[PATCH 1/5] mm: Introduce vm_mmap_shadow_stack() as a helper for VM_SHADOW_STACK mappings
Edgecombe, Rick P
rick.p.edgecombe at intel.com
Tue Feb 24 11:47:10 PST 2026
On Tue, 2026-02-24 at 17:57 +0000, Catalin Marinas wrote:
> arm64, riscv and x86 use a similar pattern for mapping the user shadow
> stack (cloned from x86). Extract this into a helper to facilitate code
> reuse.
>
> The call to do_mmap() from the new helper uses PROT_READ|PROT_WRITE prot
> bits instead of the PROT_READ with an explicit VM_WRITE vm_flag. The
> x86 intent was to avoid PROT_WRITE implying normal write since the
> shadow stack is not writable by normal stores. However, from a kernel
> perspective, the vma is writeable. Functionally there is no difference.
We allow mprotect()ing shadow stack memory with PROT_WRITE to set or clear
shadow stack type of writability. So PROT_WRITE doesn't even imply normal
writable memory in the real mmap() syscall. I agree the code is clearer with
this change.
>
> Signed-off-by: Catalin Marinas <catalin.marinas at arm.com>
> Cc: Andrew Morton <akpm at linux-foundation.org>
> Cc: David Hildenbrand <david at kernel.org>
> ---
> include/linux/mm.h | 4 ++++
> mm/util.c | 25 +++++++++++++++++++++++++
> 2 files changed, 29 insertions(+)
>
> diff --git a/include/linux/mm.h b/include/linux/mm.h
> index 5be3d8a8f806..1f28be975f86 100644
> --- a/include/linux/mm.h
> +++ b/include/linux/mm.h
> @@ -3908,6 +3908,10 @@ extern int vm_munmap(unsigned long, size_t);
> extern unsigned long __must_check vm_mmap(struct file *, unsigned long,
> unsigned long, unsigned long,
> unsigned long, unsigned long);
> +#ifdef CONFIG_ARCH_HAS_USER_SHADOW_STACK
Why does it need to compile out the declaration here?
> +extern unsigned long __must_check vm_mmap_shadow_stack(unsigned long addr,
> + unsigned long len, unsigned long flags);
> +#endif
>
> struct vm_unmapped_area_info {
> #define VM_UNMAPPED_AREA_TOPDOWN 1
> diff --git a/mm/util.c b/mm/util.c
> index b05ab6f97e11..2592291948f0 100644
> --- a/mm/util.c
> +++ b/mm/util.c
> @@ -618,6 +618,31 @@ unsigned long vm_mmap(struct file *file, unsigned long addr,
> }
> EXPORT_SYMBOL(vm_mmap);
>
> +#ifdef CONFIG_ARCH_HAS_USER_SHADOW_STACK
> +/*
> + * Perform a userland memory mapping for a shadow stack into the current
> + * process address space. This is intended to be used by architectures that
> + * support user shadow stacks.
> + */
> +unsigned long vm_mmap_shadow_stack(unsigned long addr, unsigned long len,
> + unsigned long flags)
> +{
> + struct mm_struct *mm = current->mm;
> + unsigned long ret, unused;
> +
> + flags |= MAP_ANONYMOUS | MAP_PRIVATE;
> + if (addr)
> + flags |= MAP_FIXED_NOREPLACE;
> +
> + mmap_write_lock(mm);
> + ret = do_mmap(NULL, addr, len, PROT_READ | PROT_WRITE, flags,
> + VM_SHADOW_STACK, 0, &unused, NULL);
> + mmap_write_unlock(mm);
> +
> + return ret;
> +}
> +#endif /* CONFIG_ARCH_HAS_USER_SHADOW_STACK */
> +
> /**
> * __vmalloc_array - allocate memory for a virtually contiguous array.
> * @n: number of elements.
More information about the linux-arm-kernel
mailing list