From: Amit Daniel Kachhap amitdaniel.kachhap@arm.com

The PCuABI specification introduces this error, it is used to indicate errors related to memory reservations.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com --- include/uapi/asm-generic/errno.h | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/include/uapi/asm-generic/errno.h b/include/uapi/asm-generic/errno.h index cf9c51ac49f9..4589a3165fe1 100644 --- a/include/uapi/asm-generic/errno.h +++ b/include/uapi/asm-generic/errno.h @@ -120,4 +120,6 @@

#define EHWPOISON 133 /* Memory page has hardware error */

+#define ERESERVATION 192 /* PCuABI memory reservation error */ + #endif

From: Amit Daniel Kachhap amitdaniel.kachhap@arm.com

A typedef user_ptr_perms_t is created of type cheri_perms_t in case of PCuABI. Otherwise, this defaults to int in non-PCuABI case. This will allow manipulating permissions unconditionally (without #ifdef).

Note: this change will cause linux/cheri.h to get included everywhere as linux/kernel.h includes linux/user_ptr.h. This is unfortunate, but it seems difficult to avoid in this case.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com --- include/linux/user_ptr.h | 5 +++++ 1 file changed, 5 insertions(+)

diff --git a/include/linux/user_ptr.h b/include/linux/user_ptr.h index 825c703dd44c..997e6cfa95e2 100644 --- a/include/linux/user_ptr.h +++ b/include/linux/user_ptr.h @@ -2,6 +2,7 @@ #ifndef _LINUX_USER_PTR_H #define _LINUX_USER_PTR_H

+#include <linux/cheri.h> #include <linux/limits.h> #include <linux/typecheck.h>

@@ -27,6 +28,8 @@

#ifdef CONFIG_CHERI_PURECAP_UABI

+typedef cheri_perms_t user_ptr_perms_t; + /** * uaddr_to_user_ptr() - Convert a user-provided address to a user pointer. * @addr: The address to set the pointer to. @@ -109,6 +112,8 @@ bool check_user_ptr_rw(void __user *ptr, size_t len);

#else /* CONFIG_CHERI_PURECAP_UABI */

+typedef int user_ptr_perms_t; + static inline void __user *uaddr_to_user_ptr(ptraddr_t addr) { return as_user_ptr(addr);

Add reservation information to mm_struct in PCuABI. This will be used by subsequent patches to manage address space reservations.

Co-developed-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com --- include/linux/mm_types.h | 9 +++++++++ 1 file changed, 9 insertions(+)

diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h index 774bd7d6ad60..25cbbe18f5b8 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -607,6 +607,12 @@ struct vma_numab_state { int prev_scan_seq; };

+struct reserv_struct { + ptraddr_t start; + size_t len; + user_ptr_perms_t perms; +}; + /* * This struct describes a virtual memory area. There is one of these * per VM-area/task. A VM area is any part of the process virtual memory @@ -711,6 +717,9 @@ struct vm_area_struct { struct vma_numab_state *numab_state; /* NUMA Balancing state */ #endif struct vm_userfaultfd_ctx vm_userfaultfd_ctx; +#ifdef CONFIG_CHERI_PURECAP_UABI + struct reserv_struct reserv_data; +#endif } __randomize_layout;

#ifdef CONFIG_NUMA

From: Amit Daniel Kachhap amitdaniel.kachhap@arm.com

This patch introduces helpers to manage address space reservations and owning capabilities, as introduced in the PCuABI specification. This interface prevents two unrelated owning capabilities created by the kernel from overlapping.

The reservation interface stores virtual address ranges as reservation entries, which is the same as the bounds of the owning capability provided by the kernel to userspace. It also stores the owning capability permissions to manage the future syscall requests for updating permissions.

The reservation interface follows a few basic rules:

- Reservations can only be created or destroyed but never expanded or shrunk. Reservations are created when new memory mapping is made outside of an existing reservation. - A single reservation can have many mappings. However, unused regions of the reservation cannot be reused again. - The Reservation start address is aligned to CHERI representable base. - The Reservation length value is aligned to CHERI representable length.

More rules about the address space reservation interface can be found in the PCuABI specification.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com Co-developed-by: Kevin Brodsky kevin.brodsky@arm.com Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com --- include/linux/mm_reserv.h | 302 ++++++++++++++++++++++++++++++++++++++ mm/Makefile | 1 + mm/reserv.c | 181 +++++++++++++++++++++++ 3 files changed, 484 insertions(+) create mode 100644 include/linux/mm_reserv.h create mode 100644 mm/reserv.c

