From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7DFA53168E0
	for <linux-kernel@vger.kernel.org>; Wed, 26 Nov 2025 19:06:44 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1764184006; cv=none; b=iRLR4J2c7vTUp0ShpUEvNKt5PD6hQDkEhaMATwgoC7UYGw3H+HUIG9J3Omz/VGIbNsH8PC277pPVe1zAR5Gc08POjshGntiTRk16zIsyLsfDSVojsNzZAe3lr4T83hX5FsH0GAflzahAJ4Cz6iR4ae39gKLPdAVYY+e2pYfzDYg=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1764184006; c=relaxed/simple;
	bh=NXyTl9nKAnYiTZHRb7LT7+VdXNEopCvEW54Q/Ytc4WA=;
	h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID:
	 MIME-Version:Content-Type; b=cHm9Kb7JwkKAROmPEkwpthhAeA4tvxk1/vO/Bbm3vhnWqHlnfnofDGGbdzUaBVGFIqRpbQdtjCDMES7BkbbQjRaQ6UN9+EKWdrLsjwawXE23FlyUb/nvagEdz5Bij70RSXvaLrUTjqPNA+4h9TjRHCaMidaVppV1kzOE3tN+YK8=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=PpgKycM+; arc=none smtp.client-ip=170.10.129.124
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="PpgKycM+"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1764184003;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 in-reply-to:in-reply-to:references:references;
	bh=6id7Ne0j5wZqZuzO7p3dl009nohb3QaQuvZ12dFvuK4=;
	b=PpgKycM+YdSm0cmI2qvLHH5KgaySdFZjeQvapDnnagVj42iTY22+aC1ZmnW25kuV4cHO8d
	PWSHk5O9zLuGSOAE8wKmFeVA5sqLrnO62ags6ete06tYUiQRvATOHY7K0VvfoxOuBdgbVZ
	ngqPRbfIT82ccWblFPqAEe/IGdVlEp4=
Received: from mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com
 (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by
 relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,
 cipher=TLS_AES_256_GCM_SHA384) id us-mta-279-D-nKIhilNbaqjq--mF9YOw-1; Wed,
 26 Nov 2025 14:06:40 -0500
X-MC-Unique: D-nKIhilNbaqjq--mF9YOw-1
X-Mimecast-MFC-AGG-ID: D-nKIhilNbaqjq--mF9YOw_1764183998
Received: from mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.12])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	by mx-prod-mc-01.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id 3E5991954B0B;
	Wed, 26 Nov 2025 19:06:37 +0000 (UTC)
Received: from fweimer-oldenburg.csb.redhat.com (unknown [10.2.16.157])
	by mx-prod-int-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id F2A5019560A2;
	Wed, 26 Nov 2025 19:06:29 +0000 (UTC)
From: Florian Weimer <fweimer@redhat.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: Kevin Brodsky <kevin.brodsky@arm.com>,  Dmitry Vyukov
 <dvyukov@google.com>,  mathieu.desnoyers@efficios.com,
  peterz@infradead.org,  boqun.feng@gmail.com,  mingo@redhat.com,
  bp@alien8.de,  dave.hansen@linux.intel.com,  hpa@zytor.com,
  aruna.ramakrishna@oracle.com,  elver@google.com,  "Paul E. McKenney"
 <paulmck@kernel.org>,  x86@kernel.org,  linux-kernel@vger.kernel.org,
  Jens Axboe <axboe@kernel.dk>
Subject: Re: [PATCH v7 3/4] rseq: Make rseq work with protection keys
In-Reply-To: <87a508he4h.ffs@tglx> (Thomas Gleixner's message of "Wed, 26 Nov
	2025 18:56:14 +0100")
References: <cover.1747817128.git.dvyukov@google.com>
	<138c29bd5f5a0a22270c9384ecc721c40b7d8fbd.1747817128.git.dvyukov@google.com>
	<8079f564-cec0-45e4-857b-74b2e630a9d5@arm.com> <87ikexhbah.ffs@tglx>
	<lhuv7ix5ec4.fsf@oldenburg.str.redhat.com> <87a508he4h.ffs@tglx>
User-Agent: Gnus/5.13 (Gnus v5.13)
Date: Wed, 26 Nov 2025 20:06:26 +0100
Message-ID: <lhuy0ns3971.fsf@oldenburg.str.redhat.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain
X-Scanned-By: MIMEDefang 3.0 on 10.30.177.12

* Thomas Gleixner:

>> I'm less concerned about the impact on restart of restartable sequences
>> because by design, it's a non-modular feature: syscalls and function
>> calls are already banned.  If the code wants to restart, it has to make
>> sure that the access rights at the restart point are correct.  But
>> that's like any other register contents, I think.
>
> It's not only restart. RSEQ is also accessed by the kernel for storing
> CPUID, NODEID, CID. Some of that is used in glibc today, no?

But glibc code cannot run from within an rseq critical section.  And I
think it's not reasonable to expect that if you revoke access to all
allocated protection keys, it's well-defined t o call library code.

>> Would it help to allocate a dedicated key for rseq and specify that
>> userspace must always include this access in the accessible set?
>
> That would definitely be helpful to avoid switching PKRU in rseq
> handling code on exit to user space.
>
> Though with the reworked RSEQ code the extra overhead might not be
> horrible. See below.

We might have to dedicate an extra page, too.  So I prefer to avoid it
possible.

I think I missed the below part?

> But like with signals just blindly enabling key0 and hope that it works
> is not really a solution. Nothing prevents me from disabling RSEQ for
> glibc. Then install my own RSEQ page and mprotect it. When that key
> becomes disabled in PKRU and the code section is interrupted then exit
> to user space will fault and die in exactly the same way as
> today. That's progress...

But does that matter?  If I mprotect the stack and a signal arrives,
that results in a crash, too.  Some things just don't work.

> So we really need to sit down and actually define a proper programming
> model first instead of trying to duct tape the current ill defined mess
> forever.
>
> What do we have to take into account:
>
>    1) signals
>
>       Broken as we know already.
>
>       IMO, the proper solution is to provide a mechanism to register a
>       set of permissions which are used for signal delivery. The
>       resulting hardware value should expand the permission, but keep
>       the current active ones enabled.
>
>       That can be kinda kept backwards compatible as the signal perms
>       would default to PKEY0.

I had validated at one point that this works (although the patch that
enables internal pkeys usage in glibc did not exist back then).

  pkeys: Support setting access rights for signal handlers
  <https://lore.kernel.org/linux-mm/5fee976a-42d4-d469-7058-b78ad8897219@redhat.com/>

>    2) rseq
>
>       The option of having a separate key which needs to be always
>       enabled is definitely simple, but it wastes a key just for
>       that. There are only 16 of them :(
>
>       If we solve the signal case with an explicit permission set, we
>       can just reuse those signal permissions. They are maybe wider than
>       what's required to access RSEQ, but the signal permissions have to
>       include the TLS/RSEQ area to actually work.

Would it address the use case for single-colored memory access?  Or
would that still crash if the process gets descheduled while the access
rights register is set to the restricted value?

Thanks,
Florian