Re: [PATCH 2/2] sigaltstack: remove EPERM check to make swapcontext() usable

From: Stas Sergeev
Date: Fri Jan 08 2016 - 21:50:03 EST


09.01.2016 05:03, Andy Lutomirski ÐÐÑÐÑ:
On Fri, Jan 8, 2016 at 5:18 PM, Stas Sergeev <stsp@xxxxxxx> wrote:
linux implements the sigaltstack() in a way that makes it impossible to
use with swapcontext(). Per the man page, sigaltstack is allowed to return
EPERM if the process is altering its sigaltstack while running on
sigaltstack.
This is likely needed to consistently return oss->ss_flags, that indicates
whether the process is being on sigaltstack or not.
Unfortunately, linux takes that permission to return EPERM too literally:
it returns EPERM even if you don't want to change to another sigaltstack,
but only want to disable sigaltstack with SS_DISABLE.
You can't use swapcontext() without disabling sigaltstack first, or the
stack will be re-used and overwritten by a subsequent signal.

With this patch, disabling sigaltstack inside a signal handler became
possible, and the swapcontext() can then be used safely. The oss->ss_flags
will then return SS_DISABLE, which doesn't seem to contradict the
(very ambiguous) man page wording, namely:
SS_ONSTACK
The process is currently executing on the alternate signal
stack. (Note that it is not possible to change the alternate
signal stack if the process is currently executing on it.)
You're definitely contradicting the "Note" part, though. POSIX is
quite clear, too:

"Attempts to modify the alternate signal stack while the process is
executing on it fail."
"modify" may not include "disable".
You don't modify the stack's location or size, just temporary disable its use.
So I believe SS_DISABLE should be fine.
Of course this is just one of the possible interpretations.
But it is the one that looks simple and satisfies everyone.

diff --git a/kernel/signal.c b/kernel/signal.c
index f3f1f7a..0a6af54 100644
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -3111,18 +3111,13 @@ do_sigaltstack (const stack_t __user *uss, stack_t
__user *uoss, unsigned long s
if (error)
goto out;

- error = -EPERM;
- if (on_sig_stack(sp))
- goto out;
-
- error = -EINVAL;
/*
- * Note - this code used to test ss_flags incorrectly:
- * old code may have been written using ss_flags==0
- * to mean ss_flags==SS_ONSTACK (as this was the only
- * way that worked) - this fix preserves that older
- * mechanism.
+ * Note - this code used to test on_sig_stack(sp) and
+ * return -EPERM. But we need at least SS_DISABLE to
+ * work while on sigaltstack, so the check was removed.

That old comment was simply incorrect. POSIX says:

The ss_flags member specifies the new stack state.
If it is set to SS_DISABLE, the stack is disabled and ss_sp and ss_size
are ignored. Otherwise, the stack shall be enabled, and the ss_sp and
ss_size members specify the new address and size of the stack.

Zero is perfectly valid. That being said, Linux has apparently
rejected non-zero non-SA_ONSTACK values for a long time, so we should
be fine.

I think it would be safer and more posixly correct to change the
behavior differently:

ss_flags == 0 or SS_DISABLE or SS_ONSTACK: preserve old Linux behavior.

ss_flags == SS_DISABLE | SS_FORCE: disable the altstack regardless of
whether we're executing on it.
I really dislike the idea of adding SS_FORCE just for SS_DISABLE.
I think it is sane to use SS_DISABLE in a sighandler, and it doesn't
conflict with one of the possible interpretations of posix.
So I wonder what other people think (add Linus to CC).

ss_flags == SS_ONSTACK | SS_FORCE: change the altstack regardless of
whether we're executing on it.
This is something that no one will likely ever need.
For SS_DISABLE there is a clear use-case: swapcontext().
So we _need_ to address the SS_DISABLE case.
But why do we care about SA_ONSTACK in a sighandler's case?
Someone later, if need be, can add it together with the SA_FORCE.

Users of SS_FORCE are required to be very careful with nested signals.
In particular, changing the altstack using SS_ONSTACK | SS_FORCE is
very dangerous:
So how about just not allowing such SS_ONSTACK until
someone really needs it... This is more difficult to implement,
but possible. Would you really add a new flag for the funtionality
that is both dangerous and useless?