From patchwork Fri Jun 21 20:14:59 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Kagan, Roman" X-Patchwork-Id: 13708036 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3FC66C27C4F for ; Fri, 21 Jun 2024 20:15:17 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id B37968D019C; Fri, 21 Jun 2024 16:15:16 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id AC1818D0190; Fri, 21 Jun 2024 16:15:16 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 93A0D8D019C; Fri, 21 Jun 2024 16:15:16 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0015.hostedemail.com [216.40.44.15]) by kanga.kvack.org (Postfix) with ESMTP id 6CF6C8D0190 for ; Fri, 21 Jun 2024 16:15:16 -0400 (EDT) Received: from smtpin30.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay06.hostedemail.com (Postfix) with ESMTP id E85A5A3C0A for ; Fri, 21 Jun 2024 20:15:15 +0000 (UTC) X-FDA: 82256000190.30.4A1A6F3 Received: from smtp-fw-80006.amazon.com (smtp-fw-80006.amazon.com [99.78.197.217]) by imf01.hostedemail.com (Postfix) with ESMTP id E43524001F for ; Fri, 21 Jun 2024 20:15:12 +0000 (UTC) Authentication-Results: imf01.hostedemail.com; dkim=pass header.d=amazon.de header.s=amazon201209 header.b=Tcpa6OGI; spf=pass (imf01.hostedemail.com: domain of "prvs=895821b17=rkagan@amazon.de" designates 99.78.197.217 as permitted sender) smtp.mailfrom="prvs=895821b17=rkagan@amazon.de"; dmarc=pass (policy=quarantine) header.from=amazon.de ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1719000902; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=cgWmlGVHD/WLDCXmIqfk8nrWeurU4qavflNPAcqQXUQ=; b=yUJATC1N7LLCGlxC1HFtoADaTIdQhCMX1J1iynjZP1SptP/g9YkfH4s/5dve3VR7FNmoYN +fiGHjtjoOPaa0u7AeiAq/6jTr+gZVYjMpjxM2Y/CTplK6QtR0Ijcq0GBhiTh9Qbt8R1pP 42bQxS4hhoVwDPlhEXZZbwJUYP4gr0s= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1719000902; a=rsa-sha256; cv=none; b=bKukZjnO0Jq028/C1RM+okfyK+W8XgjSVFzK01uM2Pc+K9qELBW2UZW893j84DX9YHYpoP BGc5Op3mqwEuGFZoB6d7SVFE2QVS9dv9cntghpyw5akRIxkFYNgzCzOOj2brgIAoEOHmuM rU867jDbpFaRxldnKdD+PLdXb4veGKc= ARC-Authentication-Results: i=1; imf01.hostedemail.com; dkim=pass header.d=amazon.de header.s=amazon201209 header.b=Tcpa6OGI; spf=pass (imf01.hostedemail.com: domain of "prvs=895821b17=rkagan@amazon.de" designates 99.78.197.217 as permitted sender) smtp.mailfrom="prvs=895821b17=rkagan@amazon.de"; dmarc=pass (policy=quarantine) header.from=amazon.de DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.de; i=@amazon.de; q=dns/txt; s=amazon201209; t=1719000913; x=1750536913; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=cgWmlGVHD/WLDCXmIqfk8nrWeurU4qavflNPAcqQXUQ=; b=Tcpa6OGIIVFPmuojUX1LJNt5HqxXi5LMdKL6MqynUuJjIf5doWvrNAM8 sF7TzUMuEWPp7eTe0exXO2tE13UMTw+fOinj9e3R1lTxXhAihsbMukDIh Z7j6qw6KZO9BY9eJ0TNfNb3kFnOyVHFm4MD2s4U6raatxvi8CQeJLnmtE Y=; X-IronPort-AV: E=Sophos;i="6.08,255,1712620800"; d="scan'208";a="303949657" Received: from pdx4-co-svc-p1-lb2-vlan3.amazon.com (HELO smtpout.prod.us-east-1.prod.farcaster.email.amazon.dev) ([10.25.36.214]) by smtp-border-fw-80006.pdx80.corp.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Jun 2024 20:15:10 +0000 Received: from EX19MTAUEC001.ant.amazon.com [10.0.0.204:38687] by smtpin.naws.us-east-1.prod.farcaster.email.amazon.dev [10.0.50.120:2525] with esmtp (Farcaster) id 6725e830-b8a7-4b4d-9f50-20de851c1f32; Fri, 21 Jun 2024 20:15:08 +0000 (UTC) X-Farcaster-Flow-ID: 6725e830-b8a7-4b4d-9f50-20de851c1f32 Received: from EX19D008UEA002.ant.amazon.com (10.252.134.125) by EX19MTAUEC001.ant.amazon.com (10.252.135.222) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34; Fri, 21 Jun 2024 20:15:08 +0000 Received: from EX19MTAUEA001.ant.amazon.com (10.252.134.203) by EX19D008UEA002.ant.amazon.com (10.252.134.125) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34; Fri, 21 Jun 2024 20:15:07 +0000 Received: from u40bc5e070a0153.ant.amazon.com (10.95.134.31) by mail-relay.amazon.com (10.252.134.102) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34 via Frontend Transport; Fri, 21 Jun 2024 20:15:06 +0000 From: Roman Kagan To: CC: Shuah Khan , Dragan Cvetic , Fares Mehanna , Alexander Graf , "Derek Kiernan" , , , Greg Kroah-Hartman , , David Woodhouse , Andrew Morton , Arnd Bergmann Subject: [PATCH RFC 1/3] mseal: expose interface to seal / unseal user memory ranges Date: Fri, 21 Jun 2024 22:14:59 +0200 Message-ID: <20240621201501.1059948-2-rkagan@amazon.de> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240621201501.1059948-1-rkagan@amazon.de> References: <20240621201501.1059948-1-rkagan@amazon.de> MIME-Version: 1.0 X-Rspam-User: X-Rspamd-Server: rspam04 X-Rspamd-Queue-Id: E43524001F X-Stat-Signature: oajeiftiz13izqas4mqon9fckq94bj6e X-HE-Tag: 1719000912-721771 X-HE-Meta: U2FsdGVkX1/giS+ySmA0SZBkAlpg/9JWfSoJFQJsdJJGO1TzMcrLfcwJZsNBLYg1FUzeWEu0YdCXWTiFuYB0wMRf+Tyf0WVbJA2f8eyJM7M7AUjQOxeObZ41OZt2jEkZgv0oY23faHcLDn9HLlhFO2bjFtvhFLoxKdIIxqUtw3Hhz01evR8sIqr3wQbHg3F606IjAwyoRv7WVFjeMYitwJVUVPMLJ9ejoMDv2uLso8MxkGRn8LGs9WSLlKJV6jNMSoRII9Hm5/DtUHGOi14NWYssetUr8GbclZgVUXJpwLQUJ13Fq0PXSclwTxnvnUDGookBqQTuYbQDM24L+Vq44fHI9qhvqxMeG0Jf72YDBfd34mb+NqNMmO52GZcIaPdoek4ymniZe5cdMOSMhIZbEh/h2aHfIwcS//tXFgq9r9z32C1v36XqGwTMKLuB4qClWZdL2k4aQjyDh/vHSu9xEm1+9rRb57YUFaRp0jc6AMwDFalMVeZ0m+K7wQynGUOcg+ZUKqlcNwnynRwcLRZDEIQMAXybC66GtdANem0z8A8PKoFUcs3sNF73WiNCIXzLhkeQ7WANTcZeZGpkUKNgE0sXs6R/JvNLA+zTOrnLMcmK8nC8cbbnkdKjvh8f7oo1QyP62NAPFdqxpqlhRDLtHhL9b2OMpXxHbAmlN3xwEnyUZz5jYEy2flYtun+J70h6Lc3O01WyecJISmoRk2PYjR5GZkqwtoRN9o/O8toEIraqmGh+/D4U3mj58d8fi2VUA+Vs4yPOdWr4mnQ4RBYS2uetSmJ9nEphn5UePe26aEyGAfyolqdGl+zfuqsM+e4fVoTn4r95Rv1pFCqjzNO7Y6UAdDnNuv/BUypNSPeZGu+4rAOZf/lb/II43p9g5TJ2idLEd+deOcrcgGXrs+kkXE42zDfu7hmDe47l7Wr3RE3vT0xNfRD3XQx0KLPm8I2g3CGoZlJgjJtyyNG2sBO 