- linux-morello - op-lists.linaro.org

[Announcement] Integration drop 1.6 - changelog

by Kevin Brodsky

Hi, The top of the master branch has been tagged [0] as part of the integration drop 1.6. Below is the changelog for kernel users, since the previous integration drop (1.5). New features ------------ - Read/write tag access in mappings is now advertised as rc/wc in /proc/<pid>/smaps [1]. - The clone3 syscall now reads full capabilities from userspace in PCuABI, thanks to an updated layout for struct clone_args. The new struct definition is documented in the PCuABI specification [2]. - Device trees for the Morello board and FVP are now included [3]. - A minimal set of options to run a graphical environment is now enabled in the transitional PCuABI defconfig [4]. - The branch was rebased on the 6.1 upstream release. The only user-facing Morello-related change is an updated value for HWCAP2_MORELLO; see the announcement email [5] for details. Bug fixes --------- - Fixed ptrace(PTRACE_POKEDATA) writing too much data in purecap. - Fixed most remaining LTP failures in compat64 and purecap (notably by fixing struct layouts and updating internal constants for compat64). - Fixed a Bionic tests failure in compat64, which was due to the preadv/pwritev syscall handlers misreading the offset argument. - Fixed the vast majority of warnings when building the kernel with GCC. Cheers, Kevin [0] https://git.morello-project.org/morello/kernel/linux/-/commits/morello-rele… [1] https://git.morello-project.org/morello/kernel/linux/-/blob/morello-release… [2] https://git.morello-project.org/morello/kernel/linux/-/wikis/Morello-pure-c… [3] arch/arm64/boot/dts/arm/morello-{soc,fvp}.dts [4] arch/arm64/configs/morello_transitional_pcuabi_defconfig [5] https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org…

3 years

1
0
0 0

[linux-morello][PATCH 00/10] enable nfs rootfs

by Pawel Zalewski

This series of patches enables nfs rootfs support on the Morello board. Patches 01 and 02 fix the inital kernel build error associated with a wrong function pointer type within the sunrpc modules due to the unlocked_ioctl fp, the error occurs upon enabling nfs within the defconfig. Patches 03-09 deal with the fallout caused by changes inferred by patches 01 and 02. Details can be found in the description of patch 03. Patch 10 is enabling nfs rootfs by default in the kernel. It was confirmed that the kernel can boot with a nfs rootfs, the other affected modules were not tested. Pawel Zalewski (10): net:sunrpc: fix incompatible function pointer type in cache net:sunrpc: fix incompatible function pointer type in rpc_pipe include:linux: proc_ioctl should take user_uintptr_t as argument net:sunrpc: fix incompatible function pointer type in cache sound:core: fix incompatible function pointer type in info scsi:esas2r: fix incompatible function pointer type in esas2r_main pci: fix incompatible function pointer type in proc hwmon: fix incompatible function pointer type in dell-smm-hwmon cpu:mtrr: fix incompatible function pointer type in if defconfig: enable nfs rootfs by default arch/arm64/configs/morello_transitional_pcuabi_defconfig | 2 ++ arch/x86/kernel/cpu/mtrr/if.c | 2 +- drivers/hwmon/dell-smm-hwmon.c | 2 +- drivers/pci/proc.c | 2 +- drivers/scsi/esas2r/esas2r_main.c | 2 +- include/linux/proc_fs.h | 4 ++-- include/sound/info.h | 2 +- net/sunrpc/cache.c | 6 +++--- net/sunrpc/rpc_pipe.c | 2 +- sound/core/info.c | 2 +- 10 files changed, 14 insertions(+), 12 deletions(-) -- 2.34.1

