the-tree/kernel/rseq.c

0001 // SPDX-License-Identifier: GPL-2.0+
0002 /*
0003  * Restartable sequences system call
0004  *
0005  * Copyright (C) 2015, Google, Inc.,
0006  * Paul Turner <pjt@google.com> and Andrew Hunter <ahh@google.com>
0007  * Copyright (C) 2015-2018, EfficiOS Inc.,
0008  * Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
0009  */
0010
0011 #include <linux/sched.h>
0012 #include <linux/uaccess.h>
0013 #include <linux/syscalls.h>
0014 #include <linux/rseq.h>
0015 #include <linux/types.h>
0016 #include <asm/ptrace.h>
0017
0018 #define CREATE_TRACE_POINTS
0019 #include <trace/events/rseq.h>
0020
0021 #define RSEQ_CS_NO_RESTART_FLAGS (RSEQ_CS_FLAG_NO_RESTART_ON_PREEMPT | \
0022                   RSEQ_CS_FLAG_NO_RESTART_ON_SIGNAL | \
0023                   RSEQ_CS_FLAG_NO_RESTART_ON_MIGRATE)
0024
0025 /*
0026  *
0027  * Restartable sequences are a lightweight interface that allows
0028  * user-level code to be executed atomically relative to scheduler
0029  * preemption and signal delivery. Typically used for implementing
0030  * per-cpu operations.
0031  *
0032  * It allows user-space to perform update operations on per-cpu data
0033  * without requiring heavy-weight atomic operations.
0034  *
0035  * Detailed algorithm of rseq user-space assembly sequences:
0036  *
0037  *                     init(rseq_cs)
0038  *                     cpu = TLS->rseq::cpu_id_start
0039  *   [1]               TLS->rseq::rseq_cs = rseq_cs
0040  *   [start_ip]        ----------------------------
0041  *   [2]               if (cpu != TLS->rseq::cpu_id)
0042  *                             goto abort_ip;
0043  *   [3]               <last_instruction_in_cs>
0044  *   [post_commit_ip]  ----------------------------
0045  *
0046  *   The address of jump target abort_ip must be outside the critical
0047  *   region, i.e.:
0048  *
0049  *     [abort_ip] < [start_ip]  || [abort_ip] >= [post_commit_ip]
0050  *
0051  *   Steps [2]-[3] (inclusive) need to be a sequence of instructions in
0052  *   userspace that can handle being interrupted between any of those
0053  *   instructions, and then resumed to the abort_ip.
0054  *
0055  *   1.  Userspace stores the address of the struct rseq_cs assembly
0056  *       block descriptor into the rseq_cs field of the registered
0057  *       struct rseq TLS area. This update is performed through a single
0058  *       store within the inline assembly instruction sequence.
0059  *       [start_ip]
0060  *
0061  *   2.  Userspace tests to check whether the current cpu_id field match
0062  *       the cpu number loaded before start_ip, branching to abort_ip
0063  *       in case of a mismatch.
0064  *
0065  *       If the sequence is preempted or interrupted by a signal
0066  *       at or after start_ip and before post_commit_ip, then the kernel
0067  *       clears TLS->__rseq_abi::rseq_cs, and sets the user-space return
0068  *       ip to abort_ip before returning to user-space, so the preempted
0069  *       execution resumes at abort_ip.
0070  *
0071  *   3.  Userspace critical section final instruction before
0072  *       post_commit_ip is the commit. The critical section is
0073  *       self-terminating.
0074  *       [post_commit_ip]
0075  *
0076  *   4.  <success>
0077  *
0078  *   On failure at [2], or if interrupted by preempt or signal delivery
0079  *   between [1] and [3]:
0080  *
0081  *       [abort_ip]
0082  *   F1. <failure>
0083  */
0084
0085 static int rseq_update_cpu_id(struct task_struct *t)
0086 {
0087     u32 cpu_id = raw_smp_processor_id();
0088     struct rseq __user *rseq = t->rseq;
0089
0090     if (!user_write_access_begin(rseq, sizeof(*rseq)))
0091         goto efault;
0092     unsafe_put_user(cpu_id, &rseq->cpu_id_start, efault_end);
0093     unsafe_put_user(cpu_id, &rseq->cpu_id, efault_end);
0094     user_write_access_end();
0095     trace_rseq_update(t);
0096     return 0;
0097
0098 efault_end:
0099     user_write_access_end();
0100 efault:
0101     return -EFAULT;
0102 }
0103
0104 static int rseq_reset_rseq_cpu_id(struct task_struct *t)
0105 {
0106     u32 cpu_id_start = 0, cpu_id = RSEQ_CPU_ID_UNINITIALIZED;
0107
0108     /*
0109      * Reset cpu_id_start to its initial state (0).
0110      */
0111     if (put_user(cpu_id_start, &t->rseq->cpu_id_start))
0112         return -EFAULT;
0113     /*
0114      * Reset cpu_id to RSEQ_CPU_ID_UNINITIALIZED, so any user coming
0115      * in after unregistration can figure out that rseq needs to be
0116      * registered again.
0117      */
0118     if (put_user(cpu_id, &t->rseq->cpu_id))
0119         return -EFAULT;
0120     return 0;
0121 }
0122
0123 static int rseq_get_rseq_cs(struct task_struct *t, struct rseq_cs *rseq_cs)
0124 {
0125     struct rseq_cs __user *urseq_cs;
0126     u64 ptr;
0127     u32 __user *usig;
0128     u32 sig;
0129     int ret;
0130
0131 #ifdef CONFIG_64BIT
0132     if (get_user(ptr, &t->rseq->rseq_cs))
0133         return -EFAULT;
0134 #else
0135     if (copy_from_user(&ptr, &t->rseq->rseq_cs, sizeof(ptr)))
0136         return -EFAULT;
0137 #endif
0138     if (!ptr) {
0139         memset(rseq_cs, 0, sizeof(*rseq_cs));
0140         return 0;
0141     }
0142     if (ptr >= TASK_SIZE)
0143         return -EINVAL;
0144     urseq_cs = (struct rseq_cs __user *)(unsigned long)ptr;
0145     if (copy_from_user(rseq_cs, urseq_cs, sizeof(*rseq_cs)))
0146         return -EFAULT;
0147
0148     if (rseq_cs->start_ip >= TASK_SIZE ||
0149         rseq_cs->start_ip + rseq_cs->post_commit_offset >= TASK_SIZE ||
0150         rseq_cs->abort_ip >= TASK_SIZE ||
0151         rseq_cs->version > 0)
0152         return -EINVAL;
0153     /* Check for overflow. */
0154     if (rseq_cs->start_ip + rseq_cs->post_commit_offset < rseq_cs->start_ip)
0155         return -EINVAL;
0156     /* Ensure that abort_ip is not in the critical section. */
0157     if (rseq_cs->abort_ip - rseq_cs->start_ip < rseq_cs->post_commit_offset)
0158         return -EINVAL;
0159
0160     usig = (u32 __user *)(unsigned long)(rseq_cs->abort_ip - sizeof(u32));
0161     ret = get_user(sig, usig);
0162     if (ret)
0163         return ret;
0164
0165     if (current->rseq_sig != sig) {
0166         printk_ratelimited(KERN_WARNING
0167             "Possible attack attempt. Unexpected rseq signature 0x%x, expecting 0x%x (pid=%d, addr=%p).\n",
0168             sig, current->rseq_sig, current->pid, usig);
0169         return -EINVAL;
0170     }
0171     return 0;
0172 }
0173
0174 static int rseq_need_restart(struct task_struct *t, u32 cs_flags)
0175 {
0176     u32 flags, event_mask;
0177     int ret;
0178
0179     if (WARN_ON_ONCE(cs_flags & RSEQ_CS_NO_RESTART_FLAGS) || cs_flags)
0180         return -EINVAL;
0181
0182     /* Get thread flags. */
0183     ret = get_user(flags, &t->rseq->flags);
0184     if (ret)
0185         return ret;
0186
0187     if (WARN_ON_ONCE(flags & RSEQ_CS_NO_RESTART_FLAGS) || flags)
0188         return -EINVAL;
0189
0190     /*
0191      * Load and clear event mask atomically with respect to
0192      * scheduler preemption.
0193      */
0194     preempt_disable();
0195     event_mask = t->rseq_event_mask;
0196     t->rseq_event_mask = 0;
0197     preempt_enable();
0198
0199     return !!event_mask;
0200 }
0201
0202 static int clear_rseq_cs(struct task_struct *t)
0203 {
0204     /*
0205      * The rseq_cs field is set to NULL on preemption or signal
0206      * delivery on top of rseq assembly block, as well as on top
0207      * of code outside of the rseq assembly block. This performs
0208      * a lazy clear of the rseq_cs field.
0209      *
0210      * Set rseq_cs to NULL.
0211      */
0212 #ifdef CONFIG_64BIT
0213     return put_user(0UL, &t->rseq->rseq_cs);
0214 #else
0215     if (clear_user(&t->rseq->rseq_cs, sizeof(t->rseq->rseq_cs)))
0216         return -EFAULT;
0217     return 0;
0218 #endif
0219 }
0220
0221 /*
0222  * Unsigned comparison will be true when ip >= start_ip, and when
0223  * ip < start_ip + post_commit_offset.
0224  */
0225 static bool in_rseq_cs(unsigned long ip, struct rseq_cs *rseq_cs)
0226 {
0227     return ip - rseq_cs->start_ip < rseq_cs->post_commit_offset;
0228 }
0229
0230 static int rseq_ip_fixup(struct pt_regs *regs)
0231 {
0232     unsigned long ip = instruction_pointer(regs);
0233     struct task_struct *t = current;
0234     struct rseq_cs rseq_cs;
0235     int ret;
0236
0237     ret = rseq_get_rseq_cs(t, &rseq_cs);
0238     if (ret)
0239         return ret;
0240
0241     /*
0242      * Handle potentially not being within a critical section.
