From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Thomas Gleixner <tglx@linutronix.de>,
linux-kernel <linux-kernel@vger.kernel.org>,
Joel Fernandes <joelaf@google.com>,
Peter Zijlstra <peterz@infradead.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Dave Watson <davejwatson@fb.com>,
Will Deacon <will.deacon@arm.com>,
Andi Kleen <andi@firstfloor.org>,
"H. Peter Anvin" <hpa@zytor.com>, Chris Lameter <cl@linux.com>,
Russell King <linux@arm.linux.org.uk>,
Andrew Hunter <ahh@google.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
Paul Turner <pjt@google.com>, Boqun Feng <boqun.feng@gmail.com>,
Josh Triplett <josh@joshtriplett.org>,
rostedt <rostedt@goodmis.org>, Ben Maurer <bmaurer@fb.com>,
linux-api <linux-api@vger.kernel.org>linux-arch <linux-a>
Subject: Re: [RFC PATCH for 4.18 2/2] rseq: compat: clear high bits of rseq_cs fields
Date: Tue, 26 Jun 2018 18:17:22 -0400 (EDT) [thread overview]
Message-ID: <107389573.6464.1530051442686.JavaMail.zimbra@efficios.com> (raw)
In-Reply-To: <D9B93DE9-F61C-4488-B109-432C2DFDCEC2@amacapital.net>
----- On Jun 26, 2018, at 5:58 PM, Andy Lutomirski luto@amacapital.net wrote:
>> On Jun 26, 2018, at 2:16 PM, Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
>> wrote:
>>
>> Make the behavior rseq on compat tasks more robust by ensuring that
>> kernel/rseq.c:rseq_get_rseq_cs() clears the high bits of
>> rseq_cs->abort_ip, rseq_cs->start_ip and rseq_cs->post_commit_offset
>> when a 32-bit binary is run on a 64-bit kernel.
>>
>> The intent here is that if user-space has garbage rather than zeroes
>> in its struct rseq_cs fields padding, the behavior will be the same
>> whether the binary is run on 32-bit or 64-bit kernels.
>>
>> Use in_compat_syscall() when rseq_get_rseq_cs() is invoked from
>> system call context, and use is_compat_frame() when invoked from
>> signal delivery.
>>
>
> And when it’s invoked due to preemption unrelated to a syscall or signal, you
> malfunction?
Fair point! Hence the "RFC". ;)
So I understand better your intent to use the pt_regs to figure out whether it
is compat or not. My is_compat_frame()+in_compat_syscall() approach does not
handle this correctly.
>
> I think the only sane solution is to make these fields be u64,
I'm OK with turning the rseq_cs start_ip, post_commit_offset, and abort_ip
fields into normal u64.
> delete the
> LINUX_FIELD_ macros,
The LINUX_FIELD_ macros are still needed to ensure single-copy updates of
the (struct rseq *__tls_abi)->rseq_cs pointer by 32-bit user-space.
> and possibly teach the x86 slowpath return to inject a
> signal if it’s trying to return to a 32-bit context with garbage in the high
> bits of regs->ip so that we determistically fail if the user screws up.
I like the approach of dealing with the rseq_cs fields as u64 even on 32-bit
architectures. As a downside, it will require 32-bit architectures to do
arithmetic on 64-bit values, but it's not a fast-path. As you point out, the
tricky bit is to decide what happens when architecture code returns to
userspace with regs->ip containing garbage in the high bits.
An alternative approach is to ensure the high bits are cleared when returning
to an IP with garbage in the high bits.
> Rseq is brand new. It should not need compat code at all.
Dealing with u64 for start_ip, post_commit_offset, and abort_ip at the kernel
level would indeed provide this characteristic. However, I'm uneasy adding
64-bit arithmetic on operations really caring about 32 bits on 32-bit archs,
even though those are not fast paths.