3 years

2
17
0 0

[PATCH v3 0/3] futex: Enable PCuABI memory accesses

by Luca Vizzarro

This commit tackles the issue reported at: https://git.morello-project.org/morello/kernel/linux/-/issues/6 Commit also available at: https://git.morello-project.org/Sevenarth/linux/-/commits/morello/futex-v3 v3: - reworded commit bodies - removed a redundant include - fixed whitespace alignment v2: - split code in 3 commits as suggested - added more details in the commit bodies - updated the TODO notation for futex.h - updated the prefix for A64/C64 definitions in futex.h - updated the asm constraint's name to follow naming conventions - updated the robust list entry fetch code to use the pre-existing helper USER_PTR_ALIGN_DOWN - reverted pointer comparisons Luca Vizzarro (3): arm64: futex: Enable capability-based uaccess futex: Handle capability-based robust list entries futex: Add explicit capability checking TODOs arch/arm64/include/asm/futex.h | 47 ++++++++++++++++++++++++---------- kernel/futex/core.c | 19 ++++++-------- 2 files changed, 41 insertions(+), 25 deletions(-) -- 2.34.1

3 years, 1 month

3
7
0 0

[PATCH] morello: Fix build of kernel due to merge conflicts

by carsten.haitzler＠foss.arm.com

From: Carsten Haitzler <carsten.haitzler(a)arm.com> New conflicts have appeared now in the kernel git. Use checkout not merge to solve this so we can build morello images again. Signed-off-by: Carsten Haitzler <carsten.haitzler(a)arm.com> --- morello/scripts/configure-linux.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/morello/scripts/configure-linux.sh b/morello/scripts/configure-linux.sh index 54933fc..b7dd2b4 100755 --- a/morello/scripts/configure-linux.sh +++ b/morello/scripts/configure-linux.sh @@ -10,7 +10,7 @@ submodule_update() { echo "$1 updating progress..." # Populate repositories git submodule update --init --recursive --progress $1 - git submodule update --remote --merge $1 + git submodule update --remote --checkout $1 } submodule_update_projects() { -- 2.25.1

