Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp1145673imd; Thu, 1 Nov 2018 10:54:39 -0700 (PDT) X-Google-Smtp-Source: AJdET5cyzffUQaqIqZqj91JKYGdxr2ZpKtG9Ds0O9rxNGpZndngf7N+RHZDYWDHiwe9hHO7at+pH X-Received: by 2002:a17:902:50e3:: with SMTP id c32-v6mr8505288plj.39.1541094879363; Thu, 01 Nov 2018 10:54:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1541094879; cv=none; d=google.com; s=arc-20160816; b=wIeES3gdSDY4WNxW6n3cLJ4gtswadJlbHaCKL6ZrSanYmijz3PZVNRzsh08mpCuwur 9rn1C3rBNZgJaEDBwlCWfJ4oY/JWbb/gcRtHArqLgLYiF4fYxtj8l6yvum8d/z9js0Yy 5XEzWih6w8hN108MQOVpb6aWH9CF3yIuSAuIGp5VWuHVbdltkEzADSJ+n+5PDITDQsTW PPT4nqJGmYVlA6cW1FpQwP6WM9P+FjiztL3CCjucOdmnbfnuG+9YR/thSvLyognh3pzo oMV0RxQ+Fi3KOJcGfr1TjPFBboaGW7SU1R8dGbS9RzJPhUsFEqu5PIZRmK3d/WyU0Y07 M/hw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:subject:message-id:date:from :mime-version:dkim-signature; bh=9eQCzcLQF0w7xupCcj8HfW2t/lV7ueTj6MPEwKHbqy8=; b=gWOSpW+cgb8zclyqzun/iqlo2pbMwCj9K8hwwMP/fztitL6D8AeEdy/DoiN40cjTIO v3iIDlFuXYPmWa4knnqDNxo8bGT2QiK2eT6CrKvzkXc/4zjhCaavo8nyppBTT/85cHMn c7c8jx6qA0/AFb/X/ZBs6qkrrGnDefONgfIkGVAa6ASWxKTYz2mxnPzW7Q3wLYEAzJub gitxTpCAQdRsIkh9PTl+Ijy8tDc8/wHhDPkUbjOn/YKWV18iC4wg3fY9jjlFg0F9KwPk imJ7WBaZKZxEnXO9MYvTJ9Fks4B3WAnD6Djs1TGpd+N9SBxGfXBBrELX/eOOzo0Y09iu ZI/Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Pe+oRCX9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m72-v6si4800039pga.114.2018.11.01.10.54.23; Thu, 01 Nov 2018 10:54:39 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Pe+oRCX9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727969AbeKBC5x (ORCPT + 99 others); Thu, 1 Nov 2018 22:57:53 -0400 Received: from mail.kernel.org ([198.145.29.99]:32810 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725843AbeKBC5x (ORCPT ); Thu, 1 Nov 2018 22:57:53 -0400 Received: from mail-wr1-f50.google.com (mail-wr1-f50.google.com [209.85.221.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 4019620833 for ; Thu, 1 Nov 2018 17:53:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1541094833; bh=lxfRkIbnNn5vEkPpgT7ExdEPOv3fuXsZCA4uvAwxVlU=; h=From:Date:Subject:To:From; b=Pe+oRCX9f30bzoz0mr0Pr1nDUrIKq9CbrzWQLrSDkljBCc5BAaNTkbqvoWMVufnYk aErJTnMyiHDwgKdxPCx+SDFbLfVyZzd8CjmhlkdBfM++O7VcUpa4xL8TEmOzEqcps+ rMb9r5+P8Znzc+ekus0w+1fi9U3l5m0CLV5bujBM= Received: by mail-wr1-f50.google.com with SMTP id n5-v6so20875050wrw.12 for ; Thu, 01 Nov 2018 10:53:53 -0700 (PDT) X-Gm-Message-State: AGRZ1gIRU5OWvgZEJupYQOGv+Ih7YaTaffXcAKjzdmdm7tjW9YXUnWlM 1fq0vk+adiwWbwU3ZR2ksjaFY/h4dqyNqZt2iF19UA== X-Received: by 2002:adf:97d3:: with SMTP id t19-v6mr7793210wrb.283.1541094831751; Thu, 01 Nov 2018 10:53:51 -0700 (PDT) MIME-Version: 1.0 From: Andy Lutomirski Date: Thu, 1 Nov 2018 10:53:40 -0700 X-Gmail-Original-Message-ID: Message-ID: Subject: RFC: userspace exception fixups To: Dave Hansen , "Christopherson, Sean J" , Jethro Beekman , Jarkko Sakkinen , Florian Weimer , Linux API , Jann Horn , Linus Torvalds , X86 ML , linux-arch , LKML , Peter Zijlstra , Rich Felker , nhorman@redhat.com, npmccallum@redhat.com, "Ayoun, Serge" , shay.katz-zamir@intel.com, linux-sgx@vger.kernel.org, Andy Shevchenko , Thomas Gleixner , Ingo Molnar , Borislav Petkov Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi all- The people working on SGX enablement are grappling with a somewhat annoying issue: the x86 EENTER instruction is used from user code and can, as part of its normal-ish operation, raise an exception. It is also highly likely to be used from a library, and signal handling in libraries is unpleasant at best. There's been some discussion of adding a vDSO entry point to wrap EENTER and do something sensible with the exceptions, but I'm wondering if a more general mechanism would be helpful. The basic idea would be to allow libc, or maybe even any library, to register a handler that gets a chance to act on an exception caused by a user instruction before a signal is delivered. As a straw-man example for how this could work, there could be a new syscall: long register_exception_handler(void (*handler)(int, siginfo_t *, void *)); If a handler is registered, then, if a synchronous exception happens (page fault, etc), the kernel would set up an exception frame as usual but, rather than checking for signal handlers, it would just call the registered handler. That handler is expected to either handle the exception entirely on its own or to call one of two new syscalls to ask for normal signal delivery or to ask to retry the faulting instruction. Alternatively, we could do something a lot more like the kernel's internal fixups where there's a table in user memory that maps potentially faulting instructions to landing pads that handle exceptions. Do you think this would be useful? Here are some use cases that I think are valid: (a) Enter an SGX enclave and handle errors. There would be two instructions that would need special handling: EENTER and ERESUME. (b) Do some math and catch division by zero. I think it would be a bad idea to have user code call a function and say that it wants to handle *any* division by zero, but having certain specified division instructions have special handling seems entirely reasonable. (c) Ditto for floating point errors. (d) Try an instruction and see if it gets #UD. (e) Run a bunch of code and handle page faults to a given address range by faulting something in. This is not like the others, in that a handler wants to handle a range of target addresses, not instructions. And userfaultfd is plausibly a better solution anyway. (f) Run NaCl-like sandboxed code where the code can cause page faults to certain mapped-but-intentionally-not-present ranges and those need to be handled. On Windows, you can use SEH to do crazy things like running known-buggy code and eating the page faults. I don't think we want to go there. All of this makes me think that the right solution is to have a way to register fault handlers for instructions to cover (a) - (d) and to treat (e) and (f) as something else entirely if there's enough demand. --Andy