PCuABI specification introduces memory reservation so add a flag MMF_PCUABI_RESERVE to represent such memory mappings. As memory reservations are mm specific, this flag will help to differentiate between purecap and compat process memory mappings.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com --- include/linux/sched/coredump.h | 2 ++ 1 file changed, 2 insertions(+)

diff --git a/include/linux/sched/coredump.h b/include/linux/sched/coredump.h index 0ee96ea7a0e9..fa5b5ae5f67c 100644 --- a/include/linux/sched/coredump.h +++ b/include/linux/sched/coredump.h @@ -91,4 +91,6 @@ static inline int get_dumpable(struct mm_struct *mm) MMF_DISABLE_THP_MASK | MMF_HAS_MDWE_MASK)

#define MMF_VM_MERGE_ANY 29 + +#define MMF_PCUABI_RESERVE 30 /* PCuABI memory reservation feature */ #endif /* _LINUX_SCHED_COREDUMP_H */

PCuABI needs the address space reservation interfaces to manage the owning capability of the allocated addresses. This interface prevents two unrelated owning capabilities created by the kernel to overlap.

The reservation interface stores the ranges of different virtual addresses as reservation entries which is same as the bound of the capability provided by the kernel to userspace. It also stores the owning capability permissions to manage the future syscall requests for updating permissions.

Few basic rules are followed by the reservation interfaces:

- Reservations can only be created or destroyed and they are never expanded or shrunk. Reservations are created when new memory mapping is made outside of an existing reservation. - A single reservation can have many mappings. However unused region of the reservation cannot be re-used again. - Reservations start address is aligned to CHERI representable base. - Reservations length value is aligned to CHERI representable length.

More rules about the address space reservation interface can be found in the PCuABI specification.

This commit introduces API's reserv_vma_set_reserv(), reserv_range_set_reserv(), reserv_vmi_range_mapped(), reserv_vmi_valid_capability(), reserv_vma_valid_capability(), reserv_vma_valid_address(), reserv_vma_same_reserv() and reserv_vma_is_supported(). Here except reserv_range_set_reserv(), all other involves single vma. All the above interfaces will be used in different memory management syscalls in subsequent patches.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com --- include/linux/cap_addr_mgmt.h | 196 ++++++++++++++++++++++++++++++++++ include/linux/mm_types.h | 5 + mm/Makefile | 2 +- mm/cap_addr_mgmt.c | 176 ++++++++++++++++++++++++++++++ 4 files changed, 378 insertions(+), 1 deletion(-) create mode 100644 include/linux/cap_addr_mgmt.h create mode 100644 mm/cap_addr_mgmt.c

diff --git a/include/linux/cap_addr_mgmt.h b/include/linux/cap_addr_mgmt.h new file mode 100644 index 000000000000..2f296f02c3ff --- /dev/null +++ b/include/linux/cap_addr_mgmt.h @@ -0,0 +1,196 @@ +/* SPDX-License-Identifier: GPL-2.0 */ + +#ifndef _LINUX_CAP_ADDR_MGMT_H +#define _LINUX_CAP_ADDR_MGMT_H + +#include <linux/cheri.h> +#include <linux/init.h> +#include <linux/list.h> +#include <linux/mm_types.h> +#include <linux/sched/coredump.h> +#include <linux/types.h> + +#ifdef CONFIG_CHERI_PURECAP_UABI +#define CHERI_REPRESENTABLE_ALIGNMENT(len) \ + (~cheri_representable_alignment_mask(len) + 1) + +#define CHERI_REPRESENTABLE_BASE(base, len) \ + ((base) & cheri_representable_alignment_mask(len)) + +/** + * reserv_vma_set_reserv() - Sets the reservation details in the VMA for the + * virtual address range from start to (start + len) with perm permission as + * the entry. The start address are stored as CHERI representable base and the + * length as CHERI representable length. They are expected to not interfere + * with the successive vma. This function should be called with mmap_lock + * held. + * @vma: VMA pointer to insert the reservation entry. + * @start: Reservation start value. + * @len: Reservation length. + * @perm: Capability permission for the reserved range. + * + * Return: 0 if reservation entry added successfully or -ERESERVATION + * otherwise. + */ +int reserv_vma_set_reserv(struct vm_area_struct *vma, ptraddr_t start, + size_t len, cheri_perms_t perm); + +/** + * reserv_range_set_reserv() - Sets the reservation details across the VMA's + * for the virtual address range from start to (start + len) with the perm + * permission as the entry. The start address is expected to be CHERI + * representable base and the length to be CHERI representable length. + * This function internally uses mmap_lock to synchronize the vma updates + * if mmap_lock not already held. + * @start: Reservation start value. + * @len: Reservation length. + * @perm: Capability permission for the reserved range. + * @locked: Flag to indicate if mmap_lock is already held. + * + * Return: valid capability with bounded range and requested permission or + * negative errorcode otherwise. + */ +user_uintptr_t reserv_range_set_reserv(ptraddr_t start, size_t len, + cheri_perms_t perm, bool locked); + +/** + * reserv_vmi_range_mapped_unlocked() - Searches the reservation interface for + * the virtual address range from start to (start + len). This is useful to + * find if the requested range maps completely and there is no fragmentation. + * This function internally uses mmap_lock to synchronize the vma updates + * if mmap_lock not already held. + * @vmi: The vma iterator pointing at the vma. + * @start: Virtual address start value. + * @len: Virtual address length. + * @locked: Flag to indicate if mmap_lock is already held. + * + * Return: 0 if the vma mapping matches fully with the given range or negative + * errorcode otherwise. + */ +int reserv_vmi_range_mapped(struct vma_iterator *vmi, ptraddr_t start, + size_t len, bool locked); + +/** + * reserv_vmi_valid_capability() - Search and matches the reservation interface + * for the capability bound values falling within the reserved virtual address + * range. This function internally uses mmap_lock to synchronize the vma + * updates if mmap_lock not already held. + * @vmi: The vma iterator pointing at the vma. + * @cap: Reservation capability value. + * @locked: Flag to indicate if mmap_lock is already held. + * + * Return: True if the input capability bound values within the reserved virtual + * address range or false otherwise. + */ +bool reserv_vmi_valid_capability(struct vma_iterator *vmi, user_uintptr_t cap, + bool locked); + +/** + * reserv_vma_valid_capability() - Search and matches the input vma for the + * capability bound values falling within the reserved virtual address range. + * This function should be called with mmap_lock held. + * @vma: The vma pointer. + * @cap: Reservation capability value. + * + * Return: True if the input capability bound values within the reserved virtual + * address range or false otherwise. + */ +bool reserv_vma_valid_capability(struct vm_area_struct *vma, user_uintptr_t cap); + +/** + * reserv_vma_valid_address() - Search and matches the input vma for the input + * address range falling within the reserved virtual address range. This + * function should be called with mmap_lock held. + * @vma: The vma pointer. + * @start: Virtual address start value. + * @len: Virtual address length. + * + * Return: True if the input address range within the reserved virtual address + * range or false otherwise. + */ +bool reserv_vma_valid_address(struct vm_area_struct *vma, ptraddr_t start, size_t len); + +/** + * reserv_vma_same_reserv() - Compares the reservation properties between + * two vma's. This function should be called with mmap_lock held. + * @vma1: The first vma pointer. + * @vma2: The second vma pointer. + * + * Return: True if two vma's have the same reservation range or false otherwise. + */ +bool reserv_vma_same_reserv(struct vm_area_struct *vma1, struct vm_area_struct *vma2); + +/** + * reserv_vma_is_supported() - Checks if the reservation properties exists + * for the vma. This function should be called with mmap_lock held. + * @vma: The vma pointer. + * + * Return: True if vma has the reservation property set or false otherwise. + */ +bool reserv_vma_is_supported(struct vm_area_struct *vma); + +/** + * reserv_fork() - Checks and copies the MMF_PCUABI_RESERVE bit in the new + * mm during fork. + * @mm: New mm pointer. + * @oldmm: Old mm pointer. + * + * Return: None. + */ +static inline void reserv_fork(struct mm_struct *mm, struct mm_struct *oldmm) +{ + if (test_bit(MMF_PCUABI_RESERVE, &oldmm->flags)) + set_bit(MMF_PCUABI_RESERVE, &mm->flags); +} + +#else /* CONFIG_CHERI_PURECAP_UABI */ + +static inline int reserv_vma_set_reserv(struct vm_area_struct *vma, ptraddr_t start, + size_t len, cheri_perms_t perm) +{ + return 0; +} + +static inline user_uintptr_t reserv_range_set_reserv(ptraddr_t start, size_t len, + cheri_perms_t perm, bool locked) +{ + return (user_uintptr_t)start; +} + +static inline int reserv_vmi_range_mapped(struct vma_iterator *vmi, ptraddr_t start, + size_t len, bool locked) +{ + return 0; +} + +static inline bool reserv_vmi_valid_capability(struct vma_iterator *vmi, user_uintptr_t cap, + bool locked) +{ + return true; +} + +static inline bool reserv_vma_valid_capability(struct vm_area_struct *vma, user_uintptr_t cap) +{ + return true; +} + +static inline bool reserv_vma_valid_address(struct vm_area_struct *vma, ptraddr_t addr, size_t len) +{ + return true; +} + +static inline bool reserv_vma_same_reserv(struct vm_area_struct *vma1, struct vm_area_struct *vma2) +{ + return true; +} + +static inline bool reserv_vma_is_supported(struct vm_area_struct *vma) +{ + return false; +} + +static inline void reserv_fork(struct mm_struct *mm, struct mm_struct *oldmm) {} + +#endif /* CONFIG_CHERI_PURECAP_UABI */ + +#endif /* _LINUX_CAP_ADDR_MGMT_H */ diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h index 12e87f83287d..38bad6b201ca 100644 --- a/include/linux/mm_types.h +++ b/include/linux/mm_types.h @@ -571,6 +571,11 @@ struct vm_area_struct { struct vma_numab_state *numab_state; /* NUMA Balancing state */ #endif struct vm_userfaultfd_ctx vm_userfaultfd_ctx; +#ifdef CONFIG_CHERI_PURECAP_UABI + unsigned long reserv_start; + unsigned long reserv_len; + unsigned long reserv_perm; +#endif } __randomize_layout;

