June 2024 - Linux-kselftest-mirror

[PATCH v2 1/3] Fix userfaultfd_api to return EINVAL as expected

by Audra Mitchell

Currently if we request a feature that is not set in the Kernel config we fail silently and return all the available features. However, the man page indicates we should return an EINVAL. We need to fix this issue since we can end up with a Kernel warning should a program request the feature UFFD_FEATURE_WP_UNPOPULATED on a kernel with the config not set with this feature. [ 200.812896] WARNING: CPU: 91 PID: 13634 at mm/memory.c:1660 zap_pte_range+0x43d/0x660 [ 200.820738] Modules linked in: [ 200.869387] CPU: 91 PID: 13634 Comm: userfaultfd Kdump: loaded Not tainted 6.9.0-rc5+ #8 [ 200.877477] Hardware name: Dell Inc. PowerEdge R6525/0N7YGH, BIOS 2.7.3 03/30/2022 [ 200.885052] RIP: 0010:zap_pte_range+0x43d/0x660 Fixes: e06f1e1dd499 ("userfaultfd: wp: enabled write protection in userfaultfd API") Signed-off-by: Audra Mitchell <audra(a)redhat.com> --- fs/userfaultfd.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index eee7320ab0b0..17e409ceaa33 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -2057,7 +2057,7 @@ static int userfaultfd_api(struct userfaultfd_ctx *ctx, goto out; features = uffdio_api.features; ret = -EINVAL; - if (uffdio_api.api != UFFD_API || (features & ~UFFD_API_FEATURES)) + if (uffdio_api.api != UFFD_API) goto err_out; ret = -EPERM; if ((features & UFFD_FEATURE_EVENT_FORK) && !capable(CAP_SYS_PTRACE)) @@ -2081,6 +2081,11 @@ static int userfaultfd_api(struct userfaultfd_ctx *ctx, uffdio_api.features &= ~UFFD_FEATURE_WP_UNPOPULATED; uffdio_api.features &= ~UFFD_FEATURE_WP_ASYNC; #endif + + ret = -EINVAL; + if (features & ~uffdio_api.features) + goto err_out; + uffdio_api.ioctls = UFFD_API_IOCTLS; ret = -EFAULT; if (copy_to_user(buf, &uffdio_api, sizeof(uffdio_api))) -- 2.44.0

1 week

3
13
0 0

[PATCH] selftests/alsa:Add memset to initialize memory

by Zhu Jun

Add memset to initialize the requested memory Signed-off-by: Zhu Jun <zhujun2(a)cmss.chinamobile.com> --- tools/testing/selftests/alsa/test-pcmtest-driver.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/testing/selftests/alsa/test-pcmtest-driver.c b/tools/testing/selftests/alsa/test-pcmtest-driver.c index ca81afa4ee90..0a551b5f41f7 100644 --- a/tools/testing/selftests/alsa/test-pcmtest-driver.c +++ b/tools/testing/selftests/alsa/test-pcmtest-driver.c @@ -134,6 +134,7 @@ FIXTURE_SETUP(pcmtest) { SKIP(return, "Can't read patterns. Probably, module isn't loaded"); card_name = malloc(127); + memset(card_name, 0, 127); ASSERT_NE(card_name, NULL); self->params.buffer_size = 16384; self->params.period_size = 4096; -- 2.17.1

1 week

2
1
0 0

[PATCH] selftests/alsa:Replace malloc with calloc

by Zhu Jun

Using calloc to handling memory allocation, calloc can initialize the allocated memory Signed-off-by: Zhu Jun <zhujun2(a)cmss.chinamobile.com> --- tools/testing/selftests/alsa/test-pcmtest-driver.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/testing/selftests/alsa/test-pcmtest-driver.c b/tools/testing/selftests/alsa/test-pcmtest-driver.c index ca81afa4ee90..0a551b5f41f7 100644 --- a/tools/testing/selftests/alsa/test-pcmtest-driver.c +++ b/tools/testing/selftests/alsa/test-pcmtest-driver.c @@ -134,6 +134,7 @@ FIXTURE_SETUP(pcmtest) { SKIP(return, "Can't read patterns. Probably, module isn't loaded"); card_name = malloc(127); + memset(card_name, 0, 127); ASSERT_NE(card_name, NULL); self->params.buffer_size = 16384; self->params.period_size = 4096; -- 2.17.1

