On 15/10/2024 17:01, Catalin Marinas wrote: >> We also still need to resolve Kevin's concern, which probably means >> keeping the thread's original POR around someplace. > If we fail to allocate context for POR_EL0 (or anything else), we'll > deliver a SIGSEGV. I think it's quite likely that the SIGSEGV will also > fail to allocate context we end up with a fatal SIGSEGV. Not sure the > user can affect the allocation/layout, though it can change stack > attributes where the frame is written. > > Assuming that the user tricks the kernel into failing to write the > context but allows it to succeed on the resulting SIGSEGV, POR_EL0 > wouldn't have been reset and the SIGSEGV context will still have the > original value. I don't think we need to do anything here for 6.12. > > However, in for-next/core, we have gcs_signal_entry() called after > resetting POR_EL0. If this fails, we can end up with a new POR_EL0 on > sigreturn (subject to the above user toggling permissions). I think this > needs to be fixed, POR_EL0 only reset when we know we are going to > deliver the signal. In the series I've just posted [1], POR_EL0 is reset to "allow all" before we do anything, so it sounds like we may have a problem there. However, it does keep track of that state, so I think the fix may be simple. If any error occurs in setup_rt_frame(), we could call restore_unpriv_access_state() to restore the original value of POR_EL0, like in sigreturn(). Otherwise we call set_handler_unpriv_access_state() to set POR_EL0 to POR_EL0_INIT as we do today. I can make that change in v2 if that sounds helpful. Kevin [1] https://lore.kernel.org/linux-arm-kernel/20241017133909.3837547-4-kevin.brodsky@xxxxxxx/T/#u
