From nobody Wed Feb 11 03:42:01 2026 Received: from mail-ed1-f73.google.com (mail-ed1-f73.google.com [209.85.208.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7A6FD26FDA8 for ; Tue, 25 Feb 2025 13:54:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740491649; cv=none; b=JCGMRqk2FNHf01nfDkPoXpG8fXpZQxwBVZDR2c/oM/xCxqhgEI7zEereSGtjfRLQBIvpuHxqXRJmzEz1+IxxpA6DK7NTuZ5m8ySASP0kgXSrhC7IO+xOh46ErTXvvQualbDlK0b5UVAW1jHRCFXKBvpptS3b+6Ddt8tYs5ghPvk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740491649; c=relaxed/simple; bh=g+n3TAVbRYeopfv2thFyRpDHZ0uzmD8PYIu8wMyexJA=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=o2uHlP6A/ybxmBL5D2YRZ35mEayeTu9GZaPlxeOqPelF8g2ptosDKiR/zRhkLOCVvXPPKvR12ApBMPq+bchZhUQUqZ5oY1Kh1vu3NfNsGc6Un95aB/K/41yscRQ2oOUX9H2lKS9sQQAKRhYD5CO6KPf6PpieN6VHIKZZxeoRG0E= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--dvyukov.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=IhJLznCr; arc=none smtp.client-ip=209.85.208.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--dvyukov.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="IhJLznCr" Received: by mail-ed1-f73.google.com with SMTP id 4fb4d7f45d1cf-5e08b755856so4802512a12.1 for ; Tue, 25 Feb 2025 05:54:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1740491645; x=1741096445; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=qdyNR/l9tUX5mWYlAxYoBmtPUMPfXZLm9s3JeHQDuDg=; b=IhJLznCr3K5I5oKqePnOJVgooMNnkhE4pKCoaTnkTWMajcizpOqW3nLgULwdgO3f3g gjPieaN9Kfa+s108/PUzBe4gon00AA9OS7LIhar4u8vChHLvgsbpjTokpVIGrQOD4fhE EbKpuALPoWloKNpV5Ka5nSahZnjMhgZWKAP8sDS94V5G5RNs5DxvBgrGJbDAdYgZRg46 uDpkqkQ9lBL34+HNWetWGDJShF1dhfqCBprOCOadCellVXUIXqrdwsWlYnNEDGc5sdVL jO0nbltHWqT6b2Xavm76wky6maQN6b4anG4ZdZhsblk8gGfE859wC0WaG025Y7GCHwMd 2AGQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1740491645; x=1741096445; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=qdyNR/l9tUX5mWYlAxYoBmtPUMPfXZLm9s3JeHQDuDg=; b=nOtCKXc7FSky0dTKMYrPu861+cip13JjJEKkSwhylqisC6gvBLDUS9u1ZNKi1Aicy/ B866tKugFbdRd0tWowlSSIGMsAA/0efvPCpAYf627NM7rycq4xvaCj5TnlbduVq2uEqm qdEZg7bGNqt5RG9rkK1NYpLe6v8lqo96sj8TTQbxi2CHeuIwE5L4WM7FBqQ5jMIWhyoJ ilBsTfL8VoPqtxmlzyoxtWCmWT/e9UzqykZ+fm6iEEiikyzyXlsV2qI3m51ThgjW2ouG xyl7Os7wUe6crjWjSHKuCtaIblC9TP+m+eWe3+pB1K/L1ic/Sg/DgKSGv5CQqBXiXZSM 9oDQ== X-Forwarded-Encrypted: i=1; AJvYcCUYKFRaWBRelRmJDRlCahl7nRZppgp85nuGeNB2qrTudMItAkyIXxBtDTC7lyC7nsGn0H4XeNvyUghXwQU=@vger.kernel.org X-Gm-Message-State: AOJu0YyrqaUgCEMIboulOF2uz/hF2LZeyQru+sHILShu2IM/f5N0jIwN SxnoCNqMi7kqNi7gfuMZzxXDtLV0AK91+L2bqNT+tDlMh+SeyE9U91WEfxBZk4AIOUmvm5n2D4u efqYg7A== X-Google-Smtp-Source: AGHT+IEGPaJGqqLzhk9TVJVTOjR4kEA4ZifYmUctOEbv4wTcMB36xiJLmFQsK5lJK7Mvd7hfDjnnd6qGjQvh X-Received: from edc20.prod.google.com ([2002:a05:6402:4614:b0:5de:d7ab:eca2]) (user=dvyukov job=prod-delivery.src-stubby-dispatcher) by 2002:a05:6402:50c7:b0:5dc:cc02:5d25 with SMTP id 4fb4d7f45d1cf-5e0b70d5729mr18190417a12.11.1740491644884; Tue, 25 Feb 2025 05:54:04 -0800 (PST) Date: Tue, 25 Feb 2025 14:53:43 +0100 In-Reply-To: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: X-Mailer: git-send-email 2.48.1.658.g4767266eb4-goog Message-ID: Subject: [PATCH v5 1/4] pkeys: add API to switch to permissive/zero pkey register From: Dmitry Vyukov To: mathieu.desnoyers@efficios.com, peterz@infradead.org, boqun.feng@gmail.com, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, aruna.ramakrishna@oracle.com, elver@google.com