mm: Allow userspace to reserve VA range for use by userspace only

Add support for ELF binaries to reserve address ranges. Address
range can be reserved at load time by adding an ELF NOTE section, or
at run time with mprotect() with PROT_RESERVED flag. Reserved ranges
can be allocated with mmap(..... MAP_FIXED...) and shmat(....,
SHM_REMAP) later. Any reserved address ranges are annotated with
"[rsvd]" in /proc/<pid>/maps output. A binary can check if the
kernel supports VA range reservation by checking the value of
auxiliary vector AT_VA_RESERVATION.

VA reservation is done by adding a special NOTE section to binary
using declarations similar to following:

        .section .note.rsvd_range, "a", @note
        .p2align 2
        .long 1f - 0f           # name size (not including padding)
        .long 3f - 2f           # desc size (not including padding)
        .long 0x07c10001
0:      .asciz "Reserved VA"        # name
1:      .p2align 2
2:      .quad 0x7f2000000000
        .quad 0x7f2000e00000
        .quad 0x7f5000200000
        .quad 0x7f500d000000
3:  .p2align 2

Each reserved range is specified as pair of addresses (start and
end).  This note section is read by kernel elf loader and address
ranges are reserved for the lifetime of process. A maximum of 64
such entries can be made in NOTE section. Execution of a binary file
with more than 64 pairs of addresses in this note section will be
terminated with ENOEXEC.

NOTE: Kernel can not guarantee all VA ranges in the NOTE section
will be reserved. If the address range is valid but is already in
use (possibly by a shared library loaded earlier), execution of
binary will be terminated with ENOMEM.

NOTE: This feature needs two VMA flag bits. There are no free bits
available in lower 32 bits. As a result this feature can only be
supported on architectures that support high VMA flag bits (bits
32-63).

Orabug: 28438736

Signed-off-by: Khalid Aziz <[email protected]>
Reviewed-by: Konrad Rzeszutek Wilk <[email protected]>
Reviewed-by: Mike Kravetz <[email protected]>
(cherry picked from LUCI 97f7b3403bf1b2c3b4dea2e46e766aa3195a40c4)
Signed-off-by: Khalid Aziz <[email protected]>
Reviewed-by: Mike Kravetz <[email protected]>
Signed-off-by: Somasundaram Krishnasamy <[email protected]>

Author: hikerockies

arch/x86/Kconfig

@@ -29,6 +29,7 @@ config X86_64
 	select HAVE_ARCH_SOFT_DIRTY
 	select MODULES_USE_ELF_RELA
 	select X86_DEV_DMA_OPS
+	select ARCH_USES_HIGH_VMA_FLAGS
 
 #
 # Arch settings

fs/binfmt_elf.c

@@ -51,6 +51,11 @@
 #define user_siginfo_t siginfo_t
 #endif
 
+extern int install_rsvd_mapping(struct mm_struct *mm,
+				struct vm_area_struct *prev, unsigned long addr,
+				unsigned long len);
+
+
 static int load_elf_binary(struct linux_binprm *bprm);
 static unsigned long elf_map(struct file *, unsigned long, struct elf_phdr *,
 				int, int, unsigned long);
@@ -77,6 +82,8 @@ static int elf_core_dump(struct coredump_params *cprm);
 #define ELF_MIN_ALIGN	PAGE_SIZE
 #endif
 
+#define MAX_FILE_NOTE_SIZE (4*1024*1024)
+
 #ifndef ELF_CORE_EFLAGS
 #define ELF_CORE_EFLAGS	0
 #endif
@@ -269,6 +276,7 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
 	if (bprm->interp_flags & BINPRM_FLAGS_EXECFD) {
 		NEW_AUX_ENT(AT_EXECFD, bprm->interp_data);
 	}
+	NEW_AUX_ENT(AT_VA_RESERVATION, 1);
 #undef NEW_AUX_ENT
 	/* AT_NULL is zero; clear the rest too */
 	memset(&elf_info[ei_index], 0,
@@ -676,6 +684,105 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
 #endif
 }
 
