Re: [Xenomai-core] [RFC] Break out of endless user space loops

[Jan Kiszka]

Gilles Chanteperdrix wrote:
 Jan Kiszka wrote:
 Hi all,

 here is the first apparently working prototype for getting hold of
 endless user space loops in RT threads. A simple test case of mine now
 receive a SIGDEBUG even if it does while (1);.

 The design follows Gilles' suggestion to force a SEGV on victim thread
 but restore the patched PC before migrating the thread after this fault.
 The only drawback of this approach: We need to keep track of the
 preempted register set at I-pipe level. I basically replicated what
 Linux does these days as well and exported it as ipipe_get_irq_regs()
 (the second patch).
 
 You already have the regs in xnarch_fault_info.
 

We only pass this around for exceptions.

Jan



signature.asc
Description: OpenPGP digital signature
___
Xenomai-core mailing list
Xenomai-core@gna.org
https://mail.gna.org/listinfo/xenomai-core

Re: [Xenomai-core] [RFC] Break out of endless user space loops

[Jan Kiszka]

Philippe Gerum wrote:
 On Wed, 2010-06-02 at 19:19 +0200, Jan Kiszka wrote:
 Hi all,

 here is the first apparently working prototype for getting hold of
 endless user space loops in RT threads. A simple test case of mine now
 receive a SIGDEBUG even if it does while (1);.

 The design follows Gilles' suggestion to force a SEGV on victim thread
 but restore the patched PC before migrating the thread after this fault.
 The only drawback of this approach: We need to keep track of the
 preempted register set at I-pipe level. I basically replicated what
 Linux does these days as well and exported it as ipipe_get_irq_regs()
 (the second patch).

 This is an x86-64-only draft which clearly needs more love. I'm open for
 suggestions of different abstractions wherever you see a need.
 
 What if you have no MMU ?

Then you either have an MPU detecting NULL pointer accesses or you can
actually redirect the PC to some kernel function containing some other
invalid, exception-raising instruction.

Jan



signature.asc
Description: OpenPGP digital signature
___
Xenomai-core mailing list
Xenomai-core@gna.org
https://mail.gna.org/listinfo/xenomai-core

Re: [Xenomai-core] [RFC] Break out of endless user space loops

[Jan Kiszka]

Philippe Gerum wrote:
 On Thu, 2010-06-03 at 08:55 +0200, Jan Kiszka wrote:
 Gilles Chanteperdrix wrote:
 Jan Kiszka wrote:
 Hi all,

 here is the first apparently working prototype for getting hold of
 endless user space loops in RT threads. A simple test case of mine now
 receive a SIGDEBUG even if it does while (1);.

 The design follows Gilles' suggestion to force a SEGV on victim thread
 but restore the patched PC before migrating the thread after this fault.
 The only drawback of this approach: We need to keep track of the
 preempted register set at I-pipe level. I basically replicated what
 Linux does these days as well and exported it as ipipe_get_irq_regs()
 (the second patch).
 You already have the regs in xnarch_fault_info.

 We only pass this around for exceptions.
 
 And for a good reason, exceptions are always delivered synchronously
 upon receipt, not IRQs, given the deferred dispatching scheme. Your
 ipipe_get_irq_regs interface is inherently broken for anything which is
 not a wired-mode timer IRQ, since you could pass the caller a reference
 to an unwound stack frame.

It may not work for certain deferred IRQs, true, but then it will return
NULL. The user of ipipe_get_irq_regs has to take this into account. And
most consumers will be wired IRQ handler anyway.

 
 You have to resort to __ipipe_tick_regs, and obviously only use this in
 the context of a timer-triggered code, like the watchdog handler, which
 saves your day.

Doesn't work if the timer IRQ is not the host tick AND doesn't help us
modifying the return path.

Granted, the former scenario is already broken in I-pipe (try using an
x86 host with an MSI-capable HPET...), but the latter is definitely a no-go.

Jan



signature.asc
Description: OpenPGP digital signature
___
Xenomai-core mailing list
Xenomai-core@gna.org
https://mail.gna.org/listinfo/xenomai-core

Re: [Xenomai-core] [RFC] Break out of endless user space loops

[Philippe Gerum]

On Thu, 2010-06-03 at 10:47 +0200, Jan Kiszka wrote:
 Philippe Gerum wrote:
  On Thu, 2010-06-03 at 08:55 +0200, Jan Kiszka wrote:
  Gilles Chanteperdrix wrote:
  Jan Kiszka wrote:
  Hi all,
 
  here is the first apparently working prototype for getting hold of
  endless user space loops in RT threads. A simple test case of mine now
  receive a SIGDEBUG even if it does while (1);.
 
  The design follows Gilles' suggestion to force a SEGV on victim thread
  but restore the patched PC before migrating the thread after this fault.
  The only drawback of this approach: We need to keep track of the
  preempted register set at I-pipe level. I basically replicated what
  Linux does these days as well and exported it as ipipe_get_irq_regs()
  (the second patch).
  You already have the regs in xnarch_fault_info.
 
  We only pass this around for exceptions.
  
  And for a good reason, exceptions are always delivered synchronously
  upon receipt, not IRQs, given the deferred dispatching scheme. Your
  ipipe_get_irq_regs interface is inherently broken for anything which is
  not a wired-mode timer IRQ, since you could pass the caller a reference
  to an unwound stack frame.
 
 It may not work for certain deferred IRQs, true, but then it will return
 NULL. The user of ipipe_get_irq_regs has to take this into account. And
 most consumers will be wired IRQ handler anyway.
 
  
  You have to resort to __ipipe_tick_regs, and obviously only use this in
  the context of a timer-triggered code, like the watchdog handler, which
  saves your day.
 
 Doesn't work if the timer IRQ is not the host tick AND doesn't help us
 modifying the return path.

That is not the basic issue, copying back regs-ip to the actual frame
before yielding to the IRQ trampoline code would be trivial and your
patch does require a deeper change in the ipipe already. The issue is:
do not provide a service which is not 100% trustable in this area.

 Granted, the former scenario is already broken in I-pipe (try using an
 x86 host with an MSI-capable HPET...), but the latter is definitely a no-go.
 

I'm arguing that your ipipe_get_irq_regs interface is broken by design
pipeline-wise; piling up more crap in the pipeline core that is wrong
already for some x86 timer sources won't help. The point is: you have to
explicitly address that case only considering the timer interrupt, in
wired-mode, because this won't fly in any other cases.

 Jan
 


-- 
Philippe.



___
Xenomai-core mailing list
Xenomai-core@gna.org
https://mail.gna.org/listinfo/xenomai-core

Re: [Xenomai-core] [RFC] Break out of endless user space loops

[Philippe Gerum]

On Thu, 2010-06-03 at 12:18 +0200, Jan Kiszka wrote:
 Philippe Gerum wrote:
  On Thu, 2010-06-03 at 10:47 +0200, Jan Kiszka wrote:
  Philippe Gerum wrote:
  On Thu, 2010-06-03 at 08:55 +0200, Jan Kiszka wrote:
  Gilles Chanteperdrix wrote:
  Jan Kiszka wrote:
  Hi all,
 
  here is the first apparently working prototype for getting hold of
  endless user space loops in RT threads. A simple test case of mine now
  receive a SIGDEBUG even if it does while (1);.
 
  The design follows Gilles' suggestion to force a SEGV on victim thread
  but restore the patched PC before migrating the thread after this 
  fault.
  The only drawback of this approach: We need to keep track of the
  preempted register set at I-pipe level. I basically replicated what
  Linux does these days as well and exported it as ipipe_get_irq_regs()
  (the second patch).
  You already have the regs in xnarch_fault_info.
 
  We only pass this around for exceptions.
  And for a good reason, exceptions are always delivered synchronously
  upon receipt, not IRQs, given the deferred dispatching scheme. Your
  ipipe_get_irq_regs interface is inherently broken for anything which is
  not a wired-mode timer IRQ, since you could pass the caller a reference
  to an unwound stack frame.
  It may not work for certain deferred IRQs, true, but then it will return
  NULL. The user of ipipe_get_irq_regs has to take this into account. And
  most consumers will be wired IRQ handler anyway.
 
  You have to resort to __ipipe_tick_regs, and obviously only use this in
  the context of a timer-triggered code, like the watchdog handler, which
  saves your day.
  Doesn't work if the timer IRQ is not the host tick AND doesn't help us
  modifying the return path.
  