diff --git a/include/linux/mm_reserv.h b/include/linux/mm_reserv.h new file mode 100644 index 000000000000..2debbcbf7495 --- /dev/null +++ b/include/linux/mm_reserv.h @@ -0,0 +1,302 @@ +/* SPDX-License-Identifier: GPL-2.0 */ + +#ifndef _LINUX_MM_RESERV_H +#define _LINUX_MM_RESERV_H + +#include <linux/cheri.h> +#include <linux/mm_types.h> +#include <linux/sched/coredump.h> +#include <linux/types.h> + +#ifdef CONFIG_CHERI_PURECAP_UABI +#define reserv_representable_alignment(len) \ + (reserv_is_supported(current->mm) \ + ? (PAGE_MASK & ~cheri_representable_alignment_mask(len)) : 0) + +#define reserv_representable_base(base, len) \ + (reserv_is_supported(current->mm) \ + ? ((base) & cheri_representable_alignment_mask(len)) : (base)) + +#define reserv_representable_length(len) \ + (reserv_is_supported(current->mm) \ + ? cheri_representable_length(len) : (len)) + +#define reserv_vma_reserv_start(vma) \ + (reserv_is_supported((vma)->vm_mm) \ + ? (vma)->reserv_data.start : (vma)->vm_start) + +#define reserv_vma_reserv_len(vma) \ + (reserv_is_supported((vma)->vm_mm) \ + ? (vma)->reserv_data.len : ((vma)->vm_end - (vma)->vm_start)) + +/** + * reserv_vma_set_reserv() - Set the reservation information in the VMA. + * @vma: Target VMA. + * @start: Reservation start address. + * @len: Reservation length. + * @prot: prot flags to calculate the reservation permissions. + * + * Return: 0 if reservation information set successfully or negative errorcode + * otherwise. + * + * The start address is stored as CHERI representable base and the length as + * CHERI representable length. They are expected to not overlap with any other + * VMA. This function should be called with mmap_lock held. + */ +int reserv_vma_set_reserv(struct vm_area_struct *vma, ptraddr_t start, + size_t len, int prot); + +/** + * reserv_vma_set_reserv_start_len() - Set the reservation information in the VMA. + * @vma: Target VMA. + * @start: Reservation start address. + * @len: Reservation length. + * + * Return: 0 if reservation information set successfully or negative errorcode + * otherwise. + * + * The start address is stored as CHERI representable base and the length as + * CHERI representable length. They are expected to not overlap with any other + * VMA. The reservation permissions are left unchanged. This function should + * be called with mmap_lock held. + */ +int reserv_vma_set_reserv_start_len(struct vm_area_struct *vma, ptraddr_t start, + size_t len); + +/** + * reserv_vma_set_reserv_data() - Set the reservation information in the VMA. + * @vma: Target VMA. + * @reserv_data: New reservation information + * + * The VMA's reservation information is set to the contents of @reserv_data. + * This function should be called with mmap_lock held. + */ +void reserv_vma_set_reserv_data(struct vm_area_struct *vma, + const struct reserv_struct *reserv_data); + +/** + * reserv_find_reserv_info_range() - Find a reservation spanning at least the + * input address range. + * @start: Region start address. + * @len: Region length. + * @locked: Flag to indicate if mmap_lock is already held. + * @reserv_info: Pointer to a reserv_struct to set if a matching reservation is + * found. + * + * Return: True if a matching reservation is found or false otherwise. + * + * This function internally uses mmap_lock to access VMAs if mmap_lock is not + * already held. + + */ +bool reserv_find_reserv_info_range(ptraddr_t start, size_t len, bool locked, + struct reserv_struct *reserv_info); + +/** + * reserv_vma_range_within_reserv() - Check that the input address range falls + * within @vma's reservation. + * @vma: Target VMA. + * @start: Region start address. + * @len: Region length. + * + * Return: True if the input address range falls within the reserved virtual + * address range or false otherwise. + * + * This function should be called with mmap_lock held. + */ +bool reserv_vma_range_within_reserv(struct vm_area_struct *vma, ptraddr_t start, + size_t len); + +/** + * reserv_cap_within_reserv() - Check that the capability bounds of @cap + * are wholly contained within an existing reservation. + * @cap: Capability to check. + * @locked: Flag to indicate if mmap_lock is already held. + * + * Return: True if the input capability bounds fall within a reservation or + * false otherwise. + * + * This function internally uses mmap_lock to access VMAs if mmap_lock is not + * already held. + */ +bool reserv_cap_within_reserv(user_uintptr_t cap, bool locked); + +/** + * reserv_aligned_range_within_reserv() - Check that the input address range falls + * within any reservation. + * @start: Region start address. + * @len: Region length. + * @locked: Flag to indicate if mmap_lock is already held. + * + * Return: True if the input address range (aligned for representability) falls + * within a reservation or false otherwise. + * + * @start and @len are appropriately aligned down/up so that the range that is + * checked corresponds to that of a new reservation. This function should be + * called with mmap_lock held. + */ +bool reserv_aligned_range_within_reserv(ptraddr_t start, size_t len, + bool locked); + +/** + * reserv_range_mapped() - Check that the input address range is fully mapped. + * @start: Region start address. + * @len: Region length. + * @locked: Flag to indicate if mmap_lock is already held. + * + * Return: 0 if the range is fully mapped or negative errorcode otherwise. + * + * This is useful to find if the requested range is fully mapped without + * fragmentation. This function internally uses mmap_lock to access VMAs if + * mmap_lock is not already held. + */ +int reserv_range_mapped(ptraddr_t start, size_t len, bool locked); + +/** + * reserv_make_user_ptr_owning() - Build an owning user pointer for a given + * reservation. + * @vma_addr: VMA address. + * @locked: Flag to indicate if mmap_lock is already held. + * + * Return: the constructed user pointer. + * + * @vma_addr must be the address of an existing VMA, whose reservation + * information will be used to set the user pointer's bounds and permissions. + * Its address will be set to @vma_addr. This function internally uses + * mmap_lock to access VMAs if mmap_lock is not already held. + */ +user_uintptr_t reserv_make_user_ptr_owning(ptraddr_t vma_addr, bool locked); + +/** + * reserv_vma_make_user_ptr_owning() - Build an owning user pointer for a given + * reservation. + * @vma: Target VMA. + * + * Return: the constructed user pointer. + * + * @vma's reservation information will be used to set the user + * pointer's bounds and permissions. Its address will be set to @vma's start + * address. This function should be called with mmap_lock held. + */ +user_uintptr_t reserv_vma_make_user_ptr_owning(struct vm_area_struct *vma); + +/** + * reserv_is_supported() - Check if reservations are enabled for the given mm. + * + * @mm: The mm pointer. + * + * Return: True if mm has reservations enabled or false otherwise. + */ +static inline bool reserv_is_supported(struct mm_struct *mm) +{ + return test_bit(MMF_PCUABI_RESERV, &mm->flags); +} + +/** + * reserv_mm_set_flag() - Set the MMF_PCUABI_RESERV flag according to @compat. + * + * @mm: mm pointer. + * @compat: Flag indicating if the current task is compat. + */ +static inline void reserv_mm_set_flag(struct mm_struct *mm, bool compat) +{ + if (compat) + clear_bit(MMF_PCUABI_RESERV, &mm->flags); + else + set_bit(MMF_PCUABI_RESERV, &mm->flags); +} + +/** + * reserv_fork() - Copy the MMF_PCUABI_RESERV flag from @oldmm to @mm. + * + * @mm: New mm pointer. + * @oldmm: Old mm pointer. + */ +static inline void reserv_fork(struct mm_struct *mm, struct mm_struct *oldmm) +{ + if (test_bit(MMF_PCUABI_RESERV, &oldmm->flags)) + set_bit(MMF_PCUABI_RESERV, &mm->flags); +} + +#else /* CONFIG_CHERI_PURECAP_UABI */ + +#define reserv_representable_alignment(len) 0 + +#define reserv_representable_base(base, len) base + +#define reserv_representable_length(len) len + +#define reserv_vma_reserv_start(vma) vma->vm_start + +#define reserv_vma_reserv_len(vma) (vma->vm_end - vma->vm_start) + +static inline int reserv_vma_set_reserv(struct vm_area_struct *vma, + ptraddr_t start, size_t len, int prot) +{ + return 0; +} + +static inline int reserv_vma_set_reserv_start_len(struct vm_area_struct *vma, + ptraddr_t start, size_t len) +{ + return 0; +} + +static inline void reserv_vma_set_reserv_data(struct vm_area_struct *vma, + const struct reserv_struct *reserv_data) +{} + +static inline bool reserv_find_reserv_info_range(ptraddr_t start, + size_t len, bool locked, + struct reserv_struct *reserv_info) +{ + return true; +} + +static inline bool reserv_vma_range_within_reserv(struct vm_area_struct *vma, + ptraddr_t start, + size_t len) +{ + return true; +} + +static inline bool reserv_cap_within_reserv(user_uintptr_t cap, bool locked) +{ + return true; +} + +static inline bool reserv_aligned_range_within_reserv(ptraddr_t start, + size_t len, + bool locked) +{ + return true; +} + +static inline int reserv_range_mapped(ptraddr_t start, size_t len, bool locked) +{ + return 0; +} + +static inline user_uintptr_t reserv_make_user_ptr_owning(ptraddr_t vma_addr, + bool locked) +{ + return vma_addr; +} + +static inline user_uintptr_t reserv_vma_make_user_ptr_owning(struct vm_area_struct *vma) +{ + return vma->vm_start; +} + +static inline bool reserv_is_supported(struct mm_struct *mm) +{ + return false; +} + +static inline void reserv_mm_set_flag(struct mm_struct *mm, bool compat) {} + +static inline void reserv_fork(struct mm_struct *mm, struct mm_struct *oldmm) {} + +#endif /* CONFIG_CHERI_PURECAP_UABI */ + +#endif /* _LINUX_MM_RESERV_H */ diff --git a/mm/Makefile b/mm/Makefile index 33873c8aedb3..94a7ab7057f0 100644 --- a/mm/Makefile +++ b/mm/Makefile @@ -41,6 +41,7 @@ mmu-$(CONFIG_MMU) := highmem.o memory.o mincore.o \ msync.o page_vma_mapped.o pagewalk.o \ pgtable-generic.o rmap.o vmalloc.o

