mprotect.c 26 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007
  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * mm/mprotect.c
  4. *
  5. * (C) Copyright 1994 Linus Torvalds
  6. * (C) Copyright 2002 Christoph Hellwig
  7. *
  8. * Address space accounting code <alan@lxorguk.ukuu.org.uk>
  9. * (C) Copyright 2002 Red Hat Inc, All Rights Reserved
  10. */
  11. #include <linux/pagewalk.h>
  12. #include <linux/hugetlb.h>
  13. #include <linux/shm.h>
  14. #include <linux/mman.h>
  15. #include <linux/fs.h>
  16. #include <linux/highmem.h>
  17. #include <linux/security.h>
  18. #include <linux/mempolicy.h>
  19. #include <linux/personality.h>
  20. #include <linux/syscalls.h>
  21. #include <linux/swap.h>
  22. #include <linux/swapops.h>
  23. #include <linux/mmu_notifier.h>
  24. #include <linux/migrate.h>
  25. #include <linux/perf_event.h>
  26. #include <linux/pkeys.h>
  27. #include <linux/ksm.h>
  28. #include <linux/uaccess.h>
  29. #include <linux/mm_inline.h>
  30. #include <linux/pgtable.h>
  31. #include <linux/userfaultfd_k.h>
  32. #include <uapi/linux/mman.h>
  33. #include <asm/cacheflush.h>
  34. #include <asm/mmu_context.h>
  35. #include <asm/tlbflush.h>
  36. #include <asm/tlb.h>
  37. #include "internal.h"
  38. static bool maybe_change_pte_writable(struct vm_area_struct *vma, pte_t pte)
  39. {
  40. if (WARN_ON_ONCE(!(vma->vm_flags & VM_WRITE)))
  41. return false;
  42. /* Don't touch entries that are not even readable. */
  43. if (pte_protnone(pte))
  44. return false;
  45. /* Do we need write faults for softdirty tracking? */
  46. if (pte_needs_soft_dirty_wp(vma, pte))
  47. return false;
  48. /* Do we need write faults for uffd-wp tracking? */
  49. if (userfaultfd_pte_wp(vma, pte))
  50. return false;
  51. return true;
  52. }
  53. static bool can_change_private_pte_writable(struct vm_area_struct *vma,
  54. unsigned long addr, pte_t pte)
  55. {
  56. struct page *page;
  57. if (!maybe_change_pte_writable(vma, pte))
  58. return false;
  59. /*
  60. * Writable MAP_PRIVATE mapping: We can only special-case on
  61. * exclusive anonymous pages, because we know that our
  62. * write-fault handler similarly would map them writable without
  63. * any additional checks while holding the PT lock.
  64. */
  65. page = vm_normal_page(vma, addr, pte);
  66. return page && PageAnon(page) && PageAnonExclusive(page);
  67. }
  68. static bool can_change_shared_pte_writable(struct vm_area_struct *vma,
  69. pte_t pte)
  70. {
  71. if (!maybe_change_pte_writable(vma, pte))
  72. return false;
  73. VM_WARN_ON_ONCE(is_zero_pfn(pte_pfn(pte)) && pte_dirty(pte));
  74. /*
  75. * Writable MAP_SHARED mapping: "clean" might indicate that the FS still
  76. * needs a real write-fault for writenotify
  77. * (see vma_wants_writenotify()). If "dirty", the assumption is that the
  78. * FS was already notified and we can simply mark the PTE writable
  79. * just like the write-fault handler would do.
  80. */
  81. return pte_dirty(pte);
  82. }
  83. bool can_change_pte_writable(struct vm_area_struct *vma, unsigned long addr,
  84. pte_t pte)
  85. {
  86. if (!(vma->vm_flags & VM_SHARED))
  87. return can_change_private_pte_writable(vma, addr, pte);
  88. return can_change_shared_pte_writable(vma, pte);
  89. }
  90. static int mprotect_folio_pte_batch(struct folio *folio, pte_t *ptep,
  91. pte_t pte, int max_nr_ptes, fpb_t flags)
  92. {
  93. /* No underlying folio, so cannot batch */
  94. if (!folio)
  95. return 1;
  96. if (!folio_test_large(folio))
  97. return 1;
  98. return folio_pte_batch_flags(folio, NULL, ptep, &pte, max_nr_ptes, flags);
  99. }
  100. /* Set nr_ptes number of ptes, starting from idx */
  101. static void prot_commit_flush_ptes(struct vm_area_struct *vma, unsigned long addr,
  102. pte_t *ptep, pte_t oldpte, pte_t ptent, int nr_ptes,
  103. int idx, bool set_write, struct mmu_gather *tlb)
  104. {
  105. /*
  106. * Advance the position in the batch by idx; note that if idx > 0,
  107. * then the nr_ptes passed here is <= batch size - idx.