Cc: Dmitry Vyukov , "Paul E. McKenney" , x86@kernel.org, linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" The API allows to switch to permissive pkey register that allows accesses to all PKEYs, and to a value that allows access to the 0 (default) PKEY. x86 signal delivery already uses switching to permissive PKEY register value, and rseq needs to allow access to PKEY 0 while accessing struct rseq/rseq_cs. Signed-off-by: Dmitry Vyukov Cc: Mathieu Desnoyers Cc: Peter Zijlstra Cc: "Paul E. McKenney" Cc: Boqun Feng Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: Dave Hansen Cc: "H. Peter Anvin" Cc: Aruna Ramakrishna Cc: x86@kernel.org Cc: linux-kernel@vger.kernel.org Reviewed-by: Mathieu Desnoyers Fixes: d7822b1e24f2 ("rseq: Introduce restartable sequences system call") --- Changes in v5: - Removed leftover dead code in enable_zero_pkey_val - Clarified commit message Changes in v4: - Added Fixes tag Changes in v3: - Renamed API functions to write_permissive_pkey_val/write_pkey_val - Added enable_zero_pkey_val for rseq - Added Reviewed-by: Mathieu Desnoyers Changes in v2: - Fixed typo in commit description --- arch/x86/Kconfig | 1 + arch/x86/include/asm/pkeys.h | 30 ++++++++++++++++++++++++++++++ arch/x86/include/asm/pkru.h | 10 +++++++--- include/linux/pkeys.h | 31 +++++++++++++++++++++++++++++++ mm/Kconfig | 2 ++ 5 files changed, 71 insertions(+), 3 deletions(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index be2c311f5118d..43af2840d098f 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1881,6 +1881,7 @@ config X86_INTEL_MEMORY_PROTECTION_KEYS depends on X86_64 && (CPU_SUP_INTEL || CPU_SUP_AMD) select ARCH_USES_HIGH_VMA_FLAGS select ARCH_HAS_PKEYS + select ARCH_HAS_PERMISSIVE_PKEY help Memory Protection Keys provides a mechanism for enforcing page-based protections, but without requiring modification of the diff --git a/arch/x86/include/asm/pkeys.h b/arch/x86/include/asm/pkeys.h index 2e6c04d8a45b4..614099766d5f2 100644 --- a/arch/x86/include/asm/pkeys.h +++ b/arch/x86/include/asm/pkeys.h @@ -2,6 +2,8 @@ #ifndef _ASM_X86_PKEYS_H #define _ASM_X86_PKEYS_H =20 +#include "pkru.h" + /* * If more than 16 keys are ever supported, a thorough audit * will be necessary to ensure that the types that store key @@ -123,4 +125,32 @@ static inline int vma_pkey(struct vm_area_struct *vma) return (vma->vm_flags & vma_pkey_mask) >> VM_PKEY_SHIFT; } =20 +typedef u32 pkey_reg_t; + +static inline pkey_reg_t write_permissive_pkey_val(void) +{ + return write_pkru(0); +} + +static inline pkey_reg_t enable_zero_pkey_val(void) +{ + u32 pkru; + + if (!cpu_feature_enabled(X86_FEATURE_OSPKE)) + return 0; + /* + * WRPKRU is relatively expensive compared to RDPKRU, + * avoid it if possible. + */ + pkru =3D rdpkru(); + if ((pkru & (PKRU_AD_BIT|PKRU_WD_BIT)) !=3D 0) + wrpkru(pkru & ~(PKRU_AD_BIT|PKRU_WD_BIT)); + return pkru; +} + +static inline void write_pkey_val(pkey_reg_t val) +{ + write_pkru(val); +} + #endif /*_ASM_X86_PKEYS_H */ diff --git a/arch/x86/include/asm/pkru.h b/arch/x86/include/asm/pkru.h index 74f0a2d34ffdd..b9bf9b7f2753b 100644 --- a/arch/x86/include/asm/pkru.h +++ b/arch/x86/include/asm/pkru.h @@ -39,16 +39,20 @@ static inline u32 read_pkru(void) return 0; } =20 -static inline void write_pkru(u32 pkru) +static inline u32 write_pkru(u32 pkru) { + u32 old_pkru; + if (!cpu_feature_enabled(X86_FEATURE_OSPKE)) - return; + return 0; /* * WRPKRU is relatively expensive compared to RDPKRU. * Avoid WRPKRU when it would not change the value. */ - if (pkru !=3D rdpkru()) + old_pkru =3D rdpkru(); + if (pkru !=3D old_pkru) wrpkru(pkru); + return old_pkru; } =20 static inline void pkru_write_default(void) diff --git a/include/linux/pkeys.h b/include/linux/pkeys.h index 86be8bf27b41b..262d60f6a15f8 100644 --- a/include/linux/pkeys.h +++ b/include/linux/pkeys.h @@ -48,4 +48,35 @@ static inline bool arch_pkeys_enabled(void) =20 #endif /* ! CONFIG_ARCH_HAS_PKEYS */ =20 +#ifndef CONFIG_ARCH_HAS_PERMISSIVE_PKEY + +/* + * Common name for value of the register that controls access to PKEYs + * (called differently on different arches: PKRU, POR, AMR). + */ +typedef char pkey_reg_t; + +/* + * Sets PKEY access register to the most permissive value that allows + * accesses to all PKEYs. Returns the current value of PKEY register. + * Code should generally arrange switching back to the old value + * using write_pkey_val(old_value). + */ +static inline pkey_reg_t write_permissive_pkey_val(void) +{ + return 0; +} + +/* + * Sets PKEY access register to a value that allows access to the 0 (defau= lt) + * PKEY. Returns the current value of PKEY register. + */ +static inline pkey_reg_t enable_zero_pkey_val(void) +{ + return 0; +} + +static inline void write_pkey_val(pkey_reg_t val) {} +#endif /* ! CONFIG_ARCH_HAS_PERMISSIVE_PKEY */ + #endif /* _LINUX_PKEYS_H */ diff --git a/mm/Kconfig b/mm/Kconfig index 1b501db064172..9e874f7713a2b 100644 --- a/mm/Kconfig +++ b/mm/Kconfig @@ -1147,6 +1147,8 @@ config ARCH_USES_HIGH_VMA_FLAGS bool config ARCH_HAS_PKEYS bool +config ARCH_HAS_PERMISSIVE_PKEY + bool =20 config ARCH_USES_PG_ARCH_2 bool --=20 2.48.1.658.g4767266eb4-goog From nobody Wed Feb 11 03:42:01 2026 Received: from mail-ed1-f74.google.com (mail-ed1-f74.google.com [209.85.208.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0D1CA26AAAF for ; Tue, 25 Feb 2025 13:54:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740491650; cv=none; b=h0GhAO9dOudMrQ1NZ+kTppK6sdC8fTkQqVhhp94WpUuR1RW4L1t/69MUDQJcWF8OOpTNzfEIk36SEkIcvb4+jWYbOfxNTHxY+g/+nfVIYLHcTsBU0pOcvbhic88VuB0fkyqJ1KzHytldbkd9gKm3gt6xuHv2ru28PiwvyE1Ttvc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740491650; c=relaxed/simple; bh=CpsQ8gPZhCNNexBNxcXW/ScOiO2pyTQCoBkZQKi+y/U=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=OfhiWawtXT1gV7dF1V5eGfX4c+/C25aKcVOD+GCpJyYp8ySw+ylM1pzJD0yjhwr0Ds34Rm9Cy6kujR+qEehm1PovXzdnBowI58VS/PnD0wi9NuaT54OZn0Dsilk8yUL2CWNQnWiHmE/imHF9kQugOW4q32c5YYDkcUVP5CRBdfE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--dvyukov.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=dPVD7ypB; arc=none smtp.client-ip=209.85.208.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--dvyukov.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="dPVD7ypB" Received: by mail-ed1-f74.google.com with SMTP id 4fb4d7f45d1cf-5de5172cc5bso4811072a12.0 for ; Tue, 25 Feb 2025 05:54:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1740491647; x=1741096447; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=zNcMrV7t1QnfFYP1kD7TtFwTsf7x6jGURXQgshyNxRc=; b=dPVD7ypBEcH2hIWK8HjU8OU6luGYHfP7Yku1IH2wB+ElYfHrExF6rwRTLhM2YW1k7I jCGjq6q90FyfixiogqD9EW4ZC6rpyzPFd+ml6smtujYKAVCb76KRC2WKWfv1lops2mhh rcK+omkfqTBTWGnr0c4dhJsflpdxcWzg2wWgxcq6PpO7f7p30P1Pgba3Fur83Fp2LmXS