1 week

2
1
0 0

[PATCH v5 0/4] Userspace controls soft-offline pages

by Jiaqi Yan

Correctable memory errors are very common on servers with large amount of memory, and are corrected by ECC, but with two pain points to users: 1. Correction usually happens on the fly and adds latency overhead 2. Not-fully-proved theory states excessive correctable memory errors can develop into uncorrectable memory error. Soft offline is kernel's additional solution for memory pages having (excessive) corrected memory errors. Impacted page is migrated to healthy page if it is in use, then the original page is discarded for any future use. The actual policy on whether (and when) to soft offline should be maintained by userspace, especially in case of an 1G HugeTLB page. Soft-offline dissolves the HugeTLB page, either in-use or free, into chunks of 4K pages, reducing HugeTLB pool capacity by 1 hugepage. If userspace has not acknowledged such behavior, it may be surprised when later mmap hugepages MAP_FAILED due to lack of hugepages. In case of a transparent hugepage, it will be split into 4K pages as well; userspace will stop enjoying the transparent performance. In addition, discarding the entire 1G HugeTLB page only because of corrected memory errors sounds very costly and kernel better not doing under the hood. But today there are at least 2 such cases: 1. GHES driver sees both GHES_SEV_CORRECTED and CPER_SEC_ERROR_THRESHOLD_EXCEEDED after parsing CPER. 2. RAS Correctable Errors Collector counts correctable errors per PFN and when the counter for a PFN reaches threshold In both cases, userspace has no control of the soft offline performed by kernel's memory failure recovery. This patch series give userspace the control of softofflining any page: kernel only soft offlines raw page / transparent hugepage / HugeTLB hugepage if userspace has agreed to. The interface to userspace is a new sysctl called enable_soft_offline under /proc/sys/vm. By default enable_soft_line is 1 to preserve existing behavior in kernel. Changelog v4 => v5: * incorportate feedbacks from Muhammad Usama Anjum <usama.anjum(a)collabora.com> * refactor selftest to use what available in kselftest.h. * update a comment in soft_offline_page. v3 => v4: * incorporate feedbacks from Miaohe Lin <linmiaohe(a)huawei.com>, Andrew Morton <akpm(a)linux-foundation.org>, and Oscar Salvador <osalvador(a)suse.de>. * insert a refactor commit to unify soft offline's logs to follow "Soft offline: 0x${pfn}: ${message}" format. * some rewords in document: fail => will not perform. * v4 is still based on commit 83a7eefedc9b ("Linux 6.10-rc3"), akpm/mm-stable. v2 => v3: * incorporate feedbacks from Miaohe Lin <linmiaohe(a)huawei.com>, Lance Yang <ioworker0(a)gmail.com>, Oscar Salvador <osalvador(a)suse.de>, and David Rientjes <rientjes(a)google.com>. * release potential refcount if enable_soft_offline is 0. * soft_offline_page() returns EOPNOTSUPP if enable_soft_offline is 0. * refactor hugetlb-soft-offline.c, for example, introduce test_soft_offline_common to reduce repeated code. * rewrite enable_soft_offline's documentation, adds more details about the cost of soft-offline for transparent and hugetlb hugepages, and components that are impacted when enable_soft_offline becomes 0. * fix typos in commit messages. * v3 is still based on commit 83a7eefedc9b ("Linux 6.10-rc3"). v1 => v2: * incorporate feedbacks from both Miaohe Lin <linmiaohe(a)huawei.com> and Jane Chu <jane.chu(a)oracle.com>. * make the switch to control all pages, instead of HugeTLB specific. * change the API from /sys/kernel/mm/hugepages/hugepages-${size}kB/softoffline_corrected_errors to /proc/sys/vm/enable_soft_offline. * minor update to test code. * update documentation of the user control API. * v2 is based on commit 83a7eefedc9b ("Linux 6.10-rc3"). Jiaqi Yan (4): mm/memory-failure: refactor log format in soft offline code mm/memory-failure: userspace controls soft-offlining pages selftest/mm: test enable_soft_offline behaviors docs: mm: add enable_soft_offline sysctl Documentation/admin-guide/sysctl/vm.rst | 32 +++ mm/memory-failure.c | 38 ++- tools/testing/selftests/mm/.gitignore | 1 + tools/testing/selftests/mm/Makefile | 1 + .../selftests/mm/hugetlb-soft-offline.c | 227 ++++++++++++++++++ tools/testing/selftests/mm/run_vmtests.sh | 4 + 6 files changed, 295 insertions(+), 8 deletions(-) create mode 100644 tools/testing/selftests/mm/hugetlb-soft-offline.c -- 2.45.2.741.gdbec12cfda-goog

1 week

3
13
0 0

[PATCH RFC 0/5] mm/gup: Introduce exclusive GUP pinning

by Elliot Berman

In arm64 pKVM and QuIC's Gunyah protected VM model, we want to support grabbing shmem user pages instead of using KVM's guestmemfd. These hypervisors provide a different isolation model than the CoCo implementations from x86. KVM's guest_memfd is focused on providing memory that is more isolated than AVF requires. Some specific examples include ability to pre-load data onto guest-private pages, dynamically sharing/isolating guest pages without copy, and (future) migrating guest-private pages. In sum of those differences after a discussion in [1] and at PUCK, we want to try to stick with existing shmem and extend GUP to support the isolation needs for arm64 pKVM and Gunyah. To that end, we introduce the concept of "exclusive GUP pinning", which enforces that only one pin of any kind is allowed when using the FOLL_EXCLUSIVE flag is set. This behavior doesn't affect FOLL_GET or any other folio refcount operations that don't go through the FOLL_PIN path. [1]: https://lore.kernel.org/all/20240319143119.GA2736@willie-the-truck/ Tree with patches at: https://git.codelinaro.org/clo/linux-kernel/gunyah-linux/-/tree/sent/exclus… anup(a)brainfault.org, paul.walmsley(a)sifive.com, palmer(a)dabbelt.com, aou(a)eecs.berkeley.edu, seanjc(a)google.com, viro(a)zeniv.linux.org.uk, brauner(a)kernel.org, willy(a)infradead.org, akpm(a)linux-foundation.org, xiaoyao.li(a)intel.com, yilun.xu(a)intel.com, chao.p.peng(a)linux.intel.com, jarkko(a)kernel.org, amoorthy(a)google.com, dmatlack(a)google.com, yu.c.zhang(a)linux.intel.com, isaku.yamahata(a)intel.com, mic(a)digikod.net, vbabka(a)suse.cz, vannapurve(a)google.com, ackerleytng(a)google.com, mail(a)maciej.szmigiero.name, david(a)redhat.com, michael.roth(a)amd.com, wei.w.wang(a)intel.com, liam.merwick(a)oracle.com, isaku.yamahata(a)gmail.com, kirill.shutemov(a)linux.intel.com, suzuki.poulose(a)arm.com, steven.price(a)arm.com, quic_eberman(a)quicinc.com, quic_mnalajal(a)quicinc.com, quic_tsoni(a)quicinc.com, quic_svaddagi(a)quicinc.com, quic_cvanscha(a)quicinc.com, quic_pderrin(a)quicinc.com, quic_pheragu(a)quicinc.com, catalin.marinas(a)arm.com, james.morse(a)arm.com, yuzenghui(a)huawei.com, oliver.upton(a)linux.dev, maz(a)kernel.org, will(a)kernel.org, qperret(a)google.com, keirf(a)google.com, tabba(a)google.com Signed-off-by: Elliot Berman <quic_eberman(a)quicinc.com> --- Elliot Berman (2): mm/gup-test: Verify exclusive pinned mm/gup_test: Verify GUP grabs same pages twice Fuad Tabba (3): mm/gup: Move GUP_PIN_COUNTING_BIAS to page_ref.h mm/gup: Add an option for obtaining an exclusive pin mm/gup: Add support for re-pinning a normal pinned page as exclusive include/linux/mm.h | 57 ++++---- include/linux/mm_types.h | 2 + include/linux/page_ref.h | 74 ++++++++++ mm/Kconfig | 5 + mm/gup.c | 265 ++++++++++++++++++++++++++++++---- mm/gup_test.c | 108 ++++++++++++++ mm/gup_test.h | 1 + tools/testing/selftests/mm/gup_test.c | 5 +- 8 files changed, 457 insertions(+), 60 deletions(-) --- base-commit: 6ba59ff4227927d3a8530fc2973b80e94b54d58f change-id: 20240509-exclusive-gup-66259138bbff Best regards, -- Elliot Berman <quic_eberman(a)quicinc.com>

