Re: + fully-honor-vdso_enabled.patch added to -mm tree

[John Reiser <jreiser@BitWagon.com>]

Oleg Nesterov wrote:
> John Reiser wrote:

>>+	switch (vdso_enabled) {
>>+	case 0:  /* none */
>>+		return 0;
> 
> 
> This means we don't initialize mm->context.vdso and ->sysenter_return.
> 
> Is it ok? For example, setup_rt_frame() uses VDSO_SYM(&__kernel_rt_sigreturn),
> sysenter_past_esp pushes ->sysenter_return on stack.

Paul Mundt has commented on setup_rt_frame() and provided a patch which
bullet-proofs that area.  I will include that patch into the next revision.

The value of ->sysenter_return is interpreted in user space by the
sysexit instruction; nobody else cares what the value is.  The kernel
is not required to provide a good value when vdso_enabled is zero,
because the kernel has not told the process that sysenter is valid
(by setting AT_SYSINFO.)  The kernel requires specific register values
for sysenter+sysexit and these values may change at the whim of the
kernel, so correct code must follow the kernel's protocol.
glibc uses sysenter only when AT_SYSINFO is present.  User code can
screw up even when vdso_enabled is non-zero, by overwriting or re-
mapping the vdso page (clobber memory at the destination of sysexit.)

Both context.vdso and sysenter_return could be set to zero whenever
vdso_enabled is zero; those two values might even be defaulted.
I'll add such a change to the next revision of the patch, if you'll
defend it against claims of "unnecessary code."

> 
> Note also that load_elf_binary does
> 
> 	arch_setup_additional_pages()
> 	create_elf_tables()
> 
> , looks like application can crash after exec if vdso_enabled changes from 0
> to 1 in between.

Correct.  Changing vdso_enabled from 0 to non-zero must be prepared
to lose this race if it is not prevented.  Ordinarily it won't matter
because the administrator will perform such changes at a "quiet" time.

-- 
John Reiser, jreiser@BitWagon.com