- linux-morello - op-lists.linaro.org

[PATCH v4 0/1] fs: Handle exact bounds for argv and envp

by Teo Couprie Diaz

Hi everyone, Here is the latest revision to make the capabilities to argv and envp strings properly restricted. All my questions have been answered along the different revisions, so hopefully we are getting close to a final patch ! Notable this revision: I changed some comment wordings due to the few reworks of the logic and code removed. Thanks in advance, Téo # Changes from v3-v4[0] - Some comment and commit message clarifcations - Change PC-uABI to PCuABI - Do capability representation operations unconditionally - Putting the capability/pointer to arg strings on the ELF stack is now common between purecap and compat - Fix off by one error in padding traversal - Swap padding traversal while and pre-checks to a single for # Changes from v2-v3[1] - Commit message clarified - Fixed some typing and use issues - Updated the stack alignment to use a define depending on the build type - Changed the put_str_array function to only put one string pointer, the looping over all strings is restored to be handled in create_elf_tables. - Moved the padding calculations to a separate function that returns the updated value of bprm->p rather than the padding. - Reduced the amount of code not shared between purecap/compat - Removed nonsensical check before alignment computation # Changes from v1-v2[2] - Rebased on top of the last release - Update to make use of the properly derived stack capability in binfmt_elf - Move the copying of argv and envp strings in binfmt_elf to a helper function - Check for padding after an arg only - Greatly simplify the change in exec by completely skipping the padding, rather than looping through it and allocating pages in exec - Add more details to the comments explaining the padding process - Rename most variables. I'm not great with names so hopefully they are OK, otherwise feel free to suggest new ones ! - Proper COMPAT handling, but with a slight loss compared to a regular kernel - Detail trade-off in comments and in commit message - Force a greater stack alignment in exec to mitigate issues during relocation - Simplify accesses and use `get_user()` rather than `copy_from_user()` - Use wrappers provided by <cheriintrin.h> rather than builtins - Get rid of the elf_stack_put_user_cap macro Gitlab patch for review : https://git.morello-project.org/Teo-CD/linux/-/commit/5527a39f6e3cd0eb39cc4… [0]: https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [1]: https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [2]: https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… Teo Couprie Diaz (1): fs: Handle exact bounds for argv and envp fs/binfmt_elf.c | 88 +++++++++++++++++++++++++++++++++++++++++-------- fs/exec.c | 55 +++++++++++++++++++++++++++++-- 2 files changed, 126 insertions(+), 17 deletions(-) -- 2.34.1