hinw7qBDGwZqNGN+K3uLdNYCI10DnqdAQo2FTlXWJfVzX0mnJgZFwHxNCFmuqkxxTpTS WRT0yWli/tUgQ/FcpWxQOE6iQhxTuqxVke/qnJWc+4evrOqkx//BOMCngZzjr/0yC6pd b7HA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1740491647; x=1741096447; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=zNcMrV7t1QnfFYP1kD7TtFwTsf7x6jGURXQgshyNxRc=; b=lezDXZ1PG8xluB+EuFzwTEV/aKGUPSpcuvqJgOL1mA4ZgkqvujvQXTmChudchjGOr8 pKmW2UIUnJLPToYkKR+YEs4XhF2NMczQrLcwrtrjPY2AeVEIRAmVsK07XM4HDAUzRi00 OFmuTLEC3YRGFL064nQRaF/TCY6yITOzsrna1IYKBoxybtd9/piwsSERpuMviMPpxVm2 yQuf5chxkyRZB/t6yGS/9uy8Bxnfzydrsc+AjYiPXNR/LiBaOQQvRTz5SM5ynKABIAAG gkunUik94L2YQ3IkMXd+3r7D0LM2AmihhwjSZ2HISjzc82AhZDP3ZnXG9qm5taqFx5Ep eUEA== X-Forwarded-Encrypted: i=1; AJvYcCWMc7gf7+lukUZKU9LkK5yvhp0H4n2HVct+vsvM/FzEgvmAIBISRQJIDjvB5LX/vfF2fUklBrGzuF6d0/E=@vger.kernel.org X-Gm-Message-State: AOJu0Yx5ElGiNgtEidSuIfNj8Qz5ReWaZRfKiMkznCcojAroDiMIch4l vmr6mLTZ65AHPq/eZuMVhZhg768reKfthyWMGfloGIQEYfT7HrQK9wXuYbTclchI4jQfnxmbxF5 Vauuc9w== X-Google-Smtp-Source: AGHT+IFxodJDTXypywDkt61TczRf0gGeUjt1+FG8Dyr0eG2KGB3O90aQZqb5frhvH8jrUSKxouqiQUQwpBM/ X-Received: from edbij26.prod.google.com ([2002:a05:6402:159a:b0:5db:e930:604c]) (user=dvyukov job=prod-delivery.src-stubby-dispatcher) by 2002:a05:6402:210d:b0:5df:6a:54ea with SMTP id 4fb4d7f45d1cf-5e4457abbc9mr8775424a12.11.1740491647399; Tue, 25 Feb 2025 05:54:07 -0800 (PST) Date: Tue, 25 Feb 2025 14:53:44 +0100 In-Reply-To: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: X-Mailer: git-send-email 2.48.1.658.g4767266eb4-goog Message-ID: Subject: [PATCH v5 2/4] x86/signal: Use write_permissive_pkey_val() helper From: Dmitry Vyukov To: mathieu.desnoyers@efficios.com, peterz@infradead.org, boqun.feng@gmail.com, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, aruna.ramakrishna@oracle.com, elver@google.com Cc: Dmitry Vyukov , "Paul E. McKenney" , x86@kernel.org, linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Use the new switch_to_permissive_pkey_reg() helper instead of the custom code. No functional changes intended. Signed-off-by: Dmitry Vyukov Cc: Mathieu Desnoyers Cc: Peter Zijlstra Cc: "Paul E. McKenney" Cc: Boqun Feng Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: Dave Hansen Cc: "H. Peter Anvin" Cc: Aruna Ramakrishna Cc: x86@kernel.org Cc: linux-kernel@vger.kernel.org --- Changes in v3: - restore sig_prepare_pkru with the large comment and make it call the new write_permissive_pkey_val --- arch/x86/kernel/signal.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c index 5f441039b5725..27a66a0697dd2 100644 --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c @@ -28,6 +28,7 @@ #include #include #include +#include =20 #include #include @@ -72,10 +73,7 @@ static inline int is_x32_frame(struct ksignal *ksig) */ static inline u32 sig_prepare_pkru(void) { - u32 orig_pkru =3D read_pkru(); - - write_pkru(0); - return orig_pkru; + return write_permissive_pkey_val(); } =20 /* --=20 2.48.1.658.g4767266eb4-goog From nobody Wed Feb 11 03:42:01 2026 Received: from mail-ed1-f74.google.com (mail-ed1-f74.google.com [209.85.208.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DA0D5270ED6 for ; Tue, 25 Feb 2025 13:54:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.208.