mirror of
https://github.com/torvalds/linux.git
synced 2026-04-18 06:44:00 -04:00
845e0af362
Replace the arm64 map_shadow_stack() content with a call to vm_mmap_shadow_stack(). There is no functional change. Link: https://lkml.kernel.org/r/20260225161404.3157851-3-catalin.marinas@arm.com Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> Reviewed-by: David Hildenbrand (Arm) <david@kernel.org> Reviewed-by: Mark Brown <broonie@kernel.org> Cc: Will Deacon <will@kernel.org> Cc: Albert Ou <aou@eecs.berkeley.edu> Cc: Alexandre Ghiti <alex@ghiti.fr> Cc: "Borislav Petkov (AMD)" <bp@alien8.de> Cc: Dave Hansen <dave.hansen@linux.intel.com> Cc: Deepak Gupta <debug@rivosinc.com> Cc: "Edgecombe, Rick P" <rick.p.edgecombe@intel.com> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: "Liam R. Howlett" <Liam.Howlett@oracle.com> Cc: Lorenzo Stoakes <lorenzo.stoakes@oracle.com> Cc: Michal Hocko <mhocko@suse.com> Cc: Mike Rapoport <rppt@kernel.org> Cc: Palmer Dabbelt <palmer@dabbelt.com> Cc: Paul Walmsley <pjw@kernel.org> Cc: Suren Baghdasaryan <surenb@google.com> Cc: Thomas Gleixner <tglx@kernel.org> Cc: Vlastimil Babka <vbabka@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
237 lines
5.1 KiB
C
237 lines
5.1 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
#include <linux/mm.h>
|
|
#include <linux/mman.h>
|
|
#include <linux/syscalls.h>
|
|
#include <linux/types.h>
|
|
|
|
#include <asm/cmpxchg.h>
|
|
#include <asm/cpufeature.h>
|
|
#include <asm/gcs.h>
|
|
#include <asm/page.h>
|
|
|
|
static unsigned long alloc_gcs(unsigned long addr, unsigned long size)
|
|
{
|
|
return vm_mmap_shadow_stack(addr, size, 0);
|
|
}
|
|
|
|
static unsigned long gcs_size(unsigned long size)
|
|
{
|
|
if (size)
|
|
return PAGE_ALIGN(size);
|
|
|
|
/* Allocate RLIMIT_STACK/2 with limits of PAGE_SIZE..2G */
|
|
size = PAGE_ALIGN(min_t(unsigned long long,
|
|
rlimit(RLIMIT_STACK) / 2, SZ_2G));
|
|
return max(PAGE_SIZE, size);
|
|
}
|
|
|
|
unsigned long gcs_alloc_thread_stack(struct task_struct *tsk,
|
|
const struct kernel_clone_args *args)
|
|
{
|
|
unsigned long addr, size;
|
|
|
|
if (!system_supports_gcs())
|
|
return 0;
|
|
|
|
if (!task_gcs_el0_enabled(tsk))
|
|
return 0;
|
|
|
|
if ((args->flags & (CLONE_VFORK | CLONE_VM)) != CLONE_VM) {
|
|
tsk->thread.gcspr_el0 = read_sysreg_s(SYS_GCSPR_EL0);
|
|
return 0;
|
|
}
|
|
|
|
size = args->stack_size / 2;
|
|
|
|
size = gcs_size(size);
|
|
addr = alloc_gcs(0, size);
|
|
if (IS_ERR_VALUE(addr))
|
|
return addr;
|
|
|
|
tsk->thread.gcs_base = addr;
|
|
tsk->thread.gcs_size = size;
|
|
tsk->thread.gcspr_el0 = addr + size - sizeof(u64);
|
|
|
|
return addr;
|
|
}
|
|
|
|
SYSCALL_DEFINE3(map_shadow_stack, unsigned long, addr, unsigned long, size, unsigned int, flags)
|
|
{
|
|
unsigned long alloc_size;
|
|
unsigned long __user *cap_ptr;
|
|
unsigned long cap_val;
|
|
int ret = 0;
|
|
int cap_offset;
|
|
|
|
if (!system_supports_gcs())
|
|
return -EOPNOTSUPP;
|
|
|
|
if (flags & ~(SHADOW_STACK_SET_TOKEN | SHADOW_STACK_SET_MARKER))
|
|
return -EINVAL;
|
|
|
|
if (!PAGE_ALIGNED(addr))
|
|
return -EINVAL;
|
|
|
|
if (size == 8 || !IS_ALIGNED(size, 8))
|
|
return -EINVAL;
|
|
|
|
/*
|
|
* An overflow would result in attempting to write the restore token
|
|
* to the wrong location. Not catastrophic, but just return the right
|
|
* error code and block it.
|
|
*/
|
|
alloc_size = PAGE_ALIGN(size);
|
|
if (alloc_size < size)
|
|
return -EOVERFLOW;
|
|
|
|
addr = alloc_gcs(addr, alloc_size);
|
|
if (IS_ERR_VALUE(addr))
|
|
return addr;
|
|
|
|
/*
|
|
* Put a cap token at the end of the allocated region so it
|
|
* can be switched to.
