rseq: Implement fast path for exit to user

Implement the actual logic for handling RSEQ updates in a fast path after
handling the TIF work and at the point where the task is actually returning
to user space.

This is the right point to do that because at this point the CPU and the MM
CID are stable and cannot longer change due to yet another reschedule.
That happens when the task is handling it via TIF_NOTIFY_RESUME in
resume_user_mode_work(), which is invoked from the exit to user mode work
loop.

The function is invoked after the TIF work is handled and runs with
interrupts disabled, which means it cannot resolve page faults. It
therefore disables page faults and in case the access to the user space
memory faults, it:

  - notes the fail in the event struct
  - raises TIF_NOTIFY_RESUME
  - returns false to the caller

The caller has to go back to the TIF work, which runs with interrupts
enabled and therefore can resolve the page faults. This happens mostly on
fork() when the memory is marked COW.

If the user memory inspection finds invalid data, the function returns
false as well and sets the fatal flag in the event struct along with
TIF_NOTIFY_RESUME. The slow path notify handler has to evaluate that flag
and terminate the task with SIGSEGV as documented.

The initial decision to invoke any of this is based on one flags in the
event struct: @sched_switch. The decision is in pseudo ASM:

      load	tsk::event::sched_switch
      jnz	inspect_user_space
      mov	$0, tsk::event::events
      ...
      leave

So for the common case where the task was not scheduled out, this really
boils down to three instructions before going out if the compiler is not
completely stupid (and yes, some of them are).

If the condition is true, then it checks, whether CPU ID or MM CID have
changed. If so, then the CPU/MM IDs have to be updated and are thereby
cached for the next round. The update unconditionally retrieves the user
space critical section address to spare another user*begin/end() pair.  If
that's not zero and tsk::event::user_irq is set, then the critical section
is analyzed and acted upon. If either zero or the entry came via syscall
the critical section analysis is skipped.

If the comparison is false then the critical section has to be analyzed
because the event flag is then only true when entry from user was by
interrupt.

This is provided without the actual hookup to let reviewers focus on the
implementation details. The hookup happens in the next step.

Note: As with quite some other optimizations this depends on the generic
entry infrastructure and is not enabled to be sucked into random
architecture implementations.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://patch.msgid.link/20251027084307.638929615@linutronix.de

diff --git a/include/linux/rseq_entry.h b/include/linux/rseq_entry.h
index aa1c0464a16ca923994e76915e63a8b1cddaa346..3f13be7301fa82359f77bac9c14affa9b8b88094 100644 (file)
--- a/include/linux/rseq_entry.h
+++ b/include/linux/rseq_entry.h
@@ -10,6 +10,7 @@ struct rseq_stats {
        unsigned long   exit;
        unsigned long   signal;
        unsigned long   slowpath;
+       unsigned long   fastpath;
        unsigned long   ids;
        unsigned long   cs;
        unsigned long   clear;
@@ -245,12 +246,13 @@ rseq_update_user_cs(struct task_struct *t, struct pt_regs *regs, unsigned long c
 {
        struct rseq_cs __user *ucs = (struct rseq_cs __user *)(unsigned long)csaddr;
        unsigned long ip = instruction_pointer(regs);
+       unsigned long tasksize = TASK_SIZE;
        u64 start_ip, abort_ip, offset;
        u32 usig, __user *uc_sig;
 
        rseq_stat_inc(rseq_stats.cs);
 
-       if (unlikely(csaddr >= TASK_SIZE)) {
+       if (unlikely(csaddr >= tasksize)) {
                t->rseq.event.fatal = true;
                return false;
        }
@@ -287,7 +289,7 @@ rseq_update_user_cs(struct task_struct *t, struct pt_regs *regs, unsigned long c
                 * in TLS::rseq::rseq_cs. An RSEQ abort would then evade ROP
                 * protection.
                 */
-               if (abort_ip >= TASK_SIZE || abort_ip < sizeof(*uc_sig))
+               if (unlikely(abort_ip >= tasksize || abort_ip < sizeof(*uc_sig)))
                        goto die;
 
