Date: Tue, 4 Feb 2025 11:01:34 +0100
In-Reply-To: <20240802061318.2140081-4-aruna.ramakrishna@oracle.com>
References: <20240802061318.2140081-4-aruna.ramakrishna@oracle.com>
Message-ID: <20250204100134.1843654-1-dvyukov@google.com>
Subject: [PATCH v8 3/5] x86/pkeys: Update PKRU to enable all pkeys before XSAVE
From: Dmitry Vyukov
To: aruna.ramakrishna@oracle.com, mathieu.desnoyers@efficios.com, peterz@infradead.org, paulmck@kernel.org, boqun.feng@gmail.com
Cc: dave.hansen@linux.intel.com, jannh@google.com, jeffxu@chromium.org, jorgelo@chromium.org, keescook@chromium.org, keith.lucas@oracle.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, mingo@kernel.org, rick.p.edgecombe@intel.com, sroettger@google.com, tglx@linutronix.de, x86@kernel.org

Re commit 70044df250d022572e26cd301bddf75eac1fe50e:
https://lore.kernel.org/all/20240802061318.2140081-4-aruna.ramakrishna@oracle.com/

> If the alternate signal stack is protected by a different pkey than the
> current execution stack, copying xsave data to the sigaltstack will fail
> if its pkey is not enabled in the PKRU register.
>
> We do not know which pkey was used by the application for the altstack,
> so enable all pkeys before xsave.
>
> But this updated PKRU value is also pushed onto the sigframe, which
> means the register value restored from sigcontext will be different from
> the user-defined one, which is unexpected. Fix that by overwriting the
> PKRU value on the sigframe with the original, user-defined PKRU.

Hi,

This unfortunately seems to be broken for rseq user-space writes.
If the signal is caused by rseq struct being inaccessible due to PKEYs,
we try to write to rseq again at setup_rt_frame->rseq_signal_deliver,
which happens _before_ sig_prepare_pkru and won't succeed
(PKEY is still inaccessible, hard kills the process).

Any PKEY sandbox would want to restrict untrusted access to rseq
as well (otherwise allows easy sandbox escapes).

If we do sig_prepare_pkru before rseq_signal_deliver (and generally
before any copy_to_userpace), then user-space handler gets SIGSEGV
and could unregister rseq and retry.
However, I am not sure if it's the best solution performance- and
complexity-wise (for user-space).

A better solution may be to change __rseq_handle_notify_resume
to temporarily switch to default PKEY if user accesses fail.
Rseq is similar to signals in this respect. Since rseq updates
happen asynchronously with respect to user-space control flow,
if a program uses rseq and ever makes rseq inaccessible with PKEYs,
it's in trouble and will be randomly killed.
Since rseq updates are asynchronous as signals, they shouldn't
assume PKEY is set to default value that allows access to rseq
descriptor.

Thoughts?
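
A user-space model of the ordering problem described in the message above, added here as an illustration; it is not code from the patch, the kernel, or the author. The names `task`, `result`, `deliver_rseq_first` and `deliver_pkru_first` are hypothetical, and the model assumes that "enable all pkeys" means setting PKRU to 0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* PKRU: two bits per key; bit 2k = access-disable, bit 2k+1 = write-disable.
 * A write to user memory tagged with key k fails if either bit is set. */
static bool pkru_allows_write(uint32_t pkru, unsigned pkey)
{
    return ((pkru >> (2 * pkey)) & 0x3u) == 0;
}

enum outcome { HANDLER_RUNS, TASK_KILLED };
struct result { enum outcome outcome; uint32_t sigframe_pkru; };
struct task {            /* constructed model state, not a kernel struct */
    uint32_t pkru;       /* PKRU in effect when the signal is delivered */
    unsigned rseq_pkey;  /* key protecting the registered rseq area */
    unsigned stack_pkey; /* key protecting the alternate signal stack */
};

/* Order reported in the mail: rseq write under the task's PKRU, then enable all keys. */
static struct result deliver_rseq_first(struct task t)
{
    uint32_t orig = t.pkru;
    if (!pkru_allows_write(t.pkru, t.rseq_pkey))
        return (struct result){ TASK_KILLED, orig };  /* rseq write fails */
    t.pkru = 0;                                       /* enable all pkeys */
    if (!pkru_allows_write(t.pkru, t.stack_pkey))
        return (struct result){ TASK_KILLED, orig };
    return (struct result){ HANDLER_RUNS, orig };     /* frame keeps user PKRU */
}

/* Order suggested in the mail: enable all keys before any user-space write. */
static struct result deliver_pkru_first(struct task t)
{
    uint32_t orig = t.pkru;
    t.pkru = 0;                                       /* enable all pkeys */
    if (!pkru_allows_write(t.pkru, t.rseq_pkey) ||
        !pkru_allows_write(t.pkru, t.stack_pkey))
        return (struct result){ TASK_KILLED, orig };
    return (struct result){ HANDLER_RUNS, orig };
}

int main(void)
{
    /* Constructed case: key 1 (rseq area) is access-disabled for sandboxed code. */
    struct task t = { .pkru = 1u << 2, .rseq_pkey = 1, .stack_pkey = 2 };
    printf("rseq write first: %s\n", deliver_rseq_first(t).outcome == TASK_KILLED ? "killed" : "handler runs");
    printf("PKRU update first: %s\n", deliver_pkru_first(t).outcome == TASK_KILLED ? "killed" : "handler runs");
    return 0;
}
```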