[PATCH] nptl: Use SA_RESTART for SIGCANCEL handler

[PATCH] nptl: Use SA_RESTART for SIGCANCEL handler

[Adhemerval Zanella]

The usage of signals to implementation pthread cancellation is an
implementation detail and should not be visible through cancellation
entrypoints.

However now that pthread_cancel always send the SIGCANCEL, some
entrypoint might be interruptable and return EINTR to the caller
(for instance on sem_wait).

Using SA_RESTART hides this, since the cancellation handler should
either act uppon cancellation (if asynchronous cancellation is enable)
or ignore the cancellation internal signal.

Checked on x86_64-linux-gnu and i686-linux-gnu.
---
 nptl/pthread_cancel.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/nptl/pthread_cancel.c b/nptl/pthread_cancel.c
index 0698cd2046..cc25ff21f3 100644
--- a/nptl/pthread_cancel.c
+++ b/nptl/pthread_cancel.c
@@ -72,7 +72,11 @@ __pthread_cancel (pthread_t th)
     {
       struct sigaction sa;
       sa.sa_sigaction = sigcancel_handler;
-      sa.sa_flags = SA_SIGINFO;
+      /* The signal handle should be non-interruptible to avoid the risk of
+	 spurious EINTR caused by SIGCANCEL sent to process or if
+	 pthread_cancel() is called while cancellation is disabled in the
+	 target thread.  */
+      sa.sa_flags = SA_SIGINFO | SA_RESTART;
       __sigemptyset (&sa.sa_mask);
       __libc_sigaction (SIGCANCEL, &sa, NULL);
       atomic_store_relaxed (&init_sigcancel, 1);
-- 
2.30.2

Re: [PATCH] nptl: Use SA_RESTART for SIGCANCEL handler

[Andreas Schwab]

On Jun 17 2021, Adhemerval Zanella via Libc-alpha wrote:

> diff --git a/nptl/pthread_cancel.c b/nptl/pthread_cancel.c
> index 0698cd2046..cc25ff21f3 100644
> --- a/nptl/pthread_cancel.c
> +++ b/nptl/pthread_cancel.c
> @@ -72,7 +72,11 @@ __pthread_cancel (pthread_t th)
>      {
>        struct sigaction sa;
>        sa.sa_sigaction = sigcancel_handler;
> -      sa.sa_flags = SA_SIGINFO;
> +      /* The signal handle should be non-interruptible to avoid the risk of

            The signal handler should be non-interrupting

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."

Re: [PATCH] nptl: Use SA_RESTART for SIGCANCEL handler

[Adhemerval Zanella]

On 17/06/2021 10:03, Andreas Schwab wrote:
> On Jun 17 2021, Adhemerval Zanella via Libc-alpha wrote:
> 
>> diff --git a/nptl/pthread_cancel.c b/nptl/pthread_cancel.c
>> index 0698cd2046..cc25ff21f3 100644
>> --- a/nptl/pthread_cancel.c
>> +++ b/nptl/pthread_cancel.c
>> @@ -72,7 +72,11 @@ __pthread_cancel (pthread_t th)
>>      {
>>        struct sigaction sa;
>>        sa.sa_sigaction = sigcancel_handler;
>> -      sa.sa_flags = SA_SIGINFO;
>> +      /* The signal handle should be non-interruptible to avoid the risk of
> 
>             The signal handler should be non-interrupting

Ack, I fixed it locally.

Re: [PATCH] nptl: Use SA_RESTART for SIGCANCEL handler

[Florian Weimer]

* Adhemerval Zanella via Libc-alpha:

> The usage of signals to implementation pthread cancellation is an
> implementation detail and should not be visible through cancellation
> entrypoints.
>
> However now that pthread_cancel always send the SIGCANCEL, some
> entrypoint might be interruptable and return EINTR to the caller
> (for instance on sem_wait).
>
> Using SA_RESTART hides this, since the cancellation handler should
> either act uppon cancellation (if asynchronous cancellation is enable)
> or ignore the cancellation internal signal.

I think this still needs a NEWS entry because there have been kernel
bugs in this area (e.g. in CIFS).