+mmu-$(CONFIG_CHERI_PURECAP_UABI) += reserv.o

ifdef CONFIG_CROSS_MEMORY_ATTACH mmu-$(CONFIG_MMU) += process_vm_access.o diff --git a/mm/reserv.c b/mm/reserv.c new file mode 100644 index 000000000000..de5a3095a863 --- /dev/null +++ b/mm/reserv.c @@ -0,0 +1,181 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include <linux/bug.h> +#include <linux/mm_reserv.h> +#include <linux/mm.h> +#include <linux/slab.h> + +int reserv_vma_set_reserv(struct vm_area_struct *vma, ptraddr_t start, + size_t len, int prot) +{ + if (!reserv_is_supported(vma->vm_mm)) + return 0; + if (start + len < start) + return -EINVAL; + /* Reservation base/length is expected as page aligned */ + VM_BUG_ON(start & ~PAGE_MASK || len % PAGE_SIZE); + + vma->reserv_data.start = start & cheri_representable_alignment_mask(len); + vma->reserv_data.len = cheri_representable_length(len); + vma->reserv_data.perms = user_ptr_owning_perms_from_prot(prot, + vma->vm_flags); + + return 0; +} + +int reserv_vma_set_reserv_start_len(struct vm_area_struct *vma, ptraddr_t start, + size_t len) +{ + if (!reserv_is_supported(vma->vm_mm)) + return 0; + if (start + len < start) + return -EINVAL; + /* Reservation base/length is expected as page aligned */ + VM_BUG_ON(start & ~PAGE_MASK || len % PAGE_SIZE); + + vma->reserv_data.start = start & cheri_representable_alignment_mask(len); + vma->reserv_data.len = cheri_representable_length(len); + + return 0; +} + +void reserv_vma_set_reserv_data(struct vm_area_struct *vma, + const struct reserv_struct *reserv_data) +{ + if (!reserv_is_supported(vma->vm_mm)) + return; + + vma->reserv_data = *reserv_data; +} + +bool reserv_find_reserv_info_range(ptraddr_t start, size_t len, + bool locked, struct reserv_struct *reserv_info) +{ + struct mm_struct *mm = current->mm; + struct vm_area_struct *next, *prev; + struct reserv_struct *info = NULL; + + if (!reserv_is_supported(mm)) + return true; + if (!locked && mmap_read_lock_killable(mm)) + return false; + + next = find_vma_prev(mm, start, &prev); + + if (next && reserv_vma_range_within_reserv(next, start, len)) + info = &next->reserv_data; + else if (prev && reserv_vma_range_within_reserv(prev, start, len)) + info = &prev->reserv_data; + + if (info && reserv_info) + *reserv_info = *info; + + if (!locked) + mmap_read_unlock(mm); + + return !!info; +} + +bool reserv_vma_range_within_reserv(struct vm_area_struct *vma, ptraddr_t start, + size_t len) +{ + if (!reserv_is_supported(vma->vm_mm)) + return true; + + /* Check if there is match with the existing reservations */ + return vma->reserv_data.start <= start && + vma->reserv_data.start + vma->reserv_data.len >= start + len; +} + +bool reserv_cap_within_reserv(user_uintptr_t cap, bool locked) +{ + return reserv_find_reserv_info_range(cheri_base_get(cap), + cheri_length_get(cap), + locked, NULL); +} + +bool reserv_aligned_range_within_reserv(ptraddr_t start, size_t len, + bool locked) +{ + ptraddr_t aligned_start = start & cheri_representable_alignment_mask(len); + size_t aligned_len = cheri_representable_length(len); + + if (start + len < start) + return false; + + return reserv_find_reserv_info_range(aligned_start, aligned_len, + locked, NULL); +} + +int reserv_range_mapped(ptraddr_t start, size_t len, bool locked) +{ + struct vm_area_struct *vma, *last_vma = NULL; + struct mm_struct *mm = current->mm; + ptraddr_t end = start + len - 1; + int ret = -ENOMEM; + VMA_ITERATOR(vmi, mm, 0); + + if (!reserv_is_supported(mm)) + return 0; + if (!locked && mmap_read_lock_killable(mm)) + return -EINTR; + + start = untagged_addr(start); + start = round_down(start, PAGE_SIZE); + len = round_up(len, PAGE_SIZE); + vma_iter_set(&vmi, start); + /* Try walking the given range */ + do { + vma = mas_find(&vmi.mas, end); + if (vma) { + /* The new and old vma should be continuous */ + if (last_vma && last_vma->vm_end != vma->vm_start) + goto out; + /* End range is within the vma so return success */ + if (end < vma->vm_end) { + ret = 0; + goto out; + } + last_vma = vma; + } + } while (vma); +out: + if (!locked) + mmap_read_unlock(mm); + return ret; +} + +user_uintptr_t reserv_make_user_ptr_owning(ptraddr_t vma_addr, bool locked) +{ + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; + struct reserv_struct reserv; + + if (!reserv_is_supported(mm)) + return vma_addr; + if (!locked && mmap_read_lock_killable(mm)) + return vma_addr; + + vma = find_vma(mm, vma_addr); + + if (WARN_ON(!vma || vma->vm_start != vma_addr)) { + if (!locked) + mmap_read_unlock(mm); + return vma_addr; + } + + reserv = vma->reserv_data; + + if (!locked) + mmap_read_unlock(mm); + + return make_user_ptr_owning(&reserv, vma_addr); +} + +user_uintptr_t reserv_vma_make_user_ptr_owning(struct vm_area_struct *vma) +{ + if (!reserv_is_supported(vma->vm_mm)) + return vma->vm_start; + + return make_user_ptr_owning(&vma->reserv_data, vma->vm_start); +}

From: Amit Daniel Kachhap amitdaniel.kachhap@arm.com

PCuABI memory reservations require adding reservation properties while creating and modifying the VMA. reserv_vma_set_reserv() and variants are used to update those reservation details. Currently, these properties are added only for mmap/mremap, and later commits will add them for other syscalls (shmat) and special VMA mappings.

PCuABI memory reservations also prevent merging or expanding VMAs that do not belong to the same reservation. Use suitable reservation interfaces to check those properties before performing such operations on the VMA.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com Co-developed-by: Kevin Brodsky kevin.brodsky@arm.com Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com --- include/linux/mm.h | 4 ++-- kernel/fork.c | 3 +++ mm/mmap.c | 32 +++++++++++++++++++++++++------- mm/mremap.c | 13 +++++++++---- 4 files changed, 39 insertions(+), 13 deletions(-)

diff --git a/include/linux/mm.h b/include/linux/mm.h index efc17977a31e..f9b5ad66a938 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -3259,7 +3259,7 @@ extern int insert_vm_struct(struct mm_struct *, struct vm_area_struct *); extern void unlink_file_vma(struct vm_area_struct *); extern struct vm_area_struct *copy_vma(struct vm_area_struct **, unsigned long addr, unsigned long len, pgoff_t pgoff, - bool *need_rmap_locks); + bool *need_rmap_locks, struct reserv_struct *reserv_info); extern void exit_mmap(struct mm_struct *); struct vm_area_struct *vma_modify(struct vma_iterator *vmi, struct vm_area_struct *prev, @@ -3365,7 +3365,7 @@ extern unsigned long get_unmapped_area(struct file *, unsigned long, unsigned lo

extern unsigned long mmap_region(struct file *file, unsigned long addr, unsigned long len, vm_flags_t vm_flags, unsigned long pgoff, - struct list_head *uf); + struct list_head *uf, unsigned long prot); extern unsigned long do_mmap(struct file *file, unsigned long addr, unsigned long len, unsigned long prot, unsigned long flags, vm_flags_t vm_flags, unsigned long pgoff, unsigned long *populate, diff --git a/kernel/fork.c b/kernel/fork.c index a460a65624d7..ccbfc0c520ae 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -99,6 +99,7 @@ #include <linux/stackprotector.h> #include <linux/user_events.h> #include <linux/iommu.h> +#include <linux/mm_reserv.h>

#include <asm/pgalloc.h> #include <linux/uaccess.h> @@ -678,6 +679,8 @@ static __latent_entropy int dup_mmap(struct mm_struct *mm, goto out; khugepaged_fork(mm, oldmm);

+ reserv_fork(mm, oldmm); + retval = vma_iter_bulk_alloc(&vmi, oldmm->map_count); if (retval) goto out; diff --git a/mm/mmap.c b/mm/mmap.c index 6ae675961785..40d64fa163a2 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -911,7 +911,8 @@ static struct vm_area_struct /* Can we merge the predecessor? */ if (addr == prev->vm_end && mpol_equal(vma_policy(prev), policy) && can_vma_merge_after(prev, vm_flags, anon_vma, file, - pgoff, vm_userfaultfd_ctx, anon_name)) { + pgoff, vm_userfaultfd_ctx, anon_name) + && reserv_vma_range_within_reserv(prev, addr, end - addr)) { merge_prev = true; vma_prev(vmi); } @@ -920,7 +921,8 @@ static struct vm_area_struct /* Can we merge the successor? */ if (next && mpol_equal(policy, vma_policy(next)) && can_vma_merge_before(next, vm_flags, anon_vma, file, pgoff+pglen, - vm_userfaultfd_ctx, anon_name)) { + vm_userfaultfd_ctx, anon_name) && + reserv_vma_range_within_reserv(next, addr, end - addr)) { merge_next = true; }

@@ -1382,7 +1384,7 @@ unsigned long do_mmap(struct file *file, unsigned long addr, vm_flags |= VM_NORESERVE; }

- addr = mmap_region(file, addr, len, vm_flags, pgoff, uf); + addr = mmap_region(file, addr, len, vm_flags, pgoff, uf, prot); if (!IS_ERR_VALUE(addr) && ((vm_flags & VM_LOCKED) || (flags & (MAP_POPULATE | MAP_NONBLOCK)) == MAP_POPULATE)) @@ -2785,7 +2787,7 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len,

unsigned long mmap_region(struct file *file, unsigned long addr, unsigned long len, vm_flags_t vm_flags, unsigned long pgoff, - struct list_head *uf) + struct list_head *uf, unsigned long prot) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma = NULL; @@ -2797,6 +2799,8 @@ unsigned long mmap_region(struct file *file, unsigned long addr, bool writable_file_mapping = false; pgoff_t vm_pgoff; int error; + struct reserv_struct reserv_info; + bool new_reserv; VMA_ITERATOR(vmi, mm, addr);