3 years, 1 month

4
4
0 0

[PATCH v6 0/10] Support io_uring for Purecap apps

by Tudor Cretu

This series makes it possible for purecap apps to use the io_uring system. With these patches, all io_uring LTP tests pass in both Purecap and plain AArch64 modes. Note that the LTP tests only address the basic functionality of the io_uring system and a significant portion of the multiplexed functionality is untested in LTP. I have finished investigating Purecap and plain AArch64 liburing tests and examples and the series is updated accordingly. v6: - Only Patches 8 and 10 are slighlty modified - Fix format issues - Add license header to io_uring_compat.h - Move __io_get_ith_cqe after __io_get_cqe - Remove the const from io_user_data_is_same parameters v5: - Revert changes in trace/events/io_uring.h - Add new header trace/events/io_uring.h for compat structs - Change cqe_cached/ccqe_sentinel to indices - Move print_sqe and print_cqe macros outside of the function - Rename is_compat64_io_ring_ctx to io_in_compat64 - Add helper for user_data values comparison - Add condition to not change addr fielt to a compat_ptr for opcodes where it's a user_data value stored - Other small fixes suggested by Kevin v4: - Rebase on top of morello/next - Remove the union for flags in struct compat_io_uring_sqe and only kept a single member - Improve format and move functions as per feedback on v3 - Add a new helper for checking if context is compat - Remove struct conversion in fdinfo and just use macros - Remove the union from struct io_overflow_cqe and just leave the native struct - Fix the cqe_cached/cqe_sentinel mechanism - Separate the fix for the shared ring size's off-by-one error into a new PATCH 6 - Remove the compat_ptr for addr fields that represent user_data values - Extend the trace events accordingly to propagate capabilities - Use copy*_with_ptr routine for copy_msghdr_from_user in a new PATCH 1 - Fix the misuse of addr2 and off in IORING_OP_CONNECT and IORING_OP_POLL_REMOVE v3: - Introduce Patch 5 which exposes the compat handling logic for epoll_event. This is used then in io_uring/epoll.c. - Introduce Patch 6 which makes sure that when struct iovec is copied from userspace, the capability tags are preserved. - Fix a few sizeof(var) to sizeof(*var). - Use iovec_from_user so that compat handling logic is applied instead of copying directly from user - Add a few missing copy_from_user_with_ptr where suitable. v2: - Rebase on top of release 6.1 - Remove VM_READ_CAPS/VM_LOAD_CAPS patches as they are already merged - Update commit message in PATCH 1 - Add the generic changes PATCH 2 and PATCH 3 to avoid copying user pointers from/to userspace unnecesarily. These could be upstreamable. - Split "pulling the cqes memeber out" change into PATCH 4 - The changes for PATCH 5 and 6 are now split into their respective files after the rebase. - Format and change organization based on the feedback on the previous version, including creating helpers