From: andrea@cpushare.com
To: Chuck Ebbert <76306.1226@compuserve.com>
Cc: Linus Torvalds <torvalds@osdl.org>, Andrew Morton <akpm@osdl.org>,
Arjan van de Ven <arjan@infradead.org>,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [test patch] seccomp: add code to disable TSC when enabling seccomp
Date: Fri, 14 Jul 2006 08:30:06 +0200 [thread overview]
Message-ID: <20060714063006.GF18774@opteron.random> (raw)
In-Reply-To: <200607140205_MC3-1-C4F5-E9D4@compuserve.com>
On Fri, Jul 14, 2006 at 02:02:55AM -0400, Chuck Ebbert wrote:
> But it looks like the mismatch could persist indefinitely: if a seccomp
> task inherits the wrong cr4 flag it could pass it on to another, or back
> to the original one and so on. I think this is the only safe way:
>
> if (test_tsk_thread_flag(next_p, TIF_NOTSC) ||
> test_tsk_thread_flag(prev_p, TIF_NOTSC)) {
>
> /* Flip TSC disable bit if necessary. */
> unsigned int cr4 = read_cr4();
>
> if (test_tsk_thread_flag(next_p, TIF_NOTSC)) {
> if (!(cr4 & X86_CR4_TSD))
> write_cr4(cr4 | X86_CR4_TSD);
> } else
> write_cr4(cr4 & ~X86_CR4_TSD);
> }
>
> (Testing TSD in the 'else' path is not worth the trouble.)
Yes that solves the problem of the first seccomp task propagating it
to the other seccomp tasks.
> The tiny window shouldn't be a problem, should it? Just what is the
> risk to begin with, and how much harder is it to exploit in such a
> small window?
Even the original patch of yours was perfectly fine in
practice. Eventually one of the per-cpu daemons would also be
scheduled even if there are more seccomp tasks per cpu.
But in my opinion if we care about this window and we change
something, it worth to close it completely, mostly for code-style
reasons (i.e. strict code). Note that the NOTSC will never be checked
unless there's a second task, so it's not a single timeslice.
As far as I can tell, the only way to close it completely, is to
require that the task that fires up seccomp is the current task. That
is a very fine requirement. That guarantees that no other cpu could
require any update in-core. So it's enough to always flip the NOTSC
bit in the current cpu with test_and_set_bit and to synchronously
update the cr4 accordingly to the result of test_and_set_bit, then we
can go back to the nicer (and faster) xor way in the scheduler slow
path ;).
This is incidentally exactly what I implemented and tested with my
last patch ;) (which is of course a modification and extension of
yours)
Thanks.
next prev parent reply other threads:[~2006-07-14 6:30 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-07-14 6:02 [test patch] seccomp: add code to disable TSC when enabling seccomp Chuck Ebbert
2006-07-14 6:30 ` andrea [this message]
-- strict thread matches above, loose matches on Subject: below --
2006-07-13 20:11 Chuck Ebbert
2006-07-14 2:02 ` andrea
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060714063006.GF18774@opteron.random \
--to=andrea@cpushare.com \
--cc=76306.1226@compuserve.com \
--cc=akpm@osdl.org \
--cc=arjan@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox