Date: Tue, 6 Aug 2024 09:51:46 +0200
From: Peter Zijlstra
To: Kees Cook
Cc: Andrew Zaborowski, linux-edac@vger.kernel.org, linux-mm@kvack.org, Tony Luck, Eric Biederman, Borislav Petkov, Mathieu Desnoyers, "Paul E. McKenney", Boqun Feng, oleg@redhat.com
Subject: Re: [RESEND][PATCH 3/3] rseq: Ensure SIGBUS delivered on memory failure
Message-ID: <20240806075146.GQ39708@noisy.programming.kicks-ass.net>
References: <20240723144752.1478226-1-andrew.zaborowski@intel.com> <20240723144752.1478226-3-andrew.zaborowski@intel.com> <202408052136.119CD53B@keescook>
In-Reply-To: <202408052136.119CD53B@keescook>

On Mon, Aug 05, 2024 at 09:37:48PM -0700, Kees Cook wrote:
> On Tue, Jul 23, 2024 at 04:47:52PM +0200, Andrew Zaborowski wrote:
> > Uncorrected memory errors for user pages are signaled to processes
> > using SIGBUS or, if the error happens in a syscall, an error retval
> > from the syscall. The SIGBUS is documented in
> > Documentation/mm/hwpoison.rst#failure-recovery-modes
> >
> > Once a user task sets t->rseq in the rseq() syscall, if the kernel
> > cannot access the memory pointed to by t->rseq->rseq_cs, that initial
> > rseq() and all future syscalls should return an error so understandably
> > the code just kills the task.
> >
> > To ensure that SIGBUS is used set the new t->kill_on_efault flag and
> > run queued task work on rseq_get_rseq_cs() errors to give memory_failure
> > the chance to run.
> >
> > Note: the rseq checks run inside resume_user_mode_work() so whenever
> > _TIF_NOTIFY_RESUME is set. They do not run on every syscall exit so
> > I'm not concerned that these extra flag operations are in a hot path,
> > except with CONFIG_DEBUG_RSEQ.
> >
> > Signed-off-by: Andrew Zaborowski
> > ---
> > kernel/rseq.c | 25 +++++++++++++++++++++----
>
> Can an rseq maintainer please review this? I can carry it via the execve
> tree with the related patches...

*sigh*,.. because get_maintainers just doesn't work or something?

Anyway, I'm confused by the signal code (as always), why isn't the
task_work_run() in get_signal() sufficient? At some point we're going to
run into trouble with sprinkling task_work_run() around willy nilly :/

> > > 1 file changed, 21 insertions(+), 4 deletions(-) > > > > diff --git a/kernel/rseq.c b/kernel/rseq.c > > index 9de6e35fe..c5809cd13 100644 > > --- a/kernel/rseq.c > > +++ b/kernel/rseq.c > > @@ -13,6 +13,7 @@ > > #include > > #include > > #include > > +#include > > #include > > > > #define CREATE_TRACE_POINTS > > @@ -320,6 +321,8 @@ void __rseq_handle_notify_resume(struct ksignal *ksig, struct pt_regs *regs) > > if (unlikely(t->flags & PF_EXITING)) > > return; > > > > + t->kill_on_efault = true; > > + > > /* > > * regs is NULL if and only if the caller is in a syscall path. Skip > > * fixup and leave rseq_cs as is so that rseq_sycall() will detect and
> > @@ -330,13 +333,18 @@ void __rseq_handle_notify_resume(struct ksignal *ksig, struct pt_regs *regs) > > if (unlikely(ret < 0)) > > goto error; > > } > > - if (unlikely(rseq_update_cpu_node_id(t))) > > - goto error; > > - return; > > + if (likely(!rseq_update_cpu_node_id(t))) > > + goto out; > > > > error: > > + /* Allow task work to override signr */ > > + task_work_run(); > > + > > sig = ksig ? ksig->sig : 0; > > force_sigsegv(sig); > > + > > +out: > > + t->kill_on_efault = false; > > } > > > > #ifdef CONFIG_DEBUG_RSEQ > > @@ -353,8 +361,17 @@ void rseq_syscall(struct pt_regs *regs) > > > > if (!t->rseq) > > return; > > - if (rseq_get_rseq_cs(t, &rseq_cs) || in_rseq_cs(ip, &rseq_cs)) > > + > > + t->kill_on_efault = true; > > + > > + if (rseq_get_rseq_cs(t, &rseq_cs) || in_rseq_cs(ip, &rseq_cs)) { > > + /* Allow task work to override signr */ > > + task_work_run(); > > + > > force_sig(SIGSEGV); > > + } > > + > > + t->kill_on_efault = false; > > } > > > > #endif > > -- > > 2.43.0 > > > > -- > Kees Cook
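Review bot: The new "t->kill_on_efault = true;" in the @@ -320,6 +321,8 @@ hunk of __rseq_handle_notify_resume() is set without a comment, and nothing in kernel/rseq.c says what the flag changes for a fault taken while it is set. A short comment at the assignment stating what the flag does and that it must be cleared on every return path would help, because the function now relies on all exits after this point reaching the "out:" label; a later early return added between the two would leave the flag set on the task.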
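Review bot: In the "error:" path of the @@ -330,13 +333,18 @@ hunk, task_work_run() is followed by an unconditional force_sigsegv(sig), so these lines do not show how the queued memory_failure work turns the result into SIGBUS instead of SIGSEGV. The comment "Allow task work to override signr" refers to a signr that is not a variable in this function; it should describe the actual mechanism and say why the task_work_run() already done in get_signal() is not enough, which is the question raised in the reply above. Separately, rewriting the check as "if (likely(!rseq_update_cpu_node_id(t))) goto out;" makes the failure case fall through into "error:" silently; keeping the original "goto error" and adding an explicit "goto out" for success would make the control flow easier to audit.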
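Review bot: The @@ -353,8 +361,17 @@ hunk in rseq_syscall() open-codes the same sequence as __rseq_handle_notify_resume(): set kill_on_efault, call task_work_run() on failure, force the signal, clear the flag. Two copies of a set/clear pair around fault-prone accesses can drift apart, so a small helper (or a pair of begin/end helpers) shared by both call sites would be safer. The two sites also differ in the signal call, force_sig(SIGSEGV) here versus force_sigsegv(sig) in the other function, and the commit message should say whether the SIGBUS handling is expected to behave identically for both.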