0LO2qRya K6kIh1tzttGVH7a5bmkBYtAtE8MqL0zEDBd3BkCrDVbA0Z569PfRBE6u7/XDh/6LcJ8KwEGY34OVjn+x3aMoHM3YwJwnkqpnN7Y7UrQtGvtZsMCMDyTgL2I33P+vJB+IqIAAN5j0Mlh2Ez2H5WKNXL+Pbe0/9dV5mZ90FWtwGKzDYlUnv5zZLY9fflzHna9Rzyh8NKWp+OBIuiYRKjUax8ZYdeXzkmJqxZGj4vBQwfV4rLM7Ckftdqv4AKLQcy3g9yBc6w0VAE8nGiMwTdyD5U0+9uzLzduPvWuN7QGGL8Y8u/XREEe44XSOw6UDpgyWX6dAhRb/hvc0Mw7lxVO2YXtZZAzb61dCITKjYT32ZWHnWrnoMXLhRUiT2pw== X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: From: Fares Mehanna To make sure the kernel mm-local mapping is untouched by the user, we will seal the VMA before changing the protection to be used by the kernel. This will guarantee that userspace can't unmap or alter this VMA while it is being used by the kernel. After the kernel is done with the secret memory, it will unseal the VMA to be able to unmap and free it. Unseal operation is not exposed to userspace. Signed-off-by: Fares Mehanna Signed-off-by: Roman Kagan --- mm/internal.h | 7 +++++ mm/mseal.c | 81 ++++++++++++++++++++++++++++++++------------------- 2 files changed, 58 insertions(+), 30 deletions(-) diff --git a/mm/internal.h b/mm/internal.h index b2c75b12014e..5278989610f5 100644 --- a/mm/internal.h +++ b/mm/internal.h @@ -1453,6 +1453,8 @@ bool can_modify_mm(struct mm_struct *mm, unsigned long start, unsigned long end); bool can_modify_mm_madv(struct mm_struct *mm, unsigned long start, unsigned long end, int behavior); +/* mm's mmap write lock must be taken before seal/unseal operation */ +int do_mseal(unsigned long start, unsigned long end, bool seal); #else static inline int can_do_mseal(unsigned long flags) { @@ -1470,6 +1472,11 @@ static inline bool can_modify_mm_madv(struct mm_struct *mm, unsigned long start, { return true; } + +static inline int do_mseal(unsigned long start, unsigned long end, bool seal) +{ + return -EINVAL; +} #endif #ifdef CONFIG_SHRINKER_DEBUG diff --git a/mm/mseal.c b/mm/mseal.c index bf783bba8ed0..331745ac7064 100644 --- a/mm/mseal.c +++ b/mm/mseal.c @@ -26,6 +26,11 @@ static inline void set_vma_sealed(struct vm_area_struct *vma) vm_flags_set(vma, VM_SEALED); } +static inline void clear_vma_sealed(struct vm_area_struct *vma) +{ + vm_flags_clear(vma, VM_SEALED); +} + /* * check if a vma is sealed for modification. * return true, if modification is allowed. @@ -109,7 +114,7 @@ bool can_modify_mm_madv(struct mm_struct *mm, unsigned long start, unsigned long static int mseal_fixup(struct vma_iterator *vmi, struct vm_area_struct *vma, struct vm_area_struct **prev, unsigned long start, - unsigned long end, vm_flags_t newflags) + unsigned long end, vm_flags_t newflags, bool seal) { int ret = 0; vm_flags_t oldflags = vma->vm_flags; @@ -123,7 +128,10 @@ static int mseal_fixup(struct vma_iterator *vmi, struct vm_area_struct *vma, goto out; } - set_vma_sealed(vma); + if (seal) + set_vma_sealed(vma); + else + clear_vma_sealed(vma); out: *prev = vma; return ret; @@ -159,9 +167,9 @@ static int check_mm_seal(unsigned long start, unsigned long end) } /* - * Apply sealing. + * Apply sealing / unsealing. */ -static int apply_mm_seal(unsigned long start, unsigned long end) +static int apply_mm_seal(unsigned long start, unsigned long end, bool seal) { unsigned long nstart; struct vm_area_struct *vma, *prev; @@ -183,11 +191,14 @@ static int apply_mm_seal(unsigned long start, unsigned long end) unsigned long tmp; vm_flags_t newflags; - newflags = vma->vm_flags | VM_SEALED; + if (seal) + newflags = vma->vm_flags | VM_SEALED; + else + newflags = vma->vm_flags & ~(VM_SEALED); tmp = vma->vm_end; if (tmp > end) tmp = end; - error = mseal_fixup(&vmi, vma, &prev, nstart, tmp, newflags); + error = mseal_fixup(&vmi, vma, &prev, nstart, tmp, newflags, seal); if (error) return error; nstart = vma_iter_end(&vmi); @@ -196,6 +207,37 @@ static int apply_mm_seal(unsigned long start, unsigned long end) return 0; } +int do_mseal(unsigned long start, unsigned long end, bool seal) +{ + int ret; + + if (end < start) + return -EINVAL; + + if (end == start) + return 0; + + /* + * First pass, this helps to avoid + * partial sealing in case of error in input address range, + * e.g. ENOMEM error. + */ + ret = check_mm_seal(start, end); + if (ret) + goto out; + + /* + * Second pass, this should success, unless there are errors + * from vma_modify_flags, e.g. merge/split error, or process + * reaching the max supported VMAs, however, those cases shall + * be rare. + */ + ret = apply_mm_seal(start, end, seal); + +out: + return ret; +} + /* * mseal(2) seals the VM's meta data from * selected syscalls. @@ -248,7 +290,7 @@ static int apply_mm_seal(unsigned long start, unsigned long end) * * unseal() is not supported. */ -static int do_mseal(unsigned long start, size_t len_in, unsigned long flags) +static int __do_mseal(unsigned long start, size_t len_in, unsigned long flags) { size_t len; int ret = 0; @@ -269,33 +311,12 @@ static int do_mseal(unsigned long start, size_t len_in, unsigned long flags) return -EINVAL; end = start + len; - if (end < start) - return -EINVAL; - - if (end == start) - return 0; if (mmap_write_lock_killable(mm)) return -EINTR; - /* - * First pass, this helps to avoid - * partial sealing in case of error in input address range, - * e.g. ENOMEM error. - */ - ret = check_mm_seal(start, end); - if (ret) - goto out; + ret = do_mseal(start, end, true); - /* - * Second pass, this should success, unless there are errors - * from