  That is not the basic issue, copying back regs-ip to the actual frame
  before yielding to the IRQ trampoline code would be trivial and your
  patch does require a deeper change in the ipipe already. The issue is:
  do not provide a service which is not 100% trustable in this area.
 
 There is no use for ipipe_get_irq_regs in our case outside the call
 stack of the triggering IRQ. If you have nested IRQs inside this stack,
 ipipe_get_irq_regs account for this, if you leave the stack, it returns
 NULL. This is 100% reliable.

Try calling ipipe_get_irq_regs within a root domain IRQ handler, then,
we'll resume this discussion right after - you may have another
perception of the situation. You will get NULL once in a while, albeit
you are running over an IRQ context, from a Linux POV.

100% reliable for a published ipipe interface means that it ought to
work when called from _all_ domains, unless its semantics specifically
dictates a particular context for use. By no mean ipipe_get_irq_regs
tells anyone that it may only be used reliably on behalf of an unlocked,
wired, directly dispatched IRQ.

The only IRQ that fits this description is the pipelined hrtimer irq
(not even the host one, the host one simply inherits this property when
it happens that hrtimer == host timer for the underlying architecture),
and the only domain which may assume this safely is the invariant head,
which certainly restricts quite a bit the valid context for using those
services.

 
 If you want read-only access to the preempted register set, then we need
 some other mechanism, something like the tick regs. But those already
 exits, and we have no other users beyond the host tick so far.

I agree, we do need something to ALLOWS US fixup the frame for the
return address to be correct. I'm just asking that we do provide a clean
interface for this, since it will be there to stay. 

 
 Jan
 


-- 
Philippe.



___
Xenomai-core mailing list
Xenomai-core@gna.org
https://mail.gna.org/listinfo/xenomai-core

Re: [Xenomai-core] [RFC] Break out of endless user space loops

[Jan Kiszka]

Philippe Gerum wrote:
 On Thu, 2010-06-03 at 12:18 +0200, Jan Kiszka wrote:
 Philippe Gerum wrote:
 On Thu, 2010-06-03 at 10:47 +0200, Jan Kiszka wrote:
 Philippe Gerum wrote:
 On Thu, 2010-06-03 at 08:55 +0200, Jan Kiszka wrote:
 Gilles Chanteperdrix wrote:
 Jan Kiszka wrote:
 Hi all,

 here is the first apparently working prototype for getting hold of
 endless user space loops in RT threads. A simple test case of mine now
 receive a SIGDEBUG even if it does while (1);.

 The design follows Gilles' suggestion to force a SEGV on victim thread
 but restore the patched PC before migrating the thread after this 
 fault.
 The only drawback of this approach: We need to keep track of the
 preempted register set at I-pipe level. I basically replicated what
 Linux does these days as well and exported it as ipipe_get_irq_regs()
 (the second patch).
 You already have the regs in xnarch_fault_info.

 We only pass this around for exceptions.
 And for a good reason, exceptions are always delivered synchronously
 upon receipt, not IRQs, given the deferred dispatching scheme. Your
 ipipe_get_irq_regs interface is inherently broken for anything which is
 not a wired-mode timer IRQ, since you could pass the caller a reference
 to an unwound stack frame.
 It may not work for certain deferred IRQs, true, but then it will return
 NULL. The user of ipipe_get_irq_regs has to take this into account. And
 most consumers will be wired IRQ handler anyway.

 You have to resort to __ipipe_tick_regs, and obviously only use this in
 the context of a timer-triggered code, like the watchdog handler, which
 saves your day.
 Doesn't work if the timer IRQ is not the host tick AND doesn't help us
 modifying the return path.
 That is not the basic issue, copying back regs-ip to the actual frame
 before yielding to the IRQ trampoline code would be trivial and your
 patch does require a deeper change in the ipipe already. The issue is:
 do not provide a service which is not 100% trustable in this area.
 There is no use for ipipe_get_irq_regs in our case outside the call
 stack of the triggering IRQ. If you have nested IRQs inside this stack,
 ipipe_get_irq_regs account for this, if you leave the stack, it returns
 NULL. This is 100% reliable.
 
