From: Thomas Gleixner <tglx@linutronix.de>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: LKML <linux-kernel@vger.kernel.org>,
Oleg Nesterov <oleg@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@kernel.org>,
Michael Kerrisk <mtk.manpages@gmail.com>,
linux-man@vger.kernel.org, libc-alpha <libc-alpha@sourceware.org>
Subject: Re: signals: Bug or manpage inconsistency?
Date: Tue, 30 May 2017 21:35:33 +0200 (CEST) [thread overview]
Message-ID: <alpine.DEB.2.20.1705302105190.2356@nanos> (raw)
In-Reply-To: <CA+55aFwC_8RWygnZWtgT+COY8mGY_RnDSW_vrD=+1x_NyPxChw@mail.gmail.com>
On Tue, 30 May 2017, Linus Torvalds wrote:
> On Tue, May 30, 2017 at 6:21 AM, Thomas Gleixner <tglx@linutronix.de> wrote:
> >
> > Linus, any recollection?
> >
> > IMO, it's perfectly reasonable to discard ignored signals even when the
> > signal is in the blocked mask. When its unblocked and SIG_IGN is replaced
> > then the next signal will be delivered. But hell knows, how much user space
> > depends on this weird behaviour by now.
>
> Is there any real reason you care? Because clearly we're doing what
> POSIX allows, and I'd be nervous about changing existing behavior.
>
> There are various races wrt signals that happen particularly around
> fork/exec, and the way that programs handle those races is to block
> signals. I don't know that anybody cares about the exact semantics of
> this, but I could *imagine* that they do.
>
> Our current behavior is actually very nice: blocking a signal
> basically guarantees that you're now "atomic" wrt that signal. You
> won't lose signaling events after the blocking, unless you explicitly
> throw them away.
Right, blocking signals which are not set to SIG_IGN makes perfectly sense. The
SIG_IGN case is what bothers me.
If you do
ignore(sig);
<- Signal discarded
sigpending() -> empty
block(sig);
<- Signal queued
sigpending() -> queued signal marked pending
unblock(sig);
<- Queued signal dequeued and discarded due to SIG_IGN
sigpending() -> empty
> So I would suggest *not* changing the semantics unless you have a
> major real reason for wanting to do that.
The reason why I'm looking into that is the silly case with posix interval
timers dealing with ignored signals. We have to keep these timers self
rearming because nothing rearms them when SIG_IGN is lifted. That means
it's a nice way to keep the system busy and the process which armed the
timer is never waking up. We have a crude 'rate limit' of the interval to
one jiffie in place which prevents a unpriviledged DOS attack by arming the
timer with a very small interval. But that turns that mechanism into a
battery drain which is not obvious to figure out.
When I was working on a mitigation for that, which of course involves
fiddling with the signal code, I noticed that issue with sigpending() which
returns the blocked _and_ ignored signal as pending despite the man page
claiming otherwise. That made me look deeper and wonder about the rather
strange and inconsistent semantics of all of this.
Thanks,
tglx
WARNING: multiple messages have this Message-ID (diff)
From: Thomas Gleixner <tglx-hfZtesqFncYOwBW4kG4KsQ@public.gmane.org>
To: Linus Torvalds
<torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
Cc: LKML <linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Peter Zijlstra <peterz-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>,
Ingo Molnar <mingo-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Michael Kerrisk
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
libc-alpha <libc-alpha-9JcytcrH/bA+uJoB2kUjGw@public.gmane.org>
Subject: Re: signals: Bug or manpage inconsistency?
Date: Tue, 30 May 2017 21:35:33 +0200 (CEST) [thread overview]
Message-ID: <alpine.DEB.2.20.1705302105190.2356@nanos> (raw)
In-Reply-To: <CA+55aFwC_8RWygnZWtgT+COY8mGY_RnDSW_vrD=+1x_NyPxChw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On Tue, 30 May 2017, Linus Torvalds wrote:
> On Tue, May 30, 2017 at 6:21 AM, Thomas Gleixner <tglx-hfZtesqFncYOwBW4kG4KsQ@public.gmane.org> wrote:
> >
> > Linus, any recollection?
