root/mm/mseal.c 
// SPDX-License-Identifier: GPL-2.0
/*
 *  Implement mseal() syscall.
 *
 *  Copyright (c) 2023,2024 Google, Inc.
 *
 *  Author: Jeff Xu <jeffxu@chromium.org>
 */

#include <linux/mempolicy.h>
#include <linux/mman.h>
#include <linux/mm.h>
#include <linux/mm_inline.h>
#include <linux/syscalls.h>
#include <linux/sched.h>
#include "internal.h"

/*
 * mseal() disallows an input range which contain unmapped ranges (VMA holes).
 *
 * It disallows unmapped regions from start to end whether they exist at the
 * start, in the middle, or at the end of the range, or any combination thereof.
 *
 * This is because after sealing a range, there's nothing to stop memory mapping
 * of ranges in the remaining gaps later, meaning that the user might then
 * wrongly consider the entirety of the mseal()'d range to be sealed when it
 * in fact isn't.
 */

/*
 * Does the [start, end) range contain any unmapped memory?
 *
 * We ensure that:
 * - start is part of a valid VMA.
 * - end is part of a valid VMA.
 * - no gap (unallocated memory) exists between start and end.
 */
static bool range_contains_unmapped(struct mm_struct *mm,
                unsigned long start, unsigned long end)
{
        struct vm_area_struct *vma;
        unsigned long prev_end = start;
        VMA_ITERATOR(vmi, current->mm, start);

        for_each_vma_range(vmi, vma, end) {
                if (vma->vm_start > prev_end)
                        return true;

                prev_end = vma->vm_end;
        }

        return prev_end < end;
}

static int mseal_apply(struct mm_struct *mm,
                unsigned long start, unsigned long end)
{
        struct vm_area_struct *vma, *prev;
        VMA_ITERATOR(vmi, mm, start);

        /* We know there are no gaps so this will be non-NULL. */
        vma = vma_iter_load(&vmi);
        prev = vma_prev(&vmi);
        if (start > vma->vm_start)
                prev = vma;

        for_each_vma_range(vmi, vma, end) {
                const unsigned long curr_start = MAX(vma->vm_start, start);
                const unsigned long curr_end = MIN(vma->vm_end, end);

                if (!(vma->vm_flags & VM_SEALED)) {
                        vm_flags_t vm_flags = vma->vm_flags | VM_SEALED;

                        vma = vma_modify_flags(&vmi, prev, vma, curr_start,
                                               curr_end, &vm_flags);
                        if (IS_ERR(vma))
                                return PTR_ERR(vma);
                        vm_flags_set(vma, VM_SEALED);
                }

                prev = vma;
        }

        return 0;
}

/*
 * mseal(2) seals the VM's meta data from
 * selected syscalls.
 *
 * addr/len: VM address range.
 *
 *  The address range by addr/len must meet:
 *   start (addr) must be in a valid VMA.
 *   end (addr + len) must be in a valid VMA.
 *   no gap (unallocated memory) between start and end.
 *   start (addr) must be page aligned.
 *
 *  len: len will be page aligned implicitly.
 *
 *   Below VMA operations are blocked after sealing.
 *   1> Unmapping, moving to another location, and shrinking
 *      the size, via munmap() and mremap(), can leave an empty
 *      space, therefore can be replaced with a VMA with a new
 *      set of attributes.
 *   2> Moving or expanding a different vma into the current location,
 *      via mremap().
 *   3> Modifying a VMA via mmap(MAP_FIXED).
 *   4> Size expansion, via mremap(), does not appear to pose any
 *      specific risks to sealed VMAs. It is included anyway because
 *      the use case is unclear. In any case, users can rely on
 *      merging to expand a sealed VMA.
 *   5> mprotect and pkey_mprotect.
 *   6> Some destructive madvice() behavior (e.g. MADV_DONTNEED)
 *      for anonymous memory, when users don't have write permission to the
 *      memory. Those behaviors can alter region contents by discarding pages,
 *      effectively a memset(0) for anonymous memory.
 *
 *  flags: reserved.
 *
 * return values:
 *  zero: success.
 *  -EINVAL:
 *   invalid input flags.
 *   start address is not page aligned.
 *   Address range (start + len) overflow.
 *  -ENOMEM:
 *   addr is not a valid address (not allocated).
 *   end (start + len) is not a valid address.
 *   a gap (unallocated memory) between start and end.
 *  -EPERM:
 *  - In 32 bit architecture, sealing is not supported.
 * Note:
 *  user can call mseal(2) multiple times, adding a seal on an
 *  already sealed memory is a no-action (no error).
 *
 *  unseal() is not supported.
 */
int do_mseal(unsigned long start, size_t len_in, unsigned long flags)
{
        size_t len;
        int ret = 0;
        unsigned long end;
        struct mm_struct *mm = current->mm;

        /* Verify flags not set. */
        if (flags)
                return -EINVAL;

        start = untagged_addr(start);
        if (!PAGE_ALIGNED(start))
                return -EINVAL;

        len = PAGE_ALIGN(len_in);
        /* Check to see whether len was rounded up from small -ve to zero. */
        if (len_in && !len)
                return -EINVAL;

        end = start + len;
        if (end < start)
                return -EINVAL;

        if (end == start)
                return 0;

        if (mmap_write_lock_killable(mm))
                return -EINTR;

        if (range_contains_unmapped(mm, start, end)) {
                ret = -ENOMEM;
                goto out;
        }

        /*
         * Second pass, this should success, unless there are errors
         * from vma_modify_flags, e.g. merge/split error, or process
         * reaching the max supported VMAs, however, those cases shall
         * be rare.
         */
        ret = mseal_apply(mm, start, end);

out:
        mmap_write_unlock(mm);
        return ret;
}

SYSCALL_DEFINE3(mseal, unsigned long, start, size_t, len, unsigned long,
                flags)
{
        return do_mseal(start, len, flags);
}