December 2022 - linux-morello - op-lists.linaro.org

[PATCH v2 00/15] New CHERI API and separation of root capabilities

by Kevin Brodsky

Hi, This series is a follow-up to the RFC "New CHERI API and rehauled user_ptr.h", with a slightly different scope to make it more self-contained. There are two main focuses for this series: 1. Introducing linux/cheri.h. There is no fundamental change compared to v1 here. 2. Deriving all capabilities from an appropriate userspace root capability (cheri_user_root_*) instead of morello_root_cap. v1 started this by reimplementing uaddr_to_user_ptr*, this series finishes up the work. The focus of v1, adding generic functions to linux/user_ptr.h, has been dropped and will reappear in a separate series. Some more details on the choice of root capabilities (see the comment in patch 5 regarding cheri_user_root_*): * In purecap, the PCuABI spec gives us good guidance on which root capability we should use where. Namely: - cheri_user_root_cap for almost all capabilities. The permissions correspond to the maximum permissions obtainable via mmap(). As we progress through the second phase, the bounds/permissions of capabilities derived from this root will be restricted as specified, and DDC will be set to null. - cheri_user_root_{seal,cid}_cap for the AT_CHERI_{SEAL,CID}_CAP. These capabilities exist precisely because their permissions (Seal/Unseal/CompartmentID) are not provided in regular capabilities (derived from cheri_user_root_cap). - cheri_user_root_all_cap for capabilities created via (privileged) ptrace. See patch 13 for some details on this. * In hybrid, the de facto ABI is what Documentation/arm64/morello.rst says. As there is no mechanism to obtain special permissions, all capabilities are derived from cheri_user_root_all_cap. The documentation is updated accordingly. This series introduces functional changes by restricting the bounds/permissions of all userspace capabilities, but these restrictions should not affect any valid use-case. More specifically: * In purecap, the bounds of all capabilities are restricted to the user address space. See above for details on permissions. * In hybrid, the bounds of capabilities are also restricted to the user address space. All relevant permissions remain available. CSP is no longer initialised to a valid capability, as this is neither required nor documented. More detailed changelog below. v1..v2: * Addressing review comments: - Reformatted the function documentation to make kernel-doc -v (mostly) happy. - Added some comment clarifying what CHERI_PERM_SW_VMEM is about. - Renamed ARCH_HAS_CHERI_H to HAVE_ARCH_CHERI_H. - Renamed cheri_root*_cap_userspace to cheri_user_root_*cap and added some description of each. - Renamed cheri_check_cap_data_access() to cheri_check_cap(). * New patches: - Derive compat_ptr() from cheri_user_root_all_cap (deriving from DDC proved more complicated than expected, created a ticket for that [1]) - Derive AT_CHERI_{SEAL,CID}_CAP from cheri_user_root_{seal,cid}_cap - Initialisation of capability registers from cheri_user_root_* (with a clear separation between purecap and hybrid) - Capabilities created via (privileged) ptrace now derived from cheri_user_root_all_cap - Remove morello_root_cap (no longer used) - Update documentation to reflect cheri_user_root_all_cap being the new root capability in hybrid * Other changes: - As per a recent update to the PCuABI spec, the BranchSealedPair is no longer part of the rootcap permission set. It is still needed in certain user capabilities, so moved it from CHERI_PERMS_ROOTCAP to explicit addition to cheri_user_root_cap in morello.c. - Added cheri_user_root_all_cap, the "root of roots" with all permissions. cheri_user_root_cid_cap is now derived from it too, so its bounds are not the whole address space any more. - Patch 8/9 (new functions in user_ptr.h) dropped. - Rebased on next. Review branch: https://git.morello-project.org/kbrodsky-arm/linux/-/commits/cheri_ptr_api_… Thanks, Kevin [1] https://git.morello-project.org/morello/kernel/linux/-/issues/40 Kevin Brodsky (15): pps: Add missing #include linux/user_ptr.h: Remove kaddr_to_user_ptr() linux/user_ptr.h: Improve comment formatting arm64: uapi: Add asm/cheri.h linux/cheri.h: Introduce CHERI helpers arm64: morello: Implement cheri.h fs/binfmt_elf: Use appropriate caps for AT_CHERI_{SEAL,CID}_CAP arm64: compat: Use appropriate root cap in compat_ptr() in PCuABI linux/user_ptr.h: Generic PCuABI impl for uaddr_to_user_ptr* arm64: Remove asm/user_ptr.h arm64: morello: Initialise user capabilities from cheri_user_root_* arm64: morello: Initialise user DDC from cheri_user_root_* arm64: morello: Build arbitrary user caps using appropriate root arm64: morello: Remove morello_root_cap arm64: morello: Update root capability in documentation Documentation/arm64/morello.rst | 23 +++-- Documentation/core-api/user_ptr.rst | 8 -- arch/Kconfig | 2 +- arch/arm64/Kconfig | 2 +- arch/arm64/include/asm/cheri.h | 11 +++ arch/arm64/include/asm/compat.h | 9 +- arch/arm64/include/asm/morello.h | 12 ++- arch/arm64/include/asm/user_ptr.h | 43 --------- arch/arm64/include/uapi/asm/cheri.h | 11 +++ arch/arm64/kernel/morello.c | 143 +++++++++++++++++----------- arch/arm64/kernel/process.c | 2 +- arch/arm64/kernel/ptrace.c | 2 +- arch/arm64/lib/morello.S | 17 ++-- drivers/pps/pps.c | 1 + fs/binfmt_elf.c | 10 +- include/linux/cheri.h | 132 +++++++++++++++++++++++++ include/linux/user_ptr.h | 69 ++++++-------- lib/Makefile | 3 + lib/cheri.c | 72 ++++++++++++++ lib/user_ptr.c | 26 +++++ 20 files changed, 413 insertions(+), 185 deletions(-) create mode 100644 arch/arm64/include/asm/cheri.h delete mode 100644 arch/arm64/include/asm/user_ptr.h create mode 100644 arch/arm64/include/uapi/asm/cheri.h create mode 100644 include/linux/cheri.h create mode 100644 lib/cheri.c create mode 100644 lib/user_ptr.c -- 2.38.1