> >
> > IMO, it's perfectly reasonable to discard ignored signals even when the
> > signal is in the blocked mask. When its unblocked and SIG_IGN is replaced
> > then the next signal will be delivered. But hell knows, how much user space
> > depends on this weird behaviour by now.
>
> Is there any real reason you care? Because clearly we're doing what
> POSIX allows, and I'd be nervous about changing existing behavior.
>
> There are various races wrt signals that happen particularly around
> fork/exec, and the way that programs handle those races is to block
> signals. I don't know that anybody cares about the exact semantics of
> this, but I could *imagine* that they do.
>
> Our current behavior is actually very nice: blocking a signal
> basically guarantees that you're now "atomic" wrt that signal. You
> won't lose signaling events after the blocking, unless you explicitly
> throw them away.
Right, blocking signals which are not set to SIG_IGN makes perfectly sense. The
SIG_IGN case is what bothers me.
If you do
ignore(sig);
<- Signal discarded
sigpending() -> empty
block(sig);
<- Signal queued
sigpending() -> queued signal marked pending
unblock(sig);
<- Queued signal dequeued and discarded due to SIG_IGN
sigpending() -> empty
> So I would suggest *not* changing the semantics unless you have a
> major real reason for wanting to do that.
The reason why I'm looking into that is the silly case with posix interval
timers dealing with ignored signals. We have to keep these timers self
rearming because nothing rearms them when SIG_IGN is lifted. That means
it's a nice way to keep the system busy and the process which armed the
timer is never waking up. We have a crude 'rate limit' of the interval to
one jiffie in place which prevents a unpriviledged DOS attack by arming the
timer with a very small interval. But that turns that mechanism into a
battery drain which is not obvious to figure out.
When I was working on a mitigation for that, which of course involves
fiddling with the signal code, I noticed that issue with sigpending() which
returns the blocked _and_ ignored signal as pending despite the man page
claiming otherwise. That made me look deeper and wonder about the rather
strange and inconsistent semantics of all of this.
Thanks,
tglx
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-05-30 19:35 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-30 13:21 signals: Bug or manpage inconsistency? Thomas Gleixner
2017-05-30 16:14 ` Thomas Gleixner
2017-05-30 16:14 ` Thomas Gleixner
2017-05-30 17:04 ` Oleg Nesterov
2017-05-30 17:19 ` Linus Torvalds
2017-05-30 17:19 ` Linus Torvalds
2017-05-30 19:18 ` Oleg Nesterov
2017-05-30 19:18 ` Oleg Nesterov
2017-05-30 20:54 ` Thomas Gleixner
2017-05-30 20:54 ` Thomas Gleixner
2017-05-31 0:48 ` Eric W. Biederman
2017-05-31 0:48 ` Eric W. Biederman
2017-05-31 1:10 ` Eric W. Biederman
2017-05-31 1:10 ` Eric W. Biederman
2017-05-30 17:04 ` Linus Torvalds
2017-05-30 17:04 ` Linus Torvalds
2017-05-30 19:35 ` Thomas Gleixner [this message]
2017-05-30 19:35 ` Thomas Gleixner
2017-05-30 19:58 ` Linus Torvalds
2017-05-30 19:58 ` Linus Torvalds
2017-05-30 21:00 ` Thomas Gleixner
2017-05-30 21:00 ` Thomas Gleixner
2017-05-31 6:51 ` Michael Kerrisk (man-pages)
2017-05-31 6:51 ` Michael Kerrisk (man-pages)
2017-06-01 7:01 ` Eric W. Biederman
2017-06-01 7:01 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.2.20.1705302105190.2356@nanos \
--to=tglx@linutronix.de \
--cc=libc-alpha@sourceware.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=mtk.manpages@gmail.com \
--cc=oleg@redhat.com \
--cc=peterz@infradead.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.