  108. */
  109. addr += idx * PAGE_SIZE;
  110. ptep += idx;
  111. oldpte = pte_advance_pfn(oldpte, idx);
  112. ptent = pte_advance_pfn(ptent, idx);
  113. if (set_write)
  114. ptent = pte_mkwrite(ptent, vma);
  115. modify_prot_commit_ptes(vma, addr, ptep, oldpte, ptent, nr_ptes);
  116. if (pte_needs_flush(oldpte, ptent))
  117. tlb_flush_pte_range(tlb, addr, nr_ptes * PAGE_SIZE);
  118. }
  119. /*
  120. * Get max length of consecutive ptes pointing to PageAnonExclusive() pages or
  121. * !PageAnonExclusive() pages, starting from start_idx. Caller must enforce
  122. * that the ptes point to consecutive pages of the same anon large folio.
  123. */
  124. static int page_anon_exclusive_sub_batch(int start_idx, int max_len,
  125. struct page *first_page, bool expected_anon_exclusive)
  126. {
  127. int idx;
  128. for (idx = start_idx + 1; idx < start_idx + max_len; ++idx) {
  129. if (expected_anon_exclusive != PageAnonExclusive(first_page + idx))
  130. break;
  131. }
  132. return idx - start_idx;
  133. }
  134. /*
  135. * This function is a result of trying our very best to retain the
  136. * "avoid the write-fault handler" optimization. In can_change_pte_writable(),
  137. * if the vma is a private vma, and we cannot determine whether to change
  138. * the pte to writable just from the vma and the pte, we then need to look
  139. * at the actual page pointed to by the pte. Unfortunately, if we have a
  140. * batch of ptes pointing to consecutive pages of the same anon large folio,
  141. * the anon-exclusivity (or the negation) of the first page does not guarantee
  142. * the anon-exclusivity (or the negation) of the other pages corresponding to
  143. * the pte batch; hence in this case it is incorrect to decide to change or
  144. * not change the ptes to writable just by using information from the first
  145. * pte of the batch. Therefore, we must individually check all pages and
  146. * retrieve sub-batches.
  147. */
  148. static void commit_anon_folio_batch(struct vm_area_struct *vma,
  149. struct folio *folio, struct page *first_page, unsigned long addr, pte_t *ptep,
  150. pte_t oldpte, pte_t ptent, int nr_ptes, struct mmu_gather *tlb)
  151. {
  152. bool expected_anon_exclusive;
  153. int sub_batch_idx = 0;
  154. int len;
  155. while (nr_ptes) {
  156. expected_anon_exclusive = PageAnonExclusive(first_page + sub_batch_idx);
  157. len = page_anon_exclusive_sub_batch(sub_batch_idx, nr_ptes,
  158. first_page, expected_anon_exclusive);
  159. prot_commit_flush_ptes(vma, addr, ptep, oldpte, ptent, len,
  160. sub_batch_idx, expected_anon_exclusive, tlb);
  161. sub_batch_idx += len;
  162. nr_ptes -= len;
  163. }
  164. }
  165. static void set_write_prot_commit_flush_ptes(struct vm_area_struct *vma,
  166. struct folio *folio, struct page *page, unsigned long addr, pte_t *ptep,
  167. pte_t oldpte, pte_t ptent, int nr_ptes, struct mmu_gather *tlb)
  168. {
  169. bool set_write;
  170. if (vma->vm_flags & VM_SHARED) {
  171. set_write = can_change_shared_pte_writable(vma, ptent);
  172. prot_commit_flush_ptes(vma, addr, ptep, oldpte, ptent, nr_ptes,
  173. /* idx = */ 0, set_write, tlb);
  174. return;
  175. }
  176. set_write = maybe_change_pte_writable(vma, ptent) &&
  177. (folio && folio_test_anon(folio));
  178. if (!set_write) {
  179. prot_commit_flush_ptes(vma, addr, ptep, oldpte, ptent, nr_ptes,
  180. /* idx = */ 0, set_write, tlb);
  181. return;
  182. }
  183. commit_anon_folio_batch(vma, folio, page, addr, ptep, oldpte, ptent, nr_ptes, tlb);
  184. }
  185. static long change_pte_range(struct mmu_gather *tlb,
  186. struct vm_area_struct *vma, pmd_t *pmd, unsigned long addr,
  187. unsigned long end, pgprot_t newprot, unsigned long cp_flags)
  188. {
  189. pte_t *pte, oldpte;
  190. spinlock_t *ptl;
  191. long pages = 0;
  192. bool is_private_single_threaded;
  193. bool prot_numa = cp_flags & MM_CP_PROT_NUMA;
  194. bool uffd_wp = cp_flags & MM_CP_UFFD_WP;
  195. bool uffd_wp_resolve = cp_flags & MM_CP_UFFD_WP_RESOLVE;
  196. int nr_ptes;
  197. tlb_change_page_size(tlb, PAGE_SIZE);
  198. pte = pte_offset_map_lock(vma->vm_mm, pmd, addr, &ptl);
  199. if (!pte)
  200. return -EAGAIN;
  201. if (prot_numa)
  202. is_private_single_threaded = vma_is_single_threaded_private(vma);
  203. flush_tlb_batched_pending(vma->vm_mm);
  204. lazy_mmu_mode_enable();
  205. do {
  206. nr_ptes = 1;
  207. oldpte = ptep_get(pte);
  208. if (pte_present(oldpte)) {
  209. const fpb_t flags = FPB_RESPECT_SOFT_DIRTY | FPB_RESPECT_WRITE;
  210. int max_nr_ptes = (end - addr) >> PAGE_SHIFT;
  211. struct folio *folio = NULL;
  212. struct page *page;
  213. pte_t ptent;
  214. /* Already in the desired state. */
  215. if (prot_numa && pte_protnone(oldpte))
  216. continue;
  217. page = vm_normal_page(vma, addr, oldpte);
  218. if (page)
  219. folio = page_folio(page);
  220. /*
  221. * Avoid trapping faults against the zero or KSM
  222. * pages. See similar comment in change_huge_pmd.
