From patchwork Wed Apr 13 13:49:43 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Catalin Marinas X-Patchwork-Id: 12812045 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 83E61C433EF for ; Wed, 13 Apr 2022 13:49:59 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id E42276B0073; Wed, 13 Apr 2022 09:49:58 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id DA3C26B0074; Wed, 13 Apr 2022 09:49:58 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id BCF1B6B0075; Wed, 13 Apr 2022 09:49:58 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0089.hostedemail.com [216.40.44.89]) by kanga.kvack.org (Postfix) with ESMTP id ABE3D6B0073 for ; Wed, 13 Apr 2022 09:49:58 -0400 (EDT) Received: from smtpin28.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay03.hostedemail.com (Postfix) with ESMTP id 513D18249980 for ; Wed, 13 Apr 2022 13:49:58 +0000 (UTC) X-FDA: 79351989276.28.AED6E7D Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by imf20.hostedemail.com (Postfix) with ESMTP id BF1421C0002 for ; Wed, 13 Apr 2022 13:49:57 +0000 (UTC) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 67F4EB824CD; Wed, 13 Apr 2022 13:49:56 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1EDBAC385A6; Wed, 13 Apr 2022 13:49:51 +0000 (UTC) From: Catalin Marinas To: Andrew Morton , Christoph Hellwig , Lennart Poettering , =?utf-8?q?Zbigniew_J=C4=99drze?= =?utf-8?q?jewski-Szmek?= Cc: Will Deacon , Alexander Viro , Eric Biederman , Kees Cook , Szabolcs Nagy , Mark Brown , Jeremy Linton , Topi Miettinen , linux-mm@kvack.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linux-abi-devel@lists.sourceforge.net Subject: [PATCH RFC 1/4] mm: Track previously writeable vma permission Date: Wed, 13 Apr 2022 14:49:43 +0100 Message-Id: <20220413134946.2732468-2-catalin.marinas@arm.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220413134946.2732468-1-catalin.marinas@arm.com> References: <20220413134946.2732468-1-catalin.marinas@arm.com> MIME-Version: 1.0 X-Rspam-User: Authentication-Results: imf20.hostedemail.com; dkim=none; spf=pass (imf20.hostedemail.com: domain of cmarinas@kernel.org designates 145.40.68.75 as permitted sender) smtp.mailfrom=cmarinas@kernel.org; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=arm.com (policy=none) X-Rspamd-Server: rspam03 X-Rspamd-Queue-Id: BF1421C0002 X-Stat-Signature: 3mmek7zkdyy6d7ozmmhf681155bwwyng X-HE-Tag: 1649857797-165116 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: In order to support a memory-deny-write-execute policy for mprotect() and prevent a previously writeable mapping from being made executable, track the past VM_WRITE permission via a new VM_WAS_WRITE flag that is not cleared on permission change. VM_WAS_WRITE is a high VMA flag and since not all architectures may want this feature, only define it if CONFIG_ARCH_ENABLE_DENY_WRITE_EXEC is selected, otherwise it is VM_NONE (zero). Note that the new VM_WAS_WRITE flag would prevent merging of an always read-only vma with a previously writeable vma that was made read-only. I don't consider this a common case and even if we somehow allow such merging, it would be confusing for the user if a read-only vma inherits a VM_WAS_WRITE flag or the VM_WAS_WRITE flag is dropped. Signed-off-by: Catalin Marinas Cc: Andrew Morton --- include/linux/mm.h | 6 ++++++ include/linux/mman.h | 8 +++++++- mm/Kconfig | 4 ++++ 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/include/linux/mm.h b/include/linux/mm.h index e34edb775334..bec37abc0773 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -317,6 +317,12 @@ extern unsigned int kobjsize(const void *objp); #define VM_HIGH_ARCH_4 BIT(VM_HIGH_ARCH_BIT_4) #endif /* CONFIG_ARCH_USES_HIGH_VMA_FLAGS */ +#ifdef CONFIG_ARCH_ENABLE_DENY_WRITE_EXEC +#define VM_WAS_WRITE BIT(37) /* only with ARCH_USES_HIGH_VMA_FLAGS */ +#else +#define VM_WAS_WRITE VM_NONE +#endif + #ifdef CONFIG_ARCH_HAS_PKEYS # define VM_PKEY_SHIFT VM_HIGH_ARCH_BIT_0 # define VM_PKEY_BIT0 VM_HIGH_ARCH_0 /* A protection key is a 4-bit value */ diff --git a/include/linux/mman.h b/include/linux/mman.h index b66e91b8176c..2d841ddae2aa 100644 --- a/include/linux/mman.h +++ b/include/linux/mman.h @@ -141,10 +141,16 @@ static inline bool arch_validate_flags(unsigned long flags) static inline unsigned long calc_vm_prot_bits(unsigned long prot, unsigned long pkey) { - return _calc_vm_trans(prot, PROT_READ, VM_READ ) | + unsigned long vm_flags = + _calc_vm_trans(prot, PROT_READ, VM_READ ) | _calc_vm_trans(prot, PROT_WRITE, VM_WRITE) | _calc_vm_trans(prot, PROT_EXEC, VM_EXEC) | arch_calc_vm_prot_bits(prot, pkey); + + if (vm_flags & VM_WRITE) + vm_flags |= VM_WAS_WRITE; + + return vm_flags; } /* diff --git a/mm/Kconfig b/mm/Kconfig index 034d87953600..f140109f2a1e 100644 --- a/mm/Kconfig +++ b/mm/Kconfig @@ -822,6 +822,10 @@ config ARCH_USES_HIGH_VMA_FLAGS config ARCH_HAS_PKEYS bool +config ARCH_ENABLE_DENY_WRITE_EXEC + bool + depends on ARCH_USES_HIGH_VMA_FLAGS + config PERCPU_STATS bool "Collect percpu memory statistics" help