* [PATCH RFT v12 8/8] selftests/clone3: Test shadow stack support
From: Mark Brown @ 2024-10-31 19:25 UTC (permalink / raw)
To: Rick P. Edgecombe, Deepak Gupta, Szabolcs Nagy, H.J. Lu,
Florian Weimer, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
Dave Hansen, x86, H. Peter Anvin, Peter Zijlstra, Juri Lelli,
Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall,
Mel Gorman, Valentin Schneider, Christian Brauner, Shuah Khan
Cc: linux-kernel, Catalin Marinas, Will Deacon, jannh, bsegall,
Yury Khrustalev, Wilco Dijkstra, linux-kselftest, linux-api,
Mark Brown, Kees Cook, Shuah Khan
In-Reply-To: <20241031-clone3-shadow-stack-v12-0-7183eb8bee17@kernel.org>
Add basic test coverage for specifying the shadow stack for a newly
created thread via clone3(), including coverage of the newly extended
argument structure. We check that a user specified shadow stack can be
provided, and that invalid combinations of parameters are rejected.
In order to facilitate testing on systems without userspace shadow stack
support we manually enable shadow stacks on startup, this is architecture
specific due to the use of an arch_prctl() on x86. Due to interactions with
potential userspace locking of features we actually detect support for
shadow stacks on the running system by attempting to allocate a shadow
stack page during initialisation using map_shadow_stack(), warning if this
succeeds when the enable failed.
In order to allow testing of user configured shadow stacks on
architectures with that feature we need to ensure that we do not return
from the function where the clone3() syscall is called in the child
process, doing so would trigger a shadow stack underflow. To do this we
use inline assembly rather than the standard syscall wrapper to call
clone3(). In order to avoid surprises we also use a syscall rather than
the libc exit() function., this should be overly cautious.
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
---
tools/testing/selftests/clone3/clone3.c | 143 +++++++++++++++++++++-
tools/testing/selftests/clone3/clone3_selftests.h | 63 ++++++++++
2 files changed, 205 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/clone3/clone3.c b/tools/testing/selftests/clone3/clone3.c
index 5b8b7d640e70132242fc6939450669acd0c534f9..b0378d7418cc8b00caebc6f92f58280bc04b0f80 100644
--- a/tools/testing/selftests/clone3/clone3.c
+++ b/tools/testing/selftests/clone3/clone3.c
@@ -3,6 +3,7 @@
/* Based on Christian Brauner's clone3() example */
#define _GNU_SOURCE
+#include <asm/mman.h>
#include <errno.h>
#include <inttypes.h>
#include <linux/types.h>
@@ -11,6 +12,7 @@
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
+#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/un.h>
@@ -19,8 +21,12 @@
#include <sched.h>
#include "../kselftest.h"
+#include "../ksft_shstk.h"
#include "clone3_selftests.h"
+static bool shadow_stack_supported;
+static size_t max_supported_args_size;
+
enum test_mode {
CLONE3_ARGS_NO_TEST,
CLONE3_ARGS_ALL_0,
@@ -28,6 +34,10 @@ enum test_mode {
CLONE3_ARGS_INVAL_EXIT_SIGNAL_NEG,
CLONE3_ARGS_INVAL_EXIT_SIGNAL_CSIG,
CLONE3_ARGS_INVAL_EXIT_SIGNAL_NSIG,
+ CLONE3_ARGS_SHADOW_STACK,
+ CLONE3_ARGS_SHADOW_STACK_MISALIGNED,
+ CLONE3_ARGS_SHADOW_STACK_NO_TOKEN,
+ CLONE3_ARGS_SHADOW_STACK_NORMAL_MEMORY,
};
typedef bool (*filter_function)(void);
@@ -44,6 +54,44 @@ struct test {
filter_function filter;
};
+
+/*
+ * We check for shadow stack support by attempting to use
+ * map_shadow_stack() since features may have been locked by the
+ * dynamic linker resulting in spurious errors when we attempt to
+ * enable on startup. We warn if the enable failed.
+ */
+static void test_shadow_stack_supported(void)
+{
+ long ret;
+
+ ret = syscall(__NR_map_shadow_stack, 0, getpagesize(), 0);
+ if (ret == -1) {
+ ksft_print_msg("map_shadow_stack() not supported\n");
+ } else if ((void *)ret == MAP_FAILED) {
+ ksft_print_msg("Failed to map shadow stack\n");
+ } else {
+ ksft_print_msg("Shadow stack supportd\n");
+ shadow_stack_supported = true;
+
+ if (!shadow_stack_enabled)
+ ksft_print_msg("Mapped but did not enable shadow stack\n");
+ }
+}
+
+static void *get_shadow_stack_page(unsigned long flags)
+{
+ unsigned long long page;
+
+ page = syscall(__NR_map_shadow_stack, 0, getpagesize(), flags);
+ if ((void *)page == MAP_FAILED) {
+ ksft_print_msg("map_shadow_stack() failed: %d\n", errno);
+ return 0;
+ }
+
+ return (void *)page;
+}
+
static int call_clone3(uint64_t flags, size_t size, enum test_mode test_mode)
{
struct __clone_args args = {
@@ -57,6 +105,7 @@ static int call_clone3(uint64_t flags, size_t size, enum test_mode test_mode)
} args_ext;
pid_t pid = -1;
+ void *p;
int status;
memset(&args_ext, 0, sizeof(args_ext));
@@ -89,6 +138,26 @@ static int call_clone3(uint64_t flags, size_t size, enum test_mode test_mode)
case CLONE3_ARGS_INVAL_EXIT_SIGNAL_NSIG:
args.exit_signal = 0x00000000000000f0ULL;
break;
+ case CLONE3_ARGS_SHADOW_STACK:
+ p = get_shadow_stack_page(SHADOW_STACK_SET_TOKEN);
+ p += getpagesize() - sizeof(void *);
+ args.shadow_stack_pointer = (unsigned long long)p;
+ break;
+ case CLONE3_ARGS_SHADOW_STACK_MISALIGNED:
+ p = get_shadow_stack_page(SHADOW_STACK_SET_TOKEN);
+ p += getpagesize() - sizeof(void *) - 1;
+ args.shadow_stack_pointer = (unsigned long long)p;
+ break;
+ case CLONE3_ARGS_SHADOW_STACK_NORMAL_MEMORY:
+ p = malloc(getpagesize());
+ p += getpagesize() - sizeof(void *);
+ args.shadow_stack_pointer = (unsigned long long)p;
+ break;
+ case CLONE3_ARGS_SHADOW_STACK_NO_TOKEN:
+ p = get_shadow_stack_page(0);
+ p += getpagesize() - sizeof(void *);
+ args.shadow_stack_pointer = (unsigned long long)p;
+ break;
}
memcpy(&args_ext.args, &args, sizeof(struct __clone_args));
@@ -102,7 +171,12 @@ static int call_clone3(uint64_t flags, size_t size, enum test_mode test_mode)
if (pid == 0) {
ksft_print_msg("I am the child, my PID is %d\n", getpid());
- _exit(EXIT_SUCCESS);
+ /*
+ * Use a raw syscall to ensure we don't get issues
+ * with manually specified shadow stack and exit handlers.
+ */
+ syscall(__NR_exit, EXIT_SUCCESS);
+ ksft_print_msg("CHILD FAILED TO EXIT PID is %d\n", getpid());
}
ksft_print_msg("I am the parent (%d). My child's pid is %d\n",
@@ -184,6 +258,26 @@ static bool no_timenamespace(void)
return true;
}
+static bool have_shadow_stack(void)
+{
+ if (shadow_stack_supported) {
+ ksft_print_msg("Shadow stack supported\n");
+ return true;
+ }
+
+ return false;
+}
+
+static bool no_shadow_stack(void)
+{
+ if (!shadow_stack_supported) {
+ ksft_print_msg("Shadow stack not supported\n");
+ return true;
+ }
+
+ return false;
+}
+
static size_t page_size_plus_8(void)
{
return getpagesize() + 8;
@@ -327,6 +421,50 @@ static const struct test tests[] = {
.expected = -EINVAL,
.test_mode = CLONE3_ARGS_NO_TEST,
},
+ {
+ .name = "Shadow stack on system with shadow stack",
+ .size = 0,
+ .expected = 0,
+ .e2big_valid = true,
+ .test_mode = CLONE3_ARGS_SHADOW_STACK,
+ .filter = no_shadow_stack,
+ },
+ {
+ .name = "Shadow stack with misaligned address",
+ .flags = CLONE_VM,
+ .size = 0,
+ .expected = -EINVAL,
+ .e2big_valid = true,
+ .test_mode = CLONE3_ARGS_SHADOW_STACK_MISALIGNED,
+ .filter = no_shadow_stack,
+ },
+ {
+ .name = "Shadow stack with normal memory",
+ .flags = CLONE_VM,
+ .size = 0,
+ .expected = -EFAULT,
+ .e2big_valid = true,
+ .test_mode = CLONE3_ARGS_SHADOW_STACK_NORMAL_MEMORY,
+ .filter = no_shadow_stack,
+ },
+ {
+ .name = "Shadow stack with no token",
+ .flags = CLONE_VM,
+ .size = 0,
+ .expected = -EINVAL,
+ .e2big_valid = true,
+ .test_mode = CLONE3_ARGS_SHADOW_STACK_NO_TOKEN,
+ .filter = no_shadow_stack,
+ },
+ {
+ .name = "Shadow stack on system without shadow stack",
+ .flags = CLONE_VM,
+ .size = 0,
+ .expected = -EINVAL,
+ .e2big_valid = true,
+ .test_mode = CLONE3_ARGS_SHADOW_STACK,
+ .filter = have_shadow_stack,
+ },
};
int main(int argc, char *argv[])
@@ -334,9 +472,12 @@ int main(int argc, char *argv[])
size_t size;
int i;
+ enable_shadow_stack();
+
ksft_print_header();
ksft_set_plan(ARRAY_SIZE(tests));
test_clone3_supported();
+ test_shadow_stack_supported();
for (i = 0; i < ARRAY_SIZE(tests); i++)
test_clone3(&tests[i]);
diff --git a/tools/testing/selftests/clone3/clone3_selftests.h b/tools/testing/selftests/clone3/clone3_selftests.h
index 39b5dcba663c30b9fc2542d9a0d2686105ce5761..26ff1554408a59af26bd708dc9c852210e370828 100644
--- a/tools/testing/selftests/clone3/clone3_selftests.h
+++ b/tools/testing/selftests/clone3/clone3_selftests.h
@@ -31,12 +31,75 @@ struct __clone_args {
__aligned_u64 set_tid;
__aligned_u64 set_tid_size;
__aligned_u64 cgroup;
+#ifndef CLONE_ARGS_SIZE_VER2
+#define CLONE_ARGS_SIZE_VER2 88 /* sizeof third published struct */
+#endif
+ __aligned_u64 shadow_stack_pointer;
+#ifndef CLONE_ARGS_SIZE_VER3
+#define CLONE_ARGS_SIZE_VER3 96 /* sizeof fourth published struct */
+#endif
};
+/*
+ * For architectures with shadow stack support we need to be
+ * absolutely sure that the clone3() syscall will be inline and not a
+ * function call so we open code.
+ */
+#ifdef __x86_64__
+static pid_t __always_inline sys_clone3(struct __clone_args *args, size_t size)
+{
+ long ret;
+ register long _num __asm__ ("rax") = __NR_clone3;
+ register long _args __asm__ ("rdi") = (long)(args);
+ register long _size __asm__ ("rsi") = (long)(size);
+
+ __asm__ volatile (
+ "syscall\n"
+ : "=a"(ret)
+ : "r"(_args), "r"(_size),
+ "0"(_num)
+ : "rcx", "r11", "memory", "cc"
+ );
+
+ if (ret < 0) {
+ errno = -ret;
+ return -1;
+ }
+
+ return ret;
+}
+#elif defined(__aarch64__)
+static pid_t __always_inline sys_clone3(struct __clone_args *args, size_t size)
+{
+ register long _num __asm__ ("x8") = __NR_clone3;
+ register long _args __asm__ ("x0") = (long)(args);
+ register long _size __asm__ ("x1") = (long)(size);
+ register long arg2 __asm__ ("x2") = 0;
+ register long arg3 __asm__ ("x3") = 0;
+ register long arg4 __asm__ ("x4") = 0;
+
+ __asm__ volatile (
+ "svc #0\n"
+ : "=r"(_args)
+ : "r"(_args), "r"(_size),
+ "r"(_num), "r"(arg2),
+ "r"(arg3), "r"(arg4)
+ : "memory", "cc"
+ );
+
+ if ((int)_args < 0) {
+ errno = -((int)_args);
+ return -1;
+ }
+
+ return _args;
+}
+#else
static pid_t sys_clone3(struct __clone_args *args, size_t size)
{
return syscall(__NR_clone3, args, size);
}
+#endif
static inline void test_clone3_supported(void)
{
--
2.39.2
^ permalink raw reply related
* [PATCH RFT v12 7/8] selftests/clone3: Allow tests to flag if -E2BIG is a valid error code
From: Mark Brown @ 2024-10-31 19:25 UTC (permalink / raw)
To: Rick P. Edgecombe, Deepak Gupta, Szabolcs Nagy, H.J. Lu,
Florian Weimer, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
Dave Hansen, x86, H. Peter Anvin, Peter Zijlstra, Juri Lelli,
Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall,
Mel Gorman, Valentin Schneider, Christian Brauner, Shuah Khan
Cc: linux-kernel, Catalin Marinas, Will Deacon, jannh, bsegall,
Yury Khrustalev, Wilco Dijkstra, linux-kselftest, linux-api,
Mark Brown, Kees Cook, Kees Cook, Shuah Khan
In-Reply-To: <20241031-clone3-shadow-stack-v12-0-7183eb8bee17@kernel.org>
The clone_args structure is extensible, with the syscall passing in the
length of the structure. Inside the kernel we use copy_struct_from_user()
to read the struct but this has the unfortunate side effect of silently
accepting some overrun in the structure size providing the extra data is
all zeros. This means that we can't discover the clone3() features that
the running kernel supports by simply probing with various struct sizes.
We need to check this for the benefit of test systems which run newer
kselftests on old kernels.
Add a flag which can be set on a test to indicate that clone3() may return
-E2BIG due to the use of newer struct versions. Currently no tests need
this but it will become an issue for testing clone3() support for shadow
stacks, the support for shadow stacks is already present on x86.
Reviewed-by: Kees Cook <kees@kernel.org>
Tested-by: Kees Cook <kees@kernel.org>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
---
tools/testing/selftests/clone3/clone3.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/tools/testing/selftests/clone3/clone3.c b/tools/testing/selftests/clone3/clone3.c
index e066b201fa64eb17c55939b7cec18ac5d109613b..5b8b7d640e70132242fc6939450669acd0c534f9 100644
--- a/tools/testing/selftests/clone3/clone3.c
+++ b/tools/testing/selftests/clone3/clone3.c
@@ -39,6 +39,7 @@ struct test {
size_t size;
size_function size_function;
int expected;
+ bool e2big_valid;
enum test_mode test_mode;
filter_function filter;
};
@@ -146,6 +147,11 @@ static void test_clone3(const struct test *test)
ksft_print_msg("[%d] clone3() with flags says: %d expected %d\n",
getpid(), ret, test->expected);
if (ret != test->expected) {
+ if (test->e2big_valid && ret == -E2BIG) {
+ ksft_print_msg("Test reported -E2BIG\n");
+ ksft_test_result_skip("%s\n", test->name);
+ return;
+ }
ksft_print_msg(
"[%d] Result (%d) is different than expected (%d)\n",
getpid(), ret, test->expected);
--
2.39.2
^ permalink raw reply related
* [PATCH RFT v12 6/8] selftests/clone3: Factor more of main loop into test_clone3()
From: Mark Brown @ 2024-10-31 19:25 UTC (permalink / raw)
To: Rick P. Edgecombe, Deepak Gupta, Szabolcs Nagy, H.J. Lu,
Florian Weimer, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
Dave Hansen, x86, H. Peter Anvin, Peter Zijlstra, Juri Lelli,
Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall,
Mel Gorman, Valentin Schneider, Christian Brauner, Shuah Khan
Cc: linux-kernel, Catalin Marinas, Will Deacon, jannh, bsegall,
Yury Khrustalev, Wilco Dijkstra, linux-kselftest, linux-api,
Mark Brown, Kees Cook, Kees Cook, Shuah Khan
In-Reply-To: <20241031-clone3-shadow-stack-v12-0-7183eb8bee17@kernel.org>
In order to make it easier to add more configuration for the tests and
more support for runtime detection of when tests can be run pass the
structure describing the tests into test_clone3() rather than picking
the arguments out of it and have that function do all the per-test work.
No functional change.
Reviewed-by: Kees Cook <kees@kernel.org>
Tested-by: Kees Cook <kees@kernel.org>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
---
tools/testing/selftests/clone3/clone3.c | 77 ++++++++++++++++-----------------
1 file changed, 37 insertions(+), 40 deletions(-)
diff --git a/tools/testing/selftests/clone3/clone3.c b/tools/testing/selftests/clone3/clone3.c
index e61f07973ce5e27aff30047b35e03b1b51875c15..e066b201fa64eb17c55939b7cec18ac5d109613b 100644
--- a/tools/testing/selftests/clone3/clone3.c
+++ b/tools/testing/selftests/clone3/clone3.c
@@ -30,6 +30,19 @@ enum test_mode {
CLONE3_ARGS_INVAL_EXIT_SIGNAL_NSIG,
};
+typedef bool (*filter_function)(void);
+typedef size_t (*size_function)(void);
+
+struct test {
+ const char *name;
+ uint64_t flags;
+ size_t size;
+ size_function size_function;
+ int expected;
+ enum test_mode test_mode;
+ filter_function filter;
+};
+
static int call_clone3(uint64_t flags, size_t size, enum test_mode test_mode)
{
struct __clone_args args = {
@@ -109,30 +122,40 @@ static int call_clone3(uint64_t flags, size_t size, enum test_mode test_mode)
return 0;
}
-static bool test_clone3(uint64_t flags, size_t size, int expected,
- enum test_mode test_mode)
+static void test_clone3(const struct test *test)
{
+ size_t size;
int ret;
+ if (test->filter && test->filter()) {
+ ksft_test_result_skip("%s\n", test->name);
+ return;
+ }
+
+ if (test->size_function)
+ size = test->size_function();
+ else
+ size = test->size;
+
+ ksft_print_msg("Running test '%s'\n", test->name);
+
ksft_print_msg(
"[%d] Trying clone3() with flags %#" PRIx64 " (size %zu)\n",
- getpid(), flags, size);
- ret = call_clone3(flags, size, test_mode);
+ getpid(), test->flags, size);
+ ret = call_clone3(test->flags, size, test->test_mode);
ksft_print_msg("[%d] clone3() with flags says: %d expected %d\n",
- getpid(), ret, expected);
- if (ret != expected) {
+ getpid(), ret, test->expected);
+ if (ret != test->expected) {
ksft_print_msg(
"[%d] Result (%d) is different than expected (%d)\n",
- getpid(), ret, expected);
- return false;
+ getpid(), ret, test->expected);
+ ksft_test_result_fail("%s\n", test->name);
+ return;
}
- return true;
+ ksft_test_result_pass("%s\n", test->name);
}
-typedef bool (*filter_function)(void);
-typedef size_t (*size_function)(void);
-
static bool not_root(void)
{
if (getuid() != 0) {
@@ -160,16 +183,6 @@ static size_t page_size_plus_8(void)
return getpagesize() + 8;
}
-struct test {
- const char *name;
- uint64_t flags;
- size_t size;
- size_function size_function;
- int expected;
- enum test_mode test_mode;
- filter_function filter;
-};
-
static const struct test tests[] = {
{
.name = "simple clone3()",
@@ -319,24 +332,8 @@ int main(int argc, char *argv[])
ksft_set_plan(ARRAY_SIZE(tests));
test_clone3_supported();
- for (i = 0; i < ARRAY_SIZE(tests); i++) {
- if (tests[i].filter && tests[i].filter()) {
- ksft_test_result_skip("%s\n", tests[i].name);
- continue;
- }
-
- if (tests[i].size_function)
- size = tests[i].size_function();
- else
- size = tests[i].size;
-
- ksft_print_msg("Running test '%s'\n", tests[i].name);
-
- ksft_test_result(test_clone3(tests[i].flags, size,
- tests[i].expected,
- tests[i].test_mode),
- "%s\n", tests[i].name);
- }
+ for (i = 0; i < ARRAY_SIZE(tests); i++)
+ test_clone3(&tests[i]);
ksft_finished();
}
--
2.39.2
^ permalink raw reply related
* [PATCH RFT v12 5/8] selftests/clone3: Remove redundant flushes of output streams
From: Mark Brown @ 2024-10-31 19:25 UTC (permalink / raw)
To: Rick P. Edgecombe, Deepak Gupta, Szabolcs Nagy, H.J. Lu,
Florian Weimer, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
Dave Hansen, x86, H. Peter Anvin, Peter Zijlstra, Juri Lelli,
Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall,
Mel Gorman, Valentin Schneider, Christian Brauner, Shuah Khan
Cc: linux-kernel, Catalin Marinas, Will Deacon, jannh, bsegall,
Yury Khrustalev, Wilco Dijkstra, linux-kselftest, linux-api,
Mark Brown, Kees Cook, Kees Cook, Shuah Khan
In-Reply-To: <20241031-clone3-shadow-stack-v12-0-7183eb8bee17@kernel.org>
Since there were widespread issues with output not being flushed the
kselftest framework was modified to explicitly set the output streams
unbuffered in commit 58e2847ad2e6 ("selftests: line buffer test
program's stdout") so there is no need to explicitly flush in the clone3
tests.
Reviewed-by: Kees Cook <kees@kernel.org>
Tested-by: Kees Cook <kees@kernel.org>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
---
tools/testing/selftests/clone3/clone3_selftests.h | 2 --
1 file changed, 2 deletions(-)
diff --git a/tools/testing/selftests/clone3/clone3_selftests.h b/tools/testing/selftests/clone3/clone3_selftests.h
index 3d2663fe50ba56f011629e4f2eb68a72bcceb087..39b5dcba663c30b9fc2542d9a0d2686105ce5761 100644
--- a/tools/testing/selftests/clone3/clone3_selftests.h
+++ b/tools/testing/selftests/clone3/clone3_selftests.h
@@ -35,8 +35,6 @@ struct __clone_args {
static pid_t sys_clone3(struct __clone_args *args, size_t size)
{
- fflush(stdout);
- fflush(stderr);
return syscall(__NR_clone3, args, size);
}
--
2.39.2
^ permalink raw reply related
* [PATCH RFT v12 4/8] fork: Add shadow stack support to clone3()
From: Mark Brown @ 2024-10-31 19:25 UTC (permalink / raw)
To: Rick P. Edgecombe, Deepak Gupta, Szabolcs Nagy, H.J. Lu,
Florian Weimer, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
Dave Hansen, x86, H. Peter Anvin, Peter Zijlstra, Juri Lelli,
Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall,
Mel Gorman, Valentin Schneider, Christian Brauner, Shuah Khan
Cc: linux-kernel, Catalin Marinas, Will Deacon, jannh, bsegall,
Yury Khrustalev, Wilco Dijkstra, linux-kselftest, linux-api,
Mark Brown, Kees Cook
In-Reply-To: <20241031-clone3-shadow-stack-v12-0-7183eb8bee17@kernel.org>
Unlike with the normal stack there is no API for configuring the the shadow
stack for a new thread, instead the kernel will dynamically allocate a new
shadow stack with the same size as the normal stack. This appears to be due
to the shadow stack series having been in development since before the more
extensible clone3() was added rather than anything more deliberate.
Add a paramter to clone3() specifying the shadow stack pointer to use
for the new thread, this is inconsistent with the way we specify the
normal stack but during review concerns were expressed about having to
identify where the shadow stack pointer should be placed especially in
cases where the shadow stack has been previously active. If no shadow
stack is specified then the existing implicit allocation behaviour is
maintained.
If a shadow stack pointer is specified then it is required to have an
architecture defined token placed on the stack, this will be consumed by
the new task. If no valid token is present then this will be reported
with -EINVAL. This token prevents new threads being created pointing at
the shadow stack of an existing running thread.
If the architecture does not support shadow stacks the shadow stack
pointer must be not be specified, architectures that do support the
feature are expected to enforce the same requirement on individual
systems that lack shadow stack support.
Update the existing arm64 and x86 implementations to pay attention to
the newly added arguments, in order to maintain compatibility we use the
existing behaviour if no shadow stack is specified. Since we are now
using more fields from the kernel_clone_args we pass that into the
shadow stack code rather than individual fields.
Portions of the x86 architecture code were written by Rick Edgecombe.
Signed-off-by: Mark Brown <broonie@kernel.org>
---
arch/arm64/mm/gcs.c | 54 +++++++++++++++++++++-
arch/x86/include/asm/shstk.h | 11 +++--
arch/x86/kernel/process.c | 2 +-
arch/x86/kernel/shstk.c | 57 +++++++++++++++++++++---
include/asm-generic/cacheflush.h | 11 +++++
include/linux/sched/task.h | 17 +++++++
include/uapi/linux/sched.h | 10 +++--
kernel/fork.c | 96 +++++++++++++++++++++++++++++++++++-----
8 files changed, 232 insertions(+), 26 deletions(-)
diff --git a/arch/arm64/mm/gcs.c b/arch/arm64/mm/gcs.c
index 1f633a482558b59aac5427963d42b37fce08c8a6..c4e93b7ce05c5dfa1128923ad587f9b5a7fb0051 100644
--- a/arch/arm64/mm/gcs.c
+++ b/arch/arm64/mm/gcs.c
@@ -43,8 +43,24 @@ int gcs_alloc_thread_stack(struct task_struct *tsk,
{
unsigned long addr, size;
- if (!system_supports_gcs())
+ if (!system_supports_gcs()) {
+ if (args->shadow_stack_pointer)
+ return -EINVAL;
+
+ return 0;
+ }
+
+ /*
+ * If the user specified a GCS then use it, otherwise fall
+ * back to a default allocation strategy. Validation is done
+ * in arch_shstk_validate_clone().
