Currently if we request a feature that is not set in the Kernel
config we fail silently and return all the available features. However,
the man page indicates we should return an EINVAL.
We need to fix this issue since we can end up with a Kernel warning
should a program request the feature UFFD_FEATURE_WP_UNPOPULATED on
a kernel with the config not set with this feature.
[ 200.812896] WARNING: CPU: 91 PID: 13634 at mm/memory.c:1660 zap_pte_range+0x43d/0x660
[ 200.820738] Modules linked in:
[ 200.869387] CPU: 91 PID: 13634 Comm: userfaultfd Kdump: loaded Not tainted 6.9.0-rc5+ #8
[ 200.877477] Hardware name: Dell Inc. PowerEdge R6525/0N7YGH, BIOS 2.7.3 03/30/2022
[ 200.885052] RIP: 0010:zap_pte_range+0x43d/0x660
Fixes: e06f1e1dd499 ("userfaultfd: wp: enabled write protection in userfaultfd API")
Signed-off-by: Audra Mitchell <audra(a)redhat.com>
---
fs/userfaultfd.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c
index eee7320ab0b0..17e409ceaa33 100644
--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -2057,7 +2057,7 @@ static int userfaultfd_api(struct userfaultfd_ctx *ctx,
goto out;
features = uffdio_api.features;
ret = -EINVAL;
- if (uffdio_api.api != UFFD_API || (features & ~UFFD_API_FEATURES))
+ if (uffdio_api.api != UFFD_API)
goto err_out;
ret = -EPERM;
if ((features & UFFD_FEATURE_EVENT_FORK) && !capable(CAP_SYS_PTRACE))
@@ -2081,6 +2081,11 @@ static int userfaultfd_api(struct userfaultfd_ctx *ctx,
uffdio_api.features &= ~UFFD_FEATURE_WP_UNPOPULATED;
uffdio_api.features &= ~UFFD_FEATURE_WP_ASYNC;
#endif
+
+ ret = -EINVAL;
+ if (features & ~uffdio_api.features)
+ goto err_out;
+
uffdio_api.ioctls = UFFD_API_IOCTLS;
ret = -EFAULT;
if (copy_to_user(buf, &uffdio_api, sizeof(uffdio_api)))
--
2.44.0
Correctable memory errors are very common on servers with large
amount of memory, and are corrected by ECC, but with two
pain points to users:
1. Correction usually happens on the fly and adds latency overhead
2. Not-fully-proved theory states excessive correctable memory
errors can develop into uncorrectable memory error.
Soft offline is kernel's additional solution for memory pages
having (excessive) corrected memory errors. Impacted page is migrated
to healthy page if it is in use, then the original page is discarded
for any future use.
The actual policy on whether (and when) to soft offline should be
maintained by userspace, especially in case of an 1G HugeTLB page.
Soft-offline dissolves the HugeTLB page, either in-use or free, into
chunks of 4K pages, reducing HugeTLB pool capacity by 1 hugepage.
If userspace has not acknowledged such behavior, it may be surprised
when later mmap hugepages MAP_FAILED due to lack of hugepages.
In case of a transparent hugepage, it will be split into 4K pages
as well; userspace will stop enjoying the transparent performance.
In addition, discarding the entire 1G HugeTLB page only because of
corrected memory errors sounds very costly and kernel better not
doing under the hood. But today there are at least 2 such cases:
1. GHES driver sees both GHES_SEV_CORRECTED and
CPER_SEC_ERROR_THRESHOLD_EXCEEDED after parsing CPER.
2. RAS Correctable Errors Collector counts correctable errors per
PFN and when the counter for a PFN reaches threshold
In both cases, userspace has no control of the soft offline performed
by kernel's memory failure recovery.
This patch series give userspace the control of softofflining any page:
kernel only soft offlines raw page / transparent hugepage / HugeTLB
hugepage if userspace has agreed to. The interface to userspace is a
new sysctl called enable_soft_offline under /proc/sys/vm. By default
enable_soft_line is 1 to preserve existing behavior in kernel.
Changelog
v4 => v5:
* incorportate feedbacks from Muhammad Usama Anjum
<usama.anjum(a)collabora.com>
* refactor selftest to use what available in kselftest.h.
* update a comment in soft_offline_page.
v3 => v4:
* incorporate feedbacks from Miaohe Lin <linmiaohe(a)huawei.com>,
Andrew Morton <akpm(a)linux-foundation.org>, and
Oscar Salvador <osalvador(a)suse.de>.
* insert a refactor commit to unify soft offline's logs to follow
"Soft offline: 0x${pfn}: ${message}" format.
* some rewords in document: fail => will not perform.
* v4 is still based on commit 83a7eefedc9b ("Linux 6.10-rc3"),
akpm/mm-stable.
v2 => v3:
* incorporate feedbacks from Miaohe Lin <linmiaohe(a)huawei.com>,
Lance Yang <ioworker0(a)gmail.com>, Oscar Salvador <osalvador(a)suse.de>,
and David Rientjes <rientjes(a)google.com>.
* release potential refcount if enable_soft_offline is 0.
* soft_offline_page() returns EOPNOTSUPP if enable_soft_offline is 0.
* refactor hugetlb-soft-offline.c, for example, introduce
test_soft_offline_common to reduce repeated code.
* rewrite enable_soft_offline's documentation, adds more details about
the cost of soft-offline for transparent and hugetlb hugepages, and
components that are impacted when enable_soft_offline becomes 0.
