From: Chris Metcalf <cmetcalf@tilera.com>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Oleg Nesterov <oleg@redhat.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
<linux-arch@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] arch/tile: avoid calling do_signal() after fork from a kernel thread
Date: Sat, 28 Apr 2012 17:46:13 -0400 [thread overview]
Message-ID: <4F9C6525.3050405@tilera.com> (raw)
In-Reply-To: <20120428205517.GW6871@ZenIV.linux.org.uk>
On 4/28/2012 4:55 PM, Al Viro wrote:
> On Sat, Apr 28, 2012 at 02:51:43PM -0400, Chris Metcalf wrote:
>> Calling interrupt_return will check the privilege of the context we're
>> returning to avoid the possibility of kernel threads doing any kind
>> of userspace actions (including signal handling) after a fork.
>>
>> Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
>> ---
>> Al, thanks for noticing this. I've queued it up for 3.4.
>>
>> Do you have a case that might provoke the signal behavior in the
>> unpatched code? The patched code passes our internal regressions.
>>
>> arch/tile/kernel/intvec_32.S | 2 +-
>> arch/tile/kernel/intvec_64.S | 2 +-
>> 2 files changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/arch/tile/kernel/intvec_32.S b/arch/tile/kernel/intvec_32.S
>> index 5d56a1e..d0f48ca 100644
>> --- a/arch/tile/kernel/intvec_32.S
>> +++ b/arch/tile/kernel/intvec_32.S
>> @@ -1274,7 +1274,7 @@ STD_ENTRY(ret_from_fork)
>> FEEDBACK_REENTER(ret_from_fork)
>> {
>> movei r30, 0 /* not an NMI */
>> - j .Lresume_userspace /* jump into middle of interrupt_return */
>> + j interrupt_return
>> }
>> STD_ENDPROC(ret_from_fork)
> Umm... I'm not sure that it's correct. For one thing, ret_from_fork is
> used both for kernel threads and for plain old fork(2). In the latter
> case you want .Lresume_userspace, not interrupt_return.
It's OK, since we will jump to .Lresume_userspace from interrupt_return in
the latter case:
STD_ENTRY(interrupt_return)
/* If we're resuming to kernel space, don't check thread flags. */
{
[...]
PTREGS_PTR(r29, PTREGS_OFFSET_EX1)
}
ld r29, r29
andi r29, r29, SPR_EX_CONTEXT_1_1__PL_MASK /* mask off ICS */
{
beqzt r29, .Lresume_userspace
[...]
}
The struct ptregs "ex1" field will reliably tell us whether we came from
kernel or userspace context. Certainly for fork() this will indicate
userspace, since it's the return register info for the syscall. And for
kernel_thread() we explicitly set up ex1 to indicate kernel privilege as well.
> For another,
> there's kernel_execve() and if it fails (binary doesn't exist/has wrong
> format/etc.) you'll get to .Lresume_userspace with EX1_PL(regs->ex1)
> unchanged, i.e. the kernel one...
This is a good point. The current syscall return path goes directly to
.Lresume_userspace, which will screw up kernel syscalls. I think the right
answer is still to jump to interrupt_return from those cases, though. In
particular, this gets rid of the existing cruftiness where we have to
document that a local label (.Lresume_userspace) can be the target of jumps
from outside the containing function.
> As for the reproducer, just
> guess the PID of modprobe when you are e.g. trying to mount a filesystem
> with fs driver modular and not loaded; fork(), have parent wait a bit
> and call mount(), while the child keeps sending something more or less
> innocent (SIGCHLD, for example) to the guessed PID. And either have
> /sbin/modprobe chmod -x before doing that (you'll need to remember to
> chmod it back before reboot, of course) or just
> mount --bind /dev/null /sbin/modprobe. Either way, kernel_execve() will
> fail. And if you manage to hit the sucker just as it's being spawned,
> you'll get the kernel_thread() codepath as well.
>
> FWIW, I like what you've done with do_work_pending() - it's much cleaner
> than usual loops and tests in assembler. The only question is, what's
> going on with
> push_extra_callee_saves r0
> you are doing there - seems possibly over the top for situations when
> SIGPENDING isn't set and, more seriously, what if you go through that
> loop many times? You slap them again and again into pt_regs, overwriting
> anything ptrace() might've done to r34..r51, right?
Yes, that's a good observation. I should hoist the push of callee-saves to
before the loop. I'll put out a new patch that incorporates both of those
changes.
Thanks!
