* [PATCH 1/4] signals/sigaltstack: If SS_AUTODISARM, bypass on_sig_stack [not found] <cover.1462296606.git.luto@kernel.org> @ 2016-05-03 17:31 ` Andy Lutomirski [not found] ` <c46bee4654ca9e68c498462fd11746e2bd0d98c8.1462296606.git.luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> 2016-05-03 17:31 ` [PATCH 2/4] selftests/sigaltstack: Fix the sas test on old kernels Andy Lutomirski ` (2 subsequent siblings) 3 siblings, 1 reply; 16+ messages in thread From: Andy Lutomirski @ 2016-05-03 17:31 UTC (permalink / raw) To: x86 Cc: linux-kernel, Borislav Petkov, Andy Lutomirski, Stas Sergeev, Al Viro, Aleksa Sarai, Amanieu d'Antras, Andrea Arcangeli, Andrew Morton, Andy Lutomirski, Brian Gerst, Denys Vlasenko, Eric W. Biederman, Frederic Weisbecker, H. Peter Anvin, Heinrich Schuchardt, Jason Low, Josh Triplett, Konstantin Khlebnikov, Linus Torvalds, Oleg Nesterov, Palmer Dabbelt, Paul Moore, Pavel If a signal stack is set up with SS_AUTODISARM, then the kernel inherently avoids incorrectly resetting the signal stack if signals recurse: the signal stack will be reset on the first signal delivery. This means that we don't need check the stack pointer when delivering signals if SS_AUTODISARM is set. This will make segmented x86 programs more robust: currently there's a hole that could be triggered if ESP/RSP appears to point to the signal stack but actually doesn't due to a nonzero SS base. Signed-off-by: Stas Sergeev <stsp@list.ru> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Aleksa Sarai <cyphar@cyphar.com> Cc: Amanieu d'Antras <amanieu@gmail.com> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Borislav Petkov <bp@alien8.de> Cc: Brian Gerst <brgerst@gmail.com> Cc: Denys Vlasenko <dvlasenk@redhat.com> Cc: Eric W. Biederman <ebiederm@xmission.com> Cc: Frederic Weisbecker <fweisbec@gmail.com> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Heinrich Schuchardt <xypron.glpk@gmx.de> Cc: Jason Low <jason.low2@hp.com> Cc: Josh Triplett <josh@joshtriplett.org> Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Palmer Dabbelt <palmer@dabbelt.com> Cc: Paul Moore <pmoore@redhat.com> Cc: Pavel Emelyanov <xemul@parallels.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Richard Weinberger <richard@nod.at> Cc: Sasha Levin <sasha.levin@oracle.com> Cc: Shuah Khan <shuahkh@osg.samsung.com> Cc: Tejun Heo <tj@kernel.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Vladimir Davydov <vdavydov@parallels.com> Cc: linux-api@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Andy Lutomirski <luto@kernel.org> --- include/linux/sched.h | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/include/linux/sched.h b/include/linux/sched.h index 2950c5cd3005..8f03a93348b9 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -2576,6 +2576,18 @@ static inline int kill_cad_pid(int sig, int priv) */ static inline int on_sig_stack(unsigned long sp) { + /* + * If the signal stack is AUTODISARM then, by construction, we + * can't be on the signal stack unless user code deliberately set + * SS_AUTODISARM when we were already on the it. + * + * This improve reliability: if user state gets corrupted such that + * the stack pointer points very close to the end of the signal stack, + * then this check will enable the signal to be handled anyway. + */ + if (current->sas_ss_flags & SS_AUTODISARM) + return 0; + #ifdef CONFIG_STACK_GROWSUP return sp >= current->sas_ss_sp && sp - current->sas_ss_sp < current->sas_ss_size; -- 2.5.5 ^ permalink raw reply related [flat|nested] 16+ messages in thread
[parent not found: <c46bee4654ca9e68c498462fd11746e2bd0d98c8.1462296606.git.luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>]
* Re: [PATCH 1/4] signals/sigaltstack: If SS_AUTODISARM, bypass on_sig_stack [not found] ` <c46bee4654ca9e68c498462fd11746e2bd0d98c8.1462296606.git.luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> @ 2016-05-04 6:32 ` Ingo Molnar [not found] ` <20160504063233.GB9499-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> 2016-05-07 14:37 ` Stas Sergeev 1 sibling, 1 reply; 16+ messages in thread From: Ingo Molnar @ 2016-05-04 6:32 UTC (permalink / raw) To: Andy Lutomirski Cc: x86-DgEjT+Ai2ygdnm+yROfE0A, linux-kernel-u79uwXL29TY76Z2rM5mHXA, Borislav Petkov, Stas Sergeev, Al Viro, Aleksa Sarai, Amanieu d'Antras, Andrea Arcangeli, Andrew Morton, Andy Lutomirski, Brian Gerst, Denys Vlasenko, Eric W. Biederman, Frederic Weisbecker, H. Peter Anvin, Heinrich Schuchardt, Jason Low, Josh Triplett, Konstantin Khlebnikov, Linus Torvalds, Oleg Nesterov, Palmer Dabbelt, Paul Moore, Pavel Emelyanov * Andy Lutomirski <luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote: > If a signal stack is set up with SS_AUTODISARM, then the kernel > inherently avoids incorrectly resetting the signal stack if signals > recurse: the signal stack will be reset on the first signal > delivery. This means that we don't need check the stack pointer > when delivering signals if SS_AUTODISARM is set. > > This will make segmented x86 programs more robust: currently there's > a hole that could be triggered if ESP/RSP appears to point to the > signal stack but actually doesn't due to a nonzero SS base. > > Signed-off-by: Stas Sergeev <stsp-cmBhpYW9OiY@public.gmane.org> Presuably that SOB from Stas is stray, as there's no matching From: line? I've removed it. Thanks, Ingo ^ permalink raw reply [flat|nested] 16+ messages in thread
[parent not found: <20160504063233.GB9499-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>]
* Re: [PATCH 1/4] signals/sigaltstack: If SS_AUTODISARM, bypass on_sig_stack [not found] ` <20160504063233.GB9499-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> @ 2016-05-04 23:02 ` Andy Lutomirski 0 siblings, 0 replies; 16+ messages in thread From: Andy Lutomirski @ 2016-05-04 23:02 UTC (permalink / raw) To: Ingo Molnar Cc: Thomas Gleixner, Shuah Khan, Pavel Emelyanov, Andrew Morton, Jason Low, Eric W. Biederman, Josh Triplett, Aleksa Sarai, Paul Moore, X86 ML, Sasha Levin, Stas Sergeev, Denys Vlasenko, Al Viro, Amanieu d'Antras, Borislav Petkov, Konstantin Khlebnikov, Heinrich Schuchardt, Tejun Heo, Brian Gerst, Linux API, Linus Torvalds, Palmer Dabbelt On May 3, 2016 11:32 PM, "Ingo Molnar" <mingo-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote: > > > * Andy Lutomirski <luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote: > > > If a signal stack is set up with SS_AUTODISARM, then the kernel > > inherently avoids incorrectly resetting the signal stack if signals > > recurse: the signal stack will be reset on the first signal > > delivery. This means that we don't need check the stack pointer > > when delivering signals if SS_AUTODISARM is set. > > > > This will make segmented x86 programs more robust: currently there's > > a hole that could be triggered if ESP/RSP appears to point to the > > signal stack but actually doesn't due to a nonzero SS base. > > > > Signed-off-by: Stas Sergeev <stsp-cmBhpYW9OiY@public.gmane.org> > > Presuably that SOB from Stas is stray, as there's no matching From: line? > I've removed it. Yes. It was a cut-and-paste-o -- I meant to change it to cc. > > Thanks, > > Ingo ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 1/4] signals/sigaltstack: If SS_AUTODISARM, bypass on_sig_stack [not found] ` <c46bee4654ca9e68c498462fd11746e2bd0d98c8.1462296606.git.luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> 2016-05-04 6:32 ` Ingo Molnar @ 2016-05-07 14:37 ` Stas Sergeev 2016-05-09 1:32 ` Andy Lutomirski 1 sibling, 1 reply; 16+ messages in thread From: Stas Sergeev @ 2016-05-07 14:37 UTC (permalink / raw) To: Andy Lutomirski, x86-DgEjT+Ai2ygdnm+yROfE0A Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA, Borislav Petkov, Al Viro, Aleksa Sarai, Amanieu d'Antras, Andrea Arcangeli, Andrew Morton, Andy Lutomirski, Brian Gerst, Denys Vlasenko, Eric W. Biederman, Frederic Weisbecker, H. Peter Anvin, Heinrich Schuchardt, Jason Low, Josh Triplett, Konstantin Khlebnikov, Linus Torvalds, Oleg Nesterov, Palmer Dabbelt, Paul Moore, Pavel Emelyanov, Peter Zijlstra 03.05.2016 20:31, Andy Lutomirski пишет: > If a signal stack is set up with SS_AUTODISARM, then the kernel > inherently avoids incorrectly resetting the signal stack if signals > recurse: the signal stack will be reset on the first signal > delivery. This means that we don't need check the stack pointer > when delivering signals if SS_AUTODISARM is set. > > This will make segmented x86 programs more robust: currently there's > a hole that could be triggered if ESP/RSP appears to point to the > signal stack but actually doesn't due to a nonzero SS base. > > Signed-off-by: Stas Sergeev <stsp-cmBhpYW9OiY@public.gmane.org> > Cc: Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org> > Cc: Aleksa Sarai <cyphar-gVpy/LI/lHzQT0dZR+AlfA@public.gmane.org> > Cc: Amanieu d'Antras <amanieu-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> > Cc: Andrea Arcangeli <aarcange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> > Cc: Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> > Cc: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> > Cc: Borislav Petkov <bp-Gina5bIWoIWzQB+pC5nmwQ@public.gmane.org> > Cc: Brian Gerst <brgerst-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> > Cc: Denys Vlasenko <dvlasenk-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> > Cc: Eric W. Biederman <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> > Cc: Frederic Weisbecker <fweisbec-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> > Cc: H. Peter Anvin <hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org> > Cc: Heinrich Schuchardt <xypron.glpk-Mmb7MZpHnFY@public.gmane.org> > Cc: Jason Low <jason.low2-VXdhtT5mjnY@public.gmane.org> > Cc: Josh Triplett <josh-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org> > Cc: Konstantin Khlebnikov <khlebnikov-XoJtRXgx1JseBXzfvpsJ4g@public.gmane.org> > Cc: Linus Torvalds <torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> > Cc: Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> > Cc: Palmer Dabbelt <palmer-96lFi9zoCfxBDgjK7y7TUQ@public.gmane.org> > Cc: Paul Moore <pmoore-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> > Cc: Pavel Emelyanov <xemul-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org> > Cc: Peter Zijlstra <peterz-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> > Cc: Richard Weinberger <richard-/L3Ra7n9ekc@public.gmane.org> > Cc: Sasha Levin <sasha.levin-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org> > Cc: Shuah Khan <shuahkh-JPH+aEBZ4P+UEJcrhfAQsw@public.gmane.org> > Cc: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> > Cc: Thomas Gleixner <tglx-hfZtesqFncYOwBW4kG4KsQ@public.gmane.org> > Cc: Vladimir Davydov <vdavydov-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org> > Cc: linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org > Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org > Signed-off-by: Andy Lutomirski <luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> > --- > include/linux/sched.h | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > > diff --git a/include/linux/sched.h b/include/linux/sched.h > index 2950c5cd3005..8f03a93348b9 100644 > --- a/include/linux/sched.h > +++ b/include/linux/sched.h > @@ -2576,6 +2576,18 @@ static inline int kill_cad_pid(int sig, int priv) > */ > static inline int on_sig_stack(unsigned long sp) > { > + /* > + * If the signal stack is AUTODISARM then, by construction, we > + * can't be on the signal stack unless user code deliberately set > + * SS_AUTODISARM when we were already on the it. "on the it" -> "on it". Anyway, I am a bit puzzled with this patch. You say "unless user code deliberately set SS_AUTODISARM when we were already on the it" so what happens in case it actually does? Without your patch: if user sets up the same sas - no stack switch. if user sets up different sas - stack switch on nested signal. With your patch: stack switch in any case, so if user set up same sas - stack corruption by nested signal. Or am I missing the intention? ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 1/4] signals/sigaltstack: If SS_AUTODISARM, bypass on_sig_stack 2016-05-07 14:37 ` Stas Sergeev @ 2016-05-09 1:32 ` Andy Lutomirski [not found] ` <CALCETrX4AMCUkYMXe6-RoHTHQ=bpunM5keHSxMg=fEVtb1EmqA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 0 siblings, 1 reply; 16+ messages in thread From: Andy Lutomirski @ 2016-05-09 1:32 UTC (permalink / raw) To: Stas Sergeev Cc: Thomas Gleixner, Shuah Khan, Pavel Emelyanov, Andrew Morton, Jason Low, Eric W. Biederman, Josh Triplett, Aleksa Sarai, Paul Moore, X86 ML, Sasha Levin, Denys Vlasenko, Al Viro, Amanieu d'Antras, Borislav Petkov, Konstantin Khlebnikov, Heinrich Schuchardt, Tejun Heo, Brian Gerst, Linux API, Linus Torvalds, Palmer Dabbelt, Frederic Weisbecker, Andrea On May 7, 2016 7:38 AM, "Stas Sergeev" <stsp@list.ru> wrote: > > 03.05.2016 20:31, Andy Lutomirski пишет: > >> If a signal stack is set up with SS_AUTODISARM, then the kernel >> inherently avoids incorrectly resetting the signal stack if signals >> recurse: the signal stack will be reset on the first signal >> delivery. This means that we don't need check the stack pointer >> when delivering signals if SS_AUTODISARM is set. >> >> This will make segmented x86 programs more robust: currently there's >> a hole that could be triggered if ESP/RSP appears to point to the >> signal stack but actually doesn't due to a nonzero SS base. >> >> Signed-off-by: Stas Sergeev <stsp@list.ru> >> Cc: Al Viro <viro@zeniv.linux.org.uk> >> Cc: Aleksa Sarai <cyphar@cyphar.com> >> Cc: Amanieu d'Antras <amanieu@gmail.com> >> Cc: Andrea Arcangeli <aarcange@redhat.com> >> Cc: Andrew Morton <akpm@linux-foundation.org> >> Cc: Andy Lutomirski <luto@amacapital.net> >> Cc: Borislav Petkov <bp@alien8.de> >> Cc: Brian Gerst <brgerst@gmail.com> >> Cc: Denys Vlasenko <dvlasenk@redhat.com> >> Cc: Eric W. Biederman <ebiederm@xmission.com> >> Cc: Frederic Weisbecker <fweisbec@gmail.com> >> Cc: H. Peter Anvin <hpa@zytor.com> >> Cc: Heinrich Schuchardt <xypron.glpk@gmx.de> >> Cc: Jason Low <jason.low2@hp.com> >> Cc: Josh Triplett <josh@joshtriplett.org> >> Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> >> Cc: Linus Torvalds <torvalds@linux-foundation.org> >> Cc: Oleg Nesterov <oleg@redhat.com> >> Cc: Palmer Dabbelt <palmer@dabbelt.com> >> Cc: Paul Moore <pmoore@redhat.com> >> Cc: Pavel Emelyanov <xemul@parallels.com> >> Cc: Peter Zijlstra <peterz@infradead.org> >> Cc: Richard Weinberger <richard@nod.at> >> Cc: Sasha Levin <sasha.levin@oracle.com> >> Cc: Shuah Khan <shuahkh@osg.samsung.com> >> Cc: Tejun Heo <tj@kernel.org> >> Cc: Thomas Gleixner <tglx@linutronix.de> >> Cc: Vladimir Davydov <vdavydov@parallels.com> >> Cc: linux-api@vger.kernel.org >> Cc: linux-kernel@vger.kernel.org >> Signed-off-by: Andy Lutomirski <luto@kernel.org> >> --- >> include/linux/sched.h | 12 ++++++++++++ >> 1 file changed, 12 insertions(+) >> >> diff --git a/include/linux/sched.h b/include/linux/sched.h >> index 2950c5cd3005..8f03a93348b9 100644 >> --- a/include/linux/sched.h >> +++ b/include/linux/sched.h >> @@ -2576,6 +2576,18 @@ static inline int kill_cad_pid(int sig, int priv) >> */ >> static inline int on_sig_stack(unsigned long sp) >> { >> + /* >> + * If the signal stack is AUTODISARM then, by construction, we >> + * can't be on the signal stack unless user code deliberately set >> + * SS_AUTODISARM when we were already on the it. > > "on the it" -> "on it". > > Anyway, I am a bit puzzled with this patch. > You say "unless user code deliberately set > > SS_AUTODISARM when we were already on the it" > so what happens in case it actually does? > Stack corruption. Don't do that. > Without your patch: if user sets up the same sas - no stack switch. > if user sets up different sas - stack switch on nested signal. > > With your patch: stack switch in any case, so if user > set up same sas - stack corruption by nested signal. > > Or am I missing the intention? The intention is to make everything completely explicit. With SS_AUTODISARM, the kernel knows directly whether you're on the signal stack, and there should be no need to look at sp. If you set SS_AUTODISARM and get a signal, the signal stack gets disarmed. If you take a nested signal, it's delivered normally. When you return all the way out, the signal stack is re-armed. For DOSEMU, this means that no 16-bit register state can possibly cause a signal to be delivered wrong, because the register state when a signal is raised won't affect delivery, which seems like a good thing to me. If this behavior would be problematic for you, can you explain why? ^ permalink raw reply [flat|nested] 16+ messages in thread
[parent not found: <CALCETrX4AMCUkYMXe6-RoHTHQ=bpunM5keHSxMg=fEVtb1EmqA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>]
