[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <6C9EE370-1BE4-4556-8B79-39BDBBAED7F8@amacapital.net>
Date: Tue, 3 Jul 2018 10:06:40 -0700
From: Andy Lutomirski <luto@...capital.net>
To: Andi Kleen <andi@...stfloor.org>
Cc: Peter Zijlstra <peterz@...radead.org>,
Heiko Carstens <heiko.carstens@...ibm.com>,
Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Thomas Gleixner <tglx@...utronix.de>,
linux-kernel <linux-kernel@...r.kernel.org>,
linux-api <linux-api@...r.kernel.org>,
"Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>,
Boqun Feng <boqun.feng@...il.com>,
Dave Watson <davejwatson@...com>, Paul Turner <pjt@...gle.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Russell King <linux@....linux.org.uk>,
Ingo Molnar <mingo@...hat.com>,
"H. Peter Anvin" <hpa@...or.com>, Chris Lameter <cl@...ux.com>,
Ben Maurer <bmaurer@...com>, rostedt <rostedt@...dmis.org>,
Josh Triplett <josh@...htriplett.org>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will.deacon@....com>,
Michael Kerrisk <mtk.manpages@...il.com>,
Joel Fernandes <joelaf@...gle.com>, michal.simek@...inx.com,
Martin Schwidefsky <schwidefsky@...ibm.com>,
Vasily Gorbik <gor@...ux.ibm.com>
Subject: Re: [RFC PATCH for 4.18] rseq: use __u64 for rseq_cs fields, validate user inputs
On Jul 3, 2018, at 9:40 AM, Andi Kleen <andi@...stfloor.org> wrote:
>>
>> So I think you're good... But yes, you raise an interresting point.
>
> So it sounds like architectures that don't have an instruction atomic u64
> *_user need to disable interrupts during the access, and somehow handle that
> case when a page fault happens?
I think all this discussion of “atomic” is a huge distraction. The properties we need are:
- User code can change rseq_cs from one valid user pointer to another with a single instruction (or equivalent) such that we can’t end up in the kernel with the write only partially done as seen in that thread.
- The kernel needs to be able to read the value consistently with the above requirement.
I don’t think it’s possible to have a valid implementation of get_user() on any architecture that’s so weak that this doesn’t work.
If user code writes rseq_cs from the wrong thread, I think the user code is buggy and we simply don’t care what happens. The kernel should be allowed to use an arbitrarily weak read with respect to other threads.
Powered by blists - more mailing lists