copy_*_from_* for various uAPI structs - Add comments related to handling of setup flags IORING_SETUP_SQE128 and IORING_SETUP_CQE32 - Add handling for new uAPI structs: io_uring_buf, io_uring_buf_ring, io_uring_buf_reg, io_uring_sync_cancel_reg. Gitlab issue: https://git.morello-project.org/morello/kernel/linux/-/issues/2 Review branch: https://git.morello-project.org/tudcre01/linux/-/commits/morello/io_uring_v6 Tudor Cretu (10): net: socket: use copy_from_user_with_ptr for struct user_msghdr io_uring/rw: Restrict copy to only uiov->len from userspace io_uring/tctx: Copy only the offset field back to user io_uring: Pull cqes member out from rings struct epoll: Expose compat handling logic of epoll_event io_uring/kbuf: Fix size for shared buffer ring io_uring: Make cqe_cached and cqe_sentinel indices instead of pointers io_uring: Implement compat versions of uAPI structs and handle them io_uring: Allow capability tag access on the shared memory io_uring: Use user pointer type in the uAPI structs fs/eventpoll.c | 38 ++-- include/linux/eventpoll.h | 4 + include/linux/io_uring_compat.h | 130 +++++++++++++ include/linux/io_uring_types.h | 35 ++-- include/uapi/linux/io_uring.h | 76 ++++---- io_uring/advise.c | 7 +- io_uring/cancel.c | 32 +++- io_uring/cancel.h | 2 +- io_uring/epoll.c | 4 +- io_uring/fdinfo.c | 79 +++++--- io_uring/fs.c | 16 +- io_uring/io_uring.c | 323 ++++++++++++++++++++++++-------- io_uring/io_uring.h | 147 +++++++++++++-- io_uring/kbuf.c | 111 +++++++++-- io_uring/kbuf.h | 8 +- io_uring/msg_ring.c | 4 +- io_uring/net.c | 25 +-- io_uring/openclose.c | 4 +- io_uring/poll.c | 8 +- io_uring/rsrc.c | 138 +++++++++++--- io_uring/rw.c | 22 +-- io_uring/statx.c | 4 +- io_uring/tctx.c | 56 +++++- io_uring/timeout.c | 14 +- io_uring/uring_cmd.c | 5 + io_uring/uring_cmd.h | 4 + io_uring/xattr.c | 12 +- net/socket.c | 2 +- 28 files changed, 1000 insertions(+), 310 deletions(-) create mode 100644 include/linux/io_uring_compat.h -- 2.34.1

3 years, 1 month

2
12
0 0

[PATCH v2 0/3] futex: Enable PCuABI memory accesses

by Luca Vizzarro

This commit tackles the issue reported at: https://git.morello-project.org/morello/kernel/linux/-/issues/6 Commit also available at: https://git.morello-project.org/Sevenarth/linux/-/commits/morello/futex-v2 v2: - split code in 3 commits as suggested - added more details in the commit bodies - updated the TODO notation for futex.h - updated the prefix for A64/C64 definitions in futex.h - updated the asm constraint's name to follow naming conventions - updated the robust list entry fetch code to use the pre-existing helper USER_PTR_ALIGN_DOWN - reverted pointer comparisons Luca Vizzarro (3): arm64: futex: Enable capability-based uaccess futex: Handle capability-based robust list entries futex: Add explicit capability checking TODOs arch/arm64/include/asm/futex.h | 47 ++++++++++++++++++++++++---------- kernel/futex/core.c | 20 +++++++-------- 2 files changed, 42 insertions(+), 25 deletions(-) -- 2.34.1