1 year, 9 months

3
39
0 0

[PATCH] arm64: compat64: Restore size of newsp/tls clone arguments

by Kevin Brodsky

A subtle ABI change was introduced in compat64 by "clone: Alter clone to accept capabilities". Indeed, since there is no compat handler for clone, the native one is also used for compat64. This is where the way we convert compat64 syscall arguments to native is showing its limits: if a syscall wrapper expects a capability-sized argument, compat_ptr() is used to convert the user-provided 64-bit value to a capability. In general, this is what we want, and in fact it is the case for the parent_tidptr and child_tidptr arguments of clone, which are ordinary pointers to user data. However, the newsp and tls arguments are special: they specify the value to set registers to. We should not alter these values in any way: in PCuABI, they are capabilities and we set CSP/CTPIDR accordingly, but in hybrid, they are still 64-bit values and we should only set the lower 64 bits of CSP/CTPIDR. This is not the case in compat64 as compat_ptr() is called to turn these 64-bit values into capabilities. The most correct solution would be to introduce a generic compat clone wrapper, but this is rather painful as clone has 4 possible prototypes depending on the architecture. Given that the issue is completely specific to the hybrid ABI, overriding the compat64 syscall wrapper in sys_compat64.c feels like a reasonable compromise. Signed-off-by: Kevin Brodsky <kevin.brodsky(a)arm.com> --- I've realised this inconsistency while thinking about the initialisation of capability registers ("New CHERI API and separation root capabilities" series), as well as reviewing the clone3 series. We are already doing the right thing for clone3, time to align clone. arch/arm64/kernel/sys_compat64.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/arch/arm64/kernel/sys_compat64.c b/arch/arm64/kernel/sys_compat64.c index 819b895ec21d..b3c4cf9f3af8 100644 --- a/arch/arm64/kernel/sys_compat64.c +++ b/arch/arm64/kernel/sys_compat64.c @@ -9,6 +9,7 @@ #include <linux/compat.h> #include <linux/compiler.h> +#include <linux/sched/task.h> #include <linux/syscalls.h> #include <asm/syscall.h> @@ -83,6 +84,33 @@ #define __arm64_compatentry_compat_sys_setitimer __arm64_compatentry_sys_setitimer #define __arm64_compatentry_compat_sys_getrusage __arm64_compatentry_sys_getrusage +/* + * This is exactly the same definition as the native clone, except that newsp + * and tls are defined as unsigned long, not user_uintptr_t. When the native ABI + * is PCuABI, this prevents capabilities from being implicitly created for the + * stack/TLS in compat64 by the syscall wrapper. This ensures alignment with the + * hybrid ABI (i.e. CSP/CTPIDR are set to the 64-bit values passed to clone()). + */ +COMPAT_SYSCALL_DEFINE5(arm64_clone, unsigned long, clone_flags, unsigned long, newsp, + int __user *, parent_tidptr, + unsigned long, tls, + int __user *, child_tidptr) +{ + struct kernel_clone_args args = { + .flags = (lower_32_bits(clone_flags) & ~CSIGNAL), + .pidfd = parent_tidptr, + .child_tid = child_tidptr, + .parent_tid = parent_tidptr, + .exit_signal = (lower_32_bits(clone_flags) & CSIGNAL), + .stack = newsp, + .tls = tls, + }; + + return kernel_clone(&args); +} + +#define __arm64_compatentry_sys_clone __arm64_compatentry_compat_sys_arm64_clone + asmlinkage long sys_ni_syscall(void); asmlinkage long __arm64_compatentry_sys_ni_syscall(const struct pt_regs *__unused) -- 2.38.1

