mm: Allow userspace to reserve VA range for use by userspace only

Add support for ELF binaries to reserve address ranges. Address
range can be reserved at load time by adding an ELF NOTE section, or
at run time with mprotect() with PROT_RESERVED flag. Reserved ranges
can be allocated with mmap(..... MAP_FIXED...) and shmat(....,
SHM_REMAP) later. Any reserved address ranges are annotated with
"[rsvd]" in /proc/<pid>/maps output. A binary can check if the
kernel supports VA range reservation by checking the value of
auxiliary vector AT_VA_RESERVATION.

VA reservation is done by adding a special NOTE section to binary
using declarations similar to following:

        .section .note.rsvd_range, "a", @note
        .p2align 2
        .long 1f - 0f           # name size (not including padding)
        .long 3f - 2f           # desc size (not including padding)
        .long 0x07c10001
0:      .asciz "Reserved VA"        # name
1:      .p2align 2
2:      .quad 0x7f2000000000
        .quad 0x7f2000e00000
        .quad 0x7f5000200000
        .quad 0x7f500d000000
3:  .p2align 2

Each reserved range is specified as pair of addresses (start and
end).  This note section is read by kernel elf loader and address
ranges are reserved for the lifetime of process. A maximum of 64
such entries can be made in NOTE section. Execution of a binary file
with more than 64 pairs of addresses in this note section will be
terminated with ENOEXEC.

NOTE: Kernel can not guarantee all VA ranges in the NOTE section
will be reserved. If the address range is valid but is already in
use (possibly by a shared library loaded earlier), execution of
binary will be terminated with ENOMEM.

NOTE: This feature needs two VMA flag bits. There are no free bits
available in lower 32 bits. As a result this feature can only be
supported on architectures that support high VMA flag bits (bits
32-63).

NOTE: Due to limitations in the implementation, when mapping a
range over over one or more reserved ranges the range must be
entirely contained within a reserved range or a contiguous set of
reserved ranges. mmap() will fail and set errno to EINVAL if
the range to map is only partly reserved.

-----------------------------
Upstream status of this patch
-----------------------------

This patch will not be submitted upstream. It solves a specific
problem for database in a way that mostly works for DB. It will be
very difficult to get this patch accepted upstream. There are two
issues that make it difficult - (1) These changes do not solve the
problem fully, (2) There are other ways to solve this problem
without kernel changes.

The reason these changes do not solve this problem fully is kernel
does not get called to load ELF binary until after the loader has
already loaded all the libraries. It is possible that one of the
libraries might get loaded at the address we want to reserve and by
the time kernel gets a chance to reserve the address range, it is
already too late.

There are three other ways to solve this problem besides modifying
the kernel:

1. Create a binary that gets started before DB starts, reserves
address ranges using mmap(MAP_FIXED) and then launches DB as child
process with address ranges reserved. This still leaves open the
possibility address ranges were already consumed by libraries but I
believe this is roughly the solution used on Solaris.

2. Use LD_PRELOAD to preload a special library which reserves
address ranges in its init routine. Now when DB starts, it can call
into this special library and get addresses for all the address
ranges that have been reserved. This can work conceptually but it
needs to be prototyped and tested to see if LD_PRELOAD libraries get
loaded before other libraries and if address reservation using mmap
in special library survives.

3. A custom loader which reserves address ranges first before
loading any other libraries. This is the only solution that can
guarantee DB will get the address ranges it wants to reserve.

This feature became more or less a requirement for DB to be able to
enable ASLR which customers were asking for. A custom loader can
provide a potential solution even with ASLR.

Orabug: 30135230

Signed-off-by: Khalid Aziz <[email protected]>
Signed-off-by: Anthony Yznaga <[email protected]>
Reviewed-by: Konrad Rzeszutek Wilk <[email protected]>
Reviewed-by: Mike Kravetz <[email protected]>
Reviewed-by: William Kucharski <[email protected]>
Reviewed-by: Khalid Aziz <[email protected]>

Author: hikerockies

arch/x86/Kconfig

@@ -35,6 +35,7 @@ config X86_64
 	select ARCH_HAS_ELFCORE_COMPAT
 	select ZONE_DMA32
 	select EXECMEM if DYNAMIC_FTRACE
+	select ARCH_USES_HIGH_VMA_FLAGS
 
 config FORCE_DYNAMIC_FTRACE
 	def_bool y

fs/binfmt_elf.c

@@ -90,6 +90,8 @@ static int elf_core_dump(struct coredump_params *cprm);
 #define ELF_MIN_ALIGN	PAGE_SIZE
 #endif
 
+#define MAX_FILE_NOTE_SIZE (4*1024*1024)
+
 #ifndef ELF_CORE_EFLAGS
 #define ELF_CORE_EFLAGS	0
 #endif
@@ -274,6 +276,7 @@ create_elf_tables(struct linux_binprm *bprm, const struct elfhdr *exec,
 	NEW_AUX_ENT(AT_RSEQ_FEATURE_SIZE, offsetof(struct rseq, end));
 	NEW_AUX_ENT(AT_RSEQ_ALIGN, __alignof__(struct rseq));
 #endif
+	NEW_AUX_ENT(AT_VA_RESERVATION, 1);
 #undef NEW_AUX_ENT
 	/* AT_NULL is zero; clear the rest too */
 	memset(elf_info, 0, (char *)mm->saved_auxv +
@@ -816,6 +819,106 @@ static int parse_elf_properties(struct file *f, const struct elf_phdr *phdr,
 	return ret == -ENOENT ? 0 : ret;
 }
 
+#define MAX_RSVD_VA_RANGES	64
+#define RSVD_VA_STRING		"Reserved VA"
+#define SZ_RSVD_VA_STRING	sizeof(RSVD_VA_STRING)
+
+static int reserve_va_range(struct elf_phdr *elf_ppnt,
+				struct linux_binprm *bprm)
+{
+	char *note_seg = NULL;
+	struct elf_note *note;
+	loff_t pos = elf_ppnt->p_offset;
+	int retval = 0;
+	size_t note_size = elf_ppnt->p_filesz;
+
+	note_seg = kvmalloc(note_size, GFP_KERNEL);
+	if (!note_seg) {
+		retval = -ENOMEM;
+		return retval;
+	}
+
+	retval = kernel_read(bprm->file, note_seg, note_size, &pos);
+	if (retval != note_size) {
+		if (retval >= 0)
+			retval = -EIO;
+		goto out;
+	}
+
+	note = (struct elf_note *)note_seg;
+	while ((char *)note + sizeof(struct elf_note) <
+	       (char *)(note_seg + note_size)) {
+		char *name;
+		unsigned long *val;
+		unsigned long nentry, i;
+
+		if (note->n_type != 0x07c10001)
+			goto cont_loop;
+
+		/* Sanity check for malformed note entry */
+		if (note->n_namesz > SZ_RSVD_VA_STRING) {
+			retval = -ENOEXEC;
+			goto out;
+		}
+
+		name = (char *)note + sizeof(struct elf_note);
+		if (strncmp(name, RSVD_VA_STRING, SZ_RSVD_VA_STRING) == 0) {
+			nentry = note->n_descsz/sizeof(void *);
+			val = (unsigned long *)(name +
+						roundup(note->n_namesz, 4));
+			/*
+			 * Check if right number of address
+			 * entries exist in note section
+			 */
+			if (((nentry % 2) != 0) ||
+				((nentry / 2) > MAX_RSVD_VA_RANGES)) {
+				retval = -ENOEXEC;
+				goto out;
+			}
+			for (i = 0 ; i < nentry; i += 2) {
+				unsigned long range1, range2, size;
+				struct mm_struct *mm = current->mm;
+
+				/*
+				 * Ensure we can access two address entries
+				 * in this note segment safely
+				 */
+				if ((char *)(val + 1) >=
+					((char *)note_seg + note_size)) {
+					retval = -ENOEXEC;
+					goto out;
+				}
+				range1 = PAGE_ALIGN((*val++) - PAGE_SIZE + 1);
+				range2 = PAGE_ALIGN(*val++);
+				size = range2 - range1;
+
+				/* Validate the address range being reserved */
+				if ((range2 <= range1) ||
+					(!access_ok((void *)range1, size))) {
+					retval = -ENOEXEC;
+					goto out;
+				}
+
+				mmap_write_lock(mm);
+				retval = install_rsvd_mapping(mm, range1,
+							      (range2-range1));
+				mmap_write_unlock(mm);
+				if (retval < 0)
+					goto out;
+			}
+		}
+cont_loop:
+		note = (struct elf_note *)((char *)note +
+						sizeof(struct elf_note) +
+						roundup(note->n_namesz, 4) +
+						roundup(note->n_descsz, 4));
+	}
+
+out:
+	kvfree(note_seg);
+	return retval;
+}
+
 static int load_elf_binary(struct linux_binprm *bprm)
 {
 	struct file *interpreter = NULL; /* to shut gcc up */
@@ -1022,6 +1125,24 @@ static int load_elf_binary(struct linux_binprm *bprm)
 	start_data = 0;
 	end_data = 0;
 
