git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Thomas Gleixner <tglx@linutronix.de>
	Mon, 27 Oct 2025 08:44:57 +0000 (09:44 +0100)
committer	Ingo Molnar <mingo@kernel.org>
	Tue, 4 Nov 2025 07:32:57 +0000 (08:32 +0100)
commit	abc850e7616c91ebaa3f5ba3617ab0a104d45039
tree	9b303aaff8cd13af49ecdc0f834b2f91ed876ef9	tree \| snapshot
parent	9c37cb6e80b8fcdddc1236ba42ffd438f511192b	commit \| diff

rseq: Provide and use rseq_update_user_cs()

Provide a straight forward implementation to check for and eventually
clear/fixup critical sections in user space.

The non-debug version does only the minimal sanity checks and aims for
efficiency.

There are two attack vectors, which are checked for:

  1) An abort IP which is in the kernel address space. That would cause at
     least x86 to return to kernel space via IRET.

  2) A rogue critical section descriptor with an abort IP pointing to some
     arbitrary address, which is not preceded by the RSEQ signature.

If the section descriptors are invalid then the resulting misbehaviour of
the user space application is not the kernels problem.

The kernel provides a run-time switchable debug slow path, which implements
the full zoo of checks including termination of the task when one of the
gazillion conditions is not met.

Replace the zoo in rseq.c with it and invoke it from the TIF_NOTIFY_RESUME
handler. Move the remainders into the CONFIG_DEBUG_RSEQ section, which will
be replaced and removed in a subsequent step.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://patch.msgid.link/20251027084307.151465632@linutronix.de

include/linux/rseq_entry.h		diff \| blob \| blame \| history
include/linux/rseq_types.h		diff \| blob \| blame \| history
kernel/rseq.c		diff \| blob \| blame \| history