/* Check against address space limit. */ @@ -2814,6 +2818,8 @@ unsigned long mmap_region(struct file *file, unsigned long addr, return -ENOMEM; }

+ new_reserv = !reserv_find_reserv_info_range(addr, len, true, &reserv_info); + /* Unmap any existing mapping in the area */ if (do_vmi_munmap(&vmi, mm, addr, len, uf, false)) return -ENOMEM; @@ -2840,7 +2846,8 @@ unsigned long mmap_region(struct file *file, unsigned long addr, /* Check next */ if (next && next->vm_start == end && !vma_policy(next) && can_vma_merge_before(next, vm_flags, NULL, file, pgoff+pglen, - NULL_VM_UFFD_CTX, NULL)) { + NULL_VM_UFFD_CTX, NULL) && + reserv_vma_range_within_reserv(next, addr, len)) { merge_end = next->vm_end; vma = next; vm_pgoff = next->vm_pgoff - pglen; @@ -2851,7 +2858,8 @@ unsigned long mmap_region(struct file *file, unsigned long addr, (vma ? can_vma_merge_after(prev, vm_flags, vma->anon_vma, file, pgoff, vma->vm_userfaultfd_ctx, NULL) : can_vma_merge_after(prev, vm_flags, NULL, file, pgoff, - NULL_VM_UFFD_CTX, NULL))) { + NULL_VM_UFFD_CTX, NULL)) && + reserv_vma_range_within_reserv(prev, addr, len)) { merge_start = prev->vm_start; vma = prev; vm_pgoff = prev->vm_pgoff; @@ -2959,6 +2967,12 @@ unsigned long mmap_region(struct file *file, unsigned long addr, if (vma_iter_prealloc(&vmi, vma)) goto close_and_free_vma;

+ if (new_reserv) { + reserv_vma_set_reserv(vma, addr, len, prot); + } else { + reserv_vma_set_reserv_data(vma, &reserv_info); + } + /* Lock the VMA since it is modified after insertion into VMA tree */ vma_start_write(vma); vma_iter_store(&vmi, vma); @@ -3432,7 +3446,7 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma) */ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, unsigned long addr, unsigned long len, pgoff_t pgoff, - bool *need_rmap_locks) + bool *need_rmap_locks, struct reserv_struct *reserv_info) { struct vm_area_struct *vma = *vmap; unsigned long vma_start = vma->vm_start; @@ -3484,6 +3498,10 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, new_vma->vm_start = addr; new_vma->vm_end = addr + len; new_vma->vm_pgoff = pgoff; + if (reserv_info) + reserv_vma_set_reserv_data(new_vma, reserv_info); + else + reserv_vma_set_reserv_start_len(new_vma, addr, len); if (vma_dup_policy(vma, new_vma)) goto out_free_vma; if (anon_vma_clone(new_vma, vma)) diff --git a/mm/mremap.c b/mm/mremap.c index 515217a95293..6a9fb59df4a6 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -651,7 +651,8 @@ static unsigned long move_vma(struct vm_area_struct *vma, unsigned long old_addr, unsigned long old_len, unsigned long new_len, unsigned long new_addr, bool *locked, unsigned long flags, - struct vm_userfaultfd_ctx *uf, struct list_head *uf_unmap) + struct vm_userfaultfd_ctx *uf, struct list_head *uf_unmap, + struct reserv_struct *reserv_info) { long to_account = new_len - old_len; struct mm_struct *mm = vma->vm_mm; @@ -705,7 +706,7 @@ static unsigned long move_vma(struct vm_area_struct *vma, vma_start_write(vma); new_pgoff = vma->vm_pgoff + ((old_addr - vma->vm_start) >> PAGE_SHIFT); new_vma = copy_vma(&vma, new_addr, new_len, new_pgoff, - &need_rmap_locks); + &need_rmap_locks, reserv_info); if (!new_vma) { if (vm_flags & VM_ACCOUNT) vm_unacct_memory(to_account >> PAGE_SHIFT); @@ -874,6 +875,7 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len, struct vm_area_struct *vma; unsigned long ret = -EINVAL; unsigned long map_flags = 0; + struct reserv_struct reserv_info, *reserv_ptr = NULL;

if (offset_in_page(new_addr)) goto out; @@ -902,6 +904,9 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len, if ((mm->map_count + 2) >= sysctl_max_map_count - 3) return -ENOMEM;

+ if (reserv_find_reserv_info_range(new_addr, new_len, true, &reserv_info)) + reserv_ptr = &reserv_info; + if (flags & MREMAP_FIXED) { ret = do_munmap(mm, new_addr, new_len, uf_unmap_early); if (ret) @@ -945,7 +950,7 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len, new_addr = ret;

ret = move_vma(vma, addr, old_len, new_len, new_addr, locked, flags, uf, - uf_unmap); + uf_unmap, reserv_ptr);

out: return ret; @@ -1160,7 +1165,7 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len }

ret = move_vma(vma, addr, old_len, new_len, new_addr, - &locked, flags, &uf, &uf_unmap); + &locked, flags, &uf, &uf_unmap, NULL); } out: if (offset_in_page(ret))

The stack needs special handling in PCuABI to ensure that its underlying reservation is appropriately sized. A new sysctl "cheri.max_stack_size" is introduced to that effect, as per the PCuABI specification, specifying the reservation size (before alignment) unless the hard limit of RLIMIT_STACK is lower (unlimited by default).

The default value for cheri.max_stack_size (128 MB) should be plenty for any application. The minimum value (256 KB) was chosen to leave a safe amount of space over the initial stack mapping expansion (128 KB, see setup_arg_pages()). The maximum value is fairly arbitrary, but has the advantage of fitting in an int.

acct_stack_growth() is also modified to prevent a mapping with VM_GROWSDOWN from growing beyond its reservation (for this reason the reservation details are set before calling expand_stack_locked()). This is only used for the main stack, as PROT_GROWSDOWN is not supported in PCuABI.

Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com --- fs/exec.c | 59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ mm/mmap.c | 3 +++ 2 files changed, 62 insertions(+)

diff --git a/fs/exec.c b/fs/exec.c index 48b29402f838..cabb0560877e 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -66,6 +66,9 @@ #include <linux/coredump.h> #include <linux/time_namespace.h> #include <linux/user_events.h> +#include <linux/mm_reserv.h> +#include <linux/cheri.h> +#include <linux/mman.h>

#include <linux/uaccess.h> #include <asm/mmu_context.h> @@ -113,6 +116,56 @@ bool path_noexec(const struct path *path) (path->mnt->mnt_sb->s_iflags & SB_I_NOEXEC); }

+#ifdef CONFIG_CHERI_PURECAP_UABI +static int cheri_max_stack_size = 128 * 1024 * 1024; +static int __cheri_max_stack_size_min = 256 * 1024; +static int __cheri_max_stack_size_max = 1024 * 1024 * 1024; + +static struct ctl_table pcuabi_sysctls[] = { + { + .procname = "max_stack_size", + .mode = 0644, + .data = &cheri_max_stack_size, + .maxlen = sizeof(int), + .proc_handler = proc_dointvec_minmax, + .extra1 = &__cheri_max_stack_size_min, + .extra2 = &__cheri_max_stack_size_max, + }, + { } +}; + +static void register_pcuabi_sysctls(void) +{ + register_sysctl_init("cheri", pcuabi_sysctls); +} + +static int set_stack_reserv(struct vm_area_struct *vma, + struct linux_binprm *bprm) +{ + size_t rlim_stack_max = bprm->rlim_stack.rlim_max; + ptraddr_t start; + size_t len; + + len = min(rlim_stack_max, (size_t)cheri_max_stack_size); + + start = (vma->vm_end - len) & cheri_representable_alignment_mask(len); + /* + * vma->vm_end must remain unchanged, so after aligning down the start + * address, we need to recalculate the length. + */ + len = (vma->vm_end - start); + return reserv_vma_set_reserv(vma, start, len, PROT_READ | PROT_WRITE); +} +#else +static inline void register_pcuabi_sysctls(void) {} + +static inline int set_stack_reserv(struct vm_area_struct *vma, + struct linux_binprm *bprm) +{ + return 0; +} +#endif + #ifdef CONFIG_USELIB /* * Note that a shared library must be both readable and executable due to @@ -862,6 +915,11 @@ int setup_arg_pages(struct linux_binprm *bprm, stack_base = vma->vm_end - stack_expand; #endif current->mm->start_stack = bprm->p; + + ret = set_stack_reserv(vma, bprm); + if (ret) + goto out_unlock; + ret = expand_stack_locked(vma, stack_base); if (ret) ret = -EFAULT; @@ -2195,6 +2253,7 @@ static struct ctl_table fs_exec_sysctls[] = { static int __init init_fs_exec_sysctls(void) { register_sysctl_init("fs", fs_exec_sysctls); + register_pcuabi_sysctls(); return 0; }