+ */
+ if (args->shadow_stack_pointer) {
+ tsk->thread.gcs_base = 0;
+ tsk->thread.gcs_size = 0;
+ tsk->thread.gcspr_el0 = args->shadow_stack_pointer;
return 0;
+ }
if (!task_gcs_el0_enabled(tsk))
return 0;
@@ -68,6 +84,42 @@ int gcs_alloc_thread_stack(struct task_struct *tsk,
return 0;
}
+static bool gcs_consume_token(struct vm_area_struct *vma, struct page *page,
+ unsigned long user_addr)
+{
+ u64 expected = GCS_CAP(user_addr);
+ u64 *token = page_address(page) + offset_in_page(user_addr);
+
+ if (!cmpxchg_to_user_page(vma, page, user_addr, token, expected, 0))
+ return false;
+ set_page_dirty_lock(page);
+
+ return true;
+}
+
+int arch_shstk_validate_clone(struct task_struct *tsk,
+ struct vm_area_struct *vma,
+ struct page *page,
+ struct kernel_clone_args *args)
+{
+ unsigned long gcspr_el0;
+ int ret = 0;
+
+ /* Ensure that a token written as a result of a pivot is visible */
+ gcsb_dsync();
+
+ gcspr_el0 = args->shadow_stack_pointer;
+ if (!gcs_consume_token(vma, page, gcspr_el0))
+ return -EINVAL;
+
+ tsk->thread.gcspr_el0 = gcspr_el0 + sizeof(u64);
+
+ /* Ensure that our token consumption visible */
+ gcsb_dsync();
+
+ return ret;
+}
+
SYSCALL_DEFINE3(map_shadow_stack, unsigned long, addr, unsigned long, size, unsigned int, flags)
{
unsigned long alloc_size;
diff --git a/arch/x86/include/asm/shstk.h b/arch/x86/include/asm/shstk.h
index 4cb77e004615dff003426a2eb594460ca1015f4e..252feeda69991e939942c74556e23e27c835e766 100644
--- a/arch/x86/include/asm/shstk.h
+++ b/arch/x86/include/asm/shstk.h
@@ -6,6 +6,7 @@
#include <linux/types.h>
struct task_struct;
+struct kernel_clone_args;
struct ksignal;
#ifdef CONFIG_X86_USER_SHADOW_STACK
@@ -16,8 +17,8 @@ struct thread_shstk {
long shstk_prctl(struct task_struct *task, int option, unsigned long arg2);
void reset_thread_features(void);
-unsigned long shstk_alloc_thread_stack(struct task_struct *p, unsigned long clone_flags,
- unsigned long stack_size);
+unsigned long shstk_alloc_thread_stack(struct task_struct *p,
+ const struct kernel_clone_args *args);
void shstk_free(struct task_struct *p);
int setup_signal_shadow_stack(struct ksignal *ksig);
int restore_signal_shadow_stack(void);
@@ -28,8 +29,10 @@ static inline long shstk_prctl(struct task_struct *task, int option,
unsigned long arg2) { return -EINVAL; }
static inline void reset_thread_features(void) {}
static inline unsigned long shstk_alloc_thread_stack(struct task_struct *p,
- unsigned long clone_flags,
- unsigned long stack_size) { return 0; }
+ const struct kernel_clone_args *args)
+{
+ return 0;
+}
static inline void shstk_free(struct task_struct *p) {}
static inline int setup_signal_shadow_stack(struct ksignal *ksig) { return 0; }
static inline int restore_signal_shadow_stack(void) { return 0; }
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index f63f8fd00a91f3d1171f307b92179556ba2d716d..59456ab8d93faee29c3b223b64eb41659df76032 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
@@ -207,7 +207,7 @@ int copy_thread(struct task_struct *p, const struct kernel_clone_args *args)
* is disabled, new_ssp will remain 0, and fpu_clone() will know not to
* update it.
*/
- new_ssp = shstk_alloc_thread_stack(p, clone_flags, args->stack_size);
+ new_ssp = shstk_alloc_thread_stack(p, args);
if (IS_ERR_VALUE(new_ssp))
return PTR_ERR((void *)new_ssp);
diff --git a/arch/x86/kernel/shstk.c b/arch/x86/kernel/shstk.c
index 059685612362d7b1865eabf400888fbfa0659c1e..056e2c9ec30531d0901297da07f1842b47d2fcd5 100644
--- a/arch/x86/kernel/shstk.c
+++ b/arch/x86/kernel/shstk.c
@@ -191,18 +191,65 @@ void reset_thread_features(void)
current->thread.features_locked = 0;
}
-unsigned long shstk_alloc_thread_stack(struct task_struct *tsk, unsigned long clone_flags,
- unsigned long stack_size)
+int arch_shstk_validate_clone(struct task_struct *t,
+ struct vm_area_struct *vma,
+ struct page *page,
+ struct kernel_clone_args *args)
+{
+ /*
+ * SSP is aligned, so reserved bits and mode bit are a zero, just mark
+ * the token 64-bit.
+ */
+ void *maddr = kmap_local_page(page);
+ int offset;
+ unsigned long addr, ssp;
+ u64 expected;
+
+ if (!features_enabled(ARCH_SHSTK_SHSTK))
+ return 0;
+
+ ssp = args->shadow_stack_pointer;
+ addr = ssp - SS_FRAME_SIZE;
+ expected = ssp | BIT(0);
+ offset = offset_in_page(addr);
+
+ if (!cmpxchg_to_user_page(vma, page, addr, (unsigned long *)(maddr + offset),
+ expected, 0))
+ return -EINVAL;
+ set_page_dirty_lock(page);
+
+ return 0;
+}
+
+unsigned long shstk_alloc_thread_stack(struct task_struct *tsk,
+ const struct kernel_clone_args *args)
{
struct thread_shstk *shstk = &tsk->thread.shstk;
+ unsigned long clone_flags = args->flags;
unsigned long addr, size;
/*
* If shadow stack is not enabled on the new thread, skip any
- * switch to a new shadow stack.
+ * implicit switch to a new shadow stack and reject attempts to
+ * explicitly specify one.
*/
- if (!features_enabled(ARCH_SHSTK_SHSTK))
+ if (!features_enabled(ARCH_SHSTK_SHSTK)) {
+ if (args->shadow_stack_pointer)
+ return (unsigned long)ERR_PTR(-EINVAL);
+
return 0;
+ }
+
+ /*
+ * If the user specified a shadow stack then use it, otherwise
+ * fall back to a default allocation strategy. Validation is
+ * done in arch_shstk_validate_clone().
+ */
+ if (args->shadow_stack_pointer) {
+ shstk->base = 0;
+ shstk->size = 0;
+ return args->shadow_stack_pointer;
+ }
/*
* For CLONE_VFORK the child will share the parents shadow stack.
@@ -222,7 +269,7 @@ unsigned long shstk_alloc_thread_stack(struct task_struct *tsk, unsigned long cl
if (!(clone_flags & CLONE_VM))
return 0;
- size = adjust_shstk_size(stack_size);
+ size = adjust_shstk_size(args->stack_size);
addr = alloc_shstk(0, size, 0, false);
if (IS_ERR_VALUE(addr))
return addr;
diff --git a/include/asm-generic/cacheflush.h b/include/asm-generic/cacheflush.h
index 7ee8a179d1036e1d8010b8b18a8f3022e41c1695..96cc0c7a5c90fd7e899d0c5fe7c706302265efcf 100644
--- a/include/asm-generic/cacheflush.h
+++ b/include/asm-generic/cacheflush.h
@@ -124,4 +124,15 @@ static inline void flush_cache_vunmap(unsigned long start, unsigned long end)
} while (0)
#endif
+#ifndef cmpxchg_to_user_page
+#define cmpxchg_to_user_page(vma, page, vaddr, ptr, old, new) \
+({ \
+ bool ret; \
+ \
+ ret = try_cmpxchg(ptr, &old, new); \
+ flush_icache_user_page(vma, page, vaddr, sizeof(*ptr)); \
+ ret; \
+})
+#endif
+
#endif /* _ASM_GENERIC_CACHEFLUSH_H */
diff --git a/include/linux/sched/task.h b/include/linux/sched/task.h
index 0f2aeb37bbb047335a399326b31bc8df81b75a3a..cd36389619d5c97401f7b90e177c6027c232783b 100644
--- a/include/linux/sched/task.h
+++ b/include/linux/sched/task.h
@@ -16,6 +16,7 @@ struct task_struct;
struct rusage;
union thread_union;
struct css_set;
+struct vm_area_struct;
/* All the bits taken by the old clone syscall. */
#define CLONE_LEGACY_FLAGS 0xffffffffULL
@@ -43,6 +44,7 @@ struct kernel_clone_args {
void *fn_arg;
struct cgroup *cgrp;
struct css_set *cset;
+ unsigned long shadow_stack_pointer;
};
/*
@@ -236,4 +238,19 @@ static inline void task_unlock(struct task_struct *p)
DEFINE_GUARD(task_lock, struct task_struct *, task_lock(_T), task_unlock(_T))
+#ifdef CONFIG_ARCH_HAS_USER_SHADOW_STACK
+int arch_shstk_validate_clone(struct task_struct *p,
+ struct vm_area_struct *vma,
+ struct page *page,
+ struct kernel_clone_args *args);
+#else
+static inline int arch_shstk_validate_clone(struct task_struct *p,
+ struct vm_area_struct *vma,
+ struct page *page,
+ struct kernel_clone_args *args)
+{
+ return 0;
+}
+#endif
+
#endif /* _LINUX_SCHED_TASK_H */
diff --git a/include/uapi/linux/sched.h b/include/uapi/linux/sched.h
index 359a14cc76a4038aeacef14b2915d5ce60d0cf44..586a1c05a4e4ca05584d4d500223bcf6c3add54c 100644
--- a/include/uapi/linux/sched.h
+++ b/include/uapi/linux/sched.h
@@ -84,6 +84,8 @@
* kernel's limit of nested PID namespaces.
* @cgroup: If CLONE_INTO_CGROUP is specified set this to
* a file descriptor for the cgroup.
+ * @shadow_stack_pointer: Value to use for shadow stack pointer in the
+ * child process.
*
* The structure is versioned by size and thus extensible.
* New struct members must go at the end of the struct and
@@ -101,12 +103,14 @@ struct clone_args {
__aligned_u64 set_tid;
__aligned_u64 set_tid_size;
__aligned_u64 cgroup;
+ __aligned_u64 shadow_stack_pointer;
};
#endif
-#define CLONE_ARGS_SIZE_VER0 64 /* sizeof first published struct */
-#define CLONE_ARGS_SIZE_VER1 80 /* sizeof second published struct */
-#define CLONE_ARGS_SIZE_VER2 88 /* sizeof third published struct */
+#define CLONE_ARGS_SIZE_VER0 64 /* sizeof first published struct */
+#define CLONE_ARGS_SIZE_VER1 80 /* sizeof second published struct */
+#define CLONE_ARGS_SIZE_VER2 88 /* sizeof third published struct */
+#define CLONE_ARGS_SIZE_VER3 96 /* sizeof fourth published struct */
/*
* Scheduling policies
diff --git a/kernel/fork.c b/kernel/fork.c
index 60c0b4868fd4993920f7a615a47f7e915b9a47b5..d925e0c52a5ac4394abd1d46a5eb14386d7ba2ca 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -2109,6 +2109,51 @@ static void rv_task_fork(struct task_struct *p)
#define rv_task_fork(p) do {} while (0)
#endif
+static int shstk_validate_clone(struct task_struct *p,
+ struct kernel_clone_args *args)
+{
+ struct mm_struct *mm;
+ struct vm_area_struct *vma;
+ struct page *page;
+ unsigned long addr;
+ int ret;
+
+ if (!IS_ENABLED(CONFIG_ARCH_HAS_USER_SHADOW_STACK))
+ return 0;
+
+ if (!args->shadow_stack_pointer)
+ return 0;
+
+ mm = get_task_mm(p);
+ if (!mm)
+ return -EFAULT;
+
+ mmap_read_lock(mm);
+
+ addr = untagged_addr_remote(mm, args->shadow_stack_pointer);
+ page = get_user_page_vma_remote(mm, addr, FOLL_FORCE | FOLL_WRITE,
+ &vma);
+ if (IS_ERR(page)) {
+ ret = -EFAULT;
+ goto out;
+ }
+
+ if (!(vma->vm_flags & VM_SHADOW_STACK) ||
+ !(vma->vm_flags & VM_WRITE)) {
+ ret = -EFAULT;
+ goto out_page;
+ }
+
+ ret = arch_shstk_validate_clone(p, vma, page, args);
+
+out_page:
+ put_page(page);
+out:
+ mmap_read_unlock(mm);
+ mmput(mm);
+ return ret;
+}
+
/*
* This creates a new process as a copy of the old one,
* but does not actually start it yet.
@@ -2382,6 +2427,9 @@ __latent_entropy struct task_struct *copy_process(
if (retval)
goto bad_fork_cleanup_namespaces;
retval = copy_thread(p, args);
+ if (retval)
+ goto bad_fork_cleanup_io;
+ retval = shstk_validate_clone(p, args);
if (retval)
goto bad_fork_cleanup_io;
@@ -2945,7 +2993,9 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs,
CLONE_ARGS_SIZE_VER1);
BUILD_BUG_ON(offsetofend(struct clone_args, cgroup) !=
CLONE_ARGS_SIZE_VER2);
- BUILD_BUG_ON(sizeof(struct clone_args) != CLONE_ARGS_SIZE_VER2);
+ BUILD_BUG_ON(offsetofend(struct clone_args, shadow_stack_pointer) !=
+ CLONE_ARGS_SIZE_VER3);
+ BUILD_BUG_ON(sizeof(struct clone_args) != CLONE_ARGS_SIZE_VER3);
if (unlikely(usize > PAGE_SIZE))
return -E2BIG;
@@ -2978,16 +3028,17 @@ noinline static int copy_clone_args_from_user(struct kernel_clone_args *kargs,
return -EINVAL;
*kargs = (struct kernel_clone_args){
- .flags = args.flags,
- .pidfd = u64_to_user_ptr(args.pidfd),
- .child_tid = u64_to_user_ptr(args.child_tid),
- .parent_tid = u64_to_user_ptr(args.parent_tid),
- .exit_signal = args.exit_signal,
- .stack = args.stack,
- .stack_size = args.stack_size,
- .tls = args.tls,
- .set_tid_size = args.set_tid_size,
- .cgroup = args.cgroup,
+ .flags = args.flags,
+ .pidfd = u64_to_user_ptr(args.pidfd),
+ .child_tid = u64_to_user_ptr(args.child_tid),
+ .parent_tid = u64_to_user_ptr(args.parent_tid),
+ .exit_signal = args.exit_signal,
+ .stack = args.stack,
+ .stack_size = args.stack_size,
+ .tls = args.tls,
+ .set_tid_size = args.set_tid_size,
+ .cgroup = args.cgroup,
+ .shadow_stack_pointer = args.shadow_stack_pointer,
};
if (args.set_tid &&
@@ -3028,6 +3079,27 @@ static inline bool clone3_stack_valid(struct kernel_clone_args *kargs)
return true;
}
+/**
+ * clone3_shadow_stack_valid - check and prepare shadow stack
+ * @kargs: kernel clone args
+ *
+ * Verify that shadow stacks are only enabled if supported.
+ */
+static inline bool clone3_shadow_stack_valid(struct kernel_clone_args *kargs)
+{
+ if (!kargs->shadow_stack_pointer)
+ return true;
+
+ if (!IS_ALIGNED(kargs->shadow_stack_pointer, sizeof(void *)))
+ return false;
+
+ /*
+ * The architecture must check support on the specific
+ * machine.
+ */
+ return IS_ENABLED(CONFIG_ARCH_HAS_USER_SHADOW_STACK);
+}
+
static bool clone3_args_valid(struct kernel_clone_args *kargs)
{
/* Verify that no unknown flags are passed along. */
@@ -3050,7 +3122,7 @@ static bool clone3_args_valid(struct kernel_clone_args *kargs)
kargs->exit_signal)
return false;
- if (!clone3_stack_valid(kargs))
+ if (!clone3_stack_valid(kargs) || !clone3_shadow_stack_valid(kargs))
return false;
return true;
--
2.39.2
^ permalink raw reply related
* [PATCH RFT v12 3/8] selftests: Provide helper header for shadow stack testing
From: Mark Brown @ 2024-10-31 19:25 UTC (permalink / raw)
To: Rick P. Edgecombe, Deepak Gupta, Szabolcs Nagy, H.J. Lu,
Florian Weimer, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
Dave Hansen, x86, H. Peter Anvin, Peter Zijlstra, Juri Lelli,
Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall,
Mel Gorman, Valentin Schneider, Christian Brauner, Shuah Khan
Cc: linux-kernel, Catalin Marinas, Will Deacon, jannh, bsegall,
Yury Khrustalev, Wilco Dijkstra, linux-kselftest, linux-api,
Mark Brown, Kees Cook, Kees Cook, Shuah Khan
In-Reply-To: <20241031-clone3-shadow-stack-v12-0-7183eb8bee17@kernel.org>
While almost all users of shadow stacks should be relying on the dynamic
linker and libc to enable the feature there are several low level test
programs where it is useful to enable without any libc support, allowing
testing without full system enablement. This low level testing is helpful
during bringup of the support itself, and also in enabling coverage by
automated testing without needing all system components in the target root
filesystems to have enablement.
Provide a header with helpers for this purpose, intended for use only by
test programs directly exercising shadow stack interfaces.
Reviewed-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Reviewed-by: Kees Cook <kees@kernel.org>
Tested-by: Kees Cook <kees@kernel.org>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
---
tools/testing/selftests/ksft_shstk.h | 98 ++++++++++++++++++++++++++++++++++++
1 file changed, 98 insertions(+)
diff --git a/tools/testing/selftests/ksft_shstk.h b/tools/testing/selftests/ksft_shstk.h
new file mode 100644
index 0000000000000000000000000000000000000000..869ecea2bf3ea3d30cead9819d2b3a75f5397754
--- /dev/null
+++ b/tools/testing/selftests/ksft_shstk.h
@@ -0,0 +1,98 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * Helpers for shadow stack enablement, this is intended to only be
+ * used by low level test programs directly exercising interfaces for
+ * working with shadow stacks.
+ *
+ * Copyright (C) 2024 ARM Ltd.
+ */
+
+#ifndef __KSFT_SHSTK_H
+#define __KSFT_SHSTK_H
+
+#include <asm/mman.h>
+
+/* This is currently only defined for x86 */
+#ifndef SHADOW_STACK_SET_TOKEN
+#define SHADOW_STACK_SET_TOKEN (1ULL << 0)
+#endif
+
+static bool shadow_stack_enabled;
+
+#ifdef __x86_64__
+#define ARCH_SHSTK_ENABLE 0x5001
+#define ARCH_SHSTK_SHSTK (1ULL << 0)
+
+#define ARCH_PRCTL(arg1, arg2) \
+({ \
+ long _ret; \
+ register long _num asm("eax") = __NR_arch_prctl; \
+ register long _arg1 asm("rdi") = (long)(arg1); \
+ register long _arg2 asm("rsi") = (long)(arg2); \
+ \
+ asm volatile ( \
+ "syscall\n" \
+ : "=a"(_ret) \
+ : "r"(_arg1), "r"(_arg2), \
+ "0"(_num) \
+ : "rcx", "r11", "memory", "cc" \
+ ); \
+ _ret; \
+})
+
+#define ENABLE_SHADOW_STACK
+static inline __attribute__((always_inline)) void enable_shadow_stack(void)
+{
+ int ret = ARCH_PRCTL(ARCH_SHSTK_ENABLE, ARCH_SHSTK_SHSTK);
+ if (ret == 0)
+ shadow_stack_enabled = true;
+}
+
+#endif
+
+#ifdef __aarch64__
+#define PR_SET_SHADOW_STACK_STATUS 75
+# define PR_SHADOW_STACK_ENABLE (1UL << 0)
+
+#define my_syscall2(num, arg1, arg2) \
+({ \
+ register long _num __asm__ ("x8") = (num); \
+ register long _arg1 __asm__ ("x0") = (long)(arg1); \
+ register long _arg2 __asm__ ("x1") = (long)(arg2); \
+ register long _arg3 __asm__ ("x2") = 0; \
+ register long _arg4 __asm__ ("x3") = 0; \
+ register long _arg5 __asm__ ("x4") = 0; \
+ \
+ __asm__ volatile ( \
+ "svc #0\n" \
+ : "=r"(_arg1) \
+ : "r"(_arg1), "r"(_arg2), \
+ "r"(_arg3), "r"(_arg4), \
+ "r"(_arg5), "r"(_num) \
+ : "memory", "cc" \
+ ); \
+ _arg1; \
+})
+
+#define ENABLE_SHADOW_STACK
+static inline __attribute__((always_inline)) void enable_shadow_stack(void)
+{
+ int ret;
+
+ ret = my_syscall2(__NR_prctl, PR_SET_SHADOW_STACK_STATUS,
+ PR_SHADOW_STACK_ENABLE);
+ if (ret == 0)
+ shadow_stack_enabled = true;
+}
+
+#endif
+
+#ifndef __NR_map_shadow_stack
+#define __NR_map_shadow_stack 453
+#endif
+
+#ifndef ENABLE_SHADOW_STACK
+static inline void enable_shadow_stack(void) { }
+#endif
+
+#endif
--
2.39.2
^ permalink raw reply related
* [PATCH RFT v12 2/8] Documentation: userspace-api: Add shadow stack API documentation
From: Mark Brown @ 2024-10-31 19:25 UTC (permalink / raw)
To: Rick P. Edgecombe, Deepak Gupta, Szabolcs Nagy, H.J. Lu,
Florian Weimer, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
Dave Hansen, x86, H. Peter Anvin, Peter Zijlstra, Juri Lelli,
Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall,
Mel Gorman, Valentin Schneider, Christian Brauner, Shuah Khan
Cc: linux-kernel, Catalin Marinas, Will Deacon, jannh, bsegall,
Yury Khrustalev, Wilco Dijkstra, linux-kselftest, linux-api,
Mark Brown, Kees Cook, Kees Cook, Shuah Khan
In-Reply-To: <20241031-clone3-shadow-stack-v12-0-7183eb8bee17@kernel.org>
There are a number of architectures with shadow stack features which we are
presenting to userspace with as consistent an API as we can (though there
are some architecture specifics). Especially given that there are some
important considerations for userspace code interacting directly with the
feature let's provide some documentation covering the common aspects.
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Reviewed-by: Kees Cook <kees@kernel.org>
Tested-by: Kees Cook <kees@kernel.org>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
---
Documentation/userspace-api/index.rst | 1 +
Documentation/userspace-api/shadow_stack.rst | 42 ++++++++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git a/Documentation/userspace-api/index.rst b/Documentation/userspace-api/index.rst
index 274cc7546efc2a042d2dc00aa67c71c52372179a..c39709bfba2c5682d0d1a22444db17c17bcf01ce 100644
--- a/Documentation/userspace-api/index.rst
+++ b/Documentation/userspace-api/index.rst
@@ -59,6 +59,7 @@ Everything else
ELF
netlink/index
+ shadow_stack
sysfs-platform_profile
vduse
futex2
diff --git a/Documentation/userspace-api/shadow_stack.rst b/Documentation/userspace-api/shadow_stack.rst
new file mode 100644
index 0000000000000000000000000000000000000000..9d0d4e79cfa7c47d3208dd53071a3d0b86c18575
--- /dev/null
+++ b/Documentation/userspace-api/shadow_stack.rst
@@ -0,0 +1,42 @@
+=============
+Shadow Stacks
+=============
+
+Introduction
+============
+
+Several architectures have features which provide backward edge
+control flow protection through a hardware maintained stack, only
+writeable by userspace through very limited operations. This feature
+is referred to as shadow stacks on Linux, on x86 it is part of Intel
+Control Enforcement Technology (CET), on arm64 it is Guarded Control
+Stacks feature (FEAT_GCS) and for RISC-V it is the Zicfiss extension.
+It is expected that this feature will normally be managed by the
+system dynamic linker and libc in ways broadly transparent to
+application code, this document covers interfaces and considerations.
+
+
+Enabling
+========
+
+Shadow stacks default to disabled when a userspace process is
+executed, they can be enabled for the current thread with a syscall:
+
+ - For x86 the ARCH_SHSTK_ENABLE arch_prctl()
+ - For other architectures the PR_SET_SHADOW_STACK_ENABLE prctl()
+
+It is expected that this will normally be done by the dynamic linker.
+Any new threads created by a thread with shadow stacks enabled will
+themselves have shadow stacks enabled.
+
+
+Enablement considerations
+=========================
+
+- Returning from the function that enables shadow stacks without first
+ disabling them will cause a shadow stack exception. This includes
+ any syscall wrapper or other library functions, the syscall will need
+ to be inlined.
+- A lock feature allows userspace to prevent disabling of shadow stacks.
+- Those that change the stack context like longjmp() or use of ucontext
+ changes on signal return will need support from libc.
--
2.39.2
^ permalink raw reply related
* [PATCH RFT v12 1/8] arm64/gcs: Return a success value from gcs_alloc_thread_stack()
From: Mark Brown @ 2024-10-31 19:25 UTC (permalink / raw)
To: Rick P. Edgecombe, Deepak Gupta, Szabolcs Nagy, H.J. Lu,
Florian Weimer, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
Dave Hansen, x86, H. Peter Anvin, Peter Zijlstra, Juri Lelli,
Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall,
Mel Gorman, Valentin Schneider, Christian Brauner, Shuah Khan
Cc: linux-kernel, Catalin Marinas, Will Deacon, jannh, bsegall,
Yury Khrustalev, Wilco Dijkstra, linux-kselftest, linux-api,
Mark Brown, Kees Cook
In-Reply-To: <20241031-clone3-shadow-stack-v12-0-7183eb8bee17@kernel.org>
Currently as a result of templating from x86 code gcs_alloc_thread_stack()
returns a pointer as an unsigned int however on arm64 we don't actually use
this pointer value as anything other than a pass/fail flag. Simplify the
interface to just return an int with 0 on success and a negative error code
on failure.