 Try calling ipipe_get_irq_regs within a root domain IRQ handler, then,
 we'll resume this discussion right after - you may have another
 perception of the situation. You will get NULL once in a while, albeit
 you are running over an IRQ context, from a Linux POV.
 
 100% reliable for a published ipipe interface means that it ought to
 work when called from _all_ domains, unless its semantics specifically
 dictates a particular context for use. By no mean ipipe_get_irq_regs
 tells anyone that it may only be used reliably on behalf of an unlocked,
 wired, directly dispatched IRQ.
 
 The only IRQ that fits this description is the pipelined hrtimer irq
 (not even the host one, the host one simply inherits this property when
 it happens that hrtimer == host timer for the underlying architecture),
 and the only domain which may assume this safely is the invariant head,
 which certainly restricts quite a bit the valid context for using those
 services.
 
 If you want read-only access to the preempted register set, then we need
 some other mechanism, something like the tick regs. But those already
 exits, and we have no other users beyond the host tick so far.
 
 I agree, we do need something to ALLOWS US fixup the frame for the
 return address to be correct. I'm just asking that we do provide a clean
 interface for this, since it will be there to stay. 

Ack. I'm already looking into some way to pimp up ipipe_get_irq_regs so
that it can replace the x86 tick_regs and will never be NULL inside an
IRQ handler. The only thing that is missing is filling in the proper
context that unblocked some pipeline and triggers an IRQ replay this
way. Should be fairly simple.

Jan



signature.asc
Description: OpenPGP digital signature
___
Xenomai-core mailing list
Xenomai-core@gna.org
https://mail.gna.org/listinfo/xenomai-core

Re: [Xenomai-core] [RFC] Break out of endless user space loops

[Gilles Chanteperdrix]

Jan Kiszka wrote:
 Hi all,
 
 here is the first apparently working prototype for getting hold of
 endless user space loops in RT threads. A simple test case of mine now
 receive a SIGDEBUG even if it does while (1);.
 
 The design follows Gilles' suggestion to force a SEGV on victim thread
 but restore the patched PC before migrating the thread after this fault.
 The only drawback of this approach: We need to keep track of the
 preempted register set at I-pipe level. I basically replicated what
 Linux does these days as well and exported it as ipipe_get_irq_regs()
 (the second patch).

You already have the regs in xnarch_fault_info.

-- 
Gilles.

___
Xenomai-core mailing list
Xenomai-core@gna.org
https://mail.gna.org/listinfo/xenomai-core

Re: [Xenomai-core] [RFC] Break out of endless user space loops

[Philippe Gerum]

On Wed, 2010-06-02 at 19:19 +0200, Jan Kiszka wrote:
 Hi all,
 
 here is the first apparently working prototype for getting hold of
 endless user space loops in RT threads. A simple test case of mine now
 receive a SIGDEBUG even if it does while (1);.
 
 The design follows Gilles' suggestion to force a SEGV on victim thread
 but restore the patched PC before migrating the thread after this fault.
 The only drawback of this approach: We need to keep track of the
 preempted register set at I-pipe level. I basically replicated what
 Linux does these days as well and exported it as ipipe_get_irq_regs()
 (the second patch).
 
 This is an x86-64-only draft which clearly needs more love. I'm open for
 suggestions of different abstractions wherever you see a need.

What if you have no MMU ?

 
 Jan
 
 ---
  include/asm-generic/hal.h|2 ++
  include/asm-x86/bits/thread_64.h |1 +
  include/asm-x86/system_64.h  |   26 ++
  ksrc/nucleus/pod.c   |5 +
  ksrc/nucleus/sched.c |1 +
  5 files changed, 35 insertions(+), 0 deletions(-)
 
 diff --git a/include/asm-generic/hal.h b/include/asm-generic/hal.h
 index 84c1a4d..be6abf0 100644
 --- a/include/asm-generic/hal.h
 +++ b/include/asm-generic/hal.h
 @@ -96,6 +96,8 @@ typedef spinlock_t rthal_spinlock_t;
  #define rthal_irq_cookie(ipd,irq)__ipipe_irq_cookie(ipd,irq)
  #define rthal_irq_handler(ipd,irq)   __ipipe_irq_handler(ipd,irq)
  
