- 05 Jul, 2022 40 commits
-
A bug was found in the getrusage syscall where the compat64 version used a different sized struct to pass arguments. This resulted in some programs such as time in bash printing wrong values for process usage times. This is being fixed by using the native syscall which has the same implementation since the struct members contain no pointers.
Signed-off-by: Sherwin da Cruz <sherwin.dacruz@arm.com>
-
For a compat ELF binary, /proc/pid/auxv will output an extra AT_NULL entry or garbage at the end. This is because it interprets the auxv elements using their native layout. The patch moves the auxv parsing to the binfmt handler, where the correct layout of the auxv elements is used. This patch is inspired by: https://lkml.org/lkml/2006/4/10/20
Signed-off-by: Tudor Cretu <tudor.cretu@arm.com>
-
The return value of restart_syscall() is the return value of whatever syscall is being restarted. Conceptually, this can also be a capability, but there aren't any syscalls that have implemented a restart function and return a capability. So, add a comment explaining why it is left unmodified.
Signed-off-by: Tudor Cretu <tudor.cretu@arm.com>
-
Kevin Brodsky authored
Introduce CONFIG_CHERI_PURECAP_UABI in the documentation with the relevant caveats, and update a few places accordingly.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
There is currently no straightforward way to determine if the kernel provides PCuABI, so printing some notice very early during the kernel boot should be helpful.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
arch_validate_sigaction() was introduced to enforce the additional constraints on sigaction in PCuABI, however it is called by both the native and the compat handler. Since the compat ABI should be left unchanged, bail out if the caller is a compat task.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Structs ifconf and ifreq have user pointers as their members, so use the *_with_captags version of interfaces for PCuABI. This will copy the capability tag bits associated with the user memory. When config CHERI_PURECAP_UABI is not present, then simply perform copy_from_user/copy_to_user.
Signed-off-by: Tudor Cretu <tudor.cretu@arm.com>
Co-developed-by: Kevin Brodsky <kevin.brodsky@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Without returning the creg register, sigreturn clears the metadata of C0 every time it's invoked. So enable returning a capability for sigreturn and choose the correct register set.
Signed-off-by: Tudor Cretu <tudor.cretu@arm.com>
-
Add the macros that allow changing the return type for the COMP syscalls.
Signed-off-by: Tudor Cretu <tudor.cretu@arm.com>
-
Before this change, only syscalls with parameters were allowed to return capabilities. This was previously done by modifying the __SYSCALL_DEFINEx macro, which doesn't handle SYSCALL_DEFINE0. The SYSCALL_DEFINE0 macro is tweaked to allow the change of the return type.
Signed-off-by: Tudor Cretu <tudor.cretu@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
In compat64, the syscall never returns a valid capability. Therefore setting C0 to the return of the syscall will always clear the metadata of the register. This is problematic in the case of sigreturn syscall, which must restore all registers, including C0. The change aligns compat64 with the standard ABI (!PCuABI), where X0 is always merged into C0 without it being cleared, regardless of the syscall.
Signed-off-by: Tudor Cretu <tudor.cretu@arm.com>
-
Kevin Brodsky authored
Enable support for the FAT filesystem to be able to mount the EFI partition (for instance). The CONFIG_NLS_* options are also required (already included in the standard defconfig). While at it, reorder CONFIG_HW_RANDOM* to match the output of make savedefconfig.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Enable options to use USB, SATA and network devices on the Morello board.
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Use PCuABI-friendly functions to convert addresses to capability pointers or vice-versa. This is a minimal diff to get ATA to build. It may need to be revisited for functionality changes for PCuABI.
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
-
Since commit "fs/ioctl: Modify 3rd argument of fops->unlocked_ioctl to user_uintptr_t", block_device_operations->ioctl() must take a user_uintptr_t as its third argument, in order to pass along CHERI capabilities. Update sd_ioctl() to match.