* Re: [PATCH 1/4] signals/sigaltstack: If SS_AUTODISARM, bypass on_sig_stack [not found] ` <CALCETrX4AMCUkYMXe6-RoHTHQ=bpunM5keHSxMg=fEVtb1EmqA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> @ 2016-05-09 2:04 ` Stas Sergeev [not found] ` <97f8e27a-019c-a5d4-2d2c-c2a9627cf23d-cmBhpYW9OiY@public.gmane.org> 0 siblings, 1 reply; 16+ messages in thread From: Stas Sergeev @ 2016-05-09 2:04 UTC (permalink / raw) To: Andy Lutomirski Cc: Thomas Gleixner, Shuah Khan, Pavel Emelyanov, Andrew Morton, Jason Low, Eric W. Biederman, Josh Triplett, Aleksa Sarai, Paul Moore, X86 ML, Sasha Levin, Denys Vlasenko, Al Viro, Amanieu d'Antras, Borislav Petkov, Konstantin Khlebnikov, Heinrich Schuchardt, Tejun Heo, Brian Gerst, Linux API, Linus Torvalds, Palmer Dabbelt, Frederic Weisbecker, Andrea 09.05.2016 04:32, Andy Lutomirski пишет: > On May 7, 2016 7:38 AM, "Stas Sergeev" <stsp-cmBhpYW9OiY@public.gmane.org> wrote: >> 03.05.2016 20:31, Andy Lutomirski пишет: >> >>> If a signal stack is set up with SS_AUTODISARM, then the kernel >>> inherently avoids incorrectly resetting the signal stack if signals >>> recurse: the signal stack will be reset on the first signal >>> delivery. This means that we don't need check the stack pointer >>> when delivering signals if SS_AUTODISARM is set. >>> >>> This will make segmented x86 programs more robust: currently there's >>> a hole that could be triggered if ESP/RSP appears to point to the >>> signal stack but actually doesn't due to a nonzero SS base. >>> >>> Signed-off-by: Stas Sergeev <stsp-cmBhpYW9OiY@public.gmane.org> >>> Cc: Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org> >>> Cc: Aleksa Sarai <cyphar-gVpy/LI/lHzQT0dZR+AlfA@public.gmane.org> >>> Cc: Amanieu d'Antras <amanieu-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> >>> Cc: Andrea Arcangeli <aarcange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> >>> Cc: Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> >>> Cc: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> >>> Cc: Borislav Petkov <bp-Gina5bIWoIWzQB+pC5nmwQ@public.gmane.org> >>> Cc: Brian Gerst <brgerst-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> >>> Cc: Denys Vlasenko <dvlasenk-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> >>> Cc: Eric W. Biederman <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> >>> Cc: Frederic Weisbecker <fweisbec-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> >>> Cc: H. Peter Anvin <hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org> >>> Cc: Heinrich Schuchardt <xypron.glpk-Mmb7MZpHnFY@public.gmane.org> >>> Cc: Jason Low <jason.low2-VXdhtT5mjnY@public.gmane.org> >>> Cc: Josh Triplett <josh-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org> >>> Cc: Konstantin Khlebnikov <khlebnikov-XoJtRXgx1JseBXzfvpsJ4g@public.gmane.org> >>> Cc: Linus Torvalds <torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> >>> Cc: Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> >>> Cc: Palmer Dabbelt <palmer-96lFi9zoCfxBDgjK7y7TUQ@public.gmane.org> >>> Cc: Paul Moore <pmoore-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> >>> Cc: Pavel Emelyanov <xemul-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org> >>> Cc: Peter Zijlstra <peterz-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> >>> Cc: Richard Weinberger <richard-/L3Ra7n9ekc@public.gmane.org> >>> Cc: Sasha Levin <sasha.levin-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org> >>> Cc: Shuah Khan <shuahkh-JPH+aEBZ4P+UEJcrhfAQsw@public.gmane.org> >>> Cc: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> >>> Cc: Thomas Gleixner <tglx-hfZtesqFncYOwBW4kG4KsQ@public.gmane.org> >>> Cc: Vladimir Davydov <vdavydov-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org> >>> Cc: linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org >>> Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org >>> Signed-off-by: Andy Lutomirski <luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> >>> --- >>> include/linux/sched.h | 12 ++++++++++++ >>> 1 file changed, 12 insertions(+) >>> >>> diff --git a/include/linux/sched.h b/include/linux/sched.h >>> index 2950c5cd3005..8f03a93348b9 100644 >>> --- a/include/linux/sched.h >>> +++ b/include/linux/sched.h >>> @@ -2576,6 +2576,18 @@ static inline int kill_cad_pid(int sig, int priv) >>> */ >>> static inline int on_sig_stack(unsigned long sp) >>> { >>> + /* >>> + * If the signal stack is AUTODISARM then, by construction, we >>> + * can't be on the signal stack unless user code deliberately set >>> + * SS_AUTODISARM when we were already on the it. >> "on the it" -> "on it". >> >> Anyway, I am a bit puzzled with this patch. >> You say "unless user code deliberately set >> >> SS_AUTODISARM when we were already on the it" >> so what happens in case it actually does? >> > Stack corruption. Don't do that. Only after your change, I have to admit. :) >> Without your patch: if user sets up the same sas - no stack switch. >> if user sets up different sas - stack switch on nested signal. >> >> With your patch: stack switch in any case, so if user >> set up same sas - stack corruption by nested signal. >> >> Or am I missing the intention? > The intention is to make everything completely explicit. With > SS_AUTODISARM, the kernel knows directly whether you're on the signal > stack, and there should be no need to look at sp. If you set > SS_AUTODISARM and get a signal, the signal stack gets disarmed. If > you take a nested signal, it's delivered normally. When you return > all the way out, the signal stack is re-armed. > > For DOSEMU, this means that no 16-bit register state can possibly > cause a signal to be delivered wrong, because the register state when > a signal is raised won't affect delivery, which seems like a good > thing to me. Yes, but doesn't affect dosemu1 which doesn't use SS_AUTODISARM. So IMHO the SS check should still be added, even if not for dosemu2. > If this behavior would be problematic for you, can you explain why? Only theoretically: if someone sets SS_AUTODISARM inside a sighandler. Since this doesn't give EPERM, I wouldn't deliberately make it a broken scenario (esp if it wasn't before the particular change). Ideally it would give EPERM, but we can't, so doesn't matter much. I just wanted to warn about the possible regression. ^ permalink raw reply [flat|nested] 16+ messages in thread
[parent not found: <97f8e27a-019c-a5d4-2d2c-c2a9627cf23d-cmBhpYW9OiY@public.gmane.org>]
* Re: [PATCH 1/4] signals/sigaltstack: If SS_AUTODISARM, bypass on_sig_stack [not found] ` <97f8e27a-019c-a5d4-2d2c-c2a9627cf23d-cmBhpYW9OiY@public.gmane.org> @ 2016-05-14 4:18 ` Andy Lutomirski [not found] ` <CALCETrV+gmXn-kTJmKBDPM8HaRTcvp+eGmeF7mOES6bCje2AGQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 0 siblings, 1 reply; 16+ messages in thread From: Andy Lutomirski @ 2016-05-14 4:18 UTC (permalink / raw) To: Stas Sergeev Cc: Thomas Gleixner, Pavel Emelyanov, Shuah Khan, X86 ML, Andrew Morton, Linux API, Jason Low, Eric W. Biederman, Aleksa Sarai, Josh Triplett, linux-kernel-u79uwXL29TY76Z2rM5mHXA, Paul Moore, Sasha Levin, Denys Vlasenko, Al Viro, Borislav Petkov, Amanieu d'Antras, Konstantin Khlebnikov, Heinrich Schuchardt, Brian Gerst, Tejun Heo, Linus Torvalds, Andrea Arcangeli On May 8, 2016 7:05 PM, "Stas Sergeev" <stsp-cmBhpYW9OiY@public.gmane.org> wrote: > > 09.05.2016 04:32, Andy Lutomirski пишет: > >> On May 7, 2016 7:38 AM, "Stas Sergeev" <stsp-cmBhpYW9OiY@public.gmane.org> wrote: >>> >>> 03.05.2016 20:31, Andy Lutomirski пишет: >>> >>>> If a signal stack is set up with SS_AUTODISARM, then the kernel >>>> inherently avoids incorrectly resetting the signal stack if signals >>>> recurse: the signal stack will be reset on the first signal >>>> delivery. This means that we don't need check the stack pointer >>>> when delivering signals if SS_AUTODISARM is set. >>>> >>>> This will make segmented x86 programs more robust: currently there's >>>> a hole that could be triggered if ESP/RSP appears to point to the >>>> signal stack but actually doesn't due to a nonzero SS base. >>>> >>>> Signed-off-by: Stas Sergeev <stsp-cmBhpYW9OiY@public.gmane.org> >>>> Cc: Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org> >>>> Cc: Aleksa Sarai <cyphar-gVpy/LI/lHzQT0dZR+AlfA@public.gmane.org> >>>> Cc: Amanieu d'Antras <amanieu-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> >>>> Cc: Andrea Arcangeli <aarcange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> >>>> Cc: Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> >>>> Cc: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> >>>> Cc: Borislav Petkov <bp-Gina5bIWoIWzQB+pC5nmwQ@public.gmane.org> >>>> Cc: Brian Gerst <brgerst-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> >>>> Cc: Denys Vlasenko <dvlasenk-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> >>>> Cc: Eric W. Biederman <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> >>>> Cc: Frederic Weisbecker <fweisbec-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> >>>> Cc: H. Peter Anvin <hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org> >>>> Cc: Heinrich Schuchardt <xypron.glpk-Mmb7MZpHnFY@public.gmane.org> >>>> Cc: Jason Low <jason.low2-VXdhtT5mjnY@public.gmane.org> >>>> Cc: Josh Triplett <josh-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org> >>>> Cc: Konstantin Khlebnikov <khlebnikov-XoJtRXgx1JseBXzfvpsJ4g@public.gmane.org> >>>> Cc: Linus Torvalds <torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> >>>> Cc: Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> >>>> Cc: Palmer Dabbelt <palmer-96lFi9zoCfxBDgjK7y7TUQ@public.gmane.org> >>>> Cc: Paul Moore <pmoore-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> >>>> Cc: Pavel Emelyanov <xemul-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org> >>>> Cc: Peter Zijlstra <peterz-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> >>>> Cc: Richard Weinberger <richard-/L3Ra7n9ekc@public.gmane.org> >>>> Cc: Sasha Levin <sasha.levin-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org> >>>> Cc: Shuah Khan <shuahkh-JPH+aEBZ4P+UEJcrhfAQsw@public.gmane.org> >>>> Cc: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> >>>> Cc: Thomas Gleixner <tglx-hfZtesqFncYOwBW4kG4KsQ@public.gmane.org> >>>> Cc: Vladimir Davydov <vdavydov-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org> >>>> Cc: linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org >>>> Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org >>>> Signed-off-by: Andy Lutomirski <luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> >>>> --- >>>> include/linux/sched.h | 12 ++++++++++++ >>>> 1 file changed, 12 insertions(+) >>>> >>>> diff --git a/include/linux/sched.h b/include/linux/sched.h >>>> index 2950c5cd3005..8f03a93348b9 100644 >>>> --- a/include/linux/sched.h >>>> +++ b/include/linux/sched.h >>>> @@ -2576,6 +2576,18 @@ static inline int kill_cad_pid(int sig, int priv) >>>> */ >>>> static inline int on_sig_stack(unsigned long sp) >>>> { >>>> + /* >>>> + * If the signal stack is AUTODISARM then, by construction, we >>>> + * can't be on the signal stack unless user code deliberately set >>>> + * SS_AUTODISARM when we were already on the it. >>> >>> "on the it" -> "on it". >>> >>> Anyway, I am a bit puzzled with this patch. >>> You say "unless user code deliberately set >>> >>> SS_AUTODISARM when we were already on the it" >>> so what happens in case it actually does? >>> >> Stack corruption. Don't do that. > > Only after your change, I have to admit. :) > > >>> Without your patch: if user sets up the same sas - no stack switch. >>> if user sets up different sas - stack switch on nested signal. >>> >>> With your patch: stack switch in any case, so if user >>> set up same sas - stack corruption by nested signal. >>> >>> Or am I missing the intention? >> >> The intention is to make everything completely explicit. With >> SS_AUTODISARM, the kernel knows directly whether you're on the signal >> stack, and there should be no need to look at sp. If you set >> SS_AUTODISARM and get a signal, the signal stack gets disarmed. If >> you take a nested signal, it's delivered normally. When you return >> all the way out, the signal stack is re-armed. >> >> For DOSEMU, this means that no 16-bit register state can possibly >> cause a signal to be delivered wrong, because the register state when >> a signal is raised won't affect delivery, which seems like a good >> thing to me. > > Yes, but doesn't affect dosemu1 which doesn't use SS_AUTODISARM. > So IMHO the SS check should still be added, even if not for dosemu2. > > >> If this behavior would be problematic for you, can you explain why? > > Only theoretically: if someone sets SS_AUTODISARM inside a > sighandler. Since this doesn't give EPERM, I wouldn't deliberately > make it a broken scenario (esp if it wasn't before the particular change). > Ideally it would give EPERM, but we can't, so doesn't matter much. > I just wanted to warn about the possible regression. I suppose we could return an error if you are on the sigstack when setting SS_AUTODISARM, although I was hoping to avoid yet more special cases. > -- > To unsubscribe from this list: send the line "unsubscribe linux-api" in > the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org > More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 16+ messages in thread
[parent not found: <CALCETrV+gmXn-kTJmKBDPM8HaRTcvp+eGmeF7mOES6bCje2AGQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>]
* Re: [PATCH 1/4] signals/sigaltstack: If SS_AUTODISARM, bypass on_sig_stack [not found] ` <CALCETrV+gmXn-kTJmKBDPM8HaRTcvp+eGmeF7mOES6bCje2AGQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> @ 2016-05-14 11:18 ` Stas Sergeev 2016-05-14 16:35 ` Andy Lutomirski 0 siblings, 1 reply; 16+ messages in thread From: Stas Sergeev @ 2016-05-14 11:18 UTC (permalink / raw) To: Andy Lutomirski Cc: Thomas Gleixner, Pavel Emelyanov, Shuah Khan, X86 ML, Andrew Morton, Linux API, Jason Low, Eric W. Biederman, Aleksa Sarai, Josh Triplett, linux-kernel-u79uwXL29TY76Z2rM5mHXA, Paul Moore, Sasha Levin, Denys Vlasenko, Al Viro, Borislav Petkov, Amanieu d'Antras, Konstantin Khlebnikov, Heinrich Schuchardt, Brian Gerst, Tejun Heo, Linus Torvalds, Andrea Arcangeli 14.05.2016 07:18, Andy Lutomirski пишет: > On May 8, 2016 7:05 PM, "Stas Sergeev" <stsp-cmBhpYW9OiY@public.gmane.org> wrote: >> 09.05.2016 04:32, Andy Lutomirski пишет: >> >>> On May 7, 2016 7:38 AM, "Stas Sergeev" <stsp-cmBhpYW9OiY@public.gmane.org> wrote: >>>> 03.05.2016 20:31, Andy Lutomirski пишет: >>>> >>>>> If a signal stack is set up with SS_AUTODISARM, then the kernel >>>>> inherently avoids incorrectly resetting the signal stack if signals >>>>> recurse: the signal stack will be reset on the first signal >>>>> delivery. This means that we don't need check the stack pointer >>>>> when delivering signals if SS_AUTODISARM is set. >>>>> >>>>> This will make segmented x86 programs more robust: currently there's >>>>> a hole that could be triggered if ESP/RSP appears to point to the >>>>> signal stack but actually doesn't due to a nonzero SS base. >>>>> >>>>> Signed-off-by: Stas Sergeev <stsp-cmBhpYW9OiY@public.gmane.org> >>>>> Cc: Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org> >>>>> Cc: Aleksa Sarai <cyphar-gVpy/LI/lHzQT0dZR+AlfA@public.gmane.org> >>>>> Cc: Amanieu d'Antras <amanieu-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> >>>>> Cc: Andrea Arcangeli <aarcange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> >>>>> Cc: Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> >>>>> Cc: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> >>>>> Cc: Borislav Petkov <bp-Gina5bIWoIWzQB+pC5nmwQ@public.gmane.org> >>>>> Cc: Brian Gerst <brgerst-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> >>>>> Cc: Denys Vlasenko <dvlasenk-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> >>>>> Cc: Eric W. Biederman <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> >>>>> Cc: Frederic Weisbecker <fweisbec-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> >>>>> Cc: H. Peter Anvin <hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org> >>>>> Cc: Heinrich Schuchardt <xypron.glpk-Mmb7MZpHnFY@public.gmane.org> >>>>> Cc: Jason Low <jason.low2-VXdhtT5mjnY@public.gmane.org> >>>>> Cc: Josh Triplett <josh-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org> >>>>> Cc: Konstantin Khlebnikov <khlebnikov-XoJtRXgx1JseBXzfvpsJ4g@public.gmane.org> >>>>> Cc: Linus Torvalds <torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> >>>>> Cc: Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> >>>>> Cc: Palmer Dabbelt <palmer-96lFi9zoCfxBDgjK7y7TUQ@public.gmane.org> >>>>> Cc: Paul Moore <pmoore-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> >>>>> Cc: Pavel Emelyanov <xemul-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org> >>>>> Cc: Peter Zijlstra <peterz-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> >>>>> Cc: Richard Weinberger <richard-/L3Ra7n9ekc@public.gmane.org> >>>>> Cc: Sasha Levin <sasha.levin-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org> >>>>> Cc: Shuah Khan <shuahkh-JPH+aEBZ4P+UEJcrhfAQsw@public.gmane.org> >>>>> Cc: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> >>>>> Cc: Thomas Gleixner <tglx-hfZtesqFncYOwBW4kG4KsQ@public.gmane.org> >>>>> Cc: Vladimir Davydov <vdavydov-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org> >>>>> Cc: linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org >>>>> Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org >>>>> Signed-off-by: Andy Lutomirski <luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> >>>>> --- >>>>> include/linux/sched.h | 12 ++++++++++++ >>>>> 1 file changed, 12 insertions(+) >>>>> >>>>> diff --git a/include/linux/sched.h b/include/linux/sched.h >>>>> index 2950c5cd3005..8f03a93348b9 100644 >>>>> --- a/include/linux/sched.h >>>>> +++ b/include/linux/sched.h >>>>> @@ -2576,6 +2576,18 @@ static inline int kill_cad_pid(int sig, int priv) >>>>> */ >>>>> static inline int on_sig_stack(unsigned long sp) >>>>> { >>>>> + /* >>>>> + * If the signal stack is AUTODISARM