#ifdef CONFIG_SCHED_MM_CID diff --git a/mm/Makefile b/mm/Makefile index e29afc890cde..c2ca31fe5798 100644 --- a/mm/Makefile +++ b/mm/Makefile @@ -39,7 +39,7 @@ mmu-y := nommu.o mmu-$(CONFIG_MMU) := highmem.o memory.o mincore.o \ mlock.o mmap.o mmu_gather.o mprotect.o mremap.o \ msync.o page_vma_mapped.o pagewalk.o \ - pgtable-generic.o rmap.o vmalloc.o + pgtable-generic.o rmap.o vmalloc.o cap_addr_mgmt.o

ifdef CONFIG_CROSS_MEMORY_ATTACH diff --git a/mm/cap_addr_mgmt.c b/mm/cap_addr_mgmt.c new file mode 100644 index 000000000000..8b5f98d0d01c --- /dev/null +++ b/mm/cap_addr_mgmt.c @@ -0,0 +1,176 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include <linux/bug.h> +#include <linux/cap_addr_mgmt.h> +#include <linux/cheri.h> +#include <linux/mm.h> +#include <linux/slab.h> + +#ifdef CONFIG_CHERI_PURECAP_UABI + +int reserv_vma_set_reserv(struct vm_area_struct *vma, ptraddr_t start, + size_t len, cheri_perms_t perm) +{ + if (!reserv_vma_is_supported(vma)) + return 0; + /* Reservation base/length is expected as page aligned */ + VM_BUG_ON(start & ~PAGE_MASK); + VM_BUG_ON(len & ~PAGE_MASK); + + vma->reserv_start = CHERI_REPRESENTABLE_BASE(start, len); + vma->reserv_len = cheri_representable_length(len); + if (perm) + vma->reserv_perm = perm; + + return 0; +} + +user_uintptr_t reserv_range_set_reserv(ptraddr_t start, size_t len, cheri_perms_t perm, bool locked) +{ + struct mm_struct *mm = current->mm; + struct vm_area_struct *vma; + ptraddr_t end = start + len; + user_uintptr_t ret = 0; + VMA_ITERATOR(vmi, mm, start); + + if (!test_bit(MMF_PCUABI_RESERVE, &mm->flags)) + return start; + + if (end < start) + return -EINVAL; + if (end == start) + return 0; + + /* Check if the reservation range is representable and throw error if not */ + if (start & ~cheri_representable_alignment_mask(len) || + len != cheri_representable_length(len) || + start & ~PAGE_MASK || len % PAGE_SIZE) { + printk(KERN_WARNING "Reservation range (0x%lx)-(0x%lx) is not representable\n", + start, start + len - 1); + return -ERESERVATION; + } + if (!locked && mmap_write_lock_killable(mm)) + return -EINTR; + + for_each_vma_range(vmi, vma, end) { + WRITE_ONCE(vma->reserv_start, start); + WRITE_ONCE(vma->reserv_len, len); + WRITE_ONCE(vma->reserv_perm, perm); + } + if (!locked) + mmap_write_unlock(current->mm); + ret = (user_uintptr_t)uaddr_to_user_ptr_safe(start); + + return ret; +} + +int reserv_vmi_range_mapped(struct vma_iterator *vmi, ptraddr_t start, + size_t len, bool locked) +{ + struct vm_area_struct *vma; + struct mm_struct *mm = current->mm; + int ret = -ENOMEM; + + if (!test_bit(MMF_PCUABI_RESERVE, &mm->flags)) + return 0; + + if (!locked && mmap_read_lock_killable(mm)) + return -EINTR; + + start = round_down(start, PAGE_SIZE); + len = round_up(len, PAGE_SIZE); + mas_set_range(&vmi->mas, start, start); + /* Try walking the given range */ + vma = mas_find(&vmi->mas, start + len - 1); + if (!vma) + goto out; + + /* If the range is fully mapped then no gap exists */ + if (mas_empty_area(&vmi->mas, start, start + len - 1, 1)) + goto out; +out: + if (!locked) + mmap_read_unlock(mm); + return ret; +} + +bool reserv_vmi_valid_capability(struct vma_iterator *vmi, user_uintptr_t cap, bool locked) +{ + struct vm_area_struct *vma; + struct mm_struct *mm = current->mm; + ptraddr_t cap_start = cheri_base_get(cap); + ptraddr_t cap_end = cap_start + cheri_length_get(cap); + bool ret = false; + + if (!test_bit(MMF_PCUABI_RESERVE, &mm->flags)) + return true; + + if (!locked && mmap_read_lock_killable(mm)) + return false; + + /* Check if there is match with the existing reservations */ + vma = mas_find(&vmi->mas, cap_end); + if (!vma) { + ret = true; + goto out; + } + + if (vma->reserv_start <= cap_start && + vma->reserv_len >= cheri_length_get(cap)) + ret = true; +out: + if (!locked) + mmap_read_unlock(mm); + + return ret; +} + +bool reserv_vma_valid_capability(struct vm_area_struct *vma, user_uintptr_t cap) +{ + if (!reserv_vma_is_supported(vma)) + return true; + + /* Check if there is match with the existing reservations */ + if (vma->reserv_start <= cheri_base_get(cap) && + vma->reserv_len >= cheri_length_get(cap)) + return true; + + return false; +} + +bool reserv_vma_valid_address(struct vm_area_struct *vma, ptraddr_t start, size_t len) +{ + if (!reserv_vma_is_supported(vma)) + return true; + + /* Check if there is match with the existing reservations */ + if (vma->reserv_start <= start && vma->reserv_len >= len) + return true; + + return false; +} + +bool reserv_vma_same_reserv(struct vm_area_struct *vma1, struct vm_area_struct *vma2) +{ + if (!vma1 || !vma2 || !reserv_vma_is_supported(vma1) || !reserv_vma_is_supported(vma1)) + return true; + + /* Match reservation properties betwen 2 vma's */ + if (reserv_vma_is_supported(vma1) && reserv_vma_is_supported(vma1) + && vma1->reserv_start == vma2->reserv_start + && vma1->reserv_len == vma2->reserv_len) + return true; + + return false; +} + +bool reserv_vma_is_supported(struct vm_area_struct *vma) +{ + if (vma && vma->vm_mm && test_bit(MMF_PCUABI_RESERVE, + &vma->vm_mm->flags)) + return true; + + return false; +} + +#endif /* CONFIG_CHERI_PURECAP_UABI */

Helper functions such as capability_owns_range(), build_owning_capability() and mapping_to_capability_perm() are added to manage capability constraints as per PCuABI specifications.

Note: These helper functions do not check for capability permission constraints and full support will be added in subsequent commits.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com --- include/linux/cap_addr_mgmt.h | 52 +++++++++++++++++++++++++++++++++++ mm/cap_addr_mgmt.c | 36 +++++++++++++++++++++++- 2 files changed, 87 insertions(+), 1 deletion(-)

diff --git a/include/linux/cap_addr_mgmt.h b/include/linux/cap_addr_mgmt.h index 2f296f02c3ff..6a42e714ecd5 100644 --- a/include/linux/cap_addr_mgmt.h +++ b/include/linux/cap_addr_mgmt.h @@ -143,6 +143,38 @@ static inline void reserv_fork(struct mm_struct *mm, struct mm_struct *oldmm) set_bit(MMF_PCUABI_RESERVE, &mm->flags); }

+/** + * capability_owns_range() - Check if the address range is within the valid + * capability bound. + * @cap: A Capability value. + * @addr: Address start value. + * @len: Address length. + * + * Return: True if address within the capability bound or false otherwise. + */ +bool capability_owns_range(user_uintptr_t cap, ptraddr_t addr, size_t len); + +/** + * build_owning_capability() - Creates a userspace capability from the + * requested base address, length and memory permission flags. + * @addr: Requested capability address. + * @len: Requested capability length. + * @perm: Requested capability permission flags. + * + * Return: A new capability derived from cheri_user_root_cap. + */ +user_uintptr_t build_owning_capability(ptraddr_t addr, size_t len, cheri_perms_t perm); + +/** + * mapping_to_capability_perm() - Converts memory mapping protection flags to + * capability permission flags. + * @prot: Memory protection flags. + * @has_tag_access: Capability permissions to have tag check flags. + * + * Return: Capability permission flags + */ +cheri_perms_t mapping_to_capability_perm(int prot, bool has_tag_access); + #else /* CONFIG_CHERI_PURECAP_UABI */

static inline int reserv_vma_set_reserv(struct vm_area_struct *vma, ptraddr_t start, @@ -191,6 +223,26 @@ static inline bool reserv_vma_is_supported(struct vm_area_struct *vma)

static inline void reserv_fork(struct mm_struct *mm, struct mm_struct *oldmm) {}

+static inline bool capability_owns_range(user_uintptr_t cap, ptraddr_t addr, size_t len) +{ + return true; +} + +static inline user_uintptr_t build_owning_capability(ptraddr_t addr, size_t len, cheri_perms_t perm) +{ + return addr; +} + +static inline bool capability_may_set_prot(user_uintptr_t cap, int prot) +{ + return true; +} + +static inline cheri_perms_t mapping_to_capability_perm(int prot, bool has_tag_access) +{ + return 0; +} + #endif /* CONFIG_CHERI_PURECAP_UABI */

#endif /* _LINUX_CAP_ADDR_MGMT_H */ diff --git a/mm/cap_addr_mgmt.c b/mm/cap_addr_mgmt.c index 8b5f98d0d01c..0112b2136755 100644 --- a/mm/cap_addr_mgmt.c +++ b/mm/cap_addr_mgmt.c @@ -59,7 +59,7 @@ user_uintptr_t reserv_range_set_reserv(ptraddr_t start, size_t len, cheri_perms_ } if (!locked) mmap_write_unlock(current->mm); - ret = (user_uintptr_t)uaddr_to_user_ptr_safe(start); + ret = build_owning_capability(start, len, perm);

return ret; } @@ -173,4 +173,38 @@ bool reserv_vma_is_supported(struct vm_area_struct *vma) return false; }

