Re: [RFC PATCH for 4.18] rseq: use __u64 for rseq_cs fields, validate user inputs

From: Andy Lutomirski
Date: Tue Jul 03 2018 - 13:07:19 EST

On Jul 3, 2018, at 9:40 AM, Andi Kleen <andi@xxxxxxxxxxxxxx> wrote:

>> So I think you're good... But yes, you raise an interresting point.
> So it sounds like architectures that don't have an instruction atomic u64
> *_user need to disable interrupts during the access, and somehow handle that
> case when a page fault happens?

I think all this discussion of âatomicâ is a huge distraction. The properties we need are:

- User code can change rseq_cs from one valid user pointer to another with a single instruction (or equivalent) such that we canât end up in the kernel with the write only partially done as seen in that thread.

- The kernel needs to be able to read the value consistently with the above requirement.

I donât think itâs possible to have a valid implementation of get_user() on any architecture thatâs so weak that this doesnât work.

If user code writes rseq_cs from the wrong thread, I think the user code is buggy and we simply donât care what happens. The kernel should be allowed to use an arbitrarily weak read with respect to other threads.