* fix typos in commit messages.
* v3 is still based on commit 83a7eefedc9b ("Linux 6.10-rc3").
v1 => v2:
* incorporate feedbacks from both Miaohe Lin <linmiaohe(a)huawei.com> and
Jane Chu <jane.chu(a)oracle.com>.
* make the switch to control all pages, instead of HugeTLB specific.
* change the API from
/sys/kernel/mm/hugepages/hugepages-${size}kB/softoffline_corrected_errors
to /proc/sys/vm/enable_soft_offline.
* minor update to test code.
* update documentation of the user control API.
* v2 is based on commit 83a7eefedc9b ("Linux 6.10-rc3").
Jiaqi Yan (4):
mm/memory-failure: refactor log format in soft offline code
mm/memory-failure: userspace controls soft-offlining pages
selftest/mm: test enable_soft_offline behaviors
docs: mm: add enable_soft_offline sysctl
Documentation/admin-guide/sysctl/vm.rst | 32 +++
mm/memory-failure.c | 38 ++-
tools/testing/selftests/mm/.gitignore | 1 +
tools/testing/selftests/mm/Makefile | 1 +
.../selftests/mm/hugetlb-soft-offline.c | 227 ++++++++++++++++++
tools/testing/selftests/mm/run_vmtests.sh | 4 +
6 files changed, 295 insertions(+), 8 deletions(-)
create mode 100644 tools/testing/selftests/mm/hugetlb-soft-offline.c
--
2.45.2.741.gdbec12cfda-goog
In arm64 pKVM and QuIC's Gunyah protected VM model, we want to support
grabbing shmem user pages instead of using KVM's guestmemfd. These
hypervisors provide a different isolation model than the CoCo
implementations from x86. KVM's guest_memfd is focused on providing
memory that is more isolated than AVF requires. Some specific examples
include ability to pre-load data onto guest-private pages, dynamically
sharing/isolating guest pages without copy, and (future) migrating
guest-private pages. In sum of those differences after a discussion in
[1] and at PUCK, we want to try to stick with existing shmem and extend
GUP to support the isolation needs for arm64 pKVM and Gunyah. To that
end, we introduce the concept of "exclusive GUP pinning", which enforces
that only one pin of any kind is allowed when using the FOLL_EXCLUSIVE
flag is set. This behavior doesn't affect FOLL_GET or any other folio
refcount operations that don't go through the FOLL_PIN path.
[1]: https://lore.kernel.org/all/20240319143119.GA2736@willie-the-truck/
Tree with patches at:
https://git.codelinaro.org/clo/linux-kernel/gunyah-linux/-/tree/sent/exclus…
anup(a)brainfault.org, paul.walmsley(a)sifive.com,
palmer(a)dabbelt.com, aou(a)eecs.berkeley.edu, seanjc(a)google.com,
viro(a)zeniv.linux.org.uk, brauner(a)kernel.org,
willy(a)infradead.org, akpm(a)linux-foundation.org,
xiaoyao.li(a)intel.com, yilun.xu(a)intel.com,
chao.p.peng(a)linux.intel.com, jarkko(a)kernel.org,
amoorthy(a)google.com, dmatlack(a)google.com,
yu.c.zhang(a)linux.intel.com, isaku.yamahata(a)intel.com,
mic(a)digikod.net, vbabka(a)suse.cz, vannapurve(a)google.com,
ackerleytng(a)google.com, mail(a)maciej.szmigiero.name,
david(a)redhat.com, michael.roth(a)amd.com, wei.w.wang(a)intel.com,
liam.merwick(a)oracle.com, isaku.yamahata(a)gmail.com,
kirill.shutemov(a)linux.intel.com, suzuki.poulose(a)arm.com,
steven.price(a)arm.com, quic_eberman(a)quicinc.com,
quic_mnalajal(a)quicinc.com, quic_tsoni(a)quicinc.com,
quic_svaddagi(a)quicinc.com, quic_cvanscha(a)quicinc.com,
quic_pderrin(a)quicinc.com, quic_pheragu(a)quicinc.com,
catalin.marinas(a)arm.com, james.morse(a)arm.com,
yuzenghui(a)huawei.com, oliver.upton(a)linux.dev, maz(a)kernel.org,
will(a)kernel.org, qperret(a)google.com, keirf(a)google.com,
tabba(a)google.com
Signed-off-by: Elliot Berman <quic_eberman(a)quicinc.com>
---
Elliot Berman (2):
mm/gup-test: Verify exclusive pinned
mm/gup_test: Verify GUP grabs same pages twice
Fuad Tabba (3):
mm/gup: Move GUP_PIN_COUNTING_BIAS to page_ref.h
mm/gup: Add an option for obtaining an exclusive pin
mm/gup: Add support for re-pinning a normal pinned page as exclusive
include/linux/mm.h | 57 ++++----
include/linux/mm_types.h | 2 +
include/linux/page_ref.h | 74 ++++++++++
mm/Kconfig | 5 +
mm/gup.c | 265 ++++++++++++++++++++++++++++++----
mm/gup_test.c | 108 ++++++++++++++
mm/gup_test.h | 1 +
tools/testing/selftests/mm/gup_test.c | 5 +-
8 files changed, 457 insertions(+), 60 deletions(-)
---
base-commit: 6ba59ff4227927d3a8530fc2973b80e94b54d58f
change-id: 20240509-exclusive-gup-66259138bbff
Best regards,
--
Elliot Berman <quic_eberman(a)quicinc.com>
Centralizes the definition of _GNU_SOURCE into lib.mk and addresses all
resulting macro redefinition warnings.
