Re: [RFC PATCH v4 1/5] glibc: Perform rseq(2) registration at nptl init and thread creation

From: Rich Felker
Date: Fri Nov 23 2018 - 12:31:26 EST

Next message: Tony Lindgren: "Re: [PATCHv5 4/6] drm/omap: fix incorrect union usage"
Previous message: Ard Biesheuvel: "[PATCH] arm64/bpf: use movn/movk/movk sequence to generate kernel addresses"
In reply to: Mathieu Desnoyers: "Re: [RFC PATCH v4 1/5] glibc: Perform rseq(2) registration at nptl init and thread creation"
Next in thread: Florian Weimer: "Re: [RFC PATCH v4 1/5] glibc: Perform rseq(2) registration at nptl init and thread creation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Nov 23, 2018 at 12:05:20PM -0500, Mathieu Desnoyers wrote:
> ----- On Nov 23, 2018, at 9:28 AM, Rich Felker dalias@xxxxxxxx wrote:
> [...]
> >
> > Absolutely. As long as it's in libc, implicit destruction will happen.
> > Actually I think the glibc code shound unconditionally unregister the
> > rseq address at exit (after blocking signals, so no application code
> > can run) in case a third-party rseq library was linked and failed to
> > do so before thread exit (e.g. due to mismatched ref counts) rather
> > than respecting the reference count, since it knows it's the last
> > user. This would make potentially-buggy code safer.
>
> OK, let me go ahead with a few ideas/questions along that path.
^^^^^^^^^^^^^^^
>
> Let's say our stated goal is to let the "exit" system call from the
> glibc thread exit path perform rseq unregistration (without explicit
> unregistration beforehand). Let's look at what we need.

This is not "along that path". The above-quoted text is not about
assuming it's safe to make SYS_exit without unregistering the rseq
object, but rather about glibc being able to perform the
rseq-unregister syscall without caring about reference counts, since
it knows no other code that might depend on rseq can run after it.

> First, we need the TLS area to be valid until the exit system call
> is invoked by the thread. If glibc defines __rseq_abi as a weak symbol,
> I'm not entirely sure we can guarantee the IE model if another library
> gets its own global-dynamic weak symbol elected at execution time. Would
> it be better to switch to a "strong" symbol for the glibc __rseq_abi
> rather than weak ?

This doesn't help; still whichever comes first in link order would
override. Either way __rseq_abi would be in static TLS, though,
because any dynamically-loaded library is necessarily loaded after
libc, which is loaded at initial exec time.

> There has been presumptions about signals being blocked when the thread
> exits throughout this email thread. Out of curiosity, what code is
> responsible for disabling signals in this situation ? Related to this,
> is it valid to access a IE model TLS variable from a signal handler at
> _any_ point where the signal handler nests over thread's execution ?
> This includes early start and just before invoking the exit system call.

It should be valid to access *any* TLS object like this, but the
standards don't cover it well. Right now access to dynamic TLS from
signal handlers is unsafe in glibc, but static is safe.

Rich

Next message: Tony Lindgren: "Re: [PATCHv5 4/6] drm/omap: fix incorrect union usage"
Previous message: Ard Biesheuvel: "[PATCH] arm64/bpf: use movn/movk/movk sequence to generate kernel addresses"
In reply to: Mathieu Desnoyers: "Re: [RFC PATCH v4 1/5] glibc: Perform rseq(2) registration at nptl init and thread creation"
Next in thread: Florian Weimer: "Re: [RFC PATCH v4 1/5] glibc: Perform rseq(2) registration at nptl init and thread creation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]