On 3/3/23 06:00, Borislav Petkov wrote:
> On Mon, Feb 27, 2023 at 02:29:35PM -0800, Rick Edgecombe wrote:
>> @@ -1310,6 +1324,23 @@ void do_user_addr_fault(struct pt_regs *regs,
>>
>> perf_sw_event(PERF_COUNT_SW_PAGE_FAULTS, 1, regs, address);
>>
>> + /*
>> + * For conventionally writable pages, a read can be serviced with a
>> + * read only PTE. But for shadow stack, there isn't a concept of
>> + * read-only shadow stack memory. If it a PTE has the shadow stack
> s/it //
>
>> + * permission, it can be modified via CALL and RET instructions. So
>> + * core MM needs to fault in a writable PTE and do things it already
>> + * does for write faults.
>> + *
>> + * Shadow stack accesses (read or write) need to be serviced with
>> + * shadow stack permission memory, which always include write
>> + * permissions. So in the case of a shadow stack read access, treat it
>> + * as a WRITE fault. This will make sure that MM will prepare
>> + * everything (e.g., break COW) such that maybe_mkwrite() can create a
>> + * proper shadow stack PTE.
I ended up just chopping that top paragraph out and rewording it a bit. I think this still expresses the intent in a lot less space:
/*
* Read-only permissions can not be expressed in shadow stack PTEs.
* Treat all shadow stack accesses as WRITE faults. This ensures
* that the MM will prepare everything (e.g., break COW) such that
* maybe_mkwrite() can create a proper shadow stack PTE.
*/
