2021-03-27 01:55:06 +08:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
|
sched: prctl() core-scheduling interface
This patch provides support for setting and copying core scheduling
'task cookies' between threads (PID), processes (TGID), and process
groups (PGID).
The value of core scheduling isn't that tasks don't share a core,
'nosmt' can do that. The value lies in exploiting all the sharing
opportunities that exist to recover possible lost performance and that
requires a degree of flexibility in the API.
From a security perspective (and there are others), the thread,
process and process group distinction is an existent hierarchal
categorization of tasks that reflects many of the security concerns
about 'data sharing'. For example, protecting against cache-snooping
by a thread that can just read the memory directly isn't all that
useful.
With this in mind, subcommands to CREATE/SHARE (TO/FROM) provide a
mechanism to create and share cookies. CREATE/SHARE_TO specify a
target pid with enum pidtype used to specify the scope of the targeted
tasks. For example, PIDTYPE_TGID will share the cookie with the
process and all of it's threads as typically desired in a security
scenario.
API:
prctl(PR_SCHED_CORE, PR_SCHED_CORE_GET, tgtpid, pidtype, &cookie)
prctl(PR_SCHED_CORE, PR_SCHED_CORE_CREATE, tgtpid, pidtype, NULL)
prctl(PR_SCHED_CORE, PR_SCHED_CORE_SHARE_TO, tgtpid, pidtype, NULL)
prctl(PR_SCHED_CORE, PR_SCHED_CORE_SHARE_FROM, srcpid, pidtype, NULL)
where 'tgtpid/srcpid == 0' implies the current process and pidtype is
kernel enum pid_type {PIDTYPE_PID, PIDTYPE_TGID, PIDTYPE_PGID, ...}.
For return values, EINVAL, ENOMEM are what they say. ESRCH means the
tgtpid/srcpid was not found. EPERM indicates lack of PTRACE permission
access to tgtpid/srcpid. ENODEV indicates your machines lacks SMT.
[peterz: complete rewrite]
Signed-off-by: Chris Hyser <chris.hyser@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Don Hiatt <dhiatt@digitalocean.com>
Tested-by: Hongyu Ning <hongyu.ning@linux.intel.com>
Tested-by: Vincent Guittot <vincent.guittot@linaro.org>
Link: https://lkml.kernel.org/r/20210422123309.039845339@infradead.org
2021-03-25 05:40:15 +08:00
|
|
|
#include <linux/prctl.h>
|
2021-03-27 01:55:06 +08:00
|
|
|
#include "sched.h"
|
|
|
|
|
|
|
|
/*
|
|
|
|
* A simple wrapper around refcount. An allocated sched_core_cookie's
|
|
|
|
* address is used to compute the cookie of the task.
|
|
|
|
*/
|
|
|
|
struct sched_core_cookie {
|
|
|
|
refcount_t refcnt;
|
|
|
|
};
|
|
|
|
|
2021-09-22 16:57:35 +08:00
|
|
|
static unsigned long sched_core_alloc_cookie(void)
|
2021-03-27 01:55:06 +08:00
|
|
|
{
|
|
|
|
struct sched_core_cookie *ck = kmalloc(sizeof(*ck), GFP_KERNEL);
|
|
|
|
if (!ck)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
refcount_set(&ck->refcnt, 1);
|
|
|
|
sched_core_get();
|
|
|
|
|
|
|
|
return (unsigned long)ck;
|
|
|
|
}
|
|
|
|
|
2021-09-22 16:57:35 +08:00
|
|
|
static void sched_core_put_cookie(unsigned long cookie)
|
2021-03-27 01:55:06 +08:00
|
|
|
{
|
|
|
|
struct sched_core_cookie *ptr = (void *)cookie;
|
|
|
|
|
|
|
|
if (ptr && refcount_dec_and_test(&ptr->refcnt)) {
|
|
|
|
kfree(ptr);
|
|
|
|
sched_core_put();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-09-22 16:57:35 +08:00
|
|
|
static unsigned long sched_core_get_cookie(unsigned long cookie)
|
2021-03-27 01:55:06 +08:00
|
|
|
{
|
|
|
|
struct sched_core_cookie *ptr = (void *)cookie;
|
|
|
|
|
|
|
|
if (ptr)
|
|
|
|
refcount_inc(&ptr->refcnt);
|
|
|
|
|
|
|
|
return cookie;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* sched_core_update_cookie - replace the cookie on a task
|
|
|
|
* @p: the task to update
|
|
|
|
* @cookie: the new cookie
|
|
|
|
*
|
|
|
|
* Effectively exchange the task cookie; caller is responsible for lifetimes on
|
|
|
|
* both ends.