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
-
Kevin Brodsky authored
In compat64, pointers are 64-bit, and cannot be represented as u32; the appropriate type to represent compat pointers is compat_uptr_t. Adjust processcompl_compat() accordingly. Since the definition of USBDEVFS_REAPURB{,NDELAY} is based on the size of void * from a userspace perspective, USBDEVFS_REAPURB{,NDELAY}32 also need to be adjusted.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
The USBDEVFS_*32 constants represent the corresponding ioctl requests in the compat ABI. Userspace should have no need for them since they are purely intended for internal kernel usage. Accordingly, move them out of the uapi header. This move will be required to modify USBDEVFS_REAPURB{,NDELAY}32 to support compat64, as compat_* types cannot be used in uapi headers.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
The definition of USBDEVFS_REAPURB{,NDELAY} is currently based on the size of void *, which is not appropriate in PCuABI where user pointers are of a different size. Annotate the pointers with __user to fix this.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Since commit "fs/ioctl: Modify 3rd argument of fops->unlocked_ioctl to user_uintptr_t", file_operations->unlocked_ioctl() must take a user_uintptr_t as its third argument, in order to pass along CHERI capabilities. Update usbdev_ioctl() to match.
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Use PCuABI-friendly functions to convert addresses to capability pointers or vice-versa. Also use put_user_ptr to store user pointers. This is a minimal diff to get USB to build. It may need to be revisited for functionality changes for PCuABI.
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
Co-developed-by: Kevin Brodsky <kevin.brodsky@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
CHERI compilers mandatorily need __capability annotations after the pointer[*] in case of double pointers. In order to minimise the need to disambiguate double user pointers, user pointers are now passed around as straightforward void __user * instead of double user pointers. This also allows us to get rid of a number of casts. Note that the actual type that processcompl() takes is a double user pointer (as per the cast when calling put_user()).
Signed-off-by: Kristina Martsenko <kristina.martsenko@arm.com>
Co-developed-by: Kevin Brodsky <kevin.brodsky@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
For some reason, compat_sys_ptrace() is only used in some arch-specific <asm/unistd.h>. Make use of it in <asm-generic/unistd.h> too, so that it is used on architectures where compat uses <asm-generic/unistd.h>, such as in the arm64 + compat64 case.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
compat_arch_ptrace() is currently entirely specific to AArch32. In order to support compat64, introduce an appropriate implementation of compat_arch_ptrace() that mirrors the native arch_ptrace().
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
compat_ptrace_request() does not currently handle all requests where the addr or data argument is a user pointer. Make it do so in order to support compat64, in which case compat_ptr() must always be used to obtain a valid user pointer from a compat user pointer. To avoid duplication, the handling of PTRACE_{GET,SET}SIGMASK is moved to helpers that are now called from both ptrace_request() and compat_ptrace_request() (like most other requests). Note that PTRACE_PEEKSIGINFO is a special case as it interprets both addr and data as user pointers, but ptrace_peek_siginfo() converts the data argument to a user pointer itself if currently in a compat syscall, so there is no need to do so in compat_ptrace_request().
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
Since commit "arm64: morello: Add support for TLS as capabilities", thread.uw.tp_value is a capability in PCuABI. A few places have not been updated accordingly, in particular morello_flush_cap_regs_to_64_regs(), which truncates CTPIDR to a 64-bit integer before storing it in tp_value. Cast it to user_uintptr_t instead to make it work as intended with and without PCuABI. This fixes ptrace(PTRACE_SETREGSET, NT_ARM_MORELLO). Conversely, tls_get() still operates on 64-bit integers (to preserve the existing uapi), but the size it writes to user memory is currently inferred from the size of tp_value, which is a full capability in PCuABI. Cast it to unsigned long explicitly to avoid this. This fixes ptrace(PTRACE_GETREGSET, NT_ARM_TLS). While at it, also add casts in tls_set() to make the conversions explicit. This change is only cosmetic.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
These are not particularly useful, and they cause problems when running some LTP tests. CONFIG_EXT4_FS was implicitly selected, we now need to select it explicitly. Note that the ext{2,3} filesystems remain available in userspace, as they can be handled by the ext4 driver itself.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
Most of what compat_blkdev_ioctl() does works regardless of the compat bitness, but a few parts are specific to 32-bit. Make these work for compat64 too by using the appropriate compat_* types to match native types, instead of hardcoding 32-bit integers.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Add very basic tests for address space management syscalls with the intent of validating their capabilities support.
Signed-off-by: Victor Do Nascimento <victor.donascimento@arm.com>
Co-developed-by: Beata Michalska <beata.michalska@arm.com>
Signed-off-by: Beata Michalska <beata.michalska@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Create a simple test to check our ability to modify and retrieve a process' scheduler policy.
