Page MenuHomeFreeBSD
Differential D47741

kern: restore signal mask before ast() for pselect/ppoll
ClosedPublic
Actions

Authored by kevans on Nov 25 2024, 7:03 PM.
Tags
None
Referenced Files
F107423870: D47741.diff
Mon, Jan 13, 11:34 PM
Unknown Object (File)
Sat, Jan 11, 5:41 PM
Unknown Object (File)
Fri, Jan 3, 10:50 PM
Unknown Object (File)
Dec 8 2024, 12:37 AM
Unknown Object (File)
Dec 8 2024, 12:19 AM
Unknown Object (File)
Dec 6 2024, 7:35 PM
Unknown Object (File)
Dec 5 2024, 1:38 PM
Unknown Object (File)
Dec 5 2024, 12:19 PM
View All 31 Files
Subscribers
imp
markj
olce

Details

Reviewers
des
kib
Group Reviewers
Klara
Commits
rGe5e44726d5af: kern: restore signal mask before ast() for pselect/ppoll
rGccb973da1f1b: kern: restore signal mask before ast() for pselect/ppoll
rGcab31f5633c1: kern: add a TDA_PSELECT for early restoration of sigmask
Summary

It's possible to take a signal after pselect/ppoll have set their return
value, but before we actually return to userland. This results in
taking a signal without reflecting it in the return value, which weakens
the guarantees provided by these functions.

Switch both to restore the signal mask before we return. If a signal
was received after the wait was over, then we'll just have the signal
queued up for the next time it comes unblocked. The modified signal
mask is retained if we were interrupted so that ast() actually handles
the signal, at which point the signal mask is restored.

Sponsored by: Klara, Inc.
Sponsored by: NetApp, Inc.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

kevans created this revision.Nov 25 2024, 7:03 PM
Herald added subscribers: olce, imp. · View Herald TranscriptNov 25 2024, 7:03 PM
kevans requested review of this revision.Nov 25 2024, 7:03 PM
Harbormaster completed remote builds in B60764: Diff 146922.Nov 25 2024, 7:03 PM
kevans mentioned this in D47738: tests: Demonstrate a bug in ppoll() and pselect()..Nov 25 2024, 7:05 PM
des accepted this revision.Nov 25 2024, 7:44 PM

I can confirm that this fixes the test cases in D47738.

This revision is now accepted and ready to land.Nov 25 2024, 7:44 PM
markj added a subscriber: markj.Nov 25 2024, 8:06 PM
markj added inline comments.
sys/kern/sys_generic.c
1061 ↗(On Diff #146922)

Should this be conditional on uset != NULL?

kevans updated this revision to Diff 146930.Nov 25 2024, 8:11 PM

All of this should be conditional on uset != NULL; in the NULL case, the
old sigmask is not valid and we don't need to do anything special on the way
out.

This revision now requires review to proceed.Nov 25 2024, 8:11 PM
Harbormaster completed remote builds in B60767: Diff 146930.Nov 25 2024, 8:11 PM
kevans marked an inline comment as done.Nov 25 2024, 8:11 PM
kib added a comment.Nov 25 2024, 8:18 PM

Is the problem caused by the fact that AST_SIG is processed before AST_SIGSUSPEND? Would reordering the AST indexes be enough?

As I understand, the complain is that signal ast handler might push the signal frame before sigsuspend handler restores the sigmask which marks the signal as blocked?

kevans added a comment.Nov 25 2024, 8:27 PM
In D47741#1088787, @kib wrote:

Is the problem caused by the fact that AST_SIG is processed before AST_SIGSUSPEND? Would reordering the AST indexes be enough?

As I understand, the complain is that signal ast handler might push the signal frame before sigsuspend handler restores the sigmask which marks the signal as blocked?