+#define MAX_RSVD_VA_RANGES	64
+#define RSVD_VA_STRING		"Reserved VA"
+#define SZ_RSVD_VA_STRING	sizeof(RSVD_VA_STRING)
+
+static int reserve_va_range(struct elf_phdr *elf_ppnt,
+				struct linux_binprm *bprm)
+{
+	char *note_seg = NULL;
+	struct elf_note *note;
+	loff_t pos = elf_ppnt->p_offset;
+	int retval = 0;
+	size_t note_size = elf_ppnt->p_filesz;
+
+	note_seg = kvmalloc(note_size, GFP_KERNEL);
+	if (!note_seg) {
+		retval = -ENOMEM;
+		return retval;
+	}
+
+	retval = kernel_read(bprm->file, note_seg, note_size, &pos);
+	if (retval != note_size) {
+		if (retval >= 0)
+			retval = -EIO;
+		goto out;
+	}
+
+	note = (struct elf_note *)note_seg;
+	while ((char *)note + sizeof(struct elf_note) <
+	       (char *)(note_seg + note_size)) {
+		char *name;
+		unsigned long *val;
+		unsigned long nentry, i;
+
+		if (note->n_type != 0x07c10001)
+			goto cont_loop;
+
+		/* Sanity check for malformed note entry */
+		if (note->n_namesz > SZ_RSVD_VA_STRING) {
+			retval = -ENOEXEC;
+			goto out;
+		}
+
+		name = (char *)note + sizeof(struct elf_note);
+		if (strncmp(name, RSVD_VA_STRING, SZ_RSVD_VA_STRING) == 0) {
+			nentry = note->n_descsz/sizeof(void *);
+			val = (unsigned long *)(name +
+						roundup(note->n_namesz, 4));
+			/*
+			 * Check if right number of address
+			 * entries exist in note section
+			 */
+			if (((nentry % 2) != 0) ||
+				((nentry % 2) > MAX_RSVD_VA_RANGES)) {
+				retval = -ENOEXEC;
+				goto out;
+			}
+			for (i = 0 ; i < nentry; i += 2) {
+				unsigned long range1, range2;
+				struct mm_struct *mm = current->mm;
+
+				/*
+				 * Ensure we can access two address entries
+				 * in this note segment safely
+				 */
+				if ((char *)(val + 1) >=
+					((char *)note_seg + note_size)) {
+					retval = -ENOEXEC;
+					goto out;
+				}
+				range1 = PAGE_ALIGN((*val++) - PAGE_SIZE + 1);
+				range2 = PAGE_ALIGN(*val++);
+
+				/* Validate the address range being reserved */
+				if ((range2 <= range1) ||
+					(range2 > user_addr_max())) {
+					retval = -ENOEXEC;
+					goto out;
+				}
+
+				down_write(&mm->mmap_sem);
+				retval = install_rsvd_mapping(mm, NULL, range1,
+							      (range2-range1));
+				up_write(&mm->mmap_sem);
+				if (retval < 0)
+					goto out;
+			}
+		}
+cont_loop:
+		note = (struct elf_note *)((char *)note +
+						sizeof(struct elf_note) +
+						roundup(note->n_namesz, 4) +
+						roundup(note->n_descsz, 4));
+	}
+
+out:
+	kvfree(note_seg);
+	return retval;
+}
+
 static int load_elf_binary(struct linux_binprm *bprm)
 {
 	struct file *interpreter = NULL; /* to shut gcc up */
@@ -877,6 +984,24 @@ static int load_elf_binary(struct linux_binprm *bprm)
 
 	current->mm->start_stack = bprm->p;
 