10 months, 1 week

2
6
0 0

[PATCH v4 00/13] update bpf syscall for PCuABI/compat64

by Zachary Leaf

Hi, Here's v4 of the bpf syscall patches, following on from the RFC[1], v1[2], v2[3] and v3[4]. The bpf syscall is updated to propagate user pointers as capabilities in the pure-capability kernel-user ABI (PCuABI). It also includes an approach to support the existing aarch64 ABI (compat64). One complication here is from the fact this syscall supports many multiplexed sub-commands, some of which are themselves multiplexed with a number of further nested/multiplexed options. Another complication is that the existing syscall uses a trick of storing user pointers as u64 to avoid needing a compat handler for 32-bit systems. To retain compatibility with the aarch64 ABI and add Morello support, special compat64 conversion and handling is implemented. Inbound (userspace->kernel) conversion between compat64/native struct layouts is handled upfront on entry to the syscall (with the exception of bpf_xyz_info structs). This minimises changes to subcommand handlers. Some subcommands require conversion back out to userspace and that is by necessity handled where it occurs. Patch 1 is not essential to this series but it's a nice debug feature to have and works[5]. It enables BPF_PROG_TYPE_TRACEPOINT which many eBPF kselftests use. Patches 5,6,8 implement the core compat64 handling. Each commit compiles cleanly but relevant parts will be broken inbetween. Patch 9 fixes the CHECK_ATTR macro to also check configs passed in via compat64. Patch 11 finally enables capabilities in the kernel. Patches 12,13 handles uaccess that occurs in two eBPF helper functions. The rest are setup/helper functions. Testing wise, see associated LTP changes below as posted to LTP mailing list[6]. The eBPF LTP tests are fairly minimal and test only a small part of the changes here. There's a new test to test CHECK_ATTR from patch 9. The kernel kselftests contain many more extensive eBPF tests. They can be built fairly easily natively on aarch64 which is useful for testing compat64. More work needs to be done here though to: a) enable out-of-tree cross-compilation for purecap as well as x86->aarch64 b) replace ptr_to_u64() with casts to uintptr_t in tests c) general libbpf/bpftool enablement and fixes since many tests rely on this d) CONFIG_DEBUG_INFO_BTF required for many tests but this requires the build system to have a recent version of pahole tool Next steps once we have the core kernel support would be porting libbpf and bpftool for purecap plus work on enabling kselftests as above. Kernel branch available at: https://git.morello-project.org/zdleaf/linux/-/tree/morello/bpf_v4 Associated LTP test/changes at: https://git.morello-project.org/zdleaf/morello-linux-test-project/-/tree/mo… Thanks, Zach [1] [RFC PATCH 0/9] update bpf syscall for PCuABI/compat64 https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [2] [PATCH 00/10] update bpf syscall for PCuABI/compat64 https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [3] [PATCH v2 00/12] update bpf syscall for PCuABI/compat64 https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [4] [PATCH v3 00/12] update bpf syscall for PCuABI/compat64 https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [5] [PATCH v3 0/5] Restore syscall tracing on Morello https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [6] [PATCH 0/3] add eBPF support https://op-lists.linaro.org/archives/list/linux-morello-ltp@op-lists.linaro… ----------------------------------------------------------------------- v4: - Return EFAULT in bpf_{prog,link}_get_info_by_fd, not err - Fix multiline comment formatting - Reduce number of in_compat_syscall() in copy_bpf_attr_from_user() + copy_bpf_{btf,prog,link}_from_user() - copy_bpf_{btf,prog,link}_to_user() remains the same but s/target_info/src_info - bpf_copy_from_user_with_ptr() helper removed v3: - Renamed all {is,in}_32bit_... to compat32, e.g. is_32bit_compat_task -> is_compat32 task, same for 64bit versions - Removed dispatch_bpf() + bpf_check_perms() and merged back into __sys_bpf - they no longer need to be split now we have no separate compat64 handler - Ensured we memset(0)/zero initialise all compat/non-compat structs for bpf_attr, bpf_{prog,link,btf}_info as appropriate when copying in/out from userspace - Switched order of first two arguments of bpf_put_uattr() to align with bpfptr_put_uattr() and more closely match put_user() - Moved #include <linux/bpf_compat.h> into bpf.h - Moved bpf_copy_{to,from}_user_with_ptr to bpf.h - Renamed bpf_uattr_compat_ptr macro to bpf_compat_ptr_field - Removed const arguments for bpf_copy_from_user(_task) helpers - Fixed pointer type mismatch warnings in void *ptr = in_compat64_syscall() ? type1 : type2; pattern - Replace temporary #define bpfptr_copy with in_compat64_syscall conditional in bpfptr.h:copy_from_bpfptr_with_ptr - only use _with_ptr in purecap v2: - Fixed copy_from_bpfptr_offset_with_ptr - this no longer uses sockptr as of 6.1 (see patch 9) - Rebase on 6.4 - new struct members need conversion/handling: - New BPF_PROG_TYPE_NETFILTER + associated bpf_attr BPF_LINK_CREATE members - New bpf_link_info types BPF_LINK_TYPE_NETFILTER + BPF_LINK_TYPE_STRUCT_OPS - Renamed in_32bit_compat_syscall() to in_compat32_syscall() and added in_compat64_syscall() - Handled uaccess from bpf helper programs bpf/helpers.c:bpf_copy_from_user + bpf_copy_from_user_task - Added new stddef.h macro copy_field() to simplify conversion assignments - bpf: compat64: add handler and convert bpf_attr in - Replaced #ifdef CONFIG_COMPAT64 with in_compat64_syscall() + use copy_bpf_attr_from_user() helper function for inbound compat conversion - This removes the __sys_compat_bpf compat64 handler, now using the existing __sys_bpf + in_compat64_syscall() for reduced diff size, less duplication and clearer code - Conversion now happens in copy_bpf_attr_from_user() for better encapsulation + stack usage - bpf: compat64: bpf_attr convert out - Renamed PUT_USER_ATTR() to bpf_put_uattr() + moved to bpf.h - Introduced bpfptr_put_uattr() in bpfptr.h - Originally missed handling cases writing out to userspace with copy_to_bpfptr_offset() - now replaced with new bpfptr_put_uattr() macro - 6.4 now has a new field showing what log size will be needed - see 47a71c1f9af0 ("bpf: Add log_true_size output field to return necessary log buffer size") - This also requires new macro bpf_field_exists() to handle compat64 when checking that userspace supports this new field - bpf: compat64: handle bpf_xyz_info - Simplified bpf_link_info conversion handling using memcpy - Removed bpf_map_info patch since struct is the same in compat64/native (no ptrs) - Replaced #ifdef CONFIG_COMPAT64 with in_compat64_syscall() + use copy_bpf_xyz_info_{from,to}_user() helper functions for compat conversions - Merged bpf_{btf,prog,link}_info into a single patch - bpf: use user pointer types in uAPI structs - Added new compat_uptr_to_kern() macro to simplify casting/converting in compat ptrs - Usage of copy_{to,from}_user_with_ptr variants now correctly applied with new helpers ----------------------------------------------------------------------- Zachary Leaf (13): arm64: morello: enable syscall tracing arch: rename 32bit_compat to compat32 arch: add compat helpers specific to 64-bit stddef: introduce copy_field helper bpf: compat64: add handler and convert bpf_attr in bpf: compat64: bpf_attr convert out bpf/btf: move zero check into btf.c bpf: compat64: handle bpf_{btf,prog,link}_info bpf: compat64: support CHECK_ATTR macro bpf: copy_{to,from}_user_with_ptr helpers bpf: use user pointer types in uAPI structs bpf: use addr for bpf_copy_from_user_with_task bpf: use addr for bpf_copy_from_user .../morello_transitional_pcuabi_defconfig | 2 +- arch/arm64/include/asm/compat.h | 11 +- arch/arm64/include/asm/ftrace.h | 2 +- arch/arm64/include/asm/mmu_context.h | 2 +- arch/arm64/include/asm/syscall.h | 6 +- arch/arm64/kernel/fpsimd.c | 6 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/arm64/kernel/perf_regs.c | 2 +- arch/arm64/kernel/pointer_auth.c | 6 +- arch/arm64/kernel/process.c | 16 +- arch/arm64/kernel/ptrace.c | 10 +- arch/arm64/kernel/signal.c | 2 +- arch/arm64/kernel/syscall.c | 2 +- arch/mips/include/asm/compat.h | 2 +- arch/parisc/include/asm/compat.h | 2 +- arch/powerpc/include/asm/compat.h | 2 +- arch/s390/include/asm/compat.h | 2 +- arch/sparc/include/asm/compat.h | 4 +- arch/x86/include/asm/compat.h | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_process.c | 2 +- drivers/input/input.c | 2 +- drivers/media/rc/bpf-lirc.c | 6 +- fs/ext4/dir.c | 2 +- fs/nfs/dir.c | 2 +- include/linux/bpf.h | 18 + include/linux/bpf_compat.h | 415 +++++++++ include/linux/bpfptr.h | 28 +- include/linux/compat.h | 16 +- include/linux/stddef.h | 3 + include/uapi/linux/bpf.h | 94 +- kernel/bpf/bpf_iter.c | 2 +- kernel/bpf/btf.c | 104 ++- kernel/bpf/cgroup.c | 9 +- kernel/bpf/hashtab.c | 12 +- kernel/bpf/helpers.c | 9 +- kernel/bpf/net_namespace.c | 6 +- kernel/bpf/offload.c | 2 +- kernel/bpf/syscall.c | 865 ++++++++++++++---- kernel/bpf/verifier.c | 20 +- kernel/time/time.c | 2 +- kernel/trace/bpf_trace.c | 6 +- mm/util.c | 2 +- net/bpf/bpf_dummy_struct_ops.c | 8 +- net/bpf/test_run.c | 31 +- net/core/sock_map.c | 6 +- 46 files changed, 1415 insertions(+), 342 deletions(-) create mode 100644 include/linux/bpf_compat.h -- 2.34.1

