Morello fixes for copy_*_user with caps#21
Open
heshamelmatary wants to merge 4 commits into
This patch implements the low-level tag-preserving uaccess routines.
Most of the existing logic for __arch_copy_{from,to}_user() is reused to
implement the new __arch_copy_{from,to}_user_with_captags().
copy_template.S is extended to copy capability tags for the
*_with_captags() variants (controlled by the COPY_CAPTAGS macro).
The approach is the same as a generic tag-preserving memcpy()
implementation (i.e. copy tags whenever possible, which requires at
least the source and destination addresses to be mutually aligned).
The existing {ldr,str}1 assembler macros can be reused as-is to
operate on capabilities; unfortunately this is not the case for
{ldp,stp}1, because they need to know the register size (8 for X, 16
for C). user_{ldp,stp} are extended and a new {ldp,stp}c1 pair is
introduced accordingly.
Note: the implementation of __arch_copy_{from,to}_user() remains
unchanged (i.e. they never preserve tags).
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
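The tag-preserving copy strategy described in this commit message (copy tags only when source and destination are mutually aligned, otherwise copy bytes and lose the tags), modelled in plain C as an added illustration; this is not code from the PR or from the Morello kernel. The simulated tagged memory, the tagged_mem type, copy_with_captags and the sample offsets are all constructed here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define CAP_SIZE 16          /* capability size in bytes on Morello */
#define MEM_SIZE 256         /* size of the simulated memory (constructed) */
/* Simulated tagged memory: data bytes plus one tag bit per 16-byte granule. */
typedef struct {
    uint8_t data[MEM_SIZE];
    bool tag[MEM_SIZE / CAP_SIZE];
} tagged_mem;
/*
 * Copy n bytes from src to dst inside m. Tags survive only for whole, aligned
 * granules and only when src and dst are mutually aligned (same offset modulo
 * CAP_SIZE); any destination granule written byte-wise loses its tag, as a
 * non-capability store would clear it. Ranges are assumed not to overlap.
 * Returns the number of granules copied together with their tag.
 */
size_t copy_with_captags(tagged_mem *m, size_t dst, size_t src, size_t n)
{
    bool mutually_aligned = (dst % CAP_SIZE) == (src % CAP_SIZE);
    size_t i = 0, tagged_copies = 0;
    while (i < n) {
        size_t d = dst + i, s = src + i;
        if (mutually_aligned && d % CAP_SIZE == 0 && n - i >= CAP_SIZE) {
            /* Capability-sized chunk: ldr/str on a C register keeps the tag. */
            memcpy(&m->data[d], &m->data[s], CAP_SIZE);
            m->tag[d / CAP_SIZE] = m->tag[s / CAP_SIZE];
            tagged_copies++;
            i += CAP_SIZE;
        } else {
            /* Unaligned head/tail or misaligned copy: plain store, tag lost. */
            m->data[d] = m->data[s];
            m->tag[d / CAP_SIZE] = false;
            i++;
        }
    }
    return tagged_copies;
}
int main(void)
{
    tagged_mem m = {0};
    m.tag[2] = true;  /* constructed: a valid capability stored at offset 32 */
    printf("aligned copy kept %zu tag(s)\n", copy_with_captags(&m, 64, 32, 32));
    printf("misaligned copy kept %zu tag(s)\n", copy_with_captags(&m, 65, 32, 32));
    return 0;
}
```

The same source region copied to a mutually aligned destination keeps its capability; shifting the destination by one byte makes every chunk fall back to byte copies and strips the tag, which is the difference between the *_with_captags() variants and the plain __arch_copy_{from,to}_user().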
copy_template currently copies the destination pointer to x6 then operates on that copy, while it directly operates on the source pointer (x1). In both cases a copy of the original pointer is required for the final fixup in copy_*_user, but not in copy_template itself.

Make things a little easier to follow by saving both pointers in copy_*_user, letting copy_template operate on the original pointers (x0 and x1) directly.

While at it, remove the "Returns" comment in copy_template, which is irrelevant.

Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
We have already amended {get,put}_user so that they access user
memory directly via the user capability in PCuABI; now it is time to
convert copy_*_user too. As a result, the copy will be aborted if
the user capability is unsuitable to perform the access (potentially
partway, in case the tail of the targeted region is out of bounds).
__arch_copy_{from,to}_user present an additional challenge in
that they are implemented fully in assembly. Fortunately, the
registers holding the source and destination pointers are mostly
used as base registers for load/store instructions. After switching
to C64, such instructions operate on C registers instead of X, so it
becomes simply a matter of modifying the register aliases in PCuABI;
the req_reg_pcuabi macro is introduced for that purpose. Explicit
ADD instructions are also used in the user_{ldst,ldp,stp} helpers;
those are unproblematic as they can operate on both X and C
registers.
In the few situations where the pointers are being somehow
inspected, we keep operating on their address only, by using the
corresponding X register; srcx and dstx are introduced for that
purpose. This is necessary in some cases due to the instruction
simply not accepting C registers (e.g. TST), while in others it is
rather a matter of convenience, as it means we don't need to convert
additional register aliases to capabilities (CMP, SUB).
Signed-off-by: Kevin Brodsky <kevin.brodsky@arm.com>
Morello LLVM allows opting into distinguishing between function pointers (which may be interposed on by a compartmentalisation runtime) and code pointers (which always directly point to specific instructions, for cases like C++ landing pads and GNU C indirect goto). Supporting both relocations (which are equivalent for kselftest's non-compartmentalised purposes) will allow for Morello LLVM to make this opt-in behaviour always-on, reducing the number of ABI combinations.

Signed-off-by: Jessica Clarke <jrtc27@jrtc27.com>
jrtc27
approved these changes
May 19, 2026
jrtc27
left a comment
(For applying my R_MORELLO_FUNC_RELATIVE commit)
This PR fixes broken integration of Morello support specifically to copy in/out capabilities to/from the user. e56f377 missed most parts and there are missing commits as well.
While here, also sync with latest Morello Linux and add a latest commit to support R_MORELLO_FUNC_RELATIVE.