> Checked on x86_64-linux-gnu and i686-linux-gnu.
> ---
>  nptl/pthread_cancel.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/nptl/pthread_cancel.c b/nptl/pthread_cancel.c
> index 0698cd2046..cc25ff21f3 100644
> --- a/nptl/pthread_cancel.c
> +++ b/nptl/pthread_cancel.c
> @@ -72,7 +72,11 @@ __pthread_cancel (pthread_t th)
>      {
>        struct sigaction sa;
>        sa.sa_sigaction = sigcancel_handler;
> -      sa.sa_flags = SA_SIGINFO;
> +      /* The signal handle should be non-interruptible to avoid the risk of
> +	 spurious EINTR caused by SIGCANCEL sent to process or if
> +	 pthread_cancel() is called while cancellation is disabled in the
> +	 target thread.  */
> +      sa.sa_flags = SA_SIGINFO | SA_RESTART;
>        __sigemptyset (&sa.sa_mask);
>        __libc_sigaction (SIGCANCEL, &sa, NULL);
>        atomic_store_relaxed (&init_sigcancel, 1);

I really don't feel comfortable reviewing this.  However I think it is
still consistent with the (buggy) SYSCALL_CANCEL implementation:

        int sc_cancel_oldtype = LIBC_CANCEL_ASYNC ();                        \
        sc_ret = INLINE_SYSCALL_CALL (__VA_ARGS__);                          \
        LIBC_CANCEL_RESET (sc_cancel_oldtype);                               \

We temporary enable async cancellation, in which case we unwind through
the signal handler if canceled.  We do not rely on a EINTR error return
from the system call and a cancellation check outside of the signal
handler.  So adding SA_RESTART should really be okay.

Thanks,
Florian

Re: [PATCH] nptl: Use SA_RESTART for SIGCANCEL handler

[Adhemerval Zanella]

On 18/06/2021 08:38, Florian Weimer wrote:
> * Adhemerval Zanella via Libc-alpha:
> 
>> The usage of signals to implementation pthread cancellation is an
>> implementation detail and should not be visible through cancellation
>> entrypoints.
>>
>> However now that pthread_cancel always send the SIGCANCEL, some
>> entrypoint might be interruptable and return EINTR to the caller
>> (for instance on sem_wait).
>>
>> Using SA_RESTART hides this, since the cancellation handler should
>> either act uppon cancellation (if asynchronous cancellation is enable)
>> or ignore the cancellation internal signal.
> 
> I think this still needs a NEWS entry because there have been kernel
> bugs in this area (e.g. in CIFS).

Ok, I have added the following on "Deprecated and removed features, and 
other changes affecting compatibility"

* The pthread cancellation handler is now setup with SA_RESTART.  It should
  not be visible to application since the cancellation handler should either 
  act uppon cancellation (if asynchronous cancellation is enabled) or
  ignore the cancellation internal signal.

> 
>> Checked on x86_64-linux-gnu and i686-linux-gnu.
>> ---
>>  nptl/pthread_cancel.c | 6 +++++-
>>  1 file changed, 5 insertions(+), 1 deletion(-)
>>
>> diff --git a/nptl/pthread_cancel.c b/nptl/pthread_cancel.c
>> index 0698cd2046..cc25ff21f3 100644
>> --- a/nptl/pthread_cancel.c
>> +++ b/nptl/pthread_cancel.c
>> @@ -72,7 +72,11 @@ __pthread_cancel (pthread_t th)
>>      {
>>        struct sigaction sa;
>>        sa.sa_sigaction = sigcancel_handler;
>> -      sa.sa_flags = SA_SIGINFO;
>> +      /* The signal handle should be non-interruptible to avoid the risk of
>> +	 spurious EINTR caused by SIGCANCEL sent to process or if
>> +	 pthread_cancel() is called while cancellation is disabled in the
>> +	 target thread.  */
>> +      sa.sa_flags = SA_SIGINFO | SA_RESTART;
>>        __sigemptyset (&sa.sa_mask);
>>        __libc_sigaction (SIGCANCEL, &sa, NULL);
>>        atomic_store_relaxed (&init_sigcancel, 1);
> 
> I really don't feel comfortable reviewing this.  However I think it is
> still consistent with the (buggy) SYSCALL_CANCEL implementation:
> 
>         int sc_cancel_oldtype = LIBC_CANCEL_ASYNC ();                        \
>         sc_ret = INLINE_SYSCALL_CALL (__VA_ARGS__);                          \
>         LIBC_CANCEL_RESET (sc_cancel_oldtype);                               \
> 
> We temporary enable async cancellation, in which case we unwind through
> the signal handler if canceled.  We do not rely on a EINTR error return
> from the system call and a cancellation check outside of the signal
> handler.  So adding SA_RESTART should really be okay.

Yes, we still cancel the thread even for partial results (BZ#12683).