AST_SIG has to be processed before AST_SIGSUSPEND in order for the temporary signal mask stuff to work, AFAICT, but the complaint is specifically that we can catch a signal that's only temporarily unmasked after the timeout has expired (the window from kern_poll_kfds return -> AST_SIG), so we don't get EINTR but the signal was still handled. It's even more confusing when you're trying to ktrace around this, and it looks like the signal was handled between ppoll() calls when it should be blocked.

kevans added a comment.Nov 25 2024, 9:08 PM

It looks on inspection like Linux provides the stronger guarantee that you won't see a signal handled if it didn't interrupt the sleep, but OpenBSD does not.

kib added a comment.Nov 25 2024, 9:10 PM
In D47741#1088794, @kevans wrote:
In D47741#1088787, @kib wrote:

Is the problem caused by the fact that AST_SIG is processed before AST_SIGSUSPEND? Would reordering the AST indexes be enough?

As I understand, the complain is that signal ast handler might push the signal frame before sigsuspend handler restores the sigmask which marks the signal as blocked?

AST_SIG has to be processed before AST_SIGSUSPEND in order for the temporary signal mask stuff to work, AFAICT,

Do you mean AST_SIGSUSPEND scheduling from kern_sigsuspend()? If yes, then perhaps we need AST_SIGSUSPEND2, which is scheduled from pselect/ppoll and processed after AST_SIG.

but the complaint is specifically that we can catch a signal that's only temporarily unmasked after the timeout has expired (the window from kern_poll_kfds return -> AST_SIG), so we don't get EINTR but the signal was still handled. It's even more confusing when you're trying to ktrace around this, and it looks like the signal was handled between ppoll() calls when it should be blocked.

Yes, the idea is to ensure that AST_SIG processing code see the blocking mask. But IMO there is no need to inline the AST_SIGSUSPEND handler.

kevans added a comment.EditedNov 25 2024, 9:37 PM
In D47741#1088837, @kib wrote:
In D47741#1088794, @kevans wrote:
In D47741#1088787, @kib wrote:

Is the problem caused by the fact that AST_SIG is processed before AST_SIGSUSPEND? Would reordering the AST indexes be enough?

As I understand, the complain is that signal ast handler might push the signal frame before sigsuspend handler restores the sigmask which marks the signal as blocked?

AST_SIG has to be processed before AST_SIGSUSPEND in order for the temporary signal mask stuff to work, AFAICT,

Do you mean AST_SIGSUSPEND scheduling from kern_sigsuspend()? If yes, then perhaps we need AST_SIGSUSPEND2, which is scheduled from pselect/ppoll and processed after AST_SIG.

I mean AST_SIGSUSPEND as scheduled from here- if seltdwait()'s sleep was interrupted by a signal, then my understanding is that we need to keep the temporary signal mask installed all the way until AST_SIG is done in order to process signals that are blocked by the old signal mask, but not by the temporary signal mask.

but the complaint is specifically that we can catch a signal that's only temporarily unmasked after the timeout has expired (the window from kern_poll_kfds return -> AST_SIG), so we don't get EINTR but the signal was still handled. It's even more confusing when you're trying to ktrace around this, and it looks like the signal was handled between ppoll() calls when it should be blocked.

Yes, the idea is to ensure that AST_SIG processing code see the blocking mask. But IMO there is no need to inline the AST_SIGSUSPEND handler.

What we need is for AST_SIGSUSPEND to process before AST_SIG in this one unique case, but I don't think there's a good way to do that- would it make more sense to register AST_SIGSUSPEND2 with the same callback that runs before AST_SIG to avoid processing any of the blocked signals after the non-interrupted sleep?

kib added a comment.Nov 25 2024, 10:05 PM
In D47741#1088847, @kevans wrote:
In D47741#1088837, @kib wrote:
In D47741#1088794, @kevans wrote:
In D47741#1088787, @kib wrote:

Is the problem caused by the fact that AST_SIG is processed before AST_SIGSUSPEND? Would reordering the AST indexes be enough?