0243      * If not nested over a rseq critical section, restart is useless.
0244      * Clear the rseq_cs pointer and return.
0245      */
0246     if (!in_rseq_cs(ip, &rseq_cs))
0247         return clear_rseq_cs(t);
0248     ret = rseq_need_restart(t, rseq_cs.flags);
0249     if (ret <= 0)
0250         return ret;
0251     ret = clear_rseq_cs(t);
0252     if (ret)
0253         return ret;
0254     trace_rseq_ip_fixup(ip, rseq_cs.start_ip, rseq_cs.post_commit_offset,
0255                 rseq_cs.abort_ip);
0256     instruction_pointer_set(regs, (unsigned long)rseq_cs.abort_ip);
0257     return 0;
0258 }
0259
0260 /*
0261  * This resume handler must always be executed between any of:
0262  * - preemption,
0263  * - signal delivery,
0264  * and return to user-space.
0265  *
0266  * This is how we can ensure that the entire rseq critical section
0267  * will issue the commit instruction only if executed atomically with
0268  * respect to other threads scheduled on the same CPU, and with respect
0269  * to signal handlers.
0270  */
0271 void __rseq_handle_notify_resume(struct ksignal *ksig, struct pt_regs *regs)
0272 {
0273     struct task_struct *t = current;
0274     int ret, sig;
0275
0276     if (unlikely(t->flags & PF_EXITING))
0277         return;
0278
0279     /*
0280      * regs is NULL if and only if the caller is in a syscall path.  Skip
0281      * fixup and leave rseq_cs as is so that rseq_sycall() will detect and
0282      * kill a misbehaving userspace on debug kernels.
0283      */
0284     if (regs) {
0285         ret = rseq_ip_fixup(regs);
0286         if (unlikely(ret < 0))
0287             goto error;
0288     }
0289     if (unlikely(rseq_update_cpu_id(t)))
0290         goto error;
0291     return;
0292
0293 error:
0294     sig = ksig ? ksig->sig : 0;
0295     force_sigsegv(sig);
0296 }
0297
0298 #ifdef CONFIG_DEBUG_RSEQ
0299
0300 /*
0301  * Terminate the process if a syscall is issued within a restartable
0302  * sequence.
0303  */
0304 void rseq_syscall(struct pt_regs *regs)
0305 {
0306     unsigned long ip = instruction_pointer(regs);
0307     struct task_struct *t = current;
0308     struct rseq_cs rseq_cs;
0309
0310     if (!t->rseq)
0311         return;
0312     if (rseq_get_rseq_cs(t, &rseq_cs) || in_rseq_cs(ip, &rseq_cs))
0313         force_sig(SIGSEGV);
0314 }
0315
0316 #endif
0317
0318 /*
0319  * sys_rseq - setup restartable sequences for caller thread.
0320  */
0321 SYSCALL_DEFINE4(rseq, struct rseq __user *, rseq, u32, rseq_len,
0322         int, flags, u32, sig)
0323 {
0324     int ret;
0325
0326     if (flags & RSEQ_FLAG_UNREGISTER) {
0327         if (flags & ~RSEQ_FLAG_UNREGISTER)
0328             return -EINVAL;
0329         /* Unregister rseq for current thread. */
0330         if (current->rseq != rseq || !current->rseq)
0331             return -EINVAL;
0332         if (rseq_len != sizeof(*rseq))
0333             return -EINVAL;
0334         if (current->rseq_sig != sig)
0335             return -EPERM;
0336         ret = rseq_reset_rseq_cpu_id(current);
0337         if (ret)
0338             return ret;
0339         current->rseq = NULL;
0340         current->rseq_sig = 0;
0341         return 0;
0342     }
0343
0344     if (unlikely(flags))
0345         return -EINVAL;
0346
0347     if (current->rseq) {
0348         /*
0349          * If rseq is already registered, check whether
0350          * the provided address differs from the prior
0351          * one.
0352          */
0353         if (current->rseq != rseq || rseq_len != sizeof(*rseq))
0354             return -EINVAL;
0355         if (current->rseq_sig != sig)
0356             return -EPERM;
0357         /* Already registered. */
0358         return -EBUSY;
0359     }
0360
0361     /*
0362      * If there was no rseq previously registered,
0363      * ensure the provided rseq is properly aligned and valid.
0364      */
0365     if (!IS_ALIGNED((unsigned long)rseq, __alignof__(*rseq)) ||
0366         rseq_len != sizeof(*rseq))
0367         return -EINVAL;
0368     if (!access_ok(rseq, rseq_len))
0369         return -EFAULT;
0370     current->rseq = rseq;
0371     current->rseq_sig = sig;
0372     /*
0373      * If rseq was previously inactive, and has just been
0374      * registered, ensure the cpu_id_start and cpu_id fields
0375      * are updated before returning to user-space.
0376      */
0377     rseq_set_notify_resume(current);
0378
0379     return 0;
0380 }