  223. */
  224. if (prot_numa &&
  225. !folio_can_map_prot_numa(folio, vma,
  226. is_private_single_threaded)) {
  227. /* determine batch to skip */
  228. nr_ptes = mprotect_folio_pte_batch(folio,
  229. pte, oldpte, max_nr_ptes, /* flags = */ 0);
  230. continue;
  231. }
  232. nr_ptes = mprotect_folio_pte_batch(folio, pte, oldpte, max_nr_ptes, flags);
  233. oldpte = modify_prot_start_ptes(vma, addr, pte, nr_ptes);
  234. ptent = pte_modify(oldpte, newprot);
  235. if (uffd_wp)
  236. ptent = pte_mkuffd_wp(ptent);
  237. else if (uffd_wp_resolve)
  238. ptent = pte_clear_uffd_wp(ptent);
  239. /*
  240. * In some writable, shared mappings, we might want
  241. * to catch actual write access -- see
  242. * vma_wants_writenotify().
  243. *
  244. * In all writable, private mappings, we have to
  245. * properly handle COW.
  246. *
  247. * In both cases, we can sometimes still change PTEs
  248. * writable and avoid the write-fault handler, for
  249. * example, if a PTE is already dirty and no other
  250. * COW or special handling is required.
  251. */
  252. if ((cp_flags & MM_CP_TRY_CHANGE_WRITABLE) &&
  253. !pte_write(ptent))
  254. set_write_prot_commit_flush_ptes(vma, folio, page,
  255. addr, pte, oldpte, ptent, nr_ptes, tlb);
  256. else
  257. prot_commit_flush_ptes(vma, addr, pte, oldpte, ptent,
  258. nr_ptes, /* idx = */ 0, /* set_write = */ false, tlb);
  259. pages += nr_ptes;
  260. } else if (pte_none(oldpte)) {
  261. /*
  262. * Nobody plays with any none ptes besides
  263. * userfaultfd when applying the protections.
  264. */
  265. if (likely(!uffd_wp))
  266. continue;
  267. if (userfaultfd_wp_use_markers(vma)) {
  268. /*
  269. * For file-backed mem, we need to be able to
  270. * wr-protect a none pte, because even if the
  271. * pte is none, the page/swap cache could
  272. * exist. Doing that by install a marker.
  273. */
  274. set_pte_at(vma->vm_mm, addr, pte,
  275. make_pte_marker(PTE_MARKER_UFFD_WP));
  276. pages++;
  277. }
  278. } else {
  279. softleaf_t entry = softleaf_from_pte(oldpte);
  280. pte_t newpte;
  281. if (softleaf_is_migration_write(entry)) {
  282. const struct folio *folio = softleaf_to_folio(entry);
  283. /*
  284. * A protection check is difficult so
  285. * just be safe and disable write
  286. */
  287. if (folio_test_anon(folio))
  288. entry = make_readable_exclusive_migration_entry(
  289. swp_offset(entry));
  290. else
  291. entry = make_readable_migration_entry(swp_offset(entry));
  292. newpte = swp_entry_to_pte(entry);
  293. if (pte_swp_soft_dirty(oldpte))
  294. newpte = pte_swp_mksoft_dirty(newpte);
  295. } else if (softleaf_is_device_private_write(entry)) {
  296. /*
  297. * We do not preserve soft-dirtiness. See
  298. * copy_nonpresent_pte() for explanation.