1 week

11
58
0 0

[PATCH v6 00/13] Centralize _GNU_SOURCE definition into lib.mk

by Edward Liaw

Centralizes the definition of _GNU_SOURCE into lib.mk and addresses all resulting macro redefinition warnings. These patches will need to be merged in one shot to avoid redefinition warnings. The initial attempt at this patch was abandoned because it affected lines in many source files and caused a large amount of churn. However, from earlier discussions, centralizing _GNU_SOURCE is still desireable. This attempt limits the changes to 1 source file and 12 Makefiles. v1: https://lore.kernel.org/linux-kselftest/20240430235057.1351993-1-edliaw@goo… v2: https://lore.kernel.org/linux-kselftest/20240507214254.2787305-1-edliaw@goo… - Add -D_GNU_SOURCE to KHDR_INCLUDES so that it is in a single location. - Remove #define _GNU_SOURCE from source code to resolve redefinition warnings. v3: https://lore.kernel.org/linux-kselftest/20240509200022.253089-1-edliaw@goog… - Rebase onto linux-next 20240508. - Split patches by directory. - Add -D_GNU_SOURCE directly to CFLAGS in lib.mk. - Delete additional _GNU_SOURCE definitions from source code in linux-next. - Delete additional -D_GNU_SOURCE flags from Makefiles. v4: https://lore.kernel.org/linux-kselftest/20240510000842.410729-1-edliaw@goog… - Rebase onto linux-next 20240509. - Remove Fixes tag from patches that drop _GNU_SOURCE definition. - Restore space between comment and includes for selftests/damon. v5: https://lore.kernel.org/linux-kselftest/20240522005913.3540131-1-edliaw@goo… - Rebase onto linux-next 20240521 - Drop initial patches that modify KHDR_INCLUDES. - Incorporate Mark Brown's patch to replace static_assert with warning. - Don't drop #define _GNU_SOURCE from nolibc and wireguard. - Change Makefiles for x86 and vDSO to append to CFLAGS. v6: - Rewrite patch to use -D_GNU_SOURCE= form in lib.mk. - Reduce the amount of churn significantly by allowing definition to coexist with source code macro defines. Edward Liaw (13): selftests/mm: Define _GNU_SOURCE to an empty string selftests: Add -D_GNU_SOURCE= to CFLAGS in lib.mk selftests/net: Append to lib.mk CFLAGS in Makefile selftests/exec: Drop redundant -D_GNU_SOURCE CFLAGS in Makefile selftests/futex: Drop redundant -D_GNU_SOURCE CFLAGS in Makefile selftests/intel_pstate: Drop redundant -D_GNU_SOURCE CFLAGS in Makefile selftests/iommu: Drop redundant -D_GNU_SOURCE CFLAGS in Makefile selftests/kvm: Drop redundant -D_GNU_SOURCE CFLAGS in Makefile selftests/proc: Drop redundant -D_GNU_SOURCE CFLAGS in Makefile selftests/resctrl: Drop redundant -D_GNU_SOURCE CFLAGS in Makefile selftests/ring-buffer: Drop redundant -D_GNU_SOURCE CFLAGS in Makefile selftests/riscv: Drop redundant -D_GNU_SOURCE CFLAGS in Makefile selftests/sgx: Append CFLAGS from lib.mk to HOST_CFLAGS tools/testing/selftests/exec/Makefile | 1 - tools/testing/selftests/futex/functional/Makefile | 2 +- tools/testing/selftests/intel_pstate/Makefile | 2 +- tools/testing/selftests/iommu/Makefile | 2 -- tools/testing/selftests/kvm/Makefile | 2 +- tools/testing/selftests/lib.mk | 3 +++ tools/testing/selftests/mm/thuge-gen.c | 2 +- tools/testing/selftests/net/Makefile | 2 +- tools/testing/selftests/net/tcp_ao/Makefile | 2 +- tools/testing/selftests/proc/Makefile | 1 - tools/testing/selftests/resctrl/Makefile | 2 +- tools/testing/selftests/ring-buffer/Makefile | 1 - tools/testing/selftests/riscv/mm/Makefile | 2 +- tools/testing/selftests/sgx/Makefile | 2 +- 14 files changed, 12 insertions(+), 14 deletions(-) -- 2.45.2.741.gdbec12cfda-goog