10 months, 1 week

2
27
0 0

[PATCH v3 0/1] fs: Handle exact bounds for argv and envp

by Teo Couprie Diaz

Hello all, Here is the v3 of the patch adding capability support for argv and envp strings. This has mostly refinement and fixes compared to v2. This time around the one thing I am unsure of is the *_put_user* part in fs/binfmt_elf.c:put_str_ptr(). I tried using the same code for both paths in PC-uABI, but there was a mismatch in expected pointer/capabilities, so I resorted to keeping a section in #if (ELF_COMPAT == 0) . I must be missing something, so open to suggestions. Happy to take suggestions for any names as well, especially with a new function and a change in behavior in another. Thanks in advance for your comments, Best regards Téo # Changes from v2-v3[0] - Commit message clarified - Fixed some typing and use issues - Updated the stack alignment to use a define depending on the build type - Changed the put_str_array function to only put one string pointer, the looping over all strings is restored to be handled in create_elf_tables. - Moved the padding calculations to a separate function that returns the updated value of bprm->p rather than the padding. - Reduced the amount of code not shared between purecap/compat - Removed nonsensical check before alignment computation # Changes from v1-v2[1] - Rebased on top of the last release - Update to make use of the properly derived stack capability in binfmt_elf - Move the copying of argv and envp strings in binfmt_elf to a helper function - Check for padding after an arg only - Greatly simplify the change in exec by completely skipping the padding, rather than looping through it and allocating pages in exec - Add more details to the comments explaining the padding process - Rename most variables. I'm not great with names so hopefully they are OK, otherwise feel free to suggest new ones ! - Proper COMPAT handling, but with a slight loss compared to a regular kernel - Detail trade-off in comments and in commit message - Force a greater stack alignment in exec to mitigate issues during relocation - Simplify accesses and use `get_user()` rather than `copy_from_user()` - Use wrappers provided by <cheriintrin.h> rather than builtins - Get rid of the elf_stack_put_user_cap macro Gitlab patch for review : https://git.morello-project.org/Teo-CD/linux/-/commit/b92f2f777a327b9e49fea… [0]: https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [1]: https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… Teo Couprie Diaz (1): fs: Handle exact bounds for argv and envp fs/binfmt_elf.c | 101 +++++++++++++++++++++++++++++++++++++++++------- fs/exec.c | 58 +++++++++++++++++++++++++-- 2 files changed, 142 insertions(+), 17 deletions(-) -- 2.34.1