diff --git a/mm/mmap.c b/mm/mmap.c index 40d64fa163a2..886a729fb13c 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1973,6 +1973,9 @@ static int acct_stack_growth(struct vm_area_struct *vma, if (size > rlimit(RLIMIT_STACK)) return -ENOMEM;

+ if (reserv_is_supported(mm) && size > reserv_vma_reserv_len(vma)) + return -ERESERVATION; + /* mlock limit tests */ if (!mlock_future_ok(mm, vma->vm_flags, grow << PAGE_SHIFT)) return -ENOMEM;

Enable reservations early (before any mapping is created) if the new process is in PCuABI, and otherwise disable them (the corresponding mm flag being inherited from the parent).

Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com --- fs/binfmt_elf.c | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index e330dec431be..8617b5328197 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -1287,6 +1287,8 @@ static int load_elf_binary(struct linux_binprm *bprm) if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space) current->flags |= PF_RANDOMIZE;

+ reserv_mm_set_flag(current->mm, ELF_COMPAT); + setup_new_exec(bprm);

/* Do this so that we can load the interpreter, if need be. We will

From: Amit Daniel Kachhap amitdaniel.kachhap@arm.com

Use the recently introduced PCuABI reservation interfaces to add different parameter constraints for mremap syscall. The capability returned by the syscall is either the same as the input capability or a new one if a new reservation is created, with the same permissions as the pointer to the original mapping, as per the PCuABI specification.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com Co-developed-by: Kevin Brodsky kevin.brodsky@arm.com Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com --- mm/mremap.c | 64 ++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 51 insertions(+), 13 deletions(-)

diff --git a/mm/mremap.c b/mm/mremap.c index 6a9fb59df4a6..78858a167242 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -25,6 +25,7 @@ #include <linux/uaccess.h> #include <linux/userfaultfd_k.h> #include <linux/mempolicy.h> +#include <linux/mm_reserv.h>

#include <asm/cacheflush.h> #include <asm/tlb.h> @@ -865,17 +866,35 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr, return vma; }

-static unsigned long mremap_to(unsigned long addr, unsigned long old_len, - unsigned long new_addr, unsigned long new_len, bool *locked, +static user_uintptr_t make_new_user_ptr_owning(ptraddr_t new_vma_addr, + user_uintptr_t old_user_ptr) +{ + user_uintptr_t ret; + + ret = reserv_make_user_ptr_owning((ptraddr_t)new_vma_addr, true); + if (IS_ERR_VALUE(ret)) + return ret; + +#ifdef CONFIG_CHERI_PURECAP_UABI + if (reserv_is_supported(current->mm)) + ret = cheri_perms_and(ret, cheri_perms_get(old_user_ptr)); +#endif + return ret; +} + +static user_uintptr_t mremap_to(user_uintptr_t user_ptr, unsigned long old_len, + user_uintptr_t new_user_ptr, unsigned long new_len, bool *locked, unsigned long flags, struct vm_userfaultfd_ctx *uf, struct list_head *uf_unmap_early, struct list_head *uf_unmap) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma; - unsigned long ret = -EINVAL; + user_uintptr_t ret = -EINVAL; unsigned long map_flags = 0; struct reserv_struct reserv_info, *reserv_ptr = NULL; + ptraddr_t addr = untagged_addr((ptraddr_t)user_ptr); + ptraddr_t new_addr = (ptraddr_t)new_user_ptr;

if (offset_in_page(new_addr)) goto out; @@ -952,6 +971,13 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len, ret = move_vma(vma, addr, old_len, new_len, new_addr, locked, flags, uf, uf_unmap, reserv_ptr);

+ if (!IS_ERR_VALUE(ret) && reserv_is_supported(mm)) { + if ((flags & MREMAP_FIXED) && + user_ptr_is_valid((const void __user *)new_user_ptr)) + ret = new_user_ptr; + else + ret = make_new_user_ptr_owning((ptraddr_t)ret, user_ptr); + } out: return ret; } @@ -977,19 +1003,20 @@ static int vma_expandable(struct vm_area_struct *vma, unsigned long delta) * MREMAP_FIXED option added 5-Dec-1999 by Benjamin LaHaise * This option implies MREMAP_MAYMOVE. */ -SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len, +SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, user_ptr, unsigned long, old_len, unsigned long, new_len, unsigned long, flags, - user_uintptr_t, new_addr) + user_uintptr_t, new_user_ptr) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma; user_uintptr_t ret = -EINVAL; bool locked = false; struct vm_userfaultfd_ctx uf = NULL_VM_UFFD_CTX; + ptraddr_t addr = (ptraddr_t)user_ptr; + ptraddr_t new_addr = (ptraddr_t)new_user_ptr; LIST_HEAD(uf_unmap_early); LIST_HEAD(uf_unmap);

- /* @TODO [PCuABI] - capability validation */ /* * There is a deliberate asymmetry here: we strip the pointer tag * from the old address but leave the new address alone. This is @@ -1039,7 +1066,18 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len ret = -EFAULT; goto out; } + if (reserv_is_supported(mm) && + !check_user_ptr_owning(user_ptr, old_len ? old_len : new_len)) + goto out; + if (!reserv_cap_within_reserv(user_ptr, true)) { + ret = -ERESERVATION; + goto out; + } + ret = check_pcuabi_map_ptr_arg(new_user_ptr, new_len, flags & MREMAP_FIXED, true); + if (ret) + goto out;

+ ret = -EINVAL; if (is_vm_hugetlb_page(vma)) { struct hstate *h __maybe_unused = hstate_vma(vma);

@@ -1061,7 +1099,7 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len }

if (flags & (MREMAP_FIXED | MREMAP_DONTUNMAP)) { - ret = mremap_to(addr, old_len, new_addr, new_len, + ret = mremap_to(user_ptr, old_len, new_user_ptr, new_len, &locked, flags, &uf, &uf_unmap_early, &uf_unmap); goto out; @@ -1086,7 +1124,7 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len if (ret) goto out;

- ret = addr; + ret = user_ptr; goto out_unlocked; }

@@ -1140,7 +1178,7 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len locked = true; new_addr = addr; } - ret = addr; + ret = user_ptr; goto out; } } @@ -1166,6 +1204,9 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len

ret = move_vma(vma, addr, old_len, new_len, new_addr, &locked, flags, &uf, &uf_unmap, NULL); + + if (!IS_ERR_VALUE(ret) && reserv_is_supported(mm)) + ret = make_new_user_ptr_owning((ptraddr_t)ret, user_ptr); } out: if (offset_in_page(ret)) @@ -1177,8 +1218,5 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len userfaultfd_unmap_complete(mm, &uf_unmap_early); mremap_userfaultfd_complete(&uf, addr, ret, old_len); userfaultfd_unmap_complete(mm, &uf_unmap); - /* TODO [PCuABI] - derive proper capability */ - return IS_ERR_VALUE(ret) ? - ret : - (user_intptr_t)uaddr_to_user_ptr_safe((ptraddr_t)ret); + return ret; }

From: Amit Daniel Kachhap amitdaniel.kachhap@arm.com

Use the recently introduced PCuABI reservation interfaces to verify the address range for madvise syscall, and in the corresponding io_uring command.