  299. */
  300. entry = make_readable_device_private_entry(
  301. swp_offset(entry));
  302. newpte = swp_entry_to_pte(entry);
  303. if (pte_swp_uffd_wp(oldpte))
  304. newpte = pte_swp_mkuffd_wp(newpte);
  305. } else if (softleaf_is_marker(entry)) {
  306. /*
  307. * Ignore error swap entries unconditionally,
  308. * because any access should sigbus/sigsegv
  309. * anyway.
  310. */
  311. if (softleaf_is_poison_marker(entry) ||
  312. softleaf_is_guard_marker(entry))
  313. continue;
  314. /*
  315. * If this is uffd-wp pte marker and we'd like
  316. * to unprotect it, drop it; the next page
  317. * fault will trigger without uffd trapping.
  318. */
  319. if (uffd_wp_resolve) {
  320. pte_clear(vma->vm_mm, addr, pte);
  321. pages++;
  322. }
  323. continue;
  324. } else {
  325. newpte = oldpte;
  326. }
  327. if (uffd_wp)
  328. newpte = pte_swp_mkuffd_wp(newpte);
  329. else if (uffd_wp_resolve)
  330. newpte = pte_swp_clear_uffd_wp(newpte);
  331. if (!pte_same(oldpte, newpte)) {
  332. set_pte_at(vma->vm_mm, addr, pte, newpte);
  333. pages++;
  334. }
  335. }
  336. } while (pte += nr_ptes, addr += nr_ptes * PAGE_SIZE, addr != end);
  337. lazy_mmu_mode_disable();
  338. pte_unmap_unlock(pte - 1, ptl);
  339. return pages;
  340. }
  341. /*
  342. * Return true if we want to split THPs into PTE mappings in change
  343. * protection procedure, false otherwise.
  344. */
  345. static inline bool
  346. pgtable_split_needed(struct vm_area_struct *vma, unsigned long cp_flags)
  347. {
  348. /*
  349. * pte markers only resides in pte level, if we need pte markers,
  350. * we need to split. For example, we cannot wr-protect a file thp
  351. * (e.g. 2M shmem) because file thp is handled differently when
  352. * split by erasing the pmd so far.
  353. */
  354. return (cp_flags & MM_CP_UFFD_WP) && !vma_is_anonymous(vma);
  355. }
  356. /*
  357. * Return true if we want to populate pgtables in change protection
  358. * procedure, false otherwise
  359. */
  360. static inline bool
  361. pgtable_populate_needed(struct vm_area_struct *vma, unsigned long cp_flags)
  362. {
  363. /* If not within ioctl(UFFDIO_WRITEPROTECT), then don't bother */
  364. if (!(cp_flags & MM_CP_UFFD_WP))
  365. return false;
  366. /* Populate if the userfaultfd mode requires pte markers */
  367. return userfaultfd_wp_use_markers(vma);
  368. }
  369. /*
  370. * Populate the pgtable underneath for whatever reason if requested.
  371. * When {pte|pmd|...}_alloc() failed we treat it the same way as pgtable
  372. * allocation failures during page faults by kicking OOM and returning
  373. * error.
  374. */
  375. #define change_pmd_prepare(vma, pmd, cp_flags) \
  376. ({ \
  377. long err = 0; \
  378. if (unlikely(pgtable_populate_needed(vma, cp_flags))) { \
  379. if (pte_alloc(vma->vm_mm, pmd)) \
  380. err = -ENOMEM; \
  381. } \
  382. err; \
  383. })
  384. /*
  385. * This is the general pud/p4d/pgd version of change_pmd_prepare(). We need to
  386. * have separate change_pmd_prepare() because pte_alloc() returns 0 on success,
  387. * while {pmd|pud|p4d}_alloc() returns the valid pointer on success.
  388. */
  389. #define change_prepare(vma, high, low, addr, cp_flags) \
  390. ({ \
  391. long err = 0; \
  392. if (unlikely(pgtable_populate_needed(vma, cp_flags))) { \
  393. low##_t *p = low##_alloc(vma->vm_mm, high, addr); \
  394. if (p == NULL) \
  395. err = -ENOMEM; \
  396. } \
  397. err; \
  398. })
  399. static inline long change_pmd_range(struct mmu_gather *tlb,
  400. struct vm_area_struct *vma, pud_t *pud, unsigned long addr,
  401. unsigned long end, pgprot_t newprot, unsigned long cp_flags)
  402. {
  403. pmd_t *pmd;
  404. unsigned long next;
  405. long pages = 0;
  406. unsigned long nr_huge_updates = 0;
  407. pmd = pmd_offset(pud, addr);
  408. do {
  409. long ret;
  410. pmd_t _pmd;
  411. again:
  412. next = pmd_addr_end(addr, end);
  413. ret = change_pmd_prepare(vma, pmd, cp_flags);
  414. if (ret) {
  415. pages = ret;
  416. break;
  417. }
  418. if (pmd_none(*pmd))
  419. goto next;
  420. _pmd = pmdp_get_lockless(pmd);
  421. if (pmd_is_huge(_pmd)) {
  422. if ((next - addr != HPAGE_PMD_SIZE) ||
  423. pgtable_split_needed(vma, cp_flags)) {
  424. __split_huge_pmd(vma, pmd, addr, false);
  425. /*
  426. * For file-backed, the pmd could have been
  427. * cleared; make sure pmd populated if
  428. * necessary, then fall-through to pte level.
