> On May 2, 2018, at 3:32 PM, Dave Hansen <dave.hansen@xxxxxxxxx> wrote: > >> On 05/02/2018 03:22 PM, Andy Lutomirski wrote: >> That library wants other threads, signal handlers, and, in general, the >> whole rest of the process to be restricted, and that library doesn't want >> race conditions. The problem here is that, to get this right, we either >> need the PKRU modifications to be syscalls or to take locks, and the lock >> approach is going to be fairly gross. > > I totally get the idea that a RDPKRU/WRPKRU is non-atomic and that it > can't be mixed with asynchronous WRPKRU's in that thread. > > But, where do those come from in this scenario? I'm not getting the > secondary mechanism is that *makes* them unsafe. pkey_alloc() itself. If someone tries to allocate a key with a given default mode, unless there’s already a key that already had that value in all threads or pkey_alloc() needs to asynchronously create such a key. There is a partial hack that glibc could do. DSOs could have a way to statically request a key (e.g. a PT_PKEY segment) and glibc could do all the pkey_alloc() calls before any threads get created. Of course, a DSO like this can’t be dlopened(). We still need a way for pkey_alloc() to update the value for signal delivery, but that’s straightforward.
