From patchwork Fri Aug 2 06:13:14 2024
X-Patchwork-Submitter: Aruna Ramakrishna
X-Patchwork-Id: 13751139
From: Aruna Ramakrishna
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, dave.hansen@linux.intel.com, tglx@linutronix.de, mingo@kernel.org, linux-mm@kvack.org, keith.lucas@oracle.com, jeffxu@chromium.org, rick.p.edgecombe@intel.com, jorgelo@chromium.org, keescook@chromium.org, sroettger@google.com, jannh@google.com, aruna.ramakrishna@oracle.com
Subject: [PATCH v8 1/5] x86/pkeys: Add PKRU as a parameter in signal handling functions
Date: Fri, 2 Aug 2024 06:13:14 +0000
Message-Id: <20240802061318.2140081-2-aruna.ramakrishna@oracle.com>
In-Reply-To: <20240802061318.2140081-1-aruna.ramakrishna@oracle.com>
References: <20240802061318.2140081-1-aruna.ramakrishna@oracle.com>

Problem description: Let's assume there's a multithreaded application that runs untrusted user code. Each thread has its stack/code protected by a non-zero pkey, and the PKRU register is set up such that only that particular non-zero pkey is enabled. Each thread also sets up an alternate signal stack to handle signals, which is protected by pkey zero. The pkeys man page documents that the PKRU will be reset to init_pkru when the signal handler is invoked, which means that pkey zero access will be enabled. But this reset happens after the kernel attempts to push fpu state to the alternate stack, which is not (yet) accessible by the kernel, which leads to a new SIGSEGV being sent to the application, terminating it.

Enabling both the non-zero pkey (for the thread) and pkey zero in userspace will not work for this use case. We cannot have the alt stack writeable by all - the rationale here is that the code running in that thread (using a non-zero pkey) is untrusted and should not have access to the alternate signal stack (that uses pkey zero), to prevent the return address of a function from being changed.

The expectation is that kernel should be able to set up the alternate signal stack and deliver the signal to the application even if pkey zero is explicitly disabled by the application. The signal handler accessibility should not be dictated by whatever PKRU value the thread sets up.

Solution: The PKRU register is managed by XSAVE, which means the sigframe contents must match the register contents - which is not the case here. We want the sigframe to contain the user-defined PKRU value (so that it is restored correctly from sigcontext) but the actual register must be reset to init_pkru so that the alt stack is accessible and the signal can be delivered to the application.

It seems that the proper fix here would be to remove PKRU from the XSAVE framework and manage it separately, which is quite complicated.
As a workaround, do this: orig_pkru = rdpkru(); wrpkru(orig_pkru & init_pkru_value); xsave_to_user_sigframe(); put_user(pkru_sigframe_addr, orig_pkru) This change is split over multiple patches. In preparation for writing PKRU to sigframe in a later patch, pass in PKRU as an additional parameter down the chain from get_sigframe(): get_sigframe() copy_fpstate_to_sigframe() copy_fpregs_to_sigframe() There are no functional changes in this patch. Signed-off-by: Aruna Ramakrishna --- arch/x86/include/asm/fpu/signal.h | 2 +- arch/x86/kernel/fpu/signal.c | 6 +++--- arch/x86/kernel/signal.c | 3 ++- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/arch/x86/include/asm/fpu/signal.h b/arch/x86/include/asm/fpu/signal.h index 611fa41711af..eccc75bc9c4f 100644 --- a/arch/x86/include/asm/fpu/signal.h +++ b/arch/x86/include/asm/fpu/signal.h @@ -29,7 +29,7 @@ fpu__alloc_mathframe(unsigned long sp, int ia32_frame, unsigned long fpu__get_fpstate_size(void); -extern bool copy_fpstate_to_sigframe(void __user *buf, void __user *fp, int size); +extern bool copy_fpstate_to_sigframe(void __user *buf, void __user *fp, int size, u32 pkru); extern void fpu__clear_user_states(struct fpu *fpu); extern bool fpu__restore_sig(void __user *buf, int ia32_frame); diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c index 247f2225aa9f..2b3b9e140dd4 100644 --- a/arch/x86/kernel/fpu/signal.c +++ b/arch/x86/kernel/fpu/signal.c @@ -156,7 +156,7 @@ static inline bool save_xstate_epilog(void __user *buf, int ia32_frame, return !err; } -static inline int copy_fpregs_to_sigframe(struct xregs_state __user *buf) +static inline int copy_fpregs_to_sigframe(struct xregs_state __user *buf, u32 pkru) { if (use_xsave()) return xsave_to_user_sigframe(buf); 
@@ -185,7 +185,7 @@ static inline int copy_fpregs_to_sigframe(struct xregs_state __user *buf) * For [f]xsave state, update the SW reserved fields in the [f]xsave frame * indicating the absence/presence of the extended state to the user. */ -bool copy_fpstate_to_sigframe(void __user *buf, void __user *buf_fx, int size) +bool copy_fpstate_to_sigframe(void __user *buf, void __user *buf_fx, int size, u32 pkru) { struct task_struct *tsk = current; struct fpstate *fpstate = tsk->thread.fpu.fpstate; @@ -228,7 +228,7 @@ bool copy_fpstate_to_sigframe(void __user *buf, void __user *buf_fx, int size) fpregs_restore_userregs(); pagefault_disable(); - ret = copy_fpregs_to_sigframe(buf_fx); + ret = copy_fpregs_to_sigframe(buf_fx, pkru); pagefault_enable(); fpregs_unlock(); diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c index 31b6f5dddfc2..1f1e8e0ac5a3 100644 --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c @@ -84,6 +84,7 @@ get_sigframe(struct ksignal *ksig, struct pt_regs *regs, size_t frame_size, unsigned long math_size = 0; unsigned long sp = regs->sp; unsigned long buf_fx = 0; + u32 pkru = read_pkru(); /* redzone */ if (!ia32_frame) 
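Review bot: in the get_sigframe() hunk, `u32 pkru = read_pkru();` captures the user's PKRU but nothing in this patch consumes it: copy_fpregs_to_sigframe() gains the `pkru` parameter and ignores it. That matches the "no functional changes" statement, but a one-line comment at the declaration (this is the value that a later patch writes into the sigframe) would stop readers of this intermediate state from treating it as an unused variable, and gives the follow-up that swaps `read_pkru()` for a helper an obvious place to update.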
@@ -139,7 +140,7 @@ get_sigframe(struct ksignal *ksig, struct pt_regs *regs, size_t frame_size, } /* save i387 and extended state */ - if (!copy_fpstate_to_sigframe(*fpstate, (void __user *)buf_fx, math_size)) + if (!copy_fpstate_to_sigframe(*fpstate, (void __user *)buf_fx, math_size, pkru)) return (void __user *)-1L; return (void __user *)sp;

From patchwork Fri Aug 2 06:13:15 2024
X-Patchwork-Submitter: Aruna Ramakrishna
X-Patchwork-Id: 13751140
From: Aruna Ramakrishna
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, dave.hansen@linux.intel.com, tglx@linutronix.de, mingo@kernel.org, linux-mm@kvack.org, keith.lucas@oracle.com, jeffxu@chromium.org, rick.p.edgecombe@intel.com, jorgelo@chromium.org, keescook@chromium.org, sroettger@google.com, jannh@google.com, aruna.ramakrishna@oracle.com
Subject: [PATCH v8 2/5] x86/pkeys: Add helper functions to update PKRU on the sigframe
Date: Fri, 2 Aug 2024 06:13:15 +0000
Message-Id: <20240802061318.2140081-3-aruna.ramakrishna@oracle.com>
In-Reply-To: <20240802061318.2140081-1-aruna.ramakrishna@oracle.com>
References: <20240802061318.2140081-1-aruna.ramakrishna@oracle.com>

In the case where a user thread sets up an alternate signal stack protected by
the default pkey (i.e. pkey 0), while the thread's stack is protected by a non-zero pkey, both these pkeys have to be enabled in the PKRU register for the signal to be delivered to the application correctly. However, the PKRU value restored after handling the signal must not enable this extra pkey (i.e. pkey 0) - i.e., the PKRU value on the on the sigframe should be overwritten with the user-defined value. Add helper functions that will update PKRU value on the sigframe after XSAVE. These functions will be called in a later patch; this patch does not change any behavior as yet. Note that sig_prepare_pkru() makes no assumption about what pkey could be used to protect the altstack (i.e. it may not be part of init_pkru), and so enables all pkeys. Signed-off-by: Aruna Ramakrishna --- arch/x86/kernel/fpu/signal.c | 10 ++++++++++ arch/x86/kernel/fpu/xstate.c | 13 +++++++++++++ arch/x86/kernel/fpu/xstate.h | 2 ++ arch/x86/kernel/signal.c | 18 ++++++++++++++++++ 4 files changed, 43 insertions(+) diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c index 2b3b9e140dd4..931c5469d7f3 100644 --- a/arch/x86/kernel/fpu/signal.c +++ b/arch/x86/kernel/fpu/signal.c @@ -63,6 +63,16 @@ static inline bool check_xstate_in_sigframe(struct fxregs_state __user *fxbuf, return true; } +/* + * Update the value of PKRU register that was already pushed onto the signal frame. + */ +static inline int update_pkru_in_sigframe(struct xregs_state __user *buf, u32 pkru) +{ + if (unlikely(!cpu_feature_enabled(X86_FEATURE_OSPKE))) + return 0; + return __put_user(pkru, (unsigned int __user *)get_xsave_addr_user(buf, XFEATURE_PKRU)); +} + /* * Signal frame handlers. */ diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c index c5a026fee5e0..fa7628bb541b 100644 --- a/arch/x86/kernel/fpu/xstate.c +++ b/arch/x86/kernel/fpu/xstate.c 
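Review bot: update_pkru_in_sigframe() passes the result of get_xsave_addr_user() straight into __put_user() with no NULL check, and get_xsave_addr_user() (next hunk) returns NULL, with a WARN_ON_ONCE(), when the feature is not enabled. The OSPKE test just above makes that unreachable in practice, so either add a comment stating that OSPKE implies XFEATURE_PKRU is enabled, or check for NULL and return -EFAULT, so the dependency between the two checks is explicit. Returning 0 when OSPKE is off is right, since such a frame has no PKRU slot to fix up; saying so in the comment would help. Nit: "the value of the PKRU register".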
@@ -993,6 +993,19 @@ void *get_xsave_addr(struct xregs_state *xsave, int xfeature_nr) } EXPORT_SYMBOL_GPL(get_xsave_addr); +/* + * Given an xstate feature nr, calculate where in the xsave buffer the state is. + * The xsave buffer should be in standard format, not compacted (e.g. user mode + * signal frames). + */ +void __user *get_xsave_addr_user(struct xregs_state __user *xsave, int xfeature_nr) +{ + if (WARN_ON_ONCE(!xfeature_enabled(xfeature_nr))) + return NULL; + + return (void __user *)xsave + xstate_offsets[xfeature_nr]; +} + #ifdef CONFIG_ARCH_HAS_PKEYS /* diff --git a/arch/x86/kernel/fpu/xstate.h b/arch/x86/kernel/fpu/xstate.h index 2ee0b9c53dcc..5f057e50df81 100644 --- a/arch/x86/kernel/fpu/xstate.h +++ b/arch/x86/kernel/fpu/xstate.h @@ -54,6 +54,8 @@ extern int copy_sigframe_from_user_to_xstate(struct task_struct *tsk, const void extern void fpu__init_cpu_xstate(void); extern void fpu__init_system_xstate(unsigned int legacy_size); +extern void __user *get_xsave_addr_user(struct xregs_state __user *xsave, int xfeature_nr); + static inline u64 xfeatures_mask_supervisor(void) { return fpu_kernel_cfg.max_features & XFEATURE_MASK_SUPERVISOR_SUPPORTED; diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c index 1f1e8e0ac5a3..9dc77ad03a0e 100644 --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c 
@@ -60,6 +60,24 @@ static inline int is_x32_frame(struct ksignal *ksig) ksig->ka.sa.sa_flags & SA_X32_ABI; } +/* + * Enable all pkeys temporarily, so as to ensure that both the current + * execution stack as well as the alternate signal stack are writeable. + * The application can use any of the available pkeys to protect the + * alternate signal stack, and we don't know which one it is, so enable + * all. The PKRU register will be reset to init_pkru later in the flow, + * in fpu__clear_user_states(), and it is the application's responsibility + * to enable the appropriate pkey as the first step in the signal handler + * so that the handler does not segfault. + */ +static inline u32 sig_prepare_pkru(void) +{ + u32 orig_pkru = read_pkru(); + + write_pkru(0); + return orig_pkru; +} + /* * Set up a signal frame. */

From patchwork Fri Aug 2 06:13:16 2024
X-Patchwork-Submitter: Aruna Ramakrishna
X-Patchwork-Id: 13751142
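Review bot: in the sig_prepare_pkru() hunk of [PATCH v8 2/5] above (arch/x86/kernel/signal.c @@ -60), write_pkru(0) clears both the AD and WD bits of all sixteen keys, so every pkey-protected mapping in the process, not only the altstack, becomes writable until fpu__clear_user_states() resets PKRU to init_pkru. The comment explains why all keys are opened; it should also say that this window is spent entirely in kernel signal-setup code (the reset happens before the handler gets control), because that is what makes opening everything acceptable, and that callers must write the returned value back on every failure path. Style: a name such as sig_enable_all_pkeys() would describe the side effect better than "prepare".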
From: Aruna Ramakrishna
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, dave.hansen@linux.intel.com, tglx@linutronix.de, mingo@kernel.org, linux-mm@kvack.org, keith.lucas@oracle.com, jeffxu@chromium.org, rick.p.edgecombe@intel.com, jorgelo@chromium.org, keescook@chromium.org, sroettger@google.com, jannh@google.com, aruna.ramakrishna@oracle.com
Subject: [PATCH v8 3/5] x86/pkeys: Update PKRU to enable all pkeys before XSAVE
Date: Fri, 2 Aug 2024 06:13:16 +0000
Message-Id: <20240802061318.2140081-4-aruna.ramakrishna@oracle.com>
In-Reply-To: <20240802061318.2140081-1-aruna.ramakrishna@oracle.com>
References: <20240802061318.2140081-1-aruna.ramakrishna@oracle.com>

If the alternate signal stack is protected by a different pkey than the current
execution stack, copying xsave data to the sigaltstack will fail if its pkey is not enabled in the PKRU register. We do not know which pkey was used by the application for the altstack, so enable all pkeys before xsave. But this updated PKRU value is also pushed onto the sigframe, which means the register value restored from sigcontext will be different from the user-defined one, which is unexpected. Fix that by overwriting the PKRU value on the sigframe with the original, user-defined PKRU. Signed-off-by: Aruna Ramakrishna --- arch/x86/kernel/fpu/signal.c | 11 +++++++++-- arch/x86/kernel/signal.c | 12 ++++++++++-- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c index 931c5469d7f3..1065ab995305 100644 --- a/arch/x86/kernel/fpu/signal.c +++ b/arch/x86/kernel/fpu/signal.c @@ -168,8 +168,15 @@ static inline bool save_xstate_epilog(void __user *buf, int ia32_frame, static inline int copy_fpregs_to_sigframe(struct xregs_state __user *buf, u32 pkru) { - if (use_xsave()) - return xsave_to_user_sigframe(buf); + int err = 0; + + if (use_xsave()) { + err = xsave_to_user_sigframe(buf); + if (!err) + err = update_pkru_in_sigframe(buf, pkru); + return err; + } + if (use_fxsr()) return fxsave_to_user_sigframe((struct fxregs_state __user *) buf); else diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c index 9dc77ad03a0e..5f441039b572 100644 --- a/arch/x86/kernel/signal.c +++ b/arch/x86/kernel/signal.c @@ -102,7 +102,7 @@ get_sigframe(struct ksignal *ksig, struct pt_regs *regs, size_t frame_size, unsigned long math_size = 0; unsigned long sp = regs->sp; unsigned long buf_fx = 0; - u32 pkru = read_pkru(); + u32 pkru; /* redzone */ if (!ia32_frame) 
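Review bot: in the copy_fpregs_to_sigframe() hunk, the fxsave/fsave branches ignore `pkru`, which is correct because those frame formats carry no PKRU component, but a one-line comment saying so saves the next reader a trip through the xstate code. Also worth a comment: XSAVE stores the live register, so the frame briefly holds PKRU == 0 until update_pkru_in_sigframe() overwrites it with the user's value; both stores run inside the same pagefault_disable() section in copy_fpstate_to_sigframe(), and an -EFAULT from either is handled alike by the caller. That ordering is the point of the series and deserves to be visible at the place it happens.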
@@ -157,9 +157,17 @@ get_sigframe(struct ksignal *ksig, struct pt_regs *regs, size_t frame_size, return (void __user *)-1L; } + /* Update PKRU to enable access to the alternate signal stack. */ + pkru = sig_prepare_pkru(); /* save i387 and extended state */ - if (!copy_fpstate_to_sigframe(*fpstate, (void __user *)buf_fx, math_size, pkru)) + if (!copy_fpstate_to_sigframe(*fpstate, (void __user *)buf_fx, math_size, pkru)) { + /* + * Restore PKRU to the original, user-defined value; disable + * extra pkeys enabled for the alternate signal stack, if any. + */ + write_pkru(pkru); return (void __user *)-1L; + } return (void __user *)sp; }

From patchwork Fri Aug 2 06:13:17 2024
X-Patchwork-Submitter: Aruna Ramakrishna
X-Patchwork-Id: 13751181
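Review bot: in the get_sigframe() hunk of [PATCH v8 3/5] above (arch/x86/kernel/signal.c @@ -157), placing sig_prepare_pkru() after the preceding `return (void __user *)-1L;` means the earlier failure exits need no PKRU restore, and the new error branch writes the user's value back before returning, which is right. The success path deliberately returns with PKRU still 0 and relies on fpu__clear_user_states() to reset it; please state that in the comment at the call site, since today the explanation lives only in sig_prepare_pkru()'s comment. Every caller of get_sigframe() that succeeds must then reach fpu__clear_user_states(), otherwise a frame could be delivered with every pkey left enabled; a sentence confirming that for the ia32 and x32 paths would close the loop for reviewers.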
From: Aruna Ramakrishna
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, dave.hansen@linux.intel.com, tglx@linutronix.de, mingo@kernel.org, linux-mm@kvack.org, keith.lucas@oracle.com, jeffxu@chromium.org, rick.p.edgecombe@intel.com, jorgelo@chromium.org, keescook@chromium.org, sroettger@google.com, jannh@google.com, aruna.ramakrishna@oracle.com
Subject: [PATCH v8 4/5] x86/pkeys: Restore altstack access in sigreturn()
Date: Fri, 2 Aug 2024 06:13:17 +0000
Message-Id: <20240802061318.2140081-5-aruna.ramakrishna@oracle.com>
In-Reply-To: <20240802061318.2140081-1-aruna.ramakrishna@oracle.com>
References: <20240802061318.2140081-1-aruna.ramakrishna@oracle.com>

A process can disable access to the alternate signal stack by not enabling the altstack's
pkey in the PKRU register. Nevertheless, the kernel updates the PKRU temporarily for signal handling. However, in sigreturn(), restore_sigcontext() will restore the PKRU to the user-defined PKRU value. This will cause restore_altstack() to fail with a SIGSEGV as it needs read access to the altstack which is prohibited by the user-defined PKRU value.

Fix this by restoring altstack before restoring PKRU.

Signed-off-by: Aruna Ramakrishna
---
 arch/x86/kernel/signal_64.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kernel/signal_64.c b/arch/x86/kernel/signal_64.c
index 8a94053c5444..ee9453891901 100644
--- a/arch/x86/kernel/signal_64.c
+++ b/arch/x86/kernel/signal_64.c
@@ -260,13 +260,13 @@ SYSCALL_DEFINE0(rt_sigreturn) set_current_blocked(&set); - if (!restore_sigcontext(regs, &frame->uc.uc_mcontext, uc_flags)) + if (restore_altstack(&frame->uc.uc_stack)) goto badframe; - if (restore_signal_shadow_stack()) + if (!restore_sigcontext(regs, &frame->uc.uc_mcontext, uc_flags)) goto badframe; - if (restore_altstack(&frame->uc.uc_stack)) + if (restore_signal_shadow_stack()) goto badframe; return regs->ax;
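Review bot: the reorder moves `restore_altstack(&frame->uc.uc_stack)` ahead of `restore_sigcontext()`, which is what lets the read of uc_stack succeed: the PKRU that signal delivery set up is still live until restore_sigcontext() writes the user-defined value back. Two things deserve a comment above the first call: the ordering dependency itself (a later reorder would silently reintroduce the SIGSEGV the commit message describes), and the changed failure semantics, since the task's sigaltstack is now updated before the frame's sigcontext has been validated, so a frame rejected by restore_sigcontext() has already changed the altstack by the time of the `goto badframe`. `restore_signal_shadow_stack()` moving to last looks incidental; the commit message should say whether its position relative to restore_sigcontext() matters.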
From: Aruna Ramakrishna
To: linux-kernel@vger.kernel.org
Cc: x86@kernel.org, dave.hansen@linux.intel.com, tglx@linutronix.de, mingo@kernel.org, linux-mm@kvack.org, keith.lucas@oracle.com, jeffxu@chromium.org, rick.p.edgecombe@intel.com, jorgelo@chromium.org, keescook@chromium.org, sroettger@google.com, jannh@google.com, aruna.ramakrishna@oracle.com
Subject: [PATCH v8 5/5] selftests/mm: Add new testcases for pkeys
Date: Fri, 2 Aug 2024 06:13:18 +0000
Message-Id: <20240802061318.2140081-6-aruna.ramakrishna@oracle.com>
In-Reply-To: <20240802061318.2140081-1-aruna.ramakrishna@oracle.com>
References: <20240802061318.2140081-1-aruna.ramakrishna@oracle.com>

From: Keith Lucas

Add a few new tests to exercise the signal handler flow, especially with pkey 0 disabled.

There are 5 new tests added:
- test_sigsegv_handler_with_pkey0_disabled
- test_sigsegv_handler_cannot_access_stack
- test_sigsegv_handler_with_different_pkey_for_stack
- test_pkru_preserved_after_sigusr1
- test_pkru_sigreturn

[ Aruna: Adapted to upstream ]

Signed-off-by: Keith Lucas
Signed-off-by: Aruna Ramakrishna
---
 tools/testing/selftests/mm/Makefile | 2 +
 tools/testing/selftests/mm/pkey-helpers.h | 11 +-
 .../selftests/mm/pkey_sighandler_tests.c | 479 ++++++++++++++++++
 tools/testing/selftests/mm/protection_keys.c | 10 -
 4 files changed, 491 insertions(+), 11 deletions(-)
 create mode 100644 tools/testing/selftests/mm/pkey_sighandler_tests.c

diff --git a/tools/testing/selftests/mm/Makefile b/tools/testing/selftests/mm/Makefile
index 901e0d07765b..0123a3a0bb17 100644
--- a/tools/testing/selftests/mm/Makefile
+++ b/tools/testing/selftests/mm/Makefile
@@ -88,6 +88,7 @@ CAN_BUILD_X86_64 := $(shell ./../x86/check_cc.sh "$(CC)" ../x86/trivial_64bit_pr CAN_BUILD_WITH_NOPIE := $(shell ./../x86/check_cc.sh "$(CC)" ../x86/trivial_program.c -no-pie) VMTARGETS := protection_keys +VMTARGETS := pkey_sighandler_tests BINARIES_32 := $(VMTARGETS:%=%_32) BINARIES_64 := $(VMTARGETS:%=%_64)
@@ -106,6 +107,7 @@ else ifneq (,$(findstring $(ARCH),powerpc)) TEST_GEN_FILES += protection_keys +TEST_GEN_FILES += pkey_sighandler_tests endif endif
diff --git a/tools/testing/selftests/mm/pkey-helpers.h b/tools/testing/selftests/mm/pkey-helpers.h
index 1af3156a9db8..2b1189c27167 100644
--- a/tools/testing/selftests/mm/pkey-helpers.h
+++ b/tools/testing/selftests/mm/pkey-helpers.h
@@ -12,6 +12,7 @@ #include #include #include +#include #include "../kselftest.h"
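Review bot: `+VMTARGETS := pkey_sighandler_tests` in the first Makefile hunk (@@ -88,6 +88,7 @@) overwrites the `VMTARGETS := protection_keys` assignment on the line above instead of extending it, so `BINARIES_32` and `BINARIES_64` would be generated from pkey_sighandler_tests alone and protection_keys_32/protection_keys_64 would silently stop being built. This should be `VMTARGETS += pkey_sighandler_tests`, matching the `TEST_GEN_FILES += pkey_sighandler_tests` form used in the powerpc hunk that follows.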
@@ -79,7 +80,15 @@ extern void abort_hooks(void); } \ } while (0) -__attribute__((noinline)) int read_ptr(int *ptr); +noinline int read_ptr(int *ptr) +{ + /* + * Keep GCC from optimizing this away somehow + */ + barrier(); + return *ptr; +} + void expected_pkey_fault(int pkey); int sys_pkey_alloc(unsigned long flags, unsigned long init_val); int sys_pkey_free(unsigned long pkey); diff --git a/tools/testing/selftests/mm/pkey_sighandler_tests.c b/tools/testing/selftests/mm/pkey_sighandler_tests.c new file mode 100644 index 000000000000..c43030c7056d --- /dev/null +++ b/tools/testing/selftests/mm/pkey_sighandler_tests.c 
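Review bot: in the pkey-helpers.h hunk (@@ -79,7 +80,15 @@), `read_ptr()` turns from an extern declaration into a non-static function defined in a header, so any test binary that includes pkey-helpers.h from more than one translation unit will fail to link on the duplicate symbol; `static noinline int read_ptr(int *ptr)` is the safer form now that the header holds the only definition, and `noinline` already defeats the inlining the comment worries about. Both `noinline` and `barrier()` are used here with no definition in this file: the last hunk of the patch deletes the `#define barrier()` from protection_keys.c, so both must come from the header added at @@ -12,6 +12,7 @@, and the comment "Keep GCC from optimizing this away somehow" should say what the compiler-only memory barrier is for (keeping the `*ptr` dereference from being moved or folded across the surrounding pkey state changes) rather than "somehow".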
@@ -0,0 +1,479 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Tests Memory Protection Keys (see Documentation/core-api/protection-keys.rst) + * + * The testcases in this file exercise various flows related to signal handling, + * using an alternate signal stack, with the default pkey (pkey 0) disabled. + * + * Compile with: + * gcc -mxsave -o pkey_sighandler_tests -O2 -g -std=gnu99 -pthread -Wall pkey_sighandler_tests.c -I../../../../tools/include -lrt -ldl -lm + * gcc -mxsave -m32 -o pkey_sighandler_tests -O2 -g -std=gnu99 -pthread -Wall pkey_sighandler_tests.c -I../../../../tools/include -lrt -ldl -lm + */ +#define _GNU_SOURCE +#define __SANE_USERSPACE_TYPES__ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "pkey-helpers.h" + +#define STACK_SIZE PTHREAD_STACK_MIN + +void expected_pkey_fault(int pkey) {} + +pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; +pthread_cond_t cond = PTHREAD_COND_INITIALIZER; +siginfo_t siginfo = {0}; + +/* + * We need to use inline assembly instead of glibc's syscall because glibc's + * syscall will attempt to access the PLT in order to call a library function + * which is protected by MPK 0 which we don't have access to. 
+ */ +static inline __always_inline +long syscall_raw(long n, long a1, long a2, long a3, long a4, long a5, long a6) +{ + unsigned long ret; +#ifdef __x86_64__ + register long r10 asm("r10") = a4; + register long r8 asm("r8") = a5; + register long r9 asm("r9") = a6; + asm volatile ("syscall" + : "=a"(ret) + : "a"(n), "D"(a1), "S"(a2), "d"(a3), "r"(r10), "r"(r8), "r"(r9) + : "rcx", "r11", "memory"); +#elif defined __i386__ + asm volatile ("int $0x80" + : "=a"(ret) + : "a"(n), "b"(a1), "c"(a2), "d"(a3), "S"(a4), "D"(a5) + : "memory"); +#endif + return ret; +} + +static void sigsegv_handler(int signo, siginfo_t *info, void *ucontext) +{ + pthread_mutex_lock(&mutex); + + memcpy(&siginfo, info, sizeof(siginfo_t)); + + pthread_cond_signal(&cond); + pthread_mutex_unlock(&mutex); + + syscall_raw(SYS_exit, 0, 0, 0, 0, 0, 0); +} + +static void sigusr1_handler(int signo, siginfo_t *info, void *ucontext) +{ + pthread_mutex_lock(&mutex); + + memcpy(&siginfo, info, sizeof(siginfo_t)); + + pthread_cond_signal(&cond); + pthread_mutex_unlock(&mutex); +} + +static void sigusr2_handler(int signo, siginfo_t *info, void *ucontext) +{ + /* + * pkru should be the init_pkru value which enabled MPK 0 so + * we can use library functions. + */ + printf("%s invoked.\n", __func__); +} + +static void raise_sigusr2(void) +{ + pid_t tid = 0; + + tid = syscall_raw(SYS_gettid, 0, 0, 0, 0, 0, 0); + + syscall_raw(SYS_tkill, tid, SIGUSR2, 0, 0, 0, 0); + + /* + * We should return from the signal handler here and be able to + * return to the interrupted thread. 
+ */ +} + +static void *thread_segv_with_pkey0_disabled(void *ptr) +{ + /* Disable MPK 0 (and all others too) */ + __write_pkey_reg(0x55555555); + + /* Segfault (with SEGV_MAPERR) */ + *(int *) (0x1) = 1; + return NULL; +} + +static void *thread_segv_pkuerr_stack(void *ptr) +{ + /* Disable MPK 0 (and all others too) */ + __write_pkey_reg(0x55555555); + + /* After we disable MPK 0, we can't access the stack to return */ + return NULL; +} + +static void *thread_segv_maperr_ptr(void *ptr) +{ + stack_t *stack = ptr; + int *bad = (int *)1; + + /* + * Setup alternate signal stack, which should be pkey_mprotect()ed by + * MPK 0. The thread's stack cannot be used for signals because it is + * not accessible by the default init_pkru value of 0x55555554. + */ + syscall_raw(SYS_sigaltstack, (long)stack, 0, 0, 0, 0, 0); + + /* Disable MPK 0. Only MPK 1 is enabled. */ + __write_pkey_reg(0x55555551); + + /* Segfault */ + *bad = 1; + syscall_raw(SYS_exit, 0, 0, 0, 0, 0, 0); + return NULL; +} + +/* + * Verify that the sigsegv handler is invoked when pkey 0 is disabled. + * Note that the new thread stack and the alternate signal stack is + * protected by MPK 0. 
+ */ +static void test_sigsegv_handler_with_pkey0_disabled(void) +{ + struct sigaction sa; + pthread_attr_t attr; + pthread_t thr; + + sa.sa_flags = SA_SIGINFO; + + sa.sa_sigaction = sigsegv_handler; + sigemptyset(&sa.sa_mask); + if (sigaction(SIGSEGV, &sa, NULL) == -1) { + perror("sigaction"); + exit(EXIT_FAILURE); + } + + memset(&siginfo, 0, sizeof(siginfo)); + + pthread_attr_init(&attr); + pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); + + pthread_create(&thr, &attr, thread_segv_with_pkey0_disabled, NULL); + + pthread_mutex_lock(&mutex); + while (siginfo.si_signo == 0) + pthread_cond_wait(&cond, &mutex); + pthread_mutex_unlock(&mutex); + + ksft_test_result(siginfo.si_signo == SIGSEGV && + siginfo.si_code == SEGV_MAPERR && + siginfo.si_addr == (void *)1, + "%s\n", __func__); +} + +/* + * Verify that the sigsegv handler is invoked when pkey 0 is disabled. + * Note that the new thread stack and the alternate signal stack is + * protected by MPK 0, which renders them inaccessible when MPK 0 + * is disabled. So just the return from the thread should cause a + * segfault with SEGV_PKUERR. 
+ */ +static void test_sigsegv_handler_cannot_access_stack(void) +{ + struct sigaction sa; + pthread_attr_t attr; + pthread_t thr; + + sa.sa_flags = SA_SIGINFO; + + sa.sa_sigaction = sigsegv_handler; + sigemptyset(&sa.sa_mask); + if (sigaction(SIGSEGV, &sa, NULL) == -1) { + perror("sigaction"); + exit(EXIT_FAILURE); + } + + memset(&siginfo, 0, sizeof(siginfo)); + + pthread_attr_init(&attr); + pthread_attr_setdetachstate(&attr, PTHREAD_CREATE_DETACHED); + + pthread_create(&thr, &attr, thread_segv_pkuerr_stack, NULL); + + pthread_mutex_lock(&mutex); + while (siginfo.si_signo == 0) + pthread_cond_wait(&cond, &mutex); + pthread_mutex_unlock(&mutex); + + ksft_test_result(siginfo.si_signo == SIGSEGV && + siginfo.si_code == SEGV_PKUERR, + "%s\n", __func__); +} + +/* + * Verify that the sigsegv handler that uses an alternate signal stack + * is correctly invoked for a thread which uses a non-zero MPK to protect + * its own stack, and disables all other MPKs (including 0). + */ +static void test_sigsegv_handler_with_different_pkey_for_stack(void) +{ + struct sigaction sa; + static stack_t sigstack; + void *stack; + int pkey; + int parent_pid = 0; + int child_pid = 0; + + sa.sa_flags = SA_SIGINFO | SA_ONSTACK; + + sa.sa_sigaction = sigsegv_handler; + + sigemptyset(&sa.sa_mask); + if (sigaction(SIGSEGV, &sa, NULL) == -1) { + perror("sigaction"); + exit(EXIT_FAILURE); + } + + stack = mmap(0, STACK_SIZE, PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + + assert(stack != MAP_FAILED); + + /* Allow access to MPK 0 and MPK 1 */ + __write_pkey_reg(0x55555550); + + /* Protect the new stack with MPK 1 */ + pkey = pkey_alloc(0, 0); + pkey_mprotect(stack, STACK_SIZE, PROT_READ | PROT_WRITE, pkey); + + /* Set up alternate signal stack that will use the default MPK */ + sigstack.ss_sp = mmap(0, STACK_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + sigstack.ss_flags = 0; + sigstack.ss_size = STACK_SIZE; + + memset(&siginfo, 0, 
sizeof(siginfo)); + + /* Use clone to avoid newer glibcs using rseq on new threads */ + long ret = syscall_raw(SYS_clone, + CLONE_VM | CLONE_FS | CLONE_FILES | + CLONE_SIGHAND | CLONE_THREAD | CLONE_SYSVSEM | + CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID | + CLONE_DETACHED, + (long) ((char *)(stack) + STACK_SIZE), + (long) &parent_pid, + (long) &child_pid, 0, 0); + + if (ret < 0) { + errno = -ret; + perror("clone"); + } else if (ret == 0) { + thread_segv_maperr_ptr(&sigstack); + syscall_raw(SYS_exit, 0, 0, 0, 0, 0, 0); + } + + pthread_mutex_lock(&mutex); + while (siginfo.si_signo == 0) + pthread_cond_wait(&cond, &mutex); + pthread_mutex_unlock(&mutex); + + ksft_test_result(siginfo.si_signo == SIGSEGV && + siginfo.si_code == SEGV_MAPERR && + siginfo.si_addr == (void *)1, + "%s\n", __func__); +} + +/* + * Verify that the PKRU value set by the application is correctly + * restored upon return from signal handling. + */ +static void test_pkru_preserved_after_sigusr1(void) +{ + struct sigaction sa; + unsigned long pkru = 0x45454544; + + sa.sa_flags = SA_SIGINFO; + + sa.sa_sigaction = sigusr1_handler; + sigemptyset(&sa.sa_mask); + if (sigaction(SIGUSR1, &sa, NULL) == -1) { + perror("sigaction"); + exit(EXIT_FAILURE); + } + + memset(&siginfo, 0, sizeof(siginfo)); + + __write_pkey_reg(pkru); + + raise(SIGUSR1); + + pthread_mutex_lock(&mutex); + while (siginfo.si_signo == 0) + pthread_cond_wait(&cond, &mutex); + pthread_mutex_unlock(&mutex); + + /* Ensure the pkru value is the same after returning from signal. */ + ksft_test_result(pkru == __read_pkey_reg() && + siginfo.si_signo == SIGUSR1, + "%s\n", __func__); +} + +static noinline void *thread_sigusr2_self(void *ptr) +{ + /* + * A const char array like "Resuming after SIGUSR2" won't be stored on + * the stack and the code could access it via an offset from the program + * counter. This makes sure it's on the function's stack frame. 
+ */ + char str[] = {'R', 'e', 's', 'u', 'm', 'i', 'n', 'g', ' ', + 'a', 'f', 't', 'e', 'r', ' ', + 'S', 'I', 'G', 'U', 'S', 'R', '2', + '.', '.', '.', '\n', '\0'}; + stack_t *stack = ptr; + + /* + * Setup alternate signal stack, which should be pkey_mprotect()ed by + * MPK 0. The thread's stack cannot be used for signals because it is + * not accessible by the default init_pkru value of 0x55555554. + */ + syscall(SYS_sigaltstack, (long)stack, 0, 0, 0, 0, 0); + + /* Disable MPK 0. Only MPK 2 is enabled. */ + __write_pkey_reg(0x55555545); + + raise_sigusr2(); + + /* Do something, to show the thread resumed execution after the signal */ + syscall_raw(SYS_write, 1, (long) str, sizeof(str) - 1, 0, 0, 0); + + /* + * We can't return to test_pkru_sigreturn because it + * will attempt to use a %rbp value which is on the stack + * of the main thread. + */ + syscall_raw(SYS_exit, 0, 0, 0, 0, 0, 0); + return NULL; +} + +/* + * Verify that sigreturn is able to restore altstack even if the thread had + * disabled pkey 0. + */ +static void test_pkru_sigreturn(void) +{ + struct sigaction sa = {0}; + static stack_t sigstack; + void *stack; + int pkey; + int parent_pid = 0; + int child_pid = 0; + + sa.sa_handler = SIG_DFL; + sa.sa_flags = 0; + sigemptyset(&sa.sa_mask); + + /* + * For this testcase, we do not want to handle SIGSEGV. Reset handler + * to default so that the application can crash if it receives SIGSEGV. + */ + if (sigaction(SIGSEGV, &sa, NULL) == -1) { + perror("sigaction"); + exit(EXIT_FAILURE); + } + + sa.sa_flags = SA_SIGINFO | SA_ONSTACK; + sa.sa_sigaction = sigusr2_handler; + sigemptyset(&sa.sa_mask); + + if (sigaction(SIGUSR2, &sa, NULL) == -1) { + perror("sigaction"); + exit(EXIT_FAILURE); + } + + stack = mmap(0, STACK_SIZE, PROT_READ | PROT_WRITE, + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + + assert(stack != MAP_FAILED); + + /* + * Allow access to MPK 0 and MPK 2. 
The child thread (to be created + * later in this flow) will have its stack protected by MPK 2, whereas + * the current thread's stack is protected by the default MPK 0. Hence + * both need to be enabled. + */ + __write_pkey_reg(0x55555544); + + /* Protect the stack with MPK 2 */ + pkey = pkey_alloc(0, 0); + pkey_mprotect(stack, STACK_SIZE, PROT_READ | PROT_WRITE, pkey); + + /* Set up alternate signal stack that will use the default MPK */ + sigstack.ss_sp = mmap(0, STACK_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC, + MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); + sigstack.ss_flags = 0; + sigstack.ss_size = STACK_SIZE; + + /* Use clone to avoid newer glibcs using rseq on new threads */ + long ret = syscall_raw(SYS_clone, + CLONE_VM | CLONE_FS | CLONE_FILES | + CLONE_SIGHAND | CLONE_THREAD | CLONE_SYSVSEM | + CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID | + CLONE_DETACHED, + (long) ((char *)(stack) + STACK_SIZE), + (long) &parent_pid, + (long) &child_pid, 0, 0); + + if (ret < 0) { + errno = -ret; + perror("clone"); + } else if (ret == 0) { + thread_sigusr2_self(&sigstack); + syscall_raw(SYS_exit, 0, 0, 0, 0, 0, 0); + } + + child_pid = ret; + /* Check that thread exited */ + do { + sched_yield(); + ret = syscall_raw(SYS_tkill, child_pid, 0, 0, 0, 0, 0); + } while (ret != -ESRCH && ret != -EINVAL); + + ksft_test_result_pass("%s\n", __func__); +} + +void (*pkey_tests[])(void) = { + test_sigsegv_handler_with_pkey0_disabled, + test_sigsegv_handler_cannot_access_stack, + test_sigsegv_handler_with_different_pkey_for_stack, + test_pkru_preserved_after_sigusr1, + test_pkru_sigreturn +}; + +int main(int argc, char *argv[]) +{ + int i; + + ksft_print_header(); + ksft_set_plan(ARRAY_SIZE(pkey_tests)); + + for (i = 0; i < ARRAY_SIZE(pkey_tests); i++) + (*pkey_tests[i])(); + + ksft_finished(); + return 0; +} diff --git a/tools/testing/selftests/mm/protection_keys.c b/tools/testing/selftests/mm/protection_keys.c index eaa6d1fc5328..cc6de1644360 100644 
--- a/tools/testing/selftests/mm/protection_keys.c +++ b/tools/testing/selftests/mm/protection_keys.c @@ -950,16 +950,6 @@ void close_test_fds(void) nr_test_fds = 0; } -#define barrier() __asm__ __volatile__("": : :"memory") -__attribute__((noinline)) int read_ptr(int *ptr) -{ - /* - * Keep GCC from optimizing this away somehow - */ - barrier(); - return *ptr; -} - void test_pkey_alloc_free_attach_pkey0(int *ptr, u16 pkey) { int i, err;
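Review bot: in the pkey_sighandler_tests.c hunk, the PKRU constants are hardcoded around the pkey numbers the tests expect `pkey_alloc()` to return, but the returned value is never checked: test_sigsegv_handler_with_different_pkey_for_stack writes 0x55555550 ("Allow access to MPK 0 and MPK 1") and thread_segv_maperr_ptr writes 0x55555551 ("Only MPK 1 is enabled"), which only describe the stack's protection if `pkey = pkey_alloc(0, 0)` returned 1, and test_pkru_sigreturn likewise assumes the second allocation returns 2 (0x55555544 and 0x55555545). If pkey_alloc() fails or hands out another key, the masks no longer match the key on the stack and the test fails or hangs in a way that looks like a kernel bug; either assert `pkey == 1` / `pkey == 2` after each `pkey_alloc()` (and check the `pkey_mprotect()` return value) or derive the PKRU masks from `pkey`. Separately, both clone()-based tests only `perror("clone")` on failure and carry on: test_sigsegv_handler_with_different_pkey_for_stack then blocks forever in the `pthread_cond_wait()` loop, and test_pkru_sigreturn reaches `ksft_test_result_pass()` unconditionally (a negative `child_pid` makes the tkill loop exit on -EINVAL), so a failed clone, or a SIGUSR2 handler that never ran, is still reported as a pass. A `ksft_test_result_fail()` or `ksft_exit_fail_msg()` on `ret < 0`, plus a flag set in sigusr2_handler that test_pkru_sigreturn checks, would make the result meaningful. Minor: thread_sigusr2_self calls glibc's `syscall(SYS_sigaltstack, ...)` while its sibling thread_segv_maperr_ptr uses `syscall_raw()`; it works because MPK 0 is still enabled at that point, but the file's own comment explains why glibc's syscall is to be avoided, so use `syscall_raw()` in both.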
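Review bot: this hunk drops the file-local `#define barrier() __asm__ __volatile__("": : :"memory")` together with `read_ptr()`, so any remaining `barrier()` use in protection_keys.c now resolves through whatever the include added to pkey-helpers.h (the @@ -12,6 +12,7 @@ hunk) provides; that header is the only place `barrier()` and `noinline` can now come from, and the commit message should say so, since a build against a tree where that include does not define them would fail in protection_keys.c and not only in the new test.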
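The selftest above writes every PKRU value as a hand-computed constant (0x55555551 for "only MPK 1", 0x55555545 for "only MPK 2", 0x55555554 for the init value that enables only pkey 0). As an added example, not part of the patch series or of the kselftest code, the helpers below build such a register value from the set of keys that should stay accessible and decode one back, using the PKRU layout of two bits per key (bit 2k is access-disable, bit 2k+1 is write-disable). The function names are my own; `pkru_for_stack_switch()` shows how the test could derive its mask from the `pkey_alloc()` result instead of assuming it returned 1 or 2.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not from the patch: PKRU layout helpers.
 * PKRU holds two bits per protection key: bit 2k is AD (access disable),
 * bit 2k+1 is WD (write disable). A clear bit pair means full access.
 */
#define PKRU_NR_KEYS        16
#define PKRU_BITS_PER_KEY   2
#define PKRU_AD_BIT(k)      (1u << ((k) * PKRU_BITS_PER_KEY))
#define PKRU_WD_BIT(k)      (1u << ((k) * PKRU_BITS_PER_KEY + 1))

/*
 * Build a PKRU value that denies all access to every key except the ones
 * whose bit is set in allow_mask (bit k of allow_mask == pkey k).
 * pkru_allow_only(1u << 1) yields 0x55555551, the constant the selftest
 * writes in thread_segv_maperr_ptr().
 */
static uint32_t pkru_allow_only(uint32_t allow_mask)
{
	uint32_t pkru = 0;

	for (int k = 0; k < PKRU_NR_KEYS; k++) {
		if (!(allow_mask & (1u << k)))
			pkru |= PKRU_AD_BIT(k);
	}
	return pkru;
}

/* Same idea, but keys outside allow_mask stay readable and only lose write. */
static uint32_t pkru_readonly_except(uint32_t allow_mask)
{
	uint32_t pkru = 0;

	for (int k = 0; k < PKRU_NR_KEYS; k++) {
		if (!(allow_mask & (1u << k)))
			pkru |= PKRU_WD_BIT(k);
	}
	return pkru;
}

/* Bitmask of keys whose memory can be read under pkru (AD clear). */
static uint32_t pkru_readable_keys(uint32_t pkru)
{
	uint32_t mask = 0;

	for (int k = 0; k < PKRU_NR_KEYS; k++) {
		if (!(pkru & PKRU_AD_BIT(k)))
			mask |= 1u << k;
	}
	return mask;
}

/* Bitmask of keys whose memory can be written under pkru (AD and WD clear). */
static uint32_t pkru_writable_keys(uint32_t pkru)
{
	uint32_t mask = 0;

	for (int k = 0; k < PKRU_NR_KEYS; k++) {
		if (!(pkru & (PKRU_AD_BIT(k) | PKRU_WD_BIT(k))))
			mask |= 1u << k;
	}
	return mask;
}

/*
 * The value the selftest hardcodes before creating a thread whose stack is
 * protected by stack_pkey while the creating thread (stack under pkey 0)
 * still needs both: derived from the allocated key instead of assumed.
 * stack_pkey == 1 gives 0x55555550, stack_pkey == 2 gives 0x55555544.
 */
static uint32_t pkru_for_stack_switch(int stack_pkey)
{
	return pkru_allow_only((1u << 0) | (1u << stack_pkey));
}

int main(void)
{
	/* Constructed sample values, taken from the constants in the selftest. */
	const uint32_t samples[] = { 0x55555554u, 0x55555551u, 0x55555545u,
				     0x55555550u, 0x55555544u, 0x45454544u };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("PKRU 0x%08x: readable keys 0x%04x, writable keys 0x%04x\n",
		       (unsigned)samples[i], (unsigned)pkru_readable_keys(samples[i]),
		       (unsigned)pkru_writable_keys(samples[i]));
	printf("stack under pkey 2 -> write 0x%08x first\n",
	       (unsigned)pkru_for_stack_switch(2));
	return 0;
}
```

Decoding 0x45454544 (the value test_pkru_preserved_after_sigusr1 writes) reports keys 0, 2, 6, 10 and 14 as accessible, which is the kind of check a reviewer can run on any constant in the test file before trusting its comment.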