[PATCH 2/3] arm64: gcs: Allow PAGE_NONE mappings for NUMA balancing
Catalin Marinas
catalin.marinas at arm.com
Fri Feb 20 11:52:53 PST 2026
On Fri, Feb 20, 2026 at 05:16:52PM +0100, David Hildenbrand wrote:
> On 2/20/26 15:05, Catalin Marinas wrote:
> > diff --git a/arch/arm64/mm/mmap.c b/arch/arm64/mm/mmap.c
> > index 2e404441063b..f8993e3fa5d1 100644
> > --- a/arch/arm64/mm/mmap.c
> > +++ b/arch/arm64/mm/mmap.c
> > @@ -87,7 +87,15 @@ pgprot_t vm_get_page_prot(vm_flags_t vm_flags)
> > /* Short circuit GCS to avoid bloating the table. */
> > if (system_supports_gcs() && (vm_flags & VM_SHADOW_STACK)) {
> > - prot = pgprot_val(PAGE_GCS_RO);
> > + /*
> > + * Allow PAGE_NONE for NUMA balancing, otherwise use
> > + * PAGE_GCS_RO. The permission will be made writeable
> > + * (PAGE_GCS) on a GCS fault.
> > + */
> > + if (vm_flags & (VM_READ | VM_WRITE))
>
> Could consider using VM_ACCESS_FLAGS here. For Shadow stacks we'd never
> expect executable properties.

Yes, this is better.

> > + prot = pgprot_val(PAGE_GCS_RO);
> > + else
> > + prot = pgprot_val(protection_map[VM_NONE]);
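
Review bot: the comment added above the `if (vm_flags & (VM_READ | VM_WRITE))` test gives NUMA balancing as the reason for the PAGE_NONE branch, but the branch is selected from the VMA's own flags, so it is taken only when a VM_SHADOW_STACK VMA carries neither VM_READ nor VM_WRITE. The comment should describe that condition (a shadow stack VMA with no access flags set) rather than name a caller. It also says PAGE_NONE while the code reads protection_map[VM_NONE]; using the same name in both places would make the intent easier to check.
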
>
> change_protection() documents that "This is assuming that NUMA faults are
> handled using PROT_NONE. If an architecture makes a different choice, it
> will need further changes to the core."
>
> So task_numa_work()->change_prot_numa()->change_protection() passes "newprot
> = PAGE_NONE".
>
> Where is the vm_get_page_prot() called on that path where your change would
> make a difference?
>
> I'd think that vm_get_page_prot() gets only invoked through a "proper"
> mprotect() in mprotect_fixup()->vma_set_page_prot()...->vm_get_page_prot(),
> not for NUMA hinting that leaves the VMA untouched.
>
> OTOH, I wonder whether mprotect(PROT_NONE) could trigger the path you
> thought of above.

I started with the mprotect(PROT_NONE) in mind but thought the NUMA case
is a better argument. You are right, it doesn't use the same path.

I need to check what we do with mprotect(PROT_NONE). If it's not
rejected somewhere on the path to change_protect(), we end up with an
accessible GCS mapping. Maybe it doesn't matter much but I'd rather have
the access disabled. Anyway, I'll write some test next week to see what
it does. The above comment will need to be changed.

Thanks for the review.

--
Catalin