Acked-by: Deepak Gupta <debug@rivosinc.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
---
arch/arm64/include/asm/gcs.h | 8 ++++----
arch/arm64/kernel/process.c | 8 ++++----
arch/arm64/mm/gcs.c | 8 ++++----
3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/arch/arm64/include/asm/gcs.h b/arch/arm64/include/asm/gcs.h
index f50660603ecf5dc09a92740062df3a089b02b219..d8923b5f03b776252aca76ce316ef57399d71fa9 100644
--- a/arch/arm64/include/asm/gcs.h
+++ b/arch/arm64/include/asm/gcs.h
@@ -64,8 +64,8 @@ static inline bool task_gcs_el0_enabled(struct task_struct *task)
void gcs_set_el0_mode(struct task_struct *task);
void gcs_free(struct task_struct *task);
void gcs_preserve_current_state(void);
-unsigned long gcs_alloc_thread_stack(struct task_struct *tsk,
- const struct kernel_clone_args *args);
+int gcs_alloc_thread_stack(struct task_struct *tsk,
+ const struct kernel_clone_args *args);
static inline int gcs_check_locked(struct task_struct *task,
unsigned long new_val)
@@ -91,8 +91,8 @@ static inline bool task_gcs_el0_enabled(struct task_struct *task)
static inline void gcs_set_el0_mode(struct task_struct *task) { }
static inline void gcs_free(struct task_struct *task) { }
static inline void gcs_preserve_current_state(void) { }
-static inline unsigned long gcs_alloc_thread_stack(struct task_struct *tsk,
- const struct kernel_clone_args *args)
+static inline int gcs_alloc_thread_stack(struct task_struct *tsk,
+ const struct kernel_clone_args *args)
{
return -ENOTSUPP;
}
diff --git a/arch/arm64/kernel/process.c b/arch/arm64/kernel/process.c
index fdd095480c3ffb8c13fd4e7c9abc79e88143e08b..8ebd11c29792524dfeeade9cc7826b007329aa6a 100644
--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -297,7 +297,7 @@ static void flush_gcs(void)
static int copy_thread_gcs(struct task_struct *p,
const struct kernel_clone_args *args)
{
- unsigned long gcs;
+ int ret;
if (!system_supports_gcs())
return 0;
@@ -305,9 +305,9 @@ static int copy_thread_gcs(struct task_struct *p,
p->thread.gcs_base = 0;
p->thread.gcs_size = 0;
- gcs = gcs_alloc_thread_stack(p, args);
- if (IS_ERR_VALUE(gcs))
- return PTR_ERR((void *)gcs);
+ ret = gcs_alloc_thread_stack(p, args);
+ if (ret != 0)
+ return ret;
p->thread.gcs_el0_mode = current->thread.gcs_el0_mode;
p->thread.gcs_el0_locked = current->thread.gcs_el0_locked;
diff --git a/arch/arm64/mm/gcs.c b/arch/arm64/mm/gcs.c
index 5c46ec527b1cdaa8f52cff445d70ba0f8509d086..1f633a482558b59aac5427963d42b37fce08c8a6 100644
--- a/arch/arm64/mm/gcs.c
+++ b/arch/arm64/mm/gcs.c
@@ -38,8 +38,8 @@ static unsigned long gcs_size(unsigned long size)
return max(PAGE_SIZE, size);
}
-unsigned long gcs_alloc_thread_stack(struct task_struct *tsk,
- const struct kernel_clone_args *args)
+int gcs_alloc_thread_stack(struct task_struct *tsk,
+ const struct kernel_clone_args *args)
{
unsigned long addr, size;
@@ -59,13 +59,13 @@ unsigned long gcs_alloc_thread_stack(struct task_struct *tsk,
size = gcs_size(size);
addr = alloc_gcs(0, size);
if (IS_ERR_VALUE(addr))
- return addr;
+ return PTR_ERR((void *)addr);
tsk->thread.gcs_base = addr;
tsk->thread.gcs_size = size;
tsk->thread.gcspr_el0 = addr + size - sizeof(u64);
- return addr;
+ return 0;
}
SYSCALL_DEFINE3(map_shadow_stack, unsigned long, addr, unsigned long, size, unsigned int, flags)
--
2.39.2
^ permalink raw reply related
* [PATCH RFT v12 0/8] fork: Support shadow stacks in clone3()
From: Mark Brown @ 2024-10-31 19:25 UTC (permalink / raw)
To: Rick P. Edgecombe, Deepak Gupta, Szabolcs Nagy, H.J. Lu,
Florian Weimer, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
Dave Hansen, x86, H. Peter Anvin, Peter Zijlstra, Juri Lelli,
Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall,
Mel Gorman, Valentin Schneider, Christian Brauner, Shuah Khan
Cc: linux-kernel, Catalin Marinas, Will Deacon, jannh, bsegall,
Yury Khrustalev, Wilco Dijkstra, linux-kselftest, linux-api,
Mark Brown, Kees Cook, Kees Cook, Shuah Khan
The kernel has recently added support for shadow stacks, currently
x86 only using their CET feature but both arm64 and RISC-V have
equivalent features (GCS and Zicfiss respectively), I am actively
working on GCS[1]. With shadow stacks the hardware maintains an
additional stack containing only the return addresses for branch
instructions which is not generally writeable by userspace and ensures
that any returns are to the recorded addresses. This provides some
protection against ROP attacks and making it easier to collect call
stacks. These shadow stacks are allocated in the address space of the
userspace process.
Our API for shadow stacks does not currently offer userspace any
flexiblity for managing the allocation of shadow stacks for newly
created threads, instead the kernel allocates a new shadow stack with
the same size as the normal stack whenever a thread is created with the
feature enabled. The stacks allocated in this way are freed by the
kernel when the thread exits or shadow stacks are disabled for the
thread. This lack of flexibility and control isn't ideal, in the vast
majority of cases the shadow stack will be over allocated and the
implicit allocation and deallocation is not consistent with other
interfaces. As far as I can tell the interface is done in this manner
mainly because the shadow stack patches were in development since before
clone3() was implemented.
Since clone3() is readily extensible let's add support for specifying a
shadow stack when creating a new thread or process, keeping the current
implicit allocation behaviour if one is not specified either with
clone3() or through the use of clone(). The user must provide a shadow
stack pointer, this must point to memory mapped for use as a shadow
stackby map_shadow_stack() with an architecture specified shadow stack
token at the top of the stack.
Please note that the x86 portions of this code are build tested only, I
don't appear to have a system that can run CET available to me.
[1] https://lore.kernel.org/linux-arm-kernel/20241001-arm64-gcs-v13-0-222b78d87eee@kernel.org/T/#mc58f97f27461749ccf400ebabf6f9f937116a86b
Signed-off-by: Mark Brown <broonie@kernel.org>
---
Changes in v12:
- Add the regular prctl() to the userspace API document since arm64
support is queued in -next.
- Link to v11: https://lore.kernel.org/r/20241005-clone3-shadow-stack-v11-0-2a6a2bd6d651@kernel.org
Changes in v11:
- Rebase onto arm64 for-next/gcs, which is based on v6.12-rc1, and
integrate arm64 support.
- Rework the interface to specify a shadow stack pointer rather than a
base and size like we do for the regular stack.
- Link to v10: https://lore.kernel.org/r/20240821-clone3-shadow-stack-v10-0-06e8797b9445@kernel.org
Changes in v10:
- Integrate fixes & improvements for the x86 implementation from Rick
Edgecombe.
- Require that the shadow stack be VM_WRITE.
- Require that the shadow stack base and size be sizeof(void *) aligned.
- Clean up trailing newline.
- Link to v9: https://lore.kernel.org/r/20240819-clone3-shadow-stack-v9-0-962d74f99464@kernel.org
Changes in v9:
- Pull token validation earlier and report problems with an error return
to parent rather than signal delivery to the child.
- Verify that the top of the supplied shadow stack is VM_SHADOW_STACK.
- Rework token validation to only do the page mapping once.
- Drop no longer needed support for testing for signals in selftest.
- Fix typo in comments.
- Link to v8: https://lore.kernel.org/r/20240808-clone3-shadow-stack-v8-0-0acf37caf14c@kernel.org
Changes in v8:
- Fix token verification with user specified shadow stack.
- Don't track user managed shadow stacks for child processes.
- Link to v7: https://lore.kernel.org/r/20240731-clone3-shadow-stack-v7-0-a9532eebfb1d@kernel.org
Changes in v7:
- Rebase onto v6.11-rc1.
- Typo fixes.
- Link to v6: https://lore.kernel.org/r/20240623-clone3-shadow-stack-v6-0-9ee7783b1fb9@kernel.org
Changes in v6:
- Rebase onto v6.10-rc3.
- Ensure we don't try to free the parent shadow stack in error paths of
x86 arch code.
- Spelling fixes in userspace API document.
- Additional cleanups and improvements to the clone3() tests to support
the shadow stack tests.
- Link to v5: https://lore.kernel.org/r/20240203-clone3-shadow-stack-v5-0-322c69598e4b@kernel.org
Changes in v5:
- Rebase onto v6.8-rc2.
- Rework ABI to have the user allocate the shadow stack memory with
map_shadow_stack() and a token.
- Force inlining of the x86 shadow stack enablement.
- Move shadow stack enablement out into a shared header for reuse by
other tests.
- Link to v4: https://lore.kernel.org/r/20231128-clone3-shadow-stack-v4-0-8b28ffe4f676@kernel.org
Changes in v4:
- Formatting changes.
- Use a define for minimum shadow stack size and move some basic
validation to fork.c.
- Link to v3: https://lore.kernel.org/r/20231120-clone3-shadow-stack-v3-0-a7b8ed3e2acc@kernel.org
Changes in v3:
- Rebase onto v6.7-rc2.
- Remove stale shadow_stack in internal kargs.
- If a shadow stack is specified unconditionally use it regardless of
CLONE_ parameters.
- Force enable shadow stacks in the selftest.
- Update changelogs for RISC-V feature rename.
- Link to v2: https://lore.kernel.org/r/20231114-clone3-shadow-stack-v2-0-b613f8681155@kernel.org
Changes in v2:
- Rebase onto v6.7-rc1.
- Remove ability to provide preallocated shadow stack, just specify the
desired size.
- Link to v1: https://lore.kernel.org/r/20231023-clone3-shadow-stack-v1-0-d867d0b5d4d0@kernel.org
---
Mark Brown (8):
arm64/gcs: Return a success value from gcs_alloc_thread_stack()
Documentation: userspace-api: Add shadow stack API documentation
selftests: Provide helper header for shadow stack testing
fork: Add shadow stack support to clone3()
selftests/clone3: Remove redundant flushes of output streams
selftests/clone3: Factor more of main loop into test_clone3()
selftests/clone3: Allow tests to flag if -E2BIG is a valid error code
selftests/clone3: Test shadow stack support
Documentation/userspace-api/index.rst | 1 +
Documentation/userspace-api/shadow_stack.rst | 42 ++++
arch/arm64/include/asm/gcs.h | 8 +-
arch/arm64/kernel/process.c | 8 +-
arch/arm64/mm/gcs.c | 62 +++++-
arch/x86/include/asm/shstk.h | 11 +-
arch/x86/kernel/process.c | 2 +-
arch/x86/kernel/shstk.c | 57 +++++-
include/asm-generic/cacheflush.h | 11 ++
include/linux/sched/task.h | 17 ++
include/uapi/linux/sched.h | 10 +-
kernel/fork.c | 96 +++++++--
tools/testing/selftests/clone3/clone3.c | 226 ++++++++++++++++++----
tools/testing/selftests/clone3/clone3_selftests.h | 65 ++++++-
tools/testing/selftests/ksft_shstk.h | 98 ++++++++++
15 files changed, 633 insertions(+), 81 deletions(-)
---
base-commit: d17cd7b7cc92d37ee8b2df8f975fc859a261f4dc
change-id: 20231019-clone3-shadow-stack-15d40d2bf536
Best regards,
--
Mark Brown <broonie@kernel.org>
^ permalink raw reply
* Re: [PATCH RFT v11 2/8] Documentation: userspace-api: Add shadow stack API documentation
From: Deepak Gupta @ 2024-10-30 21:42 UTC (permalink / raw)
To: Mark Brown
Cc: Rick P. Edgecombe, Szabolcs Nagy, H.J. Lu, Florian Weimer,
Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86,
H. Peter Anvin, Peter Zijlstra, Juri Lelli, Vincent Guittot,
Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman,
Valentin Schneider, Christian Brauner, Shuah Khan, linux-kernel,
Catalin Marinas, Will Deacon, jannh, Yury Khrustalev,
Wilco Dijkstra, linux-kselftest, linux-api, Kees Cook, Shuah Khan
In-Reply-To: <20241005-clone3-shadow-stack-v11-2-2a6a2bd6d651@kernel.org>
On Sat, Oct 05, 2024 at 11:31:29AM +0100, Mark Brown wrote:
>There are a number of architectures with shadow stack features which we are
>presenting to userspace with as consistent an API as we can (though there
>are some architecture specifics). Especially given that there are some
>important considerations for userspace code interacting directly with the
>feature let's provide some documentation covering the common aspects.
>
>Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
>Reviewed-by: Kees Cook <kees@kernel.org>
>Tested-by: Kees Cook <kees@kernel.org>
>Acked-by: Shuah Khan <skhan@linuxfoundation.org>
>Signed-off-by: Mark Brown <broonie@kernel.org>
>---
> Documentation/userspace-api/index.rst | 1 +
> Documentation/userspace-api/shadow_stack.rst | 41 ++++++++++++++++++++++++++++
> 2 files changed, 42 insertions(+)
>
>diff --git a/Documentation/userspace-api/index.rst b/Documentation/userspace-api/index.rst
>index 274cc7546efc2a042d2dc00aa67c71c52372179a..c39709bfba2c5682d0d1a22444db17c17bcf01ce 100644
>--- a/Documentation/userspace-api/index.rst
>+++ b/Documentation/userspace-api/index.rst
>@@ -59,6 +59,7 @@ Everything else
>
> ELF
> netlink/index
>+ shadow_stack
> sysfs-platform_profile
> vduse
> futex2
>diff --git a/Documentation/userspace-api/shadow_stack.rst b/Documentation/userspace-api/shadow_stack.rst
>new file mode 100644
>index 0000000000000000000000000000000000000000..c576ad3d7ec12f0f75bffa4e2bafd0c9d7230c9f
>--- /dev/null
>+++ b/Documentation/userspace-api/shadow_stack.rst
>@@ -0,0 +1,41 @@
>+=============
>+Shadow Stacks
>+=============
>+
>+Introduction
>+============
>+
>+Several architectures have features which provide backward edge
>+control flow protection through a hardware maintained stack, only
>+writeable by userspace through very limited operations. This feature
>+is referred to as shadow stacks on Linux, on x86 it is part of Intel
>+Control Enforcement Technology (CET), on arm64 it is Guarded Control
>+Stacks feature (FEAT_GCS) and for RISC-V it is the Zicfiss extension.
>+It is expected that this feature will normally be managed by the
>+system dynamic linker and libc in ways broadly transparent to
>+application code, this document covers interfaces and considerations.
>+
>+
>+Enabling
>+========
>+
>+Shadow stacks default to disabled when a userspace process is
>+executed, they can be enabled for the current thread with a syscall:
>+
>+ - For x86 the ARCH_SHSTK_ENABLE arch_prctl()
I know when you started out, gcs and risc-v shadow stack patches were
only catching up. But now that gcs patches are in -next and risc-v
patches have also reached some maturity. And considering this generic
generic shadow stack documentation, may be it's worth to mention
arch agnostic prctls here for shadow stack (that will be used by arm64
and riscv)? What do you think?
>+
>+It is expected that this will normally be done by the dynamic linker.
>+Any new threads created by a thread with shadow stacks enabled will
>+themselves have shadow stacks enabled.
>+
>+
>+Enablement considerations
>+=========================
>+
>+- Returning from the function that enables shadow stacks without first
>+ disabling them will cause a shadow stack exception.
nit:
s/shadow stack exception/arch specific exception indicating control flow
violation
>+ This includes
>+ any syscall wrapper or other library functions, the syscall will need
>+ to be inlined.
>+- A lock feature allows userspace to prevent disabling of shadow stacks.
>+- Those that change the stack context like longjmp() or use of ucontext
>+ changes on signal return will need support from libc.
>
>--
>2.39.2
>
^ permalink raw reply
* Re: [PATCH RFT v11 1/8] arm64/gcs: Return a success value from gcs_alloc_thread_stack()
From: Deepak Gupta @ 2024-10-30 21:11 UTC (permalink / raw)
To: Mark Brown
Cc: Rick P. Edgecombe, Szabolcs Nagy, H.J. Lu, Florian Weimer,
Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86,
H. Peter Anvin, Peter Zijlstra, Juri Lelli, Vincent Guittot,
Dietmar Eggemann, Steven Rostedt, Ben Segall, Mel Gorman,
Valentin Schneider, Christian Brauner, Shuah Khan, linux-kernel,
Catalin Marinas, Will Deacon, jannh, Yury Khrustalev,
Wilco Dijkstra, linux-kselftest, linux-api, Kees Cook
In-Reply-To: <20241005-clone3-shadow-stack-v11-1-2a6a2bd6d651@kernel.org>
On Sat, Oct 05, 2024 at 11:31:28AM +0100, Mark Brown wrote:
>Currently as a result of templating from x86 code gcs_alloc_thread_stack()
>returns a pointer as an unsigned int however on arm64 we don't actually use
>this pointer value as anything other than a pass/fail flag. Simplify the
>interface to just return an int with 0 on success and a negative error code
>on failure.
>
>Signed-off-by: Mark Brown <broonie@kernel.org>
Acked-by: Deepak Gupta <debug@rivosinc.com>
^ permalink raw reply
* Re: [PATCH v6 2/5] pidfd: add PIDFD_SELF_* sentinels to refer to own thread/process
From: Lorenzo Stoakes @ 2024-10-30 16:37 UTC (permalink / raw)
To: Christian Brauner
Cc: Oleg Nesterov, Christian Brauner, Shuah Khan, Liam R . Howlett,
Suren Baghdasaryan, Vlastimil Babka, pedro.falcato,
linux-kselftest, linux-mm, linux-fsdevel, linux-api, linux-kernel,
Oliver Sang, John Hubbard
In-Reply-To: <c96df57a-fa1b-4301-9556-94a6b8c93a31@lucifer.local>
On Mon, Oct 28, 2024 at 04:06:07PM +0000, Lorenzo Stoakes wrote:
> I guess I'll try to adapt that and respin a v7 when I get a chance.
Hm looking at this draft patch, it seems like a total rework of pidfd's
across the board right (now all pidfd's will need to be converted to
pid_fd)? Correct me if I'm wrong.
If only for the signal case, it seems like overkill to define a whole
pid_fd and to use this CLASS() wrapper just for this one instance.
If the intent is to convert _all_ pidfd's to use this type, it feels really
out of scope for this series and I think we'd probably instead want to go
off and do that as a separate series and put this on hold until that is
done.
If instead you mean that we ought to do something like this just for the
signal case, it feels like it'd be quite a bit of extra abstraction just
used in this one case but nowhere else, I think if you did an abstraction
like this it would _have_ to be across the board right?
I agree that the issue is with this one signal case that pins only the fd
(rather than this pid) where this 'pinning' doesn't _necessary_ mess around
with reference counts.
So we definitely must address this, but the issue you had with the first
approach was that I think (correct me if I'm wrong) I was passing a pointer
to a struct fd which is not permitted right?
Could we pass the struct fd by value to avoid this? I think we'd have to
unfortunately special-case this and probably duplicate some code which is a
pity as I liked the idea of abstracting everything to one place, but we can
obviously do that.
So I guess to TL;DR it, the options are:
1. Implement pid_fd everywhere, in which case I will leave off on
this series and I guess, if I have time I could look at trying to
implement that or perhaps you'd prefer to?
2. We are good for the sake of this series to special-case a pidfd_to_pid()
implementation (used only by the pidfd_send_signal() syscall)
3. Something else, or I am misunderstanding your point :)
Let me know how you want me to proceed on this as we're at v6 already and I
want to be _really_ sure I'm doing what you want here.
Thanks!
^ permalink raw reply
* Re: [PATCH RFT v11 0/8] fork: Support shadow stacks in clone3()
From: Yury Khrustalev @ 2024-10-30 14:41 UTC (permalink / raw)
To: Mark Brown
Cc: Rick P. Edgecombe, Deepak Gupta, Szabolcs Nagy, H.J. Lu,
Florian Weimer, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
Dave Hansen, x86, H. Peter Anvin, Peter Zijlstra, Juri Lelli,
Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall,
Mel Gorman, Valentin Schneider, Christian Brauner, Shuah Khan,
linux-kernel, Catalin Marinas, Will Deacon, jannh, Wilco Dijkstra,
linux-kselftest, linux-api, Kees Cook, Shuah Khan
In-Reply-To: <9843cdfb-6cc6-40b1-94b3-768c48351945@sirena.org.uk>
On Wed, Oct 30, 2024 at 02:08:59PM +0000, Mark Brown wrote:
> On Sat, Oct 05, 2024 at 11:31:27AM +0100, Mark Brown wrote:
> > The kernel has recently added support for shadow stacks, currently
> > x86 only using their CET feature but both arm64 and RISC-V have
> > equivalent features (GCS and Zicfiss respectively), I am actively
> > working on GCS[1]. With shadow stacks the hardware maintains an
> > additional stack containing only the return addresses for branch
> > instructions which is not generally writeable by userspace and ensures
> > that any returns are to the recorded addresses. This provides some
> > protection against ROP attacks and making it easier to collect call
> > stacks. These shadow stacks are allocated in the address space of the
> > userspace process.
>
> Does anyone have any thoughts on this? I reworked things to specify the
> address for the shadow stack pointer rather than the extent of the stack
> as Rick and Yuri suggested, otherwise the only change from the prior
> version was rebasing onto the arm64 GCS support since that's queued in
> -next. I think the only substantial question is picking the ABI for
> specifying the shadow stack.
I will need more time to review this as both my primary and shadow stacks
are full with other work. At a glance, I cannot offer any informed opinion
for choosing ABI atm. Apologies for the delay.
Kind regards,
Yury
^ permalink raw reply
* Re: [PATCH RFT v11 0/8] fork: Support shadow stacks in clone3()
From: Mark Brown @ 2024-10-30 14:08 UTC (permalink / raw)
To: Rick P. Edgecombe, Deepak Gupta, Szabolcs Nagy, H.J. Lu,
Florian Weimer, Thomas Gleixner, Ingo Molnar, Borislav Petkov,
Dave Hansen, x86, H. Peter Anvin, Peter Zijlstra, Juri Lelli,
Vincent Guittot, Dietmar Eggemann, Steven Rostedt, Ben Segall,
Mel Gorman, Valentin Schneider, Christian Brauner, Shuah Khan
Cc: linux-kernel, Catalin Marinas, Will Deacon, jannh,
Yury Khrustalev, Wilco Dijkstra, linux-kselftest, linux-api,
Kees Cook, Shuah Khan
In-Reply-To: <20241005-clone3-shadow-stack-v11-0-2a6a2bd6d651@kernel.org>
[-- Attachment #1: Type: text/plain, Size: 1089 bytes --]
On Sat, Oct 05, 2024 at 11:31:27AM +0100, Mark Brown wrote:
> The kernel has recently added support for shadow stacks, currently
> x86 only using their CET feature but both arm64 and RISC-V have
> equivalent features (GCS and Zicfiss respectively), I am actively
> working on GCS[1]. With shadow stacks the hardware maintains an
> additional stack containing only the return addresses for branch
> instructions which is not generally writeable by userspace and ensures
> that any returns are to the recorded addresses. This provides some
> protection against ROP attacks and making it easier to collect call
> stacks. These shadow stacks are allocated in the address space of the
> userspace process.
Does anyone have any thoughts on this? I reworked things to specify the
address for the shadow stack pointer rather than the extent of the stack
as Rick and Yuri suggested, otherwise the only change from the prior
version was rebasing onto the arm64 GCS support since that's queued in
-next. I think the only substantial question is picking the ABI for
specifying the shadow stack.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply
* Re: [PATCH v4 3/5] mm: madvise: implement lightweight guard page mechanism
From: Vlastimil Babka @ 2024-10-29 10:32 UTC (permalink / raw)
To: Lorenzo Stoakes, Andrew Morton
Cc: Suren Baghdasaryan, Liam R . Howlett, Matthew Wilcox,
Paul E . McKenney, Jann Horn, David Hildenbrand, linux-mm,
linux-kernel, Muchun Song, Richard Henderson, Matt Turner,
Thomas Bogendoerfer, James E . J . Bottomley, Helge Deller,
Chris Zankel, Max Filippov, Arnd Bergmann, linux-alpha,
linux-mips, linux-parisc, linux-arch, Shuah Khan,
Christian Brauner, linux-kselftest, Sidhartha Kumar, Jeff Xu,
Christoph Hellwig, linux-api, John Hubbard
In-Reply-To: <6aafb5821bf209f277dfae0787abb2ef87a37542.1730123433.git.lorenzo.stoakes@oracle.com>
On 10/28/24 15:13, Lorenzo Stoakes wrote:
> Implement a new lightweight guard page feature, that is regions of userland
> virtual memory that, when accessed, cause a fatal signal to arise.
>
> Currently users must establish PROT_NONE ranges to achieve this.
>
> However this is very costly memory-wise - we need a VMA for each and every
> one of these regions AND they become unmergeable with surrounding VMAs.
>
> In addition repeated mmap() calls require repeated kernel context switches
> and contention of the mmap lock to install these ranges, potentially also
> having to unmap memory if installed over existing ranges.