These patches will need to be merged in one shot to avoid redefinition
warnings.
The initial attempt at this patch was abandoned because it affected
lines in many source files and caused a large amount of churn. However,
from earlier discussions, centralizing _GNU_SOURCE is still desireable.
This attempt limits the changes to 1 source file and 12 Makefiles.
v1: https://lore.kernel.org/linux-kselftest/20240430235057.1351993-1-edliaw@goo…
v2: https://lore.kernel.org/linux-kselftest/20240507214254.2787305-1-edliaw@goo…
- Add -D_GNU_SOURCE to KHDR_INCLUDES so that it is in a single
location.
- Remove #define _GNU_SOURCE from source code to resolve redefinition
warnings.
v3: https://lore.kernel.org/linux-kselftest/20240509200022.253089-1-edliaw@goog…
- Rebase onto linux-next 20240508.
- Split patches by directory.
- Add -D_GNU_SOURCE directly to CFLAGS in lib.mk.
- Delete additional _GNU_SOURCE definitions from source code in
linux-next.
- Delete additional -D_GNU_SOURCE flags from Makefiles.
v4: https://lore.kernel.org/linux-kselftest/20240510000842.410729-1-edliaw@goog…
- Rebase onto linux-next 20240509.
- Remove Fixes tag from patches that drop _GNU_SOURCE definition.
- Restore space between comment and includes for selftests/damon.
v5: https://lore.kernel.org/linux-kselftest/20240522005913.3540131-1-edliaw@goo…
- Rebase onto linux-next 20240521
- Drop initial patches that modify KHDR_INCLUDES.
- Incorporate Mark Brown's patch to replace static_assert with warning.
- Don't drop #define _GNU_SOURCE from nolibc and wireguard.
- Change Makefiles for x86 and vDSO to append to CFLAGS.
v6:
- Rewrite patch to use -D_GNU_SOURCE= form in lib.mk.
- Reduce the amount of churn significantly by allowing definition to
coexist with source code macro defines.
Edward Liaw (13):
selftests/mm: Define _GNU_SOURCE to an empty string
selftests: Add -D_GNU_SOURCE= to CFLAGS in lib.mk
selftests/net: Append to lib.mk CFLAGS in Makefile
selftests/exec: Drop redundant -D_GNU_SOURCE CFLAGS in Makefile
selftests/futex: Drop redundant -D_GNU_SOURCE CFLAGS in Makefile
selftests/intel_pstate: Drop redundant -D_GNU_SOURCE CFLAGS in
Makefile
selftests/iommu: Drop redundant -D_GNU_SOURCE CFLAGS in Makefile
selftests/kvm: Drop redundant -D_GNU_SOURCE CFLAGS in Makefile
selftests/proc: Drop redundant -D_GNU_SOURCE CFLAGS in Makefile
selftests/resctrl: Drop redundant -D_GNU_SOURCE CFLAGS in Makefile
selftests/ring-buffer: Drop redundant -D_GNU_SOURCE CFLAGS in Makefile
selftests/riscv: Drop redundant -D_GNU_SOURCE CFLAGS in Makefile
selftests/sgx: Append CFLAGS from lib.mk to HOST_CFLAGS
tools/testing/selftests/exec/Makefile | 1 -
tools/testing/selftests/futex/functional/Makefile | 2 +-
tools/testing/selftests/intel_pstate/Makefile | 2 +-
tools/testing/selftests/iommu/Makefile | 2 --
tools/testing/selftests/kvm/Makefile | 2 +-
tools/testing/selftests/lib.mk | 3 +++
tools/testing/selftests/mm/thuge-gen.c | 2 +-
tools/testing/selftests/net/Makefile | 2 +-
tools/testing/selftests/net/tcp_ao/Makefile | 2 +-
tools/testing/selftests/proc/Makefile | 1 -
tools/testing/selftests/resctrl/Makefile | 2 +-
tools/testing/selftests/ring-buffer/Makefile | 1 -
tools/testing/selftests/riscv/mm/Makefile | 2 +-
tools/testing/selftests/sgx/Makefile | 2 +-
14 files changed, 12 insertions(+), 14 deletions(-)
--
2.45.2.741.gdbec12cfda-goog
The arm64 Guarded Control Stack (GCS) feature provides support for
hardware protected stacks of return addresses, intended to provide
hardening against return oriented programming (ROP) attacks and to make
it easier to gather call stacks for applications such as profiling.
When GCS is active a secondary stack called the Guarded Control Stack is
maintained, protected with a memory attribute which means that it can
only be written with specific GCS operations. The current GCS pointer
can not be directly written to by userspace. When a BL is executed the
value stored in LR is also pushed onto the GCS, and when a RET is
executed the top of the GCS is popped and compared to LR with a fault
being raised if the values do not match. GCS operations may only be
performed on GCS pages, a data abort is generated if they are not.
The combination of hardware enforcement and lack of extra instructions
in the function entry and exit paths should result in something which
has less overhead and is more difficult to attack than a purely software
implementation like clang's shadow stacks.