then, by construction, we >>>>> + * can't be on the signal stack unless user code deliberately set >>>>> + * SS_AUTODISARM when we were already on the it. >>>> "on the it" -> "on it". >>>> >>>> Anyway, I am a bit puzzled with this patch. >>>> You say "unless user code deliberately set >>>> >>>> SS_AUTODISARM when we were already on the it" >>>> so what happens in case it actually does? >>>> >>> Stack corruption. Don't do that. >> Only after your change, I have to admit. :) >> >> >>>> Without your patch: if user sets up the same sas - no stack switch. >>>> if user sets up different sas - stack switch on nested signal. >>>> >>>> With your patch: stack switch in any case, so if user >>>> set up same sas - stack corruption by nested signal. >>>> >>>> Or am I missing the intention? >>> The intention is to make everything completely explicit. With >>> SS_AUTODISARM, the kernel knows directly whether you're on the signal >>> stack, and there should be no need to look at sp. If you set >>> SS_AUTODISARM and get a signal, the signal stack gets disarmed. If >>> you take a nested signal, it's delivered normally. When you return >>> all the way out, the signal stack is re-armed. >>> >>> For DOSEMU, this means that no 16-bit register state can possibly >>> cause a signal to be delivered wrong, because the register state when >>> a signal is raised won't affect delivery, which seems like a good >>> thing to me. >> Yes, but doesn't affect dosemu1 which doesn't use SS_AUTODISARM. >> So IMHO the SS check should still be added, even if not for dosemu2. >> >> >>> If this behavior would be problematic for you, can you explain why? >> Only theoretically: if someone sets SS_AUTODISARM inside a >> sighandler. Since this doesn't give EPERM, I wouldn't deliberately >> make it a broken scenario (esp if it wasn't before the particular change). >> Ideally it would give EPERM, but we can't, so doesn't matter much. >> I just wanted to warn about the possible regression. > I suppose we could return an error if you are on the sigstack when > setting SS_AUTODISARM, although I was hoping to avoid yet more special > cases. Hmm. How about extending the generic check then? Currently it is roughly: if (on_sig_stack(sp)) return -EPERM; and we could do: if (on_sig_stack(sp) || on_new_sas(new_sas, sp)) return -EPERM; Looks like it will close the potential hole opened by your commit without introducing the special case for SS_AUTODISARM. What do you think? ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [PATCH 1/4] signals/sigaltstack: If SS_AUTODISARM, bypass on_sig_stack 2016-05-14 11:18 ` Stas Sergeev @ 2016-05-14 16:35 ` Andy Lutomirski 0 siblings, 0 replies; 16+ messages in thread From: Andy Lutomirski @ 2016-05-14 16:35 UTC (permalink / raw) To: Stas Sergeev Cc: Thomas Gleixner, Shuah Khan, Pavel Emelyanov, X86 ML, Andrew Morton, Linux API, Jason Low, Eric W. Biederman, Josh Triplett, Aleksa Sarai, Paul Moore, linux-kernel, Sasha Levin, Denys Vlasenko, Al Viro, Amanieu d'Antras, Borislav Petkov, Konstantin Khlebnikov, Heinrich Schuchardt, Tejun Heo, Brian Gerst, Linus Torvalds, Palmer Dabbelt On May 14, 2016 4:18 AM, "Stas Sergeev" <stsp@list.ru> wrote: > > 14.05.2016 07:18, Andy Lutomirski пишет: > >> On May 8, 2016 7:05 PM, "Stas Sergeev" <stsp@list.ru> wrote: >>> >>> 09.05.2016 04:32, Andy Lutomirski пишет: >>> >>>> On May 7, 2016 7:38 AM, "Stas Sergeev" <stsp@list.ru> wrote: >>>>> >>>>> 03.05.2016 20:31, Andy Lutomirski пишет: >>>>> >>>>>> If a signal stack is set up with SS_AUTODISARM, then the kernel >>>>>> inherently avoids incorrectly resetting the signal stack if signals >>>>>> recurse: the signal stack will be reset on the first signal >>>>>> delivery. This means that we don't need check the stack pointer >>>>>> when delivering signals if SS_AUTODISARM is set. >>>>>> >>>>>> This will make segmented x86 programs more robust: currently there's >>>>>> a hole that could be triggered if ESP/RSP appears to point to the >>>>>> signal stack but actually doesn't due to a nonzero SS base. >>>>>> >>>>>> Signed-off-by: Stas Sergeev <stsp@list.ru> >>>>>> Cc: Al Viro <viro@zeniv.linux.org.uk> >>>>>> Cc: Aleksa Sarai <cyphar@cyphar.com> >>>>>> Cc: Amanieu d'Antras <amanieu@gmail.com> >>>>>> Cc: Andrea Arcangeli <aarcange@redhat.com> >>>>>> Cc: Andrew Morton <akpm@linux-foundation.org> >>>>>> Cc: Andy Lutomirski <luto@amacapital.net> >>>>>> Cc: Borislav Petkov <bp@alien8.de> >>>>>> Cc: Brian Gerst <brgerst@gmail.com> >>>>>> Cc: Denys Vlasenko <dvlasenk@redhat.com> >>>>>> Cc: Eric W. Biederman <ebiederm@xmission.com> >>>>>> Cc: Frederic Weisbecker <fweisbec@gmail.com> >>>>>> Cc: H. Peter Anvin <hpa@zytor.com> >>>>>> Cc: Heinrich Schuchardt <xypron.glpk@gmx.de> >>>>>> Cc: Jason Low <jason.low2@hp.com> >>>>>> Cc: Josh Triplett <josh@joshtriplett.org> >>>>>> Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> >>>>>> Cc: Linus Torvalds <torvalds@linux-foundation.org> >>>>>> Cc: Oleg Nesterov <oleg@redhat.com> >>>>>> Cc: Palmer Dabbelt <palmer@dabbelt.com> >>>>>> Cc: Paul Moore <pmoore@redhat.com> >>>>>> Cc: Pavel Emelyanov <xemul@parallels.com> >>>>>> Cc: Peter Zijlstra <peterz@infradead.org> >>>>>> Cc: Richard Weinberger <richard@nod.at> >>>>>> Cc: Sasha Levin <sasha.levin@oracle.com> >>>>>> Cc: Shuah Khan <shuahkh@osg.samsung.com> >>>>>> Cc: Tejun Heo <tj@kernel.org> >>>>>> Cc: Thomas Gleixner <tglx@linutronix.de> >>>>>> Cc: Vladimir Davydov <vdavydov@parallels.com> >>>>>> Cc: linux-api@vger.kernel.org >>>>>> Cc: linux-kernel@vger.kernel.org >>>>>> Signed-off-by: Andy Lutomirski <luto@kernel.org> >>>>>> --- >>>>>> include/linux/sched.h | 12 ++++++++++++ >>>>>> 1 file changed, 12 insertions(+) >>>>>> >>>>>> diff --git a/include/linux/sched.h b/include/linux/sched.h >>>>>> index 2950c5cd3005..8f03a93348b9 100644 >>>>>> --- a/include/linux/sched.h >>>>>> +++ b/include/linux/sched.h >>>>>> @@ -2576,6 +2576,18 @@ static inline int kill_cad_pid(int sig, int priv) >>>>>> */ >>>>>> static inline int on_sig_stack(unsigned long sp) >>>>>> { >>>>>> + /* >>>>>> + * If the signal stack is AUTODISARM then, by construction, we >>>>>> + * can't be on the signal stack unless user code deliberately set >>>>>> + * SS_AUTODISARM when we were already on the it. >>>>> >>>>> "on the it" -> "on it". >>>>> >>>>> Anyway, I am a bit puzzled with this patch. >>>>> You say "unless user code deliberately set >>>>> >>>>> SS_AUTODISARM when we were already on the it" >>>>> so what happens in case it actually does? >>>>> >>>> Stack corruption. Don't do that. >>> >>> Only after your change, I have to admit. :) >>> >>> >>>>> Without your patch: if user sets up the same sas - no stack switch. >>>>> if user sets up different sas - stack switch on nested signal. >>>>> >>>>> With your patch: stack switch in any case, so if user >>>>> set up same sas - stack corruption by nested signal. >>>>> >>>>> Or am I missing the intention? >>>> >>>> The intention is to make everything completely explicit. With >>>> SS_AUTODISARM, the kernel knows directly whether you're on the signal >>>> stack, and there should be no need to look at sp. If you set >>>> SS_AUTODISARM and get a signal, the signal stack gets disarmed. If >>>> you take a nested signal, it's delivered normally. When you return >>>> all the way out, the signal stack is re-armed. >>>> >>>> For DOSEMU, this means that no 16-bit register state can possibly >>>> cause a signal to be delivered wrong, because the register state when >>>> a signal is raised won't affect delivery, which seems like a good >>>> thing to me. >>> >>> Yes, but doesn't affect dosemu1 which doesn't use SS_AUTODISARM. >>> So IMHO the SS check should still be added, even if not for dosemu2. >>> >>> >>>> If this behavior would be problematic for you, can you explain why? >>> >>> Only theoretically: if someone sets SS_AUTODISARM inside a >>> sighandler. Since this doesn't give EPERM, I wouldn't deliberately >>> make it a broken scenario (esp if it wasn't before the particular change). >>> Ideally it would give EPERM, but we can't, so doesn't matter much. >>> I just wanted to warn about the possible regression. >> >> I suppose we could return an error if you are on the sigstack when >> setting SS_AUTODISARM, although I was hoping to avoid yet more special >> cases. > > Hmm. > How about extending the generic check then? > Currently it is roughly: > if (on_sig_stack(sp)) return -EPERM; > > and we could do: > if (on_sig_stack(sp) || on_new_sas(new_sas, sp)) return -EPERM; > > Looks like it will close the potential hole opened by your commit > without introducing the special case for SS_AUTODISARM. > What do you think? > It's still a wee bit ugly. Also, doesn't that change existing behavior for the existing non-AUTODISARM