do_madvise() has some internal kernel users that manipulate raw addresses, so add a parameter to skip the reservation checks.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com --- include/linux/mm.h | 3 ++- io_uring/advise.c | 3 +-- mm/damon/vaddr.c | 2 +- mm/madvise.c | 26 +++++++++++++++++++++----- 4 files changed, 25 insertions(+), 9 deletions(-)

diff --git a/include/linux/mm.h b/include/linux/mm.h index 3d1e867bd903..691d624ad167 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -3375,7 +3375,8 @@ extern int do_vmi_munmap(struct vma_iterator *vmi, struct mm_struct *mm, bool unlock); extern int do_munmap(struct mm_struct *, unsigned long, size_t, struct list_head *uf); -extern int do_madvise(struct mm_struct *mm, unsigned long start, size_t len_in, int behavior); +extern int do_madvise(struct mm_struct *mm, user_uintptr_t user_ptr, size_t len_in, + int behavior, bool cap_check_skip);

#ifdef CONFIG_MMU extern int do_vma_munmap(struct vma_iterator *vmi, struct vm_area_struct *vma, diff --git a/io_uring/advise.c b/io_uring/advise.c index 952d9289a311..b711af00719a 100644 --- a/io_uring/advise.c +++ b/io_uring/advise.c @@ -54,8 +54,7 @@ int io_madvise(struct io_kiocb *req, unsigned int issue_flags)

WARN_ON_ONCE(issue_flags & IO_URING_F_NONBLOCK);

- /* TODO [PCuABI] - capability checks for uaccess */ - ret = do_madvise(current->mm, user_ptr_addr(ma->addr), ma->len, ma->advice); + ret = do_madvise(current->mm, (user_uintptr_t)ma->addr, ma->len, ma->advice, false); io_req_set_res(req, ret, 0); return IOU_OK; #else diff --git a/mm/damon/vaddr.c b/mm/damon/vaddr.c index a4d1f63c5b23..3138da113117 100644 --- a/mm/damon/vaddr.c +++ b/mm/damon/vaddr.c @@ -643,7 +643,7 @@ static unsigned long damos_madvise(struct damon_target *target, if (!mm) return 0;

- applied = do_madvise(mm, start, len, behavior) ? 0 : len; + applied = do_madvise(mm, start, len, behavior, true) ? 0 : len; mmput(mm);

return applied; diff --git a/mm/madvise.c b/mm/madvise.c index d0c8e854636e..6668d76c8a35 100644 --- a/mm/madvise.c +++ b/mm/madvise.c @@ -31,6 +31,7 @@ #include <linux/swapops.h> #include <linux/shmem_fs.h> #include <linux/mmu_notifier.h> +#include <linux/mm_reserv.h>

#include <asm/tlb.h>

@@ -1394,13 +1395,15 @@ int madvise_set_anon_name(struct mm_struct *mm, unsigned long start, * -EBADF - map exists, but area maps something that isn't a file. * -EAGAIN - a kernel resource was temporarily unavailable. */ -int do_madvise(struct mm_struct *mm, unsigned long start, size_t len_in, int behavior) +int do_madvise(struct mm_struct *mm, user_uintptr_t user_ptr, size_t len_in, + int behavior, bool cap_check_skip) { unsigned long end; int error; int write; size_t len; struct blk_plug plug; + unsigned long start = (ptraddr_t)user_ptr;

if (!madvise_behavior_valid(behavior)) return -EINVAL; @@ -1433,14 +1436,27 @@ int do_madvise(struct mm_struct *mm, unsigned long start, size_t len_in, int beh mmap_read_lock(mm); }

- /* TODO [PCuABI] - capability checks for uaccess */ start = untagged_addr_remote(mm, start); end = start + len;

+ if (!cap_check_skip) { + if (reserv_is_supported(current->mm) && + !check_user_ptr_owning(user_ptr, len)) { + error = -EINVAL; + goto out; + } + /* Check if the range exists within the reservation with mmap lock. */ + if (!reserv_cap_within_reserv(user_ptr, true)) { + error = -ERESERVATION; + goto out; + } + } + blk_start_plug(&plug); error = madvise_walk_vmas(mm, start, end, behavior, madvise_vma_behavior); blk_finish_plug(&plug); +out: if (write) mmap_write_unlock(mm); else @@ -1449,9 +1465,9 @@ int do_madvise(struct mm_struct *mm, unsigned long start, size_t len_in, int beh return error; }

-SYSCALL_DEFINE3(madvise, user_uintptr_t, start, size_t, len_in, int, behavior) +SYSCALL_DEFINE3(madvise, user_uintptr_t, user_ptr, size_t, len_in, int, behavior) { - return do_madvise(current->mm, start, len_in, behavior); + return do_madvise(current->mm, user_ptr, len_in, behavior, false); }

SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec, @@ -1506,7 +1522,7 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec,

while (iov_iter_count(&iter)) { ret = do_madvise(mm, user_ptr_addr(iter_iov_addr(&iter)), - iter_iov_len(&iter), behavior); + iter_iov_len(&iter), behavior, true); if (ret < 0) break; iov_iter_advance(&iter, iter_iov_len(&iter));

From: Amit Daniel Kachhap amitdaniel.kachhap@arm.com

Use the recently introduced PCuABI reservation interfaces to verify the input pointer for the msync syscall.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com --- mm/msync.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/mm/msync.c b/mm/msync.c index ac4c9bfea2e7..64278c54c483 100644 --- a/mm/msync.c +++ b/mm/msync.c @@ -14,6 +14,7 @@ #include <linux/file.h> #include <linux/syscalls.h> #include <linux/sched.h> +#include <linux/mm_reserv.h>

/* * MS_SYNC syncs the entire file - including mappings. @@ -29,15 +30,14 @@ * So by _not_ starting I/O in MS_ASYNC we provide complete flexibility to * applications. */ -SYSCALL_DEFINE3(msync, unsigned long, start, size_t, len, int, flags) +SYSCALL_DEFINE3(msync, user_uintptr_t, user_ptr, size_t, len, int, flags) { unsigned long end; struct mm_struct *mm = current->mm; struct vm_area_struct *vma; int unmapped_error = 0; int error = -EINVAL; - - start = untagged_addr(start); + unsigned long start = untagged_addr((ptraddr_t)user_ptr);

if (flags & ~(MS_ASYNC | MS_INVALIDATE | MS_SYNC)) goto out; @@ -45,6 +45,12 @@ SYSCALL_DEFINE3(msync, unsigned long, start, size_t, len, int, flags) goto out; if ((flags & MS_ASYNC) && (flags & MS_SYNC)) goto out; + if (reserv_is_supported(mm) && !check_user_ptr_owning(user_ptr, len)) + goto out; + if (!reserv_cap_within_reserv(user_ptr, false)) { + error = -ERESERVATION; + goto out; + } error = -ENOMEM; len = (len + ~PAGE_MASK) & PAGE_MASK; end = start + len;

From: Amit Daniel Kachhap amitdaniel.kachhap@arm.com

Use the recently introduced PCuABI reservation interfaces to verify the input pointer for the shmat and shmdt syscalls, and create a capability with appropriate bounds and permissions, if necessary, when shmat succeeds.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com Co-developed-by: Kevin Brodsky kevin.brodsky@arm.com Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com --- include/linux/shm.h | 4 ++-- ipc/shm.c | 44 +++++++++++++++++++++++++++++++++----------- 2 files changed, 35 insertions(+), 13 deletions(-)

diff --git a/include/linux/shm.h b/include/linux/shm.h index d8e69aed3d32..bf5b2e5cbd0c 100644 --- a/include/linux/shm.h +++ b/include/linux/shm.h @@ -14,7 +14,7 @@ struct sysv_shm { struct list_head shm_clist; };

-long do_shmat(int shmid, char __user *shmaddr, int shmflg, unsigned long *addr, +long do_shmat(int shmid, char __user *shmaddr, int shmflg, user_uintptr_t *user_ptr, unsigned long shmlba); bool is_file_shm_hugepages(struct file *file); void exit_shm(struct task_struct *task); @@ -25,7 +25,7 @@ struct sysv_shm { };

static inline long do_shmat(int shmid, char __user *shmaddr, - int shmflg, unsigned long *addr, + int shmflg, user_uintptr_t *user_ptr, unsigned long shmlba) { return -ENOSYS; diff --git a/ipc/shm.c b/ipc/shm.c index 7bb7c4bbc383..ddf83a1f62ed 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -44,6 +44,7 @@ #include <linux/mount.h> #include <linux/ipc_namespace.h> #include <linux/rhashtable.h> +#include <linux/mm_reserv.h>