This series implements support for use of GCS by userspace, along with
support for use of GCS within KVM guests. It does not enable use of GCS
by either EL1 or EL2, this will be implemented separately. Executables
are started without GCS and must use a prctl() to enable it, it is
expected that this will be done very early in application execution by
the dynamic linker or other startup code. For dynamic linking this will
be done by checking that everything in the executable is marked as GCS
compatible.
x86 has an equivalent feature called shadow stacks, this series depends
on the x86 patches for generic memory management support for the new
guarded/shadow stack page type and shares APIs as much as possible. As
there has been extensive discussion with the wider community around the
ABI for shadow stacks I have as far as practical kept implementation
decisions close to those for x86, anticipating that review would lead to
similar conclusions in the absence of strong reasoning for divergence.
The main divergence I am concious of is that x86 allows shadow stack to
be enabled and disabled repeatedly, freeing the shadow stack for the
thread whenever disabled, while this implementation keeps the GCS
allocated after disable but refuses to reenable it. This is to avoid
races with things actively walking the GCS during a disable, we do
anticipate that some systems will wish to disable GCS at runtime but are
not aware of any demand for subsequently reenabling it.
x86 uses an arch_prctl() to manage enable and disable, since only x86
and S/390 use arch_prctl() a generic prctl() was proposed[1] as part of a
patch set for the equivalent RISC-V Zicfiss feature which I initially
adopted fairly directly but following review feedback has been revised
quite a bit.
We currently maintain the x86 pattern of implicitly allocating a shadow
stack for threads started with shadow stack enabled, there has been some
discussion of removing this support and requiring the use of clone3()
with explicit allocation of shadow stacks instead. I have no strong
feelings either way, implicit allocation is not really consistent with
anything else we do and creates the potential for errors around thread
exit but on the other hand it is existing ABI on x86 and minimises the
changes needed in userspace code.
glibc and bionic changes using this ABI have been implemented and
tested. Headless Android systems have been validated and Ross Burton
has used this code has been used to bring up a Yocto system with GCS
enabed as standard, a test implementation of V8 support has also been
done.
There is an open issue with support for CRIU, on x86 this required the
ability to set the GCS mode via ptrace. This series supports
configuring mode bits other than enable/disable via ptrace but it needs
to be confirmed if this is sufficient.
The series depends on support for shadow stacks in clone3(), that series
includes the addition of ARCH_HAS_USER_SHADOW_STACK.
https://lore.kernel.org/r/20240623-clone3-shadow-stack-v6-0-9ee7783b1fb9@ke…
You can see a branch with the full set of dependencies against Linus'
tree at:
https://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc.git arm64-gcs
[1] https://lore.kernel.org/lkml/20230213045351.3945824-1-debug@rivosinc.com/
Signed-off-by: Mark Brown <broonie(a)kernel.org>
---
Changes in v9:
- Rebase onto v6.10-rc3.
- Restructure and clarify memory management fault handling.
- Fix up basic-gcs for the latest clone3() changes.
- Convert to newly merged KVM ID register based feature configuration.
- Fixes for NV traps.
- Link to v8: https://lore.kernel.org/r/20240203-arm64-gcs-v8-0-c9fec77673ef@kernel.org
Changes in v8:
- Invalidate signal cap token on stack when consuming.
- Typo and other trivial fixes.
- Don't try to use process_vm_write() on GCS, it intentionally does not
work.
- Fix leak of thread GCSs.
- Rebase onto latest clone3() series.
- Link to v7: https://lore.kernel.org/r/20231122-arm64-gcs-v7-0-201c483bd775@kernel.org
Changes in v7:
- Rebase onto v6.7-rc2 via the clone3() patch series.
- Change the token used to cap the stack during signal handling to be
compatible with GCSPOPM.
- Fix flags for new page types.
- Fold in support for clone3().
- Replace copy_to_user_gcs() with put_user_gcs().
- Link to v6: https://lore.kernel.org/r/20231009-arm64-gcs-v6-0-78e55deaa4dd@kernel.org
Changes in v6:
- Rebase onto v6.6-rc3.
- Add some more gcsb_dsync() barriers following spec clarifications.
- Due to ongoing discussion around clone()/clone3() I've not updated
anything there, the behaviour is the same as on previous versions.
- Link to v5: https://lore.kernel.org/r/20230822-arm64-gcs-v5-0-9ef181dd6324@kernel.org
Changes in v5:
- Don't map any permissions for user GCSs, we always use EL0 accessors
or use a separate mapping of the page.
- Reduce the standard size of the GCS to RLIMIT_STACK/2.
- Enforce a PAGE_SIZE alignment requirement on map_shadow_stack().
- Clarifications and fixes to documentation.
- More tests.
- Link to v4: https://lore.kernel.org/r/20230807-arm64-gcs-v4-0-68cfa37f9069@kernel.org
Changes in v4:
- Implement flags for map_shadow_stack() allowing the cap and end of
stack marker to be enabled independently or not at all.
- Relax size and alignment requirements for map_shadow_stack().
- Add more blurb explaining the advantages of hardware enforcement.
- Link to v3: https://lore.kernel.org/r/20230731-arm64-gcs-v3-0-cddf9f980d98@kernel.org
Changes in v3:
- Rebase onto v6.5-rc4.
- Add a GCS barrier on context switch.
- Add a GCS stress test.
- Link to v2: https://lore.kernel.org/r/20230724-arm64-gcs-v2-0-dc2c1d44c2eb@kernel.org
Changes in v2:
- Rebase onto v6.5-rc3.
- Rework prctl() interface to allow each bit to be locked independently.
- map_shadow_stack() now places the cap token based on the size
requested by the caller not the actual space allocated.
- Mode changes other than enable via ptrace are now supported.