3 years, 1 month

2
6
0 0

[PATCH v5 0/10] Support io_uring for Purecap apps

by Tudor Cretu

This series makes it possible for purecap apps to use the io_uring system. With these patches, all io_uring LTP tests pass in both Purecap and plain AArch64 modes. Note that the LTP tests only address the basic functionality of the io_uring system and a significant portion of the multiplexed functionality is untested in LTP. I have finished investigating Purecap and plain AArch64 liburing tests and examples and the series is updated accordingly. v5: - Revert changes in trace/events/io_uring.h - Add new header trace/events/io_uring.h for compat structs - Change cqe_cached/ccqe_sentinel to indices - Move print_sqe and print_cqe macros outside of the function - Rename is_compat64_io_ring_ctx to io_in_compat64 - Add helper for user_data values comparison - Add condition to not change addr fielt to a compat_ptr for opcodes where it's a user_data value stored - Other small fixes suggested by Kevin v4: - Rebase on top of morello/next - Remove the union for flags in struct compat_io_uring_sqe and only kept a single member - Improve format and move functions as per feedback on v3 - Add a new helper for checking if context is compat - Remove struct conversion in fdinfo and just use macros - Remove the union from struct io_overflow_cqe and just leave the native struct - Fix the cqe_cached/cqe_sentinel mechanism - Separate the fix for the shared ring size's off-by-one error into a new PATCH 6 - Remove the compat_ptr for addr fields that represent user_data values - Extend the trace events accordingly to propagate capabilities - Use copy*_with_ptr routine for copy_msghdr_from_user in a new PATCH 1 - Fix the misuse of addr2 and off in IORING_OP_CONNECT and IORING_OP_POLL_REMOVE v3: - Introduce Patch 5 which exposes the compat handling logic for epoll_event. This is used then in io_uring/epoll.c. - Introduce Patch 6 which makes sure that when struct iovec is copied from userspace, the capability tags are preserved. - Fix a few sizeof(var) to sizeof(*var). - Use iovec_from_user so that compat handling logic is applied instead of copying directly from user - Add a few missing copy_from_user_with_ptr where suitable. v2: - Rebase on top of release 6.1 - Remove VM_READ_CAPS/VM_LOAD_CAPS patches as they are already merged - Update commit message in PATCH 1 - Add the generic changes PATCH 2 and PATCH 3 to avoid copying user pointers from/to userspace unnecesarily. These could be upstreamable. - Split "pulling the cqes memeber out" change into PATCH 4 - The changes for PATCH 5 and 6 are now split into their respective files after the rebase. - Format and change organization based on the feedback on the previous version, including creating helpers copy_*_from_* for various uAPI structs - Add comments related to handling of setup flags IORING_SETUP_SQE128 and IORING_SETUP_CQE32 - Add handling for new uAPI structs: io_uring_buf, io_uring_buf_ring, io_uring_buf_reg, io_uring_sync_cancel_reg. Gitlab issue: https://git.morello-project.org/morello/kernel/linux/-/issues/2 Review branch: https://git.morello-project.org/tudcre01/linux/-/commits/morello/io_uring_v5 Tudor Cretu (10): net: socket: use copy_from_user_with_ptr for struct user_msghdr io_uring/rw: Restrict copy to only uiov->len from userspace io_uring/tctx: Copy only the offset field back to user io_uring: Pull cqes member out from rings struct epoll: Expose compat handling logic of epoll_event io_uring/kbuf: Fix size for shared buffer ring io_uring: Make cqe_cached and cqe_sentinel indices instead of pointers io_uring: Implement compat versions of uAPI structs and handle them io_uring: Allow capability tag access on the shared memory io_uring: Use user pointer type in the uAPI structs fs/eventpoll.c | 38 ++-- include/linux/eventpoll.h | 4 + include/linux/io_uring_compat.h | 129 +++++++++++++ include/linux/io_uring_types.h | 35 ++-- include/uapi/linux/io_uring.h | 76 ++++---- io_uring/advise.c | 7 +- io_uring/cancel.c | 32 +++- io_uring/cancel.h | 2 +- io_uring/epoll.c | 4 +- io_uring/fdinfo.c | 82 +++++--- io_uring/fs.c | 16 +- io_uring/io_uring.c | 321 +++++++++++++++++++++++--------- io_uring/io_uring.h | 147 +++++++++++++-- io_uring/kbuf.c | 111 +++++++++-- io_uring/kbuf.h | 8 +- io_uring/msg_ring.c | 4 +- io_uring/net.c | 25 +-- io_uring/openclose.c | 4 +- io_uring/poll.c | 8 +- io_uring/rsrc.c | 138 +++++++++++--- io_uring/rw.c | 22 +-- io_uring/statx.c | 4 +- io_uring/tctx.c | 56 +++++- io_uring/timeout.c | 14 +- io_uring/uring_cmd.c | 5 + io_uring/uring_cmd.h | 4 + io_uring/xattr.c | 12 +- net/socket.c | 2 +- 28 files changed, 1000 insertions(+), 310 deletions(-) create mode 100644 include/linux/io_uring_compat.h -- 2.34.1

