| 1 | /* |
| 2 | * Intel Memory Protection Keys management |
| 3 | * Copyright (c) 2015, Intel Corporation. |
| 4 | * |
| 5 | * This program is free software; you can redistribute it and/or modify it |
| 6 | * under the terms and conditions of the GNU General Public License, |
| 7 | * version 2, as published by the Free Software Foundation. |
| 8 | * |
| 9 | * This program is distributed in the hope it will be useful, but WITHOUT |
| 10 | * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| 11 | * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for |
| 12 | * more details. |
| 13 | */ |
| 14 | #include <linux/mm_types.h> /* mm_struct, vma, etc... */ |
| 15 | #include <linux/pkeys.h> /* PKEY_* */ |
| 16 | #include <uapi/asm-generic/mman-common.h> |
| 17 | |
| 18 | #include <asm/cpufeature.h> /* boot_cpu_has, ... */ |
| 19 | #include <asm/mmu_context.h> /* vma_pkey() */ |
| 20 | #include <asm/fpu/internal.h> /* fpregs_active() */ |
| 21 | |
| 22 | int __execute_only_pkey(struct mm_struct *mm) |
| 23 | { |
| 24 | int ret; |
| 25 | |
| 26 | /* |
| 27 | * We do not want to go through the relatively costly |
| 28 | * dance to set PKRU if we do not need to. Check it |
| 29 | * first and assume that if the execute-only pkey is |
| 30 | * write-disabled that we do not have to set it |
| 31 | * ourselves. We need preempt off so that nobody |
| 32 | * can make fpregs inactive. |
| 33 | */ |
| 34 | preempt_disable(); |
| 35 | if (fpregs_active() && |
| 36 | !__pkru_allows_read(read_pkru(), PKEY_DEDICATED_EXECUTE_ONLY)) { |
| 37 | preempt_enable(); |
| 38 | return PKEY_DEDICATED_EXECUTE_ONLY; |
| 39 | } |
| 40 | preempt_enable(); |
| 41 | ret = arch_set_user_pkey_access(current, PKEY_DEDICATED_EXECUTE_ONLY, |
| 42 | PKEY_DISABLE_ACCESS); |
| 43 | /* |
| 44 | * If the PKRU-set operation failed somehow, just return |
| 45 | * 0 and effectively disable execute-only support. |
| 46 | */ |
| 47 | if (ret) |
| 48 | return 0; |
| 49 | |
| 50 | return PKEY_DEDICATED_EXECUTE_ONLY; |
| 51 | } |
| 52 | |
| 53 | static inline bool vma_is_pkey_exec_only(struct vm_area_struct *vma) |
| 54 | { |
| 55 | /* Do this check first since the vm_flags should be hot */ |
| 56 | if ((vma->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) != VM_EXEC) |
| 57 | return false; |
| 58 | if (vma_pkey(vma) != PKEY_DEDICATED_EXECUTE_ONLY) |
| 59 | return false; |
| 60 | |
| 61 | return true; |
| 62 | } |
| 63 | |
| 64 | /* |
| 65 | * This is only called for *plain* mprotect calls. |
| 66 | */ |
| 67 | int __arch_override_mprotect_pkey(struct vm_area_struct *vma, int prot, int pkey) |
| 68 | { |
| 69 | /* |
| 70 | * Is this an mprotect_pkey() call? If so, never |
| 71 | * override the value that came from the user. |
| 72 | */ |
| 73 | if (pkey != -1) |
| 74 | return pkey; |
| 75 | /* |
| 76 | * Look for a protection-key-drive execute-only mapping |
| 77 | * which is now being given permissions that are not |
| 78 | * execute-only. Move it back to the default pkey. |
| 79 | */ |
| 80 | if (vma_is_pkey_exec_only(vma) && |
| 81 | (prot & (PROT_READ|PROT_WRITE))) { |
| 82 | return 0; |
| 83 | } |
| 84 | /* |
| 85 | * The mapping is execute-only. Go try to get the |
| 86 | * execute-only protection key. If we fail to do that, |
| 87 | * fall through as if we do not have execute-only |
| 88 | * support. |
| 89 | */ |
| 90 | if (prot == PROT_EXEC) { |
| 91 | pkey = execute_only_pkey(vma->vm_mm); |
| 92 | if (pkey > 0) |
| 93 | return pkey; |
| 94 | } |
| 95 | /* |
| 96 | * This is a vanilla, non-pkey mprotect (or we failed to |
| 97 | * setup execute-only), inherit the pkey from the VMA we |
| 98 | * are working on. |
| 99 | */ |
| 100 | return vma_pkey(vma); |
| 101 | } |