2017-11-01 14:08:43 +00:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
|
2009-05-13 22:56:24 +00:00
|
|
|
#ifndef __ASM_GENERIC_MMAN_COMMON_H
|
|
|
|
#define __ASM_GENERIC_MMAN_COMMON_H
|
2006-02-15 23:17:39 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
Author: Michael S. Tsirkin <mst@mellanox.co.il>, Mellanox Technologies Ltd.
|
|
|
|
Based on: asm-xxx/mman.h
|
|
|
|
*/
|
|
|
|
|
|
|
|
#define PROT_READ 0x1 /* page can be read */
|
|
|
|
#define PROT_WRITE 0x2 /* page can be written */
|
|
|
|
#define PROT_EXEC 0x4 /* page can be executed */
|
|
|
|
#define PROT_SEM 0x8 /* page may be used for atomic ops */
|
|
|
|
#define PROT_NONE 0x0 /* page can not be accessed */
|
|
|
|
#define PROT_GROWSDOWN 0x01000000 /* mprotect flag: extend change to start of growsdown vma */
|
|
|
|
#define PROT_GROWSUP 0x02000000 /* mprotect flag: extend change to end of growsup vma */
|
|
|
|
|
|
|
|
#define MAP_SHARED 0x01 /* Share changes */
|
|
|
|
#define MAP_PRIVATE 0x02 /* Changes are private */
|
mm: introduce MAP_SHARED_VALIDATE, a mechanism to safely define new mmap flags
The mmap(2) syscall suffers from the ABI anti-pattern of not validating
unknown flags. However, proposals like MAP_SYNC need a mechanism to
define new behavior that is known to fail on older kernels without the
support. Define a new MAP_SHARED_VALIDATE flag pattern that is
guaranteed to fail on all legacy mmap implementations.
It is worth noting that the original proposal was for a standalone
MAP_VALIDATE flag. However, when that could not be supported by all
archs Linus observed:
I see why you *think* you want a bitmap. You think you want
a bitmap because you want to make MAP_VALIDATE be part of MAP_SYNC
etc, so that people can do
ret = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED
| MAP_SYNC, fd, 0);
and "know" that MAP_SYNC actually takes.
And I'm saying that whole wish is bogus. You're fundamentally
depending on special semantics, just make it explicit. It's already
not portable, so don't try to make it so.
Rename that MAP_VALIDATE as MAP_SHARED_VALIDATE, make it have a value
of 0x3, and make people do
ret = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED_VALIDATE
| MAP_SYNC, fd, 0);
and then the kernel side is easier too (none of that random garbage
playing games with looking at the "MAP_VALIDATE bit", but just another
case statement in that map type thing.
Boom. Done.
Similar to ->fallocate() we also want the ability to validate the
support for new flags on a per ->mmap() 'struct file_operations'
instance basis. Towards that end arrange for flags to be generically
validated against a mmap_supported_flags exported by 'struct
file_operations'. By default all existing flags are implicitly
supported, but new flags require MAP_SHARED_VALIDATE and
per-instance-opt-in.
Cc: Jan Kara <jack@suse.cz>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Suggested-by: Christoph Hellwig <hch@lst.de>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-by: Ross Zwisler <ross.zwisler@linux.intel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
2017-11-01 15:36:30 +00:00
|
|
|
#define MAP_SHARED_VALIDATE 0x03 /* share + validate extension flags */
|
2006-02-15 23:17:39 +00:00
|
|
|
#define MAP_TYPE 0x0f /* Mask for type of mapping */
|
|
|
|
#define MAP_FIXED 0x10 /* Interpret addr exactly */
|
|
|
|
#define MAP_ANONYMOUS 0x20 /* don't use a file */
|
2009-12-15 02:00:02 +00:00
|
|
|
#ifdef CONFIG_MMAP_ALLOW_UNINITIALIZED
|
|
|
|
# define MAP_UNINITIALIZED 0x4000000 /* For anonymous mmap, memory could be uninitialized */
|
|
|
|
#else
|
|
|
|
# define MAP_UNINITIALIZED 0x0 /* Don't support this flag */
|
|
|
|
#endif
|
2006-02-15 23:17:39 +00:00
|
|
|
|
2015-11-06 02:51:39 +00:00
|
|
|
/*
|
|
|
|
* Flags for mlock
|
|
|
|
*/
|
|
|
|