+bool capability_owns_range(user_uintptr_t cap, ptraddr_t addr, size_t len) +{ + ptraddr_t align_addr = round_down(addr, PAGE_SIZE); + size_t align_len = round_up(len, PAGE_SIZE); + + if (!test_bit(MMF_PCUABI_RESERVE, &current->mm->flags)) + return true; + + return cheri_check_cap((const void * __capability)cheri_address_set(cap, align_addr), + align_len, CHERI_PERM_GLOBAL | CHERI_PERM_SW_VMEM); +} + +user_uintptr_t build_owning_capability(ptraddr_t addr, size_t len, cheri_perms_t perm) +{ + ptraddr_t align_start = CHERI_REPRESENTABLE_BASE(round_down(addr, PAGE_SIZE), len); + size_t align_len = cheri_representable_length(round_up(len, PAGE_SIZE)); + user_uintptr_t ret; + + if (!test_bit(MMF_PCUABI_RESERVE, &current->mm->flags)) + return (user_uintptr_t)addr; + + ret = (user_uintptr_t)cheri_build_user_cap(align_start, align_len, perm); + + return cheri_address_set(ret, addr); +} + +cheri_perms_t mapping_to_capability_perm(int prot __maybe_unused, + bool has_tag_access __maybe_unused) +{ + /* TODO [PCuABI] - capability permission conversion from memory permission */ + return (CHERI_PERMS_READ | CHERI_PERMS_WRITE | + CHERI_PERMS_EXEC | CHERI_PERMS_ROOTCAP); +} + #endif /* CONFIG_CHERI_PURECAP_UABI */

In CHERI architecture, all the ranges cannot be represented in capability so add the necessary CHERI base and length alignment checks when generating the free unmapped virtual address or evaluating the fixed input address.

The PCuABI reservation interface stores the un-usable alignment gaps at the start and end. These gaps should be considered when finding the free unmapped address space.

In case of fixed valid capability type addresses, the requested address range should completely overlap with the reservation range. In case of fixed null capability addresses, they are verified to not overlap with any existing reservation range.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com --- include/linux/mm.h | 8 ++++ mm/mmap.c | 97 +++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 95 insertions(+), 10 deletions(-)

diff --git a/include/linux/mm.h b/include/linux/mm.h index a4b7381b4977..5b79120c999a 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -3239,6 +3239,10 @@ static inline unsigned long vm_start_gap(struct vm_area_struct *vma) { unsigned long vm_start = vma->vm_start;

+#ifdef CONFIG_CHERI_PURECAP_UABI + if (test_bit(MMF_PCUABI_RESERVE, &vma->vm_mm->flags)) + vm_start = vma->reserv_start; +#endif if (vma->vm_flags & VM_GROWSDOWN) { vm_start -= stack_guard_gap; if (vm_start > vma->vm_start) @@ -3251,6 +3255,10 @@ static inline unsigned long vm_end_gap(struct vm_area_struct *vma) { unsigned long vm_end = vma->vm_end;

+#ifdef CONFIG_CHERI_PURECAP_UABI + if (test_bit(MMF_PCUABI_RESERVE, &vma->vm_mm->flags)) + vm_end = vma->reserv_start + vma->reserv_len; +#endif if (vma->vm_flags & VM_GROWSUP) { vm_end += stack_guard_gap; if (vm_end < vma->vm_end) diff --git a/mm/mmap.c b/mm/mmap.c index 7f2246cbc969..6027da2c248b 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -48,6 +48,7 @@ #include <linux/sched/mm.h> #include <linux/ksm.h>

+#include <linux/cap_addr_mgmt.h> #include <linux/uaccess.h> #include <asm/cacheflush.h> #include <asm/tlb.h> @@ -1561,6 +1562,11 @@ static unsigned long unmapped_area(struct vm_unmapped_area_info *info)

/* Adjust search length to account for worst case alignment overhead */ length = info->length + info->align_mask; +#if defined(CONFIG_CHERI_PURECAP_UABI) + /* Cheri Representable length is sufficient for alignment */ + if (test_bit(MMF_PCUABI_RESERVE, &current->mm->flags)) + length = cheri_representable_length(info->length); +#endif if (length < info->length) return -ENOMEM;

@@ -1612,6 +1618,11 @@ static unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info) MA_STATE(mas, &current->mm->mm_mt, 0, 0); /* Adjust search length to account for worst case alignment overhead */ length = info->length + info->align_mask; +#if defined(CONFIG_CHERI_PURECAP_UABI) + /* Cheri Representable length is sufficient for alignment */ + if (test_bit(MMF_PCUABI_RESERVE, &current->mm->flags)) + length = cheri_representable_length(info->length); +#endif if (length < info->length) return -ENOMEM;

@@ -1637,6 +1648,10 @@ static unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info) tmp = mas_prev(&mas, 0); if (tmp && vm_end_gap(tmp) > gap) { high_limit = tmp->vm_start; +#if defined(CONFIG_CHERI_PURECAP_UABI) + if (test_bit(MMF_PCUABI_RESERVE, &current->mm->flags)) + high_limit = tmp->reserv_start; +#endif mas_reset(&mas); goto retry; } @@ -1688,20 +1703,46 @@ generic_get_unmapped_area(struct file *filp, user_uintptr_t user_ptr, struct vm_unmapped_area_info info; unsigned long addr = (ptraddr_t)user_ptr; const unsigned long mmap_end = arch_get_mmap_end(addr, len, flags); + unsigned long align_len = len;

- if (len > mmap_end - mmap_min_addr) +#if defined(CONFIG_CHERI_PURECAP_UABI) + if (test_bit(MMF_PCUABI_RESERVE, &mm->flags)) + align_len = cheri_representable_length(len); +#endif + if (align_len > mmap_end - mmap_min_addr) return -ENOMEM;

- if (flags & MAP_FIXED) + if (flags & MAP_FIXED) { +#if defined(CONFIG_CHERI_PURECAP_UABI) + if (test_bit(MMF_PCUABI_RESERVE, &mm->flags) && cheri_tag_get(user_ptr)) { + /* Ensure that this range is within the reservation bound */ + vma = find_vma(mm, addr); + if (!vma || !reserv_vma_valid_address(vma, addr, len)) + return -ERESERVATION; + return addr; + } else if (!test_bit(MMF_PCUABI_RESERVE, &mm->flags)) + return addr; +#else return addr; +#endif + }

if (addr) { addr = PAGE_ALIGN(addr); +#if defined(CONFIG_CHERI_PURECAP_UABI) + if (test_bit(MMF_PCUABI_RESERVE, &mm->flags)) + addr = round_up(addr, CHERI_REPRESENTABLE_ALIGNMENT(len)); +#endif vma = find_vma_prev(mm, addr, &prev); - if (mmap_end - len >= addr && addr >= mmap_min_addr && - (!vma || addr + len <= vm_start_gap(vma)) && + if (mmap_end - align_len >= addr && addr >= mmap_min_addr && + (!vma || addr + align_len <= vm_start_gap(vma)) && (!prev || addr >= vm_end_gap(prev))) return addr; +#if defined(CONFIG_CHERI_PURECAP_UABI) + else if (flags & MAP_FIXED) + /* This non-tagged fixed address overlaps with other reservation */ + return -ERESERVATION; +#endif }

info.flags = 0; @@ -1709,6 +1750,10 @@ generic_get_unmapped_area(struct file *filp, user_uintptr_t user_ptr, info.low_limit = mm->mmap_base; info.high_limit = mmap_end; info.align_mask = 0; +#if defined(CONFIG_CHERI_PURECAP_UABI) + if (test_bit(MMF_PCUABI_RESERVE, &mm->flags)) + info.align_mask = ~(cheri_representable_alignment_mask(len)); +#endif info.align_offset = 0; return vm_unmapped_area(&info); } @@ -1737,22 +1782,50 @@ generic_get_unmapped_area_topdown(struct file *filp, user_uintptr_t user_ptr, struct vm_unmapped_area_info info; unsigned long addr = (ptraddr_t)user_ptr; const unsigned long mmap_end = arch_get_mmap_end(addr, len, flags); + unsigned long align_len = len; + unsigned long align_addr;

+#if defined(CONFIG_CHERI_PURECAP_UABI) + if (test_bit(MMF_PCUABI_RESERVE, &mm->flags)) + align_len = cheri_representable_length(len); +#endif /* requested length too big for entire address space */ - if (len > mmap_end - mmap_min_addr) + if (align_len > mmap_end - mmap_min_addr) return -ENOMEM;

- if (flags & MAP_FIXED) + if (flags & MAP_FIXED) { +#if defined(CONFIG_CHERI_PURECAP_UABI) + if (test_bit(MMF_PCUABI_RESERVE, &mm->flags) && cheri_tag_get(user_ptr)) { + /* Ensure that this range is within the reservation bound */ + vma = find_vma(mm, addr); + if (!vma || !reserv_vma_valid_address(vma, addr, len)) + return -ERESERVATION; + return addr; + } else if (!test_bit(MMF_PCUABI_RESERVE, &mm->flags)) + return addr; +#else return addr; +#endif + }

/* requesting a specific address */ if (addr) { addr = PAGE_ALIGN(addr); - vma = find_vma_prev(mm, addr, &prev); - if (mmap_end - len >= addr && addr >= mmap_min_addr && - (!vma || addr + len <= vm_start_gap(vma)) && - (!prev || addr >= vm_end_gap(prev))) + align_addr = addr; +#if defined(CONFIG_CHERI_PURECAP_UABI) + if (test_bit(MMF_PCUABI_RESERVE, &mm->flags)) + align_addr = CHERI_REPRESENTABLE_BASE(addr, len); +#endif + vma = find_vma_prev(mm, align_addr, &prev); + if (mmap_end - align_len >= align_addr && align_addr >= mmap_min_addr && + (!vma || align_addr + align_len <= vm_start_gap(vma)) && + (!prev || align_addr >= vm_end_gap(prev))) return addr; +#if defined(CONFIG_CHERI_PURECAP_UABI) + else if (flags & MAP_FIXED) + /* This non-tagged fixed address overlaps with other reservation */ + return -ERESERVATION; +#endif }

info.flags = VM_UNMAPPED_AREA_TOPDOWN; @@ -1760,6 +1833,10 @@ generic_get_unmapped_area_topdown(struct file *filp, user_uintptr_t user_ptr, info.low_limit = PAGE_SIZE; info.high_limit = arch_get_mmap_base(addr, mm->mmap_base); info.align_mask = 0; +#if defined(CONFIG_CHERI_PURECAP_UABI) + if (test_bit(MMF_PCUABI_RESERVE, &mm->flags)) + info.align_mask = ~(cheri_representable_alignment_mask(len)); +#endif info.align_offset = 0; addr = vm_unmapped_area(&info);

PCuABI memory reservation requires adding reservation properties while creating and modifying the vma. reserv_vma_init_reserv() is added to initialize them and reserv_vma_set_reserv() is used to update those details. As of now only for mmap/mremap syscalls these properties are added and later commits will add them for other special vma mappings.

