From: Andrew Zaborowski
To: linux-edac@vger.kernel.org, linux-mm@kvack.org
Cc: Tony Luck, Borislav Petkov, Eric Biederman, Kees Cook
Subject: [PATCH][RFC] exec: x86: Ensure SIGBUS delivered on MCE
Date: Wed, 1 May 2024 03:53:40 +0200
Message-Id: <20240501015340.3014724-1-andrew.zaborowski@intel.com>

Uncorrected memory errors are signaled to processes using SIGBUS or an error retval from a syscall. But there's a corner case in execve where a SIGSEGV will be delivered. Specifically this will happen if the binary loader triggers a memory error reading user pages. The architecture's handler (MCE handler on x86) may queue a call to memory_failure but that won't run until the execve() returns. The binary loader is called after bprm->point_of_no_return is set meaning that any error is handled by bprm_execve() with a SIGSEGV to the process. To ensure it is terminated with a SIGBUS we 1. let pending work run in the bprm_execve error case. And 2.
ensure memory_failure() is passed MF_ACTION_REQUIRED so that the SIGBUS is queued. Normally when the MCE is in a syscall, a fixup of return IP and a call to kill_me_never are enough. But in this case it's necessary to queue kill_me_maybe() which will set MF_ACTION_REQUIRED. Reuse current->in_execve to make the decision. Signed-off-by: Andrew Zaborowski --- arch/x86/kernel/cpu/mce/core.c | 14 ++++++++++++++ fs/exec.c | 12 +++++++++--- include/linux/sched.h | 2 +- 3 files changed, 24 insertions(+), 4 deletions(-) diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c index 84d41be6d06b..11effdff942c 100644 --- a/arch/x86/kernel/cpu/mce/core.c +++ b/arch/x86/kernel/cpu/mce/core.c @@ -1593,6 +1593,20 @@ noinstr void do_machine_check(struct pt_regs *regs) else queue_task_work(&m, msg, kill_me_maybe); + } else if (current->in_execve) { + /* + * Cannot recover a task in execve() beyond point of no + * return but stop further user memory accesses. + */ + if (m.kflags & MCE_IN_KERNEL_RECOV) { + if (!fixup_exception(regs, X86_TRAP_MC, 0, 0)) + mce_panic("Failed kernel mode recovery", &m, msg); + } + + if (!mce_usable_address(&m)) + queue_task_work(&m, msg, kill_me_now); + else + queue_task_work(&m, msg, kill_me_maybe); } else { /* * Handle an MCE which has happened in kernel space but from diff --git a/fs/exec.c b/fs/exec.c index cf1df7f16e55..1bea9c252a11 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -67,6 +67,7 @@ #include #include #include +#include #include #include 
@@ -1888,10 +1889,15 @@ static int bprm_execve(struct linux_binprm *bprm) * If past the point of no return ensure the code never * returns to the userspace process. Use an existing fatal * signal if present otherwise terminate the process with - * SIGSEGV. + * SIGSEGV. Run pending work before that in case it is + * terminating the process with a different signal. */ - if (bprm->point_of_no_return && !fatal_signal_pending(current)) - force_fatal_sig(SIGSEGV); + if (bprm->point_of_no_return) { + task_work_run(); + + if (!fatal_signal_pending(current)) + force_fatal_sig(SIGSEGV); + } sched_mm_cid_after_execve(current); current->fs->in_exec = 0; diff --git a/include/linux/sched.h b/include/linux/sched.h index 3c2abbc587b4..8970a191d8fe 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -922,7 +922,7 @@ struct task_struct { unsigned sched_rt_mutex:1; #endif - /* Bit to tell TOMOYO we're in execve(): */ + /* Bit to tell TOMOYO and x86 MCE code we're in execve(): */ unsigned in_execve:1; unsigned in_iowait:1; #ifndef TIF_RESTORE_SIGMASK -- 2.39.3
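
Review bot: in the arch/x86/kernel/cpu/mce/core.c hunk, the new branch tests only current->in_execve, while its comment says "beyond point of no return". The sched.h comment touched by this patch describes the bit as "we're in execve()", so a machine check taken during execve before bprm->point_of_no_return is set would also queue kill_me_now or kill_me_maybe, even though the syscall could still fail with an error return at that stage. Either narrow the condition to the window after the point of no return, or update the comment and commit message to say the wider window is intended. The work is also queued whether or not MCE_IN_KERNEL_RECOV is set and a fixup was applied; the comment should say why that is safe.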
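
Review bot: in the bprm_execve() hunk of fs/exec.c, task_work_run() runs every task work item pending for current, not only the callback queued by the MCE handler, and it now does so on every failure past the point of no return, before sched_mm_cid_after_execve() and before in_exec is cleared. Please document why running unrelated callbacks at this point is safe, or limit the call to the case where the machine-check work is actually pending. The added comment could also name the SIGBUS case, since "a different signal" does not tell the reader which path is meant.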
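
Review bot: in the include/linux/sched.h hunk, the comment now lists a second consumer but still does not say when in_execve is set and cleared, which the new MCE branch depends on. Describe the bit's meaning and lifetime rather than its users, so the comment does not need another edit for the next caller.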