                /* The address is guaranteed to be >= 0 and < TASK_SIZE */
@@ -397,6 +399,128 @@ static rseq_inline bool rseq_update_usr(struct task_struct *t, struct pt_regs *r
        return rseq_update_user_cs(t, regs, csaddr);
 }
 
+/*
+ * If you want to use this then convert your architecture to the generic
+ * entry code. I'm tired of building workarounds for people who can't be
+ * bothered to make the maintenance of generic infrastructure less
+ * burdensome. Just sucking everything into the architecture code and
+ * thereby making others chase the horrible hacks and keep them working is
+ * neither acceptable nor sustainable.
+ */
+#ifdef CONFIG_GENERIC_ENTRY
+
+/*
+ * This is inlined into the exit path because:
+ *
+ * 1) It's a one time comparison in the fast path when there is no event to
+ *    handle
+ *
+ * 2) The access to the user space rseq memory (TLS) is unlikely to fault
+ *    so the straight inline operation is:
+ *
+ *     - Four 32-bit stores only if CPU ID/ MM CID need to be updated
+ *     - One 64-bit load to retrieve the critical section address
+ *
+ * 3) In the unlikely case that the critical section address is != NULL:
+ *
+ *     - One 64-bit load to retrieve the start IP
+ *     - One 64-bit load to retrieve the offset for calculating the end
+ *     - One 64-bit load to retrieve the abort IP
+ *     - One 64-bit load to retrieve the signature
+ *     - One store to clear the critical section address
+ *
+ * The non-debug case implements only the minimal required checking. It
+ * provides protection against a rogue abort IP in kernel space, which
+ * would be exploitable at least on x86, and also against a rogue CS
+ * descriptor by checking the signature at the abort IP. Any fallout from
+ * invalid critical section descriptors is a user space problem. The debug
+ * case provides the full set of checks and terminates the task if a
+ * condition is not met.
+ *
+ * In case of a fault or an invalid value, this sets TIF_NOTIFY_RESUME and
+ * tells the caller to loop back into exit_to_user_mode_loop(). The rseq
+ * slow path there will handle the failure.
+ */
+static __always_inline bool rseq_exit_user_update(struct pt_regs *regs, struct task_struct *t)
+{
+       /*
+        * Page faults need to be disabled as this is called with
+        * interrupts disabled
+        */
+       guard(pagefault)();
+       if (likely(!t->rseq.event.ids_changed)) {
+               struct rseq __user *rseq = t->rseq.usrptr;
+               /*
+                * If IDs have not changed rseq_event::user_irq must be true
+                * See rseq_sched_switch_event().
+                */
+               u64 csaddr;
+
+               if (unlikely(get_user_inline(csaddr, &rseq->rseq_cs)))
+                       return false;
+
+               if (static_branch_unlikely(&rseq_debug_enabled) || unlikely(csaddr)) {
+                       if (unlikely(!rseq_update_user_cs(t, regs, csaddr)))
+                               return false;
+               }
+               return true;
+       }
+
+       struct rseq_ids ids = {
+               .cpu_id = task_cpu(t),
+               .mm_cid = task_mm_cid(t),
+       };
+       u32 node_id = cpu_to_node(ids.cpu_id);
+
+       return rseq_update_usr(t, regs, &ids, node_id);
+}
+
+static __always_inline bool __rseq_exit_to_user_mode_restart(struct pt_regs *regs)
+{
+       struct task_struct *t = current;
+
+       /*
+        * If the task did not go through schedule or got the flag enforced
+        * by the rseq syscall or execve, then nothing to do here.
+        *
+        * CPU ID and MM CID can only change when going through a context
+        * switch.
+        *
+        * rseq_sched_switch_event() sets the rseq_event::sched_switch bit
+        * only when rseq_event::has_rseq is true. That conditional is
+        * required to avoid setting the TIF bit if RSEQ is not registered
+        * for a task. rseq_event::sched_switch is cleared when RSEQ is
+        * unregistered by a task so it's sufficient to check for the
+        * sched_switch bit alone.
+        *
+        * A sane compiler requires three instructions for the nothing to do
+        * case including clearing the events, but your mileage might vary.
+        */
+       if (unlikely((t->rseq.event.sched_switch))) {
+               rseq_stat_inc(rseq_stats.fastpath);
+
+               if (unlikely(!rseq_exit_user_update(regs, t)))
+                       return true;
+       }
+       /* Clear state so next entry starts from a clean slate */
+       t->rseq.event.events = 0;
+       return false;
+}
+
+static __always_inline bool rseq_exit_to_user_mode_restart(struct pt_regs *regs)
+{
+       if (unlikely(__rseq_exit_to_user_mode_restart(regs))) {
+               current->rseq.event.slowpath = true;
+               set_tsk_thread_flag(current, TIF_NOTIFY_RESUME);
+               return true;
+       }
+       return false;
+}
+
+#else /* CONFIG_GENERIC_ENTRY */
+static inline bool rseq_exit_to_user_mode_restart(struct pt_regs *regs) { return false; }
+#endif /* !CONFIG_GENERIC_ENTRY */
+
 static __always_inline void rseq_exit_to_user_mode(void)
 {
        struct rseq_event *ev = &current->rseq.event;
@@ -421,9 +545,12 @@ static inline void rseq_debug_syscall_return(struct pt_regs *regs)
        if (static_branch_unlikely(&rseq_debug_enabled))
                __rseq_debug_syscall_return(regs);
 }
-
 #else /* CONFIG_RSEQ */
 static inline void rseq_note_user_irq_entry(void) { }
+static inline bool rseq_exit_to_user_mode_restart(struct pt_regs *regs)
+{
+       return false;
+}
 static inline void rseq_exit_to_user_mode(void) { }
 static inline void rseq_debug_syscall_return(struct pt_regs *regs) { }
 #endif /* !CONFIG_RSEQ */