Re: [PATCH] nptl: Use SA_RESTART for SIGCANCEL handler

[Florian Weimer]

* Adhemerval Zanella:

> On 18/06/2021 08:38, Florian Weimer wrote:
>> * Adhemerval Zanella via Libc-alpha:
>> 
>>> The usage of signals to implementation pthread cancellation is an
>>> implementation detail and should not be visible through cancellation
>>> entrypoints.
>>>
>>> However now that pthread_cancel always send the SIGCANCEL, some
>>> entrypoint might be interruptable and return EINTR to the caller
>>> (for instance on sem_wait).
>>>
>>> Using SA_RESTART hides this, since the cancellation handler should
>>> either act uppon cancellation (if asynchronous cancellation is enable)
>>> or ignore the cancellation internal signal.
>> 
>> I think this still needs a NEWS entry because there have been kernel
>> bugs in this area (e.g. in CIFS).
>
> Ok, I have added the following on "Deprecated and removed features, and 
> other changes affecting compatibility"
>
> * The pthread cancellation handler is now setup with SA_RESTART.  It should
>   not be visible to application since the cancellation handler should either 
>   act uppon cancellation (if asynchronous cancellation is enabled) or
>   ignore the cancellation internal signal.

The key change is: The cancellation signal is now sent in more cases,
but this should be transparent to the application due to SA_RESTART.

Thanks,
Florian

Re: [PATCH] nptl: Use SA_RESTART for SIGCANCEL handler

[Adhemerval Zanella]

On 22/06/2021 15:33, Florian Weimer wrote:
> * Adhemerval Zanella:
> 
>> On 18/06/2021 08:38, Florian Weimer wrote:
>>> * Adhemerval Zanella via Libc-alpha:
>>>
>>>> The usage of signals to implementation pthread cancellation is an
>>>> implementation detail and should not be visible through cancellation
>>>> entrypoints.
>>>>
>>>> However now that pthread_cancel always send the SIGCANCEL, some
>>>> entrypoint might be interruptable and return EINTR to the caller
>>>> (for instance on sem_wait).
>>>>
>>>> Using SA_RESTART hides this, since the cancellation handler should
>>>> either act uppon cancellation (if asynchronous cancellation is enable)
>>>> or ignore the cancellation internal signal.
>>>
>>> I think this still needs a NEWS entry because there have been kernel
>>> bugs in this area (e.g. in CIFS).
>>
>> Ok, I have added the following on "Deprecated and removed features, and 
>> other changes affecting compatibility"
>>
>> * The pthread cancellation handler is now setup with SA_RESTART.  It should
>>   not be visible to application since the cancellation handler should either 
>>   act uppon cancellation (if asynchronous cancellation is enabled) or
>>   ignore the cancellation internal signal.
> 
> The key change is: The cancellation signal is now sent in more cases,
> but this should be transparent to the application due to SA_RESTART.

I am not sure if we really need to describe this implementation detail
on a NEWS entry.

Re: [PATCH] nptl: Use SA_RESTART for SIGCANCEL handler

[Florian Weimer]

* Adhemerval Zanella:

> On 22/06/2021 15:33, Florian Weimer wrote:
>> * Adhemerval Zanella:
>> 
>>> On 18/06/2021 08:38, Florian Weimer wrote:
>>>> * Adhemerval Zanella via Libc-alpha:
>>>>
>>>>> The usage of signals to implementation pthread cancellation is an
>>>>> implementation detail and should not be visible through cancellation
>>>>> entrypoints.
>>>>>
>>>>> However now that pthread_cancel always send the SIGCANCEL, some
>>>>> entrypoint might be interruptable and return EINTR to the caller
>>>>> (for instance on sem_wait).
>>>>>
>>>>> Using SA_RESTART hides this, since the cancellation handler should
>>>>> either act uppon cancellation (if asynchronous cancellation is enable)
>>>>> or ignore the cancellation internal signal.
>>>>
>>>> I think this still needs a NEWS entry because there have been kernel
>>>> bugs in this area (e.g. in CIFS).
>>>
>>> Ok, I have added the following on "Deprecated and removed features, and 
>>> other changes affecting compatibility"
>>>
>>> * The pthread cancellation handler is now setup with SA_RESTART.  It should
>>>   not be visible to application since the cancellation handler should either 
>>>   act uppon cancellation (if asynchronous cancellation is enabled) or
>>>   ignore the cancellation internal signal.
>> 
>> The key change is: The cancellation signal is now sent in more cases,
>> but this should be transparent to the application due to SA_RESTART.
>
> I am not sure if we really need to describe this implementation detail
> on a NEWS entry.

It's the cause of additional EINTR errors.  People who have that buggy
CIFS module and use thread cancellation could see those spurious EINTR
errors.  Right, without mentioning EINTR it is probably not useful. 8-/

Thanks,
Florian

Re: [PATCH] nptl: Use SA_RESTART for SIGCANCEL handler

[Adhemerval Zanella]

On 22/06/2021 15:52, Florian Weimer wrote:
> * Adhemerval Zanella:
> 
>> On 22/06/2021 15:33, Florian Weimer wrote:
>>> * Adhemerval Zanella:
>>>
>>>> On 18/06/2021 08:38, Florian Weimer wrote:
>>>>> * Adhemerval Zanella via Libc-alpha:
>>>>>
>>>>>> The usage of signals to implementation pthread cancellation is an
>>>>>> implementation detail and should not be visible through cancellation
>>>>>> entrypoints.
>>>>>>
>>>>>> However now that pthread_cancel always send the SIGCANCEL, some
>>>>>> entrypoint might be interruptable and return EINTR to the caller
>>>>>> (for instance on sem_wait).
>>>>>>
>>>>>> Using SA_RESTART hides this, since the cancellation handler should
>>>>>> either act uppon cancellation (if asynchronous cancellation is enable)
>>>>>> or ignore the cancellation internal signal.
>>>>>
>>>>> I think this still needs a NEWS entry because there have been kernel
>>>>> bugs in this area (e.g. in CIFS).
>>>>
>>>> Ok, I have added the following on "Deprecated and removed features, and 
>>>> other changes affecting compatibility"
>>>>
>>>> * The pthread cancellation handler is now setup with SA_RESTART.  It should
>>>>   not be visible to application since the cancellation handler should either 
>>>>   act uppon cancellation (if asynchronous cancellation is enabled) or
>>>>   ignore the cancellation internal signal.
>>>
>>> The key change is: The cancellation signal is now sent in more cases,
>>> but this should be transparent to the application due to SA_RESTART.
>>
>> I am not sure if we really need to describe this implementation detail
>> on a NEWS entry.
> 
> It's the cause of additional EINTR errors.  People who have that buggy
> CIFS module and use thread cancellation could see those spurious EINTR
> errors.  Right, without mentioning EINTR it is probably not useful. 8-/

What about:

* The pthread cancellation handler is now installed with SA_RESTART
  and pthread_cancel will always send the internal SIGCANCEL on a
  cancellation request.  It should not be visible to application since 
  the cancellation handler should either act upon cancellation (if 
  asynchronous cancellation is enabled) or ignore the cancellation 
  internal signal.  However there is buggy kernel interfaces (for
  instance some CIFS modules) that could still see spurious EINTR
  error when cancellation interrupts a blocking syscall.

Re: [PATCH] nptl: Use SA_RESTART for SIGCANCEL handler

[Florian Weimer]

* Adhemerval Zanella:

> * The pthread cancellation handler is now installed with SA_RESTART
>   and pthread_cancel will always send the internal SIGCANCEL on a
>   cancellation request.  It should not be visible to application since 
>   the cancellation handler should either act upon cancellation (if 
>   asynchronous cancellation is enabled) or ignore the cancellation 
>   internal signal.  However there is buggy kernel interfaces (for
>   instance some CIFS modules) that could still see spurious EINTR
>   error when cancellation interrupts a blocking syscall.

Suggest: “some CIFS [versions]”

Rest looks okay to me, thanks.

Florian

Re: [PATCH] nptl: Use SA_RESTART for SIGCANCEL handler

[Adhemerval Zanella]

On 22/06/2021 16:51, Florian Weimer wrote:
> * Adhemerval Zanella:
> 
>> * The pthread cancellation handler is now installed with SA_RESTART
>>   and pthread_cancel will always send the internal SIGCANCEL on a
>>   cancellation request.  It should not be visible to application since 
>>   the cancellation handler should either act upon cancellation (if 
>>   asynchronous cancellation is enabled) or ignore the cancellation 
>>   internal signal.  However there is buggy kernel interfaces (for

It should be 'there are' here.

>>   instance some CIFS modules) that could still see spurious EINTR
>>   error when cancellation interrupts a blocking syscall.
> 
> Suggest: “some CIFS [versions]”
> 
> Rest looks okay to me, thanks.

Ack, I will change and push upstream.