As I understand, the complain is that signal ast handler might push the signal frame before sigsuspend handler restores the sigmask which marks the signal as blocked?

AST_SIG has to be processed before AST_SIGSUSPEND in order for the temporary signal mask stuff to work, AFAICT,

Do you mean AST_SIGSUSPEND scheduling from kern_sigsuspend()? If yes, then perhaps we need AST_SIGSUSPEND2, which is scheduled from pselect/ppoll and processed after AST_SIG.

I mean AST_SIGSUSPEND as scheduled from here- if seltdwait()'s sleep was interrupted by a signal, then my understanding is that we need to keep the temporary signal mask installed all the way until AST_SIG is done in order to process signals that are blocked by the old signal mask, but not by the temporary signal mask.

You mean that you intend is to actually deliver the signals that interrupted the select' sleep? Hmm, we never behaved this way. I think if we want to, the kern_select() function needs to grow the cursig/postsig loop. But do we really have to do this?

but the complaint is specifically that we can catch a signal that's only temporarily unmasked after the timeout has expired (the window from kern_poll_kfds return -> AST_SIG), so we don't get EINTR but the signal was still handled. It's even more confusing when you're trying to ktrace around this, and it looks like the signal was handled between ppoll() calls when it should be blocked.

Yes, the idea is to ensure that AST_SIG processing code see the blocking mask. But IMO there is no need to inline the AST_SIGSUSPEND handler.

What we need is for AST_SIGSUSPEND to process before AST_SIG in this one unique case, but I don't think there's a good way to do that- would it make more sense to register AST_SIGSUSPEND2 with the same callback that runs before AST_SIG to avoid processing any of the blocked signals after the non-interrupted sleep?

Yes, AST_SIGSUSPEND2 is exactly what I propose for now.

kib accepted this revision.Nov 25 2024, 10:54 PM
This revision is now accepted and ready to land.Nov 25 2024, 10:54 PM
kevans updated this revision to Diff 146953.Nov 25 2024, 11:55 PM

Add a new ast flag to do the same thing, using a shared handler with TDA_SIGSUSPEND. This constitutes a KBI break, so to MFC I'll likely inline ast_sigsuspend() at the call sites since they should be more or less functionally equivalent except in some weirder cases.

This will be split into two commits, one to add TDA_SIGSUSPEND_EARLY and one to use it.

This revision now requires review to proceed.Nov 25 2024, 11:55 PM
kib added inline comments.Nov 26 2024, 12:08 AM
sys/sys/proc.h
497

TDA_PSELECT (in-line with TDA_SIGSUSPEND) ?

kevans updated this revision to Diff 146954.Nov 26 2024, 12:15 AM
kevans marked an inline comment as done.

Rename to TDA_PSELECT, since this is generally the expected-typical behavior of pselect (and ppoll) (vs. the typical behavior of sigsuspend)

kib accepted this revision.Nov 26 2024, 12:22 AM
This revision is now accepted and ready to land.Nov 26 2024, 12:22 AM
Closed by commit rGcab31f5633c1: kern: add a TDA_PSELECT for early restoration of sigmask (authored by kevans). · Explain WhyNov 26 2024, 4:05 AM
This revision was automatically updated to reflect the committed changes.
kevans added a commit: rGcab31f5633c1: kern: add a TDA_PSELECT for early restoration of sigmask.
kevans added a commit: rGccb973da1f1b: kern: restore signal mask before ast() for pselect/ppoll.
kevans added a commit: rGe5e44726d5af: kern: restore signal mask before ast() for pselect/ppoll.Dec 10 2024, 8:03 PM
des mentioned this in D27871: Rework jobc handling..Fri, Jan 3, 7:26 PM

Revision Contents
Changeset List

PathSize
sys/
kern/
10 lines
sys/
2 lines
1 line

Diff 146962

View Options

sys/kern/kern_sig.c

Loading...
View Options

sys/sys/param.h

Loading...
View Options

sys/sys/proc.h

Loading...