- Expand test coverage.
- Various smaller fixes and adjustments.
- Link to v1: https://lore.kernel.org/r/20230716-arm64-gcs-v1-0-bf567f93bba6@kernel.org
---
Mark Brown (39):
arm64/mm: Restructure arch_validate_flags() for extensibility
prctl: arch-agnostic prctl for shadow stack
mman: Add map_shadow_stack() flags
arm64: Document boot requirements for Guarded Control Stacks
arm64/gcs: Document the ABI for Guarded Control Stacks
arm64/sysreg: Add definitions for architected GCS caps
arm64/gcs: Add manual encodings of GCS instructions
arm64/gcs: Provide put_user_gcs()
arm64/cpufeature: Runtime detection of Guarded Control Stack (GCS)
arm64/mm: Allocate PIE slots for EL0 guarded control stack
mm: Define VM_SHADOW_STACK for arm64 when we support GCS
arm64/mm: Map pages for guarded control stack
KVM: arm64: Manage GCS registers for guests
arm64/gcs: Allow GCS usage at EL0 and EL1
arm64/idreg: Add overrride for GCS
arm64/hwcap: Add hwcap for GCS
arm64/traps: Handle GCS exceptions
arm64/mm: Handle GCS data aborts
arm64/gcs: Context switch GCS state for EL0
arm64/gcs: Ensure that new threads have a GCS
arm64/gcs: Implement shadow stack prctl() interface
arm64/mm: Implement map_shadow_stack()
arm64/signal: Set up and restore the GCS context for signal handlers
arm64/signal: Expose GCS state in signal frames
arm64/ptrace: Expose GCS via ptrace and core files
arm64: Add Kconfig for Guarded Control Stack (GCS)
kselftest/arm64: Verify the GCS hwcap
kselftest: Provide shadow stack enable helpers for arm64
selftests/clone3: Enable arm64 shadow stack testing
kselftest/arm64: Add GCS as a detected feature in the signal tests
kselftest/arm64: Add framework support for GCS to signal handling tests
kselftest/arm64: Allow signals tests to specify an expected si_code
kselftest/arm64: Always run signals tests with GCS enabled
kselftest/arm64: Add very basic GCS test program
kselftest/arm64: Add a GCS test program built with the system libc
kselftest/arm64: Add test coverage for GCS mode locking
kselftest/arm64: Add GCS signal tests
kselftest/arm64: Add a GCS stress test
kselftest/arm64: Enable GCS for the FP stress tests
Documentation/admin-guide/kernel-parameters.txt | 6 +
Documentation/arch/arm64/booting.rst | 22 +
Documentation/arch/arm64/elf_hwcaps.rst | 2 +
Documentation/arch/arm64/gcs.rst | 233 +++++++
Documentation/arch/arm64/index.rst | 1 +
Documentation/filesystems/proc.rst | 2 +-
arch/arm64/Kconfig | 20 +
arch/arm64/include/asm/cpufeature.h | 6 +
arch/arm64/include/asm/el2_setup.h | 17 +
arch/arm64/include/asm/esr.h | 28 +-
arch/arm64/include/asm/exception.h | 2 +
arch/arm64/include/asm/gcs.h | 107 +++
arch/arm64/include/asm/hwcap.h | 1 +
arch/arm64/include/asm/kvm_host.h | 14 +
arch/arm64/include/asm/mman.h | 23 +-
arch/arm64/include/asm/pgtable-prot.h | 14 +-
arch/arm64/include/asm/processor.h | 7 +
arch/arm64/include/asm/sysreg.h | 20 +
arch/arm64/include/asm/uaccess.h | 40 ++
arch/arm64/include/asm/vncr_mapping.h | 2 +
arch/arm64/include/uapi/asm/hwcap.h | 1 +
arch/arm64/include/uapi/asm/ptrace.h | 8 +
arch/arm64/include/uapi/asm/sigcontext.h | 9 +
arch/arm64/kernel/cpufeature.c | 19 +
arch/arm64/kernel/cpuinfo.c | 1 +
arch/arm64/kernel/entry-common.c | 23 +
arch/arm64/kernel/pi/idreg-override.c | 2 +
arch/arm64/kernel/process.c | 85 +++
arch/arm64/kernel/ptrace.c | 59 ++
arch/arm64/kernel/signal.c | 242 ++++++-
arch/arm64/kernel/traps.c | 11 +
arch/arm64/kvm/hyp/include/hyp/sysreg-sr.h | 48 +-
arch/arm64/kvm/sys_regs.c | 25 +-
arch/arm64/mm/Makefile | 1 +
arch/arm64/mm/fault.c | 43 ++
arch/arm64/mm/gcs.c | 325 +++++++++
arch/arm64/mm/mmap.c | 13 +-
arch/arm64/tools/cpucaps | 1 +
arch/x86/include/uapi/asm/mman.h | 3 -
fs/proc/task_mmu.c | 3 +
include/linux/mm.h | 16 +-
include/uapi/asm-generic/mman.h | 4 +
include/uapi/linux/elf.h | 1 +
include/uapi/linux/prctl.h | 22 +
kernel/sys.c | 30 +
tools/testing/selftests/arm64/Makefile | 2 +-
tools/testing/selftests/arm64/abi/hwcap.c | 19 +
tools/testing/selftests/arm64/fp/assembler.h | 15 +
tools/testing/selftests/arm64/fp/fpsimd-test.S | 2 +
tools/testing/selftests/arm64/fp/sve-test.S | 2 +
tools/testing/selftests/arm64/fp/za-test.S | 2 +
tools/testing/selftests/arm64/fp/zt-test.S | 2 +
tools/testing/selftests/arm64/gcs/.gitignore | 5 +
tools/testing/selftests/arm64/gcs/Makefile | 24 +
tools/testing/selftests/arm64/gcs/asm-offsets.h | 0
tools/testing/selftests/arm64/gcs/basic-gcs.c | 357 ++++++++++
tools/testing/selftests/arm64/gcs/gcs-locking.c | 200 ++++++
.../selftests/arm64/gcs/gcs-stress-thread.S | 311 +++++++++
tools/testing/selftests/arm64/gcs/gcs-stress.c | 532 +++++++++++++++
tools/testing/selftests/arm64/gcs/gcs-util.h | 100 +++