|
|
|
|
*
|
|
|
|
* Returns: the old cookie
|
|
|
|
*/
|
2021-09-22 16:57:35 +08:00
|
|
|
static unsigned long sched_core_update_cookie(struct task_struct *p,
|
|
|
|
unsigned long cookie)
|
2021-03-27 01:55:06 +08:00
|
|
|
{
|
|
|
|
unsigned long old_cookie;
|
|
|
|
struct rq_flags rf;
|
|
|
|
struct rq *rq;
|
|
|
|
bool enqueued;
|
|
|
|
|
|
|
|
rq = task_rq_lock(p, &rf);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Since creating a cookie implies sched_core_get(), and we cannot set
|
|
|
|
* a cookie until after we've created it, similarly, we cannot destroy
|
|
|
|
* a cookie until after we've removed it, we must have core scheduling
|
|
|
|
* enabled here.
|
|
|
|
*/
|
|
|
|
SCHED_WARN_ON((p->core_cookie || cookie) && !sched_core_enabled(rq));
|
|
|
|
|
|
|
|
enqueued = sched_core_enqueued(p);
|
|
|
|
if (enqueued)
|
|
|
|
sched_core_dequeue(rq, p);
|
|
|
|
|
|
|
|
old_cookie = p->core_cookie;
|
|
|
|
p->core_cookie = cookie;
|
|
|
|
|
|
|
|
if (enqueued)
|
|
|
|
sched_core_enqueue(rq, p);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If task is currently running, it may not be compatible anymore after
|
|
|
|
* the cookie change, so enter the scheduler on its CPU to schedule it
|
|
|
|
* away.
|
|
|
|
*/
|
|
|
|
if (task_running(rq, p))
|
|
|
|
resched_curr(rq);
|
|
|
|
|
|
|
|
task_rq_unlock(rq, p, &rf);
|
|
|
|
|
|
|
|
return old_cookie;
|
|
|
|
}
|
|
|
|
|
|
|
|
static unsigned long sched_core_clone_cookie(struct task_struct *p)
|
|
|
|
{
|
|
|
|
unsigned long cookie, flags;
|
|
|
|
|
|
|
|
raw_spin_lock_irqsave(&p->pi_lock, flags);
|
|
|
|
cookie = sched_core_get_cookie(p->core_cookie);
|
|
|
|
raw_spin_unlock_irqrestore(&p->pi_lock, flags);
|
|
|
|
|
|
|
|
return cookie;
|
|
|
|
}
|
|
|
|
|
2021-03-29 21:18:35 +08:00
|
|
|
void sched_core_fork(struct task_struct *p)
|
|
|
|
{
|
|
|
|
RB_CLEAR_NODE(&p->core_node);
|
|
|
|
p->core_cookie = sched_core_clone_cookie(current);
|
|
|
|
}
|
|
|
|
|
2021-03-27 01:55:06 +08:00
|
|
|
void sched_core_free(struct task_struct *p)
|
|
|
|
{
|
|
|
|
sched_core_put_cookie(p->core_cookie);
|
|
|
|
}
|
sched: prctl() core-scheduling interface
This patch provides support for setting and copying core scheduling
'task cookies' between threads (PID), processes (TGID), and process
groups (PGID).
The value of core scheduling isn't that tasks don't share a core,
'nosmt' can do that. The value lies in exploiting all the sharing
opportunities that exist to recover possible lost performance and that
requires a degree of flexibility in the API.