 +#define rthal_get_irq_regs() ipipe_get_irq_regs()
 +
  #define rthal_cpudata_irq_hits(ipd,cpu,irq)  
 __ipipe_cpudata_irq_hits(ipd,cpu,irq)
  
  #ifndef local_irq_save_hw_smp
 diff --git a/include/asm-x86/bits/thread_64.h 
 b/include/asm-x86/bits/thread_64.h
 index 91b71ed..d163c9e 100644
 --- a/include/asm-x86/bits/thread_64.h
 +++ b/include/asm-x86/bits/thread_64.h
 @@ -33,6 +33,7 @@ static inline void xnarch_init_tcb(xnarchtcb_t * tcb)
   tcb-ripp = tcb-rip;
   tcb-fpup = tcb-i387;
   tcb-is_root = 0;
 + tcb-forced_um_exit = 0;
   /* Must be followed by xnarch_init_thread(). */
  }
  
 diff --git a/include/asm-x86/system_64.h b/include/asm-x86/system_64.h
 index 4de8693..f023dab 100644
 --- a/include/asm-x86/system_64.h
 +++ b/include/asm-x86/system_64.h
 @@ -60,6 +60,8 @@ typedef struct xnarchtcb {  /* Per-thread 
 arch-dependent block */
   unsigned long ts_usedfpu: 1;
   unsigned long cr0_ts: 1;
  
 + unsigned long forced_um_exit: 1;
 +
   unsigned stacksize; /* Aligned size of stack (bytes) */
   unsigned long *stackbase;   /* Stack space */
  
 @@ -122,6 +124,30 @@ static inline void xnarch_free_stack_mem(void *chunk, 
 u_long bytes)
   kfree(chunk);
  }
  
 +static inline void xnarch_force_userspace_exit(xnarchtcb_t *tcb)
 +{
 + struct pt_regs *regs = rthal_get_irq_regs();
 +
 + if (user_mode(regs)) {
 + tcb-rip = regs-x86reg_ip;
 + tcb-forced_um_exit = 1;
 + regs-x86reg_ip = 0;
 + }
 +}
 +
 +static inline int
 +xnarch_fixup_userspace_exit(xnarchtcb_t *tcb, xnarch_fltinfo_t *fi)
 +{
 +#ifdef CONFIG_XENO_OPT_PERVASIVE
 + if (tcb-forced_um_exit) {
 + fi-regs-x86reg_ip = tcb-rip;
 + tcb-forced_um_exit = 0;
 + return 1;
 + }
 +#endif /* CONFIG_XENO_OPT_PERVASIVE */
 + return 0;
 +}
 +
  #ifdef __cplusplus
  }
  #endif
 diff --git a/ksrc/nucleus/pod.c b/ksrc/nucleus/pod.c
 index 7002a73..bdb5758 100644
 --- a/ksrc/nucleus/pod.c
 +++ b/ksrc/nucleus/pod.c
 @@ -2547,6 +2547,11 @@ int xnpod_trap_fault(xnarch_fltinfo_t *fltinfo)
  
   thread = xnpod_current_thread();
  
 + if (xnarch_fixup_userspace_exit(xnthread_archtcb(thread), fltinfo)) {
 + xnshadow_relax(0, 0);
 + return 1;
 + }
 +
   trace_mark(xn_nucleus, thread_fault,
  thread %p thread_name %s ip %p type %d,
  thread, xnthread_name(thread),
 diff --git a/ksrc/nucleus/sched.c b/ksrc/nucleus/sched.c
 index 0b737a3..64fa0e0 100644
 --- a/ksrc/nucleus/sched.c
 +++ b/ksrc/nucleus/sched.c
 @@ -100,6 +100,7 @@ static void xnsched_watchdog_handler(struct xntimer 
 *timer)
'%s'\n, xnthread_name(thread));
   xnthread_set_info(thread, XNAMOK | XNKICKED);
   xnshadow_send_sig(thread, SIGDEBUG, SIGDEBUG_WATCHDOG, 1);
 + xnarch_force_userspace_exit(xnthread_archtcb(thread));
   } else
  #endif /* CONFIG_XENO_OPT_PERVASIVE */
   {


-- 
Philippe.



___
Xenomai-core mailing list
Xenomai-core@gna.org
https://mail.gna.org/listinfo/xenomai-core