vma_modify_flags, e.g. merge/split error, or process - * reaching the max supported VMAs, however, those cases shall - * be rare. - */ - ret = apply_mm_seal(start, end); - -out: mmap_write_unlock(current->mm); return ret; } @@ -303,5 +324,5 @@ static int do_mseal(unsigned long start, size_t len_in, unsigned long flags) SYSCALL_DEFINE3(mseal, unsigned long, start, size_t, len, unsigned long, flags) { - return do_mseal(start, len, flags); + return __do_mseal(start, len, flags); } From patchwork Fri Jun 21 20:15:00 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Kagan, Roman" X-Patchwork-Id: 13708037 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 614B8C2BD05 for ; Fri, 21 Jun 2024 20:15:19 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id E1E608D019D; Fri, 21 Jun 2024 16:15:18 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id DCE948D0190; Fri, 21 Jun 2024 16:15:18 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id BAB208D019D; Fri, 21 Jun 2024 16:15:18 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0010.hostedemail.com [216.40.44.10]) by kanga.kvack.org (Postfix) with ESMTP id 924D88D0190 for ; Fri, 21 Jun 2024 16:15:18 -0400 (EDT) Received: from smtpin09.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay02.hostedemail.com (Postfix) with ESMTP id 4D10D121148 for ; Fri, 21 Jun 2024 20:15:18 +0000 (UTC) X-FDA: 82256000316.09.3EE39EA Received: from smtp-fw-6001.amazon.com (smtp-fw-6001.amazon.com [52.95.48.154]) by imf21.hostedemail.com (Postfix) with ESMTP id 42E5F1C0010 for ; Fri, 21 Jun 2024 20:15:16 +0000 (UTC) Authentication-Results: imf21.hostedemail.com; dkim=pass header.d=amazon.de header.s=amazon201209 header.b="gB/KkC7o"; dmarc=pass (policy=quarantine) header.from=amazon.de; spf=pass (imf21.hostedemail.com: domain of "prvs=895821b17=rkagan@amazon.de" designates 52.95.48.154 as permitted sender) smtp.mailfrom="prvs=895821b17=rkagan@amazon.de" ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1719000904; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=8A8fBnTBJUktIhE7t/qfVb2lWMxrmgjjk5MKWEGnJ74=; b=YlQNQdYVukEDekD4OP+2cd/9yxHDhqc6DKxMsL2hxpwyvSkyZOpOmZUlP6DLX9mdIK8PCp UEShnIprYFMMZAgj/gYObfrjF0CqboJf834VDy3HMMmgvPwV8CF+a0754MryssO7L1E7bu eBxq/hstRyF3h0OAthPuAqAkFNIpt5k= ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1719000904; a=rsa-sha256; cv=none; b=NkXCLsc8SuBRrCrV7yjWRY5rFQnOvpQLQma3d9uxo9bwtibSWaId/lujPfZwfl0IJfjq1I Fma5shLtdYjFRTrZ2UFV2TiUPxENaID+CX9CcJId5u4KwPu/zWqM3pCIH5wQRidkBJn3iy UggQcOYD6N8PEudh5N4jsGC1ZSgkDyc= ARC-Authentication-Results: i=1; imf21.hostedemail.com; dkim=pass header.d=amazon.de header.s=amazon201209 header.b="gB/KkC7o"; dmarc=pass (policy=quarantine) header.from=amazon.de; spf=pass (imf21.hostedemail.com: domain of "prvs=895821b17=rkagan@amazon.de" designates 52.95.48.154 as permitted sender) smtp.mailfrom="prvs=895821b17=rkagan@amazon.de" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.de; i=@amazon.de; q=dns/txt; s=amazon201209; t=1719000917; x=1750536917; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=8A8fBnTBJUktIhE7t/qfVb2lWMxrmgjjk5MKWEGnJ74=; b=gB/KkC7oeMGCCpFEHJNhmD+BvJk1BNlXoqtuO5uxXQmJmcb/P8/yDOxJ 7z5e6dewyPO5/6LYEUFFM2QUyN6nn6saebiswR0+lq5a3kddcgIjQtBGR A2yI7z1S2mpBWlWcQ0hdLubXoyEzD5KPuMnBZv2dOlmYUFkMcdwFeuE+Y I=; X-IronPort-AV: E=Sophos;i="6.08,255,1712620800"; d="scan'208";a="404915380" Received: from iad12-co-svc-p1-lb1-vlan2.amazon.com (HELO smtpout.prod.us-east-1.prod.farcaster.email.amazon.dev) ([10.43.8.2]) by smtp-border-fw-6001.iad6.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Jun 2024 20:15:14 +0000 Received: from EX19MTAUEA001.ant.amazon.com [10.0.29.78:50033] by smtpin.naws.us-east-1.prod.farcaster.email.amazon.dev [10.0.42.217:2525] with esmtp (Farcaster) id 96bdc7d3-11c3-449e-b050-961be9d82a02; Fri, 21 Jun 2024 20:15:13 +0000 (UTC) X-Farcaster-Flow-ID: 96bdc7d3-11c3-449e-b050-961be9d82a02 Received: from EX19D008UEA004.ant.amazon.com (10.252.134.191) by EX19MTAUEA001.ant.amazon.com (10.252.134.203) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34; Fri, 21 Jun 2024 20:15:10 +0000 Received: from EX19MTAUEA001.ant.amazon.com (10.252.134.203) by EX19D008UEA004.ant.amazon.com (10.252.134.191) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34; Fri, 21 Jun 2024 20:15:09 +0000 Received: from u40bc5e070a0153.ant.amazon.com (10.95.134.31) by mail-relay.amazon.com (10.252.134.102) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34 via Frontend Transport; Fri, 21 Jun 2024 20:15:08 +0000 From: Roman Kagan To: CC: Shuah Khan , Dragan Cvetic , Fares Mehanna , Alexander Graf , "Derek Kiernan" , , , Greg Kroah-Hartman , , David Woodhouse , Andrew Morton , Arnd Bergmann Subject: [PATCH RFC 2/3] mm/secretmem: implement mm-local kernel allocations Date: Fri, 21 Jun 2024 22:15:00 +0200 Message-ID: <20240621201501.1059948-3-rkagan@amazon.de> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240621201501.1059948-1-rkagan@amazon.de> References: <20240621201501.1059948-1-rkagan@amazon.de> MIME-Version: 1.0 X-Rspamd-Server: rspam07 X-Rspamd-Queue-Id: 42E5F1C0010 X-Stat-Signature: 8o75hqr6yiqzsq1nxxj6k7e6tc157caw X-Rspam-User: X-HE-Tag: 1719000916-245504 X-HE-Meta: U2FsdGVkX18bpGdYrvclH8eMGuUEPzGLasguebJwAmZtjHWgggU8eCQ7jOUbN8IWGZUUlV+M83AJ/F80XYDbKmDBLQneavhx4wW/u4KxWNhnEv35bxfutie8hJl+ldKFL9U7+SElBcebGQq3YUzAjJIHuUppx/38f743oIZKDPzLgOZRDuIiI/0hPDW8Se5V5HUQort6fXJBNHf500sjpnvLYY9+42zTDx9ug5OJJ8eaKm38K40bbf+ei0/VRr6ISg7TFzF6HvZzGN+AY8Lxo+unGurjxn3E6ql45Ca2P4iWsrncwGjdDXPrDwyiTgAi9otace1y+vYmHndoMU3/AzZxwjdISJDSZBjoIqHZRa4ChmxILnKQxKwmSrscLvE5NEHtC2yBTQ2AIumpn5yWQ6H37SFR4SuRk7iwigXCpol/nHIqEL9zR+BAbSRu1oiylzF1lH0P6NQyr653LWCVk+NYUXypPYpTfPVbO3Jzyr2kjjC/osceLSGTZv/5uKLSahVbTXWIHwIsFFebbcetINXsZq+z0SYkDmt/oDDkFX1SmX7HK5fMgg4aePZahWYywBvWsfxd+/2+2gDQqhvm7Nm76svmk7LOl0c4hyfC+XZ36C0lrVYLtYTOimek8o+7nuvzmojOa7kkEvzptrdlg4ozN+aK3nzU7LO+1t8cAYYEYCOAo9OGbbkCy0whd79DaiEbYQwxWjnGFKtWi3J/2aoUYEFXNHO3WxRMxHjMNd0zGb2ZxF/YAm8BDa2VbCy8t6RHaTo0R/D1P6IziqXtAp39ZIsDkoSqBV08RKNFGargTqAUeE4Pa0S32pn159GSSsicc/tWBXvHKD78qlmUIfnbLAYSu8FX/rOvaQq6+cmpp0Usgw8y5zzyc94uRSnzfDaYchh157Bkz2qEki3Xic2EI+bWjAn3IL1wCM/M4m4LDlOf8/ZHbD3FsFXpsY1pUoT9wEm+qzBQR0FY2nZ /7PRSGHG wj1psq+hWRRxN3kMC+Tmo3k/YBQ0M3zGuBbfBNmoiMD57kE0lFlRlvrp1S/GHNBlPBh6Q2hFZM1u/NKUu4QqAM0F1QdFWfHrudSe56hm9I9c1Kd4IUWGY5O+And2rjFDsK/oEEFO2e4rslOhTywDT80AETwkfB7fC8TUfxvhDuzCoUF/pSysrUrhKqYIiuuxC1TSc7qid2eOpmNQ6SJe2omYAFUYiQsVkA8NcU4OjzyKCDrcmeOI+Pru/uyMF3VNccEyww++rk5G+R6I9ccB2xbdP2NAoYyMHkRKDMpu5/QNfAvdppN8RY0O7P4RUEcncrOJVRMa3V6IH7HiJwnYjvF3+JzvMQC+hlXP1ThBfUyjkyR8= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: From: Fares Mehanna In order to be resilient against cross-process speculation-based attacks, it makes sense to store certain (secret) items in kernel memory local to mm. Implement such allocations on top of secretmem infrastructure. Specifically, on allocate 1. Create secretmem file. 2. To distinguish it from the conventional memfd_secret()-created one and to maintain associated mm-local allocation context, put the latter on ->private_data of the file. 3. Create virtual mapping in user virtual address space using mmap(). 4. Seal the virtual mapping to disallow the user from affecting it in any way. 5. Fault the pages in, effectively calling secretmem fault handler to remove the pages from kernel linear address and make them local to process mm. 6. Change the PTE from user mode to kernel mode, any access from userspace will result in segmentation fault. Kernel can access this virtual address now. 7. Return the secure area as a struct containing the pointer to the actual memory and providing the context for the release function later. On release, - if called while mm is still in use, remove the mapping - otherwise, if performed at mm teardown, no unmapping is necessary The rest is taken care of by secretmem file cleanup, including returning the pages to the kernel direct map. Signed-off-by: Fares Mehanna Signed-off-by: Roman Kagan --- include/linux/secretmem.h | 8 ++ mm/gup.c | 4 +- mm/secretmem.c | 208 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 218 insertions(+), 2 deletions(-) diff --git a/include/linux/secretmem.h b/include/linux/secretmem.h index e918f96881f5..c6d65b5a89bd 100644 --- a/include/linux/secretmem.h +++ b/include/linux/secretmem.h @@ -4,6 +4,10 @@ #ifdef CONFIG_SECRETMEM +struct secretmem_area { + void *ptr; +}; + extern const struct address_space_operations secretmem_aops; static inline bool secretmem_mapping(struct address_space *mapping) @@ -12,8 +16,12 @@ static inline bool secretmem_mapping(struct address_space *mapping) } bool vma_is_secretmem(struct vm_area_struct *vma); +bool can_access_secretmem_vma(struct vm_area_struct *vma); bool secretmem_active(void); +struct secretmem_area *secretmem_allocate_pages(unsigned int order); +void secretmem_release_pages(struct secretmem_area *data); + #else static inline bool vma_is_secretmem(struct vm_area_struct *vma) diff --git a/mm/gup.c b/mm/gup.c index ca0f5cedce9b..ccf28b7baab9 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -1172,7 +1172,7 @@ struct page *follow_page(struct vm_area_struct *vma, unsigned long address, struct follow_page_context ctx = { NULL }; struct page *page; - if (vma_is_secretmem(vma)) + if (!can_access_secretmem_vma(vma)) return NULL; if (WARN_ON_ONCE(foll_flags & FOLL_PIN)) @@ -1377,7 +1377,7 @@ static int check_vma_flags(struct vm_area_struct *vma, unsigned long gup_flags) if ((gup_flags & FOLL_LONGTERM) && vma_is_fsdax(vma)) return -EOPNOTSUPP; - if (vma_is_secretmem(vma)) + if (!can_access_secretmem_vma(vma)) return -EFAULT; if (write) { diff --git a/mm/secretmem.c b/mm/secretmem.c index 3afb5ad701e1..de6860a0cb1b 100644 --- a/mm/secretmem.c +++ b/mm/secretmem.c @@ -13,13 +13,17 @@ #include #include #include +#include #include #include #include #include #include +#include +#include #include +#include #include @@ -42,6 +46,15 @@ MODULE_PARM_DESC(secretmem_enable, static atomic_t secretmem_users; +/* secretmem file private context */ +struct secretmem_ctx { + struct secretmem_area _area; + struct page **_pages; + unsigned long _nr_pages; + struct file *_file; + struct mm_struct *_mm; +}; + bool secretmem_active(void) { return !!atomic_read(&secretmem_users); @@ -116,6 +129,7 @@ static const struct vm_operations_struct secretmem_vm_ops = { static int secretmem_release(struct inode *inode, struct file *file) { + kfree(file->private_data); atomic_dec(&secretmem_users); return 0; } @@ -123,13 +137,23 @@ static int secretmem_release(struct inode *inode, struct file *file) static int secretmem_mmap(struct file *file, struct vm_area_struct *vma) { unsigned long len = vma->vm_end - vma->vm_start; + struct secretmem_ctx *ctx = file->private_data; + unsigned long kernel_no_permissions; + + kernel_no_permissions = (VM_READ | VM_WRITE | VM_EXEC | VM_MAYEXEC); if ((vma->vm_flags & (VM_SHARED | VM_MAYSHARE)) == 0) return -EINVAL; + if (ctx && (vma->vm_flags & kernel_no_permissions)) + return -EINVAL; + if (!mlock_future_ok(vma->vm_mm, vma->vm_flags | VM_LOCKED, len)) return -EAGAIN; + if (ctx) + vm_flags_set(vma, VM_MIXEDMAP); + vm_flags_set(vma, VM_LOCKED | VM_DONTDUMP); vma->vm_ops = &secretmem_vm_ops; @@ -141,6 +165,24 @@ bool vma_is_secretmem(struct vm_area_struct *vma) return vma->vm_ops == &secretmem_vm_ops; } +bool can_access_secretmem_vma(struct vm_area_struct *vma) +{ + struct secretmem_ctx *ctx; + + if (!vma_is_secretmem(vma)) + return true; + + /* + * If VMA is owned by running process, and marked for kernel + * usage, then allow access. + */ + ctx = vma->vm_file->private_data; + if (ctx && current->mm == vma->vm_mm) + return true; + + return false; +} + static const struct file_operations secretmem_fops = { .release = secretmem_release, .mmap = secretmem_mmap, @@ -230,6 +272,172 @@ static struct file *secretmem_file_create(unsigned long flags) return file; } +struct secretmem_area *secretmem_allocate_pages(unsigned int order) +{ + unsigned long uvaddr, uvaddr_inc, unused, nr_pages, bytes_length; + struct file *kernel_secfile; + struct vm_area_struct *vma; + struct secretmem_ctx *ctx; + struct page **sec_pages; + struct mm_struct *mm; + long nr_pinned_pages; + pte_t pte, old_pte; + spinlock_t *ptl; + pte_t *upte; + int rc; + + nr_pages = (1 << order); + bytes_length = nr_pages * PAGE_SIZE; + mm = current->mm; + + if (!mm || !mmget_not_zero(mm)) + return NULL; + + /* Create secret memory file / truncate it */ + kernel_secfile = secretmem_file_create(0); + if (IS_ERR(kernel_secfile)) + goto put_mm; + + ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); + if (IS_ERR(ctx)) + goto close_secfile; + kernel_secfile->private_data = ctx; + + rc = do_truncate(file_mnt_idmap(kernel_secfile), + file_dentry(kernel_secfile), bytes_length, 0, NULL); + if (rc) + goto close_secfile; + + if (mmap_write_lock_killable(mm)) + goto close_secfile; + + /* Map pages to the secretmem file */ + uvaddr = do_mmap(kernel_secfile, 0, bytes_length, PROT_NONE, + MAP_SHARED, 0, 0, &unused, NULL); + if (IS_ERR_VALUE(uvaddr)) + goto unlock_mmap; + + /* mseal() the VMA to make sure it won't change */ + rc = do_mseal(uvaddr, uvaddr + bytes_length, true); + if (rc) + goto unmap_pages; + + /* Make sure VMA is there, and is kernel-secure */ + vma = find_vma(current->mm, uvaddr); + if (!vma) + goto unseal_vma; + + if (!vma_is_secretmem(vma) || + !can_access_secretmem_vma(vma)) + goto unseal_vma; + + /* Pin user pages; fault them in */ + sec_pages = kzalloc(sizeof(struct page *) * nr_pages, GFP_KERNEL); + if (!sec_pages) + goto unseal_vma; + + nr_pinned_pages = pin_user_pages(uvaddr, nr_pages, FOLL_FORCE | FOLL_LONGTERM, sec_pages); + if (nr_pinned_pages < 0) + goto free_sec_pages; + if (nr_pinned_pages != nr_pages) + goto unpin_pages; + + /* Modify the existing mapping to be kernel accessible, local to this process mm */ + uvaddr_inc = uvaddr; + while (uvaddr_inc < uvaddr + bytes_length) { + upte = get_locked_pte(mm, uvaddr_inc, &ptl); + if (!upte) + goto unpin_pages; + old_pte = ptep_modify_prot_start(vma, uvaddr_inc, upte); + pte = pte_modify(old_pte, PAGE_KERNEL); + ptep_modify_prot_commit(vma, uvaddr_inc, upte, old_pte, pte); + pte_unmap_unlock(upte, ptl); + uvaddr_inc += PAGE_SIZE; + } + flush_tlb_range(vma, uvaddr, uvaddr + bytes_length); + + /* Return data */ + mmgrab(mm); + ctx->_area.ptr = (void *) uvaddr; + ctx->_pages = sec_pages; + ctx->_nr_pages = nr_pages; + ctx->_mm = mm; + ctx->_file = kernel_secfile; + + mmap_write_unlock(mm); + mmput(mm); + + return &(ctx->_area); + +unpin_pages: + unpin_user_pages(sec_pages, nr_pinned_pages); +free_sec_pages: + kfree(sec_pages); +unseal_vma: + rc = do_mseal(uvaddr, uvaddr + bytes_length, false); + if (rc) + BUG(); +unmap_pages: + rc = do_munmap(mm, uvaddr, bytes_length, NULL); + if (rc) + BUG(); +unlock_mmap: + mmap_write_unlock(mm); +close_secfile: + fput(kernel_secfile); +put_mm: + mmput(mm); + return NULL; +} + +void secretmem_release_pages(struct secretmem_area *data) +{ + unsigned long uvaddr, bytes_length; + struct secretmem_ctx *ctx; + int rc; + + if (!data || !data->ptr) + BUG(); + + ctx = container_of(data, struct secretmem_ctx, _area); + if (!ctx || !ctx->_file || !ctx->_pages || !ctx->_mm) + BUG(); + + bytes_length = ctx->_nr_pages * PAGE_SIZE; + uvaddr = (unsigned long) data->ptr; + + /* + * Remove the mapping if mm is still in use. + * Not secure to continue if unmapping failed. + */ + if (mmget_not_zero(ctx->_mm)) { + mmap_write_lock(ctx->_mm); + rc = do_mseal(uvaddr, uvaddr + bytes_length, false); + if (rc) { + mmap_write_unlock(ctx->_mm); + BUG(); + } + rc = do_munmap(ctx->_mm, uvaddr, bytes_length, NULL); + if (rc) { + mmap_write_unlock(ctx->_mm); + BUG(); + } + mmap_write_unlock(ctx->_mm); + mmput(ctx->_mm); + } + + mmdrop(ctx->_mm); + unpin_user_pages(ctx->_pages, ctx->_nr_pages); + fput(ctx->_file); + kfree(ctx->_pages); + + ctx->_nr_pages = 0; + ctx->_pages = NULL; + ctx->_file = NULL; + ctx->_mm = NULL; + ctx->_area.ptr = NULL; +} + SYSCALL_DEFINE1(memfd_secret, unsigned int, flags) { struct file *file; From patchwork Fri Jun 21 20:15:01 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Kagan, Roman" X-Patchwork-Id: 13708038 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5E274C2BB85 for ; Fri, 21 Jun 2024 20:15:23 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id DFF3B8D019E; Fri, 21 Jun 2024 16:15:22 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id D31668D0190; Fri, 21 Jun 2024 16:15:22 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id A9A8C8D019E; Fri, 21 Jun 2024 16:15:22 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0014.hostedemail.com [216.40.44.14]) by kanga.kvack.org (Postfix) with ESMTP id 880DF8D0190 for ; Fri, 21 Jun 2024 16:15:22 -0400 (EDT) Received: from smtpin07.