tools/testing/selftests/arm64/gcs/libc-gcs.c | 736 +++++++++++++++++++++
tools/testing/selftests/arm64/signal/.gitignore | 1 +
.../testing/selftests/arm64/signal/test_signals.c | 17 +-
.../testing/selftests/arm64/signal/test_signals.h | 6 +
.../selftests/arm64/signal/test_signals_utils.c | 32 +-
.../selftests/arm64/signal/test_signals_utils.h | 39 ++
.../arm64/signal/testcases/gcs_exception_fault.c | 62 ++
.../selftests/arm64/signal/testcases/gcs_frame.c | 88 +++
.../arm64/signal/testcases/gcs_write_fault.c | 67 ++
.../selftests/arm64/signal/testcases/testcases.c | 7 +
.../selftests/arm64/signal/testcases/testcases.h | 1 +
tools/testing/selftests/clone3/clone3_selftests.h | 26 +
tools/testing/selftests/ksft_shstk.h | 37 ++
73 files changed, 4213 insertions(+), 41 deletions(-)
---
base-commit: 4c8cf8814957090ce50ad18f318f72e6fe0d1a32
change-id: 20230303-arm64-gcs-e311ab0d8729
Best regards,
--
Mark Brown <broonie(a)kernel.org>
The kernel has recently added support for shadow stacks, currently
x86 only using their CET feature but both arm64 and RISC-V have
equivalent features (GCS and Zicfiss respectively), I am actively
working on GCS[1]. With shadow stacks the hardware maintains an
additional stack containing only the return addresses for branch
instructions which is not generally writeable by userspace and ensures
that any returns are to the recorded addresses. This provides some
protection against ROP attacks and making it easier to collect call
stacks. These shadow stacks are allocated in the address space of the
userspace process.
Our API for shadow stacks does not currently offer userspace any
flexiblity for managing the allocation of shadow stacks for newly
created threads, instead the kernel allocates a new shadow stack with
the same size as the normal stack whenever a thread is created with the
feature enabled. The stacks allocated in this way are freed by the
kernel when the thread exits or shadow stacks are disabled for the
thread. This lack of flexibility and control isn't ideal, in the vast
majority of cases the shadow stack will be over allocated and the
implicit allocation and deallocation is not consistent with other
interfaces. As far as I can tell the interface is done in this manner
mainly because the shadow stack patches were in development since before
clone3() was implemented.
Since clone3() is readily extensible let's add support for specifying a
shadow stack when creating a new thread or process in a similar manner
to how the normal stack is specified, keeping the current implicit
allocation behaviour if one is not specified either with clone3() or
through the use of clone(). The user must provide a shadow stack
address and size, this must point to memory mapped for use as a shadow
stackby map_shadow_stack() with a shadow stack token at the top of the
stack.
Please note that the x86 portions of this code are build tested only, I
don't appear to have a system that can run CET avaible to me, I have
done testing with an integration into my pending work for GCS. There is
some possibility that the arm64 implementation may require the use of
clone3() and explicit userspace allocation of shadow stacks, this is
still under discussion.
Please further note that the token consumption done by clone3() is not
currently implemented in an atomic fashion, Rick indicated that he would
look into fixing this if people are OK with the implementation.
A new architecture feature Kconfig option for shadow stacks is added as
here, this was suggested as part of the review comments for the arm64
GCS series and since we need to detect if shadow stacks are supported it
seemed sensible to roll it in here.
[1] https://lore.kernel.org/r/20231009-arm64-gcs-v6-0-78e55deaa4dd@kernel.org/
Signed-off-by: Mark Brown <broonie(a)kernel.org>
---
Changes in v6:
- Rebase onto v6.10-rc3.
- Ensure we don't try to free the parent shadow stack in error paths of
x86 arch code.
- Spelling fixes in userspace API document.
- Additional cleanups and improvements to the clone3() tests to support
the shadow stack tests.
- Link to v5: https://lore.kernel.org/r/20240203-clone3-shadow-stack-v5-0-322c69598e4b@ke…
Changes in v5:
- Rebase onto v6.8-rc2.
- Rework ABI to have the user allocate the shadow stack memory with
map_shadow_stack() and a token.
- Force inlining of the x86 shadow stack enablement.
- Move shadow stack enablement out into a shared header for reuse by
other tests.
- Link to v4: https://lore.kernel.org/r/20231128-clone3-shadow-stack-v4-0-8b28ffe4f676@ke…
Changes in v4:
- Formatting changes.
- Use a define for minimum shadow stack size and move some basic
validation to fork.c.