case? Also, we'd have to make sure that sigreturn doesn't trigger this check. My inclination would be leave it alone. ^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH 2/4] selftests/sigaltstack: Fix the sas test on old kernels [not found] <cover.1462296606.git.luto@kernel.org> 2016-05-03 17:31 ` [PATCH 1/4] signals/sigaltstack: If SS_AUTODISARM, bypass on_sig_stack Andy Lutomirski @ 2016-05-03 17:31 ` Andy Lutomirski [not found] ` <f3e739bf435beeaecbd5f038f1359d2eac6d1e63.1462296606.git.luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> 2016-05-03 17:31 ` [PATCH 3/4] signals/sigaltstack: Report current flag bits in sigaltstack() Andy Lutomirski 2016-05-03 17:31 ` [PATCH 4/4] signals/sigaltstack: Change SS_AUTODISARM to (1U << 31) Andy Lutomirski 3 siblings, 1 reply; 16+ messages in thread From: Andy Lutomirski @ 2016-05-03 17:31 UTC (permalink / raw) To: x86 Cc: linux-kernel, Borislav Petkov, Andy Lutomirski, Stas Sergeev, Al Viro, Andrew Morton, Andy Lutomirski, Brian Gerst, Denys Vlasenko, H. Peter Anvin, Linus Torvalds, Oleg Nesterov, Pavel Emelyanov, Peter Zijlstra, Shuah Khan, Thomas Gleixner, linux-api The handling for old kernels was wrong. Fix it. Reported-by: Ingo Molnar <mingo@kernel.org> Cc: Stas Sergeev <stsp@list.ru> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Borislav Petkov <bp@alien8.de> Cc: Brian Gerst <brgerst@gmail.com> Cc: Denys Vlasenko <dvlasenk@redhat.com> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Pavel Emelyanov <xemul@parallels.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Shuah Khan <shuahkh@osg.samsung.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: linux-api@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Andy Lutomirski <luto@kernel.org> --- tools/testing/selftests/sigaltstack/sas.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/tools/testing/selftests/sigaltstack/sas.c b/tools/testing/selftests/sigaltstack/sas.c index 57da8bfde60b..a98c3ef8141f 100644 --- a/tools/testing/selftests/sigaltstack/sas.c +++ b/tools/testing/selftests/sigaltstack/sas.c @@ -15,6 +15,7 @@ #include <alloca.h> #include <string.h> #include <assert.h> +#include <errno.h> #ifndef SS_AUTODISARM #define SS_AUTODISARM (1 << 4) @@ -117,13 +118,19 @@ int main(void) stk.ss_flags = SS_ONSTACK | SS_AUTODISARM; err = sigaltstack(&stk, NULL); if (err) { - perror("[FAIL]\tsigaltstack(SS_ONSTACK | SS_AUTODISARM)"); - stk.ss_flags = SS_ONSTACK; - } - err = sigaltstack(&stk, NULL); - if (err) { - perror("[FAIL]\tsigaltstack(SS_ONSTACK)"); - return EXIT_FAILURE; + if (errno == EINVAL) { + printf("[NOTE]\tThe running kernel doesn't support SS_AUTODISARM\n"); + /* + * If test cases for the !SS_AUTODISARM variant were + * added, we could still run them. We don't have any + * test cases like that yet, so just exit and report + * success. + */ + return 0; + } else { + perror("[FAIL]\tsigaltstack(SS_ONSTACK | SS_AUTODISARM)"); + return EXIT_FAILURE; + } } ustack = mmap(NULL, SIGSTKSZ, PROT_READ | PROT_WRITE, -- 2.5.5 ^ permalink raw reply related [flat|nested] 16+ messages in thread
[parent not found: <f3e739bf435beeaecbd5f038f1359d2eac6d1e63.1462296606.git.luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>]
* Re: [PATCH 2/4] selftests/sigaltstack: Fix the sas test on old kernels [not found] ` <f3e739bf435beeaecbd5f038f1359d2eac6d1e63.1462296606.git.luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> @ 2016-05-07 15:02 ` Stas Sergeev [not found] ` <abedee05-5671-7ba7-c256-41e61fb596cb-cmBhpYW9OiY@public.gmane.org> 0 siblings, 1 reply; 16+ messages in thread From: Stas Sergeev @ 2016-05-07 15:02 UTC (permalink / raw) To: Andy Lutomirski, x86-DgEjT+Ai2ygdnm+yROfE0A Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA, Borislav Petkov, Al Viro, Andrew Morton, Andy Lutomirski, Brian Gerst, Denys Vlasenko, H. Peter Anvin, Linus Torvalds, Oleg Nesterov, Pavel Emelyanov, Peter Zijlstra, Shuah Khan, Thomas Gleixner, linux-api-u79uwXL29TY76Z2rM5mHXA 03.05.2016 20:31, Andy Lutomirski пишет: > The handling for old kernels was wrong. Fix it. > > Reported-by: Ingo Molnar <mingo-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> > Cc: Stas Sergeev <stsp-cmBhpYW9OiY@public.gmane.org> > Cc: Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org> > Cc: Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> > Cc: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> > Cc: Borislav Petkov <bp-Gina5bIWoIWzQB+pC5nmwQ@public.gmane.org> > Cc: Brian Gerst <brgerst-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> > Cc: Denys Vlasenko <dvlasenk-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> > Cc: H. Peter Anvin <hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org> > Cc: Linus Torvalds <torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> > Cc: Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> > Cc: Pavel Emelyanov <xemul-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org> > Cc: Peter Zijlstra <peterz-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> > Cc: Shuah Khan <shuahkh-JPH+aEBZ4P+UEJcrhfAQsw@public.gmane.org> > Cc: Thomas Gleixner <tglx-hfZtesqFncYOwBW4kG4KsQ@public.gmane.org> > Cc: linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org > Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org > Signed-off-by: Andy Lutomirski <luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> > --- > tools/testing/selftests/sigaltstack/sas.c | 21 ++++++++++++++------- > 1 file changed, 14 insertions(+), 7 deletions(-) > > diff --git a/tools/testing/selftests/sigaltstack/sas.c b/tools/testing/selftests/sigaltstack/sas.c > index 57da8bfde60b..a98c3ef8141f 100644 > --- a/tools/testing/selftests/sigaltstack/sas.c > +++ b/tools/testing/selftests/sigaltstack/sas.c > @@ -15,6 +15,7 @@ > #include <alloca.h> > #include <string.h> > #include <assert.h> > +#include <errno.h> > > #ifndef SS_AUTODISARM > #define SS_AUTODISARM (1 << 4) > @@ -117,13 +118,19 @@ int main(void) > stk.ss_flags = SS_ONSTACK | SS_AUTODISARM; > err = sigaltstack(&stk, NULL); > if (err) { > - perror("[FAIL]\tsigaltstack(SS_ONSTACK | SS_AUTODISARM)"); > - stk.ss_flags = SS_ONSTACK; > - } > - err = sigaltstack(&stk, NULL); > - if (err) { > - perror("[FAIL]\tsigaltstack(SS_ONSTACK)"); > - return EXIT_FAILURE; > + if (errno == EINVAL) { > + printf("[NOTE]\tThe running kernel doesn't support SS_AUTODISARM\n"); > + /* > + * If test cases for the !SS_AUTODISARM variant were > + * added, we could still run them. We don't have any > + * test cases like that yet, so just exit and report > + * success. > + */ But that was the point, please see how it handles the old kernels: $ ./sas [FAIL] sigaltstack(SS_ONSTACK | SS_AUTODISARM): Invalid argument [RUN] signal USR1 [FAIL] ss_flags=1, should be SS_DISABLE [RUN] switched to user ctx [RUN] signal USR2 [FAIL] sigaltstack re-used [FAIL] Stack corrupted [RUN] Aborting Unfortunalely, for Ingo it crashed... I am not sure why, I can't reproduce. :( So if you disable all the "old" tests, you can as well remove them, or... find the bug and re-enable. :) ^ permalink raw reply [flat|nested] 16+ messages in thread
[parent not found: <abedee05-5671-7ba7-c256-41e61fb596cb-cmBhpYW9OiY@public.gmane.org>]
* Re: [PATCH 2/4] selftests/sigaltstack: Fix the sas test on old kernels [not found] ` <abedee05-5671-7ba7-c256-41e61fb596cb-cmBhpYW9OiY@public.gmane.org> @ 2016-05-09 1:32 ` Andy Lutomirski 0 siblings, 0 replies; 16+ messages in thread From: Andy Lutomirski @ 2016-05-09 1:32 UTC (permalink / raw) To: Stas Sergeev Cc: Thomas Gleixner, Denys Vlasenko, Shuah Khan, Pavel Emelyanov, Al Viro, Borislav Petkov, Andrew Morton, Brian Gerst, Linux API, Linus Torvalds, linux-kernel-u79uwXL29TY76Z2rM5mHXA, Oleg Nesterov, H. Peter Anvin, X86 ML, Peter Zijlstra On May 7, 2016 8:02 AM, "Stas Sergeev" <stsp-cmBhpYW9OiY@public.gmane.org> wrote: > > 03.05.2016 20:31, Andy Lutomirski пишет: > >> The handling for old kernels was wrong. Fix it. >> >> Reported-by: Ingo Molnar <mingo-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> >> Cc: Stas Sergeev <stsp-cmBhpYW9OiY@public.gmane.org> >> Cc: Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org> >> Cc: Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> >> Cc: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> >> Cc: Borislav Petkov <bp-Gina5bIWoIWzQB+pC5nmwQ@public.gmane.org> >> Cc: Brian Gerst <brgerst-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> >> Cc: Denys Vlasenko <dvlasenk-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> >> Cc: H. Peter Anvin <hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org> >> Cc: Linus Torvalds <torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> >> Cc: Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> >> Cc: Pavel