|
|
*/
|
|
if (flags & SHADOW_STACK_SET_TOKEN) {
|
|
/* Leave an extra empty frame as a top of stack marker? */
|
|
if (flags & SHADOW_STACK_SET_MARKER)
|
|
cap_offset = 2;
|
|
else
|
|
cap_offset = 1;
|
|
|
|
cap_ptr = (unsigned long __user *)(addr + size -
|
|
(cap_offset * sizeof(unsigned long)));
|
|
cap_val = GCS_CAP(cap_ptr);
|
|
|
|
put_user_gcs(cap_val, cap_ptr, &ret);
|
|
if (ret != 0) {
|
|
vm_munmap(addr, size);
|
|
return -EFAULT;
|
|
}
|
|
|
|
/*
|
|
* Ensure the new cap is ordered before standard
|
|
* memory accesses to the same location.
|
|
*/
|
|
gcsb_dsync();
|
|
}
|
|
|
|
return addr;
|
|
}
|
|
|
|
/*
|
|
* Apply the GCS mode configured for the specified task to the
|
|
* hardware.
|
|
*/
|
|
void gcs_set_el0_mode(struct task_struct *task)
|
|
{
|
|
u64 gcscre0_el1 = GCSCRE0_EL1_nTR;
|
|
|
|
if (task->thread.gcs_el0_mode & PR_SHADOW_STACK_ENABLE)
|
|
gcscre0_el1 |= GCSCRE0_EL1_RVCHKEN | GCSCRE0_EL1_PCRSEL;
|
|
|
|
if (task->thread.gcs_el0_mode & PR_SHADOW_STACK_WRITE)
|
|
gcscre0_el1 |= GCSCRE0_EL1_STREn;
|
|
|
|
if (task->thread.gcs_el0_mode & PR_SHADOW_STACK_PUSH)
|
|
gcscre0_el1 |= GCSCRE0_EL1_PUSHMEn;
|
|
|
|
write_sysreg_s(gcscre0_el1, SYS_GCSCRE0_EL1);
|
|
}
|
|
|
|
void gcs_free(struct task_struct *task)
|
|
{
|
|
if (!system_supports_gcs())
|
|
return;
|
|
|
|
if (!task->mm || task->mm != current->mm)
|
|
return;
|
|
|
|
if (task->thread.gcs_base)
|
|
vm_munmap(task->thread.gcs_base, task->thread.gcs_size);
|
|
|
|
task->thread.gcspr_el0 = 0;
|
|
task->thread.gcs_base = 0;
|
|
task->thread.gcs_size = 0;
|
|
}
|
|
|
|
int arch_set_shadow_stack_status(struct task_struct *task, unsigned long arg)
|
|
{
|
|
unsigned long gcs, size;
|
|
int ret;
|
|
|
|
if (!system_supports_gcs())
|
|
return -EINVAL;
|
|
|
|
if (is_compat_thread(task_thread_info(task)))
|
|
return -EINVAL;
|
|
|
|
/* Reject unknown flags */
|
|
if (arg & ~PR_SHADOW_STACK_SUPPORTED_STATUS_MASK)
|
|
return -EINVAL;
|
|
|
|
ret = gcs_check_locked(task, arg);
|
|
if (ret != 0)
|
|
return ret;
|
|
|
|
/* If we are enabling GCS then make sure we have a stack */
|
|
if (arg & PR_SHADOW_STACK_ENABLE &&
|
|
!task_gcs_el0_enabled(task)) {
|
|
/* Do not allow GCS to be reenabled */
|
|
if (task->thread.gcs_base || task->thread.gcspr_el0)
|
|
return -EINVAL;
|
|
|
|
if (task != current)
|
|
return -EBUSY;
|
|
|
|
size = gcs_size(0);
|
|
gcs = alloc_gcs(0, size);
|
|
if (IS_ERR_VALUE(gcs))
|
|
return gcs;
|
|
|
|
task->thread.gcspr_el0 = gcs + size - sizeof(u64);
|
|
task->thread.gcs_base = gcs;
|
|
task->thread.gcs_size = size;
|
|
if (task == current)
|
|
write_sysreg_s(task->thread.gcspr_el0,
|
|
SYS_GCSPR_EL0);
|
|
}
|
|
|
|
task->thread.gcs_el0_mode = arg;
|
|
if (task == current)
|
|
gcs_set_el0_mode(task);
|
|
|
|
return 0;
|
|
}
|
|
|
|
int arch_get_shadow_stack_status(struct task_struct *task,
|
|
unsigned long __user *arg)
|
|
{
|
|
if (!system_supports_gcs())
|
|
return -EINVAL;
|
|
|
|
if (is_compat_thread(task_thread_info(task)))
|
|
return -EINVAL;
|
|
|
|
return put_user(task->thread.gcs_el0_mode, arg);
|
|
}
|
|
|
|
int arch_lock_shadow_stack_status(struct task_struct *task,
|
|
unsigned long arg)
|
|
{
|
|
if (!system_supports_gcs())
|
|
return -EINVAL;
|
|
|
|
if (is_compat_thread(task_thread_info(task)))
|
|
return -EINVAL;
|
|
|
|
/*
|
|
* We support locking unknown bits so applications can prevent
|
|
* any changes in a future proof manner.
|
|
*/
|
|
task->thread.gcs_el0_locked |= arg;
|
|
|
|
return 0;
|
|
}
|