- Link to v3: https://lore.kernel.org/r/20231120-clone3-shadow-stack-v3-0-a7b8ed3e2acc@ke…
Changes in v3:
- Rebase onto v6.7-rc2.
- Remove stale shadow_stack in internal kargs.
- If a shadow stack is specified unconditionally use it regardless of
CLONE_ parameters.
- Force enable shadow stacks in the selftest.
- Update changelogs for RISC-V feature rename.
- Link to v2: https://lore.kernel.org/r/20231114-clone3-shadow-stack-v2-0-b613f8681155@ke…
Changes in v2:
- Rebase onto v6.7-rc1.
- Remove ability to provide preallocated shadow stack, just specify the
desired size.
- Link to v1: https://lore.kernel.org/r/20231023-clone3-shadow-stack-v1-0-d867d0b5d4d0@ke…
---
Mark Brown (9):
Documentation: userspace-api: Add shadow stack API documentation
selftests: Provide helper header for shadow stack testing
mm: Introduce ARCH_HAS_USER_SHADOW_STACK
fork: Add shadow stack support to clone3()
selftests/clone3: Remove redundant flushes of output streams
selftests/clone3: Factor more of main loop into test_clone3()
selftests/clone3: Explicitly handle child exits due to signals
selftests/clone3: Allow tests to flag if -E2BIG is a valid error code
selftests/clone3: Test shadow stack support
Documentation/userspace-api/index.rst | 1 +
Documentation/userspace-api/shadow_stack.rst | 41 ++++
arch/x86/Kconfig | 1 +
arch/x86/include/asm/shstk.h | 11 +-
arch/x86/kernel/process.c | 2 +-
arch/x86/kernel/shstk.c | 104 +++++++---
fs/proc/task_mmu.c | 2 +-
include/linux/mm.h | 2 +-
include/linux/sched/task.h | 13 ++
include/uapi/linux/sched.h | 13 +-
kernel/fork.c | 76 ++++++--
mm/Kconfig | 6 +
tools/testing/selftests/clone3/clone3.c | 225 ++++++++++++++++++----
tools/testing/selftests/clone3/clone3_selftests.h | 40 +++-
tools/testing/selftests/ksft_shstk.h | 63 ++++++
15 files changed, 512 insertions(+), 88 deletions(-)
---
base-commit: 83a7eefedc9b56fe7bfeff13b6c7356688ffa670
change-id: 20231019-clone3-shadow-stack-15d40d2bf536
Best regards,
--
Mark Brown <broonie(a)kernel.org>
This series introduces the selftests/arm directory, which tests 32 and
64-bit kernel compatibility with 32-bit ELFs running on the Aarch platform.
The need for this bucket of tests is that 32 bit applications built on
legacy ARM architecture must not break on the new Aarch64 platforms and
the 64-bit kernel. The kernel must emulate the data structures, system
calls and the registers according to Aarch32, when running a 32-bit
process; this directory fills that testing requirement.
One may find similarity between this directory and selftests/arm64; it is
advisable to refer to that since a lot has been pulled from there itself.
The mm directory includes a test for checking 4GB limit of the virtual
address space of a process.
The signal directory contains two tests, following a common theme: mangle
with arm_cpsr, dumped by the kernel to user space while invoking the signal
handler; kernel must spot this illegal attempt and terminate the program by
SEGV.
The elf directory includes a test for checking the 32-bit status of the ELF.
The abi directory includes two ptrace tests, in the first, a 32-bit parent
debugs a 32-bit child, and in the second, a 64-bit parent debugs a 32-bit
child. The second test will be skipped when running on a 32-bit kernel.
Credits to Mark Brown for suggesting this work.
Testing:
The series has been tested on the Aarch64 kernel. For the Aarch32 kernel,
I used qemu-system-arm with machine 'vexpress-a15', along with a buildroot
rootfs; the individual statically built tests pass on that, but building
the entire test suite on that remains untested, due to my lack of
experience with qemu and rootfses.
Since I have done some changes in selftests/arm64, I have tested that
those tests do not break.
