On Mon, 2023-02-20 at 13:57 +0100, David Hildenbrand wrote: > > > > + /* > > + * When a page becomes COW it changes from a shadow stack > > permission > > + * page (Write=0,Dirty=1) to (Write=0,Dirty=0,SavedDirty=1), > > which is simply > > + * read-only to the CPU. When shadow stack is enabled, a RET > > would > > + * normally pop the shadow stack by reading it with a "shadow > > stack > > + * read" access. However, in the COW case the shadow stack > > memory does > > + * not have shadow stack permissions, it is read-only. So it > > will > > + * generate a fault. > > + * > > + * For conventionally writable pages, a read can be serviced > > with a > > + * read only PTE, and COW would not have to happen. But for > > shadow > > + * stack, there isn't the concept of read-only shadow stack > > memory. > > + * If it is shadow stack permission, it can be modified via > > CALL and > > + * RET instructions. So COW needs to happen before any memory > > can be > > + * mapped with shadow stack permissions. > > + * > > + * Shadow stack accesses (read or write) need to be serviced > > with > > + * shadow stack permission memory, so in the case of a shadow > > stack > > + * read access, treat it as a WRITE fault so both COW will > > happen and > > + * the write fault path will tickle maybe_mkwrite() and map > > the memory > > + * shadow stack. > > + */ > > Again, I suggest dropping all details about COW from this comment > and > from the patch description. It's just one such case that can happen. Hi David, I was just trying to edit this one to drop COW details, but I think in this case, one of the major reasons for the code *is* actually COW. We are not working around the whole inadvertent shadow stack memory piece here, but something else: Making sure shadow stack memory is faulted in and doing COW if required to make this possible. I came up with this, does it seem better? /* * For conventionally writable pages, a read can be serviced with a * read only PTE. But for shadow stack, there isn't a concept of * read- only shadow stack memory. If it a PTE has the shadow stack * permission, it can be modified via CALL and RET instructions. So * core MM needs to fault in a writable PTE and do things it already * does for write faults. * * Shadow stack accesses (read or write) need to be serviced with * shadow stack permission memory, so in the case of a shadow stack * read access, treat it as a WRITE fault so both any required COW will * happen and the write fault path will tickle maybe_mkwrite() and map * the memory shadow stack. */ Thanks, Rick