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740491653; cv=none; b=sB08PtMbJYLUC53tCpG3xLmq3OCtFNRTYpjLCu/dXImjFAX1QS8Xo5n1PaS+9LTKrnr7LDbbgfTWYD+5C0lCrkB4ut4NwOHspdAmmgRu41n+rJ4qRS/MAMiJS+VHnFNtNw0vg+cVKwo3IawTCDkfLFen69jASgHJzw+QvYCw4EI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740491653; c=relaxed/simple; bh=mxDSTV22DiCZLVFJCl4A43B/Ycht0NkS/AjZis6gklI=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=TUjMVnIEgcTmyGNnL0p+98h4laReByRKwTHgNp99ia1dq6WRfWrsL4Ce5TY3MIaQ9nPCMddNRAVmZS5SM5wQfCiJqExkXWwW1Z358bWAQ9O/m3/NFJvthEKaEBO4zffrQqVmNXe8Hl9FnWtzmdv3q7wadPzT+loD2gJSLs01G5o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--dvyukov.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=LbqzLesD; arc=none smtp.client-ip=209.85.208.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--dvyukov.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="LbqzLesD" Received: by mail-ed1-f74.google.com with SMTP id 4fb4d7f45d1cf-5dca72b752fso4749689a12.0 for ; Tue, 25 Feb 2025 05:54:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1740491650; x=1741096450; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=ChERg0C5IMhC+KsYfx8s1jLwzf306OmVcGDjMs1a3W4=; b=LbqzLesDXYOnJEi9nH+QwW4yAp+e0Bv2SngsYrkEiZJChLSVh199iwAiOZWqA1ddY/ SmQ1c3UaHNo1t7T+ld9+hBoSP1mzFfTSBUdfZ8dwdAZnBIhB+aT4qm5nqIwLFFVcZ43b zfih7ouoxml78BZRwSPK80LfyCZlGCt+uVBjcfyGwQtFvNzigMgRIuTuRVJ8is5Evuah eh06NbrfdO8RFZ5hSzQ3yrvGDt8i3GQViPkNeOvusXSAJx03aR+2tLKw/qdk5Z4gr6Id OXdWx4AdRJKcC8dpDZPTb44k5pdKLWXQQSiRvAAO6Ln9oEGgogZNy8jC4rzdXJQ8uY89 MtHg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1740491650; x=1741096450; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=ChERg0C5IMhC+KsYfx8s1jLwzf306OmVcGDjMs1a3W4=; b=cZcWL/wm0szBQou48rc/ev+LenzdyvwDAjc7pG7/j22f9f7rIY+5QzlLTCqx1WAFN4 LWePyCDqmHNE82MkensRzZm3R25T682R6cBf4J4kZv9deCLSRULzozBxAq8CXhNvQzQS 8xCbPcRdHyBSTZdis37qIo/HFahijO09U3x+q3gvx2cgp3biZV7kPKvlpTwo1UAirRRH e/R25diOe6HUBLjFWgDHAD6SozSmh+si0dz0eW2YdiYqNuiJUd0pxntZPlg8Fg94m8E8 pPUc4bNKoFtSCNiRh+Lrvm9oxnwBGQGnQfPh49Y4cxPaJgg1AFTY9iqNSFMt3PxMUTzm hrPw== X-Forwarded-Encrypted: i=1; AJvYcCVO8pXEKf2KAAwi0qKhTTf84mLuGv/krkFXP+u2FexxiFJMTo7jq4FJzzKUdvM/RA2AehsGV6ywVXkZrIk=@vger.kernel.org X-Gm-Message-State: AOJu0YxESUr1dxSSOpRDNZLoePVvGkDOBRBah2zxUCnDL9t/TIpGBR2s tkNSjFB7J6TMXiHkpAHNDKFf/U8pW9fKR87waNQyndMl1TbCg1Q5JHsKAD0kLZqHvd+PYAvTSV6 I5JOOqg== X-Google-Smtp-Source: AGHT+IGR4ye76RG7GGhfnoDpouhotKvLlIH8/k3O7dfNt7egFDh7xZ6VjoDI16/iX0GRZKK4+UHXURQUOnI2 X-Received: from edat32.prod.google.com ([2002:a05:6402:2420:b0:5de:6258:5aae]) (user=dvyukov job=prod-delivery.src-stubby-dispatcher) by 2002:a05:6402:2790:b0:5dc:1173:bfa3 with SMTP id 4fb4d7f45d1cf-5e0b7247814mr18073474a12.29.1740491650230; Tue, 25 Feb 2025 05:54:10 -0800 (PST) Date: Tue, 25 Feb 2025 14:53:45 +0100 In-Reply-To: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: X-Mailer: git-send-email 2.48.1.658.g4767266eb4-goog Message-ID: <659cbdf4c59910d3d3a7ce3f7ea6f6935c102fcf.1740491413.git.dvyukov@google.com> Subject: [PATCH v5 3/4] rseq: Make rseq work with protection keys From: Dmitry Vyukov To: mathieu.desnoyers@efficios.com, peterz@infradead.org, boqun.feng@gmail.com, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, aruna.ramakrishna@oracle.com, elver@google.com Cc: Dmitry Vyukov , "Paul E. McKenney" , x86@kernel.org, linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" If an application registers rseq, and ever switches to another pkey protection (such that the rseq becomes inaccessible), then any context switch will cause failure in __rseq_handle_notify_resume() attempting