v2->v3:
- mm, elf: Split into multiple testcases
- Eliminate copying in signal/ using ifdeffery and pulling from selftests/arm64
- Delete config file, since it does not make sense for testing a 32-bit kernel
- Split ptrace in selftests/arm64, and pull some stuff from there
- Add abi tests containing ptrace and ptrace_64
- Fix build warnings in selftests/arm64 (can be applied independent of this series)
v1->v2:
- Formatting changes
- Add .gitignore files and config file
v1:
- https://lore.kernel.org/all/20240405084410.256788-1-dev.jain@arm.com/
Dev Jain (9):
selftests/arm: Add mm test
selftests/arm: Add elf test
selftests: arm, arm64: Use ifdeffery to pull signal infrastructure
selftests/arm: Add signal tests
selftests/arm64: Fix build warnings for ptrace
selftests/arm64: Split ptrace, use ifdeffery
selftests/arm: Add ptrace test
selftests/arm: Add ptrace_64 test
selftests: Add build infrastructure along with README
tools/testing/selftests/Makefile | 1 +
tools/testing/selftests/arm/Makefile | 56 ++++++++
tools/testing/selftests/arm/README | 32 +++++
tools/testing/selftests/arm/abi/.gitignore | 4 +
tools/testing/selftests/arm/abi/Makefile | 26 ++++
tools/testing/selftests/arm/abi/ptrace.c | 82 +++++++++++
tools/testing/selftests/arm/abi/ptrace.h | 57 ++++++++
tools/testing/selftests/arm/abi/ptrace_64.c | 91 ++++++++++++
.../selftests/arm/abi/trivial_32bit_program.c | 14 ++
tools/testing/selftests/arm/elf/.gitignore | 2 +
tools/testing/selftests/arm/elf/Makefile | 6 +
tools/testing/selftests/arm/elf/parse_elf.c | 77 ++++++++++
tools/testing/selftests/arm/mm/.gitignore | 2 +
tools/testing/selftests/arm/mm/Makefile | 6 +
tools/testing/selftests/arm/mm/compat_va.c | 89 ++++++++++++
tools/testing/selftests/arm/signal/.gitignore | 3 +
tools/testing/selftests/arm/signal/Makefile | 30 ++++
.../selftests/arm/signal/test_signals.c | 2 +
.../selftests/arm/signal/test_signals.h | 2 +
.../selftests/arm/signal/test_signals_utils.c | 2 +
.../selftests/arm/signal/test_signals_utils.h | 2 +
.../testcases/mangle_cpsr_invalid_aif_bits.c | 33 +++++
.../mangle_cpsr_invalid_compat_toggle.c | 29 ++++
tools/testing/selftests/arm64/abi/ptrace.c | 121 ++--------------
tools/testing/selftests/arm64/abi/ptrace.h | 135 ++++++++++++++++++
.../selftests/arm64/signal/test_signals.h | 12 ++
.../arm64/signal/test_signals_utils.c | 51 +++++--
.../arm64/signal/test_signals_utils.h | 3 +
28 files changed, 850 insertions(+), 120 deletions(-)
create mode 100644 tools/testing/selftests/arm/Makefile
create mode 100644 tools/testing/selftests/arm/README
create mode 100644 tools/testing/selftests/arm/abi/.gitignore
create mode 100644 tools/testing/selftests/arm/abi/Makefile
create mode 100644 tools/testing/selftests/arm/abi/ptrace.c
create mode 100644 tools/testing/selftests/arm/abi/ptrace.h
create mode 100644 tools/testing/selftests/arm/abi/ptrace_64.c
create mode 100644 tools/testing/selftests/arm/abi/trivial_32bit_program.c
create mode 100644 tools/testing/selftests/arm/elf/.gitignore
create mode 100644 tools/testing/selftests/arm/elf/Makefile
create mode 100644 tools/testing/selftests/arm/elf/parse_elf.c
create mode 100644 tools/testing/selftests/arm/mm/.gitignore
create mode 100644 tools/testing/selftests/arm/mm/Makefile
create mode 100644 tools/testing/selftests/arm/mm/compat_va.c
create mode 100644 tools/testing/selftests/arm/signal/.gitignore
create mode 100644 tools/testing/selftests/arm/signal/Makefile
create mode 100644 tools/testing/selftests/arm/signal/test_signals.c
create mode 100644 tools/testing/selftests/arm/signal/test_signals.h
create mode 100644 tools/testing/selftests/arm/signal/test_signals_utils.c
create mode 100644 tools/testing/selftests/arm/signal/test_signals_utils.h
create mode 100644 tools/testing/selftests/arm/signal/testcases/mangle_cpsr_invalid_aif_bits.c
create mode 100644 tools/testing/selftests/arm/signal/testcases/mangle_cpsr_invalid_compat_toggle.c
create mode 100644 tools/testing/selftests/arm64/abi/ptrace.h
--
2.39.2
This patch series fix a minor issue in a program for DAMON selftest, and
implement new functionality selftests for DAMOS tried regions and
{min,max}_nr_regions. The test for max_nr_regions also test the
recovery from online tuning-caused limit violation, which was fixed by a
previous patch [1] titled "mm/damon/core: merge regions aggressively
when max_nr_regions is unmet".
The first patch fixes a minor problem in the articial memory access
pattern generator for tests. Following 3 patches (2-4) implement
schemes tried regions test. Then a couple of patches (5-6) implementing
static setup based {min,max}_nr_regions functionality test follows.
Final two patches (7-8) implement dynamic max_nr_regions update test.
[1] https://lore.kernel.org/20240624210650.53960C2BBFC@smtp.kernel.org
SeongJae Park (8):
selftests/damon/access_memory: use user-defined region size
selftests/damon/_damon_sysfs: support schemes_update_tried_regions
selftests/damon: implement a program for even-numbered memory regions
access
selftests/damon: implement DAMOS tried regions test
selftests/damon/_damon_sysfs: implement kdamonds stop function
selftests/damon: implement test for min/max_nr_regions
_damon_sysfs: implement commit() for online parameters update
selftests/damon/damon_nr_regions: test online-tuned max_nr_regions
tools/testing/selftests/damon/Makefile | 3 +-
tools/testing/selftests/damon/_damon_sysfs.py | 65 +++++++-
tools/testing/selftests/damon/access_memory.c | 2 +-
.../selftests/damon/access_memory_even.c | 42 +++++
.../selftests/damon/damon_nr_regions.py | 145 ++++++++++++++++++
.../selftests/damon/damos_tried_regions.py | 65 ++++++++
6 files changed, 319 insertions(+), 3 deletions(-)
create mode 100644 tools/testing/selftests/damon/access_memory_even.c
create mode 100644 tools/testing/selftests/damon/damon_nr_regions.py
create mode 100644 tools/testing/selftests/damon/damos_tried_regions.py
base-commit: 99348045d11f3bac71146b381f90b0aa39855ee7
--
2.39.2