From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
To: Florian Weimer <fweimer@redhat.com>
Cc: carlos <carlos@redhat.com>,
Joseph Myers <joseph@codesourcery.com>,
Szabolcs Nagy <szabolcs.nagy@arm.com>,
libc-alpha <libc-alpha@sourceware.org>
Subject: Re: [RFC PATCH glibc 1/3] glibc: Perform rseq(2) registration at C startup and thread creation (v18)
Date: Thu, 30 Apr 2020 15:59:05 -0400 (EDT) [thread overview]
Message-ID: <1916849841.78543.1588276745582.JavaMail.zimbra@efficios.com> (raw)
In-Reply-To: <625724399.78482.1588276415331.JavaMail.zimbra@efficios.com>
----- On Apr 30, 2020, at 3:53 PM, Mathieu Desnoyers mathieu.desnoyers@efficios.com wrote:
> ----- On Apr 30, 2020, at 3:39 PM, Mathieu Desnoyers
> mathieu.desnoyers@efficios.com wrote:
>
>> ----- On Apr 30, 2020, at 1:46 PM, Florian Weimer fweimer@redhat.com wrote:
>>
>>> * Mathieu Desnoyers:
>>>
>>>> ----- On Apr 30, 2020, at 1:07 PM, Florian Weimer fweimer@redhat.com wrote:
>>>> [...]
>>>>> __libc_fatal does not attribute the error to glibc, so I suggest to
>>>>> start the error messages with “glibc fatal error: ”, so that people know
>>>>> where to look.
>>>>
>>>> OK. Is there a strict requirement on limiting to 80 columns for code
>>>> including an error message string in glibc? IOW:
>>>>
>>>> if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>>>>   __libc_fatal ("glibc fatal error: rseq already initialized for this thread\n");
>>>>
>>>> or
>>>>
>>>> if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>>>>   __libc_fatal ("glibc fatal error: "
>>>>                 "rseq already initialized for this thread\n");
>>>>
>>>> ?
>>>
>>> The latter, please. Some code also uses
>>>
>>> if (__rseq_abi.cpu_id != RSEQ_CPU_ID_UNINITIALIZED)
>>>   __libc_fatal ("\
>>> glibc fatal error: rseq already initialized for this thread\n");
>>>
>>> But that's not really my preference.
>>>
>>> (Trimmed the Cc: list a bit, we are really down to glibc specifics at
>>> this point.)
>>
>> One last question with respect to handling of rseq errno values. We currently
>> have (based on my own rseq(2) man page, not upstream yet):
>>
>> ERRORS
>>        EINVAL Either flags contains an invalid value, or rseq contains an
>>               address which is not appropriately aligned, or rseq_len
>>               contains a size that does not match the size received on
>>               registration.
>>
>>        ENOSYS The rseq() system call is not implemented by this kernel.
>>
>>        EFAULT rseq is an invalid address.
>>
>>        EBUSY  Restartable sequence is already registered for this thread.
>>
>>        EPERM  The sig argument on unregistration does not match the
>>               signature received on registration.
>>
>> So with the current suggestions, we basically treat "EBUSY" as a
>> __libc_fatal (), which is fine, and all other errno values (EINVAL, ENOSYS,
>> EFAULT, EPERM) as conditions which will just disable rseq for the thread by
>> marking cpu_id as RSEQ_CPU_ID_REGISTRATION_FAILED.
>>
>> I'm hesitant to treat "EINVAL" and "EFAULT" in this way, as those errno
>> should IMHO really abort libc as well with an appropriate __libc_fatal ()
>> message, because something is clearly going wrong and we don't want to hide
>> it under the carpet by just disabling rseq support silently.
>>
>> Also, I personally consider that adding an additional errno value
>> to an existing system call for a given set of supported system call
>> parameters is an ABI breakage, but I _know_ the Linux kernel community
>> as a whole does not feel that way, and they are known to have pretty much
>> silently added additional errno values to existing system calls as long
>> as nobody complains.
>>
>> Considering this, I wonder if we should be strict and e.g. do:
>>
>> const char *msg = NULL;
>>
>> switch (INTERNAL_SYSCALL_ERRNO (ret))
>>   {
>>   case ENOSYS:
>>   case EPERM:
>>     /* rseq system call is unavailable or not permitted.  */
>>     __rseq_abi.cpu_id = RSEQ_CPU_ID_REGISTRATION_FAILED;
>>     break;
>>   case EBUSY:
>>     msg = "glibc fatal error: rseq already registered for this thread\n";
>>     break;
>>   case EINVAL:
>>     msg = "glibc fatal error: rseq parameters are invalid\n";
>>     break;
>>   case EFAULT:
>>     msg = "glibc fatal error: rseq is an invalid address\n";
>>     break;
>>   default:
>>     msg = "glibc fatal error: unexpected rseq errno\n";
>>     break;
>>   }
>> if (msg)
>>   __libc_fatal (msg);
>>
>> Also considering that __libc_fatal only takes a string as parameter,
>> I wonder if there is a facility to print the errno string I could use
>> instead of __libc_fatal ()?
>
> I also suspect we'd want to handle "EACCES" in a non-fatal way in case
> it is returned by seccomp. The seccomp internals seem to allow a lot of
> freedom in letting the seccomp filters choose the errno number.
I'm actually wondering about "EPERM". Is it sometimes used by seccomp
filters to refuse a system call? Based on the rseq man page, EPERM
should only be returned by rseq unregistration if the signature does not
match. So I'm tempted to handle EPERM in a fatal way if we can assume
seccomp filters always return EACCES when refusing a system call. Any
input on this would be welcome.
Thanks,
Mathieu
--
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
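Added example, not code from the patch series or from glibc: a stand-alone C program that applies the errno policy sketched in the message (ENOSYS, EPERM and EACCES disable rseq for the thread; EBUSY, EINVAL, EFAULT and anything unexpected are fatal), attempts a real rseq(2) registration, and then installs a seccomp filter that answers rseq(2) with an errno of the filter's choosing, which is the EPERM/EACCES ambiguity the message asks about. Assumptions: `struct rseq_area` is a hand-written mirror of the 32-byte kernel `struct rseq` layout so the program needs no kernel headers for it, `RSEQ_SIG_EXAMPLE` is the x86 signature value (other architectures use different values), and the filter checks only the syscall number, not `seccomp_data.arch`, which a production filter must also do.

```c
/* Added example (not glibc's code): rseq(2) registration errno policy,
 * a real registration attempt, and a seccomp filter picking the errno. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#endif

enum rseq_action { RSEQ_ACTION_OK, RSEQ_ACTION_DISABLE, RSEQ_ACTION_FATAL };

/* Policy from the message: refusals and missing support silently disable
 * rseq for the thread; anything else means libc misused the syscall. */
static enum rseq_action classify_rseq_errno(int err)
{
    switch (err) {
    case 0:      return RSEQ_ACTION_OK;
    case ENOSYS: /* kernel without rseq */
    case EPERM:  /* refused; also a common seccomp choice */
    case EACCES: /* refused by a seccomp filter */
        return RSEQ_ACTION_DISABLE;
    default:     /* EBUSY, EINVAL, EFAULT or something new: do not hide it */
        return RSEQ_ACTION_FATAL;
    }
}

/* Fatal message with the errno text appended, as the message asks for. */
static const char *rseq_fatal_message(int err, char *buf, size_t len)
{
    const char *what;
    switch (err) {
    case EBUSY:  what = "rseq already registered for this thread"; break;
    case EINVAL: what = "rseq parameters are invalid"; break;
    case EFAULT: what = "rseq is an invalid address"; break;
    default:     what = "unexpected rseq errno"; break;
    }
    snprintf(buf, len, "glibc fatal error: %s (%s)\n", what, strerror(err));
    return buf;
}

#if defined(__linux__) && defined(__NR_rseq)
struct rseq_area {              /* assumption: mirrors the 32-byte struct rseq */
    uint32_t cpu_id_start;
    uint32_t cpu_id;
    uint64_t rseq_cs;
    uint32_t flags;
} __attribute__((aligned(32)));
#define RSEQ_SIG_EXAMPLE 0x53053053u   /* x86 value; assumption elsewhere */

static __thread struct rseq_area rseq_area;   /* must outlive the thread's use */

/* Returns 0 on success or the errno reported by rseq(2). */
static int try_register_rseq(void)
{
    if (syscall(__NR_rseq, &rseq_area, sizeof rseq_area, 0, RSEQ_SIG_EXAMPLE) == 0)
        return 0;
    return errno;
}

/* Filter that answers rseq(2) with the chosen errno and allows all else.
 * Only the syscall number is checked here; real filters check arch too. */
static int install_rseq_errno_filter(int err)
{
    struct sock_filter filt[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_rseq, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (err & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filt / sizeof filt[0], .filter = filt };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
#else
static int try_register_rseq(void) { return ENOSYS; }
static int install_rseq_errno_filter(int err) { (void)err; return -1; }
#endif

static void report(const char *when, int err)
{
    char buf[128];
    switch (classify_rseq_errno(err)) {
    case RSEQ_ACTION_OK:      printf("%s: registered\n", when); break;
    case RSEQ_ACTION_DISABLE: printf("%s: rseq disabled (%s)\n", when, strerror(err)); break;
    case RSEQ_ACTION_FATAL:   fputs(rseq_fatal_message(err, buf, sizeof buf), stderr); break;
    }
}

int main(void)
{
    /* glibc 2.35+ registers rseq itself, so this reports EBUSY unless run
     * with GLIBC_TUNABLES=glibc.pthread.rseq=0. */
    report("direct registration", try_register_rseq());
    /* A filter choosing EPERM is indistinguishable from the kernel's own
     * EPERM, which is the ambiguity the message raises. */
    if (install_rseq_errno_filter(EPERM) == 0)
        report("after seccomp filter", try_register_rseq());
    return 0;
}
```

Run it twice, once plainly and once with `GLIBC_TUNABLES=glibc.pthread.rseq=0`, to see the EBUSY case turn into a successful registration; swap `EPERM` for `EACCES` in `main` to see how the policy's "disable" branch absorbs either refusal without being able to tell a seccomp denial from a genuine kernel EPERM.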
Thread overview: 17+ messages
2020-04-28 17:15 Mathieu Desnoyers
2020-04-28 17:15 ` [RFC PATCH glibc 2/3] glibc: sched_getcpu(): use rseq cpu_id TLS on Linux (v7) Mathieu Desnoyers
2020-04-28 17:15 ` [RFC PATCH glibc 3/3] rseq registration tests (v10) Mathieu Desnoyers
2020-04-30 12:20 ` [RFC PATCH glibc 1/3] glibc: Perform rseq(2) registration at C startup and thread creation (v18) Florian Weimer
2020-04-30 16:11 ` Mathieu Desnoyers
2020-04-30 16:36 ` Florian Weimer
2020-04-30 16:55 ` Mathieu Desnoyers
2020-04-30 17:07 ` Florian Weimer
2020-04-30 17:20 ` Mathieu Desnoyers
2020-04-30 17:46 ` Florian Weimer
2020-04-30 19:39 ` Mathieu Desnoyers
2020-04-30 19:53 ` Mathieu Desnoyers
2020-04-30 19:59 ` Mathieu Desnoyers [this message]
2020-04-30 20:34 ` Florian Weimer
2020-04-30 20:37 ` Mathieu Desnoyers
2020-04-30 20:37 ` Florian Weimer
2020-04-30 20:39 ` Mathieu Desnoyers