>
> The lightweight guard approach eliminates the VMA cost altogether - rather
> than establishing a PROT_NONE VMA, it operates at the level of page table
> entries - establishing PTE markers such that accesses to them cause a fault
> followed by a SIGSGEV signal being raised.
>
> This is achieved through the PTE marker mechanism, which we have already
> extended to provide PTE_MARKER_GUARD, which we installed via the generic
> page walking logic which we have extended for this purpose.
>
> These guard ranges are established with MADV_GUARD_INSTALL. If the range in
> which they are installed contain any existing mappings, they will be
> zapped, i.e. free the range and unmap memory (thus mimicking the behaviour
> of MADV_DONTNEED in this respect).
>
> Any existing guard entries will be left untouched. There is therefore no
> nesting of guarded pages.
>
> Guarded ranges are NOT cleared by MADV_DONTNEED nor MADV_FREE (in both
> instances the memory range may be reused at which point a user would expect
> guards to still be in place), but they are cleared via MADV_GUARD_REMOVE,
> process teardown or unmapping of memory ranges.
>
> The guard property can be removed from ranges via MADV_GUARD_REMOVE. The
> ranges over which this is applied, should they contain non-guard entries,
> will be untouched, with only guard entries being cleared.
>
> We permit this operation on anonymous memory only, and only VMAs which are
> non-special, non-huge and not mlock()'d (if we permitted this we'd have to
> drop locked pages which would be rather counterintuitive).
>
> Racing page faults can cause repeated attempts to install guard pages that
> are interrupted, result in a zap, and this process can end up being
> repeated. If this happens more than would be expected in normal operation,
> we rescind locks and retry the whole thing, which avoids lock contention in
> this scenario.
>
> Suggested-by: Vlastimil Babka <vbabka@suse.cz>
> Suggested-by: Jann Horn <jannh@google.com>
> Suggested-by: David Hildenbrand <david@redhat.com>
> Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
^ permalink raw reply
* Re: [PATCH 2/6] futex: Implement FUTEX2_NUMA
From: Christoph Lameter (Ampere) @ 2024-10-28 22:37 UTC (permalink / raw)
To: Peter Zijlstra
Cc: tglx, linux-kernel, mingo, dvhart, dave, andrealmeid,
Andrew Morton, urezki, hch, lstoakes, Arnd Bergmann, linux-api,
linux-mm, linux-arch, malteskarupke, llong
In-Reply-To: <20241028094618.GL9767@noisy.programming.kicks-ass.net>
On Mon, 28 Oct 2024, Peter Zijlstra wrote:
> Using get_task_policy() seems very dangerous to me. It is explicitly
> possible for different tasks in a process to have different policies,
> which means (private) futexes would fail to work correctly.
>
> We need something that is process wide consistent -- like the vma
> policies. Except at current, those are to expensive to readily access.
The vma policies are bound to addresses that in turn yields address space
wide validity.
However, different threads may run on processes on different nodes and
therefore having different numa nodes close to them etc.
^ permalink raw reply
* Re: [PATCH 2/6] futex: Implement FUTEX2_NUMA
From: Christoph Lameter (Ampere) @ 2024-10-28 22:34 UTC (permalink / raw)
To: Davidlohr Bueso
Cc: Peter Zijlstra, tglx, linux-kernel, mingo, dvhart, andrealmeid,
Andrew Morton, urezki, hch, lstoakes, Arnd Bergmann, linux-api,
linux-mm, linux-arch, malteskarupke, llong
In-Reply-To: <whmqaksbwuksdobz2fomqi3pa7btf2ucjtr3i4bz3oglidz3n2@27zggp5udztd>
On Sun, 27 Oct 2024, Davidlohr Bueso wrote:
> On Fri, 25 Oct 2024, Christoph Lameter (Ampere) wrote:\n
>
> > Would it be possible to follow the NUMA memory policy set up for a task
> > when making these decisions? We may not need a separate FUTEX2_NUMA
> > option. There are supportive functions in mm/mempolicy.c that will yield
> > a node for the futex logic to use.
>
> With numa-awareness, when would lookups ever want to be anywhere but
> local? mempolicy is about allocations, futexes are not that.
futexes use kernel metadata right? Those allocations are controlled by
the tasks memory policy.
^ permalink raw reply
* Re: [PATCH v1 11/14] futex: Implement FUTEX2_NUMA
From: Christoph Lameter (Ampere) @ 2024-10-28 22:32 UTC (permalink / raw)
To: Peter Zijlstra
Cc: tglx, axboe, linux-kernel, mingo, dvhart, dave, andrealmeid,
Andrew Morton, urezki, hch, lstoakes, Arnd Bergmann, linux-api,
linux-mm, linux-arch, malteskarupke
In-Reply-To: <20241026072119.GH9767@noisy.programming.kicks-ass.net>
On Sat, 26 Oct 2024, Peter Zijlstra wrote:
> I'll look into the per task thing, which I'm hoping means per-process.
> We need something that is mm wide consistent.
Each thread can modify its policy and that is used f.e. to control memory
allocations for syscalls. For example a thread wants to allocate kernel
metadata on a specific node then the policy would be set to that node.
Syscall is done and then the tasks resets the policy to the default.
mm wide memory policies are set at an VMA level and are associated with
addresses.
> But since futexes play in the address space, I was really rather
> thinking we ought to use the vma policy.
If they are associated with an address then you can use the address space
policy.
^ permalink raw reply
* Re: [PATCH v4 0/5] implement lightweight guard pages
From: Lorenzo Stoakes @ 2024-10-28 22:22 UTC (permalink / raw)
To: SeongJae Park
Cc: Andrew Morton, Liam R . Howlett, Matthew Wilcox, Vlastimil Babka,
Paul E . McKenney, Jann Horn, David Hildenbrand, linux-mm,
linux-kernel, Muchun Song, Richard Henderson, Matt Turner,
Thomas Bogendoerfer, James E . J . Bottomley, Helge Deller,
Chris Zankel, Max Filippov, Arnd Bergmann, linux-alpha,
linux-mips, linux-parisc, linux-arch, Shuah Khan,
Christian Brauner, linux-kselftest, Sidhartha Kumar, Jeff Xu,
Christoph Hellwig, linux-api, John Hubbard
In-Reply-To: <20241028182413.277218-1-sj@kernel.org>
On Mon, Oct 28, 2024 at 11:24:13AM -0700, SeongJae Park wrote:
> On Mon, 28 Oct 2024 14:13:26 +0000 Lorenzo Stoakes <lorenzo.stoakes@oracle.com> wrote:
>
> > Userland library functions such as allocators and threading implementations
> > often require regions of memory to act as 'guard pages' - mappings which,
> > when accessed, result in a fatal signal being sent to the accessing
> > process.
> >
> > The current means by which these are implemented is via a PROT_NONE mmap()
> > mapping, which provides the required semantics however incur an overhead of
> > a VMA for each such region.
> >
> > With a great many processes and threads, this can rapidly add up and incur
> > a significant memory penalty. It also has the added problem of preventing
> > merges that might otherwise be permitted.
> >
> > This series takes a different approach - an idea suggested by Vlasimil
> > Babka (and before him David Hildenbrand and Jann Horn - perhaps more - the
>
> Nit. s/Vlasimil/Vlastimil/ ;)
Ugh oops sorry Vlastimil! This was a silly typo... Andrew would you mind fixing
this up? I'll edit my local file for this so if I respin this will be corrected.
Thanks!
>
>
> Thanks,
> SJ
>
> [...]
^ permalink raw reply
* Re: [PATCH v3 1/5] mm: pagewalk: add the ability to install PTEs
From: Lorenzo Stoakes @ 2024-10-28 21:49 UTC (permalink / raw)
To: Jarkko Sakkinen
Cc: Andrew Morton, Suren Baghdasaryan, Liam R . Howlett,
Matthew Wilcox, Vlastimil Babka, Paul E . McKenney, Jann Horn,
David Hildenbrand, linux-mm, linux-kernel, Muchun Song,
Richard Henderson, Matt Turner, Thomas Bogendoerfer,
James E . J . Bottomley, Helge Deller, Chris Zankel, Max Filippov,
Arnd Bergmann, linux-alpha, linux-mips, linux-parisc, linux-arch,
Shuah Khan, Christian Brauner, linux-kselftest, Sidhartha Kumar,
Jeff Xu, Christoph Hellwig, linux-api, John Hubbard
In-Reply-To: <D57Q27X7GB4O.3P6DI32885K96@kernel.org>
Note there's a v4 :)
On Mon, Oct 28, 2024 at 10:29:44PM +0200, Jarkko Sakkinen wrote:
> On Wed Oct 23, 2024 at 7:24 PM EEST, Lorenzo Stoakes wrote:
> > The existing generic pagewalk logic permits the walking of page tables,
> > invoking callbacks at individual page table levels via user-provided
> > mm_walk_ops callbacks.
> >
> > This is useful for traversing existing page table entries, but precludes
> > the ability to establish new ones.
> >
> > Existing mechanism for performing a walk which also installs page table
> > entries if necessary are heavily duplicated throughout the kernel, each
> > with semantic differences from one another and largely unavailable for use
> > elsewhere.
> >
> > Rather than add yet another implementation, we extend the generic pagewalk
> > logic to enable the installation of page table entries by adding a new
> > install_pte() callback in mm_walk_ops. If this is specified, then upon
> > encountering a missing page table entry, we allocate and install a new one
> > and continue the traversal.
> >
> > If a THP huge page is encountered at either the PMD or PUD level we split
> > it only if there are ops->pte_entry() (or ops->pmd_entry at PUD level),
> > otherwise if there is only an ops->install_pte(), we avoid the unnecessary
> > split.
>
> Just for interest: does this mean that the operation is always
> "destructive" (i.e. modifying state) even when install_pte() does not
> do anything, i.e. does the split alway happen despite what the callback
> does? Not really expert on this but this paragraph won't leave me
> alone :-)
Well no as I say (perhaps not clearly) if something already exists we don't
even split huge pages. We only do so if you explicitly ask to examine page
tables levels below those where a huge page may exist.
The guard page code goes to great lengths to avoid this in all cases and
doesn't split at all.
>
> >
> > We do not support hugetlb at this stage.
> >
> > If this function returns an error, or an allocation fails during the
> > operation, we abort the operation altogether. It is up to the caller to
> > deal appropriately with partially populated page table ranges.
> >
> > If install_pte() is defined, the semantics of pte_entry() change - this
> > callback is then only invoked if the entry already exists. This is a useful
> > property, as it allows a caller to handle existing PTEs while installing
> > new ones where necessary in the specified range.
> >
> > If install_pte() is not defined, then there is no functional difference to
> > this patch, so all existing logic will work precisely as it did before.
> >
> > As we only permit the installation of PTEs where a mapping does not already
> > exist there is no need for TLB management, however we do invoke
> > update_mmu_cache() for architectures which require manual maintenance of
> > mappings for other CPUs.
> >
> > We explicitly do not allow the existing page walk API to expose this
> > feature as it is dangerous and intended for internal mm use only. Therefore
> > we provide a new walk_page_range_mm() function exposed only to
> > mm/internal.h.
> >
> > Reviewed-by: Jann Horn <jannh@google.com>
> > Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> > ---
> > include/linux/pagewalk.h | 18 +++-
> > mm/internal.h | 6 ++
> > mm/pagewalk.c | 227 +++++++++++++++++++++++++++------------
> > 3 files changed, 182 insertions(+), 69 deletions(-)
> >
> > diff --git a/include/linux/pagewalk.h b/include/linux/pagewalk.h
> > index f5eb5a32aeed..9700a29f8afb 100644
> > --- a/include/linux/pagewalk.h
> > +++ b/include/linux/pagewalk.h
> > @@ -25,12 +25,15 @@ enum page_walk_lock {
> > * this handler is required to be able to handle
> > * pmd_trans_huge() pmds. They may simply choose to
> > * split_huge_page() instead of handling it explicitly.
> > - * @pte_entry: if set, called for each PTE (lowest-level) entry,
> > - * including empty ones
> > + * @pte_entry: if set, called for each PTE (lowest-level) entry
> > + * including empty ones, except if @install_pte is set.
> > + * If @install_pte is set, @pte_entry is called only for
> > + * existing PTEs.
> > * @pte_hole: if set, called for each hole at all levels,
> > * depth is -1 if not known, 0:PGD, 1:P4D, 2:PUD, 3:PMD.
> > * Any folded depths (where PTRS_PER_P?D is equal to 1)
> > - * are skipped.
> > + * are skipped. If @install_pte is specified, this will
> > + * not trigger for any populated ranges.
> > * @hugetlb_entry: if set, called for each hugetlb entry. This hook
> > * function is called with the vma lock held, in order to
> > * protect against a concurrent freeing of the pte_t* or
> > @@ -51,6 +54,13 @@ enum page_walk_lock {
> > * @pre_vma: if set, called before starting walk on a non-null vma.
> > * @post_vma: if set, called after a walk on a non-null vma, provided
> > * that @pre_vma and the vma walk succeeded.
> > + * @install_pte: if set, missing page table entries are installed and
> > + * thus all levels are always walked in the specified
> > + * range. This callback is then invoked at the PTE level
> > + * (having split any THP pages prior), providing the PTE to
> > + * install. If allocations fail, the walk is aborted. This
> > + * operation is only available for userland memory. Not
> > + * usable for hugetlb ranges.
>
> Given that especially walk_page_range_novma() has bunch of call sites,
> it would not hurt to mention here simply that only for mm-internal use
> with not much other explanation.
We explicitly document this in multiple places. A user will very quickly
discover this is not available.
I will adjust this blurb if I need to do a respin.
>
> > *
> > * p?d_entry callbacks are called even if those levels are folded on a
> > * particular architecture/configuration.
> > @@ -76,6 +86,8 @@ struct mm_walk_ops {
> > int (*pre_vma)(unsigned long start, unsigned long end,
> > struct mm_walk *walk);
> > void (*post_vma)(struct mm_walk *walk);
> > + int (*install_pte)(unsigned long addr, unsigned long next,
> > + pte_t *ptep, struct mm_walk *walk);
> > enum page_walk_lock walk_lock;
> > };
> >
> > diff --git a/mm/internal.h b/mm/internal.h
> > index 508f7802dd2b..fb1fb0c984e4 100644
> > --- a/mm/internal.h
> > +++ b/mm/internal.h
> > @@ -12,6 +12,7 @@
> > #include <linux/mm.h>
> > #include <linux/mm_inline.h>
> > #include <linux/pagemap.h>
> > +#include <linux/pagewalk.h>
> > #include <linux/rmap.h>
> > #include <linux/swap.h>
> > #include <linux/swapops.h>
> > @@ -1451,4 +1452,9 @@ static inline void accept_page(struct page *page)
> > }
> > #endif /* CONFIG_UNACCEPTED_MEMORY */
> >
> > +/* pagewalk.c */
> > +int walk_page_range_mm(struct mm_struct *mm, unsigned long start,
> > + unsigned long end, const struct mm_walk_ops *ops,
> > + void *private);
> > +
> > #endif /* __MM_INTERNAL_H */
> > diff --git a/mm/pagewalk.c b/mm/pagewalk.c
> > index 5f9f01532e67..f3cbad384344 100644
> > --- a/mm/pagewalk.c
> > +++ b/mm/pagewalk.c
> > @@ -3,9 +3,14 @@
> > #include <linux/highmem.h>
> > #include <linux/sched.h>
> > #include <linux/hugetlb.h>
> > +#include <linux/mmu_context.h>
> > #include <linux/swap.h>
> > #include <linux/swapops.h>
> >
> > +#include <asm/tlbflush.h>
> > +
> > +#include "internal.h"
> > +
> > /*
> > * We want to know the real level where a entry is located ignoring any
> > * folding of levels which may be happening. For example if p4d is folded then
> > @@ -29,9 +34,23 @@ static int walk_pte_range_inner(pte_t *pte, unsigned long addr,
> > int err = 0;
> >
> > for (;;) {
> > - err = ops->pte_entry(pte, addr, addr + PAGE_SIZE, walk);
> > - if (err)
> > - break;
> > + if (ops->install_pte && pte_none(ptep_get(pte))) {
> > + pte_t new_pte;
> > +
> > + err = ops->install_pte(addr, addr + PAGE_SIZE, &new_pte,
> > + walk);
> > + if (err)
> > + break;
> > +
> > + set_pte_at(walk->mm, addr, pte, new_pte);
> > + /* Non-present before, so for arches that need it. */
> > + if (!WARN_ON_ONCE(walk->no_vma))
> > + update_mmu_cache(walk->vma, addr, pte);
> > + } else {
> > + err = ops->pte_entry(pte, addr, addr + PAGE_SIZE, walk);
> > + if (err)
> > + break;
> > + }
> > if (addr >= end - PAGE_SIZE)
> > break;
> > addr += PAGE_SIZE;
> > @@ -89,11 +108,14 @@ static int walk_pmd_range(pud_t *pud, unsigned long addr, unsigned long end,
> > again:
> > next = pmd_addr_end(addr, end);
> > if (pmd_none(*pmd)) {
> > - if (ops->pte_hole)
> > + if (ops->install_pte)
> > + err = __pte_alloc(walk->mm, pmd);
> > + else if (ops->pte_hole)
> > err = ops->pte_hole(addr, next, depth, walk);
> > if (err)
> > break;
> > - continue;
> > + if (!ops->install_pte)
> > + continue;
> > }
> >
> > walk->action = ACTION_SUBTREE;
> > @@ -109,18 +131,19 @@ static int walk_pmd_range(pud_t *pud, unsigned long addr, unsigned long end,
> >
> > if (walk->action == ACTION_AGAIN)
> > goto again;
> > -
> > - /*
> > - * Check this here so we only break down trans_huge
> > - * pages when we _need_ to
> > - */
> > - if ((!walk->vma && (pmd_leaf(*pmd) || !pmd_present(*pmd))) ||
> > - walk->action == ACTION_CONTINUE ||
> > - !(ops->pte_entry))
> > + if (walk->action == ACTION_CONTINUE)
> > continue;
> > + if (!ops->install_pte && !ops->pte_entry)
> > + continue; /* Nothing to do. */
> > + if (!ops->pte_entry && ops->install_pte &&
> > + pmd_present(*pmd) &&
> > + (pmd_trans_huge(*pmd) || pmd_devmap(*pmd)))
> > + continue; /* Avoid unnecessary split. */
> >
> > if (walk->vma)
> > split_huge_pmd(walk->vma, pmd, addr);
> > + else if (pmd_leaf(*pmd) || !pmd_present(*pmd))
> > + continue; /* Nothing to do. */
> >
> > err = walk_pte_range(pmd, addr, next, walk);
> > if (err)
> > @@ -148,11 +171,14 @@ static int walk_pud_range(p4d_t *p4d, unsigned long addr, unsigned long end,
> > again:
> > next = pud_addr_end(addr, end);
> > if (pud_none(*pud)) {
> > - if (ops->pte_hole)
> > + if (ops->install_pte)
> > + err = __pmd_alloc(walk->mm, pud, addr);
> > + else if (ops->pte_hole)
> > err = ops->pte_hole(addr, next, depth, walk);
> > if (err)
> > break;
> > - continue;
> > + if (!ops->install_pte)
> > + continue;
> > }
> >
> > walk->action = ACTION_SUBTREE;
> > @@ -164,14 +190,20 @@ static int walk_pud_range(p4d_t *p4d, unsigned long addr, unsigned long end,
> >
> > if (walk->action == ACTION_AGAIN)
> > goto again;
> > -
> > - if ((!walk->vma && (pud_leaf(*pud) || !pud_present(*pud))) ||
> > - walk->action == ACTION_CONTINUE ||
> > - !(ops->pmd_entry || ops->pte_entry))
> > + if (walk->action == ACTION_CONTINUE)
> > continue;
> > + if (!ops->install_pte && !ops->pte_entry && !ops->pmd_entry)
> > + continue; /* Nothing to do. */
> > + if (!ops->pmd_entry && !ops->pte_entry && ops->install_pte &&
> > + pud_present(*pud) &&
> > + (pud_trans_huge(*pud) || pud_devmap(*pud)))
> > + continue; /* Avoid unnecessary split. */
> >
> > if (walk->vma)
> > split_huge_pud(walk->vma, pud, addr);
> > + else if (pud_leaf(*pud) || !pud_present(*pud))
> > + continue; /* Nothing to do. */
> > +
> > if (pud_none(*pud))
> > goto again;
> >
> > @@ -196,18 +228,22 @@ static int walk_p4d_range(pgd_t *pgd, unsigned long addr, unsigned long end,
> > do {
> > next = p4d_addr_end(addr, end);
> > if (p4d_none_or_clear_bad(p4d)) {
> > - if (ops->pte_hole)
> > + if (ops->install_pte)
> > + err = __pud_alloc(walk->mm, p4d, addr);
> > + else if (ops->pte_hole)
> > err = ops->pte_hole(addr, next, depth, walk);
> > if (err)
> > break;
> > - continue;
> > + if (!ops->install_pte)
> > + continue;
> > }
> > if (ops->p4d_entry) {
> > err = ops->p4d_entry(p4d, addr, next, walk);
> > if (err)
> > break;
> > }
> > - if (ops->pud_entry || ops->pmd_entry || ops->pte_entry)
> > + if (ops->pud_entry || ops->pmd_entry || ops->pte_entry ||
> > + ops->install_pte)
> > err = walk_pud_range(p4d, addr, next, walk);
> > if (err)
> > break;
> > @@ -231,18 +267,22 @@ static int walk_pgd_range(unsigned long addr, unsigned long end,
> > do {
> > next = pgd_addr_end(addr, end);
> > if (pgd_none_or_clear_bad(pgd)) {
> > - if (ops->pte_hole)
> > + if (ops->install_pte)
> > + err = __p4d_alloc(walk->mm, pgd, addr);
> > + else if (ops->pte_hole)
> > err = ops->pte_hole(addr, next, 0, walk);
> > if (err)
> > break;
> > - continue;
> > + if (!ops->install_pte)
> > + continue;
> > }
> > if (ops->pgd_entry) {
> > err = ops->pgd_entry(pgd, addr, next, walk);
> > if (err)
> > break;
> > }
> > - if (ops->p4d_entry || ops->pud_entry || ops->pmd_entry || ops->pte_entry)
> > + if (ops->p4d_entry || ops->pud_entry || ops->pmd_entry ||
> > + ops->pte_entry || ops->install_pte)
> > err = walk_p4d_range(pgd, addr, next, walk);
> > if (err)
> > break;
> > @@ -334,6 +374,11 @@ static int __walk_page_range(unsigned long start, unsigned long end,
> > int err = 0;
> > struct vm_area_struct *vma = walk->vma;
> > const struct mm_walk_ops *ops = walk->ops;
> > + bool is_hugetlb = is_vm_hugetlb_page(vma);
> > +
> > + /* We do not support hugetlb PTE installation. */
> > + if (ops->install_pte && is_hugetlb)
> > + return -EINVAL;
> >
> > if (ops->pre_vma) {
> > err = ops->pre_vma(start, end, walk);
> > @@ -341,7 +386,7 @@ static int __walk_page_range(unsigned long start, unsigned long end,
> > return err;
> > }
> >
> > - if (is_vm_hugetlb_page(vma)) {
> > + if (is_hugetlb) {
> > if (ops->hugetlb_entry)
> > err = walk_hugetlb_range(start, end, walk);
> > } else
> > @@ -380,47 +425,14 @@ static inline void process_vma_walk_lock(struct vm_area_struct *vma,
> > #endif
> > }
> >
> > -/**
> > - * walk_page_range - walk page table with caller specific callbacks
> > - * @mm: mm_struct representing the target process of page table walk
> > - * @start: start address of the virtual address range
> > - * @end: end address of the virtual address range
> > - * @ops: operation to call during the walk
> > - * @private: private data for callbacks' usage
> > - *
> > - * Recursively walk the page table tree of the process represented by @mm
> > - * within the virtual address range [@start, @end). During walking, we can do
> > - * some caller-specific works for each entry, by setting up pmd_entry(),
> > - * pte_entry(), and/or hugetlb_entry(). If you don't set up for some of these
> > - * callbacks, the associated entries/pages are just ignored.
> > - * The return values of these callbacks are commonly defined like below:
> > - *
> > - * - 0 : succeeded to handle the current entry, and if you don't reach the
> > - * end address yet, continue to walk.
> > - * - >0 : succeeded to handle the current entry, and return to the caller
> > - * with caller specific value.
> > - * - <0 : failed to handle the current entry, and return to the caller
> > - * with error code.
> > - *
> > - * Before starting to walk page table, some callers want to check whether
> > - * they really want to walk over the current vma, typically by checking
> > - * its vm_flags. walk_page_test() and @ops->test_walk() are used for this
> > - * purpose.
> > - *
> > - * If operations need to be staged before and committed after a vma is walked,
> > - * there are two callbacks, pre_vma() and post_vma(). Note that post_vma(),
> > - * since it is intended to handle commit-type operations, can't return any
> > - * errors.
> > - *
> > - * struct mm_walk keeps current values of some common data like vma and pmd,
> > - * which are useful for the access from callbacks. If you want to pass some
> > - * caller-specific data to callbacks, @private should be helpful.
> > +/*
> > + * See the comment for walk_page_range(), this performs the heavy lifting of the
> > + * operation, only sets no restrictions on how the walk proceeds.
> > *
> > - * Locking:
> > - * Callers of walk_page_range() and walk_page_vma() should hold @mm->mmap_lock,
> > - * because these function traverse vma list and/or access to vma's data.
> > + * We usually restrict the ability to install PTEs, but this functionality is
> > + * available to internal memory management code and provided in mm/internal.h.
> > */
> > -int walk_page_range(struct mm_struct *mm, unsigned long start,
> > +int walk_page_range_mm(struct mm_struct *mm, unsigned long start,
> > unsigned long end, const struct mm_walk_ops *ops,
> > void *private)
> > {
> > @@ -479,6 +491,80 @@ int walk_page_range(struct mm_struct *mm, unsigned long start,
> > return err;
> > }
> >
> > +/*
> > + * Determine if the walk operations specified are permitted to be used for a
> > + * page table walk.