1 week

3
17
0 0

[PATCH v9 00/39] arm64/gcs: Provide support for GCS in userspace

by Mark Brown

The arm64 Guarded Control Stack (GCS) feature provides support for hardware protected stacks of return addresses, intended to provide hardening against return oriented programming (ROP) attacks and to make it easier to gather call stacks for applications such as profiling. When GCS is active a secondary stack called the Guarded Control Stack is maintained, protected with a memory attribute which means that it can only be written with specific GCS operations. The current GCS pointer can not be directly written to by userspace. When a BL is executed the value stored in LR is also pushed onto the GCS, and when a RET is executed the top of the GCS is popped and compared to LR with a fault being raised if the values do not match. GCS operations may only be performed on GCS pages, a data abort is generated if they are not. The combination of hardware enforcement and lack of extra instructions in the function entry and exit paths should result in something which has less overhead and is more difficult to attack than a purely software implementation like clang's shadow stacks. This series implements support for use of GCS by userspace, along with support for use of GCS within KVM guests. It does not enable use of GCS by either EL1 or EL2, this will be implemented separately. Executables are started without GCS and must use a prctl() to enable it, it is expected that this will be done very early in application execution by the dynamic linker or other startup code. For dynamic linking this will be done by checking that everything in the executable is marked as GCS compatible. x86 has an equivalent feature called shadow stacks, this series depends on the x86 patches for generic memory management support for the new guarded/shadow stack page type and shares APIs as much as possible. As there has been extensive discussion with the wider community around the ABI for shadow stacks I have as far as practical kept implementation decisions close to those for x86, anticipating that review would lead to similar conclusions in the absence of strong reasoning for divergence. The main divergence I am concious of is that x86 allows shadow stack to be enabled and disabled repeatedly, freeing the shadow stack for the thread whenever disabled, while this implementation keeps the GCS allocated after disable but refuses to reenable it. This is to avoid races with things actively walking the GCS during a disable, we do anticipate that some systems will wish to disable GCS at runtime but are not aware of any demand for subsequently reenabling it. x86 uses an arch_prctl() to manage enable and disable, since only x86 and S/390 use arch_prctl() a generic prctl() was proposed[1] as part of a patch set for the equivalent RISC-V Zicfiss feature which I initially adopted fairly directly but following review feedback has been revised quite a bit. We currently maintain the x86 pattern of implicitly allocating a shadow stack for threads started with shadow stack enabled, there has been some discussion of removing this support and requiring the use of clone3() with explicit allocation of shadow stacks instead. I have no strong feelings either way, implicit allocation is not really consistent with anything else we do and creates the potential for errors around thread exit but on the other hand it is existing ABI on x86 and minimises the changes needed in userspace code. glibc and bionic changes using this ABI have been implemented and tested. Headless Android systems have been validated and Ross Burton has used this code has been used to bring up a Yocto system with GCS enabed as standard, a test implementation of V8 support has also been done. There is an open issue with support for CRIU, on x86 this required the ability to set the GCS mode via ptrace. This series supports configuring mode bits other than enable/disable via ptrace but it needs to be confirmed if this is sufficient. The series depends on support for shadow stacks in clone3(), that series includes the addition of ARCH_HAS_USER_SHADOW_STACK. https://lore.kernel.org/r/20240623-clone3-shadow-stack-v6-0-9ee7783b1fb9@ke… You can see a branch with the full set of dependencies against Linus' tree at: https://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc.git arm64-gcs [1] https://lore.kernel.org/lkml/20230213045351.3945824-1-debug@rivosinc.com/ Signed-off-by: Mark Brown <broonie(a)kernel.org> --- Changes in v9: - Rebase onto v6.10-rc3. - Restructure and clarify memory management fault handling. - Fix up basic-gcs for the latest clone3() changes. - Convert to newly merged KVM ID register based feature configuration. - Fixes for NV traps. - Link to v8: https://lore.kernel.org/r/20240203-arm64-gcs-v8-0-c9fec77673ef@kernel.org Changes in v8: - Invalidate signal cap token on stack when consuming. - Typo and other trivial fixes. - Don't try to use process_vm_write() on GCS, it intentionally does not work. - Fix leak of thread GCSs. - Rebase onto latest clone3() series. - Link to v7: https://lore.kernel.org/r/20231122-arm64-gcs-v7-0-201c483bd775@kernel.org Changes in v7: - Rebase onto v6.7-rc2 via the clone3() patch series. - Change the token used to cap the stack during signal handling to be compatible with GCSPOPM. - Fix flags for new page types. - Fold in support for clone3(). - Replace copy_to_user_gcs() with put_user_gcs(). - Link to v6: https://lore.kernel.org/r/20231009-arm64-gcs-v6-0-78e55deaa4dd@kernel.org Changes in v6: - Rebase onto v6.6-rc3. - Add some more gcsb_dsync() barriers following spec clarifications. - Due to ongoing discussion around clone()/clone3() I've not updated anything there, the behaviour is the same as on previous versions. - Link to v5: https://lore.kernel.org/r/20230822-arm64-gcs-v5-0-9ef181dd6324@kernel.org Changes in v5: - Don't map any permissions for user GCSs, we always use EL0 accessors or use a separate mapping of the page. - Reduce the standard size of the GCS to RLIMIT_STACK/2. - Enforce a PAGE_SIZE alignment requirement on map_shadow_stack(). - Clarifications and fixes to documentation. - More tests. - Link to v4: https://lore.kernel.org/r/20230807-arm64-gcs-v4-0-68cfa37f9069@kernel.org Changes in v4: - Implement flags for map_shadow_stack() allowing the cap and end of stack