From: Maciej Wieczor-Retman With the announcement of ChkTag, it's worth preparing a stable x86 linear address masking (lam) user interface. One important aspect of lam is the tag width, and aligning it with other industry solutions can provide a more popular, generalized interface that other technologies could utilize. ChkTag will use 4-bit tags and since that's the direction other memory tagging implementations seem to be taking too (for example Arm's MTE) it's reasonable to converge lam in linux to the same specification. Even though x86's LAM supports 6-bit tags it is beneficial to shorten lam to 4 bits as ChkTag will likely be the main user of the interface and such connection should simplify things in the future. Present to the user a shrunk tag width from 6 bits to 4 bits. At the same time the kernel internally keeps using the full 6 bits supported by current hardware. The user presented value is different in that it can be relied on to support 4 bit tags even if the underlying mechanism for address masking changes with newer hardware. Signed-off-by: Maciej Wieczor-Retman --- Changelog v7: - Redo most of the code around untag_mask and the last paragraph of this patch message. Changelog v6: - Rename the define constants so they match the arch_prctl() switch case names and update the patch message. - Define LAM most/least significant bits so they fit better into GENMASK(). - Remove 'default' from the patch subject. Changelog v4: - Ditch the default wording in the patch message. - Add the imperative last line as Dave suggested. Changelog v3: - Remove the variability of the lam width after the debugfs part was removed from the patchset. arch/x86/kernel/process_64.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c index 08e72f429870..8b8aaf1d740b 100644 --- a/arch/x86/kernel/process_64.c +++ b/arch/x86/kernel/process_64.c 
@@ -797,7 +797,8 @@ static long prctl_map_vdso(const struct vdso_image *image, unsigned long addr) #ifdef CONFIG_ADDRESS_MASKING -#define LAM_U57_BITS 6 +#define LAM_TAG_BITS 4 +#define LAM_UNTAG_MASK ~GENMASK(60, 57) static void enable_lam_func(void *__mm) { @@ -850,7 +851,7 @@ static int prctl_enable_tagged_addr(struct mm_struct *mm, unsigned long nr_bits) return -EBUSY; } - if (!nr_bits || nr_bits > LAM_U57_BITS) { + if (!nr_bits || nr_bits > LAM_TAG_BITS) { mmap_write_unlock(mm); return -EINVAL; } @@ -952,8 +953,9 @@ long do_arch_prctl_64(struct task_struct *task, int option, unsigned long arg2) #endif #ifdef CONFIG_ADDRESS_MASKING case ARCH_GET_UNTAG_MASK: - return put_user(task->mm->context.untag_mask, - (unsigned long __user *)arg2); + if (task->mm->context.lam_cr3_mask) + return put_user(LAM_UNTAG_MASK, (unsigned long __user *)arg2); + return put_user(task->mm->context.untag_mask, (unsigned long __user *)arg2); case ARCH_ENABLE_TAGGED_ADDR: return prctl_enable_tagged_addr(task->mm, arg2); case ARCH_FORCE_TAGGED_SVA: @@ -965,7 +967,7 @@ long do_arch_prctl_64(struct task_struct *task, int option, unsigned long arg2) if (!cpu_feature_enabled(X86_FEATURE_LAM)) return put_user(0, (unsigned long __user *)arg2); else - return put_user(LAM_U57_BITS, (unsigned long __user *)arg2); + return put_user(LAM_TAG_BITS, (unsigned long __user *)arg2); #endif case ARCH_SHSTK_ENABLE: case ARCH_SHSTK_DISABLE: -- 2.53.0 
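Review bot: `LAM_UNTAG_MASK` in the first process_64.c hunk expands to an unparenthesized expression, `~GENMASK(60, 57)`. The uses visible in this series (`put_user(LAM_UNTAG_MASK, ...)`, `ptr != LAM_UNTAG_MASK`, `src & LAM_UNTAG_MASK`) evaluate as intended because unary `~` binds tightly. Wrapping the value keeps any later use from regrouping it: `#define LAM_UNTAG_MASK (~GENMASK(60, 57))`. The copy added to tools/testing/selftests/x86/lam.c later in the series should get the same parentheses so the two definitions stay identical.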
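Review bot: The new `lam_cr3_mask` branch under `case ARCH_GET_UNTAG_MASK:` reports a mask that clears only bits 60:57, and nothing at the site records that this differs on purpose from `mm->context.untag_mask`. The commit message says the kernel and hardware keep using the full 6-bit field. If so, a process that canonicalises pointers with the reported mask leaves bits 62:61 in place even though a dereference would ignore them, so two pointers differing only there compare unequal yet reach the same memory. Allocators, sanitizers and bounds checks that key on the untagged value need to know that, so I would add a comment above the branch such as `/* Stable ABI: report 4 tag bits (60:57). mm->context.untag_mask keeps the hardware width, so bits 62:61 are not part of the reported mask. */`. The body of `do_arch_prctl_64()` starts and ends outside the hunk, so whether the enable path changes the internal mask cannot be checked from here.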
From: Maciej Wieczor-Retman While the user should expect 4 bit tags from the lam interface current hardware supports 6 bit tags. Such tag width is also used internally by the kernel so the kernel-hardware treatment of addresses that came from userspace is consistent. Add a procfs file with the hardware supported untag mask. It may be used by debuggers to recreate hardware or kernel handling of user pointers. At the same time the returned value from this file shouldn't be relied on by regular lam user programs since it might change with future hardware. For a stable interface they should use the ARCH_GET_UNTAG_MASK arch_prctl() syscall instead. Signed-off-by: Maciej Wieczor-Retman --- Changelog v7: - Add the patch to the series. arch/x86/Kconfig | 1 + arch/x86/kernel/process_64.c | 18 ++++++++++++++++++ fs/proc/Kconfig | 4 ++++ fs/proc/base.c | 6 ++++++ include/linux/uaccess.h | 5 +++++ 5 files changed, 34 insertions(+) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index e2df1b147184..1ec303cca1ab 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -2194,6 +2194,7 @@ config ADDRESS_MASKING bool "Linear Address Masking support" depends on X86_64 depends on COMPILE_TEST || !CPU_MITIGATIONS # wait for LASS + select PROC_ADDRESS_MASKING if PROC_FS help Linear Address Masking (LAM) modifies the checking that is applied to 64-bit linear addresses, allowing software to use of the diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c index 8b8aaf1d740b..44c4a80fc658 100644 --- a/arch/x86/kernel/process_64.c +++ b/arch/x86/kernel/process_64.c 
@@ -800,6 +800,24 @@ static long prctl_map_vdso(const struct vdso_image *image, unsigned long addr) #define LAM_TAG_BITS 4 #define LAM_UNTAG_MASK ~GENMASK(60, 57) +#ifdef CONFIG_PROC_ADDRESS_MASKING + +int proc_address_mask(struct seq_file *s, struct pid_namespace *ns, + struct pid *pid, struct task_struct *tsk) +{ + struct mm_struct *mm; + + mm = get_task_mm(tsk); + if (mm) { + seq_printf(s, "0x%llx\n", mm->context.untag_mask); + mmput(mm); + } + + return 0; +} + +#endif + static void enable_lam_func(void *__mm) { struct mm_struct *mm = __mm; diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig index 6ae966c561e7..0094e185a7b2 100644 --- a/fs/proc/Kconfig +++ b/fs/proc/Kconfig @@ -127,3 +127,7 @@ config PROC_PID_ARCH_STATUS config PROC_CPU_RESCTRL def_bool n depends on PROC_FS + +config PROC_ADDRESS_MASKING + def_bool n + depends on PROC_FS diff --git a/fs/proc/base.c b/fs/proc/base.c index 4c863d17dfb4..9483ad4197e1 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -3421,6 +3421,9 @@ static const struct pid_entry tgid_base_stuff[] = { ONE("ksm_merging_pages", S_IRUSR, proc_pid_ksm_merging_pages), ONE("ksm_stat", S_IRUSR, proc_pid_ksm_stat), #endif +#ifdef CONFIG_PROC_ADDRESS_MASKING + ONE("address_mask", S_IRUSR, proc_address_mask), +#endif }; static int proc_tgid_base_readdir(struct file *file, struct dir_context *ctx) @@ -3755,6 +3758,9 @@ static const struct pid_entry tid_base_stuff[] = { ONE("ksm_merging_pages", S_IRUSR, proc_pid_ksm_merging_pages), ONE("ksm_stat", S_IRUSR, proc_pid_ksm_stat), #endif +#ifdef CONFIG_PROC_ADDRESS_MASKING + ONE("address_mask", S_IRUSR, proc_address_mask), +#endif }; static int proc_tid_base_readdir(struct file *file, struct dir_context *ctx) diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h index 4fe63169d5a2..c02d254a1a1e 100644 --- a/include/linux/uaccess.h +++ b/include/linux/uaccess.h 
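Review bot: `seq_printf(s, "0x%llx\n", mm->context.untag_mask)` in the new `proc_address_mask()` uses a `long long` conversion for a field that is presumably `unsigned long`, since the `ARCH_GET_UNTAG_MASK` case in the same file stores it through an `unsigned long __user *`. The widths agree on x86-64, but the specifier does not match the type and `-Wformat` will flag it; `seq_printf(s, "0x%lx\n", mm->context.untag_mask);` matches the field. The function also has no header comment. One line saying it prints the hardware untag mask for debuggers, and emits nothing when the task has no mm, would make clear why this value differs from the one arch_prctl() returns.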
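Review bot: The `ONE("address_mask", S_IRUSR, proc_address_mask)` entry added to `tgid_base_stuff[]` creates a per-process file with a generic name and no comment. The commit message says its value is hardware-specific, may change with future hardware, and must not be relied on by regular programs. The diffstat lists no documentation change either, so a reader of fs/proc/base.c or of the file itself cannot tell it apart from the stable arch_prctl() value. I would add above the entry `/* x86 LAM hardware untag mask, for debuggers only; the stable value is arch_prctl(ARCH_GET_UNTAG_MASK) */`, and the same above the identical entry in `tid_base_stuff[]`. Both arrays start outside their hunks.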
@@ -869,4 +869,9 @@ void __noreturn usercopy_abort(const char *name, const char *detail, unsigned long len); #endif +#ifdef CONFIG_PROC_ADDRESS_MASKING +int proc_address_mask(struct seq_file *s, struct pid_namespace *ns, + struct pid *pid, struct task_struct *tsk); +#endif + #endif /* __LINUX_UACCESS_H__ */ -- 2.53.0 From: Maciej Wieczor-Retman For simplicity only the LAM_U57 mode is implemented in the kernel. No matter whether the enabled paging mode is 5-level or 4-level the masked tag bits are the same as on a 5-level system. Remove two mentions of LAM_U48 which implied that it could be enabled. Signed-off-by: Maciej Wieczor-Retman Reviewed-by: Sohil Mehta --- Changelog v6: - Add Sohil's Reviewed-by. arch/x86/include/asm/mmu.h | 2 +- arch/x86/include/asm/tlbflush.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h index 0fe9c569d171..9dcfce439c19 100644 --- a/arch/x86/include/asm/mmu.h +++ b/arch/x86/include/asm/mmu.h @@ -49,7 +49,7 @@ typedef struct { unsigned long flags; #ifdef CONFIG_ADDRESS_MASKING - /* Active LAM mode: X86_CR3_LAM_U48 or X86_CR3_LAM_U57 or 0 (disabled) */ + /* Active LAM mode: X86_CR3_LAM_U57 or 0 (disabled) */ unsigned long lam_cr3_mask; /* Significant bits of the virtual address. Excludes tag bits. */ diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h index 5a3cdc439e38..94c5ca1febaf 100644 --- a/arch/x86/include/asm/tlbflush.h +++ b/arch/x86/include/asm/tlbflush.h @@ -110,7 +110,7 @@ struct tlb_state { /* * Active LAM mode. * - * X86_CR3_LAM_U57/U48 shifted right by X86_CR3_LAM_U57_BIT or 0 if LAM + * X86_CR3_LAM_U57 shifted right by X86_CR3_LAM_U57_BIT or 0 if LAM * disabled. */ u8 lam; -- 2.53.0 
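Review bot: The `proc_address_mask()` prototype added at the end of include/linux/uaccess.h names `struct seq_file`, `struct pid_namespace`, `struct pid` and `struct task_struct`, and the hunk shows no forward declarations for them. If any of these is not already visible to every file that includes uaccess.h, the compiler treats it as declared inside the parameter list and warns. A user-copy header is also an unexpected home for a procfs show callback; the comparable `proc_pid_arch_status()` prototype is declared in include/linux/proc_fs.h. Moving the declaration there, under the same `#ifdef CONFIG_PROC_ADDRESS_MASKING`, would keep it next to its peers and next to the struct declarations it needs.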
From: Maciej Wieczor-Retman After the tag width in LAM (Linear Address Masking) is set to 4 bits, the value isn't strictly related to the CPU features like LAM_U57 or LAM_U48. To emphasise this, remove mentions of _U57 from the selftest and update the tag width. Define GENMASK() so the selftest defines can match the kernel ones. That way it's easier to find or synchronize the two sets of values. Signed-off-by: Maciej Wieczor-Retman Reviewed-by: Sohil Mehta --- Changelog v7: - Apply Sohil's suggestions to LAM_UNTAG_MASK and to defining GENMASK. - Add Sohil's Reviewed-by tag. Changelog v6: - Update the patch subject that was not accurate after debugfs part got removed. - Fix one comment I missed. - Define GENMASK() and change defined constants so they match the ones in the kernel (from patch 1/3). Changelog v4: - Remove the 'default' wording. Changelog v3: - Redo the patch after the removal of the debugfs part. tools/testing/selftests/x86/lam.c | 94 ++++++++++++++++--------------- 1 file changed, 49 insertions(+), 45 deletions(-) diff --git a/tools/testing/selftests/x86/lam.c b/tools/testing/selftests/x86/lam.c index 1919fa6daec0..4c0cadea80cc 100644 --- a/tools/testing/selftests/x86/lam.c +++ b/tools/testing/selftests/x86/lam.c @@ -18,17 +18,21 @@ #include #include +#include +#include #include "kselftest.h" #ifndef __x86_64__ # error This test is 64-bit only #endif +#define GENMASK(h, l) __GENMASK(h, l) + /* LAM modes, these definitions were copied from kernel code */ #define LAM_NONE 0 -#define LAM_U57_BITS 6 +#define LAM_TAG_BITS 4 +#define LAM_UNTAG_MASK ~GENMASK(60, 57) -#define LAM_U57_MASK (0x3fULL << 57) /* arch prctl for LAM */ #define ARCH_GET_UNTAG_MASK 0x4001 #define ARCH_ENABLE_TAGGED_ADDR 0x4002 
@@ -51,8 +55,8 @@ #define GET_USER_KERNEL 3 #define TEST_MASK 0x7f -#define L5_SIGN_EXT_MASK (0xFFUL << 56) -#define L4_SIGN_EXT_MASK (0x1FFFFUL << 47) +#define L5_SIGN_EXT_MASK GENMASK(63, 56) +#define L4_SIGN_EXT_MASK GENMASK(63, 47) #define LOW_ADDR (0x1UL << 30) #define HIGH_ADDR (0x3UL << 48) @@ -175,7 +179,7 @@ static int set_lam(unsigned long lam) int ret = 0; uint64_t ptr = 0; - if (lam != LAM_U57_BITS && lam != LAM_NONE) + if (lam != LAM_TAG_BITS && lam != LAM_NONE) return -1; /* Skip check return */ @@ -185,8 +189,8 @@ static int set_lam(unsigned long lam) syscall(SYS_arch_prctl, ARCH_GET_UNTAG_MASK, &ptr); /* Check mask returned is expected */ - if (lam == LAM_U57_BITS) - ret = (ptr != ~(LAM_U57_MASK)); + if (lam == LAM_TAG_BITS) + ret = (ptr != LAM_UNTAG_MASK); else if (lam == LAM_NONE) ret = (ptr != -1ULL); @@ -204,8 +208,8 @@ static unsigned long get_default_tag_bits(void) perror("Fork failed."); } else if (pid == 0) { /* Set LAM mode in child process */ - if (set_lam(LAM_U57_BITS) == 0) - lam = LAM_U57_BITS; + if (set_lam(LAM_TAG_BITS) == 0) + lam = LAM_TAG_BITS; else lam = LAM_NONE; exit(lam); @@ -230,8 +234,8 @@ static int get_lam(void) return -1; /* Check mask returned is expected */ - if (ptr == ~(LAM_U57_MASK)) - ret = LAM_U57_BITS; + if (ptr == LAM_UNTAG_MASK) + ret = LAM_TAG_BITS; else if (ptr == -1ULL) ret = LAM_NONE; @@ -247,10 +251,10 @@ static uint64_t set_metadata(uint64_t src, unsigned long lam) srand(time(NULL)); switch (lam) { - case LAM_U57_BITS: /* Set metadata in bits 62:57 */ + case LAM_TAG_BITS: /* Set metadata in bits 60:57 */ /* Get a random non-zero value as metadata */ - metadata = (rand() % ((1UL << LAM_U57_BITS) - 1) + 1) << 57; - metadata |= (src & ~(LAM_U57_MASK)); + metadata = (rand() % ((1UL << LAM_TAG_BITS) - 1) + 1) << 57; + metadata |= (src & LAM_UNTAG_MASK); break; default: metadata = src; 
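Review bot: `set_metadata()` now draws tags only from bits 60:57, so after this hunk no test places anything in bits 62:61. The series says current hardware still masks those two bits, but the mask the kernel reports no longer covers them. That gap between the advertised and the effective mask is the behaviour most likely to surprise userspace pointer checks, and the selftest does not pin it either way. At minimum the case label should say the omission is deliberate, e.g. `case LAM_TAG_BITS: /* Set metadata in bits 60:57; 62:61 are outside the 4-bit ABI and left clear */`. A follow-up case that sets bit 61 or 62 on a valid pointer and asserts the intended outcome would document the contract. The expected result depends on kernel code outside this hunk.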
@@ -291,7 +295,7 @@ int handle_max_bits(struct testcases *test) unsigned long bits = 0; if (exp_bits != LAM_NONE) - exp_bits = LAM_U57_BITS; + exp_bits = LAM_TAG_BITS; /* Get LAM max tag bits */ if (syscall(SYS_arch_prctl, ARCH_GET_MAX_TAG_BITS, &bits) == -1) @@ -719,8 +723,8 @@ int do_uring(unsigned long lam) uint64_t addr = ((uint64_t)fi->iovecs[i].iov_base); switch (lam) { - case LAM_U57_BITS: /* Clear bits 62:57 */ - addr = (addr & ~(LAM_U57_MASK)); + case LAM_TAG_BITS: /* Clear bits 60:57 */ + addr = (addr & LAM_UNTAG_MASK); break; } free((void *)addr); @@ -937,14 +941,14 @@ static void run_test(struct testcases *test, int count) static struct testcases uring_cases[] = { { .later = 0, - .lam = LAM_U57_BITS, + .lam = LAM_TAG_BITS, .test_func = handle_uring, - .msg = "URING: LAM_U57. Dereferencing pointer with metadata\n", + .msg = "URING: LAM. Dereferencing pointer with metadata\n", }, { .later = 1, .expected = 1, - .lam = LAM_U57_BITS, + .lam = LAM_TAG_BITS, .test_func = handle_uring, .msg = "URING:[Negative] Disable LAM. Dereferencing pointer with metadata.\n", }, @@ -953,14 +957,14 @@ static struct testcases uring_cases[] = { static struct testcases malloc_cases[] = { { .later = 0, - .lam = LAM_U57_BITS, + .lam = LAM_TAG_BITS, .test_func = handle_malloc, - .msg = "MALLOC: LAM_U57. Dereferencing pointer with metadata\n", + .msg = "MALLOC: LAM. Dereferencing pointer with metadata\n", }, { .later = 1, .expected = 2, - .lam = LAM_U57_BITS, + .lam = LAM_TAG_BITS, .test_func = handle_malloc, .msg = "MALLOC:[Negative] Disable LAM. Dereferencing pointer with metadata.\n", }, 
@@ -976,41 +980,41 @@ static struct testcases bits_cases[] = { static struct testcases syscall_cases[] = { { .later = 0, - .lam = LAM_U57_BITS, + .lam = LAM_TAG_BITS, .test_func = handle_syscall, - .msg = "SYSCALL: LAM_U57. syscall with metadata\n", + .msg = "SYSCALL: LAM. syscall with metadata\n", }, { .later = 1, .expected = 1, - .lam = LAM_U57_BITS, + .lam = LAM_TAG_BITS, .test_func = handle_syscall, .msg = "SYSCALL:[Negative] Disable LAM. Dereferencing pointer with metadata.\n", }, { .later = GET_USER_USER, - .lam = LAM_U57_BITS, + .lam = LAM_TAG_BITS, .test_func = get_user_syscall, .msg = "GET_USER: get_user() and pass a properly tagged user pointer.\n", }, { .later = GET_USER_KERNEL_TOP, .expected = 1, - .lam = LAM_U57_BITS, + .lam = LAM_TAG_BITS, .test_func = get_user_syscall, .msg = "GET_USER:[Negative] get_user() with a kernel pointer and the top bit cleared.\n", }, { .later = GET_USER_KERNEL_BOT, .expected = 1, - .lam = LAM_U57_BITS, + .lam = LAM_TAG_BITS, .test_func = get_user_syscall, .msg = "GET_USER:[Negative] get_user() with a kernel pointer and the bottom sign-extension bit cleared.\n", }, { .later = GET_USER_KERNEL, .expected = 1, - .lam = LAM_U57_BITS, + .lam = LAM_TAG_BITS, .test_func = get_user_syscall, .msg = "GET_USER:[Negative] get_user() and pass a kernel pointer.\n", }, 
@@ -1020,60 +1024,60 @@ static struct testcases mmap_cases[] = { { .later = 1, .expected = 0, - .lam = LAM_U57_BITS, + .lam = LAM_TAG_BITS, .addr = HIGH_ADDR, .test_func = handle_mmap, - .msg = "MMAP: First mmap high address, then set LAM_U57.\n", + .msg = "MMAP: First mmap high address, then set LAM.\n", }, { .later = 0, .expected = 0, - .lam = LAM_U57_BITS, + .lam = LAM_TAG_BITS, .addr = HIGH_ADDR, .test_func = handle_mmap, - .msg = "MMAP: First LAM_U57, then High address.\n", + .msg = "MMAP: First LAM, then High address.\n", }, { .later = 0, .expected = 0, - .lam = LAM_U57_BITS, + .lam = LAM_TAG_BITS, .addr = LOW_ADDR, .test_func = handle_mmap, - .msg = "MMAP: First LAM_U57, then Low address.\n", + .msg = "MMAP: First LAM, then Low address.\n", }, }; static struct testcases inheritance_cases[] = { { .expected = 0, - .lam = LAM_U57_BITS, + .lam = LAM_TAG_BITS, .test_func = handle_inheritance, - .msg = "FORK: LAM_U57, child process should get LAM mode same as parent\n", + .msg = "FORK: LAM, child process should get LAM mode same as parent\n", }, { .expected = 0, - .lam = LAM_U57_BITS, + .lam = LAM_TAG_BITS, .test_func = handle_thread, - .msg = "THREAD: LAM_U57, child thread should get LAM mode same as parent\n", + .msg = "THREAD: LAM, child thread should get LAM mode same as parent\n", }, { .expected = 1, - .lam = LAM_U57_BITS, + .lam = LAM_TAG_BITS, .test_func = handle_thread_enable, .msg = "THREAD: [NEGATIVE] Enable LAM in child.\n", }, { .expected = 1, .later = 1, - .lam = LAM_U57_BITS, + .lam = LAM_TAG_BITS, .test_func = handle_thread, .msg = "THREAD: [NEGATIVE] Enable LAM in parent after thread created.\n", }, { .expected = 0, - .lam = LAM_U57_BITS, + .lam = LAM_TAG_BITS, .test_func = handle_execve, - .msg = "EXECVE: LAM_U57, child process should get disabled LAM mode\n", + .msg = "EXECVE: LAM, child process should get disabled LAM mode\n", }, }; 
@@ -1224,7 +1228,7 @@ int handle_pasid(struct testcases *test) if (tmp & 0x1) { /* run set lam mode*/ if ((runed & 0x1) == 0) { - err = set_lam(LAM_U57_BITS); + err = set_lam(LAM_TAG_BITS); runed = runed | 0x1; } else err = 1; -- 2.53.0