> > + *
> > + * This check is performed on all functions which are parameterised by walk
> > + * operations and exposed in include/linux/pagewalk.h.
> > + *
> > + * Internal memory management code can use the walk_page_range_mm() function to
> > + * be able to use all page walking operations.
> > + */
> > +static bool check_ops_valid(const struct mm_walk_ops *ops)
> > +{
> > + /*
> > + * The installation of PTEs is solely under the control of memory
> > + * management logic and subject to many subtle locking, security and
> > + * cache considerations so we cannot permit other users to do so, and
> > + * certainly not for exported symbols.
> > + */
> > + if (ops->install_pte)
> > + return false;
> > +
> > + return true;
>
> or "return !!(ops->install_pte);"
>
> > +}
>
> Alternatively one could consider defining "struct mm_walk_internal_ops",
> which would be only available in internal.h but I guess there is good
> reasons to do it way it is.
Yes.
>
> > +
> > +/**
> > + * walk_page_range - walk page table with caller specific callbacks
> > + * @mm: mm_struct representing the target process of page table walk
> > + * @start: start address of the virtual address range
> > + * @end: end address of the virtual address range
> > + * @ops: operation to call during the walk
> > + * @private: private data for callbacks' usage
> > + *
> > + * Recursively walk the page table tree of the process represented by @mm
> > + * within the virtual address range [@start, @end). During walking, we can do
> > + * some caller-specific works for each entry, by setting up pmd_entry(),
> > + * pte_entry(), and/or hugetlb_entry(). If you don't set up for some of these
> > + * callbacks, the associated entries/pages are just ignored.
> > + * The return values of these callbacks are commonly defined like below:
> > + *
> > + * - 0 : succeeded to handle the current entry, and if you don't reach the
> > + * end address yet, continue to walk.
> > + * - >0 : succeeded to handle the current entry, and return to the caller
> > + * with caller specific value.
> > + * - <0 : failed to handle the current entry, and return to the caller
> > + * with error code.
> > + *
> > + * Before starting to walk page table, some callers want to check whether
> > + * they really want to walk over the current vma, typically by checking
> > + * its vm_flags. walk_page_test() and @ops->test_walk() are used for this
> > + * purpose.
> > + *
> > + * If operations need to be staged before and committed after a vma is walked,
> > + * there are two callbacks, pre_vma() and post_vma(). Note that post_vma(),
> > + * since it is intended to handle commit-type operations, can't return any
> > + * errors.
> > + *
> > + * struct mm_walk keeps current values of some common data like vma and pmd,
> > + * which are useful for the access from callbacks. If you want to pass some
> > + * caller-specific data to callbacks, @private should be helpful.
> > + *
> > + * Locking:
> > + * Callers of walk_page_range() and walk_page_vma() should hold @mm->mmap_lock,
> > + * because these function traverse vma list and/or access to vma's data.
> > + */
> > +int walk_page_range(struct mm_struct *mm, unsigned long start,
> > + unsigned long end, const struct mm_walk_ops *ops,
> > + void *private)
> > +{
> > + if (!check_ops_valid(ops))
> > + return -EINVAL;
> > +
> > + return walk_page_range_mm(mm, start, end, ops, private);
> > +}
> > +
> > /**
> > * walk_page_range_novma - walk a range of pagetables not backed by a vma
> > * @mm: mm_struct representing the target process of page table walk
> > @@ -494,7 +580,7 @@ int walk_page_range(struct mm_struct *mm, unsigned long start,
> > * walking the kernel pages tables or page tables for firmware.
> > *
> > * Note: Be careful to walk the kernel pages tables, the caller may be need to
> > - * take other effective approache (mmap lock may be insufficient) to prevent
> > + * take other effective approaches (mmap lock may be insufficient) to prevent
> > * the intermediate kernel page tables belonging to the specified address range
> > * from being freed (e.g. memory hot-remove).
> > */
> > @@ -513,6 +599,8 @@ int walk_page_range_novma(struct mm_struct *mm, unsigned long start,
> >
> > if (start >= end || !walk.mm)
> > return -EINVAL;
> > + if (!check_ops_valid(ops))
> > + return -EINVAL;
> >
> > /*
> > * 1) For walking the user virtual address space:
> > @@ -556,6 +644,8 @@ int walk_page_range_vma(struct vm_area_struct *vma, unsigned long start,
> > return -EINVAL;
> > if (start < vma->vm_start || end > vma->vm_end)
> > return -EINVAL;
> > + if (!check_ops_valid(ops))
> > + return -EINVAL;
> >
> > process_mm_walk_lock(walk.mm, ops->walk_lock);
> > process_vma_walk_lock(vma, ops->walk_lock);
> > @@ -574,6 +664,8 @@ int walk_page_vma(struct vm_area_struct *vma, const struct mm_walk_ops *ops,
> >
> > if (!walk.mm)
> > return -EINVAL;
> > + if (!check_ops_valid(ops))
> > + return -EINVAL;
> >
> > process_mm_walk_lock(walk.mm, ops->walk_lock);
> > process_vma_walk_lock(vma, ops->walk_lock);
> > @@ -623,6 +715,9 @@ int walk_page_mapping(struct address_space *mapping, pgoff_t first_index,
> > unsigned long start_addr, end_addr;
> > int err = 0;
> >
> > + if (!check_ops_valid(ops))
> > + return -EINVAL;
> > +
> > lockdep_assert_held(&mapping->i_mmap_rwsem);
> > vma_interval_tree_foreach(vma, &mapping->i_mmap, first_index,
> > first_index + nr - 1) {
>
> So I took a random patch set in order to learn how to compile Fedora Ark
> kernel out of any upstream tree (mm in this case), thus making noise
> here.
>
> With this goal, which mainly to be able to do such thing once or twice
> per release cycle:
>
> Tested-by: Jarkko Sakkinen <jarkko@kernel.org>
>
> BR, Jarkko
Thanks!
^ permalink raw reply
* Re: [PATCH v3 3/5] mm: madvise: implement lightweight guard page mechanism
From: Jarkko Sakkinen @ 2024-10-28 20:45 UTC (permalink / raw)
To: Lorenzo Stoakes, Andrew Morton
Cc: Suren Baghdasaryan, Liam R . Howlett, Matthew Wilcox,
Vlastimil Babka, Paul E . McKenney, Jann Horn, David Hildenbrand,
linux-mm, linux-kernel, Muchun Song, Richard Henderson,
Matt Turner, Thomas Bogendoerfer, James E . J . Bottomley,
Helge Deller, Chris Zankel, Max Filippov, Arnd Bergmann,
linux-alpha, linux-mips, linux-parisc, linux-arch, Shuah Khan,
Christian Brauner, linux-kselftest, Sidhartha Kumar, Jeff Xu,
Christoph Hellwig, linux-api, John Hubbard
In-Reply-To: <415da1e6c5828d96db3af480d243a7f68ccabf6d.1729699916.git.lorenzo.stoakes@oracle.com>
On Wed Oct 23, 2024 at 7:24 PM EEST, Lorenzo Stoakes wrote:
> Implement a new lightweight guard page feature, that is regions of userland
> virtual memory that, when accessed, cause a fatal signal to arise.
>
> Currently users must establish PROT_NONE ranges to achieve this.
A bit off-topic but other hack with PROT_NONE is to allocate naturally
aligned ranges:
1. mmap() of 2*N size with PROT_NONE.
2. mmap(MAP_FIXED) of N size from that range.
>
> However this is very costly memory-wise - we need a VMA for each and every
> one of these regions AND they become unmergeable with surrounding VMAs.
>
> In addition repeated mmap() calls require repeated kernel context switches
> and contention of the mmap lock to install these ranges, potentially also
> having to unmap memory if installed over existing ranges.
>
> The lightweight guard approach eliminates the VMA cost altogether - rather
> than establishing a PROT_NONE VMA, it operates at the level of page table
> entries - establishing PTE markers such that accesses to them cause a fault
> followed by a SIGSGEV signal being raised.
>
> This is achieved through the PTE marker mechanism, which we have already
> extended to provide PTE_MARKER_GUARD, which we installed via the generic
> page walking logic which we have extended for this purpose.
>
> These guard ranges are established with MADV_GUARD_INSTALL. If the range in
> which they are installed contain any existing mappings, they will be
> zapped, i.e. free the range and unmap memory (thus mimicking the behaviour
> of MADV_DONTNEED in this respect).
>
> Any existing guard entries will be left untouched. There is therefore no
> nesting of guarded pages.
>
> Guarded ranges are NOT cleared by MADV_DONTNEED nor MADV_FREE (in both
> instances the memory range may be reused at which point a user would expect
> guards to still be in place), but they are cleared via MADV_GUARD_REMOVE,
> process teardown or unmapping of memory ranges.
>
> The guard property can be removed from ranges via MADV_GUARD_REMOVE. The
> ranges over which this is applied, should they contain non-guard entries,
> will be untouched, with only guard entries being cleared.
>
> We permit this operation on anonymous memory only, and only VMAs which are
> non-special, non-huge and not mlock()'d (if we permitted this we'd have to
> drop locked pages which would be rather counterintuitive).
>
> Racing page faults can cause repeated attempts to install guard pages that
> are interrupted, result in a zap, and this process can end up being
> repeated. If this happens more than would be expected in normal operation,
> we rescind locks and retry the whole thing, which avoids lock contention in
> this scenario.
>
> Suggested-by: Vlastimil Babka <vbabka@suse.cz>
> Suggested-by: Jann Horn <jannh@google.com>
> Suggested-by: David Hildenbrand <david@redhat.com>
> Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> ---
> arch/alpha/include/uapi/asm/mman.h | 3 +
> arch/mips/include/uapi/asm/mman.h | 3 +
> arch/parisc/include/uapi/asm/mman.h | 3 +
> arch/xtensa/include/uapi/asm/mman.h | 3 +
> include/uapi/asm-generic/mman-common.h | 3 +
> mm/internal.h | 6 +
> mm/madvise.c | 225 +++++++++++++++++++++++++
> mm/mseal.c | 1 +
> 8 files changed, 247 insertions(+)
>
> diff --git a/arch/alpha/include/uapi/asm/mman.h b/arch/alpha/include/uapi/asm/mman.h
> index 763929e814e9..1e700468a685 100644
> --- a/arch/alpha/include/uapi/asm/mman.h
> +++ b/arch/alpha/include/uapi/asm/mman.h
> @@ -78,6 +78,9 @@
>
> #define MADV_COLLAPSE 25 /* Synchronous hugepage collapse */
>
> +#define MADV_GUARD_INSTALL 102 /* fatal signal on access to range */
> +#define MADV_GUARD_REMOVE 103 /* unguard range */
> +
> /* compatibility flags */
> #define MAP_FILE 0
>
> diff --git a/arch/mips/include/uapi/asm/mman.h b/arch/mips/include/uapi/asm/mman.h
> index 9c48d9a21aa0..b700dae28c48 100644
> --- a/arch/mips/include/uapi/asm/mman.h
> +++ b/arch/mips/include/uapi/asm/mman.h
> @@ -105,6 +105,9 @@
>
> #define MADV_COLLAPSE 25 /* Synchronous hugepage collapse */
>
> +#define MADV_GUARD_INSTALL 102 /* fatal signal on access to range */
> +#define MADV_GUARD_REMOVE 103 /* unguard range */
> +
> /* compatibility flags */
> #define MAP_FILE 0
>
> diff --git a/arch/parisc/include/uapi/asm/mman.h b/arch/parisc/include/uapi/asm/mman.h
> index 68c44f99bc93..b6a709506987 100644
> --- a/arch/parisc/include/uapi/asm/mman.h
> +++ b/arch/parisc/include/uapi/asm/mman.h
> @@ -75,6 +75,9 @@
> #define MADV_HWPOISON 100 /* poison a page for testing */
> #define MADV_SOFT_OFFLINE 101 /* soft offline page for testing */
>
> +#define MADV_GUARD_INSTALL 102 /* fatal signal on access to range */
> +#define MADV_GUARD_REMOVE 103 /* unguard range */
> +
> /* compatibility flags */
> #define MAP_FILE 0
>
> diff --git a/arch/xtensa/include/uapi/asm/mman.h b/arch/xtensa/include/uapi/asm/mman.h
> index 1ff0c858544f..99d4ccee7f6e 100644
> --- a/arch/xtensa/include/uapi/asm/mman.h
> +++ b/arch/xtensa/include/uapi/asm/mman.h
> @@ -113,6 +113,9 @@
>
> #define MADV_COLLAPSE 25 /* Synchronous hugepage collapse */
>
> +#define MADV_GUARD_INSTALL 102 /* fatal signal on access to range */
> +#define MADV_GUARD_REMOVE 103 /* unguard range */
> +
> /* compatibility flags */
> #define MAP_FILE 0
>
> diff --git a/include/uapi/asm-generic/mman-common.h b/include/uapi/asm-generic/mman-common.h
> index 6ce1f1ceb432..1ea2c4c33b86 100644
> --- a/include/uapi/asm-generic/mman-common.h
> +++ b/include/uapi/asm-generic/mman-common.h
> @@ -79,6 +79,9 @@
>
> #define MADV_COLLAPSE 25 /* Synchronous hugepage collapse */
>
> +#define MADV_GUARD_INSTALL 102 /* fatal signal on access to range */
> +#define MADV_GUARD_REMOVE 103 /* unguard range */
> +
> /* compatibility flags */
> #define MAP_FILE 0
>
> diff --git a/mm/internal.h b/mm/internal.h
> index fb1fb0c984e4..fcf08b5e64dc 100644
> --- a/mm/internal.h
> +++ b/mm/internal.h
> @@ -423,6 +423,12 @@ extern unsigned long highest_memmap_pfn;
> */
> #define MAX_RECLAIM_RETRIES 16
>
> +/*
> + * Maximum number of attempts we make to install guard pages before we give up
> + * and return -ERESTARTNOINTR to have userspace try again.
> + */
> +#define MAX_MADVISE_GUARD_RETRIES 3
> +
> /*
> * in mm/vmscan.c:
> */
> diff --git a/mm/madvise.c b/mm/madvise.c
> index e871a72a6c32..48eba25e25fe 100644
> --- a/mm/madvise.c
> +++ b/mm/madvise.c
> @@ -60,6 +60,8 @@ static int madvise_need_mmap_write(int behavior)
> case MADV_POPULATE_READ:
> case MADV_POPULATE_WRITE:
> case MADV_COLLAPSE:
> + case MADV_GUARD_INSTALL:
> + case MADV_GUARD_REMOVE:
> return 0;
> default:
> /* be safe, default to 1. list exceptions explicitly */
> @@ -1017,6 +1019,214 @@ static long madvise_remove(struct vm_area_struct *vma,
> return error;
> }
>
> +static bool is_valid_guard_vma(struct vm_area_struct *vma, bool allow_locked)
> +{
> + vm_flags_t disallowed = VM_SPECIAL | VM_HUGETLB;
> +
> + /*
> + * A user could lock after setting a guard range but that's fine, as
> + * they'd not be able to fault in. The issue arises when we try to zap
> + * existing locked VMAs. We don't want to do that.
> + */
> + if (!allow_locked)
> + disallowed |= VM_LOCKED;
> +
> + if (!vma_is_anonymous(vma))
> + return false;
> +
> + if ((vma->vm_flags & (VM_MAYWRITE | disallowed)) != VM_MAYWRITE)
> + return false;
> +
> + return true;
> +}
> +
> +static bool is_guard_pte_marker(pte_t ptent)
> +{
> + return is_pte_marker(ptent) &&
> + is_guard_swp_entry(pte_to_swp_entry(ptent));
> +}
> +
> +static int guard_install_pud_entry(pud_t *pud, unsigned long addr,
> + unsigned long next, struct mm_walk *walk)
> +{
> + pud_t pudval = pudp_get(pud);
> +
> + /* If huge return >0 so we abort the operation + zap. */
> + return pud_trans_huge(pudval) || pud_devmap(pudval);
> +}
> +
> +static int guard_install_pmd_entry(pmd_t *pmd, unsigned long addr,
> + unsigned long next, struct mm_walk *walk)
> +{
> + pmd_t pmdval = pmdp_get(pmd);
> +
> + /* If huge return >0 so we abort the operation + zap. */
> + return pmd_trans_huge(pmdval) || pmd_devmap(pmdval);
> +}
> +
> +static int guard_install_pte_entry(pte_t *pte, unsigned long addr,
> + unsigned long next, struct mm_walk *walk)
> +{
> + pte_t pteval = ptep_get(pte);
> + unsigned long *nr_pages = (unsigned long *)walk->private;
> +
> + /* If there is already a guard page marker, we have nothing to do. */
> + if (is_guard_pte_marker(pteval)) {
> + (*nr_pages)++;
> +
> + return 0;
> + }
> +
> + /* If populated return >0 so we abort the operation + zap. */
> + return 1;
> +}
> +
> +static int guard_install_set_pte(unsigned long addr, unsigned long next,
> + pte_t *ptep, struct mm_walk *walk)
> +{
> + unsigned long *nr_pages = (unsigned long *)walk->private;
> +
> + /* Simply install a PTE marker, this causes segfault on access. */
> + *ptep = make_pte_marker(PTE_MARKER_GUARD);
> + (*nr_pages)++;
> +
> + return 0;
> +}
> +
> +static const struct mm_walk_ops guard_install_walk_ops = {
> + .pud_entry = guard_install_pud_entry,
> + .pmd_entry = guard_install_pmd_entry,
> + .pte_entry = guard_install_pte_entry,
> + .install_pte = guard_install_set_pte,
> + .walk_lock = PGWALK_RDLOCK,
> +};
> +
> +static long madvise_guard_install(struct vm_area_struct *vma,
> + struct vm_area_struct **prev,
> + unsigned long start, unsigned long end)
> +{
> + long err;
> + int i;
> +
> + *prev = vma;
> + if (!is_valid_guard_vma(vma, /* allow_locked = */false))
> + return -EINVAL;
> +
> + /*
> + * If we install guard markers, then the range is no longer
> + * empty from a page table perspective and therefore it's
> + * appropriate to have an anon_vma.
> + *
> + * This ensures that on fork, we copy page tables correctly.
> + */
> + err = anon_vma_prepare(vma);
> + if (err)
> + return err;
> +
> + /*
> + * Optimistically try to install the guard marker pages first. If any
> + * non-guard pages are encountered, give up and zap the range before
> + * trying again.
> + *
> + * We try a few times before giving up and releasing back to userland to
> + * loop around, releasing locks in the process to avoid contention. This
> + * would only happen if there was a great many racing page faults.
> + *
> + * In most cases we should simply install the guard markers immediately
> + * with no zap or looping.
> + */
> + for (i = 0; i < MAX_MADVISE_GUARD_RETRIES; i++) {
> + unsigned long nr_pages = 0;
> +
> + /* Returns < 0 on error, == 0 if success, > 0 if zap needed. */
> + err = walk_page_range_mm(vma->vm_mm, start, end,
> + &guard_install_walk_ops, &nr_pages);
> + if (err < 0)
> + return err;
> +
> + if (err == 0) {
> + unsigned long nr_expected_pages = PHYS_PFN(end - start);
> +
> + VM_WARN_ON(nr_pages != nr_expected_pages);
> + return 0;
> + }
> +
> + /*
> + * OK some of the range have non-guard pages mapped, zap
> + * them. This leaves existing guard pages in place.
> + */
> + zap_page_range_single(vma, start, end - start, NULL);
> + }
> +
> + /*
> + * We were unable to install the guard pages due to being raced by page
> + * faults. This should not happen ordinarily. We return to userspace and
> + * immediately retry, relieving lock contention.
> + */
> + return -ERESTARTNOINTR;
> +}
> +
> +static int guard_remove_pud_entry(pud_t *pud, unsigned long addr,
> + unsigned long next, struct mm_walk *walk)
> +{
> + pud_t pudval = pudp_get(pud);
> +
> + /* If huge, cannot have guard pages present, so no-op - skip. */
> + if (pud_trans_huge(pudval) || pud_devmap(pudval))
> + walk->action = ACTION_CONTINUE;
> +
> + return 0;
> +}
> +
> +static int guard_remove_pmd_entry(pmd_t *pmd, unsigned long addr,
> + unsigned long next, struct mm_walk *walk)
> +{
> + pmd_t pmdval = pmdp_get(pmd);
> +
> + /* If huge, cannot have guard pages present, so no-op - skip. */
> + if (pmd_trans_huge(pmdval) || pmd_devmap(pmdval))
> + walk->action = ACTION_CONTINUE;
> +
> + return 0;
> +}
> +
> +static int guard_remove_pte_entry(pte_t *pte, unsigned long addr,
> + unsigned long next, struct mm_walk *walk)
> +{
> + pte_t ptent = ptep_get(pte);
> +
> + if (is_guard_pte_marker(ptent)) {
> + /* Simply clear the PTE marker. */
> + pte_clear_not_present_full(walk->mm, addr, pte, false);
> + update_mmu_cache(walk->vma, addr, pte);
> + }
> +
> + return 0;
> +}
> +
> +static const struct mm_walk_ops guard_remove_walk_ops = {
> + .pud_entry = guard_remove_pud_entry,
> + .pmd_entry = guard_remove_pmd_entry,
> + .pte_entry = guard_remove_pte_entry,
> + .walk_lock = PGWALK_RDLOCK,
> +};
> +
> +static long madvise_guard_remove(struct vm_area_struct *vma,
> + struct vm_area_struct **prev,
> + unsigned long start, unsigned long end)
> +{
> + *prev = vma;
> + /*
> + * We're ok with removing guards in mlock()'d ranges, as this is a
> + * non-destructive action.
> + */
> + if (!is_valid_guard_vma(vma, /* allow_locked = */true))
> + return -EINVAL;
> +
> + return walk_page_range(vma->vm_mm, start, end,
> + &guard_remove_walk_ops, NULL);
> +}
> +
> /*
> * Apply an madvise behavior to a region of a vma. madvise_update_vma
> * will handle splitting a vm area into separate areas, each area with its own
> @@ -1098,6 +1308,10 @@ static int madvise_vma_behavior(struct vm_area_struct *vma,
> break;
> case MADV_COLLAPSE:
> return madvise_collapse(vma, prev, start, end);
> + case MADV_GUARD_INSTALL:
> + return madvise_guard_install(vma, prev, start, end);
> + case MADV_GUARD_REMOVE:
> + return madvise_guard_remove(vma, prev, start, end);
> }
>
> anon_name = anon_vma_name(vma);
> @@ -1197,6 +1411,8 @@ madvise_behavior_valid(int behavior)
> case MADV_DODUMP:
> case MADV_WIPEONFORK:
> case MADV_KEEPONFORK:
> + case MADV_GUARD_INSTALL:
> + case MADV_GUARD_REMOVE:
> #ifdef CONFIG_MEMORY_FAILURE
> case MADV_SOFT_OFFLINE:
> case MADV_HWPOISON:
> @@ -1490,6 +1706,15 @@ static ssize_t vector_madvise(struct mm_struct *mm, struct iov_iter *iter,
> while (iov_iter_count(iter)) {
> ret = do_madvise(mm, (unsigned long)iter_iov_addr(iter),
> iter_iov_len(iter), behavior);
> + /*
> + * We cannot return this, as we instead return the number of
> + * successful operations. Since all this would achieve in a
> + * single madvise() invocation is to re-enter the syscall, and
> + * we have already rescinded locks, it should be no problem to
> + * simply try again.
> + */
> + if (ret == -ERESTARTNOINTR)
> + continue;
> if (ret < 0)
> break;
> iov_iter_advance(iter, iter_iov_len(iter));
> diff --git a/mm/mseal.c b/mm/mseal.c
> index ece977bd21e1..81d6e980e8a9 100644
> --- a/mm/mseal.c
> +++ b/mm/mseal.c
> @@ -30,6 +30,7 @@ static bool is_madv_discard(int behavior)
> case MADV_REMOVE:
> case MADV_DONTFORK:
> case MADV_WIPEONFORK:
> + case MADV_GUARD_INSTALL:
> return true;
> }
>
Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Jarkko Sakkinen <jarkko@kernel.org>
BR, Jarkko
^ permalink raw reply
* Re: [PATCH v3 2/5] mm: add PTE_MARKER_GUARD PTE marker
From: Jarkko Sakkinen @ 2024-10-28 20:34 UTC (permalink / raw)
To: Lorenzo Stoakes, Andrew Morton
Cc: Suren Baghdasaryan, Liam R . Howlett, Matthew Wilcox,
Vlastimil Babka, Paul E . McKenney, Jann Horn, David Hildenbrand,
linux-mm, linux-kernel, Muchun Song, Richard Henderson,
Matt Turner, Thomas Bogendoerfer, James E . J . Bottomley,
Helge Deller, Chris Zankel, Max Filippov, Arnd Bergmann,
linux-alpha, linux-mips, linux-parisc, linux-arch, Shuah Khan,
Christian Brauner, linux-kselftest, Sidhartha Kumar, Jeff Xu,
Christoph Hellwig, linux-api, John Hubbard
In-Reply-To: <7f81287792eef318a7a711d358c00e2e48216f15.1729699916.git.lorenzo.stoakes@oracle.com>
On Wed Oct 23, 2024 at 7:24 PM EEST, Lorenzo Stoakes wrote:
> Add a new PTE marker that results in any access causing the accessing
> process to segfault.
>
> This is preferable to PTE_MARKER_POISONED, which results in the same
> handling as hardware poisoned memory, and is thus undesirable for cases
> where we simply wish to 'soft' poison a range.
>
> This is in preparation for implementing the ability to specify guard pages
> at the page table level, i.e. ranges that, when accessed, should cause
> process termination.
>
> Additionally, rename zap_drop_file_uffd_wp() to zap_drop_markers() - the
> function checks the ZAP_FLAG_DROP_MARKER flag so naming it for this single
> purpose was simply incorrect.