10 months, 1 week

2
6
0 0

[PATCH v5 0/2] Support capabilities for struct mmc_ioc_{multi_}cmd

by Akram Ahmad

Hi everyone, This patch aims to enable purecap applications to make use of the MMC block driver by adding PCuABI support to the MMC_IOC_CMD and MMC_IOC_MULTI_CMD ioctls. This also includes compat64 support for the ioctls. V4 -> V5: Improvement to readability and fix to user-space macro. V3 -> V4: Minor corrections and improvements to readability of code. - Remove unnecessary explicit checks on capabilities. - Revert modification to struct mmc_ioc_multi_cmd. - Remove unnecessary parentheses. V2 -> V3: - Implement support for capabilities in the ioctls. - Correct formatting errors in patches. - Correct formatting and syntax errors in code. V1 -> V2: Various improvements to the code including: - Preference for native structs over (void __user *) - Complying with code styling guidelines - Improvement in code readability via removing unnecessary casts GitLab Issue: https://git.morello-project.org/morello/kernel/linux/-/issues/51 Review branch: https://git.morello-project.org/arkamnite/linux/-/commits/morello%2Fmmc_v5 Many thanks, Akram Akram Ahmad (2): mmc: Implement compat handling for struct mmc_ioc_{multi_}cmd mmc: Support capabilities in MMC_IOC_{MULTI_}CMD ioctls drivers/mmc/core/block.c | 100 ++++++++++++++++++++++++++++++--- include/uapi/linux/mmc/ioctl.h | 7 ++- 2 files changed, 97 insertions(+), 10 deletions(-) -- 2.34.1

10 months, 1 week

5
14
0 0

[PATCH v4 0/2] Support capabilities for struct mmc_ioc_{multi_}cmd

by Akram Ahmad

Hi everyone, This patch aims to enable purecap applications to make use of the MMC block driver by adding PCuABI support to the MMC_IOC_CMD and MMC_IOC_MULTI_CMD ioctls. This also includes compat64 support for the ioctls. V3 -> V4: Minor corrections and improvements to readability of code. - Remove unnecessary explicit checks on capabilities. - Revert modification to struct mmc_ioc_multi_cmd. - Remove unnecessary parentheses. V2 -> V3: - Implement support for capabilities in the ioctls. - Correct formatting errors in patches. - Correct formatting and syntax errors in code. V1 -> V2: Various improvements to the code including: - Preference for native structs over (void __user *) - Complying with code styling guidelines - Improvement in code readability via removing unnecessary casts GitLab Issue: https://git.morello-project.org/morello/kernel/linux/-/issues/51 Review branch: https://git.morello-project.org/arkamnite/linux/-/commits/morello%2Fmmc_v4 Many thanks, Akram Akram Ahmad (2): mmc: Implement compat handling for struct mmc_ioc_{multi_}cmd mmc: Support capabilities in MMC_IOC_{MULTI_}CMD ioctls drivers/mmc/core/block.c | 100 ++++++++++++++++++++++++++++++--- include/uapi/linux/mmc/ioctl.h | 2 +- 2 files changed, 93 insertions(+), 9 deletions(-) -- 2.34.1

