From: Ram Pai <linuxram@us.ibm.com>
To: Florian Weimer <fweimer@redhat.com>
Cc: Dave Hansen <dave.hansen@intel.com>,
linux-mm@kvack.org, linux-api@vger.kernel.org,
linux-x86_64@vger.kernel.org, linux-arch@vger.kernel.org,
x86@kernel.org
Subject: Re: [PATCH] pkeys: Introduce PKEY_ALLOC_SIGNALINHERIT and change signal semantics
Date: Wed, 2 May 2018 14:12:54 -0700 [thread overview]
Message-ID: <20180502211254.GA5863@ram.oc3035372033.ibm.com> (raw)
In-Reply-To: <822a28c9-5405-68c2-11bf-0c282887466d@redhat.com>
On Wed, May 02, 2018 at 05:12:50PM +0200, Florian Weimer wrote:
> On 05/02/2018 04:30 PM, Dave Hansen wrote:
> >On 05/02/2018 06:26 AM, Florian Weimer wrote:
> >>pkeys support for IBM POWER intends to inherited the access rights of
> >>the current thread in signal handlers. The advantage is that this
> >>preserves access to memory regions associated with non-default keys,
> >>enabling additional usage scenarios for memory protection keys which
> >>currently do not work on x86 due to the unconditional reset to the
> >>(configurable) default key in signal handlers.
> >
> >What's the usage scenario that does not work?
>
> Here's what I want to do:
>
> Nick Clifton wrote a binutils patch which puts the .got.plt section
> on separate pages. We allocate a protection key for it, assign it
> to all such sections in the process image, and change the access
> rights of the main thread to disallow writes via that key during
> process startup. In _dl_fixup, we enable write access to the GOT,
> update the GOT entry, and then disable it again.
>
> This way, we have a pretty safe form of lazy binding, without having
> to resort to BIND_NOW.
>
> With the current kernel behavior on x86, we cannot do that because
> signal handlers revert to the default (deny) access rights, so the
> GOT turns inaccessible.
>
> >>Consequently, this commit updates the x86 implementation to preserve
> >>the PKRU register value of the interrupted context in signal handlers.
> >>If a key is allocated successfully with the PKEY_ALLOC_SIGNALINHERIT
> >>flag, the application can assume this signal inheritance behavior.
> >
> >I think this is a pretty gross misuse of the API. Adding an argument to
> >pkey_alloc() is something that folks would assume would impact the key
> >being *allocated*, not pkeys behavior across the process as a whole.
>
> From the application point of view, only the allocated key is
> affecteda??it has specific semantics that were undefined before and
> varied between x86 and POWER.
>
> >>This change does not affect the init_pkru optimization because if the
> >>thread's PKRU register is zero due to the init_pkru setting, it will
> >>remain zero in the signal handler through inheritance from the
> >>interrupted context.
> >
> >I think you are right, but it's rather convoluted. It does:
> >
> >1. Running with PKRU in the init state
> >2. Kernel saves off init-state-PKRU XSAVE signal buffer
> >3. Enter signal, kernel XRSTOR (may) set the init state again
> >4. fpu__clear() does __write_pkru(), takes it out of the init state
> >5. Signal handler runs, exits
> >6. fpu__restore_sig() XRSTOR's the state from #2, taking PKRU back to
> > the init state
>
> Isn't that just the cost of not hard-coding the XSAVE area layout?
>
> >But, about the patch in general:
> >
> >I'm not a big fan of doing this in such a PKRU-specific way. It would
> >be nice to have this available for all XSAVE states. It would also keep
> >you from so unnecessarily frobbing with WRPKRU in fpu__clear(). You
> >could just clear the PKRU bit in the Requested Feature BitMap (RFBM)
> >passed to XRSTOR. That would be much straightforward and able to be
> >more easily extended to more states.
>
> I don't see where I could plug this into the current kernel sources.
> Would you please provide some pointers?
>
> >PKRU is now preserved on signal entry, but not signal exit. Was that
> >intentional? That seems like odd behavior, and also differs from the
> >POWER implementation as I understand it.
>
> Ram, would you please comment?
on POWER the pkey behavior will remain the same at entry or at exit from
the signal handler. For eg: if a key is read-disabled on entry into
the signal handler, and gets read-enabled in the signal handler, than it
will continue to be read-enabled on return from the signal handler.
In other words, changes to key permissions persist across signal
boundaries.
>
> I think it is a bug not restore the access rights to the former
> value in the interrupted context. In userspace, we have exactly
> this problem with errno, and it can lead to subtle bugs.
>
> Thanks,
> Florian
--
Ram Pai
next prev parent reply other threads:[~2018-05-02 21:13 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-02 13:26 [PATCH] pkeys: Introduce PKEY_ALLOC_SIGNALINHERIT and change signal semantics Florian Weimer
2018-05-02 14:30 ` Dave Hansen
2018-05-02 15:12 ` Florian Weimer
2018-05-02 15:28 ` Dave Hansen
2018-05-02 21:08 ` Florian Weimer
2018-05-02 22:03 ` Dave Hansen
2018-05-07 9:47 ` Florian Weimer
2018-05-02 17:09 ` Andy Lutomirski
2018-05-02 17:17 ` Florian Weimer
2018-05-02 20:41 ` Andy Lutomirski
2018-05-02 21:06 ` Florian Weimer
2018-05-02 21:23 ` Andy Lutomirski
2018-05-02 22:08 ` Dave Hansen
2018-05-02 22:22 ` Andy Lutomirski
2018-05-02 22:32 ` Dave Hansen
2018-05-02 23:32 ` Andy Lutomirski
2018-05-02 23:58 ` Dave Hansen
2018-05-03 1:14 ` Andy Lutomirski
2018-05-03 14:42 ` Dave Hansen
2018-05-03 14:42 ` Florian Weimer
2018-05-03 2:10 ` Ram Pai
2018-05-03 4:05 ` Andy Lutomirski
2018-05-07 9:48 ` Florian Weimer
2018-05-08 2:49 ` Andy Lutomirski
2018-05-08 12:40 ` Florian Weimer
2018-05-09 14:41 ` Andy Lutomirski
2018-05-14 12:01 ` Florian Weimer
2018-05-14 15:32 ` Andy Lutomirski
2018-05-14 15:34 ` Florian Weimer
2018-05-16 17:01 ` Dave Hansen
2018-05-16 20:52 ` Ram Pai
2018-05-16 20:54 ` Andy Lutomirski
2018-05-16 20:35 ` Ram Pai
2018-05-16 20:37 ` Andy Lutomirski
2018-05-16 21:07 ` Ram Pai
2018-05-17 10:09 ` Florian Weimer
2018-05-17 10:11 ` Florian Weimer
2018-05-03 14:37 ` Florian Weimer
2018-05-02 21:12 ` Ram Pai [this message]
2018-05-02 21:18 ` Andy Lutomirski
2018-05-02 23:38 ` Ram Pai
2018-05-07 9:47 ` Florian Weimer
2018-05-07 9:43 ` Florian Weimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180502211254.GA5863@ram.oc3035372033.ibm.com \
--to=linuxram@us.ibm.com \
--cc=dave.hansen@intel.com \
--cc=fweimer@redhat.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-x86_64@vger.kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).