Emelyanov <xemul-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org> >> Cc: Peter Zijlstra <peterz-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> >> Cc: Shuah Khan <shuahkh-JPH+aEBZ4P+UEJcrhfAQsw@public.gmane.org> >> Cc: Thomas Gleixner <tglx-hfZtesqFncYOwBW4kG4KsQ@public.gmane.org> >> Cc: linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org >> Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org >> Signed-off-by: Andy Lutomirski <luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> >> --- >> tools/testing/selftests/sigaltstack/sas.c | 21 ++++++++++++++------- >> 1 file changed, 14 insertions(+), 7 deletions(-) >> >> diff --git a/tools/testing/selftests/sigaltstack/sas.c b/tools/testing/selftests/sigaltstack/sas.c >> index 57da8bfde60b..a98c3ef8141f 100644 >> --- a/tools/testing/selftests/sigaltstack/sas.c >> +++ b/tools/testing/selftests/sigaltstack/sas.c >> @@ -15,6 +15,7 @@ >> #include <alloca.h> >> #include <string.h> >> #include <assert.h> >> +#include <errno.h> >> #ifndef SS_AUTODISARM >> #define SS_AUTODISARM (1 << 4) >> @@ -117,13 +118,19 @@ int main(void) >> stk.ss_flags = SS_ONSTACK | SS_AUTODISARM; >> err = sigaltstack(&stk, NULL); >> if (err) { >> - perror("[FAIL]\tsigaltstack(SS_ONSTACK | SS_AUTODISARM)"); >> - stk.ss_flags = SS_ONSTACK; >> - } >> - err = sigaltstack(&stk, NULL); >> - if (err) { >> - perror("[FAIL]\tsigaltstack(SS_ONSTACK)"); >> - return EXIT_FAILURE; >> + if (errno == EINVAL) { >> + printf("[NOTE]\tThe running kernel doesn't support SS_AUTODISARM\n"); >> + /* >> + * If test cases for the !SS_AUTODISARM variant were >> + * added, we could still run them. We don't have any >> + * test cases like that yet, so just exit and report >> + * success. >> + */ > > But that was the point, please see how it handles the > old kernels: > > $ ./sas > [FAIL] sigaltstack(SS_ONSTACK | SS_AUTODISARM): Invalid argument > [RUN] signal USR1 > [FAIL] ss_flags=1, should be SS_DISABLE > [RUN] switched to user ctx > [RUN] signal USR2 > [FAIL] sigaltstack re-used > [FAIL] Stack corrupted > [RUN] Aborting This is useful as a demonstration of why the feature is useful, but it doesn't indicate that anything is wrong with old kernels per she. That's why I changed it to simply report that the feature is missing. ^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH 3/4] signals/sigaltstack: Report current flag bits in sigaltstack() [not found] <cover.1462296606.git.luto@kernel.org> 2016-05-03 17:31 ` [PATCH 1/4] signals/sigaltstack: If SS_AUTODISARM, bypass on_sig_stack Andy Lutomirski 2016-05-03 17:31 ` [PATCH 2/4] selftests/sigaltstack: Fix the sas test on old kernels Andy Lutomirski @ 2016-05-03 17:31 ` Andy Lutomirski [not found] ` <94b291ec9fd47741a9264851e316e158ded0b00d.1462296606.git.luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> 2016-05-03 17:31 ` [PATCH 4/4] signals/sigaltstack: Change SS_AUTODISARM to (1U << 31) Andy Lutomirski 3 siblings, 1 reply; 16+ messages in thread From: Andy Lutomirski @ 2016-05-03 17:31 UTC (permalink / raw) To: x86 Cc: linux-kernel, Borislav Petkov, Andy Lutomirski, Stas Sergeev, Al Viro, Amanieu d'Antras, Andrew Morton, Andy Lutomirski, Brian Gerst, Denys Vlasenko, H. Peter Anvin, Linus Torvalds, Michal Hocko, Oleg Nesterov, Pavel Emelyanov, Peter Zijlstra (Intel), Richard Weinberger, Sasha Levin, Shuah Khan, Thomas Gleixner, Vladimir Davydov, linux-api sigaltstack()'s reported previous state uses a somewhat odd convention, but the concept of flag bits is new, and we can do the flag bits sensibly. Specifically, let's just report them directly. This will allow saving and restoring the sigaltstack state using sigaltstack() to work correctly. Signed-off-by: Stas Sergeev <stsp@list.ru> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Amanieu d'Antras <amanieu@gmail.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Borislav Petkov <bp@alien8.de> Cc: Brian Gerst <brgerst@gmail.com> Cc: Denys Vlasenko <dvlasenk@redhat.com> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Michal Hocko <mhocko@suse.com> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Pavel Emelyanov <xemul@parallels.com> Cc: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Richard Weinberger <richard@nod.at> Cc: Sasha Levin <sasha.levin@oracle.com> Cc: Shuah Khan <shuahkh@osg.samsung.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Vladimir Davydov <vdavydov@parallels.com> Cc: linux-api@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Andy Lutomirski <luto@kernel.org> --- kernel/signal.c | 3 ++- tools/testing/selftests/sigaltstack/sas.c | 19 ++++++++++++++++--- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/kernel/signal.c b/kernel/signal.c index bf97ea5775ae..ab122a2cee41 100644 --- a/kernel/signal.c +++ b/kernel/signal.c @@ -3099,7 +3099,8 @@ do_sigaltstack (const stack_t __user *uss, stack_t __user *uoss, unsigned long s oss.ss_sp = (void __user *) current->sas_ss_sp; oss.ss_size = current->sas_ss_size; - oss.ss_flags = sas_ss_flags(sp); + oss.ss_flags = sas_ss_flags(sp) | + (current->sas_ss_flags & SS_FLAG_BITS); if (uss) { void __user *ss_sp; diff --git a/tools/testing/selftests/sigaltstack/sas.c b/tools/testing/selftests/sigaltstack/sas.c index a98c3ef8141f..4280d0699792 100644 --- a/tools/testing/selftests/sigaltstack/sas.c +++ b/tools/testing/selftests/sigaltstack/sas.c @@ -113,6 +113,19 @@ int main(void) perror("mmap()"); return EXIT_FAILURE; } + + err = sigaltstack(NULL, &stk); + if (err) { + perror("[FAIL]\tsigaltstack()"); + exit(EXIT_FAILURE); + } + if (stk.ss_flags == SS_DISABLE) { + printf("[OK]\tInitial sigaltstack state was SS_DISABLE\n"); + } else { + printf("[FAIL]\tInitial sigaltstack state was %i; should have been SS_DISABLE\n", stk.ss_flags); + return EXIT_FAILURE; + } + stk.ss_sp = sstack; stk.ss_size = SIGSTKSZ; stk.ss_flags = SS_ONSTACK | SS_AUTODISARM; @@ -151,12 +164,12 @@ int main(void) perror("[FAIL]\tsigaltstack()"); exit(EXIT_FAILURE); } - if (stk.ss_flags != 0) { - printf("[FAIL]\tss_flags=%i, should be 0\n", + if (stk.ss_flags != SS_AUTODISARM) { + printf("[FAIL]\tss_flags=%i, should be SS_AUTODISARM\n", stk.ss_flags); exit(EXIT_FAILURE); } - printf("[OK]\tsigaltstack is enabled after signal\n"); + printf("[OK]\tsigaltstack is still SS_AUTODISARM after signal\n"); printf("[OK]\tTest passed\n"); return 0; -- 2.5.5 ^ permalink raw reply related [flat|nested] 16+ messages in thread
[parent not found: <94b291ec9fd47741a9264851e316e158ded0b00d.1462296606.git.luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>]
* Re: [PATCH 3/4] signals/sigaltstack: Report current flag bits in sigaltstack() [not found] ` <94b291ec9fd47741a9264851e316e158ded0b00d.1462296606.git.luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> @ 2016-05-04 6:33 ` Ingo Molnar 0 siblings, 0 replies; 16+ messages in thread From: Ingo Molnar @ 2016-05-04 6:33 UTC (permalink / raw) To: Andy Lutomirski Cc: x86-DgEjT+Ai2ygdnm+yROfE0A, linux-kernel-u79uwXL29TY76Z2rM5mHXA, Borislav Petkov, Stas Sergeev, Al Viro, Amanieu d'Antras, Andrew Morton, Andy Lutomirski, Brian Gerst, Denys Vlasenko, H. Peter Anvin, Linus Torvalds, Michal Hocko, Oleg Nesterov, Pavel Emelyanov, Peter Zijlstra (Intel), Richard Weinberger, Sasha Levin, Shuah Khan, Thomas Gleixner, Vladimir Davydov, linux-api-u79uwXL29TY76Z2rM5mHXA * Andy Lutomirski <luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote: > sigaltstack()'s reported previous state uses a somewhat odd > convention, but the concept of flag bits is new, and we can do the > flag bits sensibly. Specifically, let's just report them directly. > > This will allow saving and restoring the sigaltstack state using > sigaltstack() to work correctly. > > Signed-off-by: Stas Sergeev <stsp-cmBhpYW9OiY@public.gmane.org> This SOB seems stray as well, so I've removed it too. Thanks, Ingo ^ permalink raw reply [flat|nested] 16+ messages in thread