3 years, 1 month

2
14
0 0

[PATCH v2 0/2] morello: Enable TUN by default

by Kevin Brodsky

Hi, This is a small update to Vincenzo's series enabling TUN/TAP support. v1..v2: - Brought back tun_chr_compat_ioctl(), as we need to keep the handling of struct compat_ifreq being of a different size. The behaviour is otherwise unchanged from v1 (arg is always converted to a user pointer via compat_ptr(), just like when using compat_ptr_ioctl). - Adjusted the commit message in patch 1 accordingly, changed commit title as I suggested in v1. Review branch: https://git.morello-project.org/kbrodsky-arm/linux/-/commits/morello/tun_v2 Thanks, Kevin Vincenzo Frascino (2): net: tun: Fix ioctl handler argument type arm64: morello: Enable TUN in defconfig .../morello_transitional_pcuabi_defconfig | 1 + drivers/net/tun.c | 22 ++++--------------- 2 files changed, 5 insertions(+), 18 deletions(-) -- 2.38.1

3 years, 1 month

2
4
0 0

[PATCH] arm64: signal: Fix stale CSP read

by Kevin Brodsky

When Morello support is enabled, there is no guarantee that the view of a task's X and C registers (e.g. regs->regs and regs->cregs) is coherent (see also the note on "write coalescing" in Documentation/arm64/morello.rst). X/C merging always happens when returning to userspace, but the value of a task's X registers may be updated without the task being scheduled. This may happen due to ptrace(PTRACE_SETREGSET), but also, crucially, when multiple pending signals are delivered at the same time (typically when the task unblocks them). All capability registers are read in preserve_morello_context(), in order to store them in the signal frame, and morello_merge_cap_regs() is called beforehand to update the view of capability registers. However, there was an oversight in one of the initial Morello support commits ("arm64: morello: Context-switch Restricted registers"): regs->csp is also read in signal_sp(), which is called before preserve_morello_context(). signal_sp() may therefore read a stale SP value. signal_sp() has changed several times since that commit, especially to add PCuABI support. The last commit ("arm64: signal: Fix signal_sp() in compat64") made the issue resurface, as regs->csp is now used in compat64 too. The error condition is indeed difficult to hit in PCuABI, as it requires using ptrace with a very precise timing. On the other hand, it can be reliably triggered in compat64 by delivering two signals at the same time: regs->sp is set in setup_return() when the first signal frame is set up, leaving regs->csp unchanged, and signal_sp() will then read a stale SP value through regs->csp to set up the second signal frame. This situation is precisely what the sigpending02 LTP test creates, allowing the bug to be finally caught. To avoid any further issue, the call to morello_merge_cap_regs() is therefore moved to the very beginning of setup_rt_frame(), before any register is read. Note that signal_sp() is also called from the rt_sigreturn handler, but this is not a concern as the register view is up-to-date at the point where a syscall handler is called. Signed-off-by: Kevin Brodsky <kevin.brodsky(a)arm.com> --- arch/arm64/kernel/signal.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/arch/arm64/kernel/signal.c b/arch/arm64/kernel/signal.c index 183293d77f80..81130cc42696 100644 --- a/arch/arm64/kernel/signal.c +++ b/arch/arm64/kernel/signal.c @@ -275,14 +275,6 @@ static int preserve_morello_context(struct morello_context __user *ctx, __put_user_error(sizeof(struct morello_context), &ctx->head.size, err); __put_user_error(0, &ctx->__pad, err); - /* - * current's 64-bit registers may have been modified (e.g. through - * ptrace) since the last time it was scheduled. - * Perform the standard 64-bit / capability register merging, to ensure - * that both views in the signal frame are consistent. - */ - morello_merge_cap_regs(regs); - for (i = 0; i < ARRAY_SIZE(regs->cregs); i++) __morello_put_user_cap_error(regs->cregs[i], &ctx->cregs[i], err); __morello_put_user_cap_error(regs->csp, &ctx->csp, err); @@ -1108,6 +1100,18 @@ static int setup_rt_frame(int usig, struct ksignal *ksig, sigset_t *set, int err = 0; fpsimd_signal_preserve_current_state(); +#ifdef CONFIG_ARM64_MORELLO + /* + * current's 64-bit registers may have been modified since the last + * time it was scheduled. This may have happened through ptrace, but + * also if another signal frame just got set up without returning to + * userspace. + * Perform the standard 64-bit / capability register merging to ensure + * that both views are consistent, as we will need to read the current + * value of all (C/X) registers. + */ + morello_merge_cap_regs(regs); +#endif if (get_sigframe(&user, ksig, regs)) return 1; -- 2.38.1