--
Chris Metcalf, Tilera Corp.
http://www.tilera.com
next prev parent reply other threads:[~2012-04-28 21:46 UTC|newest]
Thread overview: 91+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-04-18 13:04 [PULL REQUEST] : ima-appraisal patches Mimi Zohar
2012-04-18 15:02 ` James Morris
2012-04-18 18:07 ` Mimi Zohar
2012-04-18 18:39 ` Al Viro
2012-04-18 20:56 ` Mimi Zohar
2012-04-19 19:57 ` Mimi Zohar
2012-04-20 0:43 ` [RFC] situation with fput() locking (was Re: [PULL REQUEST] : ima-appraisal patches) Al Viro
2012-04-20 2:31 ` Linus Torvalds
2012-04-20 2:54 ` Al Viro
2012-04-20 2:58 ` Linus Torvalds
2012-04-20 8:09 ` Al Viro
2012-04-20 15:56 ` Linus Torvalds
2012-04-20 16:08 ` Al Viro
2012-04-20 16:42 ` Al Viro
2012-04-20 17:21 ` Linus Torvalds
2012-04-20 18:07 ` Al Viro
2012-04-23 18:01 ` [RFC] TIF_NOTIFY_RESUME, arch/*/*/*signal*.c and all such Al Viro
2012-04-23 18:37 ` Oleg Nesterov
2012-04-24 7:26 ` Al Viro
2012-04-25 3:06 ` Al Viro
2012-04-25 12:37 ` Oleg Nesterov
2012-04-25 12:50 ` Al Viro
2012-04-25 13:03 ` Oleg Nesterov
2012-04-25 13:32 ` Oleg Nesterov
2012-04-25 13:32 ` Al Viro
2012-04-25 14:52 ` Oleg Nesterov
2012-04-25 15:46 ` Oleg Nesterov
2012-04-25 16:10 ` Al Viro
2012-04-25 17:02 ` Oleg Nesterov
2012-04-25 17:51 ` Al Viro
2012-04-26 7:15 ` Martin Schwidefsky
2012-04-26 7:25 ` David Miller
2012-04-26 13:52 ` Oleg Nesterov
2012-04-26 14:31 ` Martin Schwidefsky
2012-04-26 13:22 ` Oleg Nesterov
2012-04-26 18:37 ` Oleg Nesterov
2012-04-26 23:19 ` Al Viro
2012-04-27 17:24 ` Oleg Nesterov
2012-04-27 17:54 ` Oleg Nesterov
2012-05-02 10:37 ` Matt Fleming
2012-05-02 14:14 ` Al Viro
2012-04-27 18:45 ` Al Viro
2012-04-27 19:14 ` Geert Uytterhoeven
2012-04-27 19:34 ` Al Viro
2012-04-29 22:51 ` Al Viro
2012-04-30 6:39 ` Greg Ungerer
2012-04-27 19:42 ` Al Viro
2012-04-27 20:20 ` Roland McGrath
2012-04-27 21:12 ` Al Viro
2012-04-27 21:27 ` Roland McGrath
2012-04-27 23:15 ` Al Viro
2012-04-27 23:32 ` Al Viro
2012-04-29 4:12 ` Al Viro
2012-04-30 8:06 ` Martin Schwidefsky
2012-04-27 23:50 ` Al Viro
2012-04-28 18:51 ` [PATCH] arch/tile: avoid calling do_signal() after fork from a kernel thread Chris Metcalf
2012-04-28 20:55 ` Al Viro
2012-04-28 21:46 ` Chris Metcalf [this message]
2012-04-29 0:55 ` Al Viro
2012-04-28 18:51 ` [PATCH v2] arch/tile: fix up some issues in calling do_work_pending() Chris Metcalf
2012-04-29 3:49 ` [PATCH] arch/tile: avoid calling do_signal() after fork from a kernel thread Chris Metcalf
2012-04-28 2:42 ` [RFC] TIF_NOTIFY_RESUME, arch/*/*/*signal*.c and all such Al Viro
2012-04-28 3:32 ` Al Viro
2012-04-28 3:36 ` Al Viro
2012-04-29 16:33 ` Oleg Nesterov
2012-04-29 16:18 ` Oleg Nesterov
2012-04-29 18:05 ` Al Viro
2012-05-01 4:31 ` Al Viro
2012-05-01 5:06 ` Mike Frysinger
2012-05-01 5:52 ` Al Viro
2012-05-02 17:24 ` Al Viro
2012-05-02 18:30 ` Oleg Nesterov
2012-04-29 16:41 ` Oleg Nesterov
2012-04-29 18:09 ` Al Viro
2012-04-29 18:25 ` Oleg Nesterov
2012-04-20 3:15 ` [RFC] situation with fput() locking (was Re: [PULL REQUEST] : ima-appraisal patches) Al Viro
2012-04-20 18:54 ` Hugh Dickins
2012-04-20 19:04 ` Al Viro
2012-04-20 19:18 ` Linus Torvalds
2012-04-20 19:32 ` Hugh Dickins
2012-04-20 19:58 ` Al Viro
2012-04-20 21:12 ` Linus Torvalds
2012-04-20 22:13 ` Al Viro
2012-04-20 22:35 ` Linus Torvalds
2012-04-27 7:35 ` Kasatkin, Dmitry
2012-04-27 17:34 ` Al Viro
2012-04-27 18:52 ` Kasatkin, Dmitry
2012-04-27 19:15 ` Kasatkin, Dmitry
2012-04-30 14:32 ` Mimi Zohar
2012-05-03 4:23 ` James Morris
2012-04-20 19:37 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4F9C6525.3050405@tilera.com \
--to=cmetcalf@tilera.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox