path: root/mm/Kconfig.debug
author Zong Li <> 2020-06-03 16:03:52 -0700
committer Linus Torvalds <> 2020-06-03 20:09:49 -0700
commit 375d315cbfdb50e1eda099d4d004f7f401285111 (patch)
tree 2d94b3c7be1f65cbf82c2cc10e92a4dd6b497ca2 /mm/Kconfig.debug
parent 4fb6eabf1037cfbef90a26412492aeae5580cf0a (diff)
mm: add DEBUG_WX support
Patch series "Extract DEBUG_WX to shared use".

Some architectures support DEBUG_WX function, it's verbatim from each other, so extract to mm/Kconfig.debug for shared use.

PPC and ARM ports don't support generic page dumper yet, so we only refine x86 and arm64 port in this patch series.

For RISC-V port, the DEBUG_WX support depends on other patches which have been merged already:
- RISC-V page table dumper
- Support strict kernel memory permissions for security

This patch (of 4):

Some architectures support DEBUG_WX function, it's verbatim from each other. Extract to mm/Kconfig.debug for shared use.

[ reword text, per Will Deacon & Zong Li]
Link:
[ remove the specific name of arm64]
Link:
[ add MMU dependency for DEBUG_WX]
Link:
Suggested-by: Palmer Dabbelt <>
Signed-off-by: Zong Li <>
Signed-off-by: Andrew Morton <>
Cc: Paul Walmsley <>
Cc: Thomas Gleixner <>
Cc: Ingo Molnar <>
Cc: Borislav Petkov <>
Cc: "H. Peter Anvin" <>
Cc: Catalin Marinas <>
Cc: Will Deacon <>
Link:
Link:
Signed-off-by: Linus Torvalds <>
Diffstat (limited to 'mm/Kconfig.debug')
1 files changed, 32 insertions, 0 deletions
diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
index 0271b22e063f..2409f7fc1567 100644
--- a/mm/Kconfig.debug
+++ b/mm/Kconfig.debug
@@ -118,6 +118,38 @@ config DEBUG_RODATA_TEST
This option enables a testcase for the setting rodata read-only.
+ bool
+config DEBUG_WX
+ bool "Warn on W+X mappings at boot"
+ depends on ARCH_HAS_DEBUG_WX
+ depends on MMU
+ select PTDUMP_CORE
+ help
+ Generate a warning if any W+X mappings are found at boot.
+ This is useful for discovering cases where the kernel is leaving W+X
+ mappings after applying NX, as such mappings are a security risk.
+ Look for a message in dmesg output like this:
+ <arch>/mm: Checked W+X mappings: passed, no W+X pages found.
+ or like this, if the check failed:
+ <arch>/mm: Checked W+X mappings: failed, <N> W+X pages found.
+ Note that even if the check fails, your kernel is possibly
+ still fine, as W+X mappings are not a security hole in
+ themselves, what they do is that they make the exploitation
+ of other unfixed kernel bugs easier.
+ There is no runtime or memory usage effect of this option
+ once the kernel has booted up - it's a one time check.
+ If in doubt, say "Y".
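Review bot: the DEBUG_WX help text ends with 'If in doubt, say "Y"', but the entry as shown carries no default line, so any configuration that never answers the prompt ends up with the W+X check disabled. If the intent is that kernels get this check unless someone opts out, add a default to the entry or state in the help text that architectures are expected to enable it in their defconfig. Also in the same entry, "select PTDUMP_CORE" sits under only "depends on ARCH_HAS_DEBUG_WX" and "depends on MMU"; since select does not honour the selected symbol's own dependencies, it is worth confirming that PTDUMP_CORE needs nothing beyond those two. Finally, the help text calls W+X mappings "a security risk" and a few lines later "not a security hole in themselves"; a single sentence stating that they weaken NX hardening rather than being a bug by themselves would read more consistently.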