PCuABI memory reservation also requires merging or expanding vma's which only belong to the original reservation. Use suitable reservation interfaces to check those properties before performing such operations on the vma.

The address parameter type is modified from unsigned long to user_uintptr_t in several do_mmap() upstream functions to find out if a new reservation is required or not.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com --- include/linux/mm.h | 24 +++++++++++++++--- kernel/fork.c | 3 +++ mm/mmap.c | 63 ++++++++++++++++++++++++++++++++++++++-------- mm/util.c | 5 ++-- 4 files changed, 80 insertions(+), 15 deletions(-)

diff --git a/include/linux/mm.h b/include/linux/mm.h index 5b79120c999a..06d2aee83aa4 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -747,6 +747,21 @@ static inline void vma_mark_detached(struct vm_area_struct *vma,

#endif /* CONFIG_PER_VMA_LOCK */

+#ifdef CONFIG_CHERI_PURECAP_UABI + +static void reserv_vma_init_reserv(struct vm_area_struct *vma) +{ + vma->reserv_start = 0; + vma->reserv_len = 0; + vma->reserv_perm = 0; +} + +#else /* CONFIG_CHERI_PURECAP_UABI */ + +static void reserv_vma_init_reserv(struct vm_area_struct *vma) {} + +#endif /* CONFIG_CHERI_PURECAP_UABI */ + /* * WARNING: vma_init does not initialize vma->vm_lock. * Use vm_area_alloc()/vm_area_free() if vma needs locking. @@ -761,6 +776,7 @@ static inline void vma_init(struct vm_area_struct *vma, struct mm_struct *mm) INIT_LIST_HEAD(&vma->anon_vma_chain); vma_mark_detached(vma, false); vma_numab_state_init(vma); + reserv_vma_init_reserv(vma); }

/* Use when VMA is not part of the VMA tree and needs no locking */ @@ -3139,10 +3155,12 @@ extern unsigned long get_unmapped_area(struct file *, user_uintptr_t, unsigned l

extern unsigned long mmap_region(struct file *file, unsigned long addr, unsigned long len, vm_flags_t vm_flags, unsigned long pgoff, - struct list_head *uf); -extern unsigned long do_mmap(struct file *file, unsigned long addr, + struct list_head *uf, unsigned long prot, bool new_reserv); + +extern user_uintptr_t do_mmap(struct file *file, user_uintptr_t usrptr, unsigned long len, unsigned long prot, unsigned long flags, unsigned long pgoff, unsigned long *populate, struct list_head *uf); + extern int do_vmi_munmap(struct vma_iterator *vmi, struct mm_struct *mm, unsigned long start, size_t len, struct list_head *uf, bool downgrade); @@ -3169,7 +3187,7 @@ static inline void mm_populate(unsigned long addr, unsigned long len) {} extern int __must_check vm_brk(unsigned long, unsigned long); extern int __must_check vm_brk_flags(unsigned long, unsigned long, unsigned long); extern int vm_munmap(unsigned long, size_t); -extern unsigned long __must_check vm_mmap(struct file *, unsigned long, +extern user_uintptr_t __must_check vm_mmap(struct file *, user_uintptr_t, unsigned long, unsigned long, unsigned long, unsigned long);

diff --git a/kernel/fork.c b/kernel/fork.c index d6fd09ba8d0a..f051a75e448e 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -99,6 +99,7 @@ #include <linux/stackprotector.h> #include <linux/user_events.h> #include <linux/iommu.h> +#include <linux/cap_addr_mgmt.h>

#include <asm/pgalloc.h> #include <linux/uaccess.h> @@ -682,6 +683,8 @@ static __latent_entropy int dup_mmap(struct mm_struct *mm, goto out; khugepaged_fork(mm, oldmm);

+ reserv_fork(mm, oldmm); + retval = vma_iter_bulk_alloc(&vmi, oldmm->map_count); if (retval) goto out; diff --git a/mm/mmap.c b/mm/mmap.c index 6027da2c248b..7fd7d3ac377b 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -49,6 +49,7 @@ #include <linux/ksm.h>

#include <linux/cap_addr_mgmt.h> +#include <linux/cheri.h> #include <linux/uaccess.h> #include <asm/cacheflush.h> #include <asm/tlb.h> @@ -953,7 +954,8 @@ struct vm_area_struct *vma_merge(struct vma_iterator *vmi, struct mm_struct *mm, /* Can we merge the predecessor? */ if (addr == prev->vm_end && mpol_equal(vma_policy(prev), policy) && can_vma_merge_after(prev, vm_flags, anon_vma, file, - pgoff, vm_userfaultfd_ctx, anon_name)) { + pgoff, vm_userfaultfd_ctx, anon_name) + && reserv_vma_same_reserv(prev, curr)) { merge_prev = true; vma_prev(vmi); } @@ -962,7 +964,8 @@ struct vm_area_struct *vma_merge(struct vma_iterator *vmi, struct mm_struct *mm, /* Can we merge the successor? */ if (next && mpol_equal(policy, vma_policy(next)) && can_vma_merge_before(next, vm_flags, anon_vma, file, pgoff+pglen, - vm_userfaultfd_ctx, anon_name)) { + vm_userfaultfd_ctx, anon_name) + && reserv_vma_same_reserv(next, curr)) { merge_next = true; }

@@ -1225,7 +1228,7 @@ static inline bool file_mmap_ok(struct file *file, struct inode *inode, /* * The caller must write-lock current->mm->mmap_lock. */ -unsigned long do_mmap(struct file *file, unsigned long addr, +user_uintptr_t do_mmap(struct file *file, user_uintptr_t usrptr, unsigned long len, unsigned long prot, unsigned long flags, unsigned long pgoff, unsigned long *populate, struct list_head *uf) @@ -1233,6 +1236,8 @@ unsigned long do_mmap(struct file *file, unsigned long addr, struct mm_struct *mm = current->mm; vm_flags_t vm_flags; int pkey = 0; + unsigned long addr = (ptraddr_t)usrptr; + bool new_caps = true;

validate_mm(mm); *populate = 0; @@ -1240,6 +1245,12 @@ unsigned long do_mmap(struct file *file, unsigned long addr, if (!len) return -EINVAL;

+#ifdef CONFIG_CHERI_PURECAP_UABI + if (test_bit(MMF_PCUABI_RESERVE, &mm->flags)) { + if (cheri_tag_get(usrptr)) + new_caps = false; + } +#endif /* * Does the application expect PROT_READ to imply PROT_EXEC? * @@ -1397,20 +1408,25 @@ unsigned long do_mmap(struct file *file, unsigned long addr, vm_flags |= VM_NORESERVE; }

- addr = mmap_region(file, addr, len, vm_flags, pgoff, uf); + if (new_caps) + usrptr = addr; + + addr = mmap_region(file, addr, len, vm_flags, pgoff, uf, prot, new_caps); if (!IS_ERR_VALUE(addr) && ((vm_flags & VM_LOCKED) || (flags & (MAP_POPULATE | MAP_NONBLOCK)) == MAP_POPULATE)) *populate = len; + return addr; }

-user_uintptr_t ksys_mmap_pgoff(user_uintptr_t addr, unsigned long len, +user_uintptr_t ksys_mmap_pgoff(user_uintptr_t usrptr, unsigned long len, unsigned long prot, unsigned long flags, unsigned long fd, unsigned long pgoff) { struct file *file = NULL; user_uintptr_t retval; + ptraddr_t addr = (ptraddr_t)usrptr;

if (!(flags & MAP_ANONYMOUS)) { audit_mmap_fd(fd, flags); @@ -1443,7 +1459,7 @@ user_uintptr_t ksys_mmap_pgoff(user_uintptr_t addr, unsigned long len, return PTR_ERR(file); }

- retval = vm_mmap_pgoff(file, addr, len, prot, flags, pgoff); + retval = vm_mmap_pgoff(file, usrptr, len, prot, flags, pgoff); out_fput: if (file) fput(file); @@ -2628,15 +2644,18 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len,

unsigned long mmap_region(struct file *file, unsigned long addr, unsigned long len, vm_flags_t vm_flags, unsigned long pgoff, - struct list_head *uf) + struct list_head *uf, unsigned long prot, bool new_reserv) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma = NULL; - struct vm_area_struct *next, *prev, *merge; + struct vm_area_struct *next, *prev, *merge, *old_vma; pgoff_t pglen = len >> PAGE_SHIFT; unsigned long charged = 0; unsigned long end = addr + len; unsigned long merge_start = addr, merge_end = end; + unsigned long reserv_start = 0; + unsigned long reserv_len = 0; + unsigned long reserv_perm = 0; pgoff_t vm_pgoff; int error; VMA_ITERATOR(vmi, mm, addr); @@ -2656,6 +2675,20 @@ unsigned long mmap_region(struct file *file, unsigned long addr, return -ENOMEM; }