>
> We then reuse the same logic to determine whether a zap should clear a
> guard entry - this should only be performed on teardown and never on
> MADV_DONTNEED or MADV_FREE.
>
> We additionally add a WARN_ON_ONCE() in hugetlb logic should a guard marker
> be encountered there, as we explicitly do not support this operation and
> this should not occur.
>
> Acked-by: Vlastimil Babka <vbabkba@suse.cz>
> Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> ---
> include/linux/mm_inline.h | 2 +-
> include/linux/swapops.h | 24 +++++++++++++++++++++++-
> mm/hugetlb.c | 4 ++++
> mm/memory.c | 18 +++++++++++++++---
> mm/mprotect.c | 6 ++++--
> 5 files changed, 47 insertions(+), 7 deletions(-)
>
> diff --git a/include/linux/mm_inline.h b/include/linux/mm_inline.h
> index 355cf46a01a6..1b6a917fffa4 100644
> --- a/include/linux/mm_inline.h
> +++ b/include/linux/mm_inline.h
> @@ -544,7 +544,7 @@ static inline pte_marker copy_pte_marker(
> {
> pte_marker srcm = pte_marker_get(entry);
> /* Always copy error entries. */
> - pte_marker dstm = srcm & PTE_MARKER_POISONED;
> + pte_marker dstm = srcm & (PTE_MARKER_POISONED | PTE_MARKER_GUARD);
>
> /* Only copy PTE markers if UFFD register matches. */
> if ((srcm & PTE_MARKER_UFFD_WP) && userfaultfd_wp(dst_vma))
> diff --git a/include/linux/swapops.h b/include/linux/swapops.h
> index cb468e418ea1..96f26e29fefe 100644
> --- a/include/linux/swapops.h
> +++ b/include/linux/swapops.h
> @@ -426,9 +426,19 @@ typedef unsigned long pte_marker;
> * "Poisoned" here is meant in the very general sense of "future accesses are
> * invalid", instead of referring very specifically to hardware memory errors.
> * This marker is meant to represent any of various different causes of this.
> + *
> + * Note that, when encountered by the faulting logic, PTEs with this marker will
> + * result in VM_FAULT_HWPOISON and thus regardless trigger hardware memory error
> + * logic.
> */
> #define PTE_MARKER_POISONED BIT(1)
> -#define PTE_MARKER_MASK (BIT(2) - 1)
> +/*
> + * Indicates that, on fault, this PTE will case a SIGSEGV signal to be
> + * sent. This means guard markers behave in effect as if the region were mapped
> + * PROT_NONE, rather than if they were a memory hole or equivalent.
> + */
> +#define PTE_MARKER_GUARD BIT(2)
> +#define PTE_MARKER_MASK (BIT(3) - 1)
>
> static inline swp_entry_t make_pte_marker_entry(pte_marker marker)
> {
> @@ -464,6 +474,18 @@ static inline int is_poisoned_swp_entry(swp_entry_t entry)
> {
> return is_pte_marker_entry(entry) &&
> (pte_marker_get(entry) & PTE_MARKER_POISONED);
> +
> +}
> +
> +static inline swp_entry_t make_guard_swp_entry(void)
> +{
> + return make_pte_marker_entry(PTE_MARKER_GUARD);
> +}
> +
> +static inline int is_guard_swp_entry(swp_entry_t entry)
> +{
> + return is_pte_marker_entry(entry) &&
> + (pte_marker_get(entry) & PTE_MARKER_GUARD);
> }
>
> /*
> diff --git a/mm/hugetlb.c b/mm/hugetlb.c
> index 906294ac85dc..2c8c5da0f5d3 100644
> --- a/mm/hugetlb.c
> +++ b/mm/hugetlb.c
> @@ -6353,6 +6353,10 @@ vm_fault_t hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
> ret = VM_FAULT_HWPOISON_LARGE |
> VM_FAULT_SET_HINDEX(hstate_index(h));
> goto out_mutex;
> + } else if (WARN_ON_ONCE(marker & PTE_MARKER_GUARD)) {
> + /* This isn't supported in hugetlb. */
> + ret = VM_FAULT_SIGSEGV;
> + goto out_mutex;
> }
> }
>
> diff --git a/mm/memory.c b/mm/memory.c
> index 0f614523b9f4..551455cd453f 100644
> --- a/mm/memory.c
> +++ b/mm/memory.c
> @@ -1455,7 +1455,7 @@ static inline bool should_zap_folio(struct zap_details *details,
> return !folio_test_anon(folio);
> }
>
> -static inline bool zap_drop_file_uffd_wp(struct zap_details *details)
> +static inline bool zap_drop_markers(struct zap_details *details)
> {
> if (!details)
> return false;
> @@ -1476,7 +1476,7 @@ zap_install_uffd_wp_if_needed(struct vm_area_struct *vma,
> if (vma_is_anonymous(vma))
> return;
>
> - if (zap_drop_file_uffd_wp(details))
> + if (zap_drop_markers(details))
> return;
>
> for (;;) {
> @@ -1671,7 +1671,15 @@ static unsigned long zap_pte_range(struct mmu_gather *tlb,
> * drop the marker if explicitly requested.
> */
> if (!vma_is_anonymous(vma) &&
> - !zap_drop_file_uffd_wp(details))
> + !zap_drop_markers(details))
> + continue;
> + } else if (is_guard_swp_entry(entry)) {
> + /*
> + * Ordinary zapping should not remove guard PTE
> + * markers. Only do so if we should remove PTE markers
> + * in general.
> + */
> + if (!zap_drop_markers(details))
> continue;
> } else if (is_hwpoison_entry(entry) ||
> is_poisoned_swp_entry(entry)) {
> @@ -4003,6 +4011,10 @@ static vm_fault_t handle_pte_marker(struct vm_fault *vmf)
> if (marker & PTE_MARKER_POISONED)
> return VM_FAULT_HWPOISON;
>
> + /* Hitting a guard page is always a fatal condition. */
> + if (marker & PTE_MARKER_GUARD)
> + return VM_FAULT_SIGSEGV;
> +
> if (pte_marker_entry_uffd_wp(entry))
> return pte_marker_handle_uffd_wp(vmf);
>
> diff --git a/mm/mprotect.c b/mm/mprotect.c
> index 0c5d6d06107d..1f671b0667bd 100644
> --- a/mm/mprotect.c
> +++ b/mm/mprotect.c
> @@ -236,9 +236,11 @@ static long change_pte_range(struct mmu_gather *tlb,
> } else if (is_pte_marker_entry(entry)) {
> /*
> * Ignore error swap entries unconditionally,
> - * because any access should sigbus anyway.
> + * because any access should sigbus/sigsegv
> + * anyway.
> */
> - if (is_poisoned_swp_entry(entry))
> + if (is_poisoned_swp_entry(entry) ||
> + is_guard_swp_entry(entry))
> continue;
> /*
> * If this is uffd-wp pte marker and we'd like
Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
BR, Jarkko
^ permalink raw reply
* Re: [PATCH v3 5/5] selftests/mm: add self tests for guard page feature
From: Jarkko Sakkinen @ 2024-10-28 20:32 UTC (permalink / raw)
To: Lorenzo Stoakes, Andrew Morton
Cc: Suren Baghdasaryan, Liam R . Howlett, Matthew Wilcox,
Vlastimil Babka, Paul E . McKenney, Jann Horn, David Hildenbrand,
linux-mm, linux-kernel, Muchun Song, Richard Henderson,
Matt Turner, Thomas Bogendoerfer, James E . J . Bottomley,
Helge Deller, Chris Zankel, Max Filippov, Arnd Bergmann,
linux-alpha, linux-mips, linux-parisc, linux-arch, Shuah Khan,
Christian Brauner, linux-kselftest, Sidhartha Kumar, Jeff Xu,
Christoph Hellwig, linux-api, John Hubbard
In-Reply-To: <53efeca2f9db78f7accbeb721106f5786fec9e90.1729699916.git.lorenzo.stoakes@oracle.com>
On Wed Oct 23, 2024 at 7:24 PM EEST, Lorenzo Stoakes wrote:
> Utilise the kselftest harmness to implement tests for the guard page
> implementation.
>
> We start by implement basic tests asserting that guard pages can be
> installed, removed and that touching guard pages result in SIGSEGV. We also
> assert that, in removing guard pages from a range, non-guard pages remain
> intact.
>
> We then examine different operations on regions containing guard markers
> behave to ensure correct behaviour:
>
> * Operations over multiple VMAs operate as expected.
> * Invoking MADV_GUARD_INSTALL / MADV_GUARD_REMOVE via process_madvise() in
> batches works correctly.
> * Ensuring that munmap() correctly tears down guard markers.
> * Using mprotect() to adjust protection bits does not in any way override
> or cause issues with guard markers.
> * Ensuring that splitting and merging VMAs around guard markers causes no
> issue - i.e. that a marker which 'belongs' to one VMA can function just
> as well 'belonging' to another.
> * Ensuring that madvise(..., MADV_DONTNEED) and madvise(..., MADV_FREE)
> do not remove guard markers.
> * Ensuring that mlock()'ing a range containing guard markers does not
> cause issues.
> * Ensuring that mremap() can move a guard range and retain guard markers.
> * Ensuring that mremap() can expand a guard range and retain guard
> markers (perhaps moving the range).
> * Ensuring that mremap() can shrink a guard range and retain guard markers.
> * Ensuring that forking a process correctly retains guard markers.
> * Ensuring that forking a VMA with VM_WIPEONFORK set behaves sanely.
> * Ensuring that lazyfree simply clears guard markers.
> * Ensuring that userfaultfd can co-exist with guard pages.
> * Ensuring that madvise(..., MADV_POPULATE_READ) and
> madvise(..., MADV_POPULATE_WRITE) error out when encountering
> guard markers.
> * Ensuring that madvise(..., MADV_COLD) and madvise(..., MADV_PAGEOUT) do
> not remove guard markers.
>
> If any test is unable to be run due to lack of permissions, that test is
> skipped.
>
> Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
> Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> ---
> tools/testing/selftests/mm/.gitignore | 1 +
> tools/testing/selftests/mm/Makefile | 1 +
> tools/testing/selftests/mm/guard-pages.c | 1239 ++++++++++++++++++++++
> 3 files changed, 1241 insertions(+)
> create mode 100644 tools/testing/selftests/mm/guard-pages.c
>
> diff --git a/tools/testing/selftests/mm/.gitignore b/tools/testing/selftests/mm/.gitignore
> index 689bbd520296..8f01f4da1c0d 100644
> --- a/tools/testing/selftests/mm/.gitignore
> +++ b/tools/testing/selftests/mm/.gitignore
> @@ -54,3 +54,4 @@ droppable
> hugetlb_dio
> pkey_sighandler_tests_32
> pkey_sighandler_tests_64
> +guard-pages
> diff --git a/tools/testing/selftests/mm/Makefile b/tools/testing/selftests/mm/Makefile
> index 02e1204971b0..15c734d6cfec 100644
> --- a/tools/testing/selftests/mm/Makefile
> +++ b/tools/testing/selftests/mm/Makefile
> @@ -79,6 +79,7 @@ TEST_GEN_FILES += hugetlb_fault_after_madv
> TEST_GEN_FILES += hugetlb_madv_vs_map
> TEST_GEN_FILES += hugetlb_dio
> TEST_GEN_FILES += droppable
> +TEST_GEN_FILES += guard-pages
>
> ifneq ($(ARCH),arm64)
> TEST_GEN_FILES += soft-dirty
> diff --git a/tools/testing/selftests/mm/guard-pages.c b/tools/testing/selftests/mm/guard-pages.c
> new file mode 100644
> index 000000000000..7db9c913e9db
> --- /dev/null
> +++ b/tools/testing/selftests/mm/guard-pages.c
> @@ -0,0 +1,1239 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +
> +#define _GNU_SOURCE
> +#include "../kselftest_harness.h"
> +#include <asm-generic/mman.h> /* Force the import of the tools version. */
> +#include <assert.h>
> +#include <errno.h>
> +#include <fcntl.h>
> +#include <linux/userfaultfd.h>
> +#include <setjmp.h>
> +#include <signal.h>
> +#include <stdbool.h>
> +#include <stdio.h>
> +#include <stdlib.h>
> +#include <string.h>
> +#include <sys/ioctl.h>
> +#include <sys/mman.h>
> +#include <sys/syscall.h>
> +#include <sys/uio.h>
> +#include <unistd.h>
> +
> +/*
> + * Ignore the checkpatch warning, as per the C99 standard, section 7.14.1.1:
> + *
> + * "If the signal occurs other than as the result of calling the abort or raise
> + * function, the behavior is undefined if the signal handler refers to any
> + * object with static storage duration other than by assigning a value to an
> + * object declared as volatile sig_atomic_t"
> + */
> +static volatile sig_atomic_t signal_jump_set;
> +static sigjmp_buf signal_jmp_buf;
> +
> +/*
> + * Ignore the checkpatch warning, we must read from x but don't want to do
> + * anything with it in order to trigger a read page fault. We therefore must use
> + * volatile to stop the compiler from optimising this away.
> + */
> +#define FORCE_READ(x) (*(volatile typeof(x) *)x)
> +
> +static int userfaultfd(int flags)
> +{
> + return syscall(SYS_userfaultfd, flags);
> +}
> +
> +static void handle_fatal(int c)
> +{
> + if (!signal_jump_set)
> + return;
> +
> + siglongjmp(signal_jmp_buf, c);
> +}
> +
> +static int pidfd_open(pid_t pid, unsigned int flags)
> +{
> + return syscall(SYS_pidfd_open, pid, flags);
> +}
> +
> +/*
> + * Enable our signal catcher and try to read/write the specified buffer. The
> + * return value indicates whether the read/write succeeds without a fatal
> + * signal.
> + */
> +static bool try_access_buf(char *ptr, bool write)
> +{
> + bool failed;
> +
> + /* Tell signal handler to jump back here on fatal signal. */
> + signal_jump_set = true;
> + /* If a fatal signal arose, we will jump back here and failed is set. */
> + failed = sigsetjmp(signal_jmp_buf, 0) != 0;
> +
> + if (!failed) {
> + if (write)
> + *ptr = 'x';
> + else
> + FORCE_READ(ptr);
> + }
> +
> + signal_jump_set = false;
> + return !failed;
> +}
> +
> +/* Try and read from a buffer, return true if no fatal signal. */
> +static bool try_read_buf(char *ptr)
> +{
> + return try_access_buf(ptr, false);
> +}
> +
> +/* Try and write to a buffer, return true if no fatal signal. */
> +static bool try_write_buf(char *ptr)
> +{
> + return try_access_buf(ptr, true);
> +}
> +
> +/*
> + * Try and BOTH read from AND write to a buffer, return true if BOTH operations
> + * succeed.
> + */
> +static bool try_read_write_buf(char *ptr)
> +{
> + return try_read_buf(ptr) && try_write_buf(ptr);
> +}
> +
> +FIXTURE(guard_pages)
> +{
> + unsigned long page_size;
> +};
> +
> +FIXTURE_SETUP(guard_pages)
> +{
> + struct sigaction act = {
> + .sa_handler = &handle_fatal,
> + .sa_flags = SA_NODEFER,
> + };
> +
> + sigemptyset(&act.sa_mask);
> + if (sigaction(SIGSEGV, &act, NULL))
> + ksft_exit_fail_perror("sigaction");
> +
> + self->page_size = (unsigned long)sysconf(_SC_PAGESIZE);
> +};
> +
> +FIXTURE_TEARDOWN(guard_pages)
> +{
> + struct sigaction act = {
> + .sa_handler = SIG_DFL,
> + .sa_flags = SA_NODEFER,
> + };
> +
> + sigemptyset(&act.sa_mask);
> + sigaction(SIGSEGV, &act, NULL);
> +}
> +
> +TEST_F(guard_pages, basic)
> +{
> + const unsigned long NUM_PAGES = 10;
> + const unsigned long page_size = self->page_size;
> + char *ptr;
> + int i;
> +
> + ptr = mmap(NULL, NUM_PAGES * page_size, PROT_READ | PROT_WRITE,
> + MAP_PRIVATE | MAP_ANON, -1, 0);
> + ASSERT_NE(ptr, MAP_FAILED);
> +
> + /* Trivially assert we can touch the first page. */
> + ASSERT_TRUE(try_read_write_buf(ptr));
> +
> + ASSERT_EQ(madvise(ptr, page_size, MADV_GUARD_INSTALL), 0);
> +
> + /* Establish that 1st page SIGSEGV's. */
> + ASSERT_FALSE(try_read_write_buf(ptr));
> +
> + /* Ensure we can touch everything else.*/
> + for (i = 1; i < NUM_PAGES; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_TRUE(try_read_write_buf(curr));
> + }
> +
> + /* Establish a guard page at the end of the mapping. */
> + ASSERT_EQ(madvise(&ptr[(NUM_PAGES - 1) * page_size], page_size,
> + MADV_GUARD_INSTALL), 0);
> +
> + /* Check that both guard pages result in SIGSEGV. */
> + ASSERT_FALSE(try_read_write_buf(ptr));
> + ASSERT_FALSE(try_read_write_buf(&ptr[(NUM_PAGES - 1) * page_size]));
> +
> + /* Remove the first guard page. */
> + ASSERT_FALSE(madvise(ptr, page_size, MADV_GUARD_REMOVE));
> +
> + /* Make sure we can touch it. */
> + ASSERT_TRUE(try_read_write_buf(ptr));
> +
> + /* Remove the last guard page. */
> + ASSERT_FALSE(madvise(&ptr[(NUM_PAGES - 1) * page_size], page_size,
> + MADV_GUARD_REMOVE));
> +
> + /* Make sure we can touch it. */
> + ASSERT_TRUE(try_read_write_buf(&ptr[(NUM_PAGES - 1) * page_size]));
> +
> + /*
> + * Test setting a _range_ of pages, namely the first 3. The first of
> + * these be faulted in, so this also tests that we can install guard
> + * pages over backed pages.
> + */
> + ASSERT_EQ(madvise(ptr, 3 * page_size, MADV_GUARD_INSTALL), 0);
> +
> + /* Make sure they are all guard pages. */
> + for (i = 0; i < 3; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_FALSE(try_read_write_buf(curr));
> + }
> +
> + /* Make sure the rest are not. */
> + for (i = 3; i < NUM_PAGES; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_TRUE(try_read_write_buf(curr));
> + }
> +
> + /* Remove guard pages. */
> + ASSERT_EQ(madvise(ptr, NUM_PAGES * page_size, MADV_GUARD_REMOVE), 0);
> +
> + /* Now make sure we can touch everything. */
> + for (i = 0; i < NUM_PAGES; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_TRUE(try_read_write_buf(curr));
> + }
> +
> + /*
> + * Now remove all guard pages, make sure we don't remove existing
> + * entries.
> + */
> + ASSERT_EQ(madvise(ptr, NUM_PAGES * page_size, MADV_GUARD_REMOVE), 0);
> +
> + for (i = 0; i < NUM_PAGES * page_size; i += page_size) {
> + char chr = ptr[i];
> +
> + ASSERT_EQ(chr, 'x');
> + }
> +
> + ASSERT_EQ(munmap(ptr, NUM_PAGES * page_size), 0);
> +}
> +
> +/* Assert that operations applied across multiple VMAs work as expected. */
> +TEST_F(guard_pages, multi_vma)
> +{
> + const unsigned long page_size = self->page_size;
> + char *ptr_region, *ptr, *ptr1, *ptr2, *ptr3;
> + int i;
> +
> + /* Reserve a 100 page region over which we can install VMAs. */
> + ptr_region = mmap(NULL, 100 * page_size, PROT_NONE,
> + MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr_region, MAP_FAILED);
> +
> + /* Place a VMA of 10 pages size at the start of the region. */
> + ptr1 = mmap(ptr_region, 10 * page_size, PROT_READ | PROT_WRITE,
> + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr1, MAP_FAILED);
> +
> + /* Place a VMA of 5 pages size 50 pages into the region. */
> + ptr2 = mmap(&ptr_region[50 * page_size], 5 * page_size,
> + PROT_READ | PROT_WRITE,
> + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr2, MAP_FAILED);
> +
> + /* Place a VMA of 20 pages size at the end of the region. */
> + ptr3 = mmap(&ptr_region[80 * page_size], 20 * page_size,
> + PROT_READ | PROT_WRITE,
> + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr3, MAP_FAILED);
> +
> + /* Unmap gaps. */
> + ASSERT_EQ(munmap(&ptr_region[10 * page_size], 40 * page_size), 0);
> + ASSERT_EQ(munmap(&ptr_region[55 * page_size], 25 * page_size), 0);
> +
> + /*
> + * We end up with VMAs like this:
> + *
> + * 0 10 .. 50 55 .. 80 100
> + * [---] [---] [---]
> + */
> +
> + /*
> + * Now mark the whole range as guard pages and make sure all VMAs are as
> + * such.
> + */
> +
> + /*
> + * madvise() is certifiable and lets you perform operations over gaps,
> + * everything works, but it indicates an error and errno is set to
> + * -ENOMEM. Also if anything runs out of memory it is set to
> + * -ENOMEM. You are meant to guess which is which.
> + */
> + ASSERT_EQ(madvise(ptr_region, 100 * page_size, MADV_GUARD_INSTALL), -1);
> + ASSERT_EQ(errno, ENOMEM);
> +
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr1[i * page_size];
> +
> + ASSERT_FALSE(try_read_write_buf(curr));
> + }
> +
> + for (i = 0; i < 5; i++) {
> + char *curr = &ptr2[i * page_size];
> +
> + ASSERT_FALSE(try_read_write_buf(curr));
> + }
> +
> + for (i = 0; i < 20; i++) {
> + char *curr = &ptr3[i * page_size];
> +
> + ASSERT_FALSE(try_read_write_buf(curr));
> + }
> +
> + /* Now remove guar pages over range and assert the opposite. */
> +
> + ASSERT_EQ(madvise(ptr_region, 100 * page_size, MADV_GUARD_REMOVE), -1);
> + ASSERT_EQ(errno, ENOMEM);
> +
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr1[i * page_size];
> +
> + ASSERT_TRUE(try_read_write_buf(curr));
> + }
> +
> + for (i = 0; i < 5; i++) {
> + char *curr = &ptr2[i * page_size];
> +
> + ASSERT_TRUE(try_read_write_buf(curr));
> + }
> +
> + for (i = 0; i < 20; i++) {
> + char *curr = &ptr3[i * page_size];
> +
> + ASSERT_TRUE(try_read_write_buf(curr));
> + }
> +
> + /* Now map incompatible VMAs in the gaps. */
> + ptr = mmap(&ptr_region[10 * page_size], 40 * page_size,
> + PROT_READ | PROT_WRITE | PROT_EXEC,
> + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr, MAP_FAILED);
> + ptr = mmap(&ptr_region[55 * page_size], 25 * page_size,
> + PROT_READ | PROT_WRITE | PROT_EXEC,
> + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr, MAP_FAILED);
> +
> + /*
> + * We end up with VMAs like this:
> + *
> + * 0 10 .. 50 55 .. 80 100
> + * [---][xxxx][---][xxxx][---]
> + *
> + * Where 'x' signifies VMAs that cannot be merged with those adjacent to
> + * them.
> + */
> +
> + /* Multiple VMAs adjacent to one another should result in no error. */
> + ASSERT_EQ(madvise(ptr_region, 100 * page_size, MADV_GUARD_INSTALL), 0);
> + for (i = 0; i < 100; i++) {
> + char *curr = &ptr_region[i * page_size];
> +
> + ASSERT_FALSE(try_read_write_buf(curr));
> + }
> + ASSERT_EQ(madvise(ptr_region, 100 * page_size, MADV_GUARD_REMOVE), 0);
> + for (i = 0; i < 100; i++) {
> + char *curr = &ptr_region[i * page_size];
> +
> + ASSERT_TRUE(try_read_write_buf(curr));
> + }
> +
> + /* Cleanup. */
> + ASSERT_EQ(munmap(ptr_region, 100 * page_size), 0);
> +}
> +
> +/*
> + * Assert that batched operations performed using process_madvise() work as
> + * expected.