#include <linux/uaccess.h>

@@ -1519,14 +1520,13 @@ COMPAT_SYSCALL_DEFINE3(old_shmctl, int, shmid, int, cmd, void __user *, uptr) * Fix shmaddr, allocate descriptor, map shm, add attach descriptor to lists. * * NOTE! Despite the name, this is NOT a direct system call entrypoint. The - * "raddr" thing points to kernel space, and there has to be a wrapper around + * "ruser_ptr" thing points to kernel space, and there has to be a wrapper around * this. */ long do_shmat(int shmid, char __user *shmaddr, int shmflg, - ulong *raddr, unsigned long shmlba) + user_uintptr_t *ruser_ptr, unsigned long shmlba) { struct shmid_kernel *shp; - /* TODO [PCuABI] - capability checks for address space management */ unsigned long addr = user_ptr_addr(shmaddr); unsigned long size; struct file *file, *base; @@ -1538,6 +1538,7 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, struct shm_file_data *sfd; int f_flags; unsigned long populate = 0; + user_uintptr_t user_ptr = (user_uintptr_t)shmaddr;

err = -EINVAL; if (shmid < 0) @@ -1666,11 +1667,23 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, goto invalid; }

+ user_ptr = (user_uintptr_t)user_ptr_set_addr(shmaddr, addr); + err = check_pcuabi_map_ptr_arg(user_ptr, size, flags & MAP_FIXED, true); + if (err) + goto invalid; + addr = do_mmap(file, addr, size, prot, flags, 0, 0, &populate, NULL); - *raddr = addr; + + if (!IS_ERR_VALUE(addr) && reserv_is_supported(current->mm)) { + if (!user_ptr_is_valid((const void __user *)user_ptr)) + user_ptr = reserv_make_user_ptr_owning(addr, true); + } else { + user_ptr = addr; + } + *ruser_ptr = user_ptr; err = 0; - if (IS_ERR_VALUE(addr)) - err = (long)addr; + if (IS_ERR_VALUE(user_ptr)) + err = (long)user_ptr; invalid: mmap_write_unlock(current->mm); if (populate) @@ -1699,15 +1712,14 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg,

SYSCALL_DEFINE3(__retptr__(shmat), int, shmid, char __user *, shmaddr, int, shmflg) { - unsigned long ret; + user_uintptr_t ret; long err;

err = do_shmat(shmid, shmaddr, shmflg, &ret, SHMLBA); if (err) return err; force_successful_syscall_return(); - /* TODO [PCuABI] - derive proper capability */ - return (user_uintptr_t)uaddr_to_user_ptr_safe(ret); + return ret; }

#ifdef CONFIG_COMPAT @@ -1718,7 +1730,7 @@ SYSCALL_DEFINE3(__retptr__(shmat), int, shmid, char __user *, shmaddr, int, shmf

COMPAT_SYSCALL_DEFINE3(shmat, int, shmid, compat_uptr_t, shmaddr, int, shmflg) { - unsigned long ret; + user_uintptr_t ret; long err;

err = do_shmat(shmid, compat_ptr(shmaddr), shmflg, &ret, COMPAT_SHMLBA); @@ -1737,7 +1749,6 @@ long ksys_shmdt(char __user *shmaddr) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma; - /* TODO [PCuABI] - capability checks for address space management */ unsigned long addr = user_ptr_addr(shmaddr); int retval = -EINVAL; #ifdef CONFIG_MMU @@ -1783,6 +1794,7 @@ long ksys_shmdt(char __user *shmaddr) */ if ((vma->vm_ops == &shm_vm_ops) && (vma->vm_start - addr)/PAGE_SIZE == vma->vm_pgoff) { + user_uintptr_t user_ptr = (user_uintptr_t)shmaddr;

/* * Record the file of the shm segment being @@ -1792,6 +1804,15 @@ long ksys_shmdt(char __user *shmaddr) */ file = vma->vm_file; size = i_size_read(file_inode(vma->vm_file)); + + if (reserv_is_supported(mm) && + !check_user_ptr_owning(user_ptr, size)) + goto out_unlock; + if (!reserv_cap_within_reserv(user_ptr, true)) { + retval = -ERESERVATION; + goto out_unlock; + } + do_vma_munmap(&vmi, vma, vma->vm_start, vma->vm_end, NULL, false); /* @@ -1836,6 +1857,7 @@ long ksys_shmdt(char __user *shmaddr)

#endif

+out_unlock: mmap_write_unlock(mm); return retval; }

From: Amit Daniel Kachhap amitdaniel.kachhap@arm.com

Implement arch_user_ptr_owning_perms_from_prot() in PCuABI to handle Morello-specific flags and permissions. The hook will be used in a subsequent patch to restrict the permissions of owning capabilities.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com --- arch/arm64/Kconfig | 1 + arch/arm64/include/asm/user_ptr.h | 34 +++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+) create mode 100644 arch/arm64/include/asm/user_ptr.h

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 83a5817afa7d..fbf4ed6c6b5b 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -31,6 +31,7 @@ config ARM64 select ARCH_HAS_GIGANTIC_PAGE select ARCH_HAS_KCOV select HAVE_ARCH_CHERI_H + select HAVE_ARCH_USER_PTR_H select ARCH_HAS_KEEPINITRD select ARCH_HAS_MEMBARRIER_SYNC_CORE select ARCH_HAS_NMI_SAFE_THIS_CPU_OPS diff --git a/arch/arm64/include/asm/user_ptr.h b/arch/arm64/include/asm/user_ptr.h new file mode 100644 index 000000000000..8e75f3e8b980 --- /dev/null +++ b/arch/arm64/include/asm/user_ptr.h @@ -0,0 +1,34 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifndef __ASM_USER_PTR_H +#define __ASM_USER_PTR_H + +#include <linux/cheri.h> +#include <linux/mman.h> +#include <linux/sched/task_stack.h> +#include <asm/processor.h> + +#ifdef CONFIG_CHERI_PURECAP_UABI + +static inline +user_ptr_perms_t arch_user_ptr_owning_perms_from_prot(int prot, unsigned long vm_flags) +{ + struct pt_regs *regs = task_pt_regs(current); + cheri_perms_t perms = 0; + + if ((prot & PROT_READ) && (vm_flags & VM_READ_CAPS)) + perms |= ARM_CAP_PERMISSION_MUTABLE_LOAD; + + if (prot & PROT_EXEC) { + if (cheri_perms_get(regs->pcc) & CHERI_PERM_SYSTEM_REGS) + perms |= CHERI_PERM_SYSTEM_REGS; + if (cheri_perms_get(regs->pcc) & ARM_CAP_PERMISSION_EXECUTIVE) + perms |= ARM_CAP_PERMISSION_EXECUTIVE; + } + + return perms; +} +#define arch_user_ptr_owning_perms_from_prot arch_user_ptr_owning_perms_from_prot + +#endif /* CONFIG_CHERI_PURECAP_UABI */ + +#endif /* __ASM_USER_PTR_H */

As things stand, the permissions of initial reservations will be based on the prot flags of the first segment of the executable/interpreter. Since both RX and RW segments are typically present, the reservation should rather have RWX permissions. Add appropriate PROT_MAX() flags to obtain the right permissions.

Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com --- fs/binfmt_elf.c | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 8617b5328197..e52b6adb14b9 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c @@ -887,6 +887,8 @@ static inline int make_prot(u32 p_flags, struct arch_elf_state *arch_state, if (p_flags & PF_X) prot |= PROT_EXEC;

+ prot |= PROT_MAX(PROT_READ | PROT_WRITE | PROT_EXEC); + return arch_elf_adjust_prot(prot, arch_state, has_interp, is_interp); }

From: Amit Daniel Kachhap amitdaniel.kachhap@arm.com

Add a check that the requested protection bits do not exceed the maximum protection bits.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com --- mm/mmap.c | 11 +++++++++++ 1 file changed, 11 insertions(+)

diff --git a/mm/mmap.c b/mm/mmap.c index 059a9d21ec54..1b8534de40fb 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1463,6 +1463,17 @@ user_uintptr_t ksys_mmap_pgoff(user_uintptr_t user_ptr, unsigned long len, return PTR_ERR(file); }

+ /* + * Introduce additional checks for PCuABI: + * - The PCuABI reservation model introduces the concept of maximum + * protection mappings can have. Add a check to make sure the + * requested protection does not exceed the maximum protection. + */ + if (reserv_is_supported(current->mm)) { + if ((PROT_MAX_EXTRACT(prot) != 0) && + ((PROT_EXTRACT(prot) & PROT_MAX_EXTRACT(prot)) != PROT_EXTRACT(prot))) + goto out_fput; + } retval = check_pcuabi_map_ptr_arg(user_ptr, len, flags & MAP_FIXED, false); if (retval) goto out_fput;

From: Amit Daniel Kachhap amitdaniel.kachhap@arm.com

Check that the requested prot flags can be set based on the input capability's permissions for the mprotect syscall.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com --- mm/mprotect.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mm/mprotect.c b/mm/mprotect.c index 7bf46faa7fd6..0f84e680ca5a 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -705,7 +705,8 @@ static int do_mprotect_pkey(user_uintptr_t user_ptr, size_t len, return -ENOMEM;

if (reserv_is_supported(current->mm) && - !(check_user_ptr_owning(user_ptr, len))) + !(check_user_ptr_owning(user_ptr, len) && + user_ptr_may_set_prot(user_ptr, prot))) return -EINVAL;

if (!arch_validate_prot(prot, start))

Add the BranchSealedPair permission if PROT_CAP_INVOKE is passed, as per the PCuABI specification.

Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com --- arch/arm64/include/asm/user_ptr.h | 3 +++ 1 file changed, 3 insertions(+)

diff --git a/arch/arm64/include/asm/user_ptr.h b/arch/arm64/include/asm/user_ptr.h index 8e75f3e8b980..47e1eab2a420 100644 --- a/arch/arm64/include/asm/user_ptr.h +++ b/arch/arm64/include/asm/user_ptr.h @@ -25,6 +25,9 @@ user_ptr_perms_t arch_user_ptr_owning_perms_from_prot(int prot, unsigned long vm perms |= ARM_CAP_PERMISSION_EXECUTIVE; }

+ if (prot & PROT_CAP_INVOKE) + perms |= ARM_CAP_PERMISSION_BRANCH_SEALED_PAIR; + return perms; } #define arch_user_ptr_owning_perms_from_prot arch_user_ptr_owning_perms_from_prot

From: Amit Daniel Kachhap amitdaniel.kachhap@arm.com

The MAP_GROWSDOWN flag is not supported by PCuABI specification. Hence, reject such requests with -EOPNOTSUPP error.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com --- mm/mmap.c | 6 ++++++ 1 file changed, 6 insertions(+)

diff --git a/mm/mmap.c b/mm/mmap.c index 1b8534de40fb..c1da5b13ec3c 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1468,11 +1468,17 @@ user_uintptr_t ksys_mmap_pgoff(user_uintptr_t user_ptr, unsigned long len, * - The PCuABI reservation model introduces the concept of maximum * protection mappings can have. Add a check to make sure the * requested protection does not exceed the maximum protection. + * - MAP_GROWSDOWN mappings have no fixed bounds and hence are not + * supported in the PCuABI reservation model. */ if (reserv_is_supported(current->mm)) { if ((PROT_MAX_EXTRACT(prot) != 0) && ((PROT_EXTRACT(prot) & PROT_MAX_EXTRACT(prot)) != PROT_EXTRACT(prot))) goto out_fput; + if (flags & MAP_GROWSDOWN) { + retval = -EOPNOTSUPP; + goto out_fput; + } } retval = check_pcuabi_map_ptr_arg(user_ptr, len, flags & MAP_FIXED, false); if (retval)

From: Amit Daniel Kachhap amitdaniel.kachhap@arm.com

Save the capability corresponding to the vDSO reservation in mm_context_t so that we can directly use it in ARCH_DLINFO, restricting the bounds and permissions of AT_SYSINFO_EHDR. We explicitly remove the VMem permission as per the PCuABI specification (we do not provide an owning capability for the vDSO).

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com Co-developed-by: Kevin Brodsky kevin.brodsky@arm.com Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com --- arch/arm64/include/asm/elf.h | 9 ++------- arch/arm64/include/asm/mmu.h | 2 +- arch/arm64/kernel/vdso.c | 20 +++++++++++++++++--- 3 files changed, 20 insertions(+), 11 deletions(-)

diff --git a/arch/arm64/include/asm/elf.h b/arch/arm64/include/asm/elf.h index 7d253fc3961c..be91c27ba24b 100644 --- a/arch/arm64/include/asm/elf.h +++ b/arch/arm64/include/asm/elf.h @@ -174,12 +174,7 @@ extern int aarch64_setup_additional_pages(struct linux_binprm *bprm, extern int purecap_setup_additional_pages(struct linux_binprm *bprm, int uses_interp); #define arch_setup_additional_pages purecap_setup_additional_pages -/* - * TODO [PCuABI]: Look into restricting the bounds of this capability to just - * the vDSO pages, as currently the bounds are of the root user capability. - */ -#define ARCH_DLINFO SETUP_DLINFO(uaddr_to_user_ptr_safe( \ - (elf_addr_t)current->mm->context.vdso)) +#define ARCH_DLINFO SETUP_DLINFO(current->mm->context.vdso) #else /* !CONFIG_CHERI_PURECAP_UABI */ #define arch_setup_additional_pages aarch64_setup_additional_pages #define ARCH_DLINFO SETUP_DLINFO((elf_addr_t)current->mm->context.vdso) @@ -219,7 +214,7 @@ typedef compat_elf_greg_t compat_elf_gregset_t[COMPAT_ELF_NGREG]; SET_PERSONALITY_AARCH64(); \ })

-#define COMPAT_ARCH_DLINFO SETUP_DLINFO((elf_addr_t)current->mm->context.vdso) +#define COMPAT_ARCH_DLINFO SETUP_DLINFO(current->mm->context.vdso)

#define compat_arch_setup_additional_pages aarch64_setup_additional_pages

diff --git a/arch/arm64/include/asm/mmu.h b/arch/arm64/include/asm/mmu.h index 12a7889f0a37..5b3e3e8c0fe1 100644 --- a/arch/arm64/include/asm/mmu.h +++ b/arch/arm64/include/asm/mmu.h @@ -23,7 +23,7 @@ typedef struct { void *sigpage; #endif refcount_t pinned; - void *vdso; + user_uintptr_t vdso; unsigned long flags; } mm_context_t;

diff --git a/arch/arm64/kernel/vdso.c b/arch/arm64/kernel/vdso.c index f9059577581f..9cda023bda85 100644 --- a/arch/arm64/kernel/vdso.c +++ b/arch/arm64/kernel/vdso.c @@ -84,10 +84,23 @@ static union { } vdso_data_store __page_aligned_data; struct vdso_data *vdso_data = vdso_data_store.data;

+static user_uintptr_t make_vdso_ptr(struct vm_area_struct *vdso_text_vma) +{ + user_uintptr_t ret; + + ret = reserv_vma_make_user_ptr_owning(vdso_text_vma); +#ifdef CONFIG_CHERI_PURECAP_UABI + if (!is_compat_task()) + ret = cheri_perms_clear(ret, CHERI_PERM_SW_VMEM); +#endif + + return ret; +} + static int vdso_mremap(const struct vm_special_mapping *sm, struct vm_area_struct *new_vma) { - current->mm->context.vdso = (void *)new_vma->vm_start; + current->mm->context.vdso = make_vdso_ptr(new_vma);

return 0; } @@ -233,7 +246,6 @@ static int __setup_additional_pages(enum vdso_abi abi, gp_flags = VM_ARM64_BTI;

vdso_text_base = vdso_base + VVAR_NR_PAGES * PAGE_SIZE; - mm->context.vdso = (void *)vdso_text_base; ret = _install_special_mapping(mm, vdso_text_base, vdso_text_len, VM_READ|VM_EXEC|gp_flags| VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC, @@ -245,10 +257,12 @@ static int __setup_additional_pages(enum vdso_abi abi, PROT_READ | PROT_EXEC)) goto up_fail;

+ mm->context.vdso = make_vdso_ptr(ret); + return 0;

up_fail: - mm->context.vdso = NULL; + mm->context.vdso = 0; return PTR_ERR(ret); }