diff --git a/include/linux/rseq_types.h b/include/linux/rseq_types.h
index a1389fff4fca183c932e45200a8f2519de0008bf..9c7a34154de8159f463131981178ed1727665d4f 100644 (file)
--- a/include/linux/rseq_types.h
+++ b/include/linux/rseq_types.h
@@ -18,6 +18,8 @@ struct rseq;
  * @has_rseq:          True if the task has a rseq pointer installed
  * @error:             Compound error code for the slow path to analyze
  * @fatal:             User space data corrupted or invalid
+ * @slowpath:          Indicator that slow path processing via TIF_NOTIFY_RESUME
+ *                     is required
  *
  * @sched_switch and @ids_changed must be adjacent and the combo must be
  * 16bit aligned to allow a single store, when both are set at the same
@@ -42,6 +44,7 @@ struct rseq_event {
                                u16             error;
                                struct {
                                        u8      fatal;
+                                       u8      slowpath;
                                };
                        };
                };

diff --git a/kernel/rseq.c b/kernel/rseq.c
index 183dde75680848d3f0671d4823aaef2f2966f7a4..c5d6336c69560981802e3bba749a468c3e99bf7e 100644 (file)
--- a/kernel/rseq.c
+++ b/kernel/rseq.c
@@ -133,6 +133,7 @@ static int rseq_stats_show(struct seq_file *m, void *p)
                stats.exit      += data_race(per_cpu(rseq_stats.exit, cpu));
                stats.signal    += data_race(per_cpu(rseq_stats.signal, cpu));
                stats.slowpath  += data_race(per_cpu(rseq_stats.slowpath, cpu));
+               stats.fastpath  += data_race(per_cpu(rseq_stats.fastpath, cpu));
                stats.ids       += data_race(per_cpu(rseq_stats.ids, cpu));
                stats.cs        += data_race(per_cpu(rseq_stats.cs, cpu));
                stats.clear     += data_race(per_cpu(rseq_stats.clear, cpu));
@@ -142,6 +143,7 @@ static int rseq_stats_show(struct seq_file *m, void *p)
        seq_printf(m, "exit:   %16lu\n", stats.exit);
        seq_printf(m, "signal: %16lu\n", stats.signal);
        seq_printf(m, "slowp:  %16lu\n", stats.slowpath);
+       seq_printf(m, "fastp:  %16lu\n", stats.fastpath);
        seq_printf(m, "ids:    %16lu\n", stats.ids);
        seq_printf(m, "cs:     %16lu\n", stats.cs);
        seq_printf(m, "clear:  %16lu\n", stats.clear);