Re: [PATCH] rseq: Protect event mask against membarrier IPI

From: Mathieu Desnoyers
Date: Wed Aug 20 2025 - 09:24:23 EST

Next message: Lorenzo Stoakes: "Re: [PATCH v10 03/13] khugepaged: generalize hugepage_vma_revalidate for mTHP support"
Previous message: Qianfeng Rong: "[PATCH] RDMA/erdma: Use vcalloc() instead of vzalloc()"
Next in thread: Thomas Gleixner: "Re: [PATCH] rseq: Protect event mask against membarrier IPI"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2025-08-13 11:02, Thomas Gleixner wrote:

From: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Date: Tue, 12 Aug 2025 16:34:43 +0200

rseq_need_restart() reads and clears task::rseq_event_mask with preemption
disabled to guard against the scheduler.

But membarrier() uses an IPI and sets the PREEMPT bit in the event mask
from the IPI, which leaves that RMW operation unprotected.

Use guard(irq) if CONFIG_MEMBARRIER is enabled to fix that.

Fixes: 2a36ab717e8f ("rseq/membarrier: Add MEMBARRIER_CMD_PRIVATE_EXPEDITED_RSEQ")
Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
Cc: Mathieu Desnoyers <mathieu.desnoyers@xxxxxxxxxxxx>
Cc: Peter Zijlstra <peterz@xxxxxxxxxxxxx>
Cc: "Paul E. McKenney" <paulmck@xxxxxxxxxx>
Cc: Boqun Feng <boqun.feng@xxxxxxxxx>
Cc: stable@xxxxxxxxxxxxxxx
---
include/linux/rseq.h | 11 ++++++++---
kernel/rseq.c | 10 +++++-----
2 files changed, 13 insertions(+), 8 deletions(-)

--- a/include/linux/rseq.h
+++ b/include/linux/rseq.h
@@ -7,6 +7,12 @@
#include <linux/preempt.h>
#include <linux/sched.h>
+#ifdef CONFIG_MEMBARRIER
+# define RSEQ_EVENT_GUARD irq
+#else
+# define RSEQ_EVENT_GUARD preempt
+#endif

We should also update this comment in include/linux/sched.h:

/*
* RmW on rseq_event_mask must be performed atomically
* with respect to preemption.
*/
unsigned long rseq_event_mask;

to e.g.:

/*
* RmW on rseq_event_mask must be performed atomically
* with respect to preemption and membarrier IPIs.
*/

+
/*
* Map the event mask on the user-space ABI enum rseq_cs_flags
* for direct mask checks.
@@ -41,9 +47,8 @@ static inline void rseq_handle_notify_re
static inline void rseq_signal_deliver(struct ksignal *ksig,
struct pt_regs *regs)
{
- preempt_disable();
- __set_bit(RSEQ_EVENT_SIGNAL_BIT, &current->rseq_event_mask);
- preempt_enable();
+ scoped_guard(RSEQ_EVENT_GUARD)
+ __set_bit(RSEQ_EVENT_SIGNAL_BIT, &current->rseq_event_mask);

Then we have more to worry about interaction of the following
rseq events with membarrier IPI:

- rseq_preempt, rseq_migrate, rseq_signal_deliver.

Both rseq_preempt and rseq_migrate are documented as only being required
to be called with preempt off, not irq off.

I don't see the point in sharing the same rseq_event_mask across all of
those rseq event sources.

Can we just move the event sources requiring preempt-off to their own
word, and use a separate word for membarrier IPI instead ? This would
allow us to partition the problem into two distinct states each
protected by their respective mechanism.

rseq_handle_notify_resume(ksig, regs);
}
--- a/kernel/rseq.c
+++ b/kernel/rseq.c
@@ -342,12 +342,12 @@ static int rseq_need_restart(struct task
/*
* Load and clear event mask atomically with respect to
- * scheduler preemption.
+ * scheduler preemption and membarrier IPIs.
*/
- preempt_disable();
- event_mask = t->rseq_event_mask;
- t->rseq_event_mask = 0;
- preempt_enable();
+ scoped_guard(RSEQ_EVENT_GUARD) {
+ event_mask = t->rseq_event_mask;
+ t->rseq_event_mask = 0;
+ }

Instead we could sample both the preempt-off and the irq-off
words here.

Thanks,

Mathieu

return !!event_mask;
}

--
Mathieu Desnoyers
EfficiOS Inc.
https://www.efficios.com

Next message: Lorenzo Stoakes: "Re: [PATCH v10 03/13] khugepaged: generalize hugepage_vma_revalidate for mTHP support"
Previous message: Qianfeng Rong: "[PATCH] RDMA/erdma: Use vcalloc() instead of vzalloc()"
Next in thread: Thomas Gleixner: "Re: [PATCH] rseq: Protect event mask against membarrier IPI"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]