marker to be enabled independently or not at all. - Relax size and alignment requirements for map_shadow_stack(). - Add more blurb explaining the advantages of hardware enforcement. - Link to v3: https://lore.kernel.org/r/20230731-arm64-gcs-v3-0-cddf9f980d98@kernel.org Changes in v3: - Rebase onto v6.5-rc4. - Add a GCS barrier on context switch. - Add a GCS stress test. - Link to v2: https://lore.kernel.org/r/20230724-arm64-gcs-v2-0-dc2c1d44c2eb@kernel.org Changes in v2: - Rebase onto v6.5-rc3. - Rework prctl() interface to allow each bit to be locked independently. - map_shadow_stack() now places the cap token based on the size requested by the caller not the actual space allocated. - Mode changes other than enable via ptrace are now supported. - Expand test coverage. - Various smaller fixes and adjustments. - Link to v1: https://lore.kernel.org/r/20230716-arm64-gcs-v1-0-bf567f93bba6@kernel.org --- Mark Brown (39): arm64/mm: Restructure arch_validate_flags() for extensibility prctl: arch-agnostic prctl for shadow stack mman: Add map_shadow_stack() flags arm64: Document boot requirements for Guarded Control Stacks arm64/gcs: Document the ABI for Guarded Control Stacks arm64/sysreg: Add definitions for architected GCS caps arm64/gcs: Add manual encodings of GCS instructions arm64/gcs: Provide put_user_gcs() arm64/cpufeature: Runtime detection of Guarded Control Stack (GCS) arm64/mm: Allocate PIE slots for EL0 guarded control stack mm: Define VM_SHADOW_STACK for arm64 when we support GCS arm64/mm: Map pages for guarded control stack KVM: arm64: Manage GCS registers for guests arm64/gcs: Allow GCS usage at EL0 and EL1 arm64/idreg: Add overrride for GCS arm64/hwcap: Add hwcap for GCS arm64/traps: Handle GCS exceptions arm64/mm: Handle GCS data aborts arm64/gcs: Context switch GCS state for EL0 arm64/gcs: Ensure that new threads have a GCS arm64/gcs: Implement shadow stack prctl() interface arm64/mm: Implement map_shadow_stack() arm64/signal: Set up and restore the GCS context for signal handlers arm64/signal: Expose GCS state in signal frames arm64/ptrace: Expose GCS via ptrace and core files arm64: Add Kconfig for Guarded Control Stack (GCS) kselftest/arm64: Verify the GCS hwcap kselftest: Provide shadow stack enable helpers for arm64 selftests/clone3: Enable arm64 shadow stack testing kselftest/arm64: Add GCS as a detected feature in the signal tests kselftest/arm64: Add framework support for GCS to signal handling tests kselftest/arm64: Allow signals tests to specify an expected si_code kselftest/arm64: Always run signals tests with GCS enabled kselftest/arm64: Add very basic GCS test program kselftest/arm64: Add a GCS test program built with the system libc kselftest/arm64: Add test coverage for GCS mode locking kselftest/arm64: Add GCS signal tests kselftest/arm64: Add a GCS stress test kselftest/arm64: Enable GCS for the FP stress tests Documentation/admin-guide/kernel-parameters.txt | 6 + Documentation/arch/arm64/booting.rst | 22 + Documentation/arch/arm64/elf_hwcaps.rst | 2 + Documentation/arch/arm64/gcs.rst | 233 +++++++ Documentation/arch/arm64/index.rst | 1 + Documentation/filesystems/proc.rst | 2 +- arch/arm64/Kconfig | 20 + arch/arm64/include/asm/cpufeature.h | 6 + arch/arm64/include/asm/el2_setup.h | 17 + arch/arm64/include/asm/esr.h | 28 +- arch/arm64/include/asm/exception.h | 2 + arch/arm64/include/asm/gcs.h | 107 +++ arch/arm64/include/asm/hwcap.h | 1 + arch/arm64/include/asm/kvm_host.h | 14 + arch/arm64/include/asm/mman.h | 23 +- arch/arm64/include/asm/pgtable-prot.h | 14 +- arch/arm64/include/asm/processor.h | 7 + arch/arm64/include/asm/sysreg.h | 20 + arch/arm64/include/asm/uaccess.h | 40 ++ arch/arm64/include/asm/vncr_mapping.h | 2 + arch/arm64/include/uapi/asm/hwcap.h | 1 + arch/arm64/include/uapi/asm/ptrace.h | 8 + arch/arm64/include/uapi/asm/sigcontext.h | 9 + arch/arm64/kernel/cpufeature.c | 19 + arch/arm64/kernel/cpuinfo.c | 1 + arch/arm64/kernel/entry-common.c | 23 + arch/arm64/kernel/pi/idreg-override.c | 2 + arch/arm64/kernel/process.c | 85 +++ arch/arm64/kernel/ptrace.c | 59 ++ arch/arm64/kernel/signal.c | 242 ++++++- arch/arm64/kernel/traps.c | 11 + arch/arm64/kvm/hyp/include/hyp/sysreg-sr.h | 48 +- arch/arm64/kvm/sys_regs.c | 25 +- arch/arm64/mm/Makefile | 1 + arch/arm64/mm/fault.c | 43 ++ arch/arm64/mm/gcs.c | 325 +++++++++ arch/arm64/mm/mmap.c | 13 +- arch/arm64/tools/cpucaps | 1 + arch/x86/include/uapi/asm/mman.h | 3 - fs/proc/task_mmu.c | 3 + include/linux/mm.h | 16 +- include/uapi/asm-generic/mman.h | 4 + include/uapi/linux/elf.h | 1 + include/uapi/linux/prctl.h | 22 + kernel/sys.c | 30 + tools/testing/selftests/arm64/Makefile | 2 +- tools/testing/selftests/arm64/abi/hwcap.c | 19 + tools/testing/selftests/arm64/fp/assembler.h | 15 + tools/testing/selftests/arm64/fp/fpsimd-test.S | 2 + tools/testing/selftests/arm64/fp/sve-test.S | 2 + tools/testing/selftests/arm64/fp/za-test.S | 2 + tools/testing/selftests/arm64/fp/zt-test.S | 2 + tools/testing/selftests/arm64/gcs/.gitignore | 5 + tools/testing/selftests/arm64/gcs/Makefile | 24 + tools/testing/selftests/arm64/gcs/asm-offsets.h | 0 tools/testing/selftests/arm64/gcs/basic-gcs.c | 357 ++++++++++ tools/testing/selftests/arm64/gcs/gcs-locking.c | 200 ++++++ .../selftests/arm64/gcs/gcs-stress-thread.S | 311 +++++++++ tools/testing/selftests/arm64/gcs/gcs-stress.c | 532 +++++++++++++++ tools/testing/selftests/arm64/gcs/gcs-util.h | 100 +++ tools/testing/selftests/arm64/gcs/libc-gcs.c | 736 +++++++++++++++++++++ tools/testing/selftests/arm64/signal/.gitignore | 1 + .../testing/selftests/arm64/signal/test_signals.c | 17 +- .../testing/selftests/arm64/signal/test_signals.h | 6 + .../selftests/arm64/signal/test_signals_utils.c | 32 +- .../selftests/arm64/signal/test_signals_utils.h | 39 ++ .../arm64/signal/testcases/gcs_exception_fault.c | 62 ++ .../selftests/arm64/signal/testcases/gcs_frame.c | 88 +++ .../arm64/signal/testcases/gcs_write_fault.c | 67 ++ .../selftests/arm64/signal/testcases/testcases.c | 7 + .../selftests/arm64/signal/testcases/testcases.h | 1 + tools/testing/selftests/clone3/clone3_selftests.h | 26 + tools/testing/selftests/ksft_shstk.h | 37 ++ 73 files changed, 4213 insertions(+), 41 deletions(-) --- base-commit: 4c8cf8814957090ce50ad18f318f72e6fe0d1a32 change-id: 20230303-arm64-gcs-e311ab0d8729 Best regards, -- Mark Brown <broonie(a)kernel.org>