> + */
> +TEST_F(guard_pages, process_madvise)
> +{
> + const unsigned long page_size = self->page_size;
> + pid_t pid = getpid();
> + int pidfd = pidfd_open(pid, 0);
> + char *ptr_region, *ptr1, *ptr2, *ptr3;
> + ssize_t count;
> + struct iovec vec[6];
> +
> + ASSERT_NE(pidfd, -1);
> +
> + /* Reserve region to map over. */
> + ptr_region = mmap(NULL, 100 * page_size, PROT_NONE,
> + MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr_region, MAP_FAILED);
> +
> + /* 10 pages offset 1 page into reserve region. */
> + ptr1 = mmap(&ptr_region[page_size], 10 * page_size,
> + PROT_READ | PROT_WRITE,
> + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr1, MAP_FAILED);
> + /* We want guard markers at start/end of each VMA. */
> + vec[0].iov_base = ptr1;
> + vec[0].iov_len = page_size;
> + vec[1].iov_base = &ptr1[9 * page_size];
> + vec[1].iov_len = page_size;
> +
> + /* 5 pages offset 50 pages into reserve region. */
> + ptr2 = mmap(&ptr_region[50 * page_size], 5 * page_size,
> + PROT_READ | PROT_WRITE,
> + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr2, MAP_FAILED);
> + vec[2].iov_base = ptr2;
> + vec[2].iov_len = page_size;
> + vec[3].iov_base = &ptr2[4 * page_size];
> + vec[3].iov_len = page_size;
> +
> + /* 20 pages offset 79 pages into reserve region. */
> + ptr3 = mmap(&ptr_region[79 * page_size], 20 * page_size,
> + PROT_READ | PROT_WRITE,
> + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr3, MAP_FAILED);
> + vec[4].iov_base = ptr3;
> + vec[4].iov_len = page_size;
> + vec[5].iov_base = &ptr3[19 * page_size];
> + vec[5].iov_len = page_size;
> +
> + /* Free surrounding VMAs. */
> + ASSERT_EQ(munmap(ptr_region, page_size), 0);
> + ASSERT_EQ(munmap(&ptr_region[11 * page_size], 39 * page_size), 0);
> + ASSERT_EQ(munmap(&ptr_region[55 * page_size], 24 * page_size), 0);
> + ASSERT_EQ(munmap(&ptr_region[99 * page_size], page_size), 0);
> +
> + /* Now guard in one step. */
> + count = process_madvise(pidfd, vec, 6, MADV_GUARD_INSTALL, 0);
> +
> + /* OK we don't have permission to do this, skip. */
> + if (count == -1 && errno == EPERM)
> + ksft_exit_skip("No process_madvise() permissions, try running as root.\n");
> +
> + /* Returns the number of bytes advised. */
> + ASSERT_EQ(count, 6 * page_size);
> +
> + /* Now make sure the guarding was applied. */
> +
> + ASSERT_FALSE(try_read_write_buf(ptr1));
> + ASSERT_FALSE(try_read_write_buf(&ptr1[9 * page_size]));
> +
> + ASSERT_FALSE(try_read_write_buf(ptr2));
> + ASSERT_FALSE(try_read_write_buf(&ptr2[4 * page_size]));
> +
> + ASSERT_FALSE(try_read_write_buf(ptr3));
> + ASSERT_FALSE(try_read_write_buf(&ptr3[19 * page_size]));
> +
> + /* Now do the same with unguard... */
> + count = process_madvise(pidfd, vec, 6, MADV_GUARD_REMOVE, 0);
> +
> + /* ...and everything should now succeed. */
> +
> + ASSERT_TRUE(try_read_write_buf(ptr1));
> + ASSERT_TRUE(try_read_write_buf(&ptr1[9 * page_size]));
> +
> + ASSERT_TRUE(try_read_write_buf(ptr2));
> + ASSERT_TRUE(try_read_write_buf(&ptr2[4 * page_size]));
> +
> + ASSERT_TRUE(try_read_write_buf(ptr3));
> + ASSERT_TRUE(try_read_write_buf(&ptr3[19 * page_size]));
> +
> + /* Cleanup. */
> + ASSERT_EQ(munmap(ptr1, 10 * page_size), 0);
> + ASSERT_EQ(munmap(ptr2, 5 * page_size), 0);
> + ASSERT_EQ(munmap(ptr3, 20 * page_size), 0);
> + close(pidfd);
> +}
> +
> +/* Assert that unmapping ranges does not leave guard markers behind. */
> +TEST_F(guard_pages, munmap)
> +{
> + const unsigned long page_size = self->page_size;
> + char *ptr, *ptr_new1, *ptr_new2;
> +
> + ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE,
> + MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr, MAP_FAILED);
> +
> + /* Guard first and last pages. */
> + ASSERT_EQ(madvise(ptr, page_size, MADV_GUARD_INSTALL), 0);
> + ASSERT_EQ(madvise(&ptr[9 * page_size], page_size, MADV_GUARD_INSTALL), 0);
> +
> + /* Assert that they are guarded. */
> + ASSERT_FALSE(try_read_write_buf(ptr));
> + ASSERT_FALSE(try_read_write_buf(&ptr[9 * page_size]));
> +
> + /* Unmap them. */
> + ASSERT_EQ(munmap(ptr, page_size), 0);
> + ASSERT_EQ(munmap(&ptr[9 * page_size], page_size), 0);
> +
> + /* Map over them.*/
> + ptr_new1 = mmap(ptr, page_size, PROT_READ | PROT_WRITE,
> + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr_new1, MAP_FAILED);
> + ptr_new2 = mmap(&ptr[9 * page_size], page_size, PROT_READ | PROT_WRITE,
> + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr_new2, MAP_FAILED);
> +
> + /* Assert that they are now not guarded. */
> + ASSERT_TRUE(try_read_write_buf(ptr_new1));
> + ASSERT_TRUE(try_read_write_buf(ptr_new2));
> +
> + /* Cleanup. */
> + ASSERT_EQ(munmap(ptr, 10 * page_size), 0);
> +}
> +
> +/* Assert that mprotect() operations have no bearing on guard markers. */
> +TEST_F(guard_pages, mprotect)
> +{
> + const unsigned long page_size = self->page_size;
> + char *ptr;
> + int i;
> +
> + ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE,
> + MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr, MAP_FAILED);
> +
> + /* Guard the middle of the range. */
> + ASSERT_EQ(madvise(&ptr[5 * page_size], 2 * page_size,
> + MADV_GUARD_INSTALL), 0);
> +
> + /* Assert that it is indeed guarded. */
> + ASSERT_FALSE(try_read_write_buf(&ptr[5 * page_size]));
> + ASSERT_FALSE(try_read_write_buf(&ptr[6 * page_size]));
> +
> + /* Now make these pages read-only. */
> + ASSERT_EQ(mprotect(&ptr[5 * page_size], 2 * page_size, PROT_READ), 0);
> +
> + /* Make sure the range is still guarded. */
> + ASSERT_FALSE(try_read_buf(&ptr[5 * page_size]));
> + ASSERT_FALSE(try_read_buf(&ptr[6 * page_size]));
> +
> + /* Make sure we can guard again without issue.*/
> + ASSERT_EQ(madvise(&ptr[5 * page_size], 2 * page_size,
> + MADV_GUARD_INSTALL), 0);
> +
> + /* Make sure the range is, yet again, still guarded. */
> + ASSERT_FALSE(try_read_buf(&ptr[5 * page_size]));
> + ASSERT_FALSE(try_read_buf(&ptr[6 * page_size]));
> +
> + /* Now unguard the whole range. */
> + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_REMOVE), 0);
> +
> + /* Make sure the whole range is readable. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_TRUE(try_read_buf(curr));
> + }
> +
> + /* Cleanup. */
> + ASSERT_EQ(munmap(ptr, 10 * page_size), 0);
> +}
> +
> +/* Split and merge VMAs and make sure guard pages still behave. */
> +TEST_F(guard_pages, split_merge)
> +{
> + const unsigned long page_size = self->page_size;
> + char *ptr, *ptr_new;
> + int i;
> +
> + ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE,
> + MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr, MAP_FAILED);
> +
> + /* Guard the whole range. */
> + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_INSTALL), 0);
> +
> + /* Make sure the whole range is guarded. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_FALSE(try_read_write_buf(curr));
> + }
> +
> + /* Now unmap some pages in the range so we split. */
> + ASSERT_EQ(munmap(&ptr[2 * page_size], page_size), 0);
> + ASSERT_EQ(munmap(&ptr[5 * page_size], page_size), 0);
> + ASSERT_EQ(munmap(&ptr[8 * page_size], page_size), 0);
> +
> + /* Make sure the remaining ranges are guarded post-split. */
> + for (i = 0; i < 2; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_FALSE(try_read_write_buf(curr));
> + }
> + for (i = 2; i < 5; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_FALSE(try_read_write_buf(curr));
> + }
> + for (i = 6; i < 8; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_FALSE(try_read_write_buf(curr));
> + }
> + for (i = 9; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_FALSE(try_read_write_buf(curr));
> + }
> +
> + /* Now map them again - the unmap will have cleared the guards. */
> + ptr_new = mmap(&ptr[2 * page_size], page_size, PROT_READ | PROT_WRITE,
> + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr_new, MAP_FAILED);
> + ptr_new = mmap(&ptr[5 * page_size], page_size, PROT_READ | PROT_WRITE,
> + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr_new, MAP_FAILED);
> + ptr_new = mmap(&ptr[8 * page_size], page_size, PROT_READ | PROT_WRITE,
> + MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr_new, MAP_FAILED);
> +
> + /* Now make sure guard pages are established. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> + bool result = try_read_write_buf(curr);
> + bool expect_true = i == 2 || i == 5 || i == 8;
> +
> + ASSERT_TRUE(expect_true ? result : !result);
> + }
> +
> + /* Now guard everything again. */
> + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_INSTALL), 0);
> +
> + /* Make sure the whole range is guarded. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_FALSE(try_read_write_buf(curr));
> + }
> +
> + /* Now split the range into three. */
> + ASSERT_EQ(mprotect(ptr, 3 * page_size, PROT_READ), 0);
> + ASSERT_EQ(mprotect(&ptr[7 * page_size], 3 * page_size, PROT_READ), 0);
> +
> + /* Make sure the whole range is guarded for read. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_FALSE(try_read_buf(curr));
> + }
> +
> + /* Now reset protection bits so we merge the whole thing. */
> + ASSERT_EQ(mprotect(ptr, 3 * page_size, PROT_READ | PROT_WRITE), 0);
> + ASSERT_EQ(mprotect(&ptr[7 * page_size], 3 * page_size,
> + PROT_READ | PROT_WRITE), 0);
> +
> + /* Make sure the whole range is still guarded. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_FALSE(try_read_write_buf(curr));
> + }
> +
> + /* Split range into 3 again... */
> + ASSERT_EQ(mprotect(ptr, 3 * page_size, PROT_READ), 0);
> + ASSERT_EQ(mprotect(&ptr[7 * page_size], 3 * page_size, PROT_READ), 0);
> +
> + /* ...and unguard the whole range. */
> + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_REMOVE), 0);
> +
> + /* Make sure the whole range is remedied for read. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_TRUE(try_read_buf(curr));
> + }
> +
> + /* Merge them again. */
> + ASSERT_EQ(mprotect(ptr, 3 * page_size, PROT_READ | PROT_WRITE), 0);
> + ASSERT_EQ(mprotect(&ptr[7 * page_size], 3 * page_size,
> + PROT_READ | PROT_WRITE), 0);
> +
> + /* Now ensure the merged range is remedied for read/write. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_TRUE(try_read_write_buf(curr));
> + }
> +
> + /* Cleanup. */
> + ASSERT_EQ(munmap(ptr, 10 * page_size), 0);
> +}
> +
> +/* Assert that MADV_DONTNEED does not remove guard markers. */
> +TEST_F(guard_pages, dontneed)
> +{
> + const unsigned long page_size = self->page_size;
> + char *ptr;
> + int i;
> +
> + ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE,
> + MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr, MAP_FAILED);
> +
> + /* Back the whole range. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + *curr = 'y';
> + }
> +
> + /* Guard every other page. */
> + for (i = 0; i < 10; i += 2) {
> + char *curr = &ptr[i * page_size];
> + int res = madvise(curr, page_size, MADV_GUARD_INSTALL);
> +
> + ASSERT_EQ(res, 0);
> + }
> +
> + /* Indicate that we don't need any of the range. */
> + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_DONTNEED), 0);
> +
> + /* Check to ensure guard markers are still in place. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> + bool result = try_read_buf(curr);
> +
> + if (i % 2 == 0) {
> + ASSERT_FALSE(result);
> + } else {
> + ASSERT_TRUE(result);
> + /* Make sure we really did get reset to zero page. */
> + ASSERT_EQ(*curr, '\0');
> + }
> +
> + /* Now write... */
> + result = try_write_buf(&ptr[i * page_size]);
> +
> + /* ...and make sure same result. */
> + ASSERT_TRUE(i % 2 != 0 ? result : !result);
> + }
> +
> + /* Cleanup. */
> + ASSERT_EQ(munmap(ptr, 10 * page_size), 0);
> +}
> +
> +/* Assert that mlock()'ed pages work correctly with guard markers. */
> +TEST_F(guard_pages, mlock)
> +{
> + const unsigned long page_size = self->page_size;
> + char *ptr;
> + int i;
> +
> + ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE,
> + MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr, MAP_FAILED);
> +
> + /* Populate. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + *curr = 'y';
> + }
> +
> + /* Lock. */
> + ASSERT_EQ(mlock(ptr, 10 * page_size), 0);
> +
> + /* Now try to guard, should fail with EINVAL. */
> + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_INSTALL), -1);
> + ASSERT_EQ(errno, EINVAL);
> +
> + /* OK unlock. */
> + ASSERT_EQ(munlock(ptr, 10 * page_size), 0);
> +
> + /* Guard first half of range, should now succeed. */
> + ASSERT_EQ(madvise(ptr, 5 * page_size, MADV_GUARD_INSTALL), 0);
> +
> + /* Make sure guard works. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> + bool result = try_read_write_buf(curr);
> +
> + if (i < 5) {
> + ASSERT_FALSE(result);
> + } else {
> + ASSERT_TRUE(result);
> + ASSERT_EQ(*curr, 'x');
> + }
> + }
> +
> + /*
> + * Now lock the latter part of the range. We can't lock the guard pages,
> + * as this would result in the pages being populated and the guarding
> + * would cause this to error out.
> + */
> + ASSERT_EQ(mlock(&ptr[5 * page_size], 5 * page_size), 0);
> +
> + /*
> + * Now remove guard pages, we permit mlock()'d ranges to have guard
> + * pages removed as it is a non-destructive operation.
> + */
> + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_REMOVE), 0);
> +
> + /* Now check that no guard pages remain. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_TRUE(try_read_write_buf(curr));
> + }
> +
> + /* Cleanup. */
> + ASSERT_EQ(munmap(ptr, 10 * page_size), 0);
> +}
> +
> +/*
> + * Assert that moving, extending and shrinking memory via mremap() retains
> + * guard markers where possible.
> + *
> + * - Moving a mapping alone should retain markers as they are.
> + */
> +TEST_F(guard_pages, mremap_move)
> +{
> + const unsigned long page_size = self->page_size;
> + char *ptr, *ptr_new;
> +
> + /* Map 5 pages. */
> + ptr = mmap(NULL, 5 * page_size, PROT_READ | PROT_WRITE,
> + MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr, MAP_FAILED);
> +
> + /* Place guard markers at both ends of the 5 page span. */
> + ASSERT_EQ(madvise(ptr, page_size, MADV_GUARD_INSTALL), 0);
> + ASSERT_EQ(madvise(&ptr[4 * page_size], page_size, MADV_GUARD_INSTALL), 0);
> +
> + /* Make sure the guard pages are in effect. */
> + ASSERT_FALSE(try_read_write_buf(ptr));
> + ASSERT_FALSE(try_read_write_buf(&ptr[4 * page_size]));
> +
> + /* Map a new region we will move this range into. Doing this ensures
> + * that we have reserved a range to map into.
> + */
> + ptr_new = mmap(NULL, 5 * page_size, PROT_NONE, MAP_ANON | MAP_PRIVATE,
> + -1, 0);
> + ASSERT_NE(ptr_new, MAP_FAILED);
> +
> + ASSERT_EQ(mremap(ptr, 5 * page_size, 5 * page_size,
> + MREMAP_MAYMOVE | MREMAP_FIXED, ptr_new), ptr_new);
> +
> + /* Make sure the guard markers are retained. */
> + ASSERT_FALSE(try_read_write_buf(ptr_new));
> + ASSERT_FALSE(try_read_write_buf(&ptr_new[4 * page_size]));
> +
> + /*
> + * Clean up - we only need reference the new pointer as we overwrote the
> + * PROT_NONE range and moved the existing one.
> + */
> + munmap(ptr_new, 5 * page_size);
> +}
> +
> +/*
> + * Assert that moving, extending and shrinking memory via mremap() retains
> + * guard markers where possible.
> + *
> + * Expanding should retain guard pages, only now in different position. The user
> + * will have to remove guard pages manually to fix up (they'd have to do the
> + * same if it were a PROT_NONE mapping).
> + */
> +TEST_F(guard_pages, mremap_expand)
> +{
> + const unsigned long page_size = self->page_size;
> + char *ptr, *ptr_new;
> +
> + /* Map 10 pages... */
> + ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE,
> + MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr, MAP_FAILED);
> + /* ...But unmap the last 5 so we can ensure we can expand into them. */
> + ASSERT_EQ(munmap(&ptr[5 * page_size], 5 * page_size), 0);
> +
> + /* Place guard markers at both ends of the 5 page span. */
> + ASSERT_EQ(madvise(ptr, page_size, MADV_GUARD_INSTALL), 0);
> + ASSERT_EQ(madvise(&ptr[4 * page_size], page_size, MADV_GUARD_INSTALL), 0);
> +
> + /* Make sure the guarding is in effect. */
> + ASSERT_FALSE(try_read_write_buf(ptr));
> + ASSERT_FALSE(try_read_write_buf(&ptr[4 * page_size]));
> +
> + /* Now expand to 10 pages. */
> + ptr = mremap(ptr, 5 * page_size, 10 * page_size, 0);
> + ASSERT_NE(ptr, MAP_FAILED);
> +
> + /*
> + * Make sure the guard markers are retained in their original positions.
> + */
> + ASSERT_FALSE(try_read_write_buf(ptr));
> + ASSERT_FALSE(try_read_write_buf(&ptr[4 * page_size]));
> +
> + /* Reserve a region which we can move to and expand into. */
> + ptr_new = mmap(NULL, 20 * page_size, PROT_NONE,
> + MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr_new, MAP_FAILED);
> +
> + /* Now move and expand into it. */
> + ptr = mremap(ptr, 10 * page_size, 20 * page_size,
> + MREMAP_MAYMOVE | MREMAP_FIXED, ptr_new);
> + ASSERT_EQ(ptr, ptr_new);
> +
> + /*
> + * Again, make sure the guard markers are retained in their original positions.
> + */
> + ASSERT_FALSE(try_read_write_buf(ptr));
> + ASSERT_FALSE(try_read_write_buf(&ptr[4 * page_size]));
> +
> + /*
> + * A real user would have to remove guard markers, but would reasonably
> + * expect all characteristics of the mapping to be retained, including
> + * guard markers.
> + */
> +
> + /* Cleanup. */
> + munmap(ptr, 20 * page_size);
> +}
> +/*
> + * Assert that moving, extending and shrinking memory via mremap() retains
> + * guard markers where possible.
> + *
> + * Shrinking will result in markers that are shrunk over being removed. Again,
> + * if the user were using a PROT_NONE mapping they'd have to manually fix this
> + * up also so this is OK.
> + */
> +TEST_F(guard_pages, mremap_shrink)
> +{
> + const unsigned long page_size = self->page_size;
> + char *ptr;
> + int i;
> +
> + /* Map 5 pages. */
> + ptr = mmap(NULL, 5 * page_size, PROT_READ | PROT_WRITE,
> + MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr, MAP_FAILED);
> +
> + /* Place guard markers at both ends of the 5 page span. */
> + ASSERT_EQ(madvise(ptr, page_size, MADV_GUARD_INSTALL), 0);
> + ASSERT_EQ(madvise(&ptr[4 * page_size], page_size, MADV_GUARD_INSTALL), 0);
> +
> + /* Make sure the guarding is in effect. */
> + ASSERT_FALSE(try_read_write_buf(ptr));
> + ASSERT_FALSE(try_read_write_buf(&ptr[4 * page_size]));
> +
> + /* Now shrink to 3 pages. */
> + ptr = mremap(ptr, 5 * page_size, 3 * page_size, MREMAP_MAYMOVE);
> + ASSERT_NE(ptr, MAP_FAILED);
> +
> + /* We expect the guard marker at the start to be retained... */
> + ASSERT_FALSE(try_read_write_buf(ptr));
> +
> + /* ...But remaining pages will not have guard markers. */
> + for (i = 1; i < 3; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_TRUE(try_read_write_buf(curr));
> + }
> +
> + /*
> + * As with expansion, a real user would have to remove guard pages and
> + * fixup. But you'd have to do similar manual things with PROT_NONE
> + * mappings too.
> + */
> +
> + /*
> + * If we expand back to the original size, the end marker will, of
> + * course, no longer be present.
> + */
> + ptr = mremap(ptr, 3 * page_size, 5 * page_size, 0);
> + ASSERT_NE(ptr, MAP_FAILED);
> +
> + /* Again, we expect the guard marker at the start to be retained... */
> + ASSERT_FALSE(try_read_write_buf(ptr));
> +
> + /* ...But remaining pages will not have guard markers. */
> + for (i = 1; i < 5; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_TRUE(try_read_write_buf(curr));
> + }
> +
> + /* Cleanup. */
> + munmap(ptr, 5 * page_size);
> +}
> +
> +/*
> + * Assert that forking a process with VMAs that do not have VM_WIPEONFORK set
> + * retain guard pages.
> + */
> +TEST_F(guard_pages, fork)
> +{
> + const unsigned long page_size = self->page_size;
> + char *ptr;
> + pid_t pid;
> + int i;
> +
> + /* Map 10 pages. */
> + ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE,
> + MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr, MAP_FAILED);
> +
> + /* Establish guard apges in the first 5 pages. */
> + ASSERT_EQ(madvise(ptr, 5 * page_size, MADV_GUARD_INSTALL), 0);
> +
> + pid = fork();
> + ASSERT_NE(pid, -1);
> + if (!pid) {
> + /* This is the child process now. */
> +
> + /* Assert that the guarding is in effect. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> + bool result = try_read_write_buf(curr);
> +
> + ASSERT_TRUE(i >= 5 ? result : !result);
> + }
> +
> + /* Now unguard the range.*/
> + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_REMOVE), 0);
> +
> + exit(0);
> + }
> +
> + /* Parent process. */
> +
> + /* Parent simply waits on child. */
> + waitpid(pid, NULL, 0);
> +
> + /* Child unguard does not impact parent page table state. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> + bool result = try_read_write_buf(curr);
> +
> + ASSERT_TRUE(i >= 5 ? result : !result);
> + }
> +
> + /* Cleanup. */
> + ASSERT_EQ(munmap(ptr, 10 * page_size), 0);
> +}
> +
> +/*
> + * Assert that forking a process with VMAs that do have VM_WIPEONFORK set
> + * behave as expected.
> + */
> +TEST_F(guard_pages, fork_wipeonfork)
> +{
> + const unsigned long page_size = self->page_size;
> + char *ptr;
> + pid_t pid;
> + int i;
> +
> + /* Map 10 pages. */
> + ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE,
> + MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr, MAP_FAILED);
> +
> + /* Mark wipe on fork. */
> + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_WIPEONFORK), 0);
> +
> + /* Guard the first 5 pages. */
> + ASSERT_EQ(madvise(ptr, 5 * page_size, MADV_GUARD_INSTALL), 0);
> +
> + pid = fork();
> + ASSERT_NE(pid, -1);
> + if (!pid) {
> + /* This is the child process now. */
> +
> + /* Guard will have been wiped. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_TRUE(try_read_write_buf(curr));
> + }
> +
> + exit(0);
> + }
> +
> + /* Parent process. */
> +
> + waitpid(pid, NULL, 0);
> +
> + /* Guard markers should be in effect.*/
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> + bool result = try_read_write_buf(curr);
> +
> + ASSERT_TRUE(i >= 5 ? result : !result);
> + }
> +
> + /* Cleanup. */
> + ASSERT_EQ(munmap(ptr, 10 * page_size), 0);
> +}
> +
> +/* Ensure that MADV_FREE retains guard entries as expected. */
> +TEST_F(guard_pages, lazyfree)
> +{
> + const unsigned long page_size = self->page_size;
> + char *ptr;
> + int i;
> +
> + /* Map 10 pages. */
> + ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE,
> + MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr, MAP_FAILED);
> +
> + /* Guard range. */
> + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_INSTALL), 0);
> +
> + /* Ensure guarded. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_FALSE(try_read_write_buf(curr));
> + }
> +
> + /* Lazyfree range. */
> + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_FREE), 0);
> +
> + /* This should leave the guard markers in place. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_FALSE(try_read_write_buf(curr));
> + }
> +
> + /* Cleanup. */
> + ASSERT_EQ(munmap(ptr, 10 * page_size), 0);
> +}
> +
> +/* Ensure that MADV_POPULATE_READ, MADV_POPULATE_WRITE behave as expected. */
> +TEST_F(guard_pages, populate)
> +{
> + const unsigned long page_size = self->page_size;
> + char *ptr;
> +
> + /* Map 10 pages. */
> + ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE,
> + MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr, MAP_FAILED);
> +
> + /* Guard range. */
> + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_INSTALL), 0);
> +
> + /* Populate read should error out... */
> + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_POPULATE_READ), -1);
> + ASSERT_EQ(errno, EFAULT);
> +
> + /* ...as should populate write. */
> + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_POPULATE_WRITE), -1);
> + ASSERT_EQ(errno, EFAULT);
> +
> + /* Cleanup. */
> + ASSERT_EQ(munmap(ptr, 10 * page_size), 0);
> +}
> +
> +/* Ensure that MADV_COLD, MADV_PAGEOUT do not remove guard markers. */
> +TEST_F(guard_pages, cold_pageout)
> +{
> + const unsigned long page_size = self->page_size;
> + char *ptr;
> + int i;
> +
> + /* Map 10 pages. */
> + ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE,
> + MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr, MAP_FAILED);
> +
> + /* Guard range. */
> + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_INSTALL), 0);
> +
> + /* Ensured guarded. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_FALSE(try_read_write_buf(curr));
> + }
> +
> + /* Now mark cold. This should have no impact on guard markers. */
> + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_COLD), 0);
> +
> + /* Should remain guarded. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_FALSE(try_read_write_buf(curr));
> + }
> +
> + /* OK, now page out. This should equally, have no effect on markers. */
> + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_PAGEOUT), 0);
> +
> + /* Should remain guarded. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_FALSE(try_read_write_buf(curr));
> + }
> +
> + /* Cleanup. */
> + ASSERT_EQ(munmap(ptr, 10 * page_size), 0);
> +}
> +
> +/* Ensure that guard pages do not break userfaultd. */
> +TEST_F(guard_pages, uffd)
> +{
> + const unsigned long page_size = self->page_size;
> + int uffd;
> + char *ptr;
> + int i;
> + struct uffdio_api api = {
> + .api = UFFD_API,
> + .features = 0,
> + };
> + struct uffdio_register reg;
> + struct uffdio_range range;
> +
> + /* Set up uffd. */
> + uffd = userfaultfd(0);
> + if (uffd == -1 && errno == EPERM)
> + ksft_exit_skip("No userfaultfd permissions, try running as root.\n");
> + ASSERT_NE(uffd, -1);
> +
> + ASSERT_EQ(ioctl(uffd, UFFDIO_API, &api), 0);
> +
> + /* Map 10 pages. */
> + ptr = mmap(NULL, 10 * page_size, PROT_READ | PROT_WRITE,
> + MAP_ANON | MAP_PRIVATE, -1, 0);
> + ASSERT_NE(ptr, MAP_FAILED);
> +
> + /* Register the range with uffd. */
> + range.start = (unsigned long)ptr;
> + range.len = 10 * page_size;
> + reg.range = range;
> + reg.mode = UFFDIO_REGISTER_MODE_MISSING;
> + ASSERT_EQ(ioctl(uffd, UFFDIO_REGISTER, ®), 0);
> +
> + /* Guard the range. This should not trigger the uffd. */
> + ASSERT_EQ(madvise(ptr, 10 * page_size, MADV_GUARD_INSTALL), 0);
> +
> + /* The guarding should behave as usual with no uffd intervention. */
> + for (i = 0; i < 10; i++) {
> + char *curr = &ptr[i * page_size];
> +
> + ASSERT_FALSE(try_read_write_buf(curr));
> + }
> +
> + /* Cleanup. */
> + ASSERT_EQ(ioctl(uffd, UFFDIO_UNREGISTER, &range), 0);
> + close(uffd);
> + ASSERT_EQ(munmap(ptr, 10 * page_size), 0);
> +}
> +
> +TEST_HARNESS_MAIN
Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Jarkko Sakkinen <jarkko@kernel.org>
BR, Jarkko
^ permalink raw reply
* Re: [PATCH v3 1/5] mm: pagewalk: add the ability to install PTEs
From: Jarkko Sakkinen @ 2024-10-28 20:29 UTC (permalink / raw)
To: Lorenzo Stoakes, Andrew Morton
Cc: Suren Baghdasaryan, Liam R . Howlett, Matthew Wilcox,
Vlastimil Babka, Paul E . McKenney, Jann Horn, David Hildenbrand,
linux-mm, linux-kernel, Muchun Song, Richard Henderson,
Matt Turner, Thomas Bogendoerfer, James E . J . Bottomley,
Helge Deller, Chris Zankel, Max Filippov, Arnd Bergmann,
linux-alpha, linux-mips, linux-parisc, linux-arch, Shuah Khan,
Christian Brauner, linux-kselftest, Sidhartha Kumar, Jeff Xu,
Christoph Hellwig, linux-api, John Hubbard
In-Reply-To: <9be732fd0e897453116b433fe2f468ef7795602e.1729699916.git.lorenzo.stoakes@oracle.com>
On Wed Oct 23, 2024 at 7:24 PM EEST, Lorenzo Stoakes wrote:
> The existing generic pagewalk logic permits the walking of page tables,
> invoking callbacks at individual page table levels via user-provided
> mm_walk_ops callbacks.