10 months, 3 weeks

2
3
0 0

[PATCH v3 00/13] update bpf syscall for PCuABI/compat64

by Zachary Leaf

Hi, Here's v3 of the bpf syscall patches, following on from the RFC[1], v1[2] and v2[3]. The bpf syscall is updated to propagate user pointers as capabilities in the pure-capability kernel-user ABI (PCuABI). It also includes an approach to support the existing aarch64 ABI (compat64). One complication here is from the fact this syscall supports many multiplexed sub-commands, some of which are themselves multiplexed with a number of nested multiplexed options. A further complication is that the existing syscall uses a trick of storing user pointers as u64 to avoid needing a compat handler for 32-bit systems. To retain compatibility with the aarch64 ABI and add Morello support, special compat64 conversion and handling is implemented. Inbound (userspace->kernel) conversion between compat64/native struct layouts is handled upfront on entry to the syscall (with the exception of bpf_xyz_info structs). This minimises changes to subcommand handlers. Some subcommands require conversion back out to userspace and that is by necessity handled where it occurs. Patch 1 is not essential to this series but it's a nice debug feature to have and works[4]. It enables BPF_PROG_TYPE_TRACEPOINT which many eBPF kselftests use. Patches 5,6,8 implement the core compat64 handling. Each commit compiles cleanly but relevant parts will be broken inbetween. Patch 9 fixes the CHECK_ATTR macro to also check configs passed in via compat64. Patch 11 finally enables capabilities in the kernel. Patches 12,13 handles uaccess that occurs in two eBPF helper functions. The rest are setup/helper functions. Testing wise, see associated LTP changes below as posted to LTP mailing list[5]. The eBPF LTP tests are fairly minimal and test only a small part of the changes here. There's a new test to test CHECK_ATTR from patch 9. The kernel kselftests contain many more extensive eBPF tests. They can be built fairly easily natively on aarch64 which is useful for testing compat64. More work needs to be done here though to: a) enable out-of-tree cross-compilation for purecap as well as x86->aarch64 b) replace ptr_to_u64() with casts to uintptr_t in tests c) general libbpf/bpftool enablement and fixes since many tests rely on this d) CONFIG_DEBUG_INFO_BTF required for many tests but this requires the build system to have a recent version of pahole tool Next steps once we have the core kernel support would be porting libbpf and bpftool for purecap plus work on enabling kselftests as above. Kernel branch available at: https://git.morello-project.org/zdleaf/linux/-/tree/morello/bpf_v3 Associated LTP test/changes at: https://git.morello-project.org/zdleaf/morello-linux-test-project/-/tree/mo… Thanks, Zach [1] [RFC PATCH 0/9] update bpf syscall for PCuABI/compat64 https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [2] [PATCH 00/10] update bpf syscall for PCuABI/compat64 https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [3] [PATCH v2 00/12] update bpf syscall for PCuABI/compat64 https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [4] [PATCH v3 0/5] Restore syscall tracing on Morello https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org… [5] [PATCH 0/3] add eBPF support https://op-lists.linaro.org/archives/list/linux-morello-ltp@op-lists.linaro… ----------------------------------------------------------------------- v3: - Renamed all {is,in}_32bit_... to compat32, e.g. is_32bit_compat_task -> is_compat32 task, same for 64bit versions - Removed dispatch_bpf() + bpf_check_perms() and merged back into __sys_bpf - they no longer need to be split now we have no separate compat64 handler - Ensured we memset(0)/zero initialise all compat/non-compat structs for bpf_attr, bpf_{prog,link,btf}_info as appropriate when copying in/out from userspace - Switched order of first two arguments of bpf_put_uattr() to align with bpfptr_put_uattr() and more closely match put_user() - Moved #include <linux/bpf_compat.h> into bpf.h - Moved bpf_copy_{to,from}_user_with_ptr to bpf.h - Renamed bpf_uattr_compat_ptr macro to bpf_compat_ptr_field - Removed const arguments for bpf_copy_from_user(_task) helpers - Fixed pointer type mismatch warnings in void *ptr = in_compat64_syscall() ? type1 : type2; pattern - Replace temporary #define bpfptr_copy with in_compat64_syscall conditional in bpfptr.h:copy_from_bpfptr_with_ptr - only use _with_ptr in purecap v2: - Fixed copy_from_bpfptr_offset_with_ptr - this no longer uses sockptr as of 6.1 (see patch 9) - Rebase on 6.4 - new struct members need conversion/handling: - New BPF_PROG_TYPE_NETFILTER + associated bpf_attr BPF_LINK_CREATE members - New bpf_link_info types BPF_LINK_TYPE_NETFILTER + BPF_LINK_TYPE_STRUCT_OPS - Renamed in_32bit_compat_syscall() to in_compat32_syscall() and added in_compat64_syscall() - Handled uaccess from bpf helper programs bpf/helpers.c:bpf_copy_from_user + bpf_copy_from_user_task - Added new stddef.h macro copy_field() to simplify conversion assignments - bpf: compat64: add handler and convert bpf_attr in - Replaced #ifdef CONFIG_COMPAT64 with in_compat64_syscall() + use copy_bpf_attr_from_user() helper function for inbound compat conversion - This removes the __sys_compat_bpf compat64 handler, now using the existing __sys_bpf + in_compat64_syscall() for reduced diff size, less duplication and clearer code - Conversion now happens in copy_bpf_attr_from_user() for better encapsulation + stack usage - bpf: compat64: bpf_attr convert out - Renamed PUT_USER_ATTR() to bpf_put_uattr() + moved to bpf.h - Introduced bpfptr_put_uattr() in bpfptr.h - Originally missed handling cases writing out to userspace with copy_to_bpfptr_offset() - now replaced with new bpfptr_put_uattr() macro - 6.4 now has a new field showing what log size will be needed - see 47a71c1f9af0 ("bpf: Add log_true_size output field to return necessary log buffer size") - This also requires new macro bpf_field_exists() to handle compat64 when checking that userspace supports this new field - bpf: compat64: handle bpf_xyz_info - Simplified bpf_link_info conversion handling using memcpy - Removed bpf_map_info patch since struct is the same in compat64/native (no ptrs) - Replaced #ifdef CONFIG_COMPAT64 with in_compat64_syscall() + use copy_bpf_xyz_info_{from,to}_user() helper functions for compat conversions - Merged bpf_{btf,prog,link}_info into a single patch - bpf: use user pointer types in uAPI structs - Added new compat_uptr_to_kern() macro to simplify casting/converting in compat ptrs - Usage of copy_{to,from}_user_with_ptr variants now correctly applied with new helpers ----------------------------------------------------------------------- Zachary Leaf (13): arm64: morello: enable syscall tracing arch: rename to 32bit_compat to compat32 arch: add compat helpers specific to 64-bit stddef: introduce copy_field helper bpf: compat64: add handler and convert bpf_attr in bpf: compat64: bpf_attr convert out bpf/btf: move zero check into btf.c bpf: compat64: handle bpf_{btf,prog,link}_info bpf: compat64: support CHECK_ATTR macro bpf: copy_{to,from}_user_with_ptr helpers bpf: use user pointer types in uAPI structs bpf: use addr for bpf_copy_from_user_with_task bpf: use addr for bpf_copy_from_user .../morello_transitional_pcuabi_defconfig | 2 +- arch/arm64/include/asm/compat.h | 11 +- arch/arm64/include/asm/ftrace.h | 2 +- arch/arm64/include/asm/mmu_context.h | 2 +- arch/arm64/include/asm/syscall.h | 6 +- arch/arm64/kernel/fpsimd.c | 6 +- arch/arm64/kernel/hw_breakpoint.c | 2 +- arch/arm64/kernel/perf_regs.c | 2 +- arch/arm64/kernel/pointer_auth.c | 6 +- arch/arm64/kernel/process.c | 16 +- arch/arm64/kernel/ptrace.c | 10 +- arch/arm64/kernel/signal.c | 2 +- arch/arm64/kernel/syscall.c | 2 +- arch/mips/include/asm/compat.h | 2 +- arch/parisc/include/asm/compat.h | 2 +- arch/powerpc/include/asm/compat.h | 2 +- arch/s390/include/asm/compat.h | 2 +- arch/sparc/include/asm/compat.h | 4 +- arch/x86/include/asm/compat.h | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_process.c | 2 +- drivers/input/input.c | 2 +- drivers/media/rc/bpf-lirc.c | 6 +- fs/ext4/dir.c | 2 +- fs/nfs/dir.c | 2 +- include/linux/bpf.h | 22 + include/linux/bpf_compat.h | 415 +++++++++ include/linux/bpfptr.h | 30 +- include/linux/compat.h | 16 +- include/linux/stddef.h | 3 + include/uapi/linux/bpf.h | 94 +- kernel/bpf/bpf_iter.c | 2 +- kernel/bpf/btf.c | 105 ++- kernel/bpf/cgroup.c | 9 +- kernel/bpf/hashtab.c | 12 +- kernel/bpf/helpers.c | 9 +- kernel/bpf/net_namespace.c | 6 +- kernel/bpf/offload.c | 2 +- kernel/bpf/syscall.c | 871 ++++++++++++++---- kernel/bpf/verifier.c | 20 +- kernel/time/time.c | 2 +- kernel/trace/bpf_trace.c | 6 +- mm/util.c | 2 +- net/bpf/bpf_dummy_struct_ops.c | 8 +- net/bpf/test_run.c | 31 +- net/core/sock_map.c | 6 +- 46 files changed, 1425 insertions(+), 345 deletions(-) create mode 100644 include/linux/bpf_compat.h -- 2.34.1