1 week

2
40
0 0

[PATCH RFT v6 0/9] fork: Support shadow stacks in clone3()

by Mark Brown

The kernel has recently added support for shadow stacks, currently x86 only using their CET feature but both arm64 and RISC-V have equivalent features (GCS and Zicfiss respectively), I am actively working on GCS[1]. With shadow stacks the hardware maintains an additional stack containing only the return addresses for branch instructions which is not generally writeable by userspace and ensures that any returns are to the recorded addresses. This provides some protection against ROP attacks and making it easier to collect call stacks. These shadow stacks are allocated in the address space of the userspace process. Our API for shadow stacks does not currently offer userspace any flexiblity for managing the allocation of shadow stacks for newly created threads, instead the kernel allocates a new shadow stack with the same size as the normal stack whenever a thread is created with the feature enabled. The stacks allocated in this way are freed by the kernel when the thread exits or shadow stacks are disabled for the thread. This lack of flexibility and control isn't ideal, in the vast majority of cases the shadow stack will be over allocated and the implicit allocation and deallocation is not consistent with other interfaces. As far as I can tell the interface is done in this manner mainly because the shadow stack patches were in development since before clone3() was implemented. Since clone3() is readily extensible let's add support for specifying a shadow stack when creating a new thread or process in a similar manner to how the normal stack is specified, keeping the current implicit allocation behaviour if one is not specified either with clone3() or through the use of clone(). The user must provide a shadow stack address and size, this must point to memory mapped for use as a shadow stackby map_shadow_stack() with a shadow stack token at the top of the stack. Please note that the x86 portions of this code are build tested only, I don't appear to have a system that can run CET avaible to me, I have done testing with an integration into my pending work for GCS. There is some possibility that the arm64 implementation may require the use of clone3() and explicit userspace allocation of shadow stacks, this is still under discussion. Please further note that the token consumption done by clone3() is not currently implemented in an atomic fashion, Rick indicated that he would look into fixing this if people are OK with the implementation. A new architecture feature Kconfig option for shadow stacks is added as here, this was suggested as part of the review comments for the arm64 GCS series and since we need to detect if shadow stacks are supported it seemed sensible to roll it in here. [1] https://lore.kernel.org/r/20231009-arm64-gcs-v6-0-78e55deaa4dd@kernel.org/ Signed-off-by: Mark Brown <broonie(a)kernel.org> --- Changes in v6: - Rebase onto v6.10-rc3. - Ensure we don't try to free the parent shadow stack in error paths of x86 arch code. - Spelling fixes in userspace API document. - Additional cleanups and improvements to the clone3() tests to support the shadow stack tests. - Link to v5: https://lore.kernel.org/r/20240203-clone3-shadow-stack-v5-0-322c69598e4b@ke… Changes in v5: - Rebase onto v6.8-rc2. - Rework ABI to have the user allocate the shadow stack memory with map_shadow_stack() and a token. - Force inlining of the x86 shadow stack enablement. - Move shadow stack enablement out into a shared header for reuse by other tests. - Link to v4: https://lore.kernel.org/r/20231128-clone3-shadow-stack-v4-0-8b28ffe4f676@ke… Changes in v4: - Formatting changes. - Use a define for minimum shadow stack size and move some basic validation to fork.c. - Link to v3: https://lore.kernel.org/r/20231120-clone3-shadow-stack-v3-0-a7b8ed3e2acc@ke… Changes in v3: - Rebase onto v6.7-rc2. - Remove stale shadow_stack in internal kargs. - If a shadow stack is specified unconditionally use it regardless of CLONE_ parameters. - Force enable shadow stacks in the selftest. - Update changelogs for RISC-V feature rename. - Link to v2: https://lore.kernel.org/r/20231114-clone3-shadow-stack-v2-0-b613f8681155@ke… Changes in v2: - Rebase onto v6.7-rc1. - Remove ability to provide preallocated shadow stack, just specify the desired size. - Link to v1: https://lore.kernel.org/r/20231023-clone3-shadow-stack-v1-0-d867d0b5d4d0@ke… --- Mark Brown (9): Documentation: userspace-api: Add shadow stack API documentation selftests: Provide helper header for shadow stack testing mm: Introduce ARCH_HAS_USER_SHADOW_STACK fork: Add shadow stack support to clone3() selftests/clone3: Remove redundant flushes of output streams selftests/clone3: Factor more of main loop into test_clone3() selftests/clone3: Explicitly handle child exits due to signals selftests/clone3: Allow tests to flag if -E2BIG is a valid error code selftests/clone3: Test shadow stack support Documentation/userspace-api/index.rst | 1 + Documentation/userspace-api/shadow_stack.rst | 41 ++++ arch/x86/Kconfig | 1 + arch/x86/include/asm/shstk.h | 11 +- arch/x86/kernel/process.c | 2 +- arch/x86/kernel/shstk.c | 104 +++++++--- fs/proc/task_mmu.c | 2 +- include/linux/mm.h | 2 +- include/linux/sched/task.h | 13 ++ include/uapi/linux/sched.h | 13 +- kernel/fork.c | 76 ++++++-- mm/Kconfig | 6 + tools/testing/selftests/clone3/clone3.c | 225 ++++++++++++++++++---- tools/testing/selftests/clone3/clone3_selftests.h | 40 +++- tools/testing/selftests/ksft_shstk.h | 63 ++++++ 15 files changed, 512 insertions(+), 88 deletions(-) --- base-commit: 83a7eefedc9b56fe7bfeff13b6c7356688ffa670 change-id: 20231019-clone3-shadow-stack-15d40d2bf536 Best regards, -- Mark Brown <broonie(a)kernel.org>