+	/*
+	 * Read the notes segment to find notes to reserve address space
+	 */
+	elf_ppnt = elf_phdata;
+	for (i = 0; i < loc->elf_ex.e_phnum; i++, elf_ppnt++)
+		if (elf_ppnt->p_type == PT_NOTE) {
+			/* Sanity check for bogus note segment */
+			if ((elf_ppnt->p_filesz > MAX_FILE_NOTE_SIZE) ||
+				(elf_ppnt->p_filesz < sizeof(struct elf_note))) {
+				retval = -ENOEXEC;
+				goto out_free_ph;
+			}
+			retval = reserve_va_range(elf_ppnt, bprm);
+			if (retval < 0)
+				goto out_free_ph;
+		}
+
+
 	/* Now we do a little grungy work by mmapping the ELF image into
 	   the correct location in memory. */
 	for(i = 0, elf_ppnt = elf_phdata;
@@ -1565,7 +1690,6 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
 	fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata);
 }
 
-#define MAX_FILE_NOTE_SIZE (4*1024*1024)
 /*
  * Format of NT_FILE note:
  *

include/linux/mm.h

@@ -214,11 +214,15 @@ extern unsigned int kobjsize(const void *objp);
 #define VM_HIGH_ARCH_BIT_2	34	/* bit only usable on 64-bit architectures */
 #define VM_HIGH_ARCH_BIT_3	35	/* bit only usable on 64-bit architectures */
 #define VM_HIGH_ARCH_BIT_4	36	/* bit only usable on 64-bit architectures */
+#define VM_HIGH_ARCH_BIT_16	48	/* bit only usable on 64-bit architectures */
+#define VM_HIGH_ARCH_BIT_17	49	/* bit only usable on 64-bit architectures */
 #define VM_HIGH_ARCH_0	BIT(VM_HIGH_ARCH_BIT_0)
 #define VM_HIGH_ARCH_1	BIT(VM_HIGH_ARCH_BIT_1)
 #define VM_HIGH_ARCH_2	BIT(VM_HIGH_ARCH_BIT_2)
 #define VM_HIGH_ARCH_3	BIT(VM_HIGH_ARCH_BIT_3)
 #define VM_HIGH_ARCH_4	BIT(VM_HIGH_ARCH_BIT_4)
+#define VM_HIGH_ARCH_16	BIT(VM_HIGH_ARCH_BIT_16)
+#define VM_HIGH_ARCH_17	BIT(VM_HIGH_ARCH_BIT_17)
 #endif /* CONFIG_ARCH_USES_HIGH_VMA_FLAGS */
 
 #if defined(CONFIG_X86)
@@ -242,6 +246,17 @@ extern unsigned int kobjsize(const void *objp);
 # define VM_MAPPED_COPY	VM_ARCH_1	/* T if mapped copy of data (nommu mmap) */
 #endif
 
+#ifdef CONFIG_ARCH_USES_HIGH_VMA_FLAGS
+# define VM_RSVD_VA	VM_HIGH_ARCH_16	/* Reserved VA range */
+# define VM_RSVD_NORELINK	VM_HIGH_ARCH_17	/* VA range unmapped by
+						 * userspace but still reserved
+						 * for use by userspace only
+						 */
+#else
+# define VM_RSVD_VA		VM_NONE
+# define VM_RSVD_NORELINK	VM_NONE
+#endif
+
 #if defined(CONFIG_X86_INTEL_MPX)
 /* MPX specific bounds table or bounds directory */
 # define VM_MPX		VM_HIGH_ARCH_4

include/uapi/asm-generic/mman-common.h

@@ -14,6 +14,7 @@
 #define PROT_NONE	0x0		/* page can not be accessed */
 #define PROT_GROWSDOWN	0x01000000	/* mprotect flag: extend change to start of growsdown vma */
 #define PROT_GROWSUP	0x02000000	/* mprotect flag: extend change to end of growsup vma */
+#define PROT_RESERVED	0x10000000	/* Reserve this VA range */
 
 #define MAP_SHARED	0x01		/* Share changes */
 #define MAP_PRIVATE	0x02		/* Changes are private */

include/uapi/linux/auxvec.h

@@ -30,6 +30,7 @@
 				 * differ from AT_PLATFORM. */
 #define AT_RANDOM 25	/* address of 16 random bytes */
 #define AT_HWCAP2 26	/* extension of AT_HWCAP */
+#define AT_VA_RESERVATION	27	/* VA reservation support */
 
 #define AT_EXECFN  31	/* filename of program */