Commit 6c7559f2 authored by Deepak Gupta's avatar Deepak Gupta Committed by Paul Walmsley
Browse files

riscv/mm: ensure PROT_WRITE leads to VM_READ | VM_WRITE 



'arch_calc_vm_prot_bits' is implemented on risc-v to return VM_READ |
VM_WRITE if PROT_WRITE is specified. Similarly 'riscv_sys_mmap' is
updated to convert all incoming PROT_WRITE to (PROT_WRITE | PROT_READ).
This is to make sure that any existing apps using PROT_WRITE still work.

Earlier 'protection_map[VM_WRITE]' used to pick read-write PTE encodings.
Now 'protection_map[VM_WRITE]' will always pick PAGE_SHADOWSTACK PTE
encodings for shadow stack. The above changes ensure that existing apps
continue to work because underneath, the kernel will be picking
'protection_map[VM_WRITE|VM_READ]' PTE encodings.

Reviewed-by: default avatarZong Li <zong.li@sifive.com>
Reviewed-by: default avatarAlexandre Ghiti <alexghiti@rivosinc.com>
Signed-off-by: default avatarDeepak Gupta <debug@rivosinc.com>
Tested-by: Andreas Korb <andreas.korb@aisec.fraunhofer.de> # QEMU, custom CVA6
Tested-by: default avatarValentin Haudiquet <valentin.haudiquet@canonical.com>
Link: https://patch.msgid.link/20251112-v5_user_cfi_series-v23-6-b55691eacf4f@rivosinc.com


Signed-off-by: default avatarPaul Walmsley <pjw@kernel.org>
parent 79dd4f2f

arch/riscv/include/asm/mman.h

0 → 100644
+26 −0
Original line number Diff line number Diff line 
/* SPDX-License-Identifier: GPL-2.0 */

#ifndef __ASM_MMAN_H__

#define __ASM_MMAN_H__



#include <linux/compiler.h>

#include <linux/types.h>

#include <linux/mm.h>

#include <uapi/asm/mman.h>



static inline unsigned long arch_calc_vm_prot_bits(unsigned long prot,

						   unsigned long pkey __always_unused)

{

	unsigned long ret = 0;



	/*

	 * If PROT_WRITE was specified, force it to VM_READ | VM_WRITE.

	 * Only VM_WRITE means shadow stack.

	 */

	if (prot & PROT_WRITE)

		ret = (VM_READ | VM_WRITE);

	return ret;

}



#define arch_calc_vm_prot_bits(prot, pkey) arch_calc_vm_prot_bits(prot, pkey)



#endif /* ! __ASM_MMAN_H__ */

arch/riscv/include/asm/pgtable.h

+1 −0
Original line number Diff line number Diff line
@@ -178,6 +178,7 @@ extern struct pt_alloc_ops pt_ops __meminitdata; 
#define PAGE_READ_EXEC		__pgprot(_PAGE_BASE | _PAGE_READ | _PAGE_EXEC)

#define PAGE_WRITE_EXEC		__pgprot(_PAGE_BASE | _PAGE_READ |	\

					 _PAGE_EXEC | _PAGE_WRITE)

#define PAGE_SHADOWSTACK       __pgprot(_PAGE_BASE | _PAGE_WRITE)



#define PAGE_COPY		PAGE_READ

#define PAGE_COPY_EXEC		PAGE_READ_EXEC

arch/riscv/kernel/sys_riscv.c

+10 −0
Original line number Diff line number Diff line
@@ -7,6 +7,7 @@ 


#include <linux/syscalls.h>

#include <asm/cacheflush.h>

#include <asm-generic/mman-common.h>



static long riscv_sys_mmap(unsigned long addr, unsigned long len,

			   unsigned long prot, unsigned long flags,
@@ -16,6 +17,15 @@ static long riscv_sys_mmap(unsigned long addr, unsigned long len, 
	if (unlikely(offset & (~PAGE_MASK >> page_shift_offset)))

		return -EINVAL;



	/*

	 * If PROT_WRITE is specified then extend that to PROT_READ

	 * protection_map[VM_WRITE] is now going to select shadow stack encodings.

	 * So specifying PROT_WRITE actually should select protection_map [VM_WRITE | VM_READ]

	 * If user wants to create shadow stack then they should use `map_shadow_stack` syscall.

	 */

	if (unlikely((prot & PROT_WRITE) && !(prot & PROT_READ)))

		prot |= PROT_READ;



	return ksys_mmap_pgoff(addr, len, prot, flags, fd,

			       offset >> (PAGE_SHIFT - page_shift_offset));

}

arch/riscv/mm/init.c

+1 −1
Original line number Diff line number Diff line
@@ -376,7 +376,7 @@ pgd_t early_pg_dir[PTRS_PER_PGD] __initdata __aligned(PAGE_SIZE); 
static const pgprot_t protection_map[16] = {

	[VM_NONE]					= PAGE_NONE,

	[VM_READ]					= PAGE_READ,

	[VM_WRITE]					= PAGE_COPY,

	[VM_WRITE]					= PAGE_SHADOWSTACK,

	[VM_WRITE | VM_READ]				= PAGE_COPY,

	[VM_EXEC]					= PAGE_EXEC,

	[VM_EXEC | VM_READ]				= PAGE_READ_EXEC,