On 24/04/2024 16:51, Kevin Brodsky wrote:
Hi,
This series adds reservation management and modifies the behaviour of address space management syscalls as per the PCuABI specification [1]. It also restricts the bounds and permissions of those initial capabilities that my previous series [2] couldn't take care of.
The series is largely based on Amit's v3 series [3] plus this follow-up [4] (squashed in the corresponding patch), with various additions and tweaks. The most important (user-facing) changes are the following:
- Owning capabilities are now always created based on the corresponding reservation's bounds and permissions, ensuring there is no mismatch (and simplifying mmap/mremap a little).
- Capability/reservation permissions are now calculated based on VM_{READ,WRITE}_CAPS instead of PROT_SHARED/VM_SHARED. This fixes the io_uring case, where we do allow capabilities to be stored in a shared mapping.
- A stack reservation is created; its size is controlled by a new cheri.max_stack_size sysctl as per the spec. The initial stack capabilities (CSP and AT_CHERI_STACK_CAP) are narrowed accordingly.
- PCuABI restrictions are added to shmdt() too.
- PROT_CAP_INVOKE is handled (adding BranchSealedPair).
- mmap/mremap/shmat now ensure that no existing reservation is overwritten if a null-derived pointer is passed with MAP_FIXED (if the new reservation would overlap with any existing one, -ERESERVATION is returned).
- The reservation lookup helper has been fixed to ensure that a reservation is found even if it starts before the targeted range.
Here is a rough breakdown of the patches:
- Patch 1: fixup for kselftests.
- Patches 2-8: infrastructure, uapi additions
- Patches 9-14: reservation management
- Patches 15-22: capability handling in address space management syscalls
- Patches 23-33: capability permissions handling
- Patch 34: extra restriction for mmap()
- Patches 35-36: restriction of initial capabilities
Having made the appropriate fixes to LTP and Musl, the usual LTP and Musl tests are passing, as well as the Morello kselftests with Chaitanya's extra tests [5].
Special thanks to Amit for his original work as well as his detailed review of this updated series, and to Chaitanya for writing those extra kselftests, which proved very useful to catch mistakes early.
Review branch:
https://git.morello-project.org/kbrodsky-arm/linux/-/tree/morello/reservatio...
Thanks, Kevin
[1] https://git.morello-project.org/morello/kernel/linux/-/wikis/Morello-pure-ca...
[2] https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org/...
[3] https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org/...
[4] https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org/...
[5] https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org/...
Amit Daniel Kachhap (25):
  uapi: errno.h: Introduce PCuABI memory reservation error
  linux/sched/coredump.h: Add MMF_PCUABI_RESERV mm flag
  linux/user_ptr.h: Add a typedef user_ptr_perms_t
  linux/user_ptr.h: Add user_ptr_is_valid, user_ptr_set_addr
  linux/user_ptr.h: Add helpers to manage owning pointers
  mm/reserv: Add address space reservation API
  mm/mmap: Handle reservations in get_unmapped_area
  mm/(mmap,mremap): Handle PCuABI reservations during VMA operations
  fs/binfmt_elf: Create appropriate reservations in PCuABI
  mm/mmap: Add PCuABI capability handling in mmap/munmap
  mm/mremap: Add PCuABI capability handling in mremap
  mm/mprotect: Add PCuABI capability handling in mprotect
  mm/madvise: Add PCuABI capability handling in madvise
  mm/mlock: Add PCuABI capability handling in mlock{,2} and munlock
  mm/msync: Add PCuABI capability handling in msync
  mm/mincore: Add PCuABI capability constraints
  ipc/shm: Add PCuABI capability handling in shmat/shmdt
  uapi: mman-common.h: Macros for maximum capability permissions
  arm64: user_ptr: Implement Morello capability permission helper
  linux/user_ptr.h: Infer capability permissions from prot/vm_flags in PCuABI
  mm/mmap: Add capability permission constraints for PCuABI
  mm/mremap: Add capability permission constraints for PCuABI
  mm/mprotect: Add capability permissions constraints for PCuABI
  mm/mmap: Disable MAP_GROWSDOWN mapping flag for PCuABI
  arm64: vdso: Create appropriate capability
Kevin Brodsky (11):
  kselftests/arm64: morello: Fix expected permissions with MAP_SHARED
  linux/mm_types.h: Introduce reserv_struct
  fs/exec: Create a stack reservation in PCuABI
  arm64: vdso: Create appropriate reservation
  fs/binfmt_elf: Enable reservations
  fs/binfmt_elf: Set appropriate permissions for initial reservations
  arm64: morello: Ensure appropriate permissions for initial reservations
  uapi: mm: Introduce PROT_CAP_INVOKE
  arm64: user_ptr: Handle PROT_CAP_INVOKE
  fs/binfmt_elf: Create mappings with PROT_CAP_INVOKE
  fs/binfmt_elf: Restrict stack capability bounds
Applied on next, with a small fix in patch 16 (one case of ret = addr wasn't amended). Thanks Amit for the extra reviewing and testing!
Kevin
 Documentation/core-api/user_ptr.rst          |  28 ++
 arch/Kconfig                                 |   3 +
 arch/arm64/Kconfig                           |   1 +
 arch/arm64/include/asm/elf.h                 |   9 +-
 arch/arm64/include/asm/mmu.h                 |   2 +-
 arch/arm64/include/asm/user_ptr.h            |  37 +++
 arch/arm64/kernel/morello.c                  |  16 +
 arch/arm64/kernel/vdso.c                     |  37 ++-
 fs/binfmt_elf.c                              |  63 ++--
 fs/exec.c                                    |  59 ++++
 include/linux/mm.h                           |  15 +-
 include/linux/mm_reserv.h                    | 302 +++++++++++++++++++
 include/linux/mm_types.h                     |   9 +
 include/linux/sched/coredump.h               |   2 +
 include/linux/shm.h                          |   4 +-
 include/linux/user_ptr.h                     | 114 ++++++-
 include/uapi/asm-generic/errno.h             |   2 +
 include/uapi/asm-generic/mman-common.h       |   8 +
 io_uring/advise.c                            |   3 +-
 ipc/shm.c                                    |  44 ++-
 kernel/fork.c                                |   3 +
 lib/user_ptr.c                               |  73 +++++
 mm/Makefile                                  |   1 +
 mm/damon/vaddr.c                             |   2 +-
 mm/internal.h                                |   2 +-
 mm/madvise.c                                 |  26 +-
 mm/mincore.c                                 |  54 +++-
 mm/mlock.c                                   |  36 ++-
 mm/mmap.c                                    | 182 +++++++++-
 mm/mprotect.c                                |  25 +-
 mm/mremap.c                                  |  96 ++++--
 mm/msync.c                                   |  12 +-
 mm/reserv.c                                  | 181 +++++++++++
 mm/util.c                                    |   9 +-
 tools/testing/selftests/arm64/morello/mmap.c |   2 +-
 35 files changed, 1312 insertions(+), 150 deletions(-)
 create mode 100644 arch/arm64/include/asm/user_ptr.h
 create mode 100644 include/linux/mm_reserv.h
 create mode 100644 mm/reserv.c
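The following is a small user-space C model, added here as an illustration and not code from the Morello kernel tree or this series, of three of the behaviours the cover letter describes: the reservation lookup that must also find a reservation starting before the targeted range, the MAP_FIXED path for a null-derived address that returns -ERESERVATION on any overlap with an existing reservation, and reservation permissions derived from VM_{READ,WRITE}_CAPS rather than VM_SHARED (with PROT_CAP_INVOKE mapping to BranchSealedPair). Everything prefixed MODEL_ is an assumption of the model: reservations live in a plain array instead of the kernel's data structures, the flag and permission bit values are made up, the VM_CAP_INVOKE flag and the errno value 223 for ERESERVATION are placeholders, and "null-derived" is represented by calling a dedicated function rather than by inspecting a capability tag.

```c
/* Added model, not Morello kernel code. All MODEL_ names are hypothetical. */
#include <stddef.h>
#include <stdint.h>

#define MODEL_ERESERVATION 223	/* placeholder errno value */

/* Model vm_flags (values are made up). */
#define MODEL_VM_READ		0x01
#define MODEL_VM_WRITE		0x02
#define MODEL_VM_EXEC		0x04
#define MODEL_VM_SHARED		0x08
#define MODEL_VM_READ_CAPS	0x10
#define MODEL_VM_WRITE_CAPS	0x20
#define MODEL_VM_CAP_INVOKE	0x40	/* stands in for a PROT_CAP_INVOKE-derived flag */

/* Model capability permission bits (values are made up). */
#define MODEL_PERM_LOAD			0x01
#define MODEL_PERM_STORE		0x02
#define MODEL_PERM_EXECUTE		0x04
#define MODEL_PERM_LOAD_CAP		0x08
#define MODEL_PERM_STORE_CAP		0x10
#define MODEL_PERM_BRANCH_SEALED_PAIR	0x20

struct model_reserv {
	uint64_t start;		/* inclusive */
	uint64_t end;		/* exclusive */
	unsigned int perms;
};

#define MODEL_MAX_RESERV 16
static struct model_reserv model_table[MODEL_MAX_RESERV];
static size_t model_nreserv;

static void model_reserv_reset(void)
{
	model_nreserv = 0;
}

/* Capability permissions follow the *_CAPS vm_flags, not VM_SHARED, so a
 * shared mapping that is allowed to hold capabilities keeps LOAD_CAP/STORE_CAP. */
static unsigned int model_reserv_perms(unsigned int vm_flags)
{
	unsigned int p = 0;

	if (vm_flags & MODEL_VM_READ)
		p |= MODEL_PERM_LOAD;
	if (vm_flags & MODEL_VM_WRITE)
		p |= MODEL_PERM_STORE;
	if (vm_flags & MODEL_VM_EXEC)
		p |= MODEL_PERM_EXECUTE;
	if (vm_flags & MODEL_VM_READ_CAPS)
		p |= MODEL_PERM_LOAD_CAP;
	if (vm_flags & MODEL_VM_WRITE_CAPS)
		p |= MODEL_PERM_STORE_CAP;
	if (vm_flags & MODEL_VM_CAP_INVOKE)
		p |= MODEL_PERM_BRANCH_SEALED_PAIR;
	return p;
}

static int model_reserv_add(uint64_t start, uint64_t len, unsigned int perms)
{
	if (model_nreserv == MODEL_MAX_RESERV || len == 0)
		return -1;
	model_table[model_nreserv].start = start;
	model_table[model_nreserv].end = start + len;
	model_table[model_nreserv].perms = perms;
	model_nreserv++;
	return 0;
}

/* The defective lookup shape: only matches a reservation whose start lies
 * inside [addr, addr+len), so one that starts earlier and reaches into the
 * range is missed. */
static const struct model_reserv *model_reserv_find_start_only(uint64_t addr, uint64_t len)
{
	for (size_t i = 0; i < model_nreserv; i++)
		if (model_table[i].start >= addr && model_table[i].start < addr + len)
			return &model_table[i];
	return NULL;
}

/* Correct lookup: any overlap between [addr, addr+len) and [start, end). */
static const struct model_reserv *model_reserv_find_overlap(uint64_t addr, uint64_t len)
{
	for (size_t i = 0; i < model_nreserv; i++)
		if (model_table[i].start < addr + len && addr < model_table[i].end)
			return &model_table[i];
	return NULL;
}

/* MAP_FIXED with a null-derived address: a new reservation would be created
 * at [addr, addr+len), so refuse if it overlaps any existing reservation. */
static int model_mmap_fixed_null_derived(uint64_t addr, uint64_t len, unsigned int vm_flags)
{
	if (model_reserv_find_overlap(addr, len))
		return -MODEL_ERESERVATION;
	return model_reserv_add(addr, len, model_reserv_perms(vm_flags));
}
```

The overlap test is the usual half-open interval check; the "start only" variant is kept beside it purely to show the case the cover letter's lookup fix addresses, where a reservation covering [0x0, 0x2000) is not found when looking up [0x1000, 0x3000).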