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay03.hostedemail.com (Postfix) with ESMTP id 39D2AA09A5 for ; Fri, 21 Jun 2024 20:15:22 +0000 (UTC) X-FDA: 82256000484.07.EC54116 Received: from smtp-fw-52005.amazon.com (smtp-fw-52005.amazon.com [52.119.213.156]) by imf14.hostedemail.com (Postfix) with ESMTP id 4052F10000C for ; Fri, 21 Jun 2024 20:15:20 +0000 (UTC) Authentication-Results: imf14.hostedemail.com; dkim=pass header.d=amazon.de header.s=amazon201209 header.b=t+pmnxLP; spf=pass (imf14.hostedemail.com: domain of "prvs=895821b17=rkagan@amazon.de" designates 52.119.213.156 as permitted sender) smtp.mailfrom="prvs=895821b17=rkagan@amazon.de"; dmarc=pass (policy=quarantine) header.from=amazon.de ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1719000915; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=sakrS84DsySzhYnlE0QEvKaSeb66y1GOVt2jX6UWYYE=; b=Vq4wqQtkYJTUK/0kXzkE1LuYMYpPPbOJMAOygGqABRLyK4JYJoRUFbK3yyvGWz9VtSv4gj JY4S88vDIBPhA/mpTufaPqmV5CUG+NPxRGviUYu6yA9sScIoMiqtdcxpJY1Mg901j23APX ER3gAkWjt1s7q6uBFr8PV19QrlhlAWQ= ARC-Authentication-Results: i=1; imf14.hostedemail.com; dkim=pass header.d=amazon.de header.s=amazon201209 header.b=t+pmnxLP; spf=pass (imf14.hostedemail.com: domain of "prvs=895821b17=rkagan@amazon.de" designates 52.119.213.156 as permitted sender) smtp.mailfrom="prvs=895821b17=rkagan@amazon.de"; dmarc=pass (policy=quarantine) header.from=amazon.de ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1719000915; a=rsa-sha256; cv=none; b=znsFCXCxWikK9KTloOYQHMFvBfgVLM5OBHtSoob1F0NxYfCtFJ1oqt2Zj4IO4N0vnhhsYi UBVHP1hPzz6V9zgHs6Mo0DZy/DJsi5H12yXSctwXQEQxWcCpARC66kgw13XnAH31QQ7XXe 1UPeFEQvy4evi0sNR2M/EJUDAsssqP4= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.de; i=@amazon.de; q=dns/txt; s=amazon201209; t=1719000920; x=1750536920; h=from:to:cc:subject:date:message-id:in-reply-to: references:mime-version:content-transfer-encoding; bh=sakrS84DsySzhYnlE0QEvKaSeb66y1GOVt2jX6UWYYE=; b=t+pmnxLPO5GZZ+MbxeYQzZ9a4NhcUOlrZmMfDVPZJ+kbR9OGg1sRi/3V z0yURIffAb9Ogt7Z3dGD41sn9psG8V+H/qnk76kZmgpLR7iDB4E/QYquL GBuI970kqPbdjBTbhnVDeCfVPVsxOoXx/maC5ojfOnAb7gxrRDTVZtgst M=; X-IronPort-AV: E=Sophos;i="6.08,255,1712620800"; d="scan'208";a="662205944" Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO smtpout.prod.us-east-1.prod.farcaster.email.amazon.dev) ([10.43.8.6]) by smtp-border-fw-52005.iad7.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Jun 2024 20:15:18 +0000 Received: from EX19MTAUEB002.ant.amazon.com [10.0.0.204:44808] by smtpin.naws.us-east-1.prod.farcaster.email.amazon.dev [10.0.94.206:2525] with esmtp (Farcaster) id 07fadb7d-beb5-4264-a68d-b24ca92dbe93; Fri, 21 Jun 2024 20:15:17 +0000 (UTC) X-Farcaster-Flow-ID: 07fadb7d-beb5-4264-a68d-b24ca92dbe93 Received: from EX19D008UEA002.ant.amazon.com (10.252.134.125) by EX19MTAUEB002.ant.amazon.com (10.252.135.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34; Fri, 21 Jun 2024 20:15:12 +0000 Received: from EX19MTAUEA001.ant.amazon.com (10.252.134.203) by EX19D008UEA002.ant.amazon.com (10.252.134.125) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34; Fri, 21 Jun 2024 20:15:11 +0000 Received: from u40bc5e070a0153.ant.amazon.com (10.95.134.31) by mail-relay.amazon.com (10.252.134.102) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34 via Frontend Transport; Fri, 21 Jun 2024 20:15:10 +0000 From: Roman Kagan To: CC: Shuah Khan , Dragan Cvetic , Fares Mehanna , Alexander Graf , "Derek Kiernan" , , , Greg Kroah-Hartman , , David Woodhouse , Andrew Morton , Arnd Bergmann Subject: [PATCH RFC 3/3] drivers/misc: add test driver and selftest for proclocal allocator Date: Fri, 21 Jun 2024 22:15:01 +0200 Message-ID: <20240621201501.1059948-4-rkagan@amazon.de> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240621201501.1059948-1-rkagan@amazon.de> References: <20240621201501.1059948-1-rkagan@amazon.de> MIME-Version: 1.0 X-Rspam-User: X-Rspamd-Server: rspam01 X-Rspamd-Queue-Id: 4052F10000C X-Stat-Signature: dd1p1emaan6smkcempwdccfuetdyotpr X-HE-Tag: 1719000920-372481 X-HE-Meta: U2FsdGVkX1/CeUHvf0XJdKX5rjD2zAMU1ZCk8AnxbrLf8Z2dNKWtpAeq5/g0g5+c9JWaoHJuTF/ouDuZIqok44Yc9wDAsMdsbrV07gZXP1f4BB+qkS49PFFee8MSQ3E24sBi/fjKknh0mfHH9TGkrDYyqhtvkQdvS7YPs1hUc9jt0PNvx28rVxiBq+f/eztny+y8ShDxAzqVYkUdNcMLiTx+Njm/g6Subvnj1Bk7kFm5xZ8X+y8CGCij2aPyz1d1IWb0Vf8kLU9/cKwbYsvzk3Wr06MXNBOGGkQIvvajUj5zpbTXvYfynaB3kJZRQBsZlYsXEKQD27lMkqE+RRxAEZkeWclnbJHlNpILUx4mFXCcSxlvTXQkoOFm/U9zIDiGWdYP1SwS5nkook4AsNA66qiXOYzhdrbIUw1Pyrsuf8A6iryB/LSMHgyTKDkGR9kA+aRcFLc+V15exU8qJBtsklfVr6LDlLRUzf2lo4TIijMIpaH/P0zaFKR6EiGNBBCLUasyvSRBWqfFzYLs5e0nmn1IF8jZxu/yD+XORWQ06gSTQ5J5suDQOm55GomnXG975X8RDa9oK4Yqg5PgpfBcHswK7f0N1zlX543UorcDzKVwZAiCxHAy6lRtnXmk7U8H9DyQZyeptFUa1qP6aAYpPQXUOgoBSDoWcMFJQA4FNLqDfP2wSNrVzZLjTyIkZDKrd2rr2VxyUsdzblAV23Xe4dHBQakxySIxPbFyJGgREKFXPVGMrqR3Ac4JSZRV3KptfhyW61F5zuB1aHfDFHNYxCNRHl7JCF2MtkuAI50ikEIIP/gc6oHjA9jcjot2c7prCuP02kngoKuTJxLeUeesykf8q529GH3WoInqr6IuPycZoNCAlnaUYcN24qFJDPbBVoXGoyAqXVluq/lZAtVzbt6/rsKgA3kztcoAUjxKbCD2quhQzFiiphEzJCYIKsa8jhQB5t2HSilDnXL+lJx 6+AynHVd APix4lqFcgbQdpuvG0dF+Wum1RuZvnL1H5gyXAS+Bm8M6WSZLY4jUPDGLcR5/w8QM90dpk7Zu/XIzp7lW+IemhSC/yOvOAhtcADVQQwyj7KM9h3l+zXBAeL0ms6rGWUdfVGm1OLegJx5zzwHQ+lXAGfWnZMesvNjNZKqj4ALn8Mjl6/9U8ES6utT+vKGGXnQz5dBEyo4BXB8YJyCN5nQUoVwjqFYUiZszp/lkTlEqcXtLg5itMoQCswWTwuwjOT11dugC145O77cLvIqYuNKh/2nZw21q1Nw7WWggOSYT4GeepDH+1vk8em7mBzKuMdqUaTZYTE1OQoufrPcu+P1slDhUIyvncT9GC+85mld5jDke5/E2ILY2QzAnYrCTz057vwJ8itscBTSj7gjHAJzUm8EEfRr5QSMrmBDGdlI/N7H+Us0= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: Introduce a simple driver for functional and stress testing of proclocal kernel allocator. The driver exposes a device node /dev/proclocal-test, which allows userland programs to request creation of proclocal areas and to obtain their addresses as seen by the kernel, and in addition to read and write kernel memory at arbitrary address content (simplified /dev/kmem good enough to access proclocal allocations under selftest responsibility). The driver is not meant for use with production kernels, as it exposes internal kernel pointers and data. Also add a basic selftest that uses this driver. Signed-off-by: Roman Kagan --- drivers/misc/Makefile | 1 + tools/testing/selftests/proclocal/Makefile | 6 + drivers/misc/proclocal-test.c | 200 ++++++++++++++++++ .../selftests/proclocal/proclocal-test.c | 150 +++++++++++++ drivers/misc/Kconfig | 15 ++ tools/testing/selftests/proclocal/.gitignore | 1 + 6 files changed, 373 insertions(+) create mode 100644 tools/testing/selftests/proclocal/Makefile create mode 100644 drivers/misc/proclocal-test.c create mode 100644 tools/testing/selftests/proclocal/proclocal-test.c create mode 100644 tools/testing/selftests/proclocal/.gitignore diff --git a/drivers/misc/Makefile b/drivers/misc/Makefile index 153a3f4837e8..33c244cee92d 100644 --- a/drivers/misc/Makefile +++ b/drivers/misc/Makefile @@ -69,3 +69,4 @@ obj-$(CONFIG_TMR_INJECT) += xilinx_tmr_inject.o obj-$(CONFIG_TPS6594_ESM) += tps6594-esm.o obj-$(CONFIG_TPS6594_PFSM) += tps6594-pfsm.o obj-$(CONFIG_NSM) += nsm.o +obj-$(CONFIG_PROCLOCAL_TEST) += proclocal-test.o diff --git a/tools/testing/selftests/proclocal/Makefile b/tools/testing/selftests/proclocal/Makefile new file mode 100644 index 000000000000..b93baecee762 --- /dev/null +++ b/tools/testing/selftests/proclocal/Makefile @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: GPL-2.0 + +TEST_GEN_PROGS := proclocal-test +CFLAGS += -O2 -g -Wall $(KHDR_INCLUDES) + +include ../lib.mk diff --git a/drivers/misc/proclocal-test.c b/drivers/misc/proclocal-test.c new file mode 100644 index 000000000000..9b3d0ed9b2f9 --- /dev/null +++ b/drivers/misc/proclocal-test.c @@ -0,0 +1,200 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* Copyright (C) 2024 Amazon.com, Inc. or its affiliates. All rights reserved. + * Author: Roman Kagan + * + * test driver for proclocal memory allocator + */ + +#include +#include +#include +#include +#include +#include + +struct proclocal_test_alloc { + u64 size; + u64 ptr; +}; + +#define PROCLOCAL_TEST_ALLOC _IOWR('A', 0x10, struct proclocal_test_alloc) + +#define BOUNCE_BUF_SIZE PAGE_SIZE + +struct proclocal_test { + struct secretmem_area *area; + size_t size; + void *bounce; +}; + +static int proclocal_test_open(struct inode *inode, struct file *f) +{ + struct proclocal_test *plt; + + plt = kzalloc(sizeof(*plt), GFP_KERNEL); + if (!plt) + return -ENOMEM; + + plt->bounce = kmalloc(BOUNCE_BUF_SIZE, GFP_KERNEL); + if (!plt->bounce) { + kfree(plt); + return -ENOMEM; + } + + f->f_mode |= FMODE_UNSIGNED_OFFSET; + f->private_data = plt; + return 0; +} + +static int proclocal_test_release(struct inode *inode, struct file *f) +{ + struct proclocal_test *plt = f->private_data; + if (plt->area) + secretmem_release_pages(plt->area); + kfree(plt->bounce); + kfree(plt); + return 0; +} + +static ssize_t proclocal_test_read(struct file *f, char __user *buf, + size_t count, loff_t *ppos) +{ + struct proclocal_test *plt = f->private_data; + const void *p = (const void *)*ppos; + ssize_t ret = -EFAULT; + + if (p + count < p) + return -EINVAL; + + while (count) { + size_t chunk = min_t(size_t, count, BOUNCE_BUF_SIZE); + size_t left; + + /* + * copy_to_user() disables superuser checks, so need to copy to + * bounce buffer first to test the access + */ + memcpy(plt->bounce, p, chunk); + + left = copy_to_user(buf, plt->bounce, chunk); + if (left == chunk) + goto out; + chunk -= left; + + buf += chunk; + p += chunk; + count -= chunk; + } + + ret = p - (const void *)*ppos; + *ppos = (loff_t)p; +out: + return ret; +} + +static ssize_t proclocal_test_write(struct file *f, const char __user *buf, + size_t count, loff_t *ppos) +{ + struct proclocal_test *plt = f->private_data; + void *p = (void *)*ppos; + ssize_t ret = -EFAULT; + + if (p + count < p) + return -EINVAL; + + while (count) { + size_t chunk = min_t(size_t, count, BOUNCE_BUF_SIZE); + size_t left; + + /* + * copy_from_user() disables superuser checks, so need to copy + * to bounce buffer first to test the access + */ + left = copy_from_user(plt->bounce, buf, chunk); + if (left == chunk) + goto out; + chunk -= left; + + memcpy(p, plt->bounce, chunk); + + buf += chunk; + p += chunk; + count -= chunk; + } + + ret = p - (void *)*ppos; + *ppos = (loff_t)p; +out: + return ret; +} + +static long proclocal_test_alloc(struct proclocal_test *plt, + void __user *argp) +{ + struct proclocal_test_alloc pta; + unsigned long pages_needed; + + if (plt->size) + return -EEXIST; + + if (copy_from_user(&pta, argp, sizeof(pta))) + return -EFAULT; + + if (!pta.size) + return -EINVAL; + + pages_needed = (pta.size + PAGE_SIZE - 1) / PAGE_SIZE; + plt->area = secretmem_allocate_pages(fls(pages_needed - 1)); + if (!plt->area) + return -ENOMEM; + + plt->size = pta.size; + + pta.ptr = (u64)plt->area->ptr; + if (copy_to_user(argp, &pta, sizeof(pta))) + goto err; + + return 0; +err: + secretmem_release_pages(plt->area); + plt->area = NULL; + plt->size = 0; + return -EFAULT; +} + +static long