+ if (!new_reserv) { + old_vma = vma_find(&vmi, end); + if (!old_vma) + return -ENOMEM; +#ifdef CONFIG_CHERI_PURECAP_UABI + if (reserv_vma_is_supported(old_vma)) { + reserv_start = old_vma->reserv_start; + reserv_len = old_vma->reserv_len; + reserv_perm = old_vma->reserv_perm; + } +#endif + vma_iter_set(&vmi, addr); + } + /* Unmap any existing mapping in the area */ if (do_vmi_munmap(&vmi, mm, addr, len, uf, false)) return -ENOMEM; @@ -2679,7 +2712,8 @@ unsigned long mmap_region(struct file *file, unsigned long addr, /* Check next */ if (next && next->vm_start == end && !vma_policy(next) && can_vma_merge_before(next, vm_flags, NULL, file, pgoff+pglen, - NULL_VM_UFFD_CTX, NULL)) { + NULL_VM_UFFD_CTX, NULL) && + reserv_vma_valid_address(next, addr, len)) { merge_end = next->vm_end; vma = next; vm_pgoff = next->vm_pgoff - pglen; @@ -2690,7 +2724,8 @@ unsigned long mmap_region(struct file *file, unsigned long addr, (vma ? can_vma_merge_after(prev, vm_flags, vma->anon_vma, file, pgoff, vma->vm_userfaultfd_ctx, NULL) : can_vma_merge_after(prev, vm_flags, NULL, file, pgoff, - NULL_VM_UFFD_CTX, NULL))) { + NULL_VM_UFFD_CTX, NULL)) && + reserv_vma_valid_address(prev, addr, len)) { merge_start = prev->vm_start; vma = prev; vm_pgoff = prev->vm_pgoff; @@ -2722,6 +2757,12 @@ unsigned long mmap_region(struct file *file, unsigned long addr, vm_flags_init(vma, vm_flags); vma->vm_page_prot = vm_get_page_prot(vm_flags); vma->vm_pgoff = pgoff; + if (new_reserv) + reserv_vma_set_reserv(vma, addr, len, + mapping_to_capability_perm(prot, (vm_flags & VM_SHARED) + ? false : true)); + else + reserv_vma_set_reserv(vma, reserv_start, reserv_len, reserv_perm);

if (file) { if (vm_flags & VM_SHARED) { @@ -3320,6 +3361,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, *vmap = vma = new_vma; } *need_rmap_locks = (new_vma->vm_pgoff <= vma->vm_pgoff); + reserv_vma_set_reserv(new_vma, addr, len, 0); } else { new_vma = vm_area_dup(vma); if (!new_vma) @@ -3327,6 +3369,7 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap, new_vma->vm_start = addr; new_vma->vm_end = addr + len; new_vma->vm_pgoff = pgoff; + reserv_vma_set_reserv(new_vma, addr, len, 0); if (vma_dup_policy(vma, new_vma)) goto out_free_vma; if (anon_vma_clone(new_vma, vma)) diff --git a/mm/util.c b/mm/util.c index 61de3bf7712b..f6fbfa7d014e 100644 --- a/mm/util.c +++ b/mm/util.c @@ -557,7 +557,8 @@ user_uintptr_t vm_mmap_pgoff(struct file *file, user_uintptr_t addr, return ret; }

-unsigned long vm_mmap(struct file *file, unsigned long addr, +/* TODO [PCuABI] - Update the users of vm_mmap */ +user_uintptr_t vm_mmap(struct file *file, user_uintptr_t usrptr, unsigned long len, unsigned long prot, unsigned long flag, unsigned long offset) { @@ -566,7 +567,7 @@ unsigned long vm_mmap(struct file *file, unsigned long addr, if (unlikely(offset_in_page(offset))) return -EINVAL;

- return vm_mmap_pgoff(file, addr, len, prot, flag, offset >> PAGE_SHIFT); + return vm_mmap_pgoff(file, usrptr, len, prot, flag, offset >> PAGE_SHIFT); } EXPORT_SYMBOL(vm_mmap);

Use the recently introduced PCuABI reservation interfaces to add different parameter constraints for mmap/munmap syscall. The capability returned by mmap syscalls is now bounded and is same as the reservation range. These reservation checks do not affect the compat64 code path.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com --- include/linux/cheri.h | 3 +++ include/linux/mm.h | 2 +- mm/mmap.c | 58 ++++++++++++++++++++++++++++++++++++++----- mm/util.c | 7 ------ 4 files changed, 56 insertions(+), 14 deletions(-)

diff --git a/include/linux/cheri.h b/include/linux/cheri.h index e5f588b056ad..02ef0e911e63 100644 --- a/include/linux/cheri.h +++ b/include/linux/cheri.h @@ -37,6 +37,9 @@ (CHERI_PERM_GLOBAL | CHERI_PERM_SW_VMEM) #endif

+#define cheri_is_null_derived(cap) \ + cheri_is_equal_exact((uintcap_t)cheri_address_get(cap), cap) + /** * cheri_build_user_cap() - Create a userspace capability. * @addr: Requested capability address. diff --git a/include/linux/mm.h b/include/linux/mm.h index 06d2aee83aa4..8e6541a8d4f9 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -3186,7 +3186,7 @@ static inline void mm_populate(unsigned long addr, unsigned long len) {} /* These take the mm semaphore themselves */ extern int __must_check vm_brk(unsigned long, unsigned long); extern int __must_check vm_brk_flags(unsigned long, unsigned long, unsigned long); -extern int vm_munmap(unsigned long, size_t); +extern int vm_munmap(user_uintptr_t, size_t); extern user_uintptr_t __must_check vm_mmap(struct file *, user_uintptr_t, unsigned long, unsigned long, unsigned long, unsigned long); diff --git a/mm/mmap.c b/mm/mmap.c index 7fd7d3ac377b..95d16e306559 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1238,6 +1238,7 @@ user_uintptr_t do_mmap(struct file *file, user_uintptr_t usrptr, int pkey = 0; unsigned long addr = (ptraddr_t)usrptr; bool new_caps = true; + bool ignore_reserv = true;

validate_mm(mm); *populate = 0; @@ -1247,6 +1248,7 @@ user_uintptr_t do_mmap(struct file *file, user_uintptr_t usrptr,

#ifdef CONFIG_CHERI_PURECAP_UABI if (test_bit(MMF_PCUABI_RESERVE, &mm->flags)) { + ignore_reserv = false; if (cheri_tag_get(usrptr)) new_caps = false; } @@ -1284,7 +1286,7 @@ user_uintptr_t do_mmap(struct file *file, user_uintptr_t usrptr, /* Obtain the address to map to. we verify (or select) it and ensure * that it represents a valid section of the address space. */ - addr = get_unmapped_area(file, addr, len, pgoff, flags); + addr = get_unmapped_area(file, usrptr, len, pgoff, flags); if (IS_ERR_VALUE(addr)) return addr;

@@ -1416,6 +1418,13 @@ user_uintptr_t do_mmap(struct file *file, user_uintptr_t usrptr, ((vm_flags & VM_LOCKED) || (flags & (MAP_POPULATE | MAP_NONBLOCK)) == MAP_POPULATE)) *populate = len; + if (!IS_ERR_VALUE(addr)) { + if (new_caps && !ignore_reserv) + usrptr = build_owning_capability(addr, len, + mapping_to_capability_perm(prot, + (flags & MAP_SHARED) ? false : true)); + return usrptr; + }

return addr; } @@ -1425,8 +1434,11 @@ user_uintptr_t ksys_mmap_pgoff(user_uintptr_t usrptr, unsigned long len, unsigned long fd, unsigned long pgoff) { struct file *file = NULL; - user_uintptr_t retval; + user_uintptr_t retval = -EINVAL; ptraddr_t addr = (ptraddr_t)usrptr; +#ifdef CONFIG_CHERI_PURECAP_UABI + VMA_ITERATOR(vmi, current->mm, addr); +#endif

if (!(flags & MAP_ANONYMOUS)) { audit_mmap_fd(fd, flags); @@ -1458,6 +1470,26 @@ user_uintptr_t ksys_mmap_pgoff(user_uintptr_t usrptr, unsigned long len, if (IS_ERR(file)) return PTR_ERR(file); } +#ifdef CONFIG_CHERI_PURECAP_UABI + if (!test_bit(MMF_PCUABI_RESERVE, &current->mm->flags)) + goto skip_pcuabi_checks; + if (cheri_tag_get(usrptr)) { + if (!(flags & MAP_FIXED) || !capability_owns_range(usrptr, addr, len)) + goto out_fput; + if (!reserv_vmi_valid_capability(&vmi, usrptr, false)) { + retval = -ERESERVATION; + goto out_fput; + } + if (!reserv_vmi_range_mapped(&vmi, addr, len, false)) { + retval = -ENOMEM; + goto out_fput; + } + } else { + if (!cheri_is_null_derived(usrptr)) + goto out_fput; + } +skip_pcuabi_checks: +#endif

retval = vm_mmap_pgoff(file, usrptr, len, prot, flags, pgoff); out_fput: @@ -2941,15 +2973,29 @@ static int __vm_munmap(unsigned long start, size_t len, bool downgrade) return ret; }

-int vm_munmap(unsigned long start, size_t len) +/* TODO [PCuABI] - Update the users of vm_munmap */ +int vm_munmap(user_uintptr_t usrptr, size_t len) { - return __vm_munmap(start, len, false); + return __vm_munmap((ptraddr_t)usrptr, len, false); } EXPORT_SYMBOL(vm_munmap);

-SYSCALL_DEFINE2(munmap, user_uintptr_t, addr, size_t, len) +SYSCALL_DEFINE2(munmap, user_uintptr_t, usrptr, size_t, len) { - addr = untagged_addr(addr); + ptraddr_t addr = untagged_addr((ptraddr_t)usrptr); + VMA_ITERATOR(vmi, current->mm, addr); + +#ifdef CONFIG_CHERI_PURECAP_UABI + usrptr = cheri_address_set(usrptr, addr); +#else + usrptr = addr; +#endif + if (test_bit(MMF_PCUABI_RESERVE, &current->mm->flags)) { + if (!capability_owns_range(usrptr, addr, len)) + return -EINVAL; + if (!reserv_vmi_valid_capability(&vmi, usrptr, false)) + return -ERESERVATION; + } return __vm_munmap(addr, len, true); }

diff --git a/mm/util.c b/mm/util.c index f6fbfa7d014e..d0f937c334f3 100644 --- a/mm/util.c +++ b/mm/util.c @@ -540,19 +540,12 @@ user_uintptr_t vm_mmap_pgoff(struct file *file, user_uintptr_t addr, if (!ret) { if (mmap_write_lock_killable(mm)) return -EINTR; - /* - * TODO [PCuABI] - might need propagating uintcap further down - * to do_mmap to properly handle capabilities - */ ret = do_mmap(file, addr, len, prot, flag, pgoff, &populate, &uf); mmap_write_unlock(mm); userfaultfd_unmap_complete(mm, &uf); if (populate) mm_populate(ret, populate); - /* TODO [PCuABI] - derive proper capability */ - if (!IS_ERR_VALUE(ret)) - ret = (user_uintptr_t)uaddr_to_user_ptr_safe((ptraddr_t)ret); } return ret; }

Use the recently introduced PCuABI reservation interfaces and add the relevant capability/reservation constraint checks on the different mremap syscall parameters.

