From patchwork Tue Jul 23 14:47:50 2024
X-Patchwork-Submitter: Andrew Zaborowski
X-Patchwork-Id: 13740152
From: Andrew Zaborowski
To: linux-edac@vger.kernel.org, linux-mm@kvack.org
Cc: Kees Cook, Tony Luck, Eric Biederman, Borislav Petkov
Subject: [RESEND][PATCH 1/3] x86: Add task_struct flag to force SIGBUS on MCE
Date: Tue, 23 Jul 2024 16:47:50 +0200
Message-ID: <20240723144752.1478226-1-andrew.zaborowski@intel.com>
X-Mailer: git-send-email 2.43.0

Uncorrected memory errors for user pages are signaled to processes
using SIGBUS or, if the error happens in a syscall, an error retval
from the syscall. The SIGBUS is documented in
Documentation/mm/hwpoison.rst#failure-recovery-modes

But there are corner cases where we cannot or don't want to return a
plain error from the syscall. Subsequent commits cover two such cases:
execve and rseq. Current code, in both places, will kill the task with
a SIGSEGV on error. While not explicitly stated, it can be argued that
it should be a SIGBUS, for consistency and for the benefit of the
userspace signal handlers. Even if the process cannot handle the
signal, perhaps the parent process can. This was the case in the
scenario that motivated this patch.

In both cases, the architecture's exception handler (MCE handler on
x86) will queue a call to memory_failure. This doesn't work because the
syscall-specific code sees the -EFAULT and terminates the task before
the queued work runs.

To fix this:
1. let pending work run in the error cases in both places. And
2. on MCE, ensure memory_failure() is passed MF_ACTION_REQUIRED so that
the SIGBUS is queued.
Normally when the MCE is in a syscall, a fixup of return IP and a call
to kill_me_never() are what we want. But in this case it's necessary
to queue kill_me_maybe() which will set MF_ACTION_REQUIRED which is
checked by memory_failure().

To do this the syscall code will set current->kill_on_efault, a new
task_struct flag. Check that flag in
arch/x86/kernel/cpu/mce/core.c:do_machine_check()

Note: the flag is not x86 specific even if only x86 handling is being
added here. The definition could be guarded by
 #ifdef CONFIG_MEMORY_FAILURE, but it would then need set/clear
utilities.

Signed-off-by: Andrew Zaborowski
---
Resending through an SMTP server that won't add the company footer.

This is a v2 of
https://lore.kernel.org/linux-mm/20240501015340.3014724-1-andrew.zaborowski@intel.com/
In the v1 the existing flag current->in_execve was being reused
instead of adding a new one.

Kees Cook commented in
https://lore.kernel.org/linux-mm/202405010915.465AF19@keescook/ that
current->in_execve is going away. Lacking a better idea and seeing
that execve() and rseq() would benefit from using a common mechanism, I
decided to add this new flag.

Perhaps with a better name current->kill_on_efault could replace
bprm->point_of_no_return to offset the pain of having this extra flag.
--- arch/x86/kernel/cpu/mce/core.c | 18 +++++++++++++++++- include/linux/sched.h | 2 ++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/x86/kernel/cpu/mce/core.c b/arch/x86/kernel/cpu/mce/core.c index ad0623b65..13f2ace3d 100644 --- a/arch/x86/kernel/cpu/mce/core.c +++ b/arch/x86/kernel/cpu/mce/core.c @@ -1611,7 +1611,7 @@ noinstr void do_machine_check(struct pt_regs *regs) if (p) SetPageHWPoison(p); } - } else { + } else if (!current->kill_on_efault) { /* * Handle an MCE which has happened in kernel space but from * which the kernel can recover: ex_has_fault_handler() has 
@@ -1628,6 +1628,22 @@ noinstr void do_machine_check(struct pt_regs *regs) if (m.kflags & MCE_IN_KERNEL_COPYIN) queue_task_work(&m, msg, kill_me_never); + } else { + /* + * Even with recovery code extra handling is required when + * we're not returning to userspace after error (e.g. in + * execve() beyond the point of no return) to ensure that + * a SIGBUS is delivered. + */ + if (m.kflags & MCE_IN_KERNEL_RECOV) { + if (!fixup_exception(regs, X86_TRAP_MC, 0, 0)) + mce_panic("Failed kernel mode recovery", &m, msg); + } + + if (!mce_usable_address(&m)) + queue_task_work(&m, msg, kill_me_now); + else + queue_task_work(&m, msg, kill_me_maybe); } out: diff --git a/include/linux/sched.h b/include/linux/sched.h index 61591ac6e..0cde1ba11 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h 
@@ -975,6 +975,8 @@ struct task_struct { /* delay due to memory thrashing */ unsigned in_thrashing:1; #endif + /* Kill task on user memory access error */ + unsigned kill_on_efault:1; unsigned long atomic_flags; /* Flags requiring atomic access. */
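
Review bot: in arch/x86/kernel/cpu/mce/core.c, the new else branch at @@ -1628 queues kill_me_now or kill_me_maybe for every kernel-mode MCE taken while current->kill_on_efault is set, whereas the branch above it queues work only when m.kflags has MCE_IN_KERNEL_COPYIN. A machine check that arrives while the flag is set but with MCE_IN_KERNEL_COPYIN clear, or one without MCE_IN_KERNEL_RECOV where no fixup_exception() is attempted, still ends with task work queued. Consider gating the queueing on MCE_IN_KERNEL_COPYIN and leaving the other cases to the existing branch, or extend the comment to say why any kernel-mode MCE under this flag should end in a signal.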
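
Review bot: in include/linux/sched.h at @@ -975, the comment on kill_on_efault ("Kill task on user memory access error") does not say who may write the bit or what reads it. It is a plain bitfield declared next to flags such as in_thrashing, so it should be documented as written only by current, and the comment should state that its only reader in this patch is do_machine_check(), where it selects the SIGBUS path on an MCE rather than killing on every -EFAULT. A name closer to that behaviour would also help, as the notes below the Signed-off-by already suggest.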

From: Andrew Zaborowski
To: linux-edac@vger.kernel.org, linux-mm@kvack.org
Cc: Kees Cook, Tony Luck, Eric Biederman, Borislav Petkov
Subject: [RESEND][PATCH 2/3] execve: Ensure SIGBUS delivered on memory failure
Date: Tue, 23 Jul 2024 16:47:51 +0200
Message-ID: <20240723144752.1478226-2-andrew.zaborowski@intel.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240723144752.1478226-1-andrew.zaborowski@intel.com>
References: <20240723144752.1478226-1-andrew.zaborowski@intel.com>

Uncorrected memory errors for user pages are signaled to processes
using SIGBUS or, if the error happens in a syscall, an error retval
from the syscall. The SIGBUS is documented in
Documentation/mm/hwpoison.rst#failure-recovery-modes

In execve() there is a point of no return (bprm->point_of_no_return)
after which the syscall... cannot return. The binary loading happens
after this point so if the loader triggers a memory error reading user
pages, and after control returns to bprm_execve(), that function reacts
by sending a SIGSEGV.

Set the new current->kill_on_efault flag and run pending task work to
ensure that a SIGBUS is queued in memory_failure()

Signed-off-by: Andrew Zaborowski
--- fs/exec.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/fs/exec.c b/fs/exec.c index 400731422..26c4efe1a 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -68,6 +68,7 @@ #include #include #include +#include #include #include @@ -1290,6 +1291,7 @@ int begin_new_exec(struct linux_binprm * bprm) * Ensure all future errors are fatal. */ bprm->point_of_no_return = true; + me->kill_on_efault = true; /* * Make this the only thread in the thread group. 
@@ -1896,6 +1898,7 @@ static int bprm_execve(struct linux_binprm *bprm) /* execve succeeded */ current->fs->in_exec = 0; current->in_execve = 0; + current->kill_on_efault = false; rseq_execve(current); user_events_execve(current); acct_update_integrals(current); 
@@ -1907,14 +1910,20 @@ static int bprm_execve(struct linux_binprm *bprm) * If past the point of no return ensure the code never * returns to the userspace process. Use an existing fatal * signal if present otherwise terminate the process with - * SIGSEGV. + * SIGSEGV. Run pending work before that in case it is + * terminating the process with a different signal. */ - if (bprm->point_of_no_return && !fatal_signal_pending(current)) - force_fatal_sig(SIGSEGV); + if (bprm->point_of_no_return) { + task_work_run(); + + if (!fatal_signal_pending(current)) + force_fatal_sig(SIGSEGV); + } sched_mm_cid_after_execve(current); current->fs->in_exec = 0; current->in_execve = 0; + current->kill_on_efault = false; return retval; }
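
Review bot: in fs/exec.c, me->kill_on_efault is set in begin_new_exec() at @@ -1290 but cleared only in bprm_execve(), once on the success path and once at the end of the error path. Because the set and the clears live in different functions, any path that reaches begin_new_exec() without returning through those two spots leaves the bit set, and do_machine_check() from patch 1/3 would keep taking its new branch for that task. Consider adding a comment that names the pairing, or a small set/clear helper, and use either me or current consistently so the pairing is easy to grep.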
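
Review bot: in the bprm_execve() error path at @@ -1907, task_work_run() is now called whenever bprm->point_of_no_return is set, whatever the cause of the failure, and it runs every callback queued on current, not only the memory-failure work. The updated comment says only "Run pending work before that in case it is terminating the process with a different signal"; it should name the producer (the kill_me_maybe or kill_me_now work queued by the MCE handler in patch 1/3) and say why running unrelated task work at this point is acceptable. Keeping force_fatal_sig(SIGSEGV) behind the !fatal_signal_pending(current) check after the task work is the right order.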

From: Andrew Zaborowski
To: linux-edac@vger.kernel.org, linux-mm@kvack.org
Cc: Kees Cook, Tony Luck, Eric Biederman, Borislav Petkov
Subject: [RESEND][PATCH 3/3] rseq: Ensure SIGBUS delivered on memory failure
Date: Tue, 23 Jul 2024 16:47:52 +0200
Message-ID: <20240723144752.1478226-3-andrew.zaborowski@intel.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240723144752.1478226-1-andrew.zaborowski@intel.com>
References: <20240723144752.1478226-1-andrew.zaborowski@intel.com>

Uncorrected memory errors for user pages are signaled to processes
using SIGBUS or, if the error happens in a syscall, an error retval
from the syscall. The SIGBUS is documented in
Documentation/mm/hwpoison.rst#failure-recovery-modes

Once a user task sets t->rseq in the rseq() syscall, if the kernel
cannot access the memory pointed to by t->rseq->rseq_cs, that initial
rseq() and all future syscalls should return an error so understandably
the code just kills the task. To ensure that SIGBUS is used set the new
t->kill_on_efault flag and run queued task work on rseq_get_rseq_cs()
errors to give memory_failure the chance to run.

Note: the rseq checks run inside resume_user_mode_work() so whenever
_TIF_NOTIFY_RESUME is set. They do not run on every syscall exit so
I'm not concerned that these extra flag operations are in a hot path,
except with CONFIG_DEBUG_RSEQ.

Signed-off-by: Andrew Zaborowski
--- kernel/rseq.c | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/kernel/rseq.c b/kernel/rseq.c index 9de6e35fe..c5809cd13 100644 --- a/kernel/rseq.c +++ b/kernel/rseq.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #define CREATE_TRACE_POINTS @@ -320,6 +321,8 @@ void __rseq_handle_notify_resume(struct ksignal *ksig, struct pt_regs *regs) if (unlikely(t->flags & PF_EXITING)) return; + t->kill_on_efault = true; + /* * regs is NULL if and only if the caller is in a syscall path. Skip * fixup and leave rseq_cs as is so that rseq_sycall() will detect and @@ -330,13 +333,18 @@ void __rseq_handle_notify_resume(struct ksignal *ksig, struct pt_regs *regs) if (unlikely(ret < 0)) goto error; } - if (unlikely(rseq_update_cpu_node_id(t))) - goto error; - return; + if (likely(!rseq_update_cpu_node_id(t))) + goto out; error: + /* Allow task work to override signr */ + task_work_run(); + sig = ksig ? ksig->sig : 0; force_sigsegv(sig); + +out: + t->kill_on_efault = false; } #ifdef CONFIG_DEBUG_RSEQ @@ -353,8 +361,17 @@ void rseq_syscall(struct pt_regs *regs) if (!t->rseq) return; - if (rseq_get_rseq_cs(t, &rseq_cs) || in_rseq_cs(ip, &rseq_cs)) + + t->kill_on_efault = true; + + if (rseq_get_rseq_cs(t, &rseq_cs) || in_rseq_cs(ip, &rseq_cs)) { + /* Allow task work to override signr */ + task_work_run(); + force_sig(SIGSEGV); + } + + t->kill_on_efault = false; } #endif
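
Review bot: in __rseq_handle_notify_resume() at @@ -330, the error path calls task_work_run() under the comment "Allow task work to override signr" and then calls force_sigsegv(sig) unconditionally, so a SIGSEGV is still forced when the task work has just queued a SIGBUS. Patch 2/3 checks !fatal_signal_pending(current) before forcing SIGSEGV; the same check here, "if (!fatal_signal_pending(current)) force_sigsegv(sig);", would make the override explicit. Nothing named signr appears in these lines, so the comment should refer to sig or to the pending signal instead.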
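
Review bot: in rseq_syscall() at @@ -353, task_work_run() runs when either rseq_get_rseq_cs() fails or in_rseq_cs(ip, &rseq_cs) is true, and kill_on_efault is held across both checks. Only the first case is a failed access to user memory; when the condition is true because of in_rseq_cs() there is no memory-failure work to wait for. Consider splitting the condition so the task work runs only after a rseq_get_rseq_cs() error, which is what the commit message describes ("run queued task work on rseq_get_rseq_cs() errors").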