  429. */
  430. ret = change_pmd_prepare(vma, pmd, cp_flags);
  431. if (ret) {
  432. pages = ret;
  433. break;
  434. }
  435. } else {
  436. ret = change_huge_pmd(tlb, vma, pmd,
  437. addr, newprot, cp_flags);
  438. if (ret) {
  439. if (ret == HPAGE_PMD_NR) {
  440. pages += HPAGE_PMD_NR;
  441. nr_huge_updates++;
  442. }
  443. /* huge pmd was handled */
  444. goto next;
  445. }
  446. }
  447. /* fall through, the trans huge pmd just split */
  448. }
  449. ret = change_pte_range(tlb, vma, pmd, addr, next, newprot,
  450. cp_flags);
  451. if (ret < 0)
  452. goto again;
  453. pages += ret;
  454. next:
  455. cond_resched();
  456. } while (pmd++, addr = next, addr != end);
  457. if (nr_huge_updates)
  458. count_vm_numa_events(NUMA_HUGE_PTE_UPDATES, nr_huge_updates);
  459. return pages;
  460. }
  461. static inline long change_pud_range(struct mmu_gather *tlb,
  462. struct vm_area_struct *vma, p4d_t *p4d, unsigned long addr,
  463. unsigned long end, pgprot_t newprot, unsigned long cp_flags)
  464. {
  465. struct mmu_notifier_range range;
  466. pud_t *pudp, pud;
  467. unsigned long next;
  468. long pages = 0, ret;
  469. range.start = 0;
  470. pudp = pud_offset(p4d, addr);
  471. do {
  472. again:
  473. next = pud_addr_end(addr, end);
  474. ret = change_prepare(vma, pudp, pmd, addr, cp_flags);
  475. if (ret) {
  476. pages = ret;
  477. break;
  478. }
  479. pud = pudp_get(pudp);
  480. if (pud_none(pud))
  481. continue;
  482. if (!range.start) {
  483. mmu_notifier_range_init(&range,
  484. MMU_NOTIFY_PROTECTION_VMA, 0,
  485. vma->vm_mm, addr, end);
  486. mmu_notifier_invalidate_range_start(&range);
  487. }
  488. if (pud_leaf(pud)) {
  489. if ((next - addr != PUD_SIZE) ||
  490. pgtable_split_needed(vma, cp_flags)) {
  491. __split_huge_pud(vma, pudp, addr);
  492. goto again;
  493. } else {
  494. ret = change_huge_pud(tlb, vma, pudp,
  495. addr, newprot, cp_flags);
  496. if (ret == 0)
  497. goto again;
  498. /* huge pud was handled */
  499. if (ret == HPAGE_PUD_NR)
  500. pages += HPAGE_PUD_NR;
  501. continue;
  502. }
  503. }
  504. pages += change_pmd_range(tlb, vma, pudp, addr, next, newprot,
  505. cp_flags);
  506. } while (pudp++, addr = next, addr != end);
  507. if (range.start)
  508. mmu_notifier_invalidate_range_end(&range);
  509. return pages;
  510. }
  511. static inline long change_p4d_range(struct mmu_gather *tlb,
  512. struct vm_area_struct *vma, pgd_t *pgd, unsigned long addr,
  513. unsigned long end, pgprot_t newprot, unsigned long cp_flags)
  514. {
  515. p4d_t *p4d;
  516. unsigned long next;
  517. long pages = 0, ret;
  518. p4d = p4d_offset(pgd, addr);
  519. do {
  520. next = p4d_addr_end(addr, end);
  521. ret = change_prepare(vma, p4d, pud, addr, cp_flags);
  522. if (ret)
  523. return ret;
  524. if (p4d_none_or_clear_bad(p4d))
  525. continue;
  526. pages += change_pud_range(tlb, vma, p4d, addr, next, newprot,
  527. cp_flags);
  528. } while (p4d++, addr = next, addr != end);
  529. return pages;
  530. }
  531. static long change_protection_range(struct mmu_gather *tlb,
  532. struct vm_area_struct *vma, unsigned long addr,
  533. unsigned long end, pgprot_t newprot, unsigned long cp_flags)
  534. {
  535. struct mm_struct *mm = vma->vm_mm;
  536. pgd_t *pgd;
  537. unsigned long next;
  538. long pages = 0, ret;
  539. BUG_ON(addr >= end);
  540. pgd = pgd_offset(mm, addr);
  541. tlb_start_vma(tlb, vma);
  542. do {
  543. next = pgd_addr_end(addr, end);
  544. ret = change_prepare(vma, pgd, p4d, addr, cp_flags);
  545. if (ret) {
  546. pages = ret;
  547. break;
  548. }
  549. if (pgd_none_or_clear_bad(pgd))
  550. continue;
  551. pages += change_p4d_range(tlb, vma, pgd, addr, next, newprot,
  552. cp_flags);
  553. } while (pgd++, addr = next, addr != end);
  554. tlb_end_vma(tlb, vma);
  555. return pages;
  556. }
  557. long change_protection(struct mmu_gather *tlb,
  558. struct vm_area_struct *vma, unsigned long start,
  559. unsigned long end, unsigned long cp_flags)
  560. {
  561. pgprot_t newprot = vma->vm_page_prot;
  562. long pages;
  563. BUG_ON((cp_flags & MM_CP_UFFD_WP_ALL) == MM_CP_UFFD_WP_ALL);
  564. #ifdef CONFIG_NUMA_BALANCING
  565. /*
  566. * Ordinary protection updates (mprotect, uffd-wp, softdirty tracking)
  567. * are expected to reflect their requirements via VMA flags such that
  568. * vma_set_page_prot() will adjust vma->vm_page_prot accordingly.
  569. */
  570. if (cp_flags & MM_CP_PROT_NUMA)
  571. newprot = PAGE_NONE;
  572. #else
  573. WARN_ON_ONCE(cp_flags & MM_CP_PROT_NUMA);
  574. #endif
  575. if (is_vm_hugetlb_page(vma))
  576. pages = hugetlb_change_protection(vma, start, end, newprot,
  577. cp_flags);
  578. else
  579. pages = change_protection_range(tlb, vma, start, end, newprot,
  580. cp_flags);
  581. return pages;
  582. }
  583. static int prot_none_pte_entry(pte_t *pte, unsigned long addr,
  584. unsigned long next, struct mm_walk *walk)
  585. {
  586. return pfn_modify_allowed(pte_pfn(ptep_get(pte)),
  587. *(pgprot_t *)(walk->private)) ?
  588. 0 : -EACCES;
  589. }
  590. static int prot_none_hugetlb_entry(pte_t *pte, unsigned long hmask,
  591. unsigned long addr, unsigned long next,
  592. struct mm_walk *walk)
  593. {
  594. return pfn_modify_allowed(pte_pfn(ptep_get(pte)),
  595. *(pgprot_t *)(walk->private)) ?
  596. 0 : -EACCES;
  597. }
  598. static int prot_none_test(unsigned long addr, unsigned long next,
  599. struct mm_walk *walk)
  600. {
  601. return 0;
  602. }
  603. static const struct mm_walk_ops prot_none_walk_ops = {
  604. .pte_entry = prot_none_pte_entry,
  605. .hugetlb_entry = prot_none_hugetlb_entry,
  606. .test_walk = prot_none_test,
  607. .walk_lock = PGWALK_WRLOCK,
  608. };
  609. int
  610. mprotect_fixup(struct vma_iterator *vmi, struct mmu_gather *tlb,
  611. struct vm_area_struct *vma, struct vm_area_struct **pprev,
  612. unsigned long start, unsigned long end, vm_flags_t newflags)
  613. {
  614. struct mm_struct *mm = vma->vm_mm;
  615. vm_flags_t oldflags = READ_ONCE(vma->vm_flags);
  616. long nrpages = (end - start) >> PAGE_SHIFT;
  617. unsigned int mm_cp_flags = 0;
  618. unsigned long charged = 0;
  619. int error;
  620. if (vma_is_sealed(vma))
  621. return -EPERM;
  622. if (newflags == oldflags) {
  623. *pprev = vma;
  624. return 0;
  625. }
  626. /*
  627. * Do PROT_NONE PFN permission checks here when we can still
  628. * bail out without undoing a lot of state. This is a rather
  629. * uncommon case, so doesn't need to be very optimized.
  630. */
  631. if (arch_has_pfn_modify_check() &&
  632. (oldflags & (VM_PFNMAP|VM_MIXEDMAP)) &&
  633. (newflags & VM_ACCESS_FLAGS) == 0) {
  634. pgprot_t new_pgprot = vm_get_page_prot(newflags);
  635. error = walk_page_range(current->mm, start, end,
  636. &prot_none_walk_ops, &new_pgprot);
  637. if (error)
  638. return error;
  639. }
  640. /*
  641. * If we make a private mapping writable we increase our commit;
  642. * but (without finer accounting) cannot reduce our commit if we
  643. * make it unwritable again except in the anonymous case where no
  644. * anon_vma has yet to be assigned.
  645. *
  646. * hugetlb mapping were accounted for even if read-only so there is
  647. * no need to account for them here.
  648. */
  649. if (newflags & VM_WRITE) {
  650. /* Check space limits when area turns into data. */
  651. if (!may_expand_vm(mm, newflags, nrpages) &&
  652. may_expand_vm(mm, oldflags, nrpages))
  653. return -ENOMEM;
  654. if (!(oldflags & (VM_ACCOUNT|VM_WRITE|VM_HUGETLB|
  655. VM_SHARED|VM_NORESERVE))) {
  656. charged = nrpages;
  657. if (security_vm_enough_memory_mm(mm, charged))
  658. return -ENOMEM;
  659. newflags |= VM_ACCOUNT;
  660. }
  661. } else if ((oldflags & VM_ACCOUNT) && vma_is_anonymous(vma) &&
  662. !vma->anon_vma) {
  663. newflags &= ~VM_ACCOUNT;
  664. }
  665. vma = vma_modify_flags(vmi, *pprev, vma, start, end, &newflags);
  666. if (IS_ERR(vma)) {
  667. error = PTR_ERR(vma);
  668. goto fail;
  669. }
  670. *pprev = vma;
  671. /*
  672. * vm_flags and vm_page_prot are protected by the mmap_lock
  673. * held in write mode.
  674. */
  675. vma_start_write(vma);
  676. vm_flags_reset_once(vma, newflags);
  677. if (vma_wants_manual_pte_write_upgrade(vma))
  678. mm_cp_flags |= MM_CP_TRY_CHANGE_WRITABLE;
  679. vma_set_page_prot(vma);
  680. change_protection(tlb, vma, start, end, mm_cp_flags);
  681. if ((oldflags & VM_ACCOUNT) && !(newflags & VM_ACCOUNT))
  682. vm_unacct_memory(nrpages);
  683. /*
  684. * Private VM_LOCKED VMA becoming writable: trigger COW to avoid major
  685. * fault on access.
  686. */
  687. if ((oldflags & (VM_WRITE | VM_SHARED | VM_LOCKED)) == VM_LOCKED &&
  688. (newflags & VM_WRITE)) {
  689. populate_vma_page_range(vma, start, end, NULL);
  690. }
  691. vm_stat_account(mm, oldflags, -nrpages);
  692. vm_stat_account(mm, newflags, nrpages);
  693. perf_event_mmap(vma);
  694. return 0;
  695. fail:
  696. vm_unacct_memory(charged);
  697. return error;
  698. }
  699. /*
  700. * pkey==-1 when doing a legacy mprotect()
  701. */
  702. static int do_mprotect_pkey(unsigned long start, size_t len,
  703. unsigned long prot, int pkey)
  704. {
  705. unsigned long nstart, end, tmp, reqprot;
  706. struct vm_area_struct *vma, *prev;
  707. int error;
  708. const int grows = prot & (PROT_GROWSDOWN|PROT_GROWSUP);
  709. const bool rier = (current->personality & READ_IMPLIES_EXEC) &&
  710. (prot & PROT_READ);
  711. struct mmu_gather tlb;
  712. struct vma_iterator vmi;
  713. start = untagged_addr(start);
  714. prot &= ~(PROT_GROWSDOWN|PROT_GROWSUP);
  715. if (grows == (PROT_GROWSDOWN|PROT_GROWSUP)) /* can't be both */
  716. return -EINVAL;
  717. if (start & ~PAGE_MASK)
  718. return -EINVAL;
  719. if (!len)
  720. return 0;
  721. len = PAGE_ALIGN(len);
  722. end = start + len;
  723. if (end <= start)
  724. return -ENOMEM;
  725. if (!arch_validate_prot(prot, start))
  726. return -EINVAL;
  727. reqprot = prot;
  728. if (mmap_write_lock_killable(current->mm))
  729. return -EINTR;
  730. /*
  731. * If userspace did not allocate the pkey, do not let
  732. * them use it here.