Modify vma_expandable() to accept input address as capability pointer since get_unmapped_area() now requires it for MMAP_FIXED type mappings.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com --- mm/mremap.c | 93 +++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 76 insertions(+), 17 deletions(-)

diff --git a/mm/mremap.c b/mm/mremap.c index b52592303e8b..2e2955417730 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -25,6 +25,7 @@ #include <linux/uaccess.h> #include <linux/userfaultfd_k.h> #include <linux/mempolicy.h> +#include <linux/cap_addr_mgmt.h>

#include <asm/cacheflush.h> #include <asm/tlb.h> @@ -785,16 +786,19 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr, return vma; }

-static unsigned long mremap_to(unsigned long addr, unsigned long old_len, - unsigned long new_addr, unsigned long new_len, bool *locked, +static user_uintptr_t mremap_to(user_uintptr_t usrptr, unsigned long old_len, + user_uintptr_t new_usrptr, unsigned long new_len, bool *locked, unsigned long flags, struct vm_userfaultfd_ctx *uf, struct list_head *uf_unmap_early, struct list_head *uf_unmap) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma; - unsigned long ret = -EINVAL; + user_uintptr_t ret = -EINVAL; unsigned long map_flags = 0; + ptraddr_t addr = (ptraddr_t)usrptr; + ptraddr_t new_addr = (ptraddr_t)new_usrptr; + unsigned long old_perm = 0;

if (offset_in_page(new_addr)) goto out; @@ -865,22 +869,38 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len, if (!(flags & MREMAP_FIXED)) new_addr = ret;

+#ifdef CONFIG_CHERI_PURECAP_UABI + old_perm = vma->reserv_perm; +#endif ret = move_vma(vma, addr, old_len, new_len, new_addr, locked, flags, uf, uf_unmap);

+ if (!IS_ERR_VALUE(ret)) { + if (test_bit(MMF_PCUABI_RESERVE, &mm->flags)) { + if (!(flags & MREMAP_FIXED)) + ret = build_owning_capability(new_addr, new_len, old_perm); + else + ret = new_usrptr; + } + } out: return ret; }

-static int vma_expandable(struct vm_area_struct *vma, unsigned long delta) +static int vma_expandable(user_uintptr_t usrptr, struct vm_area_struct *vma, unsigned long delta) { unsigned long end = vma->vm_end + delta;

+#ifdef CONFIG_CHERI_PURECAP_UABI + usrptr = cheri_address_set(usrptr, vma->vm_start); +#else + usrptr = vma->vm_start; +#endif if (end < vma->vm_end) /* overflow */ return 0; if (find_vma_intersection(vma->vm_mm, vma->vm_end, end)) return 0; - if (get_unmapped_area(NULL, vma->vm_start, end - vma->vm_start, + if (get_unmapped_area(NULL, usrptr, end - vma->vm_start, 0, MAP_FIXED) & ~PAGE_MASK) return 0; return 1; @@ -893,9 +913,9 @@ static int vma_expandable(struct vm_area_struct *vma, unsigned long delta) * MREMAP_FIXED option added 5-Dec-1999 by Benjamin LaHaise * This option implies MREMAP_MAYMOVE. */ -SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len, +SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, usrptr, unsigned long, old_len, unsigned long, new_len, unsigned long, flags, - user_uintptr_t, new_addr) + user_uintptr_t, new_usrptr) { struct mm_struct *mm = current->mm; struct vm_area_struct *vma; @@ -903,10 +923,15 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len bool locked = false; bool downgraded = false; struct vm_userfaultfd_ctx uf = NULL_VM_UFFD_CTX; + ptraddr_t addr = (ptraddr_t)usrptr; + ptraddr_t new_addr = (ptraddr_t)new_usrptr; + unsigned long old_perm = 0; LIST_HEAD(uf_unmap_early); LIST_HEAD(uf_unmap); +#ifdef CONFIG_CHERI_PURECAP_UABI + VMA_ITERATOR(vmi, current->mm, new_addr); +#endif

- /* @TODO [PCuABI] - capability validation */ /* * There is a deliberate asymmetry here: we strip the pointer tag * from the old address but leave the new address alone. This is @@ -918,6 +943,9 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len * See Documentation/arm64/tagged-address-abi.rst for more information. */ addr = untagged_addr(addr); +#ifdef CONFIG_CHERI_PURECAP_UABI + usrptr = cheri_address_set(usrptr, addr); +#endif

if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE | MREMAP_DONTUNMAP)) return ret; @@ -956,6 +984,34 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len goto out; }

+#ifdef CONFIG_CHERI_PURECAP_UABI + if (!test_bit(MMF_PCUABI_RESERVE, &mm->flags)) + goto skip_pcuabi_checks; + if (!capability_owns_range(usrptr, addr, old_len ? old_len : new_len)) + goto out; + if (!reserv_vma_valid_capability(vma, usrptr)) { + ret = -ERESERVATION; + goto out; + } + if ((flags & MREMAP_FIXED)) { + if (!capability_owns_range(new_usrptr, new_addr, new_len)) + goto out; + if (!reserv_vmi_valid_capability(&vmi, new_usrptr, true)) { + ret = -ERESERVATION; + goto out; + } + if (!reserv_vmi_range_mapped(&vmi, new_addr, new_len, true)) { + ret = -ENOMEM; + goto out; + } + } else { + if (!cheri_is_null_derived(new_usrptr)) + goto out; + } + old_perm = vma->reserv_perm; +skip_pcuabi_checks: +#endif + if (is_vm_hugetlb_page(vma)) { struct hstate *h __maybe_unused = hstate_vma(vma);

@@ -977,7 +1033,7 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len }

if (flags & (MREMAP_FIXED | MREMAP_DONTUNMAP)) { - ret = mremap_to(addr, old_len, new_addr, new_len, + ret = mremap_to(usrptr, old_len, new_usrptr, new_len, &locked, flags, &uf, &uf_unmap_early, &uf_unmap); goto out; @@ -1003,7 +1059,7 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len goto out; }

- ret = addr; + ret = usrptr; goto out; }

@@ -1020,7 +1076,7 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len */ if (old_len == vma->vm_end - addr) { /* can we just expand the current mapping? */ - if (vma_expandable(vma, new_len - old_len)) { + if (vma_expandable(usrptr, vma, new_len - old_len)) { long pages = (new_len - old_len) >> PAGE_SHIFT; unsigned long extension_start = addr + old_len; unsigned long extension_end = addr + new_len; @@ -1059,7 +1115,7 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len locked = true; new_addr = addr; } - ret = addr; + ret = usrptr; goto out; } } @@ -1083,8 +1139,14 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len goto out; }

- ret = move_vma(vma, addr, old_len, new_len, new_addr, + ret = move_vma(vma, usrptr, old_len, new_len, new_addr, &locked, flags, &uf, &uf_unmap); + if (!IS_ERR_VALUE(ret)) { + if (test_bit(MMF_PCUABI_RESERVE, &mm->flags)) + ret = build_owning_capability(new_addr, new_len, old_perm); + else + ret = (user_uintptr_t)new_addr; + } } out: if (offset_in_page(ret)) @@ -1098,8 +1160,5 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, addr, unsigned long, old_len userfaultfd_unmap_complete(mm, &uf_unmap_early); mremap_userfaultfd_complete(&uf, addr, ret, old_len); userfaultfd_unmap_complete(mm, &uf_unmap); - /* TODO [PCuABI] - derive proper capability */ - return IS_ERR_VALUE(ret) ? - ret : - (user_intptr_t)uaddr_to_user_ptr_safe((ptraddr_t)ret); + return ret; }

Use the recently introduced PCuABI reservation interfaces to verify the address range for madvise syscall.

do_madvise() function is used by virtual address monitoring damon and this may not satisfy the reservation range criteria so add a parameter to skip the reservation checks.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com --- include/linux/mm.h | 3 ++- io_uring/advise.c | 2 +- mm/damon/vaddr.c | 2 +- mm/madvise.c | 29 ++++++++++++++++++++++++----- 4 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/include/linux/mm.h b/include/linux/mm.h index 8e6541a8d4f9..4269820bb6a5 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -3166,7 +3166,8 @@ extern int do_vmi_munmap(struct vma_iterator *vmi, struct mm_struct *mm, bool downgrade); extern int do_munmap(struct mm_struct *, unsigned long, size_t, struct list_head *uf); -extern int do_madvise(struct mm_struct *mm, unsigned long start, size_t len_in, int behavior); +extern int do_madvise(struct mm_struct *mm, user_uintptr_t usrptr, size_t len_in, + int behavior, bool reserv_ignore);

#ifdef CONFIG_MMU extern int do_vma_munmap(struct vma_iterator *vmi, struct vm_area_struct *vma, diff --git a/io_uring/advise.c b/io_uring/advise.c index 952d9289a311..2e43142cf4df 100644 --- a/io_uring/advise.c +++ b/io_uring/advise.c @@ -55,7 +55,7 @@ int io_madvise(struct io_kiocb *req, unsigned int issue_flags) WARN_ON_ONCE(issue_flags & IO_URING_F_NONBLOCK);

