From: Deepak Gupta <debug@rivosinc.com>
To: "Szabolcs.Nagy@arm.com" <Szabolcs.Nagy@arm.com>
Cc: Mark Brown <broonie@kernel.org>,
"Edgecombe, Rick P" <rick.p.edgecombe@intel.com>,
"dietmar.eggemann@arm.com" <dietmar.eggemann@arm.com>,
"keescook@chromium.org" <keescook@chromium.org>,
"brauner@kernel.org" <brauner@kernel.org>,
"shuah@kernel.org" <shuah@kernel.org>,
"mgorman@suse.de" <mgorman@suse.de>,
"dave.hansen@linux.intel.com" <dave.hansen@linux.intel.com>,
"fweimer@redhat.com" <fweimer@redhat.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"vincent.guittot@linaro.org" <vincent.guittot@linaro.org>,
"hjl.tools@gmail.com" <hjl.tools@gmail.com>,
"rostedt@goodmis.org" <rostedt@goodmis.org>,
"mingo@redhat.com" <mingo@redhat.com>,
"tglx@linutronix.de" <tglx@linutronix.de>,
"vschneid@redhat.com" <vschneid@redhat.com>,
"catalin.marinas@arm.com" <catalin.marinas@arm.com>,
"bristot@redhat.com" <bristot@redhat.com>,
"will@kernel.org" <will@kernel.org>,
"hpa@zytor.com" <hpa@zytor.com>,
"peterz@infradead.org" <peterz@infradead.org>,
"jannh@google.com" <jannh@google.com>,
"bp@alien8.de" <bp@alien8.de>,
"bsegall@google.com" <bsegall@google.com>,
"linux-kselftest@vger.kernel.org"
<linux-kselftest@vger.kernel.org>,
"linux-api@vger.kernel.org" <linux-api@vger.kernel.org>,
"x86@kernel.org" <x86@kernel.org>,
"juri.lelli@redhat.com" <juri.lelli@redhat.com>,
nd@arm.com
Subject: Re: [PATCH RFC RFT 2/5] fork: Add shadow stack support to clone3()
Date: Mon, 30 Oct 2023 11:20:45 -0700 [thread overview]
Message-ID: <ZT/z/b9P8KLuZEFh@debug.ba.rivosinc.com> (raw)
In-Reply-To: <ZT+V5VlXg/PsIfpM@arm.com>
On Mon, Oct 30, 2023 at 11:39:17AM +0000, Szabolcs.Nagy@arm.com wrote:
>The 10/27/2023 16:24, Deepak Gupta wrote:
>> On Fri, Oct 27, 2023 at 12:49:59PM +0100, Szabolcs.Nagy@arm.com wrote:
>> > no. the lifetime is the issue: a stack in principle can outlive
>> > a thread and resumed even after the original thread exited.
>> > for that to work the shadow stack has to outlive the thread too.
>>
>> I understand an application can pre-allocate a pool of stack and re-use
>> them whenever it's spawning new threads using clone3 system call.
>>
>> However, once a new thread has been spawned how can it resume?
>
>a thread can getcontext then exit. later another thread
>can setcontext and execute on the stack of the exited
>thread and return to a previous stack frame there.
>
>(unlikely to work on runtimes where tls or thread id is
>exposed and thus may be cached on the stack. so not for
>posix.. but e.g. a go runtime could do this)
Aah then as you mentioned, we basically need clear lifetime rules around
their creation and deletion.
Because `getcontext/swapcontext/setcontext` can be updated to save shadow
stack token on stack itself and use that to resume. It's just lifetime
that needs to be managed.
>
>> By resume I mean consume the callstack context from an earlier thread.
>> Or you meant something else by `resume` here?
>>
>> Can you give an example of such an application or runtime where a newly
>> created thread consumes callstack context created by going away thread?
>
>my claim was not that existing runtimes are doing this,
>but that the linux interface contract allows this and
>tieing the stack lifetime to the thread is a change of
>contract.
>
>> > (or the other way around: a stack can be freed before the thread
>> > exits, if the thread pivots away from that stack.)
>>
>> This is simply a thread saying that I am moving to a different stack.
>> Again, interested in learning why would a thread do that. If I've to
>> speculate on reasons, I could think of user runtime managing it's own
>> pool of worker items (some people call them green threads) or current
>> stack became too small.
>
>switching stack is common, freeing the original stack may not be,
>but there is nothing that prevents this and then the corresponding
>shadow stack is clearly leaked if the kernel manages it. the amount
>of leak is proportional to the number of live threads and the sum
>of their original stack size which can be big.
>
>but as i said i think this lifetime issue is minor compared
>to other shadow stack issues, so it is ok if the shadow stack
>is kernel managed.
next prev parent reply other threads:[~2023-10-30 18:21 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-23 13:20 [PATCH RFC RFT 0/5] fork: Support shadow stacks in clone3() Mark Brown
2023-10-23 13:20 ` [PATCH RFC RFT 1/5] mm: Introduce ARCH_HAS_USER_SHADOW_STACK Mark Brown
2023-10-23 13:20 ` [PATCH RFC RFT 2/5] fork: Add shadow stack support to clone3() Mark Brown
2023-10-23 16:32 ` Edgecombe, Rick P
2023-10-23 18:32 ` Mark Brown
2023-10-26 17:10 ` Edgecombe, Rick P
2023-10-26 17:53 ` Mark Brown
2023-10-26 20:40 ` Deepak Gupta
2023-10-26 23:32 ` Edgecombe, Rick P
2023-10-27 11:49 ` Szabolcs.Nagy
2023-10-27 23:24 ` Deepak Gupta
2023-10-30 11:39 ` Szabolcs.Nagy
2023-10-30 18:20 ` Deepak Gupta [this message]
2023-10-26 23:31 ` Edgecombe, Rick P
2023-10-23 13:20 ` [PATCH RFC RFT 3/5] selftests/clone3: Factor more of main loop into test_clone3() Mark Brown
2023-10-23 13:20 ` [PATCH RFC RFT 4/5] selftests/clone3: Allow tests to flag if -E2BIG is a valid error code Mark Brown
2023-10-23 13:20 ` [PATCH RFC RFT 5/5] kselftest/clone3: Test shadow stack support Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZT/z/b9P8KLuZEFh@debug.ba.rivosinc.com \
--to=debug@rivosinc.com \
--cc=Szabolcs.Nagy@arm.com \
--cc=bp@alien8.de \
--cc=brauner@kernel.org \
--cc=bristot@redhat.com \
--cc=broonie@kernel.org \
--cc=bsegall@google.com \
--cc=catalin.marinas@arm.com \
--cc=dave.hansen@linux.intel.com \
--cc=dietmar.eggemann@arm.com \
--cc=fweimer@redhat.com \
--cc=hjl.tools@gmail.com \
--cc=hpa@zytor.com \
--cc=jannh@google.com \
--cc=juri.lelli@redhat.com \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=mgorman@suse.de \
--cc=mingo@redhat.com \
--cc=nd@arm.com \
--cc=peterz@infradead.org \
--cc=rick.p.edgecombe@intel.com \
--cc=rostedt@goodmis.org \
--cc=shuah@kernel.org \
--cc=tglx@linutronix.de \
--cc=vincent.guittot@linaro.org \
--cc=vschneid@redhat.com \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.