#define MLOCK_ONFAULT 0x01 /* Lock pages in range after they are faulted in, do not prefault */
|
|
|
|
|
2006-02-15 23:17:39 +00:00
|
|
|
#define MS_ASYNC 1 /* sync memory asynchronously */
|
|
|
|
#define MS_INVALIDATE 2 /* invalidate the caches */
|
|
|
|
#define MS_SYNC 4 /* synchronous memory sync */
|
|
|
|
|
|
|
|
#define MADV_NORMAL 0 /* no further special treatment */
|
|
|
|
#define MADV_RANDOM 1 /* expect random page references */
|
|
|
|
#define MADV_SEQUENTIAL 2 /* expect sequential page references */
|
|
|
|
#define MADV_WILLNEED 3 /* will need these pages */
|
|
|
|
#define MADV_DONTNEED 4 /* don't need these pages */
|
|
|
|
|
|
|
|
/* common parameters: try to keep these consistent across architectures */
|
2016-01-16 00:55:02 +00:00
|
|
|
#define MADV_FREE 8 /* free pages only if memory pressure */
|
2006-02-15 23:17:39 +00:00
|
|
|
#define MADV_REMOVE 9 /* remove these pages & resources */
|
|
|
|
#define MADV_DONTFORK 10 /* don't inherit across fork */
|
|
|
|
#define MADV_DOFORK 11 /* do inherit across fork */
|
2009-09-16 09:50:17 +00:00
|
|
|
#define MADV_HWPOISON 100 /* poison a page for testing */
|
2009-12-16 11:20:00 +00:00
|
|
|
#define MADV_SOFT_OFFLINE 101 /* soft offline page for testing */
|
2006-02-15 23:17:39 +00:00
|
|
|
|
2009-09-22 00:01:53 +00:00
|
|
|
#define MADV_MERGEABLE 12 /* KSM may merge identical pages */
|
|
|
|
#define MADV_UNMERGEABLE 13 /* KSM may not merge identical pages */
|
|
|
|
|
2011-01-13 23:46:31 +00:00
|
|
|
#define MADV_HUGEPAGE 14 /* Worth backing with hugepages */
|
2011-01-13 23:47:17 +00:00
|
|
|
#define MADV_NOHUGEPAGE 15 /* Not worth backing with hugepages */
|
2011-01-13 23:46:31 +00:00
|
|
|
|
2012-03-23 22:02:51 +00:00
|
|
|
#define MADV_DONTDUMP 16 /* Explicity exclude from the core dump,
|
|
|
|
overrides the coredump filter bits */
|
2014-04-07 22:37:56 +00:00
|
|
|
#define MADV_DODUMP 17 /* Clear the MADV_DONTDUMP flag */
|
2012-03-23 22:02:51 +00:00
|
|
|
|
mm,fork: introduce MADV_WIPEONFORK
Introduce MADV_WIPEONFORK semantics, which result in a VMA being empty
in the child process after fork. This differs from MADV_DONTFORK in one
important way.
If a child process accesses memory that was MADV_WIPEONFORK, it will get
zeroes. The address ranges are still valid, they are just empty.
If a child process accesses memory that was MADV_DONTFORK, it will get a
segmentation fault, since those address ranges are no longer valid in
the child after fork.
Since MADV_DONTFORK also seems to be used to allow very large programs
to fork in systems with strict memory overcommit restrictions, changing
the semantics of MADV_DONTFORK might break existing programs.
MADV_WIPEONFORK only works on private, anonymous VMAs.
The use case is libraries that store or cache information, and want to
know that they need to regenerate it in the child process after fork.
Examples of this would be:
- systemd/pulseaudio API checks (fail after fork) (replacing a getpid
check, which is too slow without a PID cache)
- PKCS#11 API reinitialization check (mandated by specification)
- glibc's upcoming PRNG (reseed after fork)
- OpenSSL PRNG (reseed after fork)
The security benefits of a forking server having a re-inialized PRNG in
every child process are pretty obvious. However, due to libraries
having all kinds of internal state, and programs getting compiled with
many different versions of each library, it is unreasonable to expect
calling programs to re-initialize everything manually after fork.
A further complication is the proliferation of clone flags, programs
bypassing glibc's functions to call clone directly, and programs calling
unshare, causing the glibc pthread_atfork hook to not get called.
It would be better to have the kernel take care of this automatically.
The patch also adds MADV_KEEPONFORK, to undo the effects of a prior
MADV_WIPEONFORK.
This is similar to the OpenBSD minherit syscall with MAP_INHERIT_ZERO:
https://man.openbsd.org/minherit.2
[akpm@linux-foundation.org: numerically order arch/parisc/include/uapi/asm/mman.h #defines]
Link: http://lkml.kernel.org/r/20170811212829.29186-3-riel@redhat.com
Signed-off-by: Rik van Riel <riel@redhat.com>
Reported-by: Florian Weimer <fweimer@redhat.com>
Reported-by: Colm MacCártaigh <colm@allcosts.net>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: "Kirill A. Shutemov" <kirill@shutemov.name>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Helge Deller <deller@gmx.de>
Cc: Kees Cook <keescook@chromium.org>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Will Drewry <wad@chromium.org>
Cc: <linux-api@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-09-06 23:25:15 +00:00
|
|
|
#define MADV_WIPEONFORK 18 /* Zero memory on fork, child only */
|
|
|
|
#define MADV_KEEPONFORK 19 /* Undo MADV_WIPEONFORK */
|
|
|
|
|
2006-02-15 23:17:39 +00:00
|
|
|
/* compatibility flags */
|
|
|
|
#define MAP_FILE 0
|
|
|
|
|
x86/pkeys: Allocation/free syscalls
This patch adds two new system calls:
int pkey_alloc(unsigned long flags, unsigned long init_access_rights)
int pkey_free(int pkey);
These implement an "allocator" for the protection keys
themselves, which can be thought of as analogous to the allocator
that the kernel has for file descriptors. The kernel tracks
which numbers are in use, and only allows operations on keys that
are valid. A key which was not obtained by pkey_alloc() may not,
for instance, be passed to pkey_mprotect().
These system calls are also very important given the kernel's use
of pkeys to implement execute-only support. These help ensure
that userspace can never assume that it has control of a key
unless it first asks the kernel. The kernel does not promise to
preserve PKRU (right register) contents except for allocated
pkeys.
The 'init_access_rights' argument to pkey_alloc() specifies the
rights that will be established for the returned pkey. For
instance:
pkey = pkey_alloc(flags, PKEY_DENY_WRITE);
will allocate 'pkey', but also sets the bits in PKRU[1] such that
writing to 'pkey' is already denied.
The kernel does not prevent pkey_free() from successfully freeing
in-use pkeys (those still assigned to a memory range by
pkey_mprotect()). It would be expensive to implement the checks
for this, so we instead say, "Just don't do it" since sane
software will never do it anyway.
Any piece of userspace calling pkey_alloc() needs to be prepared
for it to fail. Why? pkey_alloc() returns the same error code
(ENOSPC) when there are no pkeys and when pkeys are unsupported.
They can be unsupported for a whole host of reasons, so apps must
be prepared for this. Also, libraries or LD_PRELOADs might steal
keys before an application gets access to them.
This allocation mechanism could be implemented in userspace.
Even if we did it in userspace, we would still need additional
user/kernel interfaces to tell userspace which keys are being
used by the kernel internally (such as for execute-only
mappings). Having the kernel provide this facility completely
removes the need for these additional interfaces, or having an
implementation of this in userspace at all.
Note that we have to make changes to all of the architectures
that do not use mman-common.h because we use the new
PKEY_DENY_ACCESS/WRITE macros in arch-independent code.
1. PKRU is the Protection Key Rights User register. It is a
usermode-accessible register that controls whether writes
and/or access to each individual pkey is allowed or denied.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Acked-by: Mel Gorman <mgorman@techsingularity.net>
Cc: linux-arch@vger.kernel.org
Cc: Dave Hansen <dave@sr71.net>
Cc: arnd@arndb.de
Cc: linux-api@vger.kernel.org
Cc: linux-mm@kvack.org
Cc: luto@kernel.org
Cc: akpm@linux-foundation.org
Cc: torvalds@linux-foundation.org
Link: http://lkml.kernel.org/r/20160729163015.444FE75F@viggo.jf.intel.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2016-07-29 16:30:15 +00:00
|
|
|
#define PKEY_DISABLE_ACCESS 0x1
|
|
|
|
#define PKEY_DISABLE_WRITE 0x2
|
|
|
|
#define PKEY_ACCESS_MASK (PKEY_DISABLE_ACCESS |\
|
|
|
|
PKEY_DISABLE_WRITE)
|
|
|
|
|
2009-05-13 22:56:24 +00:00
|
|
|
#endif /* __ASM_GENERIC_MMAN_COMMON_H */
|