3 years, 1 month

3
3
0 0

[PATCH] futex: Enable PCuABI memory accesses

by Luca Vizzarro

This commit adds support to the futex module to correctly load, store and handle capabilities. Signed-off-by: Luca Vizzarro <Luca.Vizzarro(a)arm.com> --- This commit tackles the issue reported at: https://git.morello-project.org/morello/kernel/linux/-/issues/6 Commit also available at: https://git.morello-project.org/Sevenarth/linux/-/commits/morello/futex The definitions added at arch/arm64/include/asm/futex.h are open to debate and not final. I assume that the mode switch can be important for many other parts of the project and not just futexes. I thought that this could go in cheri.h but I'm not that knowledgeable in these regards. Hence, I am seeking for feedback. Best, Luca Vizzarro arch/arm64/include/asm/futex.h | 47 ++++++++++++++++++++++++---------- kernel/futex/core.c | 26 +++++++++++-------- kernel/futex/requeue.c | 4 +-- 3 files changed, 50 insertions(+), 27 deletions(-) diff --git a/arch/arm64/include/asm/futex.h b/arch/arm64/include/asm/futex.h index 99d73e8a3175..db85ef63124a 100644 --- a/arch/arm64/include/asm/futex.h +++ b/arch/arm64/include/asm/futex.h @@ -10,6 +10,18 @@ #include <asm/errno.h> +#ifdef CONFIG_CHERI_PURECAP_UABI +#define __SWITCH_TO_C64 " bx #4\n" \ + ".arch morello+c64\n" +#define __SWITCH_TO_A64 " bx #4\n" \ + ".arch morello\n" +#define __ADDR_REGISTER "+C" +#else +#define __SWITCH_TO_C64 +#define __SWITCH_TO_A64 +#define __ADDR_REGISTER "+r" +#endif + #define FUTEX_MAX_LOOPS 128 /* What's the largest number you can think of? */ #define __futex_atomic_op(insn, ret, oldval, uaddr, tmp, oparg) \ @@ -18,20 +30,24 @@ do { \ \ uaccess_enable_privileged(); \ asm volatile( \ -" prfm pstl1strm, %2\n" \ -"1: ldxr %w1, %2\n" \ + __SWITCH_TO_C64 \ +" prfm pstl1strm, [%2]\n" \ +"1: ldxr %w1, [%2]\n" \ insn "\n" \ -"2: stlxr %w0, %w3, %2\n" \ +"2: stlxr %w0, %w3, [%2]\n" \ " cbz %w0, 3f\n" \ " sub %w4, %w4, %w0\n" \ " cbnz %w4, 1b\n" \ " mov %w0, %w6\n" \ "3:\n" \ " dmb ish\n" \ + __SWITCH_TO_A64 \ _ASM_EXTABLE_UACCESS_ERR(1b, 3b, %w0) \ _ASM_EXTABLE_UACCESS_ERR(2b, 3b, %w0) \ - : "=&r" (ret), "=&r" (oldval), "+Q" (*uaddr), "=&r" (tmp), \ - "+r" (loops) \ + /* FIXME: temporary solution for uaddr. Must be reverted to +Q once + * LLVM supports it for capabilities. */ \ + : "=&r" (ret), "=&r" (oldval), __ADDR_REGISTER (uaddr), \ + "=&r" (tmp), "+r" (loops) \ : "r" (oparg), "Ir" (-EAGAIN) \ : "memory"); \ uaccess_disable_privileged(); \ @@ -41,8 +57,7 @@ static inline int arch_futex_atomic_op_inuser(int op, int oparg, int *oval, u32 __user *_uaddr) { int oldval = 0, ret, tmp; - /* TODO [PCuABI] - perform the access via the user capability */ - u32 *uaddr = (u32 *)user_ptr_addr(__uaccess_mask_ptr(_uaddr)); + u32 __user *uaddr = __uaccess_mask_ptr(_uaddr); if (!access_ok(_uaddr, sizeof(u32))) return -EFAULT; @@ -85,20 +100,20 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *_uaddr, int ret = 0; unsigned int loops = FUTEX_MAX_LOOPS; u32 val, tmp; - u32 *uaddr; + u32 __user *uaddr; if (!access_ok(_uaddr, sizeof(u32))) return -EFAULT; - /* TODO [PCuABI] - perform the access via the user capability */ - uaddr = (u32 *)user_ptr_addr(__uaccess_mask_ptr(_uaddr)); + uaddr = __uaccess_mask_ptr(_uaddr); uaccess_enable_privileged(); asm volatile("// futex_atomic_cmpxchg_inatomic\n" -" prfm