1 year, 9 months

3
6
0 0

[PATCH v2] linux/user_ptr.h: clear up as_user_ptr() usage

by Zachary Leaf

as_user_ptr() is intended to be used where an arbitrary integer e.g. an error code is stored in a __user ptr. The current implementation can be somewhat confusing in that it looks like it can be used as direct replacement for u64_to_user_ptr e.g. in PCuABI, where u64 addresses in the kernel-user interface are being replaced with capability containing types such as __kernel_uintptr_t. Currently, passing a valid capability e.g. a __kernel_uintptr_t, __uintcap_t or user_uintptr_t etc to as_user_ptr() will result in a cast to (void __user *) and a valid capability/pointer that can be dereferenced. This is contrary to the code comment and intended usage for as_user_ptr(). Add a cast to (u64) before the cast to (void __user *)(user_uintptr_t) to make clearer the intended usage. This also always results in a null capability that cannot be dereferenced. Signed-off-by: Zachary Leaf <zachary.leaf(a)arm.com> --- rendered version: https://git.morello-project.org/zdleaf/linux/-/blob/dev/as_user_ptr/Documen… Documentation/core-api/user_ptr.rst | 22 +++++++++++++++++----- include/linux/user_ptr.h | 6 +++--- 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/Documentation/core-api/user_ptr.rst b/Documentation/core-api/user_ptr.rst index 21e02d4bd11b..b4b9afe88095 100644 --- a/Documentation/core-api/user_ptr.rst +++ b/Documentation/core-api/user_ptr.rst @@ -31,7 +31,8 @@ errors are likely to occur in PCuABI if it is omitted. In certain situations, it is more convenient to represent user pointers as integers. The type ``user_uintptr_t`` must be used for that purpose. It is **the only integer type** that may be directly cast to and from a -user pointer, for instance ``user_uintptr_t u = (user_uintptr_t)uptr``. +user pointer, for instance ``user_uintptr_t uint = (user_uintptr_t)uptr`` +or ``void __user *uptr = (void __user *)uint``. Note that ``(u)intptr_t`` is the recommended type to represent kernel pointers, but it cannot represent user pointers. @@ -106,6 +107,13 @@ Each function covers a particular category of input integer: - Integer of any type: ``as_user_ptr()`` - ``u64`` (deprecated): ``u64_to_user_ptr()`` +Note: ``as_user_ptr()`` nullifies any capability and is not a +replacement for all uses of ``u64_to_user_ptr()``. To convert an integer +representation of a user pointer i.e. user_uintptr_t back to pointer +type, a simple cast such as ``(void __user *)`` is sufficient. See +`Representing user pointers`_ and notes for ``as_user_ptr()`` and +``u64_to_user_ptr()`` below. + These functions are available in ``<linux/user_ptr.h>``, except ``compat_ptr()`` (``<linux/compat.h>``). @@ -142,16 +150,20 @@ derived from in the PCuABI case. | | | ``compat_*`` struct | | | +------------------------------+--------------------+------------------------+-----------------------------------+------------------------------------------------------+ | ``as_user_ptr()`` | Arbitrary integer | Error code | Null capability | This is a pure representation change, as suggested | -| | | | | by the ``as_`` prefix. The resulting pointer cannot | -| | | | | be dereferenced. | +| | | | | by the ``as_`` prefix. Returns up to 64 bits of an | +| | | | | arbitrary integer represented as a user pointer. The | +| | | | | result is not a valid pointer and cannot be | +| | | | | dereferenced. | +------------------------------+--------------------+------------------------+-----------------------------------+------------------------------------------------------+ | ``u64_to_user_ptr()`` | ``u64`` integer | [Deprecated] | Null capability | Legacy function, new callers should not be added. | | | | | | Existing callers should move to either | | | | | | ``as_user_ptr()`` if the user pointer is not used to | | | | | | access memory, or ``uaddr_to_user_ptr()`` if the | | | | | | input is an address and the user pointer is | -| | | | | dereferenced (or ideally removed if the uapi can be | -| | | | | changed appropriately). | +| | | | | dereferenced (or ideally replace u64 with a | +| | | | | capability containing type such as | +| | | | | ``__kernel_uintptr_t`` if the uapi can be changed | +| | | | | appropriately). | +------------------------------+--------------------+------------------------+-----------------------------------+------------------------------------------------------+ diff --git a/include/linux/user_ptr.h b/include/linux/user_ptr.h index 0942b58cfb6a..516024f3fead 100644 --- a/include/linux/user_ptr.h +++ b/include/linux/user_ptr.h @@ -12,10 +12,10 @@ * as_user_ptr - convert an arbitrary integer value to a user pointer * @x: the integer value to convert * - * Returns @x represented as a user pointer. The result is not a valid pointer - * and shall not be dereferenced. + * Returns up to 64 bits of @x represented as a user pointer. The result is + * not a valid pointer and shall not be dereferenced. */ -#define as_user_ptr(x) ((void __user *)(user_uintptr_t)(x)) +#define as_user_ptr(x) ((void __user *)(user_uintptr_t)(u64)(x)) /* Same semantics as as_user_ptr(), but also requires x to be of a given type */ #define as_user_ptr_strict(type, x) ( \ -- 2.34.1

1 year, 10 months

2
2
0 0

[PATCH v2] arm64/asm: update some compat defines to 64-bits

by Teo Couprie Diaz

Some compat defines are still using 32-bits values, update them to a 64-bits one (COMPAT_OFF_T_MAX) or use the native value in COMPAT64 (COMPAT_RLIM_INFINITY, COMPAT_MINSIGSTKSZ). Signed-off-by: Teo Couprie Diaz <teo.coupriediaz(a)arm.com> --- arch/arm64/include/asm/compat.h | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/arch/arm64/include/asm/compat.h b/arch/arm64/include/asm/compat.h index 9c6112ae942b..85b6972745de 100644 --- a/arch/arm64/include/asm/compat.h +++ b/arch/arm64/include/asm/compat.h @@ -15,6 +15,7 @@ typedef u16 compat_mode_t; /* * Architecture specific compatibility types */ +#include <linux/resource.h> #include <linux/types.h> #include <linux/sched.h> #include <linux/sched/task_stack.h> @@ -100,9 +101,15 @@ struct compat_statfs { compat_long_t f_spare[4]; }; +#ifdef CONFIG_COMPAT64 +#define COMPAT_RLIM_INFINITY RLIM_INFINITY + +#define COMPAT_OFF_T_MAX 0x7fffffffffffffff +#else #define COMPAT_RLIM_INFINITY 0xffffffff #define COMPAT_OFF_T_MAX 0x7fffffff +#endif static inline void __user *compat_ptr(compat_uptr_t uptr) { @@ -115,7 +122,12 @@ static inline void __user *compat_ptr(compat_uptr_t uptr) #define compat_ptr(uptr) compat_ptr(uptr) #define compat_user_stack_pointer() (user_stack_pointer(task_pt_regs(current))) + +#ifdef CONFIG_COMPAT64 +#define COMPAT_MINSIGSTKSZ MINSIGSTKSZ +#else #define COMPAT_MINSIGSTKSZ 2048 +#endif #ifdef CONFIG_COMPAT64 #define COMPAT_USE_64BIT_TIME 1 -- 2.25.1

1 year, 10 months

2
2
0 0

[PATCH] linux/user_ptr.h: clear up as_user_ptr() usage

by Zachary Leaf

as_user_ptr() is intended to be used where an arbitrary integer e.g. an error code is stored in a __user ptr. The current implementation can be somewhat confusing in that it looks like it can be used as direct replacement for u64_to_user_ptr e.g. in PCuABI, where u64 addresses in the kernel-user interface are being replaced with capability containing types such as __kernel_uintptr_t. Currently, passing a valid capability represented as an integer e.g. any __kernel_uintptr_t, __uintcap_t or user_uintptr_t to as_user_ptr() will result in a cast to (void __user *) and a valid capability/pointer that can be dereferenced. This is contrary to the code comment and intended usage for as_user_ptr(). Add a cast to (u64) before the cast to (void __user *)(user_uintptr_t) to make clearer the intended usage. This also always results in a null capability that cannot be dereferenced. Signed-off-by: Zachary Leaf <zachary.leaf(a)arm.com> --- Documentation/core-api/user_ptr.rst | 6 +++--- include/linux/user_ptr.h | 5 +++-- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/Documentation/core-api/user_ptr.rst b/Documentation/core-api/user_ptr.rst index 21e02d4bd11b..e4cc0676a92b 100644 --- a/Documentation/core-api/user_ptr.rst +++ b/Documentation/core-api/user_ptr.rst @@ -103,7 +103,7 @@ Each function covers a particular category of input integer: * **Arbitrary integer**: - - Integer of any type: ``as_user_ptr()`` + - 64-bit or less integer, of any type: ``as_user_ptr()`` - ``u64`` (deprecated): ``u64_to_user_ptr()`` These functions are available in ``<linux/user_ptr.h>``, except @@ -141,8 +141,8 @@ derived from in the PCuABI case. | | | user-provided | | pointer to a native user pointer. | | | | ``compat_*`` struct | | | +------------------------------+--------------------+------------------------+-----------------------------------+------------------------------------------------------+ -| ``as_user_ptr()`` | Arbitrary integer | Error code | Null capability | This is a pure representation change, as suggested | -| | | | | by the ``as_`` prefix. The resulting pointer cannot | +| ``as_user_ptr()`` | Arbitrary 64-bit | Error code | Null capability | This is a pure representation change, as suggested | +| | or less integer | | | by the ``as_`` prefix. The resulting pointer cannot | | | | | | be dereferenced. | +------------------------------+--------------------+------------------------+-----------------------------------+------------------------------------------------------+ | ``u64_to_user_ptr()`` | ``u64`` integer | [Deprecated] | Null capability | Legacy function, new callers should not be added. | diff --git a/include/linux/user_ptr.h b/include/linux/user_ptr.h index 0942b58cfb6a..183e40ccc51f 100644 --- a/include/linux/user_ptr.h +++ b/include/linux/user_ptr.h @@ -9,13 +9,14 @@ #endif /** - * as_user_ptr - convert an arbitrary integer value to a user pointer + * as_user_ptr - convert an arbitrary 64-bit or less integer value to a user + * pointer * @x: the integer value to convert * * Returns @x represented as a user pointer. The result is not a valid pointer * and shall not be dereferenced. */ -#define as_user_ptr(x) ((void __user *)(user_uintptr_t)(x)) +#define as_user_ptr(x) ((void __user *)(user_uintptr_t)(u64)(x)) /* Same semantics as as_user_ptr(), but also requires x to be of a given type */ #define as_user_ptr_strict(type, x) ( \ -- 2.34.1