Signed-off-by: Victor Do Nascimento <victor.donascimento@arm.com>
Co-developed-by: Beata Michalska <beata.michalska@arm.com>
Signed-off-by: Beata Michalska <beata.michalska@arm.com>
-
Add very basic test cases for waitid ensuring correct behaviour and capability support for struct siginfo and struct rusage pointer args.
Signed-off-by: Victor Do Nascimento <victor.donascimento@arm.com>
Co-developed-by: Beata Michalska <beata.michalska@arm.com>
Signed-off-by: Beata Michalska <beata.michalska@arm.com>
-
Provide a provisional (minimalistic) implementation for mmap that will perform very basic validation on the obtained capability (if any), along with a direct mmap syscall wrapper for quick memory allocations. Both are made available from within the main header file, exposing them for use by diverse unit tests.
Signed-off-by: Victor Do Nascimento <victor.donascimento@arm.com>
Co-developed-by: Beata Michalska <beata.michalska@arm.com>
Signed-off-by: Beata Michalska <beata.michalska@arm.com>
-
Now most of the building blocks are in place so let's enable compat64 signal handling support. In order to do so, add a new file signal_compat64.c which implements the compat frame setup functions by re-using the existing signal.c code. This new file redefines some of the structures and functions to point to the corresponding compat versions. As signal.c is re-used, a few global functions, native frame setup structures and PCuABI-specific changes cause warnings and errors, so add a compat64-specific definition SIGNAL_COMPAT64 to filter out such code for the compat64 case.
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
Co-developed-by: Kevin Brodsky <kevin.brodsky@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Kevin Brodsky authored
From a uapi perspective, siginfo_t has a fixed size of 128 bytes regardless of the ABI and architecture. This is achieved through a union that includes a padding array. In compat_siginfo_t, the union does not include the "header" of common members (si_signo / si_errno / si_code); as a result, the padding array needs to account for them. The calculation is unfortunately invalid in compat64 as it assumes that the _sifields union has the same alignment as an int (4), which is no longer true as compat_uptr_t is 8 bytes, requiring the whole union to be aligned to 8 bytes. Fix this by accounting for the alignment requirement in the calculation.
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
The native {set/get}itimer system call is suitable for 64-bit compat. The user parameter struct itimerval maps to kernel struct __kernel_old_timeval directly instead of struct old_itimerval32 for compat64 mode.
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
-
get_compat_sigset and put_compat_sigset are used by the compat rt_sigaction syscall and a few other compat syscalls, so they need to be modified for 64-bit compat. As compat_sigset_t and sigset_t are similar for compat64 and native, use only copy_from_user/copy_to_user as done for the native case and mask out the 32-bit specific changes.
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
-
In the compat64 case, the structures sigset_t and compat_sigset_t can be defined as the same, so modify the datatypes (compat_old_sigset_t, compat_sigset_word) and macros (_COMPAT_NSIG, _COMPAT_NSIG_BPW) to be the same as native.
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
Co-developed-by: Kevin Brodsky <kevin.brodsky@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
The compat layer for PCuABI is compat64 and hence AArch32-specific code (signal32.c and sigreturn32.c) is compiled only when the COMPAT32 config is present. The native sigreturn syscall handler is temporarily used for the compat sigreturn syscall to let the compilation go through. This will be removed after the full compat64 signal support is added.
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
-
The existing 4K stack size is not sufficient to hold different signal contexts and registers (arm64, morello, fpsimd etc.) and causes stack corruption when signals occur. Increase the stack size to a safe limit SIGSTKSZ or 16K.
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
-
This test verifies that the signals SIGALRM and SIGILL are raised and received in the registered signal handler. A few sanity checks are done on the different signal frame parameters.
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-
Assign suitable capabilities along with values for stack pointer, frame pointer, sa_handler, siginfo_t, ucontext etc. when setting up the user signal frame. All instances of uaddr_to_user_ptr() to create capabilities are removed by using capabilities from user CSP register. Make use of user_ptr_addr() function for capability pointer to address conversion. The code for parsing extra context is re-structured to avoid creating capability.
Signed-off-by: Amit Daniel Kachhap <amit.kachhap@arm.com>
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
-