proclocal_test_ioctl(struct file *f, unsigned int ioctl, + unsigned long arg) +{ + struct proclocal_test *plt = f->private_data; + void __user *argp = (void __user *)arg; + + switch (ioctl) { + case PROCLOCAL_TEST_ALLOC: + return proclocal_test_alloc(plt, argp); + default: + return -EINVAL; + } +} + +static const struct file_operations proclocal_test_fops = { + .owner = THIS_MODULE, + .release = proclocal_test_release, + .unlocked_ioctl = proclocal_test_ioctl, + .compat_ioctl = compat_ptr_ioctl, + .open = proclocal_test_open, + .read = proclocal_test_read, + .write = proclocal_test_write, + .llseek = no_seek_end_llseek, +}; + +static struct miscdevice proclocal_test_misc = { + .minor = MISC_DYNAMIC_MINOR, + .name = "proclocal-test", + .fops = &proclocal_test_fops, +}; +module_misc_device(proclocal_test_misc); + +MODULE_VERSION("0.0.1"); +MODULE_LICENSE("GPL v2"); +MODULE_AUTHOR("Roman Kagan"); +MODULE_DESCRIPTION("Test driver for proclocal allocator"); diff --git a/tools/testing/selftests/proclocal/proclocal-test.c b/tools/testing/selftests/proclocal/proclocal-test.c new file mode 100644 index 000000000000..386cc5d9e51a --- /dev/null +++ b/tools/testing/selftests/proclocal/proclocal-test.c @@ -0,0 +1,150 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* Copyright (C) 2024 Amazon.com, Inc. or its affiliates. All rights reserved. + * Author: Roman Kagan + * + * test for proclocal memory allocator using the corresponding test device + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include "../kselftest_harness.h" + +struct proclocal_test_alloc { + uint64_t size; + uint64_t ptr; +}; + +#define PROCLOCAL_TEST_ALLOC _IOWR('A', 0x10, struct proclocal_test_alloc) + +const char proclocal_content[] = "this is test"; +char buf[256]; + +FIXTURE(proclocal) { + int fd; + void *ptr; +}; + +FIXTURE_SETUP(proclocal) +{ + struct proclocal_test_alloc pta = { + .size = sizeof(buf), + }; + + self->fd = open("/dev/proclocal-test", O_RDWR); + ASSERT_LE(0, self->fd); + + ASSERT_LE(0, ioctl(self->fd, PROCLOCAL_TEST_ALLOC, &pta)); + + self->ptr = (void *) pta.ptr; + TH_LOG("self->ptr = %p\n", self->ptr); +} + +FIXTURE_TEARDOWN(proclocal) +{ +} + +TEST_F(proclocal, kernel_access) +{ + ASSERT_EQ((off_t)self->ptr, + lseek(self->fd, (off_t)self->ptr, SEEK_SET)); + EXPECT_EQ(sizeof(proclocal_content), + write(self->fd, + proclocal_content, sizeof(proclocal_content))); + ASSERT_EQ((off_t)self->ptr, + lseek(self->fd, (off_t)self->ptr, SEEK_SET)); + EXPECT_EQ(sizeof(proclocal_content), + read(self->fd, buf, sizeof(proclocal_content))); + EXPECT_STREQ(proclocal_content, buf); +} + +sigjmp_buf jmpbuf; +void segv_handler(int signum, siginfo_t *si, void *uc) +{ + if (signum == SIGSEGV) + siglongjmp(jmpbuf, 1); +} + +TEST_F(proclocal, direct_access) +{ + bool access_succeeded; + struct sigaction sa; + + if (sigsetjmp(jmpbuf, 1) == 0) { + sa.sa_sigaction = segv_handler; + sa.sa_flags = SA_SIGINFO | SA_RESETHAND; + sigemptyset(&sa.sa_mask); + + sigaction(SIGSEGV, &sa, NULL); + + (void)((volatile char *)self->ptr)[0]; + + access_succeeded = true; + } else + access_succeeded = false; + + EXPECT_FALSE(access_succeeded); +} + +#define PAGE_SIZE 0x1000 + +TEST_F(proclocal, map_over) +{ + void *ptr_page = (void *)((uintptr_t)self->ptr & ~(PAGE_SIZE - 1)); + void *map; + int errno_save; + + errno = 0; + map = mmap(ptr_page, PAGE_SIZE, PROT_NONE, + MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); + errno_save = errno; + + EXPECT_EQ(MAP_FAILED, map); + TH_LOG("errno = %d", errno_save); + + if (map != MAP_FAILED) + munmap(map, PAGE_SIZE); +} + +TEST_F(proclocal, release) +{ + EXPECT_EQ(0, close(self->fd)); +} + +TEST_F(proclocal, map_over_closed) +{ + void *ptr_page = (void *)((uintptr_t)self->ptr & ~(PAGE_SIZE - 1)); + void *map; + int errno_save; + + ASSERT_EQ(0, close(self->fd)); + + errno = 0; + map = mmap(ptr_page, PAGE_SIZE, PROT_NONE, + MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0); + errno_save = errno; + + EXPECT_EQ(ptr_page, map); + TH_LOG("errno = %d", errno_save); + + if (map != MAP_FAILED) + munmap(map, PAGE_SIZE); +} + +TEST_F(proclocal, kernel_access_closed) +{ + ASSERT_EQ(0, close(self->fd)); + self->fd = open("/dev/proclocal-test", O_RDWR); + ASSERT_LE(0, self->fd); + + ASSERT_EQ((off_t)self->ptr, + lseek(self->fd, (off_t)self->ptr, SEEK_SET)); + EXPECT_EQ(-1, read(self->fd, buf, sizeof(proclocal_content))); +} + +TEST_HARNESS_MAIN diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig index faf983680040..29a334de0ca8 100644 --- a/drivers/misc/Kconfig +++ b/drivers/misc/Kconfig @@ -585,6 +585,21 @@ config NSM To compile this driver as a module, choose M here. The module will be called nsm. +config PROCLOCAL_TEST + tristate "Proclocal allocator test driver" + depends on SECRETMEM + help + This driver allows to perform functional and stress tests for + proclocal memory allocator. It exposes /dev/proclocal-test that + userland test programs can use to create and manipulate proclocal + kernel allocations. + + To compile this driver as a module, choose M here: the module will be + called proclocal-test. + + If unsure, say N. + This driver is not meant to be used on production systems. + source "drivers/misc/c2port/Kconfig" source "drivers/misc/eeprom/Kconfig" source "drivers/misc/cb710/Kconfig" diff --git a/tools/testing/selftests/proclocal/.gitignore b/tools/testing/selftests/proclocal/.gitignore new file mode 100644 index 000000000000..47e0fdcd6e3a --- /dev/null +++ b/tools/testing/selftests/proclocal/.gitignore @@ -0,0 +1 @@ +/proclocal-test