x86, cpa: Fix kernel text RO checks in static_protection()

Suresh Siddha · Ingo Molnar · commit 502f660466ba · 2009-11-02T17:16:35.000+01:00
Steven Rostedt reported that we are unconditionally making the
kernel text mapping as read-only. i.e., if someone does cpa() to
the kernel text area for setting/clearing any page table
attribute, we unconditionally clear the read-write attribute for
the kernel text mapping that is set at compile time.

We should delay (to forbid the write attribute) and enforce only
after the kernel has mapped the text as read-only.

Reported-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
Signed-off-by: Suresh Siddha &lt;suresh.b.siddha@intel.com&gt;
Acked-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
Tested-by: Steven Rostedt &lt;rostedt@goodmis.org&gt;
LKML-Reference: &lt;20091029024820.996634347@sbs-t61.sc.intel.com&gt;
[ marked kernel_set_to_readonly as __read_mostly ]
Signed-off-by: Ingo Molnar &lt;mingo@elte.hu&gt;
diff --git a/arch/x86/include/asm/cacheflush.h b/arch/x86/include/asm/cacheflush.h
@@ -176,6 +176,7 @@ void clflush_cache_range(void *addr, unsigned int size);
 #ifdef CONFIG_DEBUG_RODATA
 void mark_rodata_ro(void);
 extern const int rodata_test_data;
+extern int kernel_set_to_readonly;
 void set_kernel_text_rw(void);
 void set_kernel_text_ro(void);
 #else
diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
@@ -997,7 +997,7 @@ static noinline int do_test_wp_bit(void)
 const int rodata_test_data = 0xC3;
 EXPORT_SYMBOL_GPL(rodata_test_data);
 
-static int kernel_set_to_readonly;
+int kernel_set_to_readonly __read_mostly;
 
 void set_kernel_text_rw(void)
 {
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
@@ -695,7 +695,7 @@ void __init mem_init(void)
 const int rodata_test_data = 0xC3;
 EXPORT_SYMBOL_GPL(rodata_test_data);
 
-static int kernel_set_to_readonly;
+int kernel_set_to_readonly;
 
 void set_kernel_text_rw(void)
 {
diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
@@ -282,14 +282,16 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA) && \
 	!defined(CONFIG_DYNAMIC_FTRACE)
 	/*
-	 * Kernel text mappings for the large page aligned .rodata section
-	 * will be read-only. For the kernel identity mappings covering
-	 * the holes caused by this alignment can be anything.
+	 * Once the kernel maps the text as RO (kernel_set_to_readonly is set),
+	 * kernel text mappings for the large page aligned text, rodata sections
+	 * will be always read-only. For the kernel identity mappings covering
+	 * the holes caused by this alignment can be anything that user asks.
 	 *
 	 * This will preserve the large page mappings for kernel text/data
 	 * at no extra cost.
 	 */
-	if (within(address, (unsigned long)_text,
+	if (kernel_set_to_readonly &&
+	    within(address, (unsigned long)_text,
 		   (unsigned long)__end_rodata_hpage_align))
 		pgprot_val(forbidden) |= _PAGE_RW;
 #endif

Original file line number	Diff line number	Diff line change
`@@ -997,7 +997,7 @@ static noinline int do_test_wp_bit(void)`
`997`	`997`	`const int rodata_test_data = 0xC3;`
`998`	`998`	`EXPORT_SYMBOL_GPL(rodata_test_data);`
`999`	`999`
`1000`		`-static int kernel_set_to_readonly;`
	`1000`	`+int kernel_set_to_readonly __read_mostly;`
`1001`	`1001`
`1002`	`1002`	`void set_kernel_text_rw(void)`
`1003`	`1003`	`{`
Original file line number	Diff line number	Diff line change
`@@ -695,7 +695,7 @@ void __init mem_init(void)`
`695`	`695`	`const int rodata_test_data = 0xC3;`
`696`	`696`	`EXPORT_SYMBOL_GPL(rodata_test_data);`
`697`	`697`
`698`		`-static int kernel_set_to_readonly;`
	`698`	`+int kernel_set_to_readonly;`
`699`	`699`
`700`	`700`	`void set_kernel_text_rw(void)`
`701`	`701`	`{`