>
> This is useful for traversing existing page table entries, but precludes
> the ability to establish new ones.
>
> Existing mechanism for performing a walk which also installs page table
> entries if necessary are heavily duplicated throughout the kernel, each
> with semantic differences from one another and largely unavailable for use
> elsewhere.
>
> Rather than add yet another implementation, we extend the generic pagewalk
> logic to enable the installation of page table entries by adding a new
> install_pte() callback in mm_walk_ops. If this is specified, then upon
> encountering a missing page table entry, we allocate and install a new one
> and continue the traversal.
>
> If a THP huge page is encountered at either the PMD or PUD level we split
> it only if there are ops->pte_entry() (or ops->pmd_entry at PUD level),
> otherwise if there is only an ops->install_pte(), we avoid the unnecessary
> split.
Just for interest: does this mean that the operation is always
"destructive" (i.e. modifying state) even when install_pte() does not
do anything, i.e. does the split alway happen despite what the callback
does? Not really expert on this but this paragraph won't leave me
alone :-)
>
> We do not support hugetlb at this stage.
>
> If this function returns an error, or an allocation fails during the
> operation, we abort the operation altogether. It is up to the caller to
> deal appropriately with partially populated page table ranges.
>
> If install_pte() is defined, the semantics of pte_entry() change - this
> callback is then only invoked if the entry already exists. This is a useful
> property, as it allows a caller to handle existing PTEs while installing
> new ones where necessary in the specified range.
>
> If install_pte() is not defined, then there is no functional difference to
> this patch, so all existing logic will work precisely as it did before.
>
> As we only permit the installation of PTEs where a mapping does not already
> exist there is no need for TLB management, however we do invoke
> update_mmu_cache() for architectures which require manual maintenance of
> mappings for other CPUs.
>
> We explicitly do not allow the existing page walk API to expose this
> feature as it is dangerous and intended for internal mm use only. Therefore
> we provide a new walk_page_range_mm() function exposed only to
> mm/internal.h.
>
> Reviewed-by: Jann Horn <jannh@google.com>
> Signed-off-by: Lorenzo Stoakes <lorenzo.stoakes@oracle.com>
> ---
> include/linux/pagewalk.h | 18 +++-
> mm/internal.h | 6 ++
> mm/pagewalk.c | 227 +++++++++++++++++++++++++++------------
> 3 files changed, 182 insertions(+), 69 deletions(-)
>
> diff --git a/include/linux/pagewalk.h b/include/linux/pagewalk.h
> index f5eb5a32aeed..9700a29f8afb 100644
> --- a/include/linux/pagewalk.h
> +++ b/include/linux/pagewalk.h
> @@ -25,12 +25,15 @@ enum page_walk_lock {
> * this handler is required to be able to handle
> * pmd_trans_huge() pmds. They may simply choose to
> * split_huge_page() instead of handling it explicitly.
> - * @pte_entry: if set, called for each PTE (lowest-level) entry,
> - * including empty ones
> + * @pte_entry: if set, called for each PTE (lowest-level) entry
> + * including empty ones, except if @install_pte is set.
> + * If @install_pte is set, @pte_entry is called only for
> + * existing PTEs.
> * @pte_hole: if set, called for each hole at all levels,
> * depth is -1 if not known, 0:PGD, 1:P4D, 2:PUD, 3:PMD.
> * Any folded depths (where PTRS_PER_P?D is equal to 1)
> - * are skipped.
> + * are skipped. If @install_pte is specified, this will
> + * not trigger for any populated ranges.
> * @hugetlb_entry: if set, called for each hugetlb entry. This hook
> * function is called with the vma lock held, in order to
> * protect against a concurrent freeing of the pte_t* or
> @@ -51,6 +54,13 @@ enum page_walk_lock {
> * @pre_vma: if set, called before starting walk on a non-null vma.
> * @post_vma: if set, called after a walk on a non-null vma, provided
> * that @pre_vma and the vma walk succeeded.
> + * @install_pte: if set, missing page table entries are installed and
> + * thus all levels are always walked in the specified
> + * range. This callback is then invoked at the PTE level
> + * (having split any THP pages prior), providing the PTE to
> + * install. If allocations fail, the walk is aborted. This
> + * operation is only available for userland memory. Not
> + * usable for hugetlb ranges.
Given that especially walk_page_range_novma() has bunch of call sites,
it would not hurt to mention here simply that only for mm-internal use
with not much other explanation.
> *
> * p?d_entry callbacks are called even if those levels are folded on a
> * particular architecture/configuration.
> @@ -76,6 +86,8 @@ struct mm_walk_ops {
> int (*pre_vma)(unsigned long start, unsigned long end,
> struct mm_walk *walk);
> void (*post_vma)(struct mm_walk *walk);
> + int (*install_pte)(unsigned long addr, unsigned long next,
> + pte_t *ptep, struct mm_walk *walk);
> enum page_walk_lock walk_lock;
> };
>
> diff --git a/mm/internal.h b/mm/internal.h
> index 508f7802dd2b..fb1fb0c984e4 100644
> --- a/mm/internal.h
> +++ b/mm/internal.h
> @@ -12,6 +12,7 @@
> #include <linux/mm.h>
> #include <linux/mm_inline.h>
> #include <linux/pagemap.h>
> +#include <linux/pagewalk.h>
> #include <linux/rmap.h>
> #include <linux/swap.h>
> #include <linux/swapops.h>
> @@ -1451,4 +1452,9 @@ static inline void accept_page(struct page *page)
> }
> #endif /* CONFIG_UNACCEPTED_MEMORY */
>
> +/* pagewalk.c */
> +int walk_page_range_mm(struct mm_struct *mm, unsigned long start,
> + unsigned long end, const struct mm_walk_ops *ops,
> + void *private);
> +
> #endif /* __MM_INTERNAL_H */
> diff --git a/mm/pagewalk.c b/mm/pagewalk.c
> index 5f9f01532e67..f3cbad384344 100644
> --- a/mm/pagewalk.c
> +++ b/mm/pagewalk.c
> @@ -3,9 +3,14 @@
> #include <linux/highmem.h>
> #include <linux/sched.h>
> #include <linux/hugetlb.h>
> +#include <linux/mmu_context.h>
> #include <linux/swap.h>
> #include <linux/swapops.h>
>
> +#include <asm/tlbflush.h>
> +
> +#include "internal.h"
> +
> /*
> * We want to know the real level where a entry is located ignoring any
> * folding of levels which may be happening. For example if p4d is folded then
> @@ -29,9 +34,23 @@ static int walk_pte_range_inner(pte_t *pte, unsigned long addr,
> int err = 0;
>
> for (;;) {
> - err = ops->pte_entry(pte, addr, addr + PAGE_SIZE, walk);
> - if (err)
> - break;
> + if (ops->install_pte && pte_none(ptep_get(pte))) {
> + pte_t new_pte;
> +
> + err = ops->install_pte(addr, addr + PAGE_SIZE, &new_pte,
> + walk);
> + if (err)
> + break;
> +
> + set_pte_at(walk->mm, addr, pte, new_pte);
> + /* Non-present before, so for arches that need it. */
> + if (!WARN_ON_ONCE(walk->no_vma))
> + update_mmu_cache(walk->vma, addr, pte);
> + } else {
> + err = ops->pte_entry(pte, addr, addr + PAGE_SIZE, walk);
> + if (err)
> + break;
> + }
> if (addr >= end - PAGE_SIZE)
> break;
> addr += PAGE_SIZE;
> @@ -89,11 +108,14 @@ static int walk_pmd_range(pud_t *pud, unsigned long addr, unsigned long end,
> again:
> next = pmd_addr_end(addr, end);
> if (pmd_none(*pmd)) {
> - if (ops->pte_hole)
> + if (ops->install_pte)
> + err = __pte_alloc(walk->mm, pmd);
> + else if (ops->pte_hole)
> err = ops->pte_hole(addr, next, depth, walk);
> if (err)
> break;
> - continue;
> + if (!ops->install_pte)
> + continue;
> }
>
> walk->action = ACTION_SUBTREE;
> @@ -109,18 +131,19 @@ static int walk_pmd_range(pud_t *pud, unsigned long addr, unsigned long end,
>
> if (walk->action == ACTION_AGAIN)
> goto again;
> -
> - /*
> - * Check this here so we only break down trans_huge
> - * pages when we _need_ to
> - */
> - if ((!walk->vma && (pmd_leaf(*pmd) || !pmd_present(*pmd))) ||
> - walk->action == ACTION_CONTINUE ||
> - !(ops->pte_entry))
> + if (walk->action == ACTION_CONTINUE)
> continue;
> + if (!ops->install_pte && !ops->pte_entry)
> + continue; /* Nothing to do. */
> + if (!ops->pte_entry && ops->install_pte &&
> + pmd_present(*pmd) &&
> + (pmd_trans_huge(*pmd) || pmd_devmap(*pmd)))
> + continue; /* Avoid unnecessary split. */
>
> if (walk->vma)
> split_huge_pmd(walk->vma, pmd, addr);
> + else if (pmd_leaf(*pmd) || !pmd_present(*pmd))
> + continue; /* Nothing to do. */
>
> err = walk_pte_range(pmd, addr, next, walk);
> if (err)
> @@ -148,11 +171,14 @@ static int walk_pud_range(p4d_t *p4d, unsigned long addr, unsigned long end,
> again:
> next = pud_addr_end(addr, end);
> if (pud_none(*pud)) {
> - if (ops->pte_hole)
> + if (ops->install_pte)
> + err = __pmd_alloc(walk->mm, pud, addr);
> + else if (ops->pte_hole)
> err = ops->pte_hole(addr, next, depth, walk);
> if (err)
> break;
> - continue;
> + if (!ops->install_pte)
> + continue;
> }
>
> walk->action = ACTION_SUBTREE;
> @@ -164,14 +190,20 @@ static int walk_pud_range(p4d_t *p4d, unsigned long addr, unsigned long end,
>
> if (walk->action == ACTION_AGAIN)
> goto again;
> -
> - if ((!walk->vma && (pud_leaf(*pud) || !pud_present(*pud))) ||
> - walk->action == ACTION_CONTINUE ||
> - !(ops->pmd_entry || ops->pte_entry))
> + if (walk->action == ACTION_CONTINUE)
> continue;
> + if (!ops->install_pte && !ops->pte_entry && !ops->pmd_entry)
> + continue; /* Nothing to do. */
> + if (!ops->pmd_entry && !ops->pte_entry && ops->install_pte &&
> + pud_present(*pud) &&
> + (pud_trans_huge(*pud) || pud_devmap(*pud)))
> + continue; /* Avoid unnecessary split. */
>
> if (walk->vma)
> split_huge_pud(walk->vma, pud, addr);
> + else if (pud_leaf(*pud) || !pud_present(*pud))
> + continue; /* Nothing to do. */
> +
> if (pud_none(*pud))
> goto again;
>
> @@ -196,18 +228,22 @@ static int walk_p4d_range(pgd_t *pgd, unsigned long addr, unsigned long end,
> do {
> next = p4d_addr_end(addr, end);
> if (p4d_none_or_clear_bad(p4d)) {
> - if (ops->pte_hole)
> + if (ops->install_pte)
> + err = __pud_alloc(walk->mm, p4d, addr);
> + else if (ops->pte_hole)
> err = ops->pte_hole(addr, next, depth, walk);
> if (err)
> break;
> - continue;
> + if (!ops->install_pte)
> + continue;
> }
> if (ops->p4d_entry) {
> err = ops->p4d_entry(p4d, addr, next, walk);
> if (err)
> break;
> }
> - if (ops->pud_entry || ops->pmd_entry || ops->pte_entry)
> + if (ops->pud_entry || ops->pmd_entry || ops->pte_entry ||
> + ops->install_pte)
> err = walk_pud_range(p4d, addr, next, walk);
> if (err)
> break;
> @@ -231,18 +267,22 @@ static int walk_pgd_range(unsigned long addr, unsigned long end,
> do {
> next = pgd_addr_end(addr, end);
> if (pgd_none_or_clear_bad(pgd)) {
> - if (ops->pte_hole)
> + if (ops->install_pte)
> + err = __p4d_alloc(walk->mm, pgd, addr);
> + else if (ops->pte_hole)
> err = ops->pte_hole(addr, next, 0, walk);
> if (err)
> break;
> - continue;
> + if (!ops->install_pte)
> + continue;
> }
> if (ops->pgd_entry) {
> err = ops->pgd_entry(pgd, addr, next, walk);
> if (err)
> break;
> }
> - if (ops->p4d_entry || ops->pud_entry || ops->pmd_entry || ops->pte_entry)
> + if (ops->p4d_entry || ops->pud_entry || ops->pmd_entry ||
> + ops->pte_entry || ops->install_pte)
> err = walk_p4d_range(pgd, addr, next, walk);
> if (err)
> break;
> @@ -334,6 +374,11 @@ static int __walk_page_range(unsigned long start, unsigned long end,
> int err = 0;
> struct vm_area_struct *vma = walk->vma;
> const struct mm_walk_ops *ops = walk->ops;
> + bool is_hugetlb = is_vm_hugetlb_page(vma);
> +
> + /* We do not support hugetlb PTE installation. */
> + if (ops->install_pte && is_hugetlb)
> + return -EINVAL;
>
> if (ops->pre_vma) {
> err = ops->pre_vma(start, end, walk);
> @@ -341,7 +386,7 @@ static int __walk_page_range(unsigned long start, unsigned long end,
> return err;
> }
>
> - if (is_vm_hugetlb_page(vma)) {
> + if (is_hugetlb) {
> if (ops->hugetlb_entry)
> err = walk_hugetlb_range(start, end, walk);
> } else
> @@ -380,47 +425,14 @@ static inline void process_vma_walk_lock(struct vm_area_struct *vma,
> #endif
> }
>
> -/**
> - * walk_page_range - walk page table with caller specific callbacks
> - * @mm: mm_struct representing the target process of page table walk
> - * @start: start address of the virtual address range
> - * @end: end address of the virtual address range
> - * @ops: operation to call during the walk
> - * @private: private data for callbacks' usage
> - *
> - * Recursively walk the page table tree of the process represented by @mm
> - * within the virtual address range [@start, @end). During walking, we can do
> - * some caller-specific works for each entry, by setting up pmd_entry(),
> - * pte_entry(), and/or hugetlb_entry(). If you don't set up for some of these
> - * callbacks, the associated entries/pages are just ignored.
> - * The return values of these callbacks are commonly defined like below:
> - *
> - * - 0 : succeeded to handle the current entry, and if you don't reach the
> - * end address yet, continue to walk.
> - * - >0 : succeeded to handle the current entry, and return to the caller
> - * with caller specific value.
> - * - <0 : failed to handle the current entry, and return to the caller
> - * with error code.
> - *
> - * Before starting to walk page table, some callers want to check whether
> - * they really want to walk over the current vma, typically by checking
> - * its vm_flags. walk_page_test() and @ops->test_walk() are used for this
> - * purpose.
> - *
> - * If operations need to be staged before and committed after a vma is walked,
> - * there are two callbacks, pre_vma() and post_vma(). Note that post_vma(),
> - * since it is intended to handle commit-type operations, can't return any
> - * errors.
> - *
> - * struct mm_walk keeps current values of some common data like vma and pmd,
> - * which are useful for the access from callbacks. If you want to pass some
> - * caller-specific data to callbacks, @private should be helpful.
> +/*
> + * See the comment for walk_page_range(), this performs the heavy lifting of the
> + * operation, only sets no restrictions on how the walk proceeds.
> *
> - * Locking:
> - * Callers of walk_page_range() and walk_page_vma() should hold @mm->mmap_lock,
> - * because these function traverse vma list and/or access to vma's data.
> + * We usually restrict the ability to install PTEs, but this functionality is
> + * available to internal memory management code and provided in mm/internal.h.
> */
> -int walk_page_range(struct mm_struct *mm, unsigned long start,
> +int walk_page_range_mm(struct mm_struct *mm, unsigned long start,
> unsigned long end, const struct mm_walk_ops *ops,
> void *private)
> {
> @@ -479,6 +491,80 @@ int walk_page_range(struct mm_struct *mm, unsigned long start,
> return err;
> }
>
> +/*
> + * Determine if the walk operations specified are permitted to be used for a
> + * page table walk.
> + *
> + * This check is performed on all functions which are parameterised by walk
> + * operations and exposed in include/linux/pagewalk.h.
> + *
> + * Internal memory management code can use the walk_page_range_mm() function to
> + * be able to use all page walking operations.
> + */
> +static bool check_ops_valid(const struct mm_walk_ops *ops)
> +{
> + /*
> + * The installation of PTEs is solely under the control of memory
> + * management logic and subject to many subtle locking, security and
> + * cache considerations so we cannot permit other users to do so, and
> + * certainly not for exported symbols.
> + */
> + if (ops->install_pte)
> + return false;
> +
> + return true;
or "return !!(ops->install_pte);"
> +}
Alternatively one could consider defining "struct mm_walk_internal_ops",
which would be only available in internal.h but I guess there is good
reasons to do it way it is.
> +
> +/**
> + * walk_page_range - walk page table with caller specific callbacks
> + * @mm: mm_struct representing the target process of page table walk
> + * @start: start address of the virtual address range
> + * @end: end address of the virtual address range
> + * @ops: operation to call during the walk
> + * @private: private data for callbacks' usage
> + *
> + * Recursively walk the page table tree of the process represented by @mm
> + * within the virtual address range [@start, @end). During walking, we can do
> + * some caller-specific works for each entry, by setting up pmd_entry(),
> + * pte_entry(), and/or hugetlb_entry(). If you don't set up for some of these
> + * callbacks, the associated entries/pages are just ignored.
> + * The return values of these callbacks are commonly defined like below:
> + *
> + * - 0 : succeeded to handle the current entry, and if you don't reach the
> + * end address yet, continue to walk.
> + * - >0 : succeeded to handle the current entry, and return to the caller
> + * with caller specific value.
> + * - <0 : failed to handle the current entry, and return to the caller
> + * with error code.
> + *
> + * Before starting to walk page table, some callers want to check whether
> + * they really want to walk over the current vma, typically by checking
> + * its vm_flags. walk_page_test() and @ops->test_walk() are used for this
> + * purpose.
> + *
> + * If operations need to be staged before and committed after a vma is walked,
> + * there are two callbacks, pre_vma() and post_vma(). Note that post_vma(),
> + * since it is intended to handle commit-type operations, can't return any
> + * errors.
> + *
> + * struct mm_walk keeps current values of some common data like vma and pmd,
> + * which are useful for the access from callbacks. If you want to pass some
> + * caller-specific data to callbacks, @private should be helpful.
> + *
> + * Locking:
> + * Callers of walk_page_range() and walk_page_vma() should hold @mm->mmap_lock,
> + * because these function traverse vma list and/or access to vma's data.
> + */
> +int walk_page_range(struct mm_struct *mm, unsigned long start,
> + unsigned long end, const struct mm_walk_ops *ops,
> + void *private)
> +{
> + if (!check_ops_valid(ops))
> + return -EINVAL;
> +
> + return walk_page_range_mm(mm, start, end, ops, private);
> +}
> +
> /**
> * walk_page_range_novma - walk a range of pagetables not backed by a vma
> * @mm: mm_struct representing the target process of page table walk
> @@ -494,7 +580,7 @@ int walk_page_range(struct mm_struct *mm, unsigned long start,
> * walking the kernel pages tables or page tables for firmware.
> *
> * Note: Be careful to walk the kernel pages tables, the caller may be need to
> - * take other effective approache (mmap lock may be insufficient) to prevent
> + * take other effective approaches (mmap lock may be insufficient) to prevent
> * the intermediate kernel page tables belonging to the specified address range
> * from being freed (e.g. memory hot-remove).
> */
> @@ -513,6 +599,8 @@ int walk_page_range_novma(struct mm_struct *mm, unsigned long start,
>
> if (start >= end || !walk.mm)
> return -EINVAL;
> + if (!check_ops_valid(ops))
> + return -EINVAL;
>
> /*
> * 1) For walking the user virtual address space:
> @@ -556,6 +644,8 @@ int walk_page_range_vma(struct vm_area_struct *vma, unsigned long start,
> return -EINVAL;
> if (start < vma->vm_start || end > vma->vm_end)
> return -EINVAL;
> + if (!check_ops_valid(ops))
> + return -EINVAL;
>
> process_mm_walk_lock(walk.mm, ops->walk_lock);
> process_vma_walk_lock(vma, ops->walk_lock);
> @@ -574,6 +664,8 @@ int walk_page_vma(struct vm_area_struct *vma, const struct mm_walk_ops *ops,
>
> if (!walk.mm)
> return -EINVAL;
> + if (!check_ops_valid(ops))
> + return -EINVAL;
>
> process_mm_walk_lock(walk.mm, ops->walk_lock);
> process_vma_walk_lock(vma, ops->walk_lock);
> @@ -623,6 +715,9 @@ int walk_page_mapping(struct address_space *mapping, pgoff_t first_index,
> unsigned long start_addr, end_addr;
> int err = 0;
>
> + if (!check_ops_valid(ops))
> + return -EINVAL;
> +
> lockdep_assert_held(&mapping->i_mmap_rwsem);
> vma_interval_tree_foreach(vma, &mapping->i_mmap, first_index,
> first_index + nr - 1) {
So I took a random patch set in order to learn how to compile Fedora Ark
kernel out of any upstream tree (mm in this case), thus making noise
here.
With this goal, which mainly to be able to do such thing once or twice
per release cycle:
Tested-by: Jarkko Sakkinen <jarkko@kernel.org>
BR, Jarkko
^ permalink raw reply
* Re: [PATCH v4 0/5] implement lightweight guard pages
From: SeongJae Park @ 2024-10-28 18:24 UTC (permalink / raw)
To: Lorenzo Stoakes
Cc: SeongJae Park, Andrew Morton, Liam R . Howlett, Matthew Wilcox,
Vlastimil Babka, Paul E . McKenney, Jann Horn, David Hildenbrand,
linux-mm, linux-kernel, Muchun Song, Richard Henderson,
Matt Turner, Thomas Bogendoerfer, James E . J . Bottomley,
Helge Deller, Chris Zankel, Max Filippov, Arnd Bergmann,
linux-alpha, linux-mips, linux-parisc, linux-arch, Shuah Khan,
Christian Brauner, linux-kselftest, Sidhartha Kumar, Jeff Xu,
Christoph Hellwig, linux-api, John Hubbard
In-Reply-To: <cover.1730123433.git.lorenzo.stoakes@oracle.com>
On Mon, 28 Oct 2024 14:13:26 +0000 Lorenzo Stoakes <lorenzo.stoakes@oracle.com> wrote:
> Userland library functions such as allocators and threading implementations
> often require regions of memory to act as 'guard pages' - mappings which,
> when accessed, result in a fatal signal being sent to the accessing
> process.
>
> The current means by which these are implemented is via a PROT_NONE mmap()
> mapping, which provides the required semantics however incur an overhead of
> a VMA for each such region.
>
> With a great many processes and threads, this can rapidly add up and incur
> a significant memory penalty. It also has the added problem of preventing
> merges that might otherwise be permitted.
>
> This series takes a different approach - an idea suggested by Vlasimil
> Babka (and before him David Hildenbrand and Jann Horn - perhaps more - the
Nit. s/Vlasimil/Vlastimil/ ;)
Thanks,
SJ
[...]
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox