Merge branch 'for-next/pkey-signal' into for-next/core

        * Intel server CPUs, Skylake and later

        * Intel client CPUs, Tiger Lake (11th Gen Core) and later

        * Future AMD CPUs

        * arm64 CPUs implementing the Permission Overlay Extension (FEAT_S1POE)

x86_64

======

Pkeys work by dedicating 4 previously Reserved bits in each page table entry to

a "protection key", giving 16 possible keys.

theoretically space in the PAE PTEs.  These permissions are enforced on data

access only and have no effect on instruction fetches.

arm64

=====

Pkeys use 3 bits in each page table entry, to encode a "protection key index",

giving 8 possible keys.

Protections for each key are defined with a per-CPU user-writable system

register (POR_EL0).  This is a 64-bit register encoding read, write and execute

overlay permissions for each protection key index.

Being a CPU register, POR_EL0 is inherently thread-local, potentially giving

each thread a different set of protections from every other thread.

Unlike x86_64, the protection key permissions also apply to instruction

fetches.

Syscalls

========

	int pkey_mprotect(unsigned long start, size_t len,

			  unsigned long prot, int pkey);

Before a pkey can be used, it must first be allocated with

pkey_alloc().  An application calls the WRPKRU instruction

directly in order to change access permissions to memory covered

with a key.  In this example WRPKRU is wrapped by a C function

called pkey_set().

Before a pkey can be used, it must first be allocated with pkey_alloc().  An

application writes to the architecture specific CPU register directly in order

to change access permissions to memory covered with a key.  In this example

this is wrapped by a C function called pkey_set().

::

	int real_prot = PROT_READ|PROT_WRITE;

	munmap(ptr, PAGE_SIZE);

	pkey_free(pkey);

.. note:: pkey_set() is a wrapper for the RDPKRU and WRPKRU instructions.

          An example implementation can be found in

          tools/testing/selftests/x86/protection_keys.c.

.. note:: pkey_set() is a wrapper around writing to the CPU register.

          Example implementations can be found in

          tools/testing/selftests/mm/pkey-{arm64,powerpc,x86}.h

Behavior

========

The kernel will send a SIGSEGV in both cases, but si_code will be set

to SEGV_PKERR when violating protection keys versus SEGV_ACCERR when

the plain mprotect() permissions are violated.

Note that kernel accesses from a kthread (such as io_uring) will use a default

value for the protection key register and so will not be consistent with

userspace's value of the register or mprotect().

		p->thread.cpu_context.x19 = (unsigned long)args->fn;

		p->thread.cpu_context.x20 = (unsigned long)args->fn_arg;

		if (system_supports_poe())

			p->thread.por_el0 = POR_EL0_INIT;

	}

	p->thread.cpu_context.pc = (unsigned long)ret_from_fork;

	p->thread.cpu_context.sp = (unsigned long)childregs;

#include <linux/ratelimit.h>

#include <linux/rseq.h>

#include <linux/syscalls.h>

#include <linux/pkeys.h>

#include <asm/daifflags.h>

#include <asm/debug-monitors.h>

	unsigned long end_offset;

};

#define BASE_SIGFRAME_SIZE round_up(sizeof(struct rt_sigframe), 16)

/*

 * Holds any EL0-controlled state that influences unprivileged memory accesses.

 * This includes both accesses done in userspace and uaccess done in the kernel.

 *

 * This state needs to be carefully managed to ensure that it doesn't cause

 * uaccess to fail when setting up the signal frame, and the signal handler

 * itself also expects a well-defined state when entered.

 */

struct user_access_state {

	u64 por_el0;

};

#define TERMINATOR_SIZE round_up(sizeof(struct _aarch64_ctx), 16)

#define EXTRA_CONTEXT_SIZE round_up(sizeof(struct extra_context), 16)

/*

 * Save the user access state into ua_state and reset it to disable any

 * restrictions.

 */

static void save_reset_user_access_state(struct user_access_state *ua_state)

{

	if (system_supports_poe()) {

		u64 por_enable_all = 0;

		for (int pkey = 0; pkey < arch_max_pkey(); pkey++)

			por_enable_all |= POE_RXW << (pkey * POR_BITS_PER_PKEY);

		ua_state->por_el0 = read_sysreg_s(SYS_POR_EL0);

		write_sysreg_s(por_enable_all, SYS_POR_EL0);

		/* Ensure that any subsequent uaccess observes the updated value */

		isb();

	}

}

/*

 * Set the user access state for invoking the signal handler.

 *

 * No uaccess should be done after that function is called.

 */

static void set_handler_user_access_state(void)

{

	if (system_supports_poe())

		write_sysreg_s(POR_EL0_INIT, SYS_POR_EL0);

}

/*

 * Restore the user access state to the values saved in ua_state.

 *

 * No uaccess should be done after that function is called.