10 months, 3 weeks

3
23
0 0

[linux-morello][PATCH 0/3] Provide a vDSO to purecap processes and write tests

by Aditya Deshpande

Hello, This patch series implements a pure-capability vDSO which purecap userspace applications can directly use. It also fixes the vDSO selftests so that they can be built as purecap binaries, therefore allowing the new purecap vDSO to be tested. The existing aarch64 vDSO implementation is unchanged - it has simply been redefined as the compat vDSO. Therefore, processes using both the standard and purecap ABIs will have a vDSO to use. I have tested both vDSOs using the patched versions of the selftests. I have tested the selftests by by feeding it broken vDSOs and seeing ensuring they fail appropriately. The first patch fixes the tests, the second patch builds the purecap vDSO, and the third patch sets up the mapping for it and makes it available for use. If you think the patches should be ordered differently, and/or if we should possibly combine the building and mapping patches into one vDSO implementation patch, please let me know. Thanks, Aditya GitLab Issue: - https://git.morello-project.org/morello/kernel/linux/-/issues/24 GitLab Review Branch: - https://git.morello-project.org/aditya/linux/-/tree/purecap_vdso?ref_type=h… Aditya Deshpande (3): selftests/vDSO: Add support for purecap vDSO testing arm64: vdso: Build a pure-capability vDSO arm64: vDSO: Map the purecap vDSO into userspace application address space arch/arm64/Makefile | 6 + arch/arm64/include/asm/elf.h | 16 ++- arch/arm64/include/asm/vdso.h | 1 + arch/arm64/include/asm/vdso/gettimeofday.h | 92 ++++++++++++++ arch/arm64/kernel/Makefile | 4 +- arch/arm64/kernel/vdso-purecap-wrap.S | 22 ++++ arch/arm64/kernel/vdso-purecap/.gitignore | 2 + arch/arm64/kernel/vdso-purecap/Makefile | 101 ++++++++++++++++ arch/arm64/kernel/vdso-purecap/note.S | 23 ++++ arch/arm64/kernel/vdso-purecap/sigreturn.S | 80 ++++++++++++ arch/arm64/kernel/vdso-purecap/vdso.lds.S | 114 ++++++++++++++++++ .../arm64/kernel/vdso-purecap/vgettimeofday.c | 25 ++++ arch/arm64/kernel/vdso.c | 58 ++++++++- fs/compat_binfmt_elf.c | 16 +++ include/linux/compiler.h | 9 ++ include/linux/elf.h | 2 +- include/linux/user_ptr.h | 1 + tools/testing/selftests/vDSO/Makefile | 16 +-- tools/testing/selftests/vDSO/vdso_config.h | 11 ++ tools/testing/selftests/vDSO/vdso_test_abi.c | 4 +- .../selftests/vDSO/vdso_test_gettimeofday.c | 6 +- 21 files changed, 587 insertions(+), 22 deletions(-) create mode 100644 arch/arm64/kernel/vdso-purecap-wrap.S create mode 100644 arch/arm64/kernel/vdso-purecap/.gitignore create mode 100644 arch/arm64/kernel/vdso-purecap/Makefile create mode 100644 arch/arm64/kernel/vdso-purecap/note.S create mode 100644 arch/arm64/kernel/vdso-purecap/sigreturn.S create mode 100644 arch/arm64/kernel/vdso-purecap/vdso.lds.S create mode 100644 arch/arm64/kernel/vdso-purecap/vgettimeofday.c -- 2.25.1