pstl1strm, %2\n" -"1: ldxr %w1, %2\n" + __SWITCH_TO_C64 +" prfm pstl1strm, [%2]\n" +"1: ldxr %w1, [%2]\n" " sub %w3, %w1, %w5\n" " cbnz %w3, 4f\n" -"2: stlxr %w3, %w6, %2\n" +"2: stlxr %w3, %w6, [%2]\n" " cbz %w3, 3f\n" " sub %w4, %w4, %w3\n" " cbnz %w4, 1b\n" @@ -106,9 +121,13 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *_uaddr, "3:\n" " dmb ish\n" "4:\n" + __SWITCH_TO_A64 _ASM_EXTABLE_UACCESS_ERR(1b, 4b, %w0) _ASM_EXTABLE_UACCESS_ERR(2b, 4b, %w0) - : "+r" (ret), "=&r" (val), "+Q" (*uaddr), "=&r" (tmp), "+r" (loops) + /* FIXME: temporary solution for uaddr. Must be reverted to +Q once + * LLVM supports it for capabilities. */ + : "+r" (ret), "=&r" (val), __ADDR_REGISTER (uaddr), "=&r" (tmp), + "+r" (loops) : "r" (oldval), "r" (newval), "Ir" (-EAGAIN) : "memory"); uaccess_disable_privileged(); diff --git a/kernel/futex/core.c b/kernel/futex/core.c index 759332a26b5a..1234223f274e 100644 --- a/kernel/futex/core.c +++ b/kernel/futex/core.c @@ -31,6 +31,7 @@ * "The futexes are also cursed." * "But they come in a choice of three flavours!" */ +#include <linux/cheri.h> #include <linux/compat.h> #include <linux/jhash.h> #include <linux/pagemap.h> @@ -226,6 +227,8 @@ int get_futex_key(u32 __user *uaddr, bool fshared, union futex_key *key, struct address_space *mapping; int err, ro = 0; + /* TODO [PCuABI] - capability checks for uaccess */ + /* * The futex address must be "naturally" aligned. */ @@ -411,6 +414,8 @@ int fault_in_user_writeable(u32 __user *uaddr) struct mm_struct *mm = current->mm; int ret; + /* TODO [PCuABI] - capability checks for uaccess */ + mmap_read_lock(mm); ret = fixup_user_fault(mm, user_ptr_addr(uaddr), FAULT_FLAG_WRITE, NULL); @@ -750,20 +755,19 @@ static inline int fetch_robust_entry(struct robust_list __user **entry, #endif unsigned int *pi) { - unsigned long uentry; + struct robust_list __user *uentry; + ptraddr_t uentry_ptr; - if (get_user(uentry, (unsigned long __user *)head)) + if (get_user_ptr(uentry, head)) return -EFAULT; - /* - * TODO [PCuABI] - pointer conversion to be checked - * Each entry points to either next one or head of the list - * so this should probably operate on capabilities and use - * get_user_ptr instead, or validate the capability prior to - * get_user - */ - *entry = uaddr_to_user_ptr(uentry & ~1UL); - *pi = uentry & 1; + uentry_ptr = user_ptr_addr(uentry); +#ifdef CONFIG_CHERI_PURECAP_UABI + *entry = cheri_address_set(uentry, uentry_ptr & ~1UL); +#else + *entry = uaddr_to_user_ptr(uentry_ptr & ~1UL); +#endif + *pi = uentry_ptr & 1; return 0; } diff --git a/kernel/futex/requeue.c b/kernel/futex/requeue.c index cba8b1a6a4cc..77b2443a880c 100644 --- a/kernel/futex/requeue.c +++ b/kernel/futex/requeue.c @@ -388,7 +388,7 @@ int futex_requeue(u32 __user *uaddr1, unsigned int flags, u32 __user *uaddr2, * Requeue PI only works on two distinct uaddrs. This * check is only valid for private futexes. See below. */ - if (uaddr1 == uaddr2) + if (user_ptr_addr(uaddr1) == user_ptr_addr(uaddr2)) return -EINVAL; /* @@ -774,7 +774,7 @@ int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags, if (!IS_ENABLED(CONFIG_FUTEX_PI)) return -ENOSYS; - if (uaddr == uaddr2) + if (user_ptr_addr(uaddr) == user_ptr_addr(uaddr2)) return -EINVAL; if (!bitset) -- 2.34.1

3 years, 1 month

2
1
0 0

2026

2025

2024

2023

2022

linux-morello