/* TODO [PCuABI] - capability checks for uaccess */ - ret = do_madvise(current->mm, user_ptr_addr(ma->addr), ma->len, ma->advice); + ret = do_madvise(current->mm, (user_uintptr_t)ma->addr, ma->len, ma->advice, false); io_req_set_res(req, ret, 0); return IOU_OK; #else diff --git a/mm/damon/vaddr.c b/mm/damon/vaddr.c index 1fec16d7263e..fcdd3f4f608f 100644 --- a/mm/damon/vaddr.c +++ b/mm/damon/vaddr.c @@ -623,7 +623,7 @@ static unsigned long damos_madvise(struct damon_target *target, if (!mm) return 0;

- applied = do_madvise(mm, start, len, behavior) ? 0 : len; + applied = do_madvise(mm, start, len, behavior, true) ? 0 : len; mmput(mm);

return applied; diff --git a/mm/madvise.c b/mm/madvise.c index ad59e1e07ec9..ea602a2881ef 100644 --- a/mm/madvise.c +++ b/mm/madvise.c @@ -31,6 +31,7 @@ #include <linux/swapops.h> #include <linux/shmem_fs.h> #include <linux/mmu_notifier.h> +#include <linux/cap_addr_mgmt.h>

#include <asm/tlb.h>

@@ -1382,13 +1383,16 @@ int madvise_set_anon_name(struct mm_struct *mm, unsigned long start, * -EBADF - map exists, but area maps something that isn't a file. * -EAGAIN - a kernel resource was temporarily unavailable. */ -int do_madvise(struct mm_struct *mm, unsigned long start, size_t len_in, int behavior) +int do_madvise(struct mm_struct *mm, user_uintptr_t usrptr, size_t len_in, + int behavior, bool reserv_ignore) { unsigned long end; int error; int write; size_t len; struct blk_plug plug; + unsigned long start = (ptraddr_t)usrptr; + struct vma_iterator vmi;

if (!madvise_behavior_valid(behavior)) return -EINVAL; @@ -1421,14 +1425,29 @@ int do_madvise(struct mm_struct *mm, unsigned long start, size_t len_in, int beh mmap_read_lock(mm); }

- /* TODO [PCuABI] - capability checks for uaccess */ start = untagged_addr_remote(mm, start); end = start + len;

+#ifdef CONFIG_CHERI_PURECAP_UABI + usrptr = cheri_address_set(usrptr, start); +#endif + if (!reserv_ignore) { + vma_iter_init(&vmi, current->mm, start); + if (!capability_owns_range(usrptr, start, len)) { + error = -EINVAL; + goto out; + } + /* Check if the range exists within the reservation with mmap lock. */ + if (!reserv_vmi_valid_capability(&vmi, usrptr, true)) { + error = -ERESERVATION; + goto out; + } + } blk_start_plug(&plug); error = madvise_walk_vmas(mm, start, end, behavior, madvise_vma_behavior); blk_finish_plug(&plug); +out: if (write) mmap_write_unlock(mm); else @@ -1437,9 +1456,9 @@ int do_madvise(struct mm_struct *mm, unsigned long start, size_t len_in, int beh return error; }

-SYSCALL_DEFINE3(madvise, user_uintptr_t, start, size_t, len_in, int, behavior) +SYSCALL_DEFINE3(madvise, user_uintptr_t, usrptr, size_t, len_in, int, behavior) { - return do_madvise(current->mm, start, len_in, behavior); + return do_madvise(current->mm, usrptr, len_in, behavior, false); }

SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec, @@ -1494,7 +1513,7 @@ SYSCALL_DEFINE5(process_madvise, int, pidfd, const struct iovec __user *, vec,

while (iov_iter_count(&iter)) { ret = do_madvise(mm, user_ptr_addr(iter_iov_addr(&iter)), - iter_iov_len(&iter), behavior); + iter_iov_len(&iter), behavior, false); if (ret < 0) break; iov_iter_advance(&iter, iter_iov_len(&iter));

Use the recently introduced PCuABI reservation interfaces to verify the address range for msync syscall.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com --- mm/msync.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/mm/msync.c b/mm/msync.c index ac4c9bfea2e7..1c8700c6c98a 100644 --- a/mm/msync.c +++ b/mm/msync.c @@ -14,6 +14,7 @@ #include <linux/file.h> #include <linux/syscalls.h> #include <linux/sched.h> +#include <linux/cap_addr_mgmt.h>

/* * MS_SYNC syncs the entire file - including mappings. @@ -29,16 +30,20 @@ * So by _not_ starting I/O in MS_ASYNC we provide complete flexibility to * applications. */ -SYSCALL_DEFINE3(msync, unsigned long, start, size_t, len, int, flags) +SYSCALL_DEFINE3(msync, user_uintptr_t, usrptr, size_t, len, int, flags) { unsigned long end; struct mm_struct *mm = current->mm; struct vm_area_struct *vma; int unmapped_error = 0; int error = -EINVAL; + unsigned long start = untagged_addr((ptraddr_t)usrptr);

- start = untagged_addr(start); - +#ifdef CONFIG_CHERI_PURECAP_UABI + usrptr = cheri_address_set(usrptr, start); +#endif + if (!capability_owns_range(usrptr, start, len)) + return -EINVAL; if (flags & ~(MS_ASYNC | MS_INVALIDATE | MS_SYNC)) goto out; if (offset_in_page(start)) @@ -61,6 +66,11 @@ SYSCALL_DEFINE3(msync, unsigned long, start, size_t, len, int, flags) */ mmap_read_lock(mm); vma = find_vma(mm, start); + /* Check if the range exists within the reservation with mmap lock. */ + if (vma && !reserv_vma_valid_capability(vma, usrptr)) { + error = -ERESERVATION; + goto out_unlock; + } for (;;) { struct file *file; loff_t fstart, fend;

Helper functions capability_may_set_prot(), mapping_to_capability_perm() and build_owning_capability() are added/modified to manage capability permissions in address space management syscalls as per PCuABI specifications.

Also a arch specific hook arch_map_to_cap_perm() is added to manage arch specific capability permissions.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com --- arch/arm64/include/asm/cap_addr_mgmt.h | 22 +++++++++++ include/linux/cap_addr_mgmt.h | 20 ++++++++++ mm/cap_addr_mgmt.c | 54 +++++++++++++++++++++++--- 3 files changed, 91 insertions(+), 5 deletions(-) create mode 100644 arch/arm64/include/asm/cap_addr_mgmt.h

diff --git a/arch/arm64/include/asm/cap_addr_mgmt.h b/arch/arm64/include/asm/cap_addr_mgmt.h new file mode 100644 index 000000000000..aadb4768d2fd --- /dev/null +++ b/arch/arm64/include/asm/cap_addr_mgmt.h @@ -0,0 +1,22 @@ +/* SPDX-License-Identifier: GPL-2.0-only */ +#ifndef __ASM_CAP_ADDR_MGMT_H +#define __ASM_CAP_ADDR_MGMT_H + +#include <linux/cheri.h> +#include <linux/mman.h> + +static __always_inline cheri_perms_t arch_map_to_cap_perm(int prot, bool has_tag_access) +{ + cheri_perms_t perms = 0; + + if ((prot & PROT_READ) && has_tag_access) + perms |= ARM_CAP_PERMISSION_MUTABLE_LOAD; + + if ((prot & PROT_EXEC) && + (cheri_perms_get(cheri_pcc_get()) & ARM_CAP_PERMISSION_EXECUTIVE)) + perms |= ARM_CAP_PERMISSION_EXECUTIVE; + + return perms; +} +#define arch_map_to_cap_perm arch_map_to_cap_perm +#endif /* __ASM_CAP_ADDR_MGMT_H */ diff --git a/include/linux/cap_addr_mgmt.h b/include/linux/cap_addr_mgmt.h index 6a42e714ecd5..81125cfe74a8 100644 --- a/include/linux/cap_addr_mgmt.h +++ b/include/linux/cap_addr_mgmt.h @@ -9,6 +9,7 @@ #include <linux/mm_types.h> #include <linux/sched/coredump.h> #include <linux/types.h> +#include <asm/cap_addr_mgmt.h>

#ifdef CONFIG_CHERI_PURECAP_UABI #define CHERI_REPRESENTABLE_ALIGNMENT(len) \ @@ -165,6 +166,17 @@ bool capability_owns_range(user_uintptr_t cap, ptraddr_t addr, size_t len); */ user_uintptr_t build_owning_capability(ptraddr_t addr, size_t len, cheri_perms_t perm);

+/** + * capability_may_set_prot() - Verify if the mapping protection flags confirms + * with the capability permission flags. + * @cap: Capability value. + * @prot: Memory protection flags. + * + * Return: True if the capability permissions includes the protection flags + * or false otherwise. + */ +bool capability_may_set_prot(user_uintptr_t cap, int prot); + /** * mapping_to_capability_perm() - Converts memory mapping protection flags to * capability permission flags. @@ -245,4 +257,12 @@ static inline cheri_perms_t mapping_to_capability_perm(int prot, bool has_tag_ac

#endif /* CONFIG_CHERI_PURECAP_UABI */

+#ifndef arch_map_to_cap_perm +static __always_inline cheri_perms_t arch_map_to_cap_perm(int prot, + bool has_tag_access) +{ + return 0; +} +#endif /* arch_map_to_cap_perm */ + #endif /* _LINUX_CAP_ADDR_MGMT_H */ diff --git a/mm/cap_addr_mgmt.c b/mm/cap_addr_mgmt.c index 0112b2136755..5ff4fdf26d28 100644 --- a/mm/cap_addr_mgmt.c +++ b/mm/cap_addr_mgmt.c @@ -199,12 +199,56 @@ user_uintptr_t build_owning_capability(ptraddr_t addr, size_t len, cheri_perms_t return cheri_address_set(ret, addr); }

