From patchwork Wed Apr 13 13:49:43 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Catalin Marinas X-Patchwork-Id: 12812049 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 96EDFC433EF for ; Wed, 13 Apr 2022 13:51:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=FFJHM3MFrparAZX1DT6p2BzdkXBMzIl+OdHE63183Sk=; b=j9igMSB1mtppww PQC18yAAbDOIz9NiIveAlsTi9qVNRK4HUnTlILC49PDLvj8LZmjViX3XVAWV5O6W2EyiE8kHzN5zF 1z6OQj/UOxyNlAoANyEBdtO4Mc36U7qLjApqpP6GD3b2OIOkqNRtwzPn6suV2IN2OxsBHyUKKOI56 hIrbZ3CKpaRWk78HzQ1xUoHT6Vgz/qtQol35fCfNthrX6Q1IpekNMdHhFWUKFHDdlyiI8MjUaBt6a Zc0WCnBo8mIVgjwEjG80woaft7Rtck470oxuAADwk5r6E6Ox8WgIhPPajtLg1eU2mYDk66tF+TJZW qUkozpSGrV6UFGhr+BAA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1nedNs-001GU4-KO; Wed, 13 Apr 2022 13:50:12 +0000 Received: from ams.source.kernel.org ([2604:1380:4601:e00::1]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1nedNd-001GLv-M6 for linux-arm-kernel@lists.infradead.org; Wed, 13 Apr 2022 13:50:00 +0000 Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 67F4EB824CD; Wed, 13 Apr 2022 13:49:56 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1EDBAC385A6; Wed, 13 Apr 2022 13:49:51 +0000 (UTC) From: Catalin Marinas To: Andrew Morton , Christoph Hellwig , Lennart Poettering , =?utf-8?q?Zbigniew_J=C4=99drze?= =?utf-8?q?jewski-Szmek?= Cc: Will Deacon , Alexander Viro , Eric Biederman , Kees Cook , Szabolcs Nagy , Mark Brown , Jeremy Linton , Topi Miettinen , linux-mm@kvack.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-abi-devel@lists.sourceforge.net Subject: [PATCH RFC 1/4] mm: Track previously writeable vma permission Date: Wed, 13 Apr 2022 14:49:43 +0100 Message-Id: <20220413134946.2732468-2-catalin.marinas@arm.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220413134946.2732468-1-catalin.marinas@arm.com> References: <20220413134946.2732468-1-catalin.marinas@arm.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220413_064958_075758_483A2085 X-CRM114-Status: GOOD ( 18.13 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org In order to support a memory-deny-write-execute policy for mprotect() and prevent a previously writeable mapping from being made executable, track the past VM_WRITE permission via a new VM_WAS_WRITE flag that is not cleared on permission change. VM_WAS_WRITE is a high VMA flag and since not all architectures may want this feature, only define it if CONFIG_ARCH_ENABLE_DENY_WRITE_EXEC is selected, otherwise it is VM_NONE (zero). Note that the new VM_WAS_WRITE flag would prevent merging of an always read-only vma with a previously writeable vma that was made read-only. I don't consider this a common case and even if we somehow allow such merging, it would be confusing for the user if a read-only vma inherits a VM_WAS_WRITE flag or the VM_WAS_WRITE flag is dropped. Signed-off-by: Catalin Marinas Cc: Andrew Morton --- include/linux/mm.h | 6 ++++++ include/linux/mman.h | 8 +++++++- mm/Kconfig | 4 ++++ 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index e34edb775334..bec37abc0773 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -317,6 +317,12 @@ extern unsigned int kobjsize(const void *objp); #define VM_HIGH_ARCH_4 BIT(VM_HIGH_ARCH_BIT_4) #endif /* CONFIG_ARCH_USES_HIGH_VMA_FLAGS */ +#ifdef CONFIG_ARCH_ENABLE_DENY_WRITE_EXEC +#define VM_WAS_WRITE BIT(37) /* only with ARCH_USES_HIGH_VMA_FLAGS */ +#else +#define VM_WAS_WRITE VM_NONE +#endif + #ifdef CONFIG_ARCH_HAS_PKEYS # define VM_PKEY_SHIFT VM_HIGH_ARCH_BIT_0 # define VM_PKEY_BIT0 VM_HIGH_ARCH_0 /* A protection key is a 4-bit value */ diff --git a/include/linux/mman.h b/include/linux/mman.h index b66e91b8176c..2d841ddae2aa 100644 --- a/include/linux/mman.h +++ b/include/linux/mman.h @@ -141,10 +141,16 @@ static inline bool arch_validate_flags(unsigned long flags) static inline unsigned long calc_vm_prot_bits(unsigned long prot, unsigned long pkey) { - return _calc_vm_trans(prot, PROT_READ, VM_READ ) | + unsigned long vm_flags = + _calc_vm_trans(prot, PROT_READ, VM_READ ) | _calc_vm_trans(prot, PROT_WRITE, VM_WRITE) | _calc_vm_trans(prot, PROT_EXEC, VM_EXEC) | arch_calc_vm_prot_bits(prot, pkey); + + if (vm_flags & VM_WRITE) + vm_flags |= VM_WAS_WRITE; + + return vm_flags; } /* diff --git a/mm/Kconfig b/mm/Kconfig index 034d87953600..f140109f2a1e 100644 --- a/mm/Kconfig +++ b/mm/Kconfig @@ -822,6 +822,10 @@ config ARCH_USES_HIGH_VMA_FLAGS config ARCH_HAS_PKEYS bool +config ARCH_ENABLE_DENY_WRITE_EXEC + bool + depends on ARCH_USES_HIGH_VMA_FLAGS + config PERCPU_STATS bool "Collect percpu memory statistics" help