger tree. It wasn't immediately clear how
the document arrived at 16 CPUs which also requires setting the
FANOUT_LEAF to 2 instead of the default of 16. Clarify that.
Signed-off-by: Joel Fernandes (G
Found two mistakes in this doc, sending v3.
On Fri, Sep 21, 2018 at 1:12 PM Nicolin Chen wrote:
> +++ b/Documentation/devicetree/bindings/hwmon/ina3221.txt
> @@ -0,0 +1,38 @@
> +ina3221 properties
> +
Should be a description of the doc.
> + VDD_GPU {
> + shunt-resistor = <5>;
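Review bot: the example value shunt-resistor = <5>; carries no unit, so a reader cannot tell whether 5 means ohms or milliohms. The usual DT convention is to put the unit in the property name (for example shunt-resistor-micro-ohms) and size the example value accordingly, so that the property is unambiguous for the driver and for other users of the binding.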
Should
Texas Instruments INA3221 is a triple-channel shunt and bus
voltage monitor. This patch adds a DT binding doc for it.
Signed-off-by: Nicolin Chen
---
Changelog
v1->v2:
* Dropped channel name properties
* Added child node definitions.
  * Added shunt resistor property in the child node
  * Add
From: Nicolin Chen
An ina3221 chip has three input ports. Each port is used
to measure the voltage and current of its input source.
The DT binding now has defined bindings for their input
sources, so the driver should read this information and
handle accordingly.
This patch adds a new structur
This series adds an initial DT binding doc for ina3221. It defines
a child node to describe the input source of each ina3221 channel.
Then it changes the driver to handle the information properly.
Changelog
v1->v2:
* Redefined DT bindings (detail in PATCH-1)
* Changed the driver code accordingly
On Fri, 2018-09-21 at 09:55 -0700, Randy Dunlap wrote:
> On 9/21/18 8:03 AM, Yu-cheng Yu wrote:
> > Add shadow stack pages to memory accounting.
> > Also check if the system has enough memory before enabling CET.
> >
> > Signed-off-by: Yu-cheng Yu
>
> oops. typo above.
>
I will fix it. Thanks
On 9/21/18 8:03 AM, Yu-cheng Yu wrote:
> Add shadow stack pages to memory accounting.
> Also check if the system has enough memory before enabling CET.
>
> Signed-off-by: Yu-cheng Yu
oops. typo above.
> ---
> mm/mmap.c | 5 +
> 1 file changed, 5 insertions(+)
--
~Randy
We now have two KASAN modes: generic KASAN and tag-based KASAN. Rename
kasan.c to generic.c to reflect that. Also rename kasan_init.c to init.c
as it contains initialization code for both KASAN modes.
Signed-off-by: Andrey Konovalov
---
mm/kasan/Makefile | 8
mm/kasan/{k
Tag-based KASAN changes the value of the top byte of pointers returned
from the kernel allocation functions (such as kmalloc). This patch updates
KASAN hooks signatures and their usage in SLAB and SLUB code to reflect
that.
Signed-off-by: Andrey Konovalov
---
include/linux/kasan.h | 43 +
Tag-based KASAN uses 1 shadow byte for 16 bytes of kernel memory, so it
requires 1/16th of the kernel virtual address space for the shadow memory.
This commit sets KASAN_SHADOW_SCALE_SHIFT to 4 when the tag-based KASAN
mode is enabled.
Signed-off-by: Andrey Konovalov
---
arch/arm64/Makefile
show_pte in arm64 fault handling relies on the fact that the top byte of
a kernel pointer is 0xff, which isn't always the case with tag-based
KASAN.
This patch resets the top byte in show_pte.
Signed-off-by: Andrey Konovalov
---
arch/arm64/mm/fault.c | 3 +++
1 file changed, 3 insertions(+)
di
The krealloc function checks whether the same buffer was reused or a new one
allocated by comparing kernel pointers. Tag-based KASAN changes memory tag
on the krealloc'ed chunk of memory and therefore also changes the pointer
tag of the returned pointer. Therefore we need to perform comparison on
unt
This patch adds a "SPDX-License-Identifier: GPL-2.0" mark to all source
files under mm/kasan.
Signed-off-by: Andrey Konovalov
---
mm/kasan/common.c | 1 +
mm/kasan/generic.c| 1 +
mm/kasan/generic_report.c | 1 +
mm/kasan/init.c | 1 +
mm/kasan/quarantine.c | 1 +
m
Tag-based KASAN doesn't check memory accesses through pointers tagged with
0xff. When page_address is used to get pointer to memory that corresponds
to some page, the tag of the resulting pointer gets set to 0xff, even
though the allocated memory might have been tagged differently.
For slab pages
Tag-based KASAN uses the Top Byte Ignore feature of arm64 CPUs to store a
pointer tag in the top byte of each pointer. This commit enables the
TCR_TBI1 bit, which enables Top Byte Ignore for the kernel, when tag-based
KASAN is used.
Signed-off-by: Andrey Konovalov
---
arch/arm64/include/asm/pgta
Tag-based KASAN inline instrumentation mode (which embeds checks of shadow
memory into the generated code, instead of inserting a callback) generates
a brk instruction when a tag mismatch is detected.
This commit adds a tag-based KASAN specific brk handler, that decodes the
immediate value passed
An object constructor can initialize pointers within this object based on
the address of the object. Since the object address might be tagged, we
need to assign a tag before calling constructor.
The implemented approach is to assign tags to objects with constructors
when a slab is allocated and c
This commit adds routines that print tag-based KASAN error reports.
Those are quite similar to generic KASAN, the difference is:
1. The way tag-based KASAN finds the first bad shadow cell (with a
mismatching tag). Tag-based KASAN compares memory tags from the shadow
memory to the pointer t
This patch updates KASAN documentation to reflect the addition of the new
tag-based mode.
Signed-off-by: Andrey Konovalov
---
Documentation/dev-tools/kasan.rst | 232 ++
1 file changed, 138 insertions(+), 94 deletions(-)
diff --git a/Documentation/dev-tools/kasan.rst
This commit adds a few helper functions that are meant to be used to
work with tags embedded in the top byte of kernel pointers: to set, to
get or to reset (set to 0xff) the top byte.
Signed-off-by: Andrey Konovalov
---
arch/arm64/mm/kasan_init.c | 2 ++
include/linux/kasan.h | 13 +++
A tag-based KASAN shadow memory cell contains a memory tag that
corresponds to the tag in the top byte of the pointer that points to that
memory. The native top byte value of kernel pointers is 0xff, so with
tag-based KASAN we need to initialize shadow memory to 0xff.
Signed-off-by: Andrey Konov
__kimg_to_phys (which is used by virt_to_phys) and _virt_addr_is_linear
(which is used by virt_addr_valid) assume that the top byte of the address
is 0xff, which isn't always the case with tag-based KASAN.
This patch resets the tag in those macros.
Signed-off-by: Andrey Konovalov
---
arch/arm64
This commit splits the current CONFIG_KASAN config option into two:
1. CONFIG_KASAN_GENERIC, that enables the generic KASAN mode (the one
that exists now);
2. CONFIG_KASAN_SW_TAGS, that enables the software tag-based KASAN mode.
The name CONFIG_KASAN_SW_TAGS is chosen as in the future we will h
This patchset adds a new software tag-based mode to KASAN [1].
(Initially this mode was called KHWASAN, but it got renamed,
see the naming rationale at the end of this section).
The plan is to implement HWASan [2] for the kernel with the incentive,
that it's going to have comparable to KASAN perf
Tag-based KASAN reuses a significant part of the generic KASAN code, so
move the common parts to common.c without any functional changes.
Signed-off-by: Andrey Konovalov
---
mm/kasan/Makefile | 5 +-
mm/kasan/common.c | 603 ++
mm/kasan/kasan.c | 57
This commit adds tag-based KASAN specific hooks implementation and
adjusts common generic and tag-based KASAN ones.
1. When a new slab cache is created, tag-based KASAN rounds up the size of
the objects in this cache to KASAN_SHADOW_SCALE_SIZE (== 16).
2. On each kmalloc tag-based KASAN genera
This patch moves generic KASAN specific error reporting routines to
generic_report.c without any functional changes, leaving common error
reporting code in report.c to be later reused by tag-based KASAN.
Signed-off-by: Andrey Konovalov
---
mm/kasan/Makefile | 4 +-
mm/kasan/generic_rep
While with SLUB we can actually preassign tags for caches with constructors
and store them in pointers in the freelist, SLAB doesn't allow that since
the freelist is stored as an array of indexes, so there are no pointers to
store the tags.
Instead we compute the tag twice, once when a slab is crea
VM_SHSTK indicates a shadow stack memory area.
The shadow stack is implemented only for the 64-bit kernel.
Signed-off-by: Yu-cheng Yu
---
include/linux/mm.h | 8
1 file changed, 8 insertions(+)
diff --git a/include/linux/mm.h b/include/linux/mm.h
index a61ebe8ad4ca..f40387ecd920 100644
To support XSAVES system states, change some names to distinguish
user and system states.
Change:
supervisor to system
copy_init_fpstate_to_fpregs() to copy_init_user_fpstate_to_fpregs()
xfeatures_mask to xfeatures_mask_user
XCNTXT_MASK to SUPPORTED_XFEATURES_MASK (states supported)
Signe
Intel Control-flow Enforcement Technology (CET) introduces the
following MSRs into the XSAVES system states.
IA32_U_CET (user-mode CET settings),
IA32_PL3_SSP (user-mode shadow stack),
IA32_PL0_SSP (kernel-mode shadow stack),
IA32_PL1_SSP (ring-1 shadow stack),
IA32_PL2_SSP (ri
A control protection exception is triggered when a control flow transfer
attempt violates shadow stack or indirect branch tracking constraints.
For example, the return address for a RET instruction differs from the
safe copy on the shadow stack; or a JMP instruction arrives at a non-ENDBR instruct
Explain how CET works and the no_cet_shstk/no_cet_ibt kernel
parameters.
Signed-off-by: Yu-cheng Yu
---
.../admin-guide/kernel-parameters.txt | 6 +
Documentation/index.rst | 1 +
Documentation/x86/index.rst | 11 +
Documentation/x86/intel_cet
Add CPUIDs for Control-flow Enforcement Technology (CET).
CPUID.(EAX=7,ECX=0):ECX[bit 7] Shadow stack
CPUID.(EAX=7,ECX=0):EDX[bit 20] Indirect branch tracking
Signed-off-by: Yu-cheng Yu
---
arch/x86/include/asm/cpufeatures.h | 2 ++
arch/x86/kernel/cpu/scattered.c| 1 +
2 files changed, 3 i
This patch implements THP shadow stack memory copying in the same
way as the previous patch for regular PTE.
In copy_huge_pmd(), we clear the dirty bit from the PMD. On the
next shadow stack access to the PMD, a page fault occurs. At
that time, the page is copied/re-used and the PMD is fixed.
S
Add the following shadow stack management instructions.
INCSSP:
Increment shadow stack pointer by the steps specified.
RDSSP:
Read SSP register into a GPR.
SAVEPREVSSP:
Use "prev ssp" token at top of current shadow stack to
create a "restore token" on previous shadow stack.
RSTO
A RO and dirty PTE exists in the following cases:
(a) A page is modified and then shared with a fork()'ed child;
(b) A R/O page that has been COW'ed;
(c) A SHSTK page.
The processor does not read the dirty bit for (a) and (b), but
checks the dirty bit for (c). To prevent the use of non-SHSTK
mem
We are going to create _PAGE_DIRTY_SW for non-hardware, memory
management purposes. Rename _PAGE_DIRTY to _PAGE_DIRTY_HW and
_PAGE_BIT_DIRTY to _PAGE_BIT_DIRTY_HW to make these PTE dirty
bits more clear. There are no functional changes in this
patch.
Signed-off-by: Yu-cheng Yu
---
arch/x86/inc
The previous version of CET patches can be found in the following
link:
https://lkml.org/lkml/2018/8/30/582
Summary of changes from v3:
Move IBT legacy code bitmap allocation back to when the application
requests it. Most applications do not need the bitmap. It is only
used when an appl
arch_prctl(ARCH_CET_STATUS, unsigned long *addr)
Return CET feature status.
The parameter 'addr' is a pointer to a user buffer.
On returning to the caller, the kernel fills the following
information:
*addr = SHSTK/IBT status
*(addr + 1) = SHSTK base address
*(addr + 2)
Create a guard area between VMAs, to detect memory corruption.
Signed-off-by: Yu-cheng Yu
---
include/linux/mm.h | 30 --
1 file changed, 20 insertions(+), 10 deletions(-)
diff --git a/include/linux/mm.h b/include/linux/mm.h
index c4cc07baccda..3a823bdae09d 100644
--
Update _PAGE_DIRTY to _PAGE_DIRTY_BITS in split_2MB_gtt_entry().
In order to support Control Flow Enforcement (CET), _PAGE_DIRTY
is now _PAGE_DIRTY_HW or _PAGE_DIRTY_SW.
Signed-off-by: Yu-cheng Yu
---
drivers/gpu/drm/i915/gvt/gtt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --g
The user-mode indirect branch tracking support is done mostly by
GCC to insert ENDBR64/ENDBR32 instructions at branch targets.
The kernel provides CPUID enumeration, feature MSR setup and
the allocation of legacy bitmap.
Signed-off-by: Yu-cheng Yu
---
arch/x86/Kconfig | 12
arch/x8
Indirect branch tracking provides an optional legacy code bitmap
that indicates locations of non-IBT compatible code. When set,
each bit in the bitmap marks a page in the linear address space as
legacy code.
We allocate the bitmap only when the application requests it.
Most applications do not nee
Add shadow stack pages to memory accounting.
Also check if the system has enough memory before enabling CET.
Signed-off-by: Yu-cheng Yu
---
mm/mmap.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/mm/mmap.c b/mm/mmap.c
index 5f2b2b184c60..de2d0faa1c61 100644
--- a/mm/mmap.c
+++ b/mm/mm
Function returns could unwind stacks beyond their allocated area.
We do not merge shadow stack areas.
This and VMA guards prevent shadow stack underflow.
Signed-off-by: Yu-cheng Yu
---
mm/mmap.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/mm/mmap.c b/mm/mmap.c
index de2d0faa1c61..fa
Introduce Kconfig option X86_INTEL_SHADOW_STACK_USER.
An application has shadow stack protection when all the following are
true:
(1) The kernel has X86_INTEL_SHADOW_STACK_USER enabled,
(2) The running processor supports the shadow stack,
(3) The application is built with shadow stack enabl
Update ARCH_CET_STATUS and ARCH_CET_DISABLE to include Indirect
Branch Tracking features.
Introduce:
arch_prctl(ARCH_CET_LEGACY_BITMAP, unsigned long *addr)
Enable the Indirect Branch Tracking legacy code bitmap.
The parameter 'addr' is a pointer to a user buffer.
On returning to the
Look in .note.gnu.property of an ELF file and check if Indirect
Branch Tracking needs to be enabled for the task.
Signed-off-by: H.J. Lu
Signed-off-by: Yu-cheng Yu
---
arch/x86/include/uapi/asm/elf_property.h | 1 +
arch/x86/kernel/elf.c| 8 +++-
2 files changed, 8 inser
Add user-mode indirect branch tracking enabling/disabling
and supporting routines.
Signed-off-by: H.J. Lu
Signed-off-by: Yu-cheng Yu
---
arch/x86/include/asm/cet.h | 8 ++
arch/x86/include/asm/disabled-features.h | 8 +-
arch/x86/kernel/cet.c| 31
The indirect branch tracking legacy bitmap takes a large address
space. This causes may_expand_vm() failure on the address limit
check. For an IBT-enabled task, add the bitmap size to the
address limit.
Signed-off-by: Yu-cheng Yu
---
arch/x86/include/uapi/asm/resource.h | 5 +
include/uapi
From: "H.J. Lu"
When Intel indirect branch tracking is enabled, functions in vDSO which
may be called indirectly must have endbr32 or endbr64 as the first
instruction. Compiler must support -fcf-protection=branch so that it
can be used to compile vDSO.
Signed-off-by: H.J. Lu
---
arch/x86/entr
Add control transfer terminating instructions:
ENDBR64/ENDBR32:
Mark a valid 64/32-bit control transfer endpoint.
Signed-off-by: Yu-cheng Yu
---
arch/x86/lib/x86-opcode-map.txt | 13 +++--
tools/objtool/arch/x86/lib/x86-opcode-map.txt | 13 +++--
2 files change
Add REGSET_CET64/REGSET_CET32 to get/set CET MSRs:
IA32_U_CET (user-mode CET settings),
IA32_PL3_SSP (user-mode shadow stack),
IA32_PL0_SSP (kernel-mode shadow stack),
IA32_PL1_SSP (ring-1 shadow stack),
IA32_PL2_SSP (ring-2 shadow stack).
Signed-off-by: Yu-cheng Yu
---
arch
can_follow_write_pte/pmd look for the (RO & DIRTY) PTE/PMD to
verify an exclusive RO page still exists after a broken COW.
A shadow stack PTE is RO & PAGE_DIRTY_SW when it is shared,
otherwise RO & PAGE_DIRTY_HW.
Introduce pte_exclusive() and pmd_exclusive() to also verify a
shadow stack PTE is e
XSAVES saves both system and user states. The Linux kernel
currently does not save/restore any system states. This patch
creates the framework for supporting system states.
Signed-off-by: Yu-cheng Yu
---
arch/x86/include/asm/fpu/internal.h | 3 +-
arch/x86/include/asm/fpu/xstate.h | 9 ++
There are a few places that need do_mmap() with mm->mmap_sem held.
Create an in-line function for that.
Signed-off-by: Yu-cheng Yu
---
include/linux/mm.h | 18 ++
1 file changed, 18 insertions(+)
diff --git a/include/linux/mm.h b/include/linux/mm.h
index f40387ecd920..c4cc07bacc
When setting up a signal, the kernel creates a shadow stack
restore token at the current SHSTK address and then stores the
token's address in the signal frame, right after the FPU state.
Before restoring a signal, the kernel verifies and then uses the
restore token to set the SHSTK pointer.
Signed
When Shadow Stack is enabled, the [R/O + PAGE_DIRTY_HW] setting is
reserved only for the Shadow Stack. For non-Shadow Stack R/O PTEs,
we use [R/O + PAGE_DIRTY_SW].
When a PTE goes from [R/W + PAGE_DIRTY_HW] to [R/O + PAGE_DIRTY_SW],
it could become a transient Shadow Stack PTE in two cases.
The
WRUSS is a new kernel-mode instruction but writes directly
to user shadow stack memory. This is used to construct
a return address on the shadow stack for the signal
handler.
This instruction can fault if the user shadow stack is
invalid shadow stack memory. In that case, the kernel does
fixup.
If a page fault is triggered by a shadow stack access (e.g.
call/ret) or shadow stack management instructions (e.g.
wrussq), then bit[6] of the page fault error code is set.
In access_error(), we check if a shadow stack page fault
is within a shadow stack memory area.
Signed-off-by: Yu-cheng Yu