10 months, 4 weeks

2
9
0 0

[PATCH v3 0/2] Support capabilities for struct mmc_ioc_{multi_}cmd

by Akram Ahmad

This patch aims to enable purecap applications to make use of the MMC block driver by adding PCuABI support to the MMC_IOC_CMD and MMC_IOC_MULTI_CMD ioctls. This also includes compat64 support for the ioctls. V2 -> V3: - Implement support for capabilities in the ioctls. - Correct formatting errors in patches. - Correct formatting and syntax errors in code. V1 -> V2: Various improvements to the code including: - Preference for native structs over (void __user *) - Complying with code styling guidelines - Improvement in code readability via removing unnecessary casts GitLab Issue: https://git.morello-project.org/morello/kernel/linux/-/issues/51 Review branch: https://git.morello-project.org/arkamnite/linux/-/commits/morello%2Fmmc_v3 Akram Ahmad (1): mmc: Implement compat handling for struct mmc_ioc_{multi_}cmd mmc: Support capabilities in MMC_IOC_{MULTI_}CMD ioctls drivers/mmc/core/block.c | 108 ++++++++++++++++++++++++++++++--- include/uapi/linux/mmc/ioctl.h | 4 +- 2 files changed, 102 insertions(+), 10 deletions(-) -- 2.34.1

11 months

2
4
0 0

[PATCH] selftests/arm64: morello: Improve __EXPECT()

by Kevin Brodsky

__EXPECT() currently prints the stringified arguments on failure but not their value, which is not very helpful. Let's use the same message as the original macro in kselftest_harness.h, printing the values too. For simplicity's sake they are always printed as signed, which is generally appropriate (only 64-bit unsigned values with the top bit set are an issue, and these are rarely encountered). Signed-off-by: Kevin Brodsky <kevin.brodsky(a)arm.com> --- tools/testing/selftests/arm64/morello/freestanding.h | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/arm64/morello/freestanding.h b/tools/testing/selftests/arm64/morello/freestanding.h index 2beb52eafae1..8dab905d2b54 100644 --- a/tools/testing/selftests/arm64/morello/freestanding.h +++ b/tools/testing/selftests/arm64/morello/freestanding.h @@ -91,8 +91,12 @@ int __attribute__ ((format(printf, 1, 2))) printf(const char *fmt, ...); /* this macro emulates its harness counterpart but is not API compatible */ #define __EXPECT(exp, seen, op, exit_on_fail) \ do { \ - if (!((exp) op (seen))) { \ - __TH_LOG_ERROR("'(%s) %s (%s)' was false", #exp, #op, #seen); \ + __typeof__(exp) __exp = (exp); \ + __typeof__(seen) __seen = (seen); \ + if (!((__exp) op (__seen))) { \ + __TH_LOG_ERROR("Expected %s (%lld) %s %s (%lld)", \ + #exp, (long long)__exp, #op, \ + #seen, (long long)__seen); \ __cur_test->message = 1; \ } \ } while (0); \ -- 2.38.1

11 months

2
4
0 0

[PATCH V2] mmc: Implement compat handling for struct mmc_ioc_{multi_}cmd

by Akram Ahmad

Introduce a compat version of the struct mmc_ioc_cmd and struct mmc_ioc_multi_cmd. Also implement helper functions which convert between the native and compat versions of these two structs. A subsequent patch will change the structs to enable it to support new architectures. On such architectures, the current struct layout must still be supported for compat tasks. V1 -> V2: Various improvements to the code including: - Preference for native structs over (void __user *) - Complying with code styling guidelines - Improvement in code readability via removing unnecessary casts Signed-off-by: Akram Ahmad <Akram.Ahmad(a)arm.com> --- drivers/mmc/core/block.c | 95 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 90 insertions(+), 5 deletions(-) diff --git a/drivers/mmc/core/block.c b/drivers/mmc/core/block.c index 2f8884e3d4c2..311944c82313 100644 --- a/drivers/mmc/core/block.c +++ b/drivers/mmc/core/block.c @@ -101,6 +101,33 @@ struct mmc_blk_busy_data { u32 status; }; +static inline bool in_compat64(void) +{ + return IS_ENABLED(CONFIG_COMPAT64) && in_compat_syscall(); +} + +struct compat_mmc_ioc_cmd { + int write_flag; + int is_acmd; + __u32 opcode; + __u32 arg; + __u32 response[4]; + unsigned int flags; + unsigned int blksz; + unsigned int blocks; + unsigned int postsleep_min_us; + unsigned int postsleep_max_us; + unsigned int data_timeout_ns; + unsigned int cmd_timeout_ms; + __u32 __pad; + __u64 data_ptr; +}; + +struct compat_mmc_ioc_multi_cmd { + __u64 num_of_cmds; + struct compat_mmc_ioc_cmd cmds[]; +}; + /* * There is one mmc_blk_data per slot. */ @@ -401,6 +428,48 @@ struct mmc_blk_ioc_data { struct mmc_rpmb_data *rpmb; }; +/* + * Copy the data from a `compat_mmc_ioc_cmd` user pointer, `src`, + * to kernel space, storing it in `native_cmd`. Returns 0 for + * a successful copy. + */ +static int get_mmc_ioc_cmd_from_compat64( + struct mmc_ioc_cmd *native_cmd, + void * __user src) +{ + struct compat_mmc_ioc_cmd compat_cmd; + + if (copy_from_user(&compat_cmd, src, sizeof(struct compat_mmc_ioc_cmd))) + return -EFAULT; + + native_cmd->arg = compat_cmd.arg; + native_cmd->is_acmd = compat_cmd.is_acmd; + native_cmd->opcode = compat_cmd.opcode; + native_cmd->arg = compat_cmd.arg; + memcpy(native_cmd->response, compat_cmd.response, sizeof(compat_cmd.response)); + native_cmd->flags = compat_cmd.flags; + native_cmd->blksz = compat_cmd.blksz; + native_cmd->blocks = compat_cmd.blocks; + native_cmd->postsleep_min_us = compat_cmd.postsleep_min_us; + native_cmd->postsleep_max_us = compat_cmd.postsleep_max_us; + native_cmd->data_timeout_ns = compat_cmd.data_timeout_ns; + native_cmd->cmd_timeout_ms = compat_cmd.cmd_timeout_ms; + native_cmd->__pad = compat_cmd.__pad; + native_cmd->data_ptr = compat_cmd.data_ptr; + + return 0; +} + +static int copy_mmc_ioc_cmd_from_user(struct mmc_ioc_cmd *to, void * __user src) +{ + if (in_compat64()) + return get_mmc_ioc_cmd_from_compat64(to, src); + + if (copy_from_user(to, src, sizeof(*to))) + return -EFAULT; + return 0; +} + static struct mmc_blk_ioc_data *mmc_blk_ioctl_copy_from_user( struct mmc_ioc_cmd __user *user) { @@ -413,7 +482,7 @@ static struct mmc_blk_ioc_data *mmc_blk_ioctl_copy_from_user( goto out; } - if (copy_from_user(&idata->ic, user, sizeof(idata->ic))) { + if (copy_mmc_ioc_cmd_from_user(&idata->ic, user)) { err = -EFAULT; goto idata_err; } @@ -449,8 +518,11 @@ static int mmc_blk_ioctl_copy_to_user(struct mmc_ioc_cmd __user *ic_ptr, { struct mmc_ioc_cmd *ic = &idata->ic; - if (copy_to_user(&(ic_ptr->response), ic->response, - sizeof(ic->response))) + __u32 __user *response_uptr = in_compat64() ? + *(&((struct compat_mmc_ioc_cmd __user *)ic_ptr)->response) : + *(&ic_ptr->response); + + if (copy_to_user(response_uptr, ic->response, sizeof(ic->response))) return -EFAULT; if (!idata->ic.write_flag) { @@ -666,6 +738,15 @@ static int mmc_blk_ioctl_cmd(struct mmc_blk_data *md, return ioc_err ? ioc_err : err; } +static inline struct mmc_ioc_cmd __user *get_ith_mmc_ioc_cmd_uptr( + struct mmc_ioc_cmd __user *cmds_array, + unsigned int i) +{ + if (in_compat64()) + return (struct mmc_ioc_cmd __user *)&((struct compat_mmc_ioc_cmd __user *)cmds_array)[i]; + return &(cmds_array)[i]; +} + static int mmc_blk_ioctl_multi_cmd(struct mmc_blk_data *md, struct mmc_ioc_multi_cmd __user *user, struct mmc_rpmb_data *rpmb) @@ -679,6 +760,10 @@ static int mmc_blk_ioctl_multi_cmd(struct mmc_blk_data *md, unsigned int i, n; struct request *req; + // Both native and compat64 versions of mmc_ioc_multi_cmd + // have num_of_cmds as the first field, so the offset + // does not need to be recalculated based on the differing + // layouts. if (copy_from_user(&num_of_cmds, &user->num_of_cmds, sizeof(num_of_cmds))) return -EFAULT; @@ -695,7 +780,7 @@ static int mmc_blk_ioctl_multi_cmd(struct mmc_blk_data *md, return -ENOMEM; for (i = 0; i < n; i++) { - idata[i] = mmc_blk_ioctl_copy_from_user(&cmds[i]); + idata[i] = mmc_blk_ioctl_copy_from_user(get_ith_mmc_ioc_cmd_uptr(cmds, i)); if (IS_ERR(idata[i])) { err = PTR_ERR(idata[i]); n = i; @@ -732,7 +817,7 @@ static int mmc_blk_ioctl_multi_cmd(struct mmc_blk_data *md, /* copy to user if data and response */ for (i = 0; i < n && !err; i++) - err = mmc_blk_ioctl_copy_to_user(&cmds[i], idata[i]); + err = mmc_blk_ioctl_copy_to_user(get_ith_mmc_ioc_cmd_uptr(cmds, i), idata[i]); blk_mq_free_request(req); -- 2.34.1

11 months, 1 week

2
1
0 0

2024

2023

2022

linux-morello