Thanks,
Mathieu
--
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
WARNING: multiple messages have this Message-ID (diff)
From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Thomas Gleixner <tglx@linutronix.de>,
linux-kernel <linux-kernel@vger.kernel.org>,
Joel Fernandes <joelaf@google.com>,
Peter Zijlstra <peterz@infradead.org>,
Catalin Marinas <catalin.marinas@arm.com>,
Dave Watson <davejwatson@fb.com>,
Will Deacon <will.deacon@arm.com>,
Andi Kleen <andi@firstfloor.org>,
"H. Peter Anvin" <hpa@zytor.com>, Chris Lameter <cl@linux.com>,
Russell King <linux@arm.linux.org.uk>,
Andrew Hunter <ahh@google.com>,
Michael Kerrisk <mtk.manpages@gmail.com>,
"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
Paul Turner <pjt@google.com>, Boqun Feng <boqun.feng@gmail.com>,
Josh Triplett <josh@joshtriplett.org>,
rostedt <rostedt@goodmis.org>, Ben Maurer <bmaurer@fb.com>,
linux-api <linux-api@vger.kernel.org>,
linux-arch <linux-arch@vger.kernel.org>, x86 <x86@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: Re: [RFC PATCH for 4.18 2/2] rseq: compat: clear high bits of rseq_cs fields
Date: Tue, 26 Jun 2018 18:17:22 -0400 (EDT) [thread overview]
Message-ID: <107389573.6464.1530051442686.JavaMail.zimbra@efficios.com> (raw)
Message-ID: <20180626221722.donnX3f2CrWHioKHdupUIPdd2jh9dBzq5rAdNHD-w58@z> (raw)
In-Reply-To: <D9B93DE9-F61C-4488-B109-432C2DFDCEC2@amacapital.net>
----- On Jun 26, 2018, at 5:58 PM, Andy Lutomirski luto@amacapital.net wrote:
>> On Jun 26, 2018, at 2:16 PM, Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
>> wrote:
>>
>> Make the behavior rseq on compat tasks more robust by ensuring that
>> kernel/rseq.c:rseq_get_rseq_cs() clears the high bits of
>> rseq_cs->abort_ip, rseq_cs->start_ip and rseq_cs->post_commit_offset
>> when a 32-bit binary is run on a 64-bit kernel.
>>
>> The intent here is that if user-space has garbage rather than zeroes
>> in its struct rseq_cs fields padding, the behavior will be the same
>> whether the binary is run on 32-bit or 64-bit kernels.
>>
>> Use in_compat_syscall() when rseq_get_rseq_cs() is invoked from
>> system call context, and use is_compat_frame() when invoked from
>> signal delivery.
>>
>
> And when it’s invoked due to preemption unrelated to a syscall or signal, you
> malfunction?
Fair point! Hence the "RFC". ;)
So I understand better your intent to use the pt_regs to figure out whether it
is compat or not. My is_compat_frame()+in_compat_syscall() approach does not
handle this correctly.
>
> I think the only sane solution is to make these fields be u64,
I'm OK with turning the rseq_cs start_ip, post_commit_offset, and abort_ip
fields into normal u64.
> delete the
> LINUX_FIELD_ macros,
The LINUX_FIELD_ macros are still needed to ensure single-copy updates of
the (struct rseq *__tls_abi)->rseq_cs pointer by 32-bit user-space.
> and possibly teach the x86 slowpath return to inject a
> signal if it’s trying to return to a 32-bit context with garbage in the high
> bits of regs->ip so that we determistically fail if the user screws up.
I like the approach of dealing with the rseq_cs fields as u64 even on 32-bit
architectures. As a downside, it will require 32-bit architectures to do
arithmetic on 64-bit values, but it's not a fast-path. As you point out, the
tricky bit is to decide what happens when architecture code returns to
userspace with regs->ip containing garbage in the high bits.
An alternative approach is to ensure the high bits are cleared when returning
to an IP with garbage in the high bits.
> Rseq is brand new. It should not need compat code at all.
Dealing with u64 for start_ip, post_commit_offset, and abort_ip at the kernel
level would indeed provide this characteristic. However, I'm uneasy adding
64-bit arithmetic on operations really caring about 32 bits on 32-bit archs,
even though those are not fast paths.
Thanks,
Mathieu
--
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
next prev parent reply other threads:[~2018-06-26 22:17 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-26 21:16 [RFC PATCH for 4.18 1/2] compat: Introduce is_compat_frame Mathieu Desnoyers
2018-06-26 21:16 ` Mathieu Desnoyers
2018-06-26 21:16 ` [RFC PATCH for 4.18 2/2] rseq: compat: clear high bits of rseq_cs fields Mathieu Desnoyers
2018-06-26 21:16 ` Mathieu Desnoyers
2018-06-26 21:58 ` Andy Lutomirski
2018-06-26 21:58 ` Andy Lutomirski
2018-06-26 22:17 ` Mathieu Desnoyers [this message]
2018-06-26 22:17 ` Mathieu Desnoyers
2018-06-28 8:04 ` Thomas Gleixner
2018-06-28 8:04 ` Thomas Gleixner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=107389573.6464.1530051442686.JavaMail.zimbra@efficios.com \
--to=mathieu.desnoyers@efficios.com \
--cc=ahh@google.com \
--cc=andi@firstfloor.org \
--cc=bmaurer@fb.com \
--cc=boqun.feng@gmail.com \
--cc=catalin.marinas@arm.com \
--cc=cl@linux.com \
--cc=davejwatson@fb.com \
--cc=hpa@zytor.com \
--cc=joelaf@google.com \
--cc=josh@joshtriplett.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@arm.linux.org.uk \
--cc=luto@amacapital.net \
--cc=mtk.manpages@gmail.com \
--cc=paulmck@linux.vnet.ibm.com \
--cc=peterz@infradead.org \
--cc=pjt@google.com \
--cc=rostedt@goodmis.org \
--cc=tglx@linutronix.de \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.