  733. */
  734. error = -EINVAL;
  735. if ((pkey != -1) && !mm_pkey_is_allocated(current->mm, pkey))
  736. goto out;
  737. vma_iter_init(&vmi, current->mm, start);
  738. vma = vma_find(&vmi, end);
  739. error = -ENOMEM;
  740. if (!vma)
  741. goto out;
  742. if (unlikely(grows & PROT_GROWSDOWN)) {
  743. if (vma->vm_start >= end)
  744. goto out;
  745. start = vma->vm_start;
  746. error = -EINVAL;
  747. if (!(vma->vm_flags & VM_GROWSDOWN))
  748. goto out;
  749. } else {
  750. if (vma->vm_start > start)
  751. goto out;
  752. if (unlikely(grows & PROT_GROWSUP)) {
  753. end = vma->vm_end;
  754. error = -EINVAL;
  755. if (!(vma->vm_flags & VM_GROWSUP))
  756. goto out;
  757. }
  758. }
  759. prev = vma_prev(&vmi);
  760. if (start > vma->vm_start)
  761. prev = vma;
  762. tlb_gather_mmu(&tlb, current->mm);
  763. nstart = start;
  764. tmp = vma->vm_start;
  765. for_each_vma_range(vmi, vma, end) {
  766. vm_flags_t mask_off_old_flags;
  767. vm_flags_t newflags;
  768. int new_vma_pkey;
  769. if (vma->vm_start != tmp) {
  770. error = -ENOMEM;
  771. break;
  772. }
  773. /* Does the application expect PROT_READ to imply PROT_EXEC */
  774. if (rier && (vma->vm_flags & VM_MAYEXEC))
  775. prot |= PROT_EXEC;
  776. /*
  777. * Each mprotect() call explicitly passes r/w/x permissions.
  778. * If a permission is not passed to mprotect(), it must be
  779. * cleared from the VMA.
  780. */
  781. mask_off_old_flags = VM_ACCESS_FLAGS | VM_FLAGS_CLEAR;
  782. new_vma_pkey = arch_override_mprotect_pkey(vma, prot, pkey);
  783. newflags = calc_vm_prot_bits(prot, new_vma_pkey);
  784. newflags |= (vma->vm_flags & ~mask_off_old_flags);
  785. /* newflags >> 4 shift VM_MAY% in place of VM_% */
  786. if ((newflags & ~(newflags >> 4)) & VM_ACCESS_FLAGS) {
  787. error = -EACCES;
  788. break;
  789. }
  790. if (map_deny_write_exec(vma->vm_flags, newflags)) {
  791. error = -EACCES;
  792. break;
  793. }
  794. /* Allow architectures to sanity-check the new flags */
  795. if (!arch_validate_flags(newflags)) {
  796. error = -EINVAL;
  797. break;
  798. }
  799. error = security_file_mprotect(vma, reqprot, prot);
  800. if (error)
  801. break;
  802. tmp = vma->vm_end;
  803. if (tmp > end)
  804. tmp = end;
  805. if (vma->vm_ops && vma->vm_ops->mprotect) {
  806. error = vma->vm_ops->mprotect(vma, nstart, tmp, newflags);
  807. if (error)
  808. break;
  809. }
  810. error = mprotect_fixup(&vmi, &tlb, vma, &prev, nstart, tmp, newflags);
  811. if (error)
  812. break;
  813. tmp = vma_iter_end(&vmi);
  814. nstart = tmp;
  815. prot = reqprot;
  816. }
  817. tlb_finish_mmu(&tlb);
  818. if (!error && tmp < end)
  819. error = -ENOMEM;
  820. out:
  821. mmap_write_unlock(current->mm);
  822. return error;
  823. }
  824. SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
  825. unsigned long, prot)
  826. {
  827. return do_mprotect_pkey(start, len, prot, -1);
  828. }
  829. #ifdef CONFIG_ARCH_HAS_PKEYS
  830. SYSCALL_DEFINE4(pkey_mprotect, unsigned long, start, size_t, len,
  831. unsigned long, prot, int, pkey)
  832. {
  833. return do_mprotect_pkey(start, len, prot, pkey);
  834. }
  835. SYSCALL_DEFINE2(pkey_alloc, unsigned long, flags, unsigned long, init_val)
  836. {
  837. int pkey;
  838. int ret;
  839. /* No flags supported yet. */
  840. if (flags)
  841. return -EINVAL;
  842. /* check for unsupported init values */
  843. if (init_val & ~PKEY_ACCESS_MASK)
  844. return -EINVAL;
  845. mmap_write_lock(current->mm);
  846. pkey = mm_pkey_alloc(current->mm);
  847. ret = -ENOSPC;
  848. if (pkey == -1)
  849. goto out;
  850. ret = arch_set_user_pkey_access(current, pkey, init_val);
  851. if (ret) {
  852. mm_pkey_free(current->mm, pkey);
  853. goto out;
  854. }
  855. ret = pkey;
  856. out:
  857. mmap_write_unlock(current->mm);
  858. return ret;
  859. }
  860. SYSCALL_DEFINE1(pkey_free, int, pkey)
  861. {
  862. int ret;
  863. mmap_write_lock(current->mm);
  864. ret = mm_pkey_free(current->mm, pkey);
  865. mmap_write_unlock(current->mm);
  866. /*
  867. * We could provide warnings or errors if any VMA still
  868. * has the pkey set here.
  869. */
  870. return ret;
  871. }
  872. #endif /* CONFIG_ARCH_HAS_PKEYS */