From a security perspective (and there are others), the thread,
process and process group distinction is an existent hierarchal
categorization of tasks that reflects many of the security concerns
about 'data sharing'. For example, protecting against cache-snooping
by a thread that can just read the memory directly isn't all that
useful.
With this in mind, subcommands to CREATE/SHARE (TO/FROM) provide a
mechanism to create and share cookies. CREATE/SHARE_TO specify a
target pid with enum pidtype used to specify the scope of the targeted
tasks. For example, PIDTYPE_TGID will share the cookie with the
process and all of it's threads as typically desired in a security
scenario.
API:
prctl(PR_SCHED_CORE, PR_SCHED_CORE_GET, tgtpid, pidtype, &cookie)
prctl(PR_SCHED_CORE, PR_SCHED_CORE_CREATE, tgtpid, pidtype, NULL)
prctl(PR_SCHED_CORE, PR_SCHED_CORE_SHARE_TO, tgtpid, pidtype, NULL)
prctl(PR_SCHED_CORE, PR_SCHED_CORE_SHARE_FROM, srcpid, pidtype, NULL)
where 'tgtpid/srcpid == 0' implies the current process and pidtype is
kernel enum pid_type {PIDTYPE_PID, PIDTYPE_TGID, PIDTYPE_PGID, ...}.
For return values, EINVAL, ENOMEM are what they say. ESRCH means the
tgtpid/srcpid was not found. EPERM indicates lack of PTRACE permission
access to tgtpid/srcpid. ENODEV indicates your machines lacks SMT.
[peterz: complete rewrite]
Signed-off-by: Chris Hyser <chris.hyser@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Don Hiatt <dhiatt@digitalocean.com>
Tested-by: Hongyu Ning <hongyu.ning@linux.intel.com>
Tested-by: Vincent Guittot <vincent.guittot@linaro.org>
Link: https://lkml.kernel.org/r/20210422123309.039845339@infradead.org
2021-03-25 05:40:15 +08:00
|
|
|
|
|
|
|
static void __sched_core_set(struct task_struct *p, unsigned long cookie)
|
|
|
|
{
|
|
|
|
cookie = sched_core_get_cookie(cookie);
|
|
|
|
cookie = sched_core_update_cookie(p, cookie);
|
|
|
|
sched_core_put_cookie(cookie);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Called from prctl interface: PR_SCHED_CORE */
|
|
|
|
int sched_core_share_pid(unsigned int cmd, pid_t pid, enum pid_type type,
|
|
|
|
unsigned long uaddr)
|
|
|
|
{
|
|
|
|
unsigned long cookie = 0, id = 0;
|
|
|
|
struct task_struct *task, *p;
|
|
|
|
struct pid *grp;
|
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
if (!static_branch_likely(&sched_smt_present))
|
|
|
|
return -ENODEV;
|
|
|
|
|
2021-08-26 01:06:13 +08:00
|
|
|
BUILD_BUG_ON(PR_SCHED_CORE_SCOPE_THREAD != PIDTYPE_PID);
|
|
|
|
BUILD_BUG_ON(PR_SCHED_CORE_SCOPE_THREAD_GROUP != PIDTYPE_TGID);
|
|
|
|
BUILD_BUG_ON(PR_SCHED_CORE_SCOPE_PROCESS_GROUP != PIDTYPE_PGID);
|
|
|
|
|
sched: prctl() core-scheduling interface
This patch provides support for setting and copying core scheduling
'task cookies' between threads (PID), processes (TGID), and process
groups (PGID).
The value of core scheduling isn't that tasks don't share a core,
'nosmt' can do that. The value lies in exploiting all the sharing
opportunities that exist to recover possible lost performance and that
requires a degree of flexibility in the API.
From a security perspective (and there are others), the thread,
process and process group distinction is an existent hierarchal
categorization of tasks that reflects many of the security concerns
about 'data sharing'. For example, protecting against cache-snooping
by a thread that can just read the memory directly isn't all that
useful.
With this in mind, subcommands to CREATE/SHARE (TO/FROM) provide a
mechanism to create and share cookies. CREATE/SHARE_TO specify a
target pid with enum pidtype used to specify the scope of the targeted
tasks. