// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (C) 2020 ARM Ltd.
 */

#include <linux/bitops.h>
#include <linux/kernel.h>
#include <linux/mm.h>
#include <linux/prctl.h>
#include <linux/sched.h>
#include <linux/sched/mm.h>
#include <linux/string.h>
#include <linux/swap.h>
#include <linux/swapops.h>
#include <linux/thread_info.h>
#include <linux/types.h>
#include <linux/uio.h>

#include <asm/barrier.h>
#include <asm/cpufeature.h>
#include <asm/mte.h>
#include <asm/ptrace.h>
#include <asm/sysreg.h>

/*
 * GCR_EL1 exclude mask for kernel tag generation. Derived once by
 * mte_init_tags() (guarded by a static flag there), written to SYS_GCR_EL1
 * by mte_init_tags() and restored by mte_suspend_exit().
 */
u64 gcr_kernel_excl __ro_after_init;

/*
 * Flag accessed only through mte_set_report_once()/mte_report_once() with
 * WRITE_ONCE()/READ_ONCE(); presumably consulted by the tag fault reporting
 * path, which is outside this file.
 */
static bool report_fault_once = true;

#ifdef CONFIG_KASAN_HW_TAGS
/* Whether the MTE asynchronous mode is enabled. */
/* Set system wide by the first PE to run mte_enable_kernel_async(). */
DEFINE_STATIC_KEY_FALSE(mte_async_mode);
EXPORT_SYMBOL_GPL(mte_async_mode);
#endif

/*
 * Initialise the tags of one page that is about to be mapped.
 *
 * @page:		the page being mapped
 * @old_pte:		the PTE being replaced; when @check_swap is set and it
 *			is a swap entry, mte_restore_tags() is attempted first
 * @check_swap:		whether @old_pte should be inspected as a swap entry
 *			(the caller only sets this for non-compound pages)
 * @pte_is_tagged:	whether the new mapping is tagged (pte_tagged())
 *
 * Called by mte_sync_tags() once per page, only when PG_mte_tagged was not
 * already set. Returns without touching the tags when mte_restore_tags()
 * succeeded or the new mapping is not tagged.
 *
 * NOTE(review): the caller sets PG_mte_tagged before calling here, so for a
 * non-tagged mapping with no swap restore the flag ends up set while the
 * tags are left as they were — presumably intended; confirm.
 */
static void mte_sync_page_tags(struct page *page, pte_t old_pte,
			       bool check_swap, bool pte_is_tagged)
{
	if (check_swap && is_swap_pte(old_pte)) {
		swp_entry_t entry = pte_to_swp_entry(old_pte);

		/* Tags restored from the swap entry: nothing more to do. */
		if (!non_swap_entry(entry) && mte_restore_tags(entry, page))
			return;
	}

	/* Not a tagged mapping: leave the page tags alone. */
	if (!pte_is_tagged)
		return;

	page_kasan_tag_reset(page);
	/*
	 * We need smp_wmb() in between setting the flags and clearing the
	 * tags because if another thread reads page->flags and builds a
	 * tagged address out of it, there is an actual dependency to the
	 * memory access, but on the current thread we do not guarantee that
	 * the new page->flags are visible before the tags were updated.
	 */
	smp_wmb();
	mte_clear_page_tags(page_address(page));
}

/*
 * Synchronise the MTE tags of the page(s) covered by @pte before the PTE is
 * installed (the caller, presumably the set_pte_at() path, is outside this
 * file).
 *
 * @old_pte:	the PTE being replaced; consulted as a possible swap entry
 *		only when @pte maps a single, non-compound page
 * @pte:	the new PTE
 *
 * Each page whose PG_mte_tagged flag was not yet set gets the flag set here
 * and its tags initialised by mte_sync_page_tags(); pages already flagged
 * are skipped.
 *
 * NOTE(review): no write barrier is issued after the tags are cleared and
 * before the caller installs the PTE; if another CPU could observe the new
 * PTE before the cleared tags are visible, one would be needed here —
 * confirm against the caller.
 */
void mte_sync_tags(pte_t old_pte, pte_t pte)
{
	struct page *page = pte_page(pte);
	long nr_pages = compound_nr(page);
	bool check_swap = nr_pages == 1;
	bool pte_is_tagged = pte_tagged(pte);
	long idx;

	/* Nothing to restore from swap and nothing to clear. */
	if (!check_swap && !pte_is_tagged)
		return;

	for (idx = 0; idx < nr_pages; idx++, page++) {
		/* PG_mte_tagged already set: tags were initialised earlier. */
		if (test_and_set_bit(PG_mte_tagged, &page->flags))
			continue;

		mte_sync_page_tags(page, old_pte, check_swap, pte_is_tagged);
	}
}

/*
 * Compare two pages, taking MTE tags into account (used to decide KSM
 * merging).
 *
 * Returns the memcmp() result over the page contents. When the contents are
 * identical, MTE is supported and at least one page has PG_mte_tagged set,
 * a non-zero value is returned for two distinct pages so that KSM does not
 * merge them: with only one page tagged, set_pte_at() could zero or change
 * the tags of the other page via mte_sync_tags().
 */
int memcmp_pages(struct page *page1, struct page *page2)
{
	char *addr1 = page_address(page1);
	char *addr2 = page_address(page2);
	int ret = memcmp(addr1, addr2, PAGE_SIZE);
	bool either_tagged;

	/* No MTE, or the contents differ: the memcmp() result stands. */
	if (!system_supports_mte() || ret)
		return ret;

	either_tagged = test_bit(PG_mte_tagged, &page1->flags) ||
			test_bit(PG_mte_tagged, &page2->flags);
	if (either_tagged)
		return addr1 != addr2;

	/* Identical and untagged. */
	return 0;
}

/*
 * Program the kernel's random tag generation mask into GCR_EL1.
 *
 * @max_tag: a KASAN-format tag; its MTE part (MTE_TAG_MASK field) bounds
 *           the set of tags to include
 *
 * gcr_kernel_excl is derived only on the first call and kept afterwards
 * (mte_suspend_exit() restores it); every call writes SYS_GCR_EL1 with
 * RRND plus that exclude mask.
 */
void mte_init_tags(u64 max_tag)
{
	static bool gcr_kernel_excl_initialized;

	if (!gcr_kernel_excl_initialized) {
		/*
		 * KASAN tags are 0xFF wide, MTE tags 0xF: extract the MTE
		 * tag from the KASAN tag and include every tag up to it.
		 */
		u64 tag_max = FIELD_GET(MTE_TAG_MASK >> MTE_TAG_SHIFT, max_tag);
		u64 incl = GENMASK(tag_max, 0);

		gcr_kernel_excl = ~incl & SYS_GCR_EL1_EXCL_MASK;
		gcr_kernel_excl_initialized = true;
	}

	/* Random tag generation, excluding the tags in the mask. */
	write_sysreg_s(SYS_GCR_EL1_RRND | gcr_kernel_excl, SYS_GCR_EL1);
}

/*
 * Select the EL1 tag check fault mode and log it once.
 *
 * @mode: mode name, used only in the log line
 * @tcf:  value for the SCTLR_ELx.TCF field (the callers pass
 *        SCTLR_ELx_TCF_SYNC or SCTLR_ELx_TCF_ASYNC)
 *
 * The isb() after the register write is a context synchronization event,
 * so the new mode is in effect for the instructions that follow.
 */
static inline void __mte_enable_kernel(const char *mode, unsigned long tcf)
{
	/* Set the tag check fault mode (sync or async) for EL1. */
	sysreg_clear_set(sctlr_el1, SCTLR_ELx_TCF_MASK, tcf);
	isb();

	pr_info_once("MTE: enabled in %s mode at EL1\n", mode);
}

#ifdef CONFIG_KASAN_HW_TAGS
/*
 * Enable synchronous MTE tag checking at EL1 (CONFIG_KASAN_HW_TAGS only).
 *
 * Warns once if some PE has already recorded async mode system wide (see
 * mte_enable_kernel_async()); the warning does not abort, sync mode is
 * still programmed on this PE.
 */
void mte_enable_kernel_sync(void)
{
	/*
	 * Make sure we enter this function when no PE has set
	 * async mode previously.
	 */
	WARN_ONCE(system_uses_mte_async_mode(),
			"MTE async mode enabled system wide!");

	__mte_enable_kernel("synchronous", SCTLR_ELx_TCF_SYNC);
}

/*
 * Enable asynchronous MTE tag checking at EL1 (CONFIG_KASAN_HW_TAGS only).
 *
 * Programs SCTLR_EL1.TCF on this PE, then enables the mte_async_mode static
 * key the first time any PE gets here, so async mode is recorded system
 * wide. If KASAN ever gains runtime switching between sync and async, this
 * first-caller strategy needs to be reviewed.
 */
void mte_enable_kernel_async(void)
{
	__mte_enable_kernel("asynchronous", SCTLR_ELx_TCF_ASYNC);

	/* Already recorded system wide by an earlier PE. */
	if (system_uses_mte_async_mode())
		return;

	static_branch_enable(&mte_async_mode);
}
#endif

/*
 * Set the report_fault_once flag.
 *
 * @state: new value
 *
 * WRITE_ONCE() pairs with the READ_ONCE() in mte_report_once(); the flag is
 * presumably consulted by the tag fault reporting path, outside this file.
 */
void mte_set_report_once(bool state)
{
	WRITE_ONCE(report_fault_once, state);
}

/*
 * Read the report_fault_once flag.
 *
 * Returns its current value; READ_ONCE() pairs with the WRITE_ONCE() in
 * mte_set_report_once().
 */
bool mte_report_once(void)
{
	bool state = READ_ONCE(report_fault_once);

	return state;
}

#ifdef CONFIG_KASAN_HW_TAGS
/*
 * Check TFSR_EL1 for an asynchronous tag check fault taken at EL1 and hand
 * it to KASAN (CONFIG_KASAN_HW_TAGS only).
 *
 * The callers provide the barriers that make the indirect writes to
 * TFSR_EL1 visible before the read here (see mte_thread_switch() and
 * mte_suspend_enter()). TF1 is cleared by a direct write before
 * kasan_report_async() is called.
 */
void mte_check_tfsr_el1(void)
{
	u64 tfsr_el1;

	if (!system_supports_mte())
		return;

	tfsr_el1 = read_sysreg_s(SYS_TFSR_EL1);
	if (likely(!(tfsr_el1 & SYS_TFSR_EL1_TF1)))
		return;

	/*
	 * Note: isb() is not required after this direct write
	 * because there is no indirect read subsequent to it
	 * (per ARM DDI 0487F.c table D13-1).
	 */
	write_sysreg_s(0, SYS_TFSR_EL1);

	kasan_report_async();
}
#endif

/*
 * Record the user-space GCR_EL1 exclude mask for the current task.
 *
 * @excl: SYS_GCR_EL1.Exclude bits to apply on return to user space
 *
 * Only current->thread.gcr_user_excl is written here; the register itself
 * is loaded from that field later, on the exit path.
 */
static void set_gcr_el1_excl(u64 excl)
{
	current->thread.gcr_user_excl = excl;

	/*
	 * SYS_GCR_EL1 will be set to current->thread.gcr_user_excl value
	 * by mte_set_user_gcr() in kernel_exit.
	 */
}

/*
 * Reset the MTE user state of the current task.
 *
 * Clears any pending asynchronous tag fault (TFSRE0_EL1 and the
 * TIF_MTE_ASYNC_FAULT flag), disables user tag checking (TCF0 = NONE) and
 * excludes every tag from user tag generation. The dsb() before the
 * TFSRE0_EL1 write is presumably there for the same reason as in
 * mte_suspend_enter(): to complete the indirect writes to that register
 * first.
 */
void mte_thread_init_user(void)
{
	u64 sctlr;

	if (!system_supports_mte())
		return;

	/* clear any pending asynchronous tag fault */
	dsb(ish);
	write_sysreg_s(0, SYS_TFSRE0_EL1);
	clear_thread_flag(TIF_MTE_ASYNC_FAULT);

	/* disable tag checking */
	sctlr = current->thread.sctlr_user & ~SCTLR_EL1_TCF0_MASK;
	sctlr |= SCTLR_EL1_TCF0_NONE;
	set_task_sctlr_el1(sctlr);

	/* reset tag generation mask */
	set_gcr_el1_excl(SYS_GCR_EL1_EXCL_MASK);
}

/*
 * Context switch hook: report any asynchronous tag fault taken at EL1
 * while the outgoing task was running.
 *
 * @next: the incoming task; not used here (only the TFSR_EL1 check is
 *        performed)
 *
 * The isb() runs unconditionally; the MTE support check is done inside
 * mte_check_tfsr_el1().
 */
void mte_thread_switch(struct task_struct *next)
{
	/*
	 * Check if an async tag exception occurred at EL1.
	 *
	 * Note: On the context switch path we rely on the dsb() present
	 * in __switch_to() to guarantee that the indirect writes to TFSR_EL1
	 * are synchronized before this point.
	 */
	isb();
	mte_check_tfsr_el1();
}

/*
 * Suspend entry hook: report any pending asynchronous EL1 tag fault before
 * the PE suspends.
 *
 * Both barriers are needed: the dsb() completes the indirect writes to
 * TFSR_EL1 and the isb() orders the direct read in mte_check_tfsr_el1()
 * after them.
 */
void mte_suspend_enter(void)
{
	if (!system_supports_mte())
		return;

	/*
	 * The barriers are required to guarantee that the indirect writes
	 * to TFSR_EL1 are synchronized before we report the state.
	 */
	dsb(nsh);
	isb();

	/* Report SYS_TFSR_EL1 before suspend entry */
	mte_check_tfsr_el1();
}

/*
 * Resume hook: reinstate the kernel exclude mask in GCR_EL1, presumably
 * because the register is not preserved across suspend. Only the Exclude
 * field is rewritten; the isb() makes the new mask take effect for the
 * instructions that follow.
 */
void mte_suspend_exit(void)
{
	if (!system_supports_mte())
		return;

	sysreg_clear_set_s(SYS_GCR_EL1, SYS_GCR_EL1_EXCL_MASK, gcr_kernel_excl);
	isb();
}

/*
 * Apply a prctl()-style MTE control word to @task.
 *
 * @task: task to update; when it is current the live state is updated via
 *        set_task_sctlr_el1()/set_gcr_el1_excl(), otherwise only the saved
 *        thread fields are written
 * @arg:  control word: a PR_MTE_TCF_* value in the PR_MTE_TCF_MASK field and
 *        the tags to include for generation in the PR_MTE_TAG_MASK field
 *
 * Returns 0 on success (also when MTE is unsupported, in which case nothing
 * is changed) or -EINVAL for an unknown TCF value.
 */
long set_mte_ctrl(struct task_struct *task, unsigned long arg)
{
	u64 sctlr = task->thread.sctlr_user & ~SCTLR_EL1_TCF0_MASK;
	/* The user's include mask becomes the GCR_EL1 exclude mask. */
	u64 gcr_excl = ~((arg & PR_MTE_TAG_MASK) >> PR_MTE_TAG_SHIFT) &
		       SYS_GCR_EL1_EXCL_MASK;
	u64 tcf0;

	if (!system_supports_mte())
		return 0;

	switch (arg & PR_MTE_TCF_MASK) {
	case PR_MTE_TCF_NONE:
		tcf0 = SCTLR_EL1_TCF0_NONE;
		break;
	case PR_MTE_TCF_SYNC:
		tcf0 = SCTLR_EL1_TCF0_SYNC;
		break;
	case PR_MTE_TCF_ASYNC:
		tcf0 = SCTLR_EL1_TCF0_ASYNC;
		break;
	default:
		return -EINVAL;
	}
	sctlr |= tcf0;

	if (task == current) {
		set_task_sctlr_el1(sctlr);
		set_gcr_el1_excl(gcr_excl);
	} else {
		task->thread.sctlr_user = sctlr;
		task->thread.gcr_user_excl = gcr_excl;
	}

	return 0;
}

/*
 * Read back @task's MTE control word in the format set_mte_ctrl() accepts:
 * the included tags in the PR_MTE_TAG_MASK field plus a PR_MTE_TCF_* value.
 *
 * Returns 0 when MTE is unsupported. A SCTLR_EL1.TCF0 value other than
 * NONE/SYNC/ASYNC contributes no TCF bits.
 */
long get_mte_ctrl(struct task_struct *task)
{
	/* Invert the saved exclude mask back into an include mask. */
	u64 incl = ~task->thread.gcr_user_excl & SYS_GCR_EL1_EXCL_MASK;
	unsigned long ctrl;

	if (!system_supports_mte())
		return 0;

	ctrl = incl << PR_MTE_TAG_SHIFT;

	switch (task->thread.sctlr_user & SCTLR_EL1_TCF0_MASK) {
	case SCTLR_EL1_TCF0_NONE:
		ctrl |= PR_MTE_TCF_NONE;
		break;
	case SCTLR_EL1_TCF0_SYNC:
		ctrl |= PR_MTE_TCF_SYNC;
		break;
	case SCTLR_EL1_TCF0_ASYNC:
		ctrl |= PR_MTE_TCF_ASYNC;
		break;
	default:
		/* Any other TCF0 encoding: no TCF bits reported. */
		break;
	}

	return ctrl;
}

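/*
 * Access MTE tags in another process' address space as given in mm. Update
 * the number of tags copied. Return 0 if any tags copied, error otherwise.
 * Inspired by __access_remote_vm().
 *
 * @mm:		the tracee's mm (a reference is held by the caller)
 * @addr:	tracee address, already aligned to the MTE tag granule
 * @kiov:	tracer buffer; iov_len is the number of tags requested on
 *		entry and is overwritten with the number actually copied
 * @gup_flags:	FOLL_* flags; FOLL_WRITE selects copying tags into the tracee
 *
 * Returns 0 if at least one tag was copied. Otherwise returns the error hit
 * while walking the tracee's address space (-EIO if no page could be pinned,
 * -EOPNOTSUPP if the page is not mapped with PROT_MTE), or -EFAULT when the
 * failure was on the tracer's buffer or iov_len was 0 to begin with.
 */
static int __access_remote_tags(struct mm_struct *mm, unsigned long addr,
				struct iovec *kiov, unsigned int gup_flags)
{
	struct vm_area_struct *vma;
	void __user *buf = kiov->iov_base;
	size_t len = kiov->iov_len;
	/*
	 * First tracee-side error hit in the loop. Initialised so that the
	 * final check is well defined when the loop never runs (len == 0).
	 */
	int err = 0;
	int write = gup_flags & FOLL_WRITE;

	/* The tracer's buffer is user memory; validate it before pinning anything. */
	if (!access_ok(buf, len))
		return -EFAULT;

	if (mmap_read_lock_killable(mm))
		return -EIO;

	while (len) {
		unsigned long tags, offset;
		void *maddr;
		struct page *page = NULL;
		int ret;

		/* Pin one page of the tracee at a time; vma is set on success. */
		ret = get_user_pages_remote(mm, addr, 1, gup_flags, &page,
					    &vma, NULL);
		if (ret <= 0) {
			err = -EIO;
			break;
		}

		/*
		 * Only copy tags if the page has been mapped as PROT_MTE
		 * (PG_mte_tagged set). Otherwise the tags are not valid and
		 * not accessible to user. Moreover, an mprotect(PROT_MTE)
		 * would cause the existing tags to be cleared if the page
		 * was never mapped with PROT_MTE.
		 */
		if (!(vma->vm_flags & VM_MTE)) {
			err = -EOPNOTSUPP;
			put_page(page);
			break;
		}
		WARN_ON_ONCE(!test_bit(PG_mte_tagged, &page->flags));

		/* limit access to the end of the page */
		offset = offset_in_page(addr);
		tags = min(len, (PAGE_SIZE - offset) / MTE_GRANULE_SIZE);

		maddr = page_address(page);
		if (write) {
			tags = mte_copy_tags_from_user(maddr + offset, buf, tags);
			/* Tags changed: make sure the page is written back. */
			set_page_dirty_lock(page);
		} else {
			tags = mte_copy_tags_to_user(buf, maddr + offset, tags);
		}
		put_page(page);

		/* error accessing the tracer's buffer */
		if (!tags)
			break;

		len -= tags;
		buf += tags;
		addr += tags * MTE_GRANULE_SIZE;
	}
	mmap_read_unlock(mm);

	/* return an error if no tags copied */
	kiov->iov_len = buf - kiov->iov_base;
	if (!kiov->iov_len) {
		/*
		 * Tracee-side error if one was recorded; otherwise the
		 * tracer's buffer was inaccessible (or nothing was asked for).
		 */
		return err ? err : -EFAULT;
	}

	return 0;
}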

/*
 * Copy MTE tags in another process' address space at 'addr' to/from tracer's
 * iovec buffer. Return 0 on success. Inspired by ptrace_access_vm().
 *
 * Access is granted only to the task's active ptracer (tsk->ptrace set and
 * current being tsk->parent) and, when the tracee's mm is not dumpable as
 * SUID_DUMP_USER, only if the tracer is ptracer_capable() in the mm's user
 * namespace. Any other caller, or a task without an mm, gets -EPERM.
 */
static int access_remote_tags(struct task_struct *tsk, unsigned long addr,
			      struct iovec *kiov, unsigned int gup_flags)
{
	struct mm_struct *mm = get_task_mm(tsk);
	int ret = -EPERM;

	if (!mm)
		return -EPERM;

	if (tsk->ptrace && current == tsk->parent &&
	    (get_dumpable(mm) == SUID_DUMP_USER ||
	     ptracer_capable(tsk, mm->user_ns)))
		ret = __access_remote_tags(mm, addr, kiov, gup_flags);

	/* Drop the reference taken by get_task_mm() on every path. */
	mmput(mm);

	return ret;
}

/*
 * ptrace handler for copying MTE tags to/from a tracee.
 *
 * @child:   the tracee
 * @request: PTRACE_POKEMTETAGS selects a write into the tracee; any other
 *           request is treated as a read of the tracee's tags
 * @addr:    tracee address, rounded down here to the MTE tag granule
 * @data:    user pointer to a struct iovec describing the tracer's buffer;
 *           its iov_len is updated with the number of tags copied
 *
 * Returns -EIO without MTE support, -EFAULT if the iovec cannot be read or
 * its iov_len written back, otherwise the result of access_remote_tags().
 */
int mte_ptrace_copy_tags(struct task_struct *child, long request,
			 unsigned long addr, unsigned long data)
{
	struct iovec __user *uiov = (void __user *)data;
	struct iovec kiov;
	unsigned int gup_flags;
	int ret;

	if (!system_supports_mte())
		return -EIO;

	/* Fetch the tracer's iovec field by field. */
	if (get_user(kiov.iov_base, &uiov->iov_base) ||
	    get_user(kiov.iov_len, &uiov->iov_len))
		return -EFAULT;

	gup_flags = FOLL_FORCE;
	if (request == PTRACE_POKEMTETAGS)
		gup_flags |= FOLL_WRITE;

	/* align addr to the MTE tag granule */
	addr &= MTE_GRANULE_MASK;

	ret = access_remote_tags(child, addr, &kiov, gup_flags);
	if (ret)
		return ret;

	/* Report back how many tags were actually copied. */
	return put_user(kiov.iov_len, &uiov->iov_len);
}