-cheri_perms_t mapping_to_capability_perm(int prot __maybe_unused, - bool has_tag_access __maybe_unused) +static bool mapping_may_have_prot_flag(int prot, int map_val) { - /* TODO [PCuABI] - capability permission conversion from memory permission */ - return (CHERI_PERMS_READ | CHERI_PERMS_WRITE | - CHERI_PERMS_EXEC | CHERI_PERMS_ROOTCAP); + int prot_max = PROT_MAX_EXTRACT(prot); + + if (prot_max) + return !!(prot_max & map_val); + else + return !!(prot & map_val); +} + +bool capability_may_set_prot(user_uintptr_t cap, int prot) +{ + cheri_perms_t perms = cheri_perms_get(cap); + + if (!test_bit(MMF_PCUABI_RESERVE, &current->mm->flags)) + return true; + + if (((prot & PROT_READ) && !(perms & CHERI_PERM_LOAD)) || + ((prot & PROT_WRITE) && !(perms & CHERI_PERM_STORE)) || + ((prot & PROT_EXEC) && !(perms & CHERI_PERM_EXECUTE))) + return false; + + return true; +} + +cheri_perms_t mapping_to_capability_perm(int prot, bool has_tag_access) +{ + cheri_perms_t perms = 0; + + if (mapping_may_have_prot_flag(prot, PROT_READ)) { + perms |= CHERI_PERM_LOAD; + if (has_tag_access) + perms |= CHERI_PERM_LOAD_CAP; + } + if (mapping_may_have_prot_flag(prot, PROT_WRITE)) { + perms |= CHERI_PERM_STORE; + if (has_tag_access) + perms |= (CHERI_PERM_STORE_CAP | CHERI_PERM_STORE_LOCAL_CAP); + } + if (mapping_may_have_prot_flag(prot, PROT_EXEC)) { + perms |= CHERI_PERM_EXECUTE; + if (cheri_perms_get(cheri_pcc_get()) & CHERI_PERM_SYSTEM_REGS) + perms |= CHERI_PERM_SYSTEM_REGS; + } + /* Fetch any extra architecture specific permissions */ + perms |= arch_map_to_cap_perm(PROT_MAX_EXTRACT(prot) ? PROT_MAX_EXTRACT(prot) : prot, + has_tag_access); + perms |= CHERI_PERMS_ROOTCAP; + + return perms; }

#endif /* CONFIG_CHERI_PURECAP_UABI */

The existing userspace may not use the maximum protection bits in the protection flags introduced by PCuABI and hence such applications may have inconsistency in the memory protection flag updated via mprotect() syscall with the capability permission bits.

Reduce the impact of such failures by setting the capability to maximum permission if no maximum protection bits are detected.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com --- mm/cap_addr_mgmt.c | 7 +++++++ 1 file changed, 7 insertions(+)

diff --git a/mm/cap_addr_mgmt.c b/mm/cap_addr_mgmt.c index 5ff4fdf26d28..68139abd004a 100644 --- a/mm/cap_addr_mgmt.c +++ b/mm/cap_addr_mgmt.c @@ -228,6 +228,12 @@ cheri_perms_t mapping_to_capability_perm(int prot, bool has_tag_access) { cheri_perms_t perms = 0;

+ if (!PROT_MAX_EXTRACT(prot)) { + perms = CHERI_PERMS_READ | CHERI_PERMS_WRITE | + CHERI_PERMS_EXEC | CHERI_PERMS_ROOTCAP; + goto skip_calc_perm; + } + if (mapping_may_have_prot_flag(prot, PROT_READ)) { perms |= CHERI_PERM_LOAD; if (has_tag_access) @@ -247,6 +253,7 @@ cheri_perms_t mapping_to_capability_perm(int prot, bool has_tag_access) perms |= arch_map_to_cap_perm(PROT_MAX_EXTRACT(prot) ? PROT_MAX_EXTRACT(prot) : prot, has_tag_access); perms |= CHERI_PERMS_ROOTCAP; +skip_calc_perm:

return perms; }

MAP_GROWSDOWN flag is not supported by PCuABI specification. Hence reject such requests with -EOPNOTSUPP error.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com --- mm/mmap.c | 9 +++++++++ 1 file changed, 9 insertions(+)

diff --git a/mm/mmap.c b/mm/mmap.c index 95d16e306559..6b66e94f0dfb 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1473,6 +1473,15 @@ user_uintptr_t ksys_mmap_pgoff(user_uintptr_t usrptr, unsigned long len, #ifdef CONFIG_CHERI_PURECAP_UABI if (!test_bit(MMF_PCUABI_RESERVE, &current->mm->flags)) goto skip_pcuabi_checks; + /* + * Introduce checks for PCuABI: + * - MAP_GROWSDOWN flag do not have fixed bounds and hence not + * supported in PCuABI reservation model. + */ + if (flags & MAP_GROWSDOWN) { + retval = -EOPNOTSUPP; + goto out_fput; + } if (cheri_tag_get(usrptr)) { if (!(flags & MAP_FIXED) || !capability_owns_range(usrptr, addr, len)) goto out_fput;

Check that the permission of new user address does not exceed the permission of old user address for mremap syscall.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com --- mm/mremap.c | 3 +++ 1 file changed, 3 insertions(+)

diff --git a/mm/mremap.c b/mm/mremap.c index 2e2955417730..d36ed780bca8 100644 --- a/mm/mremap.c +++ b/mm/mremap.c @@ -996,6 +996,9 @@ SYSCALL_DEFINE5(__retptr__(mremap), user_uintptr_t, usrptr, unsigned long, old_l if ((flags & MREMAP_FIXED)) { if (!capability_owns_range(new_usrptr, new_addr, new_len)) goto out; + if ((cheri_perms_get(usrptr) | cheri_perms_get(new_usrptr)) + != cheri_perms_get(usrptr)) + goto out; if (!reserv_vmi_valid_capability(&vmi, new_usrptr, true)) { ret = -ERESERVATION; goto out;

Different capability permission and bound constraints are added as per PCuABI specification for mincore() syscall. mincore() does not need VMem permission and any of RWX memory permission so standard capability_owns_range() interface is not used and permissions are verified explicitly.

Also as mincore() allows the address range to not span whole pages so checking only a single byte at the page intersection is sufficient.

Signed-off-by: Amit Daniel Kachhap amitdaniel.kachhap@arm.com --- mm/mincore.c | 46 +++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 41 insertions(+), 5 deletions(-)

diff --git a/mm/mincore.c b/mm/mincore.c index 3a307bfa91c4..7bc6e0a7a7f3 100644 --- a/mm/mincore.c +++ b/mm/mincore.c @@ -19,6 +19,7 @@ #include <linux/hugetlb.h> #include <linux/pgtable.h>

+#include <linux/cap_addr_mgmt.h> #include <linux/uaccess.h> #include "swap.h"

@@ -184,15 +185,19 @@ static const struct mm_walk_ops mincore_walk_ops = { * all the arguments, we hold the mmap semaphore: we should * just return the amount of info we're asked for. */ -static long do_mincore(unsigned long addr, unsigned long pages, unsigned char *vec) +static long do_mincore(user_uintptr_t usrptr, unsigned long pages, unsigned char *vec) { struct vm_area_struct *vma; unsigned long end; + unsigned long addr = (ptraddr_t)usrptr; int err;

vma = vma_lookup(current->mm, addr); if (!vma) return -ENOMEM; + /* Check if the capability range is valid with mmap lock. */ + if (!reserv_vma_valid_capability(vma, usrptr)) + return -ERESERVATION; end = min(vma->vm_end, addr + (pages << PAGE_SHIFT)); if (!can_do_mincore(vma)) { unsigned long pages = DIV_ROUND_UP(end - addr, PAGE_SIZE); @@ -229,14 +234,16 @@ static long do_mincore(unsigned long addr, unsigned long pages, unsigned char *v * mapped * -EAGAIN - A kernel resource was temporarily unavailable. */ -SYSCALL_DEFINE3(mincore, unsigned long, start, size_t, len, +SYSCALL_DEFINE3(mincore, user_uintptr_t, usrptr, size_t, len, unsigned char __user *, vec) { long retval; unsigned long pages; unsigned char *tmp; - - start = untagged_addr(start); + unsigned long start = untagged_addr((ptraddr_t)usrptr); +#ifdef CONFIG_CHERI_PURECAP_UABI + unsigned long cap_start, cap_len; +#endif

/* Check the start address: needs to be page-aligned.. */ if (start & ~PAGE_MASK) @@ -253,6 +260,35 @@ SYSCALL_DEFINE3(mincore, unsigned long, start, size_t, len, if (!access_ok(vec, pages)) return -EFAULT;

+#ifdef CONFIG_CHERI_PURECAP_UABI + if (!test_bit(MMF_PCUABI_RESERVE, &current->mm->flags)) + goto skip_pcuabi_checks; + /* + * mincore syscall does not need VMem permission so as to allow ordinary pages. + * Also at least one of the standard memory permissions RWX will help to reject + * non memory capabilities. + */ + usrptr = cheri_address_set(usrptr, start); + if (cheri_is_invalid(usrptr) || cheri_is_sealed(usrptr) || + !(CHERI_PERM_GLOBAL & cheri_perms_get(usrptr)) || + !((CHERI_PERM_LOAD | CHERI_PERM_STORE | CHERI_PERM_EXECUTE) + & cheri_perms_get(usrptr))) + return -EINVAL; + /* + * mincore syscall can be invoked as: + * mincore(align_down(p, PAGE_SIZE), sz + (p.addr % PAGE_SIZE), vec) + * Hence, the capability might not consider the increased range due to + * alignment. In this scenario, check only the single byte at the page + * intersection. + */ + cap_start = cheri_base_get(usrptr); + cap_len = cheri_length_get(usrptr); + if ((start + PAGE_SIZE <= cap_start) || + (cap_start + cap_len < start + len - offset_in_page(len))) + return -EINVAL; +skip_pcuabi_checks: +#endif + tmp = (void *) __get_free_page(GFP_USER); if (!tmp) return -EAGAIN; @@ -264,7 +300,7 @@ SYSCALL_DEFINE3(mincore, unsigned long, start, size_t, len, * the temporary buffer size. */ mmap_read_lock(current->mm); - retval = do_mincore(start, min(pages, PAGE_SIZE), tmp); + retval = do_mincore(usrptr, min(pages, PAGE_SIZE), tmp); mmap_read_unlock(current->mm);

if (retval <= 0)