to read/write struct rseq and/or rseq_cs. Since context switches are asynchronous and are outside of the application control (not part of the restricted code scope), temporarily switch to pkey value that allows access to the 0 (default) PKEY. Signed-off-by: Dmitry Vyukov Cc: Mathieu Desnoyers Cc: Peter Zijlstra Cc: "Paul E. McKenney" Cc: Boqun Feng Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: Dave Hansen Cc: "H. Peter Anvin" Cc: Aruna Ramakrishna Cc: x86@kernel.org Cc: linux-kernel@vger.kernel.org Fixes: d7822b1e24f2 ("rseq: Introduce restartable sequences system call") --- Changes in v4: - Added Fixes tag Changes in v3: - simplify control flow to always enable access to 0 pkey Changes in v2: - fixed typos and reworded the comment --- kernel/rseq.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/kernel/rseq.c b/kernel/rseq.c index 2cb16091ec0ae..9d9c976d3b78c 100644 --- a/kernel/rseq.c +++ b/kernel/rseq.c @@ -10,6 +10,7 @@ =20 #include #include +#include #include #include #include @@ -402,11 +403,19 @@ static int rseq_ip_fixup(struct pt_regs *regs) void __rseq_handle_notify_resume(struct ksignal *ksig, struct pt_regs *reg= s) { struct task_struct *t =3D current; + pkey_reg_t saved_pkey; int ret, sig; =20 if (unlikely(t->flags & PF_EXITING)) return; =20 + /* + * Enable access to the default (0) pkey in case the thread has + * currently disabled access to it and struct rseq/rseq_cs has + * 0 pkey assigned (the only supported value for now). + */ + saved_pkey =3D enable_zero_pkey_val(); + /* * regs is NULL if and only if the caller is in a syscall path. Skip * fixup and leave rseq_cs as is so that rseq_sycall() will detect and @@ -419,9 +428,11 @@ void __rseq_handle_notify_resume(struct ksignal *ksig,= struct pt_regs *regs) } if (unlikely(rseq_update_cpu_node_id(t))) goto error; + write_pkey_val(saved_pkey); return; =20 error: + write_pkey_val(saved_pkey); sig =3D ksig ? ksig->sig : 0; force_sigsegv(sig); } --=20 2.48.1.658.g4767266eb4-goog From nobody Wed Feb 11 03:42:01 2026 Received: from mail-ej1-f73.google.com (mail-ej1-f73.google.com [209.85.218.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 65970271278 for ; Tue, 25 Feb 2025 13:54:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.73 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740491656; cv=none; b=K53KvEuSQZd3pzVgahvJj5niusdsR6EpDD3XoO/SPu0drSTUZZVYk7KB4vegpWvIb9Z25xUu9uqcSbK6s8GWhfZERLFH6elVYhJ5vobr327NUFfX1mXm/Z/Gt2FM1Ku3XvYqV0ZOCWLXmSI9Z3kFpRRfrcCTcjJiwN80sFZwn7g= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1740491656; c=relaxed/simple; bh=yRnlyHY5sj0nPolyHcCX0W1VmtYMVBh6HOo3S9R4zcs=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=jBuV42zOSkg47Qi8XcUHA/nttNCeX8y55hTLRU/0f/ukREuFwG7MIrIBbxzADDlsHyM+VcpTD6ksFTbL0LtsI0SmBHGVQRoIdzVEh+kbeXdolCmLio97NHXBMn+euFVpW9tK6hS+vZYtyovjCqmWc3b30LF/b5cVe6sphfMwvGA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--dvyukov.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=Goj85YWV; arc=none smtp.client-ip=209.85.218.73 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--dvyukov.