 */

static void restore_user_access_state(const struct user_access_state *ua_state)

{

	if (system_supports_poe())

		write_sysreg_s(ua_state->por_el0, SYS_POR_EL0);

}

static void init_user_layout(struct rt_sigframe_user_layout *user)

{

	const size_t reserved_size =

	return err;

}

static int preserve_poe_context(struct poe_context __user *ctx)

static int preserve_poe_context(struct poe_context __user *ctx,

				const struct user_access_state *ua_state)

{

	int err = 0;

	__put_user_error(POE_MAGIC, &ctx->head.magic, err);

	__put_user_error(sizeof(*ctx), &ctx->head.size, err);

	__put_user_error(read_sysreg_s(SYS_POR_EL0), &ctx->por_el0, err);

	__put_user_error(ua_state->por_el0, &ctx->por_el0, err);

	return err;

}

static int restore_poe_context(struct user_ctxs *user)

static int restore_poe_context(struct user_ctxs *user,

			       struct user_access_state *ua_state)

{

	u64 por_el0;

	int err = 0;

	__get_user_error(por_el0, &(user->poe->por_el0), err);

	if (!err)

		write_sysreg_s(por_el0, SYS_POR_EL0);

		ua_state->por_el0 = por_el0;

	return err;

}

}

static int restore_sigframe(struct pt_regs *regs,

			    struct rt_sigframe __user *sf)

			    struct rt_sigframe __user *sf,

			    struct user_access_state *ua_state)

{

	sigset_t set;

	int i, err;

		err = restore_zt_context(&user);

	if (err == 0 && system_supports_poe() && user.poe)

		err = restore_poe_context(&user);

		err = restore_poe_context(&user, ua_state);

	return err;

}

{

	struct pt_regs *regs = current_pt_regs();

	struct rt_sigframe __user *frame;

	struct user_access_state ua_state;

	/* Always make any pending restarted system calls return -EINTR */

	current->restart_block.fn = do_no_restart_syscall;

	if (!access_ok(frame, sizeof (*frame)))

		goto badframe;

	if (restore_sigframe(regs, frame))

	if (restore_sigframe(regs, frame, &ua_state))

		goto badframe;

	if (gcs_restore_signal())

	if (restore_altstack(&frame->uc.uc_stack))

		goto badframe;

	restore_user_access_state(&ua_state);

	return regs->regs[0];

badframe:

}

static int setup_sigframe(struct rt_sigframe_user_layout *user,

			  struct pt_regs *regs, sigset_t *set)

			  struct pt_regs *regs, sigset_t *set,

			  const struct user_access_state *ua_state)

{

	int i, err = 0;

	struct rt_sigframe __user *sf = user->sigframe;

		err |= preserve_fpmr_context(fpmr_ctx);

	}

	if (system_supports_poe() && err == 0 && user->poe_offset) {

	if (system_supports_poe() && err == 0) {

		struct poe_context __user *poe_ctx =

			apply_user_offset(user, user->poe_offset);

		err |= preserve_poe_context(poe_ctx);

		err |= preserve_poe_context(poe_ctx, ua_state);

	}

	/* ZA state if present */

	if (system_supports_sme() && err == 0 && user->za_offset) {

		struct za_context __user *za_ctx =

		sme_smstop();

	}

	if (system_supports_poe())

		write_sysreg_s(POR_EL0_INIT, SYS_POR_EL0);

	if (ksig->ka.sa.sa_flags & SA_RESTORER)

		sigtramp = ksig->ka.sa.sa_restorer;

	else

{

	struct rt_sigframe_user_layout user;

	struct rt_sigframe __user *frame;

	struct user_access_state ua_state;

	int err = 0;

	fpsimd_signal_preserve_current_state();

	if (get_sigframe(&user, ksig, regs))

		return 1;

	save_reset_user_access_state(&ua_state);

	frame = user.sigframe;

	__put_user_error(0, &frame->uc.uc_flags, err);

	__put_user_error(NULL, &frame->uc.uc_link, err);

	err |= __save_altstack(&frame->uc.uc_stack, regs->sp);

	err |= setup_sigframe(&user, regs, set);

	err |= setup_sigframe(&user, regs, set, &ua_state);

	if (err == 0) {

		err = setup_return(regs, ksig, &user, usig);

		if (ksig->ka.sa.sa_flags & SA_SIGINFO) {

		}

	}

	if (err == 0)

		set_handler_user_access_state();

	else

		restore_user_access_state(&ua_state);

	return err;

}

	int err;

	/* unregister private events */

	cpuhp_remove_state(sdei_entry_point);

	cpuhp_remove_state(sdei_hp_state);

	err = sdei_unregister_shared();

	if (err)

#define __noscs __attribute__((__no_sanitize__("shadow-call-stack")))

#endif

#ifdef __SANITIZE_HWADDRESS__

#define __no_sanitize_address __attribute__((__no_sanitize__("hwaddress")))

#else

#define __no_sanitize_address __attribute__((__no_sanitize_address__))

#endif

#if defined(__SANITIZE_THREAD__)

#define __no_sanitize_thread __attribute__((__no_sanitize_thread__))