| Message ID | 20200624175244.25837-14-catalin.marinas@arm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | arm64: Memory Tagging Extension user-space support | expand |
On Wed, 24 Jun 2020 18:52:32 +0100 Catalin Marinas <catalin.marinas@arm.com> wrote: > Similarly to arch_validate_prot() called from do_mprotect_pkey(), an > architecture may need to sanity-check the new vm_flags. > > Define a dummy function always returning true. In addition to > do_mprotect_pkey(), also invoke it from mmap_region() prior to updating > vma->vm_page_prot to allow the architecture code to veto potentially > inconsistent vm_flags. > > ... > > --- a/include/linux/mman.h > +++ b/include/linux/mman.h > @@ -103,6 +103,19 @@ static inline bool arch_validate_prot(unsigned long prot, unsigned long addr) > #define arch_validate_prot arch_validate_prot > #endif > > +#ifndef arch_validate_flags > +/* > + * This is called from mmap() and mprotect() with the updated vma->vm_flags. > + * > + * Returns true if the VM_* flags are valid. > + */ > +static inline bool arch_validate_flags(unsigned long flags) > +{ > + return true; > +} > +#define arch_validate_flags arch_validate_flags > +#endif Again, please let's nail down where the arch should define this. Otherwise, Acked-by: Andrew Morton <akpm@linux-foundation.org>
diff --git a/include/linux/mman.h b/include/linux/mman.h index 15c1162b9d65..09dd414b81b6 100644 --- a/include/linux/mman.h +++ b/include/linux/mman.h @@ -103,6 +103,19 @@ static inline bool arch_validate_prot(unsigned long prot, unsigned long addr) #define arch_validate_prot arch_validate_prot #endif +#ifndef arch_validate_flags +/* + * This is called from mmap() and mprotect() with the updated vma->vm_flags. + * + * Returns true if the VM_* flags are valid. + */ +static inline bool arch_validate_flags(unsigned long flags) +{ + return true; +} +#define arch_validate_flags arch_validate_flags +#endif + /* * Optimisation macro. It is equivalent to: * (x & bit1) ? bit2 : 0 diff --git a/mm/mmap.c b/mm/mmap.c index 59a4682ebf3f..19518a03fe9a 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -1792,6 +1792,15 @@ unsigned long mmap_region(struct file *file, unsigned long addr, vma_set_anonymous(vma); } + /* Allow architectures to sanity-check the vm_flags */ + if (!arch_validate_flags(vma->vm_flags)) { + error = -EINVAL; + if (file) + goto unmap_and_free_vma; + else + goto free_vma; + } + vma_link(mm, vma, prev, rb_link, rb_parent); /* Once vma denies write, undo our temporary denial count */ if (file) { diff --git a/mm/mprotect.c b/mm/mprotect.c index ce8b8a5eacbb..56c02beb6041 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -603,6 +603,12 @@ static int do_mprotect_pkey(unsigned long start, size_t len, goto out; } + /* Allow architectures to sanity-check the new flags */ + if (!arch_validate_flags(newflags)) { + error = -EINVAL; + goto out; + } + error = security_file_mprotect(vma, reqprot, prot); if (error) goto out;
Similarly to arch_validate_prot() called from do_mprotect_pkey(), an architecture may need to sanity-check the new vm_flags. Define a dummy function always returning true. In addition to do_mprotect_pkey(), also invoke it from mmap_region() prior to updating vma->vm_page_prot to allow the architecture code to veto potentially inconsistent vm_flags. Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> Cc: Andrew Morton <akpm@linux-foundation.org> --- Notes: v2: - Some comments updated. include/linux/mman.h | 13 +++++++++++++ mm/mmap.c | 9 +++++++++ mm/mprotect.c | 6 ++++++ 3 files changed, 28 insertions(+)