From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS31976 209.132.180.0/23 X-Spam-Status: No, score=-4.1 required=3.0 tests=AWL,BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_EF,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS shortcircuit=no autolearn=ham autolearn_force=no version=3.4.2 Received: from sourceware.org (server1.sourceware.org [209.132.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dcvr.yhbt.net (Postfix) with ESMTPS id 93D481F462 for ; Tue, 4 Jun 2019 11:46:26 +0000 (UTC) DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:cc:subject:references:date:in-reply-to :message-id:mime-version:content-type:content-transfer-encoding; q=dns; s=default; b=qqAJ2CPPHiewtZS79jgMEY9khUBVsQnf8gAOVA2q42i pvtLxN6M3GGRmQUhgjAxHgKj0d7O+N1SDEikijz2r/w7hI4y4BUx37U6zTXO70Gz GQ/mBMV9ZduzCGP7r1PV1mr6Hmx7tVZqHW5YMaSbw6dGTLLZWYH4r0pL9stWWTAw = DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:cc:subject:references:date:in-reply-to :message-id:mime-version:content-type:content-transfer-encoding; s=default; bh=E0J+HvEuPwdH68v0QAXtZ8hMYCk=; b=CUCEyX1tipxozbsT6 HYBL+1S1JOpQS6o+9DnSg7xTm4SA1WHoWDS6Bj9etyfGZA60/vN5JuI+vEOfmoe6 RtiwHNTwzXT3PjBsbi1S4mDoGD7xDfxEee69b3SptkLLyHNNONJK/QPFOHfGLZVm Qykdd3BfEfe8a+HEFjA8n/hzuE= Received: (qmail 23548 invoked by alias); 4 Jun 2019 11:46:24 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Received: (qmail 23540 invoked by uid 89); 4 Jun 2019 11:46:24 -0000 Authentication-Results: sourceware.org; auth=none X-HELO: mx1.redhat.com From: Florian Weimer To: Mathieu Desnoyers Cc: carlos , Joseph Myers , Szabolcs Nagy , libc-alpha , Thomas Gleixner , Ben Maurer , Peter Zijlstra , "Paul E. McKenney" , Boqun Feng , Will Deacon , Dave Watson , Paul Turner , Rich Felker , linux-kernel , linux-api Subject: Re: [PATCH 1/5] glibc: Perform rseq(2) registration at C startup and thread creation (v10) References: <20190503184219.19266-1-mathieu.desnoyers@efficios.com> <87h89gjgaf.fsf@oldenburg2.str.redhat.com> <1239705947.14878.1558985272873.JavaMail.zimbra@efficios.com> <140718133.18261.1559144710554.JavaMail.zimbra@efficios.com> <2022553041.20966.1559249801435.JavaMail.zimbra@efficios.com> <875zprm4jo.fsf@oldenburg2.str.redhat.com> <732661684.21584.1559314109886.JavaMail.zimbra@efficios.com> <87muj2k4ov.fsf@oldenburg2.str.redhat.com> <1528929896.22217.1559326257155.JavaMail.zimbra@efficios.com> Date: Tue, 04 Jun 2019 13:46:04 +0200 In-Reply-To: <1528929896.22217.1559326257155.JavaMail.zimbra@efficios.com> (Mathieu Desnoyers's message of "Fri, 31 May 2019 14:10:57 -0400 (EDT)") Message-ID: <87o93d4lqb.fsf@oldenburg2.str.redhat.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.2 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable * Mathieu Desnoyers: > ----- On May 31, 2019, at 11:46 AM, Florian Weimer fweimer@redhat.com wro= te: > >> * Mathieu Desnoyers: >>=20 >>> Let's break this down into the various sub-issues involved: >>> >>> 1) How early do we need to setup rseq ? Should it be setup before: >>> - LD_PRELOAD .so constructors ? >>> - Without circular dependency, >>> - With circular dependency, >>> - audit libraries initialization ? >>> - IFUNC resolvers ? >>> - other callbacks ? >>> - memory allocator calls ? >>> >>> We may end up in a situation where we need memory allocation to be setup >>> in order to initialize TLS before rseq can be registered for the main >>> thread. I suspect we will end up needing a fallbacks which always work >>> for the few cases that would try to use rseq too early in dl/libc start= up. >>=20 >> I think the answer to that depends on whether it's okay to have an >> observable transition from =E2=80=9Cno rseq kernel support=E2=80=9D to = =E2=80=9Ckernel supports >> rseq=E2=80=9D. > > As far as my own use-cases are concerned, I only care that rseq is initia= lized > before LD_PRELOAD .so constructors are executed. is relevant in this context. It requests the opposite behavior from LD_PRELOAD. > There appears to be some amount of documented limitations for what can be > done by the IFUNC resolvers. It might be acceptable to document that rseq > might not be initialized yet when those are executed. The only obstacle is that there are so many places where we could put this information. > I'd like to hear what others think about whether we should care about IFU= NC > resolvers and audit libraries using restartable sequences TLS ? In audit libraries (and after dlmopen), the inner libc will have duplicated TLS values, so it will look as if the TLS area is not active (but a registration has happened with the kernel). If we move __rseq_handled into the dynamic linker, its value will be shared along with ld.so with the inner objects. However, the inner libc still has to ensure that its registration attempt does not succeed because that would activate the wrong rseq area. The final remaining case is static dlopen. There is a copy of ld.so on the dynamic side, but it is completely inactive and has never run. I do not think we need to support that because multi-threading does not work reliably in this scenario, either. However, we should skip rseq registration in a nested libc (see the rtld_active function). >>> 4) Inability to touch a TLS variable (__rseq_abi) from ld-linux-*.so.2 >>> - Should we extend the dynamic linker to allow such TLS variable to = be >>> accessed ? If so, how much effort is required ? >>> - Can we find an alternative way to initialize rseq early during >>> dl init stages while still performing the TLS access from a functi= on >>> implemented within libc.so ? >>=20 >> This is again related to the answer for (1). There are various hacks we >> could implement to make the initialization invisible (e.g., computing >> the address of the variable using the equivalent of dlsym, after loading >> all the initial objects and before starting relocation). If it's not >> too hard to add TLS support to ld.so, we can consider that as well. >> (The allocation side should be pretty easy, relocation support it could >> be more tricky.) >>=20 >>> So far, I got rseq to be initialized before LD_PRELOADed library >>> constructors by doing the initialization in a constructor within >>> libc.so. I don't particularly like this approach, because the >>> constructor order is not guaranteed. >>=20 >> Right. > > One question related to use of constructors: AFAIU, if a library depends > on glibc, ELF guarantees that the glibc constructor will be executed firs= t, > before the other library. There are some exceptions, like DT_PREINIT_ARRAY functions and DF_1_INITFIRST. Some of these mechanisms we use in the implementation itself, so they are not really usable to end users. Cycles should not come into play here. By default, an object that uses the rseq area will have to link against libc (perhaps indirectly), and therefore the libc constructor runs first. > Which leaves us with the execution order of constructors within libc.so, > which is not guaranteed if we just use __attribute__ ((constructor)). > However, all gcc versions that are required to build recent glibc > seem to support a constructor with a "priority" value (lower gets > executed first, and those are executed before constructors without > priority). I'm not sure that's the right way to do it. If we want to happen execution in a specific order, we should write a single constructor function which is called from _init. For the time being, we can add the call to an appropriately defined inline function early in _init in elf/init-first.c (which is shared with Hurd, so Hurd will need some sort of stub function). Thanks, Florian