1 year, 11 months

2
2
0 0

[PATCH] arm64/asm: use a 64bits rlim infinity in COMPAT64

by Teo Couprie Diaz

For arm64, COMPAT_RLIM_INFINITY was explicitly defined as a 0xffffffff, which is 32-bits. This was fine when COMPAT was only 32-bits, but is too restrictive for COMPAT64. Add a new define in COMPAT64 which uses the same define as the regular RLIM_INFINITY in asm-generic/resrouce.h, based on an unsigned long. Signed-off-by: Teo Couprie Diaz <teo.coupriediaz(a)arm.com> --- arch/arm64/include/asm/compat.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/arm64/include/asm/compat.h b/arch/arm64/include/asm/compat.h index 9c6112ae942b..f5ebdd9600a5 100644 --- a/arch/arm64/include/asm/compat.h +++ b/arch/arm64/include/asm/compat.h @@ -100,7 +100,11 @@ struct compat_statfs { compat_long_t f_spare[4]; }; +#ifdef CONFIG_COMPAT64 +#define COMPAT_RLIM_INFINITY (~0UL) +#else #define COMPAT_RLIM_INFINITY 0xffffffff +#endif #define COMPAT_OFF_T_MAX 0x7fffffff -- 2.25.1

1 year, 11 months

2
2
0 0

[PATCH v5 0/3] fork: clone3: Capabilities support

by Beata Michalska

Hi All, This series adds capabilities support for clone3 syscall along with set of testcases in morello clone kselftests. Changes available at: https://git.morello-project.org/Bea/linux/-/tree/morello/clone3_v5 LTP changes: https://git.morello-project.org/Bea/morello-linux-ltp/-/tree/morello/clone3 To run clone3 tests: ./runltp -f syscalls -s clone3 v5: [PATCH 3/3] - improved handling of default size for clone3 args - fixed alignment in code layout - dropped redundant cast v4: [PATCH 1/3] - fixed commit message referring to the wrong copy routine [PATCH 3/3] - dropped setting default size for clone3 args - dropped stale comment regarding re-using bits from clone_args flags - switched ASSERT_FALSE to ASSERT_EQ when comparing pids in child process - added caching tls value to safely unmap memory - added validation for both clone stack and tls - switch from clone_args-> tls to actual thread data when checking for tag in cloned process v3: [PATCH 1/3]: - updated commit message to reflect actual changes [PATCH 2/3]: - fixed type casting and sizes for copy routines - swapped order of args for clone_args_size_ver [PATCH 3/3]: - added dedicated field for test custom flags instead of 'borrowing' one from clone_args struct - added test for stack before calling munmap in failing test cases - switched to WSTOPPED for waitid call v2: - add copy_struct_from_user_with_ptr variant - drop explicit padding from clone_args struct - switch __alignof__ to sizeof for struct sizing conditions - use __clone_args_size_ver macro when validating struct layout - cache the current compat mode instead of relying on compiler optimizations - drop use of as_user_ptr in favour of explicit casting - use clone_args struct directly for kselftest test fixture - add signalling to better handle dependencies between test threads Beata Michalska (3): uaccess: Preserve capability tags with copy_struct_from_user_with_ptr fork: clone3: Add support for architectural capabilities kselftests/arm64: morello: Add clone3 test-cases include/linux/uaccess.h | 60 ++++- include/uapi/linux/sched.h | 30 ++- kernel/fork.c | 139 ++++++++--- .../testing/selftests/arm64/morello/Makefile | 1 + tools/testing/selftests/arm64/morello/clone.c | 223 +++++++++++++++++- 5 files changed, 401 insertions(+), 52 deletions(-) -- 2.25.1