+	/*
+	 * Read the notes segment to find notes to reserve address space
+	 */
+	elf_ppnt = elf_phdata;
+	for (i = 0; i < elf_ex->e_phnum; i++, elf_ppnt++)
+		if (elf_ppnt->p_type == PT_NOTE) {
+			/* Sanity check for bogus note segment */
+			if ((elf_ppnt->p_filesz > MAX_FILE_NOTE_SIZE) ||
+				(elf_ppnt->p_filesz < sizeof(struct elf_note))) {
+				retval = -ENOEXEC;
+				goto out_free_ph;
+			}
+			retval = reserve_va_range(elf_ppnt, bprm);
+			if (retval < 0)
+				goto out_free_ph;
+		}
+
+
 	/* Now we do a little grungy work by mmapping the ELF image into
 	   the correct location in memory. */
 	for(i = 0, elf_ppnt = elf_phdata;

include/linux/mm.h

@@ -321,12 +321,16 @@ extern unsigned int kobjsize(const void *objp);
 #define VM_HIGH_ARCH_BIT_3	35	/* bit only usable on 64-bit architectures */
 #define VM_HIGH_ARCH_BIT_4	36	/* bit only usable on 64-bit architectures */
 #define VM_HIGH_ARCH_BIT_5	37	/* bit only usable on 64-bit architectures */
+#define VM_HIGH_ARCH_BIT_16	48	/* bit only usable on 64-bit architectures */
+#define VM_HIGH_ARCH_BIT_17	49	/* bit only usable on 64-bit architectures */
 #define VM_HIGH_ARCH_0	BIT(VM_HIGH_ARCH_BIT_0)
 #define VM_HIGH_ARCH_1	BIT(VM_HIGH_ARCH_BIT_1)
 #define VM_HIGH_ARCH_2	BIT(VM_HIGH_ARCH_BIT_2)
 #define VM_HIGH_ARCH_3	BIT(VM_HIGH_ARCH_BIT_3)
 #define VM_HIGH_ARCH_4	BIT(VM_HIGH_ARCH_BIT_4)
 #define VM_HIGH_ARCH_5	BIT(VM_HIGH_ARCH_BIT_5)
+#define VM_HIGH_ARCH_16	BIT(VM_HIGH_ARCH_BIT_16)
+#define VM_HIGH_ARCH_17	BIT(VM_HIGH_ARCH_BIT_17)
 #endif /* CONFIG_ARCH_USES_HIGH_VMA_FLAGS */
 
 #ifdef CONFIG_ARCH_HAS_PKEYS
@@ -381,6 +385,17 @@ extern unsigned int kobjsize(const void *objp);
 # define VM_MTE_ALLOWED	VM_NONE
 #endif
 
+#ifdef CONFIG_ARCH_USES_HIGH_VMA_FLAGS
+# define VM_RSVD_VA		VM_HIGH_ARCH_16	/* Reserved VA range */
+# define VM_RSVD_NORELINK	VM_HIGH_ARCH_17	/* VA range unmapped by
+						 * userspace but still reserved
+						 * for use by userspace only
+						 */
+#else
+# define VM_RSVD_VA		VM_NONE
+# define VM_RSVD_NORELINK	VM_NONE
+#endif
+
 #ifndef VM_GROWSUP
 # define VM_GROWSUP	VM_NONE
 #endif
@@ -3319,6 +3334,8 @@ void anon_vma_interval_tree_verify(struct anon_vma_chain *node);
 	     avc; avc = anon_vma_interval_tree_iter_next(avc, start, last))
 
 /* mmap.c */
+extern int install_rsvd_mapping(struct mm_struct *mm, unsigned long addr,
+				unsigned long len);
 extern int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin);
 extern int vma_expand(struct vma_iterator *vmi, struct vm_area_struct *vma,
 		      unsigned long start, unsigned long end, pgoff_t pgoff,

include/uapi/asm-generic/mman-common.h

@@ -16,6 +16,7 @@
 #define PROT_NONE	0x0		/* page can not be accessed */
 #define PROT_GROWSDOWN	0x01000000	/* mprotect flag: extend change to start of growsdown vma */
 #define PROT_GROWSUP	0x02000000	/* mprotect flag: extend change to end of growsup vma */
+#define PROT_RESERVED	0x10000000	/* Reserve this VA range */
 
 /* 0x01 - 0x03 are defined in linux/mman.h */
 #define MAP_TYPE	0x0f		/* Mask for type of mapping */

include/uapi/linux/auxvec.h

@@ -41,4 +41,6 @@
 #define AT_MINSIGSTKSZ	51	/* minimal stack size for signal delivery */
 #endif
 
+#define AT_VA_RESERVATION	71	/* VA reservation support */
+
 #endif /* _UAPI_LINUX_AUXVEC_H */