From: Aruna Ramakrishna
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, dave.hansen@linux.intel.com, tglx@linutronix.de, mingo@kernel.org, jeffxu@chromium.org, keith.lucas@oracle.com, aruna.ramakrishna@oracle.com
Subject: [PATCH v6 1/5] x86/pkeys: Add PKRU as a parameter in signal handling functions
Date: Thu, 27 Jun 2024 21:17:33 +0000
Message-Id: <20240627211737.323214-2-aruna.ramakrishna@oracle.com>
In-Reply-To: <20240627211737.323214-1-aruna.ramakrishna@oracle.com>
References: <20240627211737.323214-1-aruna.ramakrishna@oracle.com>

Problem description:

Let's assume there's a multithreaded application that runs untrusted user code. Each thread has its stack/code protected by a non-zero pkey, and the PKRU register is set up such that only that particular non-zero pkey is enabled. Each thread also sets up an alternate signal stack to handle signals, which is protected by pkey zero. The pkeys man page documents that the PKRU will be reset to init_pkru when the signal handler is invoked, which means that pkey zero access will be enabled.

But this reset happens after the kernel attempts to push fpu state to the alternate stack, which is not (yet) accessible by the kernel, which leads to a new SIGSEGV being sent to the application, terminating it.

Enabling both the non-zero pkey (for the thread) and pkey zero in userspace will not work for this use case. We cannot have the alt stack writeable by all - the rationale here is that the code running in that thread (using a non-zero pkey) is untrusted and should not have access to the alternate signal stack (that uses pkey zero), to prevent the return address of a function from being changed.

The expectation is that the kernel should be able to set up the alternate signal stack and deliver the signal to the application even if pkey zero is explicitly disabled by the application. The signal handler accessibility should not be dictated by whatever PKRU value the thread sets up.

Solution:

The PKRU register is managed by XSAVE, which means the sigframe contents must match the register contents - which is not the case here. We want the sigframe to contain the user-defined PKRU value (so that it is restored correctly from sigcontext) but the actual register must be reset to init_pkru so that the alt stack is accessible and the signal can be delivered to the application.

It seems that the proper fix here would be to remove PKRU from the XSAVE framework and manage it separately, which is quite complicated. As a workaround, do this:

	orig_pkru = rdpkru();
	wrpkru(orig_pkru & init_pkru_value);
	xsave_to_user_sigframe();
	put_user(pkru_sigframe_addr, orig_pkru)

This change is split over multiple patches. In preparation for writing PKRU to sigframe in a later patch, pass in PKRU as an additional parameter down the chain from handle_signal:

	setup_rt_frame()
	xxx_setup_rt_frame()
	get_sigframe()
	copy_fpstate_to_sigframe()
	copy_fpregs_to_sigframe()

There are no functional changes in this patch.
Signed-off-by: Aruna Ramakrishna --- arch/x86/include/asm/fpu/signal.h | 2 +- arch/x86/include/asm/sighandling.h | 10 +++++----- arch/x86/kernel/fpu/signal.c | 6 +++--- arch/x86/kernel/signal.c | 19 ++++++++++--------- arch/x86/kernel/signal_32.c | 8 ++++---- arch/x86/kernel/signal_64.c | 8 ++++---- 6 files changed, 27 insertions(+), 26 deletions(-) diff --git a/arch/x86/include/asm/fpu/signal.h b/arch/x86/include/asm/fpu/s= ignal.h index 611fa41711af..eccc75bc9c4f 100644 --- a/arch/x86/include/asm/fpu/signal.h +++ b/arch/x86/include/asm/fpu/signal.h @@ -29,7 +29,7 @@ fpu__alloc_mathframe(unsigned long sp, int ia32_frame, =20 unsigned long fpu__get_fpstate_size(void); =20 -extern bool copy_fpstate_to_sigframe(void __user *buf, void __user *fp, in= t size); +extern bool copy_fpstate_to_sigframe(void __user *buf, void __user *fp, in= t size, u32 pkru); extern void fpu__clear_user_states(struct fpu *fpu); extern bool fpu__restore_sig(void __user *buf, int ia32_frame); =20 diff --git a/arch/x86/include/asm/sighandling.h b/arch/x86/include/asm/sigh= andling.h index e770c4fc47f4..de458354a3ea 100644 --- a/arch/x86/include/asm/sighandling.h +++ b/arch/x86/include/asm/sighandling.h 
@@ -17,11 +17,11 @@ void signal_fault(struct pt_regs *regs, void __user *fr= ame, char *where); =20 void __user * get_sigframe(struct ksignal *ksig, struct pt_regs *regs, size_t frame_size, - void __user **fpstate); + void __user **fpstate, u32 pkru); =20 -int ia32_setup_frame(struct ksignal *ksig, struct pt_regs *regs); -int ia32_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs); -int x64_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs); -int x32_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs); +int ia32_setup_frame(struct ksignal *ksig, struct pt_regs *regs, u32 pkru); +int ia32_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs, u32 pk= ru); +int x64_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs, u32 pkr= u); +int x32_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs, u32 pkr= u); =20 #endif /* _ASM_X86_SIGHANDLING_H */ diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c index 247f2225aa9f..2b3b9e140dd4 100644 --- a/arch/x86/kernel/fpu/signal.c +++ b/arch/x86/kernel/fpu/signal.c @@ -156,7 +156,7 @@ static inline bool save_xstate_epilog(void __user *buf,= int ia32_frame, return !err; } =20 -static inline int copy_fpregs_to_sigframe(struct xregs_state __user *buf) +static inline int copy_fpregs_to_sigframe(struct xregs_state __user *buf, = u32 pkru) { if (use_xsave()) return xsave_to_user_sigframe(buf); @@ -185,7 +185,7 @@ static inline int copy_fpregs_to_sigframe(struct xregs_= state __user *buf) * For [f]xsave state, update the SW reserved fields in the [f]xsave frame * indicating the absence/presence of the extended state to the user. */ -bool copy_fpstate_to_sigframe(void __user *buf, void __user *buf_fx, int s= ize) +bool copy_fpstate_to_sigframe(void __user *buf, void __user *buf_fx, int s= ize, u32 pkru) { struct task_struct *tsk =3D current; struct fpstate *fpstate =3D tsk->thread.fpu.fpstate; 
@@ -228,7 +228,7 @@ bool copy_fpstate_to_sigframe(void __user *buf, void __= user *buf_fx, int size) fpregs_restore_userregs(); =20 pagefault_disable(); - ret =3D copy_fpregs_to_sigframe(buf_fx); + ret =3D copy_fpregs_to_sigframe(buf_fx, pkru); pagefault_enable(); fpregs_unlock(); =20 diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c index 31b6f5dddfc2..94b894437327 100644 --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c @@ -74,7 +74,7 @@ static inline int is_x32_frame(struct ksignal *ksig) */ void __user * get_sigframe(struct ksignal *ksig, struct pt_regs *regs, size_t frame_size, - void __user **fpstate) + void __user **fpstate, u32 pkru) { struct k_sigaction *ka =3D &ksig->ka; int ia32_frame =3D is_ia32_frame(ksig); @@ -139,7 +139,7 @@ get_sigframe(struct ksignal *ksig, struct pt_regs *regs= , size_t frame_size, } =20 /* save i387 and extended state */ - if (!copy_fpstate_to_sigframe(*fpstate, (void __user *)buf_fx, math_size)) + if (!copy_fpstate_to_sigframe(*fpstate, (void __user *)buf_fx, math_size,= pkru)) return (void __user *)-1L; =20 return (void __user *)sp; @@ -206,7 +206,7 @@ unsigned long get_sigframe_size(void) } =20 static int -setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs) +setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs, u32 pkru) { /* Perform fixup for the pre-signal frame. */ rseq_signal_deliver(ksig, regs); 
@@ -214,21 +214,22 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *= regs) /* Set up the stack frame */ if (is_ia32_frame(ksig)) { if (ksig->ka.sa.sa_flags & SA_SIGINFO) - return ia32_setup_rt_frame(ksig, regs); + return ia32_setup_rt_frame(ksig, regs, pkru); else - return ia32_setup_frame(ksig, regs); + return ia32_setup_frame(ksig, regs, pkru); } else if (is_x32_frame(ksig)) { - return x32_setup_rt_frame(ksig, regs); + return x32_setup_rt_frame(ksig, regs, pkru); } else { - return x64_setup_rt_frame(ksig, regs); + return x64_setup_rt_frame(ksig, regs, pkru); } } =20 static void handle_signal(struct ksignal *ksig, struct pt_regs *regs) { - bool stepping, failed; struct fpu *fpu =3D ¤t->thread.fpu; + u32 pkru =3D read_pkru(); + bool stepping, failed; =20 if (v8086_mode(regs)) save_v86_state((struct kernel_vm86_regs *) regs, VM86_SIGNAL); @@ -264,7 +265,7 @@ handle_signal(struct ksignal *ksig, struct pt_regs *reg= s) if (stepping) user_disable_single_step(current); =20 - failed =3D (setup_rt_frame(ksig, regs) < 0); + failed =3D (setup_rt_frame(ksig, regs, pkru) < 0); if (!failed) { /* * Clear the direction flag as per the ABI for function entry. diff --git a/arch/x86/kernel/signal_32.c b/arch/x86/kernel/signal_32.c index ef654530bf5a..b437d02ecfd7 100644 --- a/arch/x86/kernel/signal_32.c +++ b/arch/x86/kernel/signal_32.c @@ -228,7 +228,7 @@ do { \ goto label; \ } while(0) =20 -int ia32_setup_frame(struct ksignal *ksig, struct pt_regs *regs) +int ia32_setup_frame(struct ksignal *ksig, struct pt_regs *regs, u32 pkru) { sigset32_t *set =3D (sigset32_t *) sigmask_to_save(); struct sigframe_ia32 __user *frame; @@ -246,7 +246,7 @@ int ia32_setup_frame(struct ksignal *ksig, struct pt_re= gs *regs) 0x80cd, /* int $0x80 */ }; =20 - frame =3D get_sigframe(ksig, regs, sizeof(*frame), &fp); + frame =3D get_sigframe(ksig, regs, sizeof(*frame), &fp, pkru); =20 if (ksig->ka.sa.sa_flags & SA_RESTORER) { restorer =3D ksig->ka.sa.sa_restorer; 
@@ -299,7 +299,7 @@ int ia32_setup_frame(struct ksignal *ksig, struct pt_re= gs *regs) return -EFAULT; } =20 -int ia32_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs) +int ia32_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs, u32 pk= ru) { sigset32_t *set =3D (sigset32_t *) sigmask_to_save(); struct rt_sigframe_ia32 __user *frame; @@ -319,7 +319,7 @@ int ia32_setup_rt_frame(struct ksignal *ksig, struct pt= _regs *regs) 0, }; =20 - frame =3D get_sigframe(ksig, regs, sizeof(*frame), &fp); + frame =3D get_sigframe(ksig, regs, sizeof(*frame), &fp, pkru); =20 if (!user_access_begin(frame, sizeof(*frame))) return -EFAULT; diff --git a/arch/x86/kernel/signal_64.c b/arch/x86/kernel/signal_64.c index 8a94053c5444..ccfb7824ab2c 100644 --- a/arch/x86/kernel/signal_64.c +++ b/arch/x86/kernel/signal_64.c @@ -161,7 +161,7 @@ static unsigned long frame_uc_flags(struct pt_regs *reg= s) return flags; } =20 -int x64_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs) +int x64_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs, u32 pkr= u) { sigset_t *set =3D sigmask_to_save(); struct rt_sigframe __user *frame; @@ -172,7 +172,7 @@ int x64_setup_rt_frame(struct ksignal *ksig, struct pt_= regs *regs) if (!(ksig->ka.sa.sa_flags & SA_RESTORER)) return -EFAULT; =20 - frame =3D get_sigframe(ksig, regs, sizeof(struct rt_sigframe), &fp); + frame =3D get_sigframe(ksig, regs, sizeof(struct rt_sigframe), &fp, pkru); uc_flags =3D frame_uc_flags(regs); =20 if (!user_access_begin(frame, sizeof(*frame))) @@ -300,7 +300,7 @@ int copy_siginfo_to_user32(struct compat_siginfo __user= *to, return __copy_siginfo_to_user32(to, from); } =20 -int x32_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs) +int x32_setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs, u32 pkr= u) { compat_sigset_t *set =3D (compat_sigset_t *) sigmask_to_save(); struct rt_sigframe_x32 __user *frame; 
@@ -311,7 +311,7 @@ int x32_setup_rt_frame(struct ksignal *ksig, struct pt_= regs *regs) if (!(ksig->ka.sa.sa_flags & SA_RESTORER)) return -EFAULT; =20 - frame =3D get_sigframe(ksig, regs, sizeof(*frame), &fp); + frame =3D get_sigframe(ksig, regs, sizeof(*frame), &fp, pkru); =20 uc_flags =3D frame_uc_flags(regs); =20 --=20 2.39.3
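Review bot: the `u32 pkru` parameter added to copy_fpregs_to_sigframe() in the arch/x86/kernel/fpu/signal.c hunk is threaded all the way down the chain but not read anywhere in this patch, which matches the "no functional changes" statement; a one-line comment at the parameter (or in the block above copy_fpstate_to_sigframe()) saying that `pkru` is the value destined for the frame rather than the live register would keep a reader of this intermediate state from assuming the frame is already fixed up.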
From: Aruna Ramakrishna
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, dave.hansen@linux.intel.com, tglx@linutronix.de, mingo@kernel.org, jeffxu@chromium.org, keith.lucas@oracle.com, aruna.ramakrishna@oracle.com
Subject: [PATCH v6 2/5] x86/pkeys: Add helper functions to update PKRU on the sigframe
Date: Thu, 27 Jun 2024 21:17:34 +0000
Message-Id: <20240627211737.323214-3-aruna.ramakrishna@oracle.com>
In-Reply-To: <20240627211737.323214-1-aruna.ramakrishna@oracle.com>
References: <20240627211737.323214-1-aruna.ramakrishna@oracle.com>

In the case where a user thread sets up an alternate signal stack protected by the default pkey (i.e. pkey 0), while the thread's stack is protected by a non-zero pkey, both these pkeys have to be enabled in the PKRU register for the signal to be delivered to the application correctly. However, the PKRU value restored after handling the signal must not enable this extra pkey (i.e. pkey 0), so the PKRU value on the sigframe should be overwritten with the user-defined value.

Add helper functions that will update the PKRU value on the sigframe after XSAVE. These functions will be called in a later patch; this patch does not change any behavior as yet.
Note that sig_prepare_pkru() makes no assumption about what pkey could be used to protect the altstack (i.e. it may not be part of init_pkru), and so enables all pkeys. Signed-off-by: Aruna Ramakrishna --- arch/x86/kernel/fpu/signal.c | 10 ++++++++++ arch/x86/kernel/fpu/xstate.c | 13 +++++++++++++ arch/x86/kernel/fpu/xstate.h | 2 ++ arch/x86/kernel/signal.c | 18 ++++++++++++++++++ 4 files changed, 43 insertions(+) diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c index 2b3b9e140dd4..931c5469d7f3 100644 --- a/arch/x86/kernel/fpu/signal.c +++ b/arch/x86/kernel/fpu/signal.c @@ -63,6 +63,16 @@ static inline bool check_xstate_in_sigframe(struct fxreg= s_state __user *fxbuf, return true; } =20 +/* + * Update the value of PKRU register that was already pushed onto the sign= al frame. + */ +static inline int update_pkru_in_sigframe(struct xregs_state __user *buf, = u32 pkru) +{ + if (unlikely(!cpu_feature_enabled(X86_FEATURE_OSPKE))) + return 0; + return __put_user(pkru, (unsigned int __user *)get_xsave_addr_user(buf, X= FEATURE_PKRU)); +} + /* * Signal frame handlers. */ diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c index c5a026fee5e0..fa7628bb541b 100644 --- a/arch/x86/kernel/fpu/xstate.c +++ b/arch/x86/kernel/fpu/xstate.c @@ -993,6 +993,19 @@ void *get_xsave_addr(struct xregs_state *xsave, int xf= eature_nr) } EXPORT_SYMBOL_GPL(get_xsave_addr); =20 +/* + * Given an xstate feature nr, calculate where in the xsave buffer the sta= te is. + * The xsave buffer should be in standard format, not compacted (e.g. user= mode + * signal frames). + */ +void __user *get_xsave_addr_user(struct xregs_state __user *xsave, int xfe= ature_nr) +{ + if (WARN_ON_ONCE(!xfeature_enabled(xfeature_nr))) + return NULL; + + return (void __user *)xsave + xstate_offsets[xfeature_nr]; +} + #ifdef CONFIG_ARCH_HAS_PKEYS =20 /* diff --git a/arch/x86/kernel/fpu/xstate.h b/arch/x86/kernel/fpu/xstate.h index 05df04f39628..bc2ce703055a 100644 
--- a/arch/x86/kernel/fpu/xstate.h +++ b/arch/x86/kernel/fpu/xstate.h @@ -54,6 +54,8 @@ extern int copy_sigframe_from_user_to_xstate(struct task_= struct *tsk, const void extern void fpu__init_cpu_xstate(void); extern void fpu__init_system_xstate(unsigned int legacy_size); =20 +extern void __user *get_xsave_addr_user(struct xregs_state *xsave, int xfe= ature_nr); + static inline u64 xfeatures_mask_supervisor(void) { return fpu_kernel_cfg.max_features & XFEATURE_MASK_SUPERVISOR_SUPPORTED; diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c index 94b894437327..131eb4ae20fe 100644 --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c 
@@ -224,6 +224,24 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *r= egs, u32 pkru) } } =20 +/* + * Enable all pkeys temporarily, so as to ensure that both the current + * execution stack as well as the alternate signal stack are writeable. + * The application can use any of the available pkeys to protect the + * alternate signal stack, and we don't know which one it is, so enable + * all. The PKRU register will be reset to init_pkru later in the flow, + * in fpu__clear_user_states(), and it is the application's responsibility + * to enable the appropriate pkey as the first step in the signal handler + * so that the handler does not segfault. + */ +static inline u32 sig_prepare_pkru(void) +{ + u32 orig_pkru =3D read_pkru(); + + write_pkru(0); + return orig_pkru; +} + static void handle_signal(struct ksignal *ksig, struct pt_regs *regs) { --=20 2.39.3
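Review bot: update_pkru_in_sigframe() in the arch/x86/kernel/fpu/signal.c hunk rewrites only the PKRU data slot, not the frame's XSTATE_BV. Its intended caller will have done write_pkru(0) first (see sig_prepare_pkru() in the arch/x86/kernel/signal.c hunk), and 0 is PKRU's architectural initial configuration, so the XSAVE that precedes this call may apply the init optimization and leave the XFEATURE_PKRU bit clear in buf->header.xfeatures; on sigreturn XRSTOR then ignores the slot and loads PKRU's init value, which enables every pkey, instead of the user-defined value this series wants restored. Suggest setting XFEATURE_MASK_PKRU in buf->header.xfeatures here together with the value. Separately, get_xsave_addr_user() returns NULL after its WARN_ON_ONCE(), and that NULL is handed straight to __put_user(); an explicit check before the write is cheaper than relying on the fault path.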
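Review bot: the prototype added in the arch/x86/kernel/fpu/xstate.h hunk declares the parameter as `struct xregs_state *xsave`, while the definition in the xstate.c hunk has `struct xregs_state __user *xsave`; the address-space annotations should match, both so sparse does not flag the mismatch and so the declaration states that this helper is only valid for a user buffer in standard (non-compacted) format, as its comment says.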
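Review bot: the sig_prepare_pkru() hunk writes 0 to PKRU, which opens every pkey for both read and write, while the description in patch 1 still sketches the step as `wrpkru(orig_pkru & init_pkru_value)`; that description should be brought in line with what is actually done and why (the altstack may use a pkey that init_pkru does not enable, as this patch's description says). The comment also promises the reset to init_pkru in fpu__clear_user_states(), which is only reached when frame setup succeeds; the helper's contract should say that the caller must write the returned value back on the failure path, otherwise the task could return to user space with all pkeys open.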
From: Aruna Ramakrishna
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, dave.hansen@linux.intel.com, tglx@linutronix.de, mingo@kernel.org, jeffxu@chromium.org, keith.lucas@oracle.com, aruna.ramakrishna@oracle.com
Subject: [PATCH v6 3/5] x86/pkeys: Update PKRU to enable all pkeys before XSAVE
Date: Thu, 27 Jun 2024 21:17:35 +0000
Message-Id: <20240627211737.323214-4-aruna.ramakrishna@oracle.com>
In-Reply-To: <20240627211737.323214-1-aruna.ramakrishna@oracle.com>
References: <20240627211737.323214-1-aruna.ramakrishna@oracle.com>

If the alternate signal stack is protected by a different pkey than the current execution stack, copying xsave data to the sigaltstack will fail if its pkey is not enabled. We do not know which pkey was used by the application for the sigaltstack, so enable all pkeys before xsave so that the signal handler accessibility is not dictated by the PKRU value that the thread sets up. But this updated PKRU value is also pushed onto the sigframe, so overwrite that with the original, user-defined PKRU value so that the value restored from sigcontext does not have the extra pkey enabled.
Signed-off-by: Aruna Ramakrishna --- arch/x86/kernel/fpu/signal.c | 11 +++++++++-- arch/x86/kernel/signal.c | 10 +++++++++- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c index 931c5469d7f3..1065ab995305 100644 --- a/arch/x86/kernel/fpu/signal.c +++ b/arch/x86/kernel/fpu/signal.c @@ -168,8 +168,15 @@ static inline bool save_xstate_epilog(void __user *buf= , int ia32_frame, =20 static inline int copy_fpregs_to_sigframe(struct xregs_state __user *buf, = u32 pkru) { - if (use_xsave()) - return xsave_to_user_sigframe(buf); + int err =3D 0; + + if (use_xsave()) { + err =3D xsave_to_user_sigframe(buf); + if (!err) + err =3D update_pkru_in_sigframe(buf, pkru); + return err; + } + if (use_fxsr()) return fxsave_to_user_sigframe((struct fxregs_state __user *) buf); else diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c index 131eb4ae20fe..94147d85b0ee 100644 --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c @@ -246,8 +246,8 @@ static void handle_signal(struct ksignal *ksig, struct pt_regs *regs) { struct fpu *fpu =3D ¤t->thread.fpu; - u32 pkru =3D read_pkru(); bool stepping, failed; + u32 pkru; =20 if (v8086_mode(regs)) save_v86_state((struct kernel_vm86_regs *) regs, VM86_SIGNAL); @@ -283,6 +283,8 @@ handle_signal(struct ksignal *ksig, struct pt_regs *reg= s) if (stepping) user_disable_single_step(current); =20 + /* Update PKRU to enable access to the alternate signal stack. */ + pkru =3D sig_prepare_pkru(); failed =3D (setup_rt_frame(ksig, regs, pkru) < 0); if (!failed) { /* 
@@ -300,6 +302,12 @@ handle_signal(struct ksignal *ksig, struct pt_regs *re= gs) * Ensure the signal handler starts with the new fpu state. */ fpu__clear_user_states(fpu); + } else { + /* + * Restore PKRU to the original, user-defined value; disable + * extra pkeys enabled for the alternate signal stack, if any. + */ + write_pkru(pkru); } signal_setup_done(failed, ksig, stepping); } --=20 2.39.3
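Review bot: in the copy_fpregs_to_sigframe() hunk, update_pkru_in_sigframe() patches the user value into the frame after xsave_to_user_sigframe() has run, but nothing visible here guarantees that the PKRU component is marked present in the frame's xfeatures. With every pkey enabled the live PKRU is 0, which is the init value, so XSAVE may record the PKRU component as in its init state; XRSTOR would then initialise PKRU instead of loading the value written into the frame. Worth confirming that update_pkru_in_sigframe() (defined earlier in the series) also sets the PKRU bit in the saved xfeatures, or that the frame is written with that bit forced on.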
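Review bot: the comment above `pkru = sig_prepare_pkru();` says only that PKRU is updated; it should also say that the return value is the thread's previous PKRU, because that is what setup_rt_frame() places in the sigframe and what write_pkru(pkru) restores on the failure path. Something like `/* Enable all pkeys so the frame can be written to a pkey-protected altstack; pkru keeps the user value for the sigframe. */` makes the link between the three uses visible.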
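Review bot: the new else branch restores PKRU only when setup_rt_frame() fails; on success the all-enabled PKRU is left in place and the code relies on fpu__clear_user_states() in the if branch to replace it with the init value before the handler runs. That reliance deserves a one-line comment next to fpu__clear_user_states(), otherwise a later reordering of that call could leave the handler running with every pkey enabled.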
From: Aruna Ramakrishna
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, dave.hansen@linux.intel.com, tglx@linutronix.de, mingo@kernel.org, jeffxu@chromium.org, keith.lucas@oracle.com, aruna.ramakrishna@oracle.com
Subject: [PATCH v6 4/5] x86/pkeys: Restore altstack before sigcontext
Date: Thu, 27 Jun 2024 21:17:36 +0000
Message-Id: <20240627211737.323214-5-aruna.ramakrishna@oracle.com>
X-Mailer: git-send-email 2.39.3
In-Reply-To: <20240627211737.323214-1-aruna.ramakrishna@oracle.com>
References: <20240627211737.323214-1-aruna.ramakrishna@oracle.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

A process can disable access to the alternate signal stack and still
expect signals to be delivered correctly. handle_signal() updates the
PKRU value to enable access to the altstack, and makes sure that the
value on the sigframe is the user-defined PKRU value so that it is
correctly restored.

However, in sigreturn(), restore_altstack() needs read access to the
altstack. But the PKRU has already been restored from the sigframe (in
restore_sigcontext()) which will disable access to the altstack,
resulting in a SIGSEGV.

Fix this by restoring altstack before restoring PKRU.
Signed-off-by: Aruna Ramakrishna --- arch/x86/kernel/signal_32.c | 4 ++-- arch/x86/kernel/signal_64.c | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/arch/x86/kernel/signal_32.c b/arch/x86/kernel/signal_32.c index b437d02ecfd7..348e855cecc6 100644 --- a/arch/x86/kernel/signal_32.c +++ b/arch/x86/kernel/signal_32.c @@ -160,10 +160,10 @@ SYSCALL32_DEFINE0(rt_sigreturn) =20 set_current_blocked(&set); =20 - if (!ia32_restore_sigcontext(regs, &frame->uc.uc_mcontext)) + if (restore_altstack32(&frame->uc.uc_stack)) goto badframe; =20 - if (restore_altstack32(&frame->uc.uc_stack)) + if (!ia32_restore_sigcontext(regs, &frame->uc.uc_mcontext)) goto badframe; =20 return regs->ax; diff --git a/arch/x86/kernel/signal_64.c b/arch/x86/kernel/signal_64.c index ccfb7824ab2c..c5cf01898e83 100644 --- a/arch/x86/kernel/signal_64.c +++ b/arch/x86/kernel/signal_64.c 
@@ -260,13 +260,13 @@ SYSCALL_DEFINE0(rt_sigreturn) =20 set_current_blocked(&set); =20 - if (!restore_sigcontext(regs, &frame->uc.uc_mcontext, uc_flags)) + if (restore_altstack(&frame->uc.uc_stack)) goto badframe; =20 - if (restore_signal_shadow_stack()) + if (!restore_sigcontext(regs, &frame->uc.uc_mcontext, uc_flags)) goto badframe; =20 - if (restore_altstack(&frame->uc.uc_stack)) + if (restore_signal_shadow_stack()) goto badframe; =20 return regs->ax; --=20 2.39.3
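Review bot: in the signal_32.c rt_sigreturn hunk, moving restore_altstack32() ahead of ia32_restore_sigcontext() means a frame whose uc_mcontext is later rejected can now still have updated the task's sigaltstack before `goto badframe`. That is harmless because badframe ends in SIGSEGV, but the ordering constraint (the altstack must be read while the handler's PKRU is still live, before sigcontext loads the user's PKRU) is not visible in the code; a one-line comment above the restore_altstack32() call would keep someone from swapping the two calls back.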
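Review bot: the signal_64.c hunk keeps restore_sigcontext() ahead of restore_signal_shadow_stack(), which preserves their relative order, but the same comment as in the 32-bit path is needed above restore_altstack(). It is also worth checking whether any other sigreturn entry point in these files that restores the altstack after sigcontext (the x32 compat variant, if it is built) needs the same reordering; this patch only touches the two shown.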
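A model of the PKRU access check and of the two orderings argued for in patches 3/5 and 4/5, as an added example (my own code, not kernel code from this series): it encodes PKRU's two bits per key, the selftests' init_pkru value 0x55555554, and the handle_signal() / rt_sigreturn() steps as a small state machine, and shows which combination lets a thread that has disabled pkey 0 both receive a signal on a pkey-0 altstack and return from it. The *_model() functions and run_scenario() are constructed stand-ins, not the kernel's functions, and XSAVE details are left out.

```c
/*
 * Added example, not kernel code: a model of x86 PKRU access checks and of the
 * signal delivery / sigreturn ordering this series argues for. The *_model()
 * functions are constructed stand-ins for handle_signal() and rt_sigreturn().
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* PKRU holds two bits per key: bit 2*k is AD (access disable), bit 2*k+1 is
 * WD (write disable); a clear pair means full access. INIT_PKRU is init_pkru
 * as the selftests describe it: only pkey 0 accessible. */
#define PKRU_AD_BIT 0x1u
#define PKRU_WD_BIT 0x2u
#define INIT_PKRU   0x55555554u

static bool pkru_allows_read(uint32_t pkru, int pkey)
{
	return !((pkru >> (2 * pkey)) & PKRU_AD_BIT);
}

static bool pkru_allows_write(uint32_t pkru, int pkey)
{
	return !((pkru >> (2 * pkey)) & (PKRU_AD_BIT | PKRU_WD_BIT));
}

struct thread_model {
	uint32_t pkru;       /* live PKRU register value */
	uint32_t frame_pkru; /* PKRU saved in the sigframe */
	int altstack_pkey;   /* pkey protecting the alternate signal stack */
};

/* Stand-in for sig_prepare_pkru(): enable every pkey, return the old value. */
static uint32_t sig_prepare_pkru_model(struct thread_model *t)
{
	uint32_t orig = t->pkru;
	t->pkru = 0;
	return orig;
}

/* Stand-in for handle_signal(): the sigframe can only be written if the live
 * PKRU allows writes to the altstack's pkey; false means delivery failed. */
static bool handle_signal_model(struct thread_model *t, bool enable_all_before_xsave)
{
	uint32_t user_pkru = enable_all_before_xsave ? sig_prepare_pkru_model(t) : t->pkru;
	if (!pkru_allows_write(t->pkru, t->altstack_pkey)) {
		t->pkru = user_pkru; /* failure path: write_pkru(pkru) */
		return false;
	}
	t->frame_pkru = user_pkru; /* update_pkru_in_sigframe(): user value, not 0 */
	t->pkru = INIT_PKRU;       /* fpu__clear_user_states(): handler sees init_pkru */
	return true;
}

/* Stand-in for rt_sigreturn(): restore_altstack() needs read access to the
 * altstack, restore_sigcontext() loads PKRU from the frame; the order decides
 * which PKRU value the altstack read is checked against. */
static bool sigreturn_model(struct thread_model *t, bool altstack_before_sigcontext)
{
	bool ok;
	if (altstack_before_sigcontext) {
		ok = pkru_allows_read(t->pkru, t->altstack_pkey);
		t->pkru = t->frame_pkru;
	} else {
		t->pkru = t->frame_pkru;
		ok = pkru_allows_read(t->pkru, t->altstack_pkey);
	}
	return ok;
}

enum outcome { DELIVERED_AND_RETURNED, DELIVERY_FAILED, SIGRETURN_FAILED };

/* One signal round trip under the chosen kernel behaviour. */
static enum outcome run_scenario(uint32_t user_pkru, int altstack_pkey,
				 bool enable_all_before_xsave, bool altstack_before_sigcontext)
{
	struct thread_model t = { user_pkru, 0, altstack_pkey };
	if (!handle_signal_model(&t, enable_all_before_xsave))
		return DELIVERY_FAILED;
	if (!sigreturn_model(&t, altstack_before_sigcontext))
		return SIGRETURN_FAILED;
	/* A correct sigreturn leaves the thread on its own PKRU value again. */
	return t.pkru == user_pkru ? DELIVERED_AND_RETURNED : SIGRETURN_FAILED;
}

int main(void)
{
	/* Thread with only pkey 1 enabled, altstack on pkey 0: prints 1 2 0. */
	printf("old kernel %d, patch 3/5 only %d, patches 3+4/5 %d\n",
	       run_scenario(0x55555551u, 0, false, false),
	       run_scenario(0x55555551u, 0, true, false),
	       run_scenario(0x55555551u, 0, true, true));
	return 0;
}
```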
From: Aruna Ramakrishna
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, dave.hansen@linux.intel.com, tglx@linutronix.de, mingo@kernel.org, jeffxu@chromium.org, keith.lucas@oracle.com, aruna.ramakrishna@oracle.com
Subject: [PATCH v6 5/5] selftests/mm: Add new testcases for pkeys
Date: Thu, 27 Jun 2024 21:17:37 +0000
Message-Id: <20240627211737.323214-6-aruna.ramakrishna@oracle.com>
X-Mailer: git-send-email 2.39.3
In-Reply-To: <20240627211737.323214-1-aruna.ramakrishna@oracle.com>
References: <20240627211737.323214-1-aruna.ramakrishna@oracle.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Keith Lucas

Add a few new tests to exercise the signal handler flow, especially
with pkey 0 disabled. There are 5 new tests added:

- test_sigsegv_handler_with_pkey0_disabled
- test_sigsegv_handler_cannot_access_stack
- test_sigsegv_handler_with_different_pkey_for_stack
- test_pkru_preserved_after_sigusr1
- test_pkru_sigreturn

[ Aruna: Adapted to upstream ]

Signed-off-by: Keith Lucas
Signed-off-by: Aruna Ramakrishna --- tools/testing/selftests/mm/Makefile | 2 + tools/testing/selftests/mm/pkey-helpers.h | 11 +- .../selftests/mm/pkey_sighandler_tests.c | 479 ++++++++++++++++++ tools/testing/selftests/mm/protection_keys.c | 10 - 4 files changed, 491 insertions(+), 11 deletions(-) create mode 100644 tools/testing/selftests/mm/pkey_sighandler_tests.c diff --git a/tools/testing/selftests/mm/Makefile b/tools/testing/selftests/= mm/Makefile index 3b49bc3d0a3b..0112bbcde181 100644 --- a/tools/testing/selftests/mm/Makefile +++ b/tools/testing/selftests/mm/Makefile @@ -84,6 +84,7 @@ CAN_BUILD_X86_64 :=3D $(shell ./../x86/check_cc.sh "$(CC)= " ../x86/trivial_64bit_pr CAN_BUILD_WITH_NOPIE :=3D $(shell ./../x86/check_cc.sh "$(CC)" ../x86/triv= ial_program.c -no-pie) =20 VMTARGETS :=3D protection_keys +VMTARGETS :=3D pkey_sighandler_tests BINARIES_32 :=3D $(VMTARGETS:%=3D%_32) BINARIES_64 :=3D $(VMTARGETS:%=3D%_64) =20 @@ -102,6 +103,7 @@ else =20 ifneq (,$(findstring $(ARCH),powerpc)) TEST_GEN_FILES +=3D protection_keys +TEST_GEN_FILES +=3D pkey_sighandler_tests endif =20 endif diff --git a/tools/testing/selftests/mm/pkey-helpers.h b/tools/testing/self= tests/mm/pkey-helpers.h index 1af3156a9db8..2b1189c27167 100644 --- a/tools/testing/selftests/mm/pkey-helpers.h +++ b/tools/testing/selftests/mm/pkey-helpers.h @@ -12,6 +12,7 @@ #include #include #include +#include =20 #include "../kselftest.h" =20 @@ -79,7 +80,15 @@ extern void abort_hooks(void); } \ } while (0) =20 -__attribute__((noinline)) int read_ptr(int *ptr); +noinline int read_ptr(int *ptr) +{ + /* + * Keep GCC from optimizing this away somehow + */ + barrier(); + return *ptr; +} + void expected_pkey_fault(int pkey); int sys_pkey_alloc(unsigned long flags, unsigned long init_val); int sys_pkey_free(unsigned long pkey); diff --git a/tools/testing/selftests/mm/pkey_sighandler_tests.c b/tools/tes= ting/selftests/mm/pkey_sighandler_tests.c new file mode 100644 index 000000000000..c43030c7056d 
--- /dev/null +++ b/tools/testing/selftests/mm/pkey_sighandler_tests.c 
@@ -0,0 +1,479 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Tests Memory Protection Keys (see Documentation/core-api/protection-key= s.rst) + * + * The testcases in this file exercise various flows related to signal han= dling, + * using an alternate signal stack, with the default pkey (pkey 0) disable= d. + * + * Compile with: + * gcc -mxsave -o pkey_sighandler_tests -O2 -g -std=3Dgnu99 -pthread = -Wall pkey_sighandler_tests.c -I../../../../tools/include -lrt -ldl -lm + * gcc -mxsave -m32 -o pkey_sighandler_tests -O2 -g -std=3Dgnu99 -pthread = -Wall pkey_sighandler_tests.c -I../../../../tools/include -lrt -ldl -lm + */ +#define _GNU_SOURCE +#define __SANE_USERSPACE_TYPES__ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "pkey-helpers.h" + +#define STACK_SIZE PTHREAD_STACK_MIN + +void expected_pkey_fault(int pkey) {} + +pthread_mutex_t mutex =3D PTHREAD_MUTEX_INITIALIZER; +pthread_cond_t cond =3D PTHREAD_COND_INITIALIZER; +siginfo_t siginfo =3D {0}; + +/* + * We need to use inline assembly instead of glibc's syscall because glibc= 's + * syscall will attempt to access the PLT in order to call a library funct= ion + * which is protected by MPK 0 which we don't have access to. 
+ */ +static inline __always_inline +long syscall_raw(long n, long a1, long a2, long a3, long a4, long a5, long= a6) +{ + unsigned long ret; +#ifdef __x86_64__ + register long r10 asm("r10") =3D a4; + register long r8 asm("r8") =3D a5; + register long r9 asm("r9") =3D a6; + asm volatile ("syscall" + : "=3Da"(ret) + : "a"(n), "D"(a1), "S"(a2), "d"(a3), "r"(r10), "r"(r8), "r"(r9) + : "rcx", "r11", "memory"); +#elif defined __i386__ + asm volatile ("int $0x80" + : "=3Da"(ret) + : "a"(n), "b"(a1), "c"(a2), "d"(a3), "S"(a4), "D"(a5) + : "memory"); +#endif + return ret; +} + +static void sigsegv_handler(int signo, siginfo_t *info, void *ucontext) +{ + pthread_mutex_lock(&mutex); + + memcpy(&siginfo, info, sizeof(siginfo_t)); + + pthread_cond_signal(&cond); + pthread_mutex_unlock(&mutex); + + syscall_raw(SYS_exit, 0, 0, 0, 0, 0, 0); +} + +static void sigusr1_handler(int signo, siginfo_t *info, void *ucontext) +{ + pthread_mutex_lock(&mutex); + + memcpy(&siginfo, info, sizeof(siginfo_t)); + + pthread_cond_signal(&cond); + pthread_mutex_unlock(&mutex); +} + +static void sigusr2_handler(int signo, siginfo_t *info, void *ucontext) +{ + /* + * pkru should be the init_pkru value which enabled MPK 0 so + * we can use library functions. + */ + printf("%s invoked.\n", __func__); +} + +static void raise_sigusr2(void) +{ + pid_t tid =3D 0; + + tid =3D syscall_raw(SYS_gettid, 0, 0, 0, 0, 0, 0); + + syscall_raw(SYS_tkill, tid, SIGUSR2, 0, 0, 0, 0); + + /* + * We should return from the signal handler here and be able to + * return to the interrupted thread. 
+ */ +} + +static void *thread_segv_with_pkey0_disabled(void *ptr) +{ + /* Disable MPK 0 (and all others too) */ + __write_pkey_reg(0x55555555); + + /* Segfault (with SEGV_MAPERR) */ + *(int *) (0x1) =3D 1; + return NULL; +} + +static void *thread_segv_pkuerr_stack(void *ptr) +{ + /* Disable MPK 0 (and all others too) */ + __write_pkey_reg(0x55555555); + + /* After we disable MPK 0, we can't access the stack to return */ + return NULL; +} + +static void *thread_segv_maperr_ptr(void *ptr) +{ + stack_t *stack =3D ptr; + int *bad =3D (int *)1; + + /* + * Setup alternate signal stack, which should be pkey_mprotect()ed by + * MPK 0. The thread's stack cannot be used for signals because it is + * not accessible by the default init_pkru value of 0x55555554. + */ + syscall_raw(SYS_sigaltstack, (long)stack, 0, 0, 0, 0, 0); + + /* Disable MPK 0. Only MPK 1 is enabled. */ + __write_pkey_reg(0x55555551); + + /* Segfault */ + *bad =3D 1; + syscall_raw(SYS_exit, 0, 0, 0, 0, 0, 0); + return NULL; +} + +/* + * Verify that the sigsegv handler is invoked when pkey 0 is disabled. + * Note that the new thread stack and the alternate signal stack is + * protected by MPK 0. 
+ */ +static void test_sigsegv_handler_with_pkey0_disabled(void) +{ + struct sigaction sa; + pthread_attr_t attr; + pthread_t thr; + + sa.sa_flags =3D SA_SIGINFO; + + sa.sa_sigaction =3D sigsegv_handler; + sigemptyset(&sa.sa_mask); + if (sigaction(SIGSEGV, &sa, NULL) =3D=3D -1) { + perror("sigaction"); + exit(EXIT_FAILURE); + } + + memset(&siginfo, 0, sizeof(siginfo)); + + pthread_attr_init(&attr); + pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); + + pthread_create(&thr, &attr, thread_segv_with_pkey0_disabled, NULL); + + pthread_mutex_lock(&mutex); + while (siginfo.si_signo =3D=3D 0) + pthread_cond_wait(&cond, &mutex); + pthread_mutex_unlock(&mutex); + + ksft_test_result(siginfo.si_signo =3D=3D SIGSEGV && + siginfo.si_code =3D=3D SEGV_MAPERR && + siginfo.si_addr =3D=3D (void *)1, + "%s\n", __func__); +} + +/* + * Verify that the sigsegv handler is invoked when pkey 0 is disabled. + * Note that the new thread stack and the alternate signal stack is + * protected by MPK 0, which renders them inaccessible when MPK 0 + * is disabled. So just the return from the thread should cause a + * segfault with SEGV_PKUERR. 
+ */ +static void test_sigsegv_handler_cannot_access_stack(void) +{ + struct sigaction sa; + pthread_attr_t attr; + pthread_t thr; + + sa.sa_flags =3D SA_SIGINFO; + + sa.sa_sigaction =3D sigsegv_handler; + sigemptyset(&sa.sa_mask); + if (sigaction(SIGSEGV, &sa, NULL) =3D=3D -1) { + perror("sigaction"); + exit(EXIT_FAILURE); + } + + memset(&siginfo, 0, sizeof(siginfo)); + + pthread_attr_init(&attr); + pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); + + pthread_create(&thr, &attr, thread_segv_pkuerr_stack, NULL); + + pthread_mutex_lock(&mutex); + while (siginfo.si_signo =3D=3D 0) + pthread_cond_wait(&cond, &mutex); + pthread_mutex_unlock(&mutex); + + ksft_test_result(siginfo.si_signo =3D=3D SIGSEGV && + siginfo.si_code =3D=3D SEGV_PKUERR, + "%s\n", __func__); +} + +/* + * Verify that the sigsegv handler that uses an alternate signal stack + * is correctly invoked for a thread which uses a non-zero MPK to protect + * its own stack, and disables all other MPKs (including 0). + */ +static void test_sigsegv_handler_with_different_pkey_for_stack(void) +{ + struct sigaction sa; + static stack_t sigstack; + void *stack; + int pkey; + int parent_pid =3D 0; + int child_pid =3D 0; + + sa.sa_flags =3D SA_SIGINFO | SA_ONSTACK; + + sa.sa_sigaction =3D sigsegv_handler; + + sigemptyset(&sa.sa_mask); + if (sigaction(SIGSEGV, &sa, NULL) =3D=3D -1) { + perror("sigaction"); + exit(EXIT_FAILURE); + } + + stack =3D mmap(0, STACK_SIZE, PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + + assert(stack !=3D MAP_FAILED); + + /* Allow access to MPK 0 and MPK 1 */ + __write_pkey_reg(0x55555550); + + /* Protect the new stack with MPK 1 */ + pkey =3D pkey_alloc(0, 0); + pkey_mprotect(stack, STACK_SIZE, PROT_READ | PROT_WRITE, pkey); + + /* Set up alternate signal stack that will use the default MPK */ + sigstack.ss_sp =3D mmap(0, STACK_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + sigstack.ss_flags =3D 0; + sigstack.ss_size =3D 
STACK_SIZE; + + memset(&siginfo, 0, sizeof(siginfo)); + + /* Use clone to avoid newer glibcs using rseq on new threads */ + long ret =3D syscall_raw(SYS_clone, + CLONE_VM | CLONE_FS | CLONE_FILES | + CLONE_SIGHAND | CLONE_THREAD | CLONE_SYSVSEM | + CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID | + CLONE_DETACHED, + (long) ((char *)(stack) + STACK_SIZE), + (long) &parent_pid, + (long) &child_pid, 0, 0); + + if (ret < 0) { + errno =3D -ret; + perror("clone"); + } else if (ret =3D=3D 0) { + thread_segv_maperr_ptr(&sigstack); + syscall_raw(SYS_exit, 0, 0, 0, 0, 0, 0); + } + + pthread_mutex_lock(&mutex); + while (siginfo.si_signo =3D=3D 0) + pthread_cond_wait(&cond, &mutex); + pthread_mutex_unlock(&mutex); + + ksft_test_result(siginfo.si_signo =3D=3D SIGSEGV && + siginfo.si_code =3D=3D SEGV_MAPERR && + siginfo.si_addr =3D=3D (void *)1, + "%s\n", __func__); +} + +/* + * Verify that the PKRU value set by the application is correctly + * restored upon return from signal handling. + */ +static void test_pkru_preserved_after_sigusr1(void) +{ + struct sigaction sa; + unsigned long pkru =3D 0x45454544; + + sa.sa_flags =3D SA_SIGINFO; + + sa.sa_sigaction =3D sigusr1_handler; + sigemptyset(&sa.sa_mask); + if (sigaction(SIGUSR1, &sa, NULL) =3D=3D -1) { + perror("sigaction"); + exit(EXIT_FAILURE); + } + + memset(&siginfo, 0, sizeof(siginfo)); + + __write_pkey_reg(pkru); + + raise(SIGUSR1); + + pthread_mutex_lock(&mutex); + while (siginfo.si_signo =3D=3D 0) + pthread_cond_wait(&cond, &mutex); + pthread_mutex_unlock(&mutex); + + /* Ensure the pkru value is the same after returning from signal. */ + ksft_test_result(pkru =3D=3D __read_pkey_reg() && + siginfo.si_signo =3D=3D SIGUSR1, + "%s\n", __func__); +} + +static noinline void *thread_sigusr2_self(void *ptr) +{ + /* + * A const char array like "Resuming after SIGUSR2" won't be stored on + * the stack and the code could access it via an offset from the program + * counter. This makes sure it's on the function's stack frame. 
+ */ + char str[] =3D {'R', 'e', 's', 'u', 'm', 'i', 'n', 'g', ' ', + 'a', 'f', 't', 'e', 'r', ' ', + 'S', 'I', 'G', 'U', 'S', 'R', '2', + '.', '.', '.', '\n', '\0'}; + stack_t *stack =3D ptr; + + /* + * Setup alternate signal stack, which should be pkey_mprotect()ed by + * MPK 0. The thread's stack cannot be used for signals because it is + * not accessible by the default init_pkru value of 0x55555554. + */ + syscall(SYS_sigaltstack, (long)stack, 0, 0, 0, 0, 0); + + /* Disable MPK 0. Only MPK 2 is enabled. */ + __write_pkey_reg(0x55555545); + + raise_sigusr2(); + + /* Do something, to show the thread resumed execution after the signal */ + syscall_raw(SYS_write, 1, (long) str, sizeof(str) - 1, 0, 0, 0); + + /* + * We can't return to test_pkru_sigreturn because it + * will attempt to use a %rbp value which is on the stack + * of the main thread. + */ + syscall_raw(SYS_exit, 0, 0, 0, 0, 0, 0); + return NULL; +} + +/* + * Verify that sigreturn is able to restore altstack even if the thread had + * disabled pkey 0. + */ +static void test_pkru_sigreturn(void) +{ + struct sigaction sa =3D {0}; + static stack_t sigstack; + void *stack; + int pkey; + int parent_pid =3D 0; + int child_pid =3D 0; + + sa.sa_handler =3D SIG_DFL; + sa.sa_flags =3D 0; + sigemptyset(&sa.sa_mask); + + /* + * For this testcase, we do not want to handle SIGSEGV. Reset handler + * to default so that the application can crash if it receives SIGSEGV. + */ + if (sigaction(SIGSEGV, &sa, NULL) =3D=3D -1) { + perror("sigaction"); + exit(EXIT_FAILURE); + } + + sa.sa_flags =3D SA_SIGINFO | SA_ONSTACK; + sa.sa_sigaction =3D sigusr2_handler; + sigemptyset(&sa.sa_mask); + + if (sigaction(SIGUSR2, &sa, NULL) =3D=3D -1) { + perror("sigaction"); + exit(EXIT_FAILURE); + } + + stack =3D mmap(0, STACK_SIZE, PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + + assert(stack !=3D MAP_FAILED); + + /* + * Allow access to MPK 0 and MPK 2. 
The child thread (to be created + * later in this flow) will have its stack protected by MPK 2, whereas + * the current thread's stack is protected by the default MPK 0. Hence + * both need to be enabled. + */ + __write_pkey_reg(0x55555544); + + /* Protect the stack with MPK 2 */ + pkey =3D pkey_alloc(0, 0); + pkey_mprotect(stack, STACK_SIZE, PROT_READ | PROT_WRITE, pkey); + + /* Set up alternate signal stack that will use the default MPK */ + sigstack.ss_sp =3D mmap(0, STACK_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + sigstack.ss_flags =3D 0; + sigstack.ss_size =3D STACK_SIZE; + + /* Use clone to avoid newer glibcs using rseq on new threads */ + long ret =3D syscall_raw(SYS_clone, + CLONE_VM | CLONE_FS | CLONE_FILES | + CLONE_SIGHAND | CLONE_THREAD | CLONE_SYSVSEM | + CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID | + CLONE_DETACHED, + (long) ((char *)(stack) + STACK_SIZE), + (long) &parent_pid, + (long) &child_pid, 0, 0); + + if (ret < 0) { + errno =3D -ret; + perror("clone"); + } else if (ret =3D=3D 0) { + thread_sigusr2_self(&sigstack); + syscall_raw(SYS_exit, 0, 0, 0, 0, 0, 0); + } + + child_pid =3D ret; + /* Check that thread exited */ + do { + sched_yield(); + ret =3D syscall_raw(SYS_tkill, child_pid, 0, 0, 0, 0, 0); + } while (ret !=3D -ESRCH && ret !=3D -EINVAL); + + ksft_test_result_pass("%s\n", __func__); +} + +void (*pkey_tests[])(void) =3D { + test_sigsegv_handler_with_pkey0_disabled, + test_sigsegv_handler_cannot_access_stack, + test_sigsegv_handler_with_different_pkey_for_stack, + test_pkru_preserved_after_sigusr1, + test_pkru_sigreturn +}; + +int main(int argc, char *argv[]) +{ + int i; + + ksft_print_header(); + ksft_set_plan(ARRAY_SIZE(pkey_tests)); + + for (i =3D 0; i < ARRAY_SIZE(pkey_tests); i++) + (*pkey_tests[i])(); + + ksft_finished(); + return 0; +} diff --git a/tools/testing/selftests/mm/protection_keys.c b/tools/testing/s= elftests/mm/protection_keys.c index 48dc151f8fca..2af344e55d37 100644 
--- a/tools/testing/selftests/mm/protection_keys.c +++ b/tools/testing/selftests/mm/protection_keys.c @@ -950,16 +950,6 @@ void close_test_fds(void) nr_test_fds =3D 0; } =20 -#define barrier() __asm__ __volatile__("": : :"memory") -__attribute__((noinline)) int read_ptr(int *ptr) -{ - /* - * Keep GCC from optimizing this away somehow - */ - barrier(); - return *ptr; -} - void test_pkey_alloc_free_attach_pkey0(int *ptr, u16 pkey) { int i, err; --=20 2.39.3
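Review bot: in the first Makefile hunk, `VMTARGETS := pkey_sighandler_tests` overwrites the preceding `VMTARGETS := protection_keys`, so protection_keys drops out of BINARIES_32/BINARIES_64 and is no longer built for x86. This should be `VMTARGETS += pkey_sighandler_tests`.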
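Review bot: the second Makefile hunk adds pkey_sighandler_tests to TEST_GEN_FILES in the powerpc branch, but syscall_raw() in the new file has only `#ifdef __x86_64__` and `#elif defined __i386__` bodies with no `#else`, so on powerpc every raw syscall returns an uninitialised `ret` and does nothing. Either add a powerpc implementation of syscall_raw() or leave the new test out of TEST_GEN_FILES there.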
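Review bot: in the pkey-helpers.h hunk, turning the `read_ptr()` declaration into a non-static definition in a header will produce duplicate-symbol link errors as soon as the header is included from two translation units of one binary; make it `static noinline` or keep the definition in a single .c file. The `#define barrier()` removed from protection_keys.c is not re-added here either, so the build now depends on the include added at the top of the header supplying both barrier() and noinline; a short comment stating that would help.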
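Review bot: in pkey_sighandler_tests.c the PKRU constants 0x55555550/0x55555551 and 0x55555544/0x55555545 hard-code that the first pkey_alloc() call returns 1 and the second returns 2, yet neither return value is checked (pkey_alloc() can fail, and the first test's pkey is never freed, which is the only reason the second allocation comes back as 2). Compute the PKRU masks from the returned pkey and fail the test when pkey_alloc() returns a negative value. Separately, in test_pkru_sigreturn() a failed clone() only calls perror(): `child_pid = ret` then goes negative, tkill() returns -EINVAL, the wait loop exits immediately and the test still reports pass; the failure should be reported with ksft_test_result_fail() and the function should return.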