1 year, 11 months

2
5
0 0

[PATCH v3] uapi/socket: align with long rather than void*

by Teo Couprie Diaz

void* is used to align to 32-bits or 64-bits on 32 and 64 bits archs. The pure-capability ABI breaks this assumption as the pointer size is different than the word size, which is where the alignment requirement comes from. Indeed, the pointer size, and so void *, is now 16 bytes whereas the expected alignment is still 8 bytes, as it is a different ABI but for a 64-bit arch. Change it to an unsigned long. Musl uses the same type for its definition of struct sockaddr_storage. Signed-off-by: Teo Couprie Diaz <teo.coupriediaz(a)arm.com> --- include/uapi/linux/socket.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/uapi/linux/socket.h b/include/uapi/linux/socket.h index 51d6bb2f6765..28ff6a4aebca 100644 --- a/include/uapi/linux/socket.h +++ b/include/uapi/linux/socket.h @@ -22,7 +22,7 @@ struct __kernel_sockaddr_storage { /* space to achieve desired size, */ /* _SS_MAXSIZE value minus size of ss_family */ }; - void *__align; /* implementation specific desired alignment */ + unsigned long __align; /* implementation specific desired alignment */ }; }; -- 2.25.1

1 year, 11 months

2
1
0 0

[PATCH v3 0/3] Introduce VM_READ_CAPS and VM_WRITE_CAPS flags

by Tudor Cretu

This patch series addresses the VM_READ_CAPS/VM_WRITE_CAPS flags issue: https://git.morello-project.org/morello/kernel/linux/-/issues/36 io_uring system uses buffers shared with userspace to read the io events and report their results. The structs that populate the submission and completion queues can contain capabilities. Shared mappings don't have the Load/Store capabilities permission to avoid leaking capabilities outside their original address space, so add two new VM flags that would allow the kernel to set up such mappings. While at it, also fix pte_modify to allow setting PTE_*_CAPS flags, add new the new rc/wc smaps flags, and remove the automatic addition of PTE_*_CAPS to user mappings. To note: this wouldn't allow userspace to make arbitrary shared mappings with tag access, the new VM flags would be for internal use only for the time being. v3: - Improved documentation, comments, and commit message - Fixed condition in Patch 3, now tested properly with Morello GDB v2: - Removed Patch 1 from the series as it wasn't essential - Added docs to Documentation/filesystems/proc.rst - Removed VM_RW_CAPS - Moved definition of VM_*_CAPS just after the definition of VM_MTE - Added details for a TODO related to file-backed mappings - Introduced Patch 3 that removes an assumption about shared mappings Review branch: https://git.morello-project.org/tudcre01/linux/-/commits/vm_rw_caps_v3/ Thanks, Tudor Tudor Cretu (3): arm64: morello: Add VM_READ_CAPS and VM_WRITE_CAPS flags arm64: morello: Explicitly add VM_*_CAPS to private user mappings arm64: morello: Check against VM_WRITE_CAPS in access_remote_cap Documentation/filesystems/proc.rst | 2 ++ arch/arm64/Kconfig | 1 + arch/arm64/include/asm/mman.h | 26 ++++++++++++++++++++++++-- arch/arm64/include/asm/page.h | 3 ++- arch/arm64/include/asm/pgtable-prot.h | 12 +++++------- arch/arm64/kernel/morello.c | 7 +++---- fs/proc/task_mmu.c | 4 ++++ include/linux/mm.h | 8 ++++++++ 8 files changed, 49 insertions(+), 14 deletions(-) -- 2.25.1

1 year, 11 months

2
5
0 0

[PATCH v2] uapi/socket: align with long rather than void*

by Teo Couprie Diaz

void* is used to align to 32-bits or 64-bits on 32 and 64 bits archs. Purecap breaks this assumption. As struct __kernel_sockaddr_storage is used for both Aarch64 and purecap user structs, we cannot reliably use void* for alignment. Change it to an unsigned long. Musl uses the same type for its definition of struct sockaddr_storage. Signed-off-by: Teo Couprie Diaz <teo.coupriediaz(a)arm.com> --- include/uapi/linux/socket.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/uapi/linux/socket.h b/include/uapi/linux/socket.h index 51d6bb2f6765..28ff6a4aebca 100644 --- a/include/uapi/linux/socket.h +++ b/include/uapi/linux/socket.h @@ -22,7 +22,7 @@ struct __kernel_sockaddr_storage { /* space to achieve desired size, */ /* _SS_MAXSIZE value minus size of ss_family */ }; - void *__align; /* implementation specific desired alignment */ + unsigned long __align; /* implementation specific desired alignment */ }; }; -- 2.25.1

1 year, 11 months

2
6
0 0

2024

2023

2022

linux-morello December 2022