git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Michael Jeanson <mjeanson@efficios.com>
	Thu, 6 Mar 2025 21:12:21 +0000 (16:12 -0500)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 17 Jul 2025 16:30:55 +0000 (18:30 +0200)
commit	3e4028ef31b69286c9d4878cee0330235f53f218
tree	1c1548b04ce441fbb5c4670b6c3d6ff8478d4036	tree
parent	4b934b78041f68bb78a6b634a463da2e4e5f4b05	commit \| diff

rseq: Fix segfault on registration when rseq_cs is non-zero

commit fd881d0a085fc54354414aed990ccf05f282ba53 upstream.

The rseq_cs field is documented as being set to 0 by user-space prior to
registration, however this is not currently enforced by the kernel. This
can result in a segfault on return to user-space if the value stored in
the rseq_cs field doesn't point to a valid struct rseq_cs.

The correct solution to this would be to fail the rseq registration when
the rseq_cs field is non-zero. However, some older versions of glibc
will reuse the rseq area of previous threads without clearing the
rseq_cs field and will also terminate the process if the rseq
registration fails in a secondary thread. This wasn't caught in testing
because in this case the leftover rseq_cs does point to a valid struct
rseq_cs.

What we can do is clear the rseq_cs field on registration when it's
non-zero which will prevent segfaults on registration and won't break
the glibc versions that reuse rseq areas on thread creation.

Signed-off-by: Michael Jeanson <mjeanson@efficios.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lore.kernel.org/r/20250306211223.109455-1-mjeanson@efficios.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>