* [PATCH 4/4] signals/sigaltstack: Change SS_AUTODISARM to (1U << 31) [not found] <cover.1462296606.git.luto@kernel.org> ` (2 preceding siblings ...) 2016-05-03 17:31 ` [PATCH 3/4] signals/sigaltstack: Report current flag bits in sigaltstack() Andy Lutomirski @ 2016-05-03 17:31 ` Andy Lutomirski [not found] ` <bb996508a600af14b406810c3d58fe0e0d0afe0d.1462296606.git.luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> 3 siblings, 1 reply; 16+ messages in thread From: Andy Lutomirski @ 2016-05-03 17:31 UTC (permalink / raw) To: x86 Cc: linux-kernel, Borislav Petkov, Andy Lutomirski, Stas Sergeev, Al Viro, Aleksa Sarai, Amanieu d'Antras, Andrea Arcangeli, Andrew Morton, Andy Lutomirski, Brian Gerst, Denys Vlasenko, Eric W. Biederman, Frederic Weisbecker, H. Peter Anvin, Heinrich Schuchardt, Jason Low, Josh Triplett, Konstantin Khlebnikov, Linus Torvalds, Oleg Nesterov, Palmer Dabbelt, Paul Moore, Pavel Using bit 4 divides the space of available bits strangely. Use bit 31 instead so that we have a better chance of keeping flag and mode bits separate in the long run. Cc: Stas Sergeev <stsp@list.ru> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Aleksa Sarai <cyphar@cyphar.com> Cc: Amanieu d'Antras <amanieu@gmail.com> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Borislav Petkov <bp@alien8.de> Cc: Brian Gerst <brgerst@gmail.com> Cc: Denys Vlasenko <dvlasenk@redhat.com> Cc: Eric W. Biederman <ebiederm@xmission.com> Cc: Frederic Weisbecker <fweisbec@gmail.com> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Heinrich Schuchardt <xypron.glpk@gmx.de> Cc: Jason Low <jason.low2@hp.com> Cc: Josh Triplett <josh@joshtriplett.org> Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Palmer Dabbelt <palmer@dabbelt.com> Cc: Paul Moore <pmoore@redhat.com> Cc: Pavel Emelyanov <xemul@parallels.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Richard Weinberger <richard@nod.at> Cc: Sasha Levin <sasha.levin@oracle.com> Cc: Shuah Khan <shuahkh@osg.samsung.com> Cc: Tejun Heo <tj@kernel.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Vladimir Davydov <vdavydov@parallels.com> Cc: linux-api@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Andy Lutomirski <luto@kernel.org> --- include/uapi/linux/signal.h | 2 +- tools/testing/selftests/sigaltstack/sas.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/include/uapi/linux/signal.h b/include/uapi/linux/signal.h index 738826048af2..cd0804b6bfa2 100644 --- a/include/uapi/linux/signal.h +++ b/include/uapi/linux/signal.h @@ -8,7 +8,7 @@ #define SS_DISABLE 2 /* bit-flags */ -#define SS_AUTODISARM (1 << 4) /* disable sas during sighandling */ +#define SS_AUTODISARM (1U << 31) /* disable sas during sighandling */ /* mask for all SS_xxx flags */ #define SS_FLAG_BITS SS_AUTODISARM diff --git a/tools/testing/selftests/sigaltstack/sas.c b/tools/testing/selftests/sigaltstack/sas.c index 4280d0699792..1bb01258e559 100644 --- a/tools/testing/selftests/sigaltstack/sas.c +++ b/tools/testing/selftests/sigaltstack/sas.c @@ -18,7 +18,7 @@ #include <errno.h> #ifndef SS_AUTODISARM -#define SS_AUTODISARM (1 << 4) +#define SS_AUTODISARM (1U << 31) #endif static void *sstack, *ustack; -- 2.5.5 ^ permalink raw reply related [flat|nested] 16+ messages in thread
[parent not found: <bb996508a600af14b406810c3d58fe0e0d0afe0d.1462296606.git.luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>]
* Re: [PATCH 4/4] signals/sigaltstack: Change SS_AUTODISARM to (1U << 31) [not found] ` <bb996508a600af14b406810c3d58fe0e0d0afe0d.1462296606.git.luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> @ 2016-05-07 15:16 ` Stas Sergeev 0 siblings, 0 replies; 16+ messages in thread From: Stas Sergeev @ 2016-05-07 15:16 UTC (permalink / raw) To: Andy Lutomirski, x86-DgEjT+Ai2ygdnm+yROfE0A Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA, Borislav Petkov, Al Viro, Aleksa Sarai, Amanieu d'Antras, Andrea Arcangeli, Andrew Morton, Andy Lutomirski, Brian Gerst, Denys Vlasenko, Eric W. Biederman, Frederic Weisbecker, H. Peter Anvin, Heinrich Schuchardt, Jason Low, Josh Triplett, Konstantin Khlebnikov, Linus Torvalds, Oleg Nesterov, Palmer Dabbelt, Paul Moore, Pavel Emelyanov, Peter Zijlstra 03.05.2016 20:31, Andy Lutomirski пишет: > Using bit 4 divides the space of available bits strangely. Use bit > 31 instead so that we have a better chance of keeping flag and mode > bits separate in the long run. > > Cc: Stas Sergeev <stsp-cmBhpYW9OiY@public.gmane.org> > Cc: Al Viro <viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org> > Cc: Aleksa Sarai <cyphar-gVpy/LI/lHzQT0dZR+AlfA@public.gmane.org> > Cc: Amanieu d'Antras <amanieu-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> > Cc: Andrea Arcangeli <aarcange-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> > Cc: Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> > Cc: Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org> > Cc: Borislav Petkov <bp-Gina5bIWoIWzQB+pC5nmwQ@public.gmane.org> > Cc: Brian Gerst <brgerst-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> > Cc: Denys Vlasenko <dvlasenk-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> > Cc: Eric W. Biederman <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> > Cc: Frederic Weisbecker <fweisbec-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> > Cc: H. Peter Anvin <hpa-YMNOUZJC4hwAvxtiuMwx3w@public.gmane.org> > Cc: Heinrich Schuchardt <xypron.glpk-Mmb7MZpHnFY@public.gmane.org> > Cc: Jason Low <jason.low2-VXdhtT5mjnY@public.gmane.org> > Cc: Josh Triplett <josh-iaAMLnmF4UmaiuxdJuQwMA@public.gmane.org> > Cc: Konstantin Khlebnikov <khlebnikov-XoJtRXgx1JseBXzfvpsJ4g@public.gmane.org> > Cc: Linus Torvalds <torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org> > Cc: Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> > Cc: Palmer Dabbelt <palmer-96lFi9zoCfxBDgjK7y7TUQ@public.gmane.org> > Cc: Paul Moore <pmoore-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> > Cc: Pavel Emelyanov <xemul-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org> > Cc: Peter Zijlstra <peterz-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org> > Cc: Richard Weinberger <richard-/L3Ra7n9ekc@public.gmane.org> > Cc: Sasha Levin <sasha.levin-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org> > Cc: Shuah Khan <shuahkh-JPH+aEBZ4P+UEJcrhfAQsw@public.gmane.org> > Cc: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> > Cc: Thomas Gleixner <tglx-hfZtesqFncYOwBW4kG4KsQ@public.gmane.org> > Cc: Vladimir Davydov <vdavydov-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org> > Cc: linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org > Cc: linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org > Signed-off-by: Andy Lutomirski <luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> > --- > include/uapi/linux/signal.h | 2 +- > tools/testing/selftests/sigaltstack/sas.c | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/include/uapi/linux/signal.h b/include/uapi/linux/signal.h > index 738826048af2..cd0804b6bfa2 100644 > --- a/include/uapi/linux/signal.h > +++ b/include/uapi/linux/signal.h > @@ -8,7 +8,7 @@ > #define SS_DISABLE 2 > > /* bit-flags */ > -#define SS_AUTODISARM (1 << 4) /* disable sas during sighandling */ > +#define SS_AUTODISARM (1U << 31) /* disable sas during sighandling */ And what if we are out of 32 bits for storing both mode and flags? :) Well, yes, very unlikely, but I did it that way exactly so that we can eventually promote to 64bit variable. Doesn't matter at all, of course. Let it be any way you like. ^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2016-05-14 16:35 UTC | newest] Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <cover.1462296606.git.luto@kernel.org> 2016-05-03 17:31 ` [PATCH 1/4] signals/sigaltstack: If SS_AUTODISARM, bypass on_sig_stack Andy Lutomirski [not found] ` <c46bee4654ca9e68c498462fd11746e2bd0d98c8.1462296606.git.luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> 2016-05-04 6:32 ` Ingo Molnar [not found] ` <20160504063233.GB9499-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> 2016-05-04 23:02 ` Andy Lutomirski 2016-05-07 14:37 ` Stas Sergeev 2016-05-09 1:32 ` Andy Lutomirski [not found] ` <CALCETrX4AMCUkYMXe6-RoHTHQ=bpunM5keHSxMg=fEVtb1EmqA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 2016-05-09 2:04 ` Stas Sergeev [not found] ` <97f8e27a-019c-a5d4-2d2c-c2a9627cf23d-cmBhpYW9OiY@public.gmane.org> 2016-05-14 4:18 ` Andy Lutomirski [not found] ` <CALCETrV+gmXn-kTJmKBDPM8HaRTcvp+eGmeF7mOES6bCje2AGQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> 2016-05-14 11:18 ` Stas Sergeev 2016-05-14 16:35 ` Andy Lutomirski 2016-05-03 17:31 ` [PATCH 2/4] selftests/sigaltstack: Fix the sas test on old kernels Andy Lutomirski [not found] ` <f3e739bf435beeaecbd5f038f1359d2eac6d1e63.1462296606.git.luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> 2016-05-07 15:02 ` Stas Sergeev [not found] ` <abedee05-5671-7ba7-c256-41e61fb596cb-cmBhpYW9OiY@public.gmane.org> 2016-05-09 1:32 ` Andy Lutomirski 2016-05-03 17:31 ` [PATCH 3/4] signals/sigaltstack: Report current flag bits in sigaltstack() Andy Lutomirski [not found] ` <94b291ec9fd47741a9264851e316e158ded0b00d.1462296606.git.luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> 2016-05-04 6:33 ` Ingo Molnar 2016-05-03 17:31 ` [PATCH 4/4] signals/sigaltstack: Change SS_AUTODISARM to (1U << 31) Andy Lutomirski [not found] ` <bb996508a600af14b406810c3d58fe0e0d0afe0d.1462296606.git.luto-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> 2016-05-07 15:16 ` Stas Sergeev
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).