vm_map reservations interface #913
Conversation
qwattash
force-pushed
the
dev-purecap-kernel-reservations
branch
from
a713983 to
c674803
Compare
qwattash
force-pushed
the
dev-purecap-kernel-reservations
branch
from
c674803 to
813eead
Compare
sys/kern/sysv_shm.c
Outdated
| @@ -561,22 +565,29 @@ kern_shmat_locked(struct thread *td, int shmid, | |||
| max_va = 0; | |||
| #endif | |||
| vm_object_reference(shmseg->object); | |||
| rv = vm_map_find(&p->p_vmspace->vm_map, shmseg->object, 0, &attach_va, | |||
| attach_addr = attach_va; | |||
There was a problem hiding this comment.
I don't understand this diff, attach_va isn't used again so why do we need to introduce a copy?
There was a problem hiding this comment.
It was done to differentiate the variable holding the hint and the one holding the actual capability, it doesn't add anything to the logic though, I'll take it out and reduce the diff
There was a problem hiding this comment.
shm requires some more work for reservations anyway, but this is probably not the PR for all of it.
sys/kern/uipc_shm.c
Outdated
| goto fail; | ||
| next_entry = vm_map_entry_succ(prev_entry); | ||
| if (next_entry->start < *addr + size) | ||
| /* MAP_FIXED */ |
There was a problem hiding this comment.
The loss of a separate MAP_EXCL case concerns me; do we have kyua tests to cover the upstream behaviour that we can run to verify this doesn't break things?
There was a problem hiding this comment.
This has now changed. I found kyua tests that were not being ran that check this behaviour and fixed them. There is one that seems to be failing in dev as well and I have not debugged it thoroughly. The rest has been checked on amd64, I need to check on riscv as it has superpages but seemingly support for non-transparent large pages is disabled.
Edit: RISCV pmap is missing handling of the PMAP_ENTER_LARGEPAGE flag for pmap_enter() from vm_fault. I believe this is the reason we do not have full non-transparent large page support there.
| @@ -104,11 +104,11 @@ | |||
| #define MAP_EXCL 0x00004000 /* for MAP_FIXED, fail if address is used */ | |||
| #define MAP_NOCORE 0x00020000 /* dont include these pages in a coredump */ | |||
| #define MAP_PREFAULT_READ 0x00040000 /* prefault mapping for reading */ | |||
| #ifdef __LP64__ | |||
| #if defined(__LP64__) || defined(__CHERI_PURE_CAPABILITY__) | |||
There was a problem hiding this comment.
Unrelated. But also wrong for RV32.
| * XXX-AM: we need to recreate the capability for the | ||
| * stack reservation. This is hacky, we should have | ||
| * a way to recover it. Maybe save it as a capability | ||
| * in the map entry? |
There was a problem hiding this comment.
I wonder if @trasz has any thoughts on this. Right now, a "main" stack is extremely integral to maps that apply to single processes, but it's certainly more complicated in colocated processes.
There was a problem hiding this comment.
I think that we may end up having a more complex structure to represent a reservation, instead of a plain vaddr of the start of the reservation. This will allow us to have extra metadata in there, which we also would need to record the original reservation maxprot, depending on how we handle things in vm_map_delete().
qwattash
force-pushed
the
dev-purecap-kernel-reservations
branch
4 times, most recently
from
124fde1 to
b4dedc2
Compare
Switch to using a local scratch variable instead of assiging temporary values to the output parameter.
- Change the vm_map_delete() interface, this is now for internal use only and vm_map_remove() should be used instead. - Add vm_map_clear() to explicitly discard all mappings in a given map. - Add vm_map_reservation_create, vm_map_reservation_delete and their _locked variants, these enforce reservation representability. - Drop the MAP_CREATE_UNMAPPED vm_map flag. - Export vm_map_alignspace(). - Move vm_map_prot2perms() from vm_mmap to vm_map. - Update mmap syscall handlers to use new reservations interface.
This is currently required as vm_map is exported via user.h
Create reservations for the shared page and stack.
qwattash
force-pushed
the
dev-purecap-kernel-reservations
branch
from
b4dedc2 to
8b9a8cf
Compare
qwattash
force-pushed
the
dev-purecap-kernel-reservations
branch
from
8b9a8cf to
9e95fc4
Compare
qwattash
force-pushed
the
dev-purecap-kernel-reservations
branch
from
9e95fc4 to
4b21ef6
Compare
There was a problem hiding this comment.
I think this is basically ready to land. I did point out one style issue (that there are a couple instances of), but I'm not a stickler for it and don't feel it's a blocker.
It looks like we've drained all substantive kernel changes out of morello-dev so I think it's ok to land this.
| if (error != 0) | ||
| goto ret; | ||
|
|
||
| /* Round star/end addresses to representability */ | ||
| imgp->start_addr = CHERI_REPRESENTABLE_BASE(representable_start, |
There was a problem hiding this comment.
I wonder if we should just use the reservation capability here? We can then pass that directly to userspace after an appropriate candperm. Also means we no longer need the local diff that adds both start+end addr and insteadd we just store the mapping cap.
But that can obviously be done as a follow-up cleanup and doesn't need to be part of this PR.
There was a problem hiding this comment.
I have thought about doing that, but have not attempted it. Probably we should land this first as you say. We should do the same for interp_start
- Add capability for the image reservation in the image_params struct. - Update aout imgact to create a reservation for the whole image. - Update ELF imgact to create a reservation for the whole image and then map sections within it. - Replace all uses of vaddr_t with ptraddr_t. - Properly update rbase in ELF imgact to match the start of the reservation. - Remove the representable_start/end parameters from ELF imgact load_sections and related functions as the values can now safely be derived by rounding to representable boundaries.
This will enforce representability in the kernel allocations.
…m_mmap. Introduce vm_map_reservation_get helper to fetch the reservation ID of the reservation spanning spanning a requested range, if one and only one exists.
qwattash
force-pushed
the
dev-purecap-kernel-reservations
branch
from
4b21ef6 to
1f1974f
Compare
- Add root capability for each vm_map. All reservations will be created from this capability. - Allow software permission bits on root map capability so that those can be propagated down to mmap(). - Use vm_pointer_t where vm_offset_t represents a pointer. - Add assertions to check for capability invariants. This allows to propagate sowftware permission bits from the userspace capability down through mmap().
- Use vm_pointer_t for pointers instead of vm_offset_t - Ensure that the purecap kernel vm_map_fixed() will always be given a valid capability, both for purecap and hybrid userland.
… kernel. Cast to uintptr_t via uintcap_t instead.
- Use vm_pointer_t where vm_offset_t is used to hold a pointer. - Properly setup the stack capability for purecap.
qwattash
force-pushed
the
dev-purecap-kernel-reservations
branch
from
1f1974f to
29e4600
Compare
Introduce purecap-kernel reservation changes.