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="Goj85YWV" Received: by mail-ej1-f73.google.com with SMTP id a640c23a62f3a-abb8f65af3dso505112666b.1 for ; Tue, 25 Feb 2025 05:54:14 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1740491653; x=1741096453; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=i4/DXlVSjcMlIzI08dLupqZQFFeRwmRS51ToDVNdHuU=; b=Goj85YWVL8QmgeTATw+IbrC3/qeWtOTx//V68u7TjNv0n3FqMaS+Vsotz2hzM63HZl XlTEYwocKGrD1n07ZqGzfh+frCGmRAC02UGarbQmu4bvLdfuP5yFTMU3KmCCfPUXekb8 YVF2cs2g/EU28I0uK4BlBhVVA38bOb/YwmWeLZxEjnKUHnPsuUHZNd2emN9xjdNpL4My Uw3XnsgL9Oa19S2JmFW5iPAv6Z5OFbwDYj8WJRhIO+oslPajK16XBmKiU9iHG9xekmrf xpHkMFFFBKEacHzIovnqLCpWwxbGpOOxzlQmNhLa8rKM7pkat1fPeE5rOcHPluJvpts/ VPQA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1740491653; x=1741096453; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=i4/DXlVSjcMlIzI08dLupqZQFFeRwmRS51ToDVNdHuU=; b=vHsIcdhVLRRZOhZeQ5bsJmANdAWpFrTxOKwBl24bc4eyCFhJvELt85t1rt8wX5vHwk kE9hFx3tzwchUfnFAXmn9BAlBW5PMB4/meIxspYX0+f+OJVPIOqTOQ3rLQJHEzZav7lM VHxS4UjvBvEsgRV0WHUBO0xM4SCRYytizXznu+34sMiIqVh9zGw8TGYDJ4b9JcZMUvyu CZyOXJ7Yq//xAcx869c+d3kvwcfAyWiNgqxd8gK5pt1qSawW0HKWVg0i6yC5uELrb+Cy L0LQEywCPRyRlWnYjL7+2Uefl2wRt9aNxOinfhVnB9av4A0RhspU6/pTxM/Pj2wE2F0P WsDg== X-Forwarded-Encrypted: i=1; AJvYcCWS1wUg1S7FFKUxHAdt+20TNTSJ53w+GCttiM1sSduFjphb1gDtjed8nCkAO29bvLLys2xSZtRMP08GumM=@vger.kernel.org X-Gm-Message-State: AOJu0YxvM6qIqQMUZ4IjTMPBcHOSz0NExCU547NrNtJ/datPS38zvdwv Km5IkfsiRXgU/fLmTgyfVA6Kq4JUth8QFvdqXMRsWDg/W/xUJSv/NlHkGlKLt8dwlJicax8aouk XPsyW2Q== X-Google-Smtp-Source: AGHT+IGoDWk/TpcFuDY40DBypweVg4CXS82/Nz6prX7/2RhjV/lp4W5V7+glWTjinPnVUuy1Ux3dqkfPTmYt X-Received: from ejcun1.prod.google.com ([2002:a17:907:cb81:b0:abb:8b18:27f3]) (user=dvyukov job=prod-delivery.src-stubby-dispatcher) by 2002:a17:906:314c:b0:ab7:ec8b:c642 with SMTP id a640c23a62f3a-abc099e9473mr1556633066b.5.1740491652676; Tue, 25 Feb 2025 05:54:12 -0800 (PST) Date: Tue, 25 Feb 2025 14:53:46 +0100 In-Reply-To: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: X-Mailer: git-send-email 2.48.1.658.g4767266eb4-goog Message-ID: Subject: [PATCH v5 4/4] selftests/rseq: Add test for rseq+pkeys From: Dmitry Vyukov To: mathieu.desnoyers@efficios.com, peterz@infradead.org, boqun.feng@gmail.com, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, aruna.ramakrishna@oracle.com, elver@google.com Cc: Dmitry Vyukov , "Paul E. McKenney" , x86@kernel.org, linux-kernel@vger.kernel.org Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Add a test that ensures that PKEY-protected struct rseq_cs works and does not lead to process kills. Signed-off-by: Dmitry Vyukov Cc: Mathieu Desnoyers Cc: Peter Zijlstra Cc: "Paul E. McKenney" Cc: Boqun Feng Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: Dave Hansen Cc: "H. Peter Anvin" Cc: Aruna Ramakrishna Cc: x86@kernel.org Cc: linux-kernel@vger.kernel.org Acked-by: Dave Hansen Fixes: d7822b1e24f2 ("rseq: Introduce restartable sequences system call") --- Changes in v5: - Use static for variables/functions - Use RSEQ_READ/WRITE_ONCE instead of volatile Changes in v4: - Added Fixes tag Changes in v3: - added Acked-by: Dave Hansen - rework the test to work when only pkey 0 is supported for rseq Changes in v2: - change test to install protected rseq_cs instead of rseq --- tools/testing/selftests/rseq/Makefile | 2 +- tools/testing/selftests/rseq/pkey_test.c | 98 ++++++++++++++++++++++++ tools/testing/selftests/rseq/rseq.h | 1 + 3 files changed, 100 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/rseq/Makefile b/tools/testing/selftest= s/rseq/Makefile index 5a3432fceb586..9111d25fea3af 100644 --- a/tools/testing/selftests/rseq/Makefile +++ b/tools/testing/selftests/rseq/Makefile @@ -16,7 +16,7 @@ OVERRIDE_TARGETS =3D 1 =20 TEST_GEN_PROGS =3D basic_test basic_percpu_ops_test basic_percpu_ops_mm_ci= d_test param_test \ param_test_benchmark param_test_compare_twice param_test_mm_cid \ - param_test_mm_cid_benchmark param_test_mm_cid_compare_twice + param_test_mm_cid_benchmark param_test_mm_cid_compare_twice pkey_test =20 TEST_GEN_PROGS_EXTENDED =3D librseq.so =20 diff --git a/tools/testing/selftests/rseq/pkey_test.c b/tools/testing/selft= ests/rseq/pkey_test.c new file mode 100644 index 0000000000000..cc4dd98190942 --- /dev/null +++ b/tools/testing/selftests/rseq/pkey_test.c @@ -0,0 +1,98 @@ +// SPDX-License-Identifier: LGPL-2.1 +/* + * Ensure that rseq works when rseq data is inaccessible due to PKEYs. + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "rseq.h" +#include "rseq-abi.h" + +static int pkey; +static ucontext_t ucp0, ucp1; + +static void coroutine(void) +{ + int i, orig_pk0, old_pk0, old_pk1, pk0, pk1; + /* + * When we disable access to pkey 0, globals and TLS become + * inaccessible too, so we need to tread carefully. + * Pkey is global so we need to copy it onto the stack. + */ + int pk =3D RSEQ_READ_ONCE(pkey); + struct timespec ts; + + orig_pk0 =3D pkey_get(0); + if (pkey_set(0, PKEY_DISABLE_ACCESS)) + err(1, "pkey_set failed"); + old_pk0 =3D pkey_get(0); + old_pk1 =3D pkey_get(pk); + + /* + * Prevent compiler from initializing it by loading a 16-global. + */ + RSEQ_WRITE_ONCE(ts.tv_sec, 0); + RSEQ_WRITE_ONCE(ts.tv_nsec, 10 * 1000); + /* + * If the kernel misbehaves, context switches in the following loop + * will terminate the process with SIGSEGV. + * Trigger preemption w/o accessing TLS. + * Note that glibc's usleep touches errno always. + */ + for (i =3D 0; i < 10; i++) + syscall(SYS_clock_nanosleep, CLOCK_MONOTONIC, 0, &ts, NULL); + + pk0 =3D pkey_get(0); + pk1 =3D pkey_get(pk); + if (pkey_set(0, orig_pk0)) + err(1, "pkey_set failed"); + + /* + * Ensure that the kernel has restored the previous value of pkeys + * register after changing them. + */ + if (old_pk0 !=3D pk0) + errx(1, "pkey 0 changed %d->%d", old_pk0, pk0); + if (old_pk1 !=3D pk1) + errx(1, "pkey 1 changed %d->%d", old_pk1, pk1); + + swapcontext(&ucp1, &ucp0); + abort(); +} + +int main(int argc, char **argv) +{ + pkey =3D pkey_alloc(0, 0); + if (pkey =3D=3D -1) { + printf("[SKIP]\tKernel does not support PKEYs: %s\n", + strerror(errno)); + return 0; + } + + if (rseq_register_current_thread()) + err(1, "rseq_register_current_thread failed"); + + if (getcontext(&ucp1)) + err(1, "getcontext failed"); + ucp1.uc_stack.ss_size =3D getpagesize() * 4; + ucp1.uc_stack.ss_sp =3D mmap(NULL, ucp1.uc_stack.ss_size, + PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0); + if (ucp1.uc_stack.ss_sp =3D=3D MAP_FAILED) + err(1, "mmap failed"); + if (pkey_mprotect(ucp1.uc_stack.ss_sp, ucp1.uc_stack.ss_size, + PROT_READ | PROT_WRITE, pkey)) + err(1, "pkey_mprotect failed"); + makecontext(&ucp1, coroutine, 0); + if (swapcontext(&ucp0, &ucp1)) + err(1, "swapcontext failed"); + return 0; +} diff --git a/tools/testing/selftests/rseq/rseq.h b/tools/testing/selftests/= rseq/rseq.h index ba424ce80a719..65da4a727c550 100644 --- a/tools/testing/selftests/rseq/rseq.h +++ b/tools/testing/selftests/rseq/rseq.h @@ -8,6 +8,7 @@ #ifndef RSEQ_H #define RSEQ_H =20 +#include #include #include #include --=20 2.48.1.658.g4767266eb4-goog