1 week, 1 day

2
10
0 0

[PATCH v3 0/9] A new selftests/ directory for arm compatibility testing

by Dev Jain

This series introduces the selftests/arm directory, which tests 32 and 64-bit kernel compatibility with 32-bit ELFs running on the Aarch platform. The need for this bucket of tests is that 32 bit applications built on legacy ARM architecture must not break on the new Aarch64 platforms and the 64-bit kernel. The kernel must emulate the data structures, system calls and the registers according to Aarch32, when running a 32-bit process; this directory fills that testing requirement. One may find similarity between this directory and selftests/arm64; it is advisable to refer to that since a lot has been pulled from there itself. The mm directory includes a test for checking 4GB limit of the virtual address space of a process. The signal directory contains two tests, following a common theme: mangle with arm_cpsr, dumped by the kernel to user space while invoking the signal handler; kernel must spot this illegal attempt and terminate the program by SEGV. The elf directory includes a test for checking the 32-bit status of the ELF. The abi directory includes two ptrace tests, in the first, a 32-bit parent debugs a 32-bit child, and in the second, a 64-bit parent debugs a 32-bit child. The second test will be skipped when running on a 32-bit kernel. Credits to Mark Brown for suggesting this work. Testing: The series has been tested on the Aarch64 kernel. For the Aarch32 kernel, I used qemu-system-arm with machine 'vexpress-a15', along with a buildroot rootfs; the individual statically built tests pass on that, but building the entire test suite on that remains untested, due to my lack of experience with qemu and rootfses. Since I have done some changes in selftests/arm64, I have tested that those tests do not break. v2->v3: - mm, elf: Split into multiple testcases - Eliminate copying in signal/ using ifdeffery and pulling from selftests/arm64 - Delete config file, since it does not make sense for testing a 32-bit kernel - Split ptrace in selftests/arm64, and pull some stuff from there - Add abi tests containing ptrace and ptrace_64 - Fix build warnings in selftests/arm64 (can be applied independent of this series) v1->v2: - Formatting changes - Add .gitignore files and config file v1: - https://lore.kernel.org/all/20240405084410.256788-1-dev.jain@arm.com/ Dev Jain (9): selftests/arm: Add mm test selftests/arm: Add elf test selftests: arm, arm64: Use ifdeffery to pull signal infrastructure selftests/arm: Add signal tests selftests/arm64: Fix build warnings for ptrace selftests/arm64: Split ptrace, use ifdeffery selftests/arm: Add ptrace test selftests/arm: Add ptrace_64 test selftests: Add build infrastructure along with README tools/testing/selftests/Makefile | 1 + tools/testing/selftests/arm/Makefile | 56 ++++++++ tools/testing/selftests/arm/README | 32 +++++ tools/testing/selftests/arm/abi/.gitignore | 4 + tools/testing/selftests/arm/abi/Makefile | 26 ++++ tools/testing/selftests/arm/abi/ptrace.c | 82 +++++++++++ tools/testing/selftests/arm/abi/ptrace.h | 57 ++++++++ tools/testing/selftests/arm/abi/ptrace_64.c | 91 ++++++++++++ .../selftests/arm/abi/trivial_32bit_program.c | 14 ++ tools/testing/selftests/arm/elf/.gitignore | 2 + tools/testing/selftests/arm/elf/Makefile | 6 + tools/testing/selftests/arm/elf/parse_elf.c | 77 ++++++++++ tools/testing/selftests/arm/mm/.gitignore | 2 + tools/testing/selftests/arm/mm/Makefile | 6 + tools/testing/selftests/arm/mm/compat_va.c | 89 ++++++++++++ tools/testing/selftests/arm/signal/.gitignore | 3 + tools/testing/selftests/arm/signal/Makefile | 30 ++++ .../selftests/arm/signal/test_signals.c | 2 + .../selftests/arm/signal/test_signals.h | 2 + .../selftests/arm/signal/test_signals_utils.c | 2 + .../selftests/arm/signal/test_signals_utils.h | 2 + .../testcases/mangle_cpsr_invalid_aif_bits.c | 33 +++++ .../mangle_cpsr_invalid_compat_toggle.c | 29 ++++ tools/testing/selftests/arm64/abi/ptrace.c | 121 ++-------------- tools/testing/selftests/arm64/abi/ptrace.h | 135 ++++++++++++++++++ .../selftests/arm64/signal/test_signals.h | 12 ++ .../arm64/signal/test_signals_utils.c | 51 +++++-- .../arm64/signal/test_signals_utils.h | 3 + 28 files changed, 850 insertions(+), 120 deletions(-) create mode 100644 tools/testing/selftests/arm/Makefile create mode 100644 tools/testing/selftests/arm/README create mode 100644 tools/testing/selftests/arm/abi/.gitignore create mode 100644 tools/testing/selftests/arm/abi/Makefile create mode 100644 tools/testing/selftests/arm/abi/ptrace.c create mode 100644 tools/testing/selftests/arm/abi/ptrace.h create mode 100644 tools/testing/selftests/arm/abi/ptrace_64.c create mode 100644 tools/testing/selftests/arm/abi/trivial_32bit_program.c create mode 100644 tools/testing/selftests/arm/elf/.gitignore create mode 100644 tools/testing/selftests/arm/elf/Makefile create mode 100644 tools/testing/selftests/arm/elf/parse_elf.c create mode 100644 tools/testing/selftests/arm/mm/.gitignore create mode 100644 tools/testing/selftests/arm/mm/Makefile create mode 100644 tools/testing/selftests/arm/mm/compat_va.c create mode 100644 tools/testing/selftests/arm/signal/.gitignore create mode 100644 tools/testing/selftests/arm/signal/Makefile create mode 100644 tools/testing/selftests/arm/signal/test_signals.c create mode 100644 tools/testing/selftests/arm/signal/test_signals.h create mode 100644 tools/testing/selftests/arm/signal/test_signals_utils.c create mode 100644 tools/testing/selftests/arm/signal/test_signals_utils.h create mode 100644 tools/testing/selftests/arm/signal/testcases/mangle_cpsr_invalid_aif_bits.c create mode 100644 tools/testing/selftests/arm/signal/testcases/mangle_cpsr_invalid_compat_toggle.c create mode 100644 tools/testing/selftests/arm64/abi/ptrace.h -- 2.39.2

1 week, 1 day

2
15
0 0

[PATCH 0/8] selftests/damon: test DAMOS tried regions and {min,max}_nr_regions

by SeongJae Park

This patch series fix a minor issue in a program for DAMON selftest, and implement new functionality selftests for DAMOS tried regions and {min,max}_nr_regions. The test for max_nr_regions also test the recovery from online tuning-caused limit violation, which was fixed by a previous patch [1] titled "mm/damon/core: merge regions aggressively when max_nr_regions is unmet". The first patch fixes a minor problem in the articial memory access pattern generator for tests. Following 3 patches (2-4) implement schemes tried regions test. Then a couple of patches (5-6) implementing static setup based {min,max}_nr_regions functionality test follows. Final two patches (7-8) implement dynamic max_nr_regions update test. [1] https://lore.kernel.org/20240624210650.53960C2BBFC@smtp.kernel.org SeongJae Park (8): selftests/damon/access_memory: use user-defined region size selftests/damon/_damon_sysfs: support schemes_update_tried_regions selftests/damon: implement a program for even-numbered memory regions access selftests/damon: implement DAMOS tried regions test selftests/damon/_damon_sysfs: implement kdamonds stop function selftests/damon: implement test for min/max_nr_regions _damon_sysfs: implement commit() for online parameters update selftests/damon/damon_nr_regions: test online-tuned max_nr_regions tools/testing/selftests/damon/Makefile | 3 +- tools/testing/selftests/damon/_damon_sysfs.py | 65 +++++++- tools/testing/selftests/damon/access_memory.c | 2 +- .../selftests/damon/access_memory_even.c | 42 +++++ .../selftests/damon/damon_nr_regions.py | 145 ++++++++++++++++++ .../selftests/damon/damos_tried_regions.py | 65 ++++++++ 6 files changed, 319 insertions(+), 3 deletions(-) create mode 100644 tools/testing/selftests/damon/access_memory_even.c create mode 100644 tools/testing/selftests/damon/damon_nr_regions.py create mode 100644 tools/testing/selftests/damon/damos_tried_regions.py base-commit: 99348045d11f3bac71146b381f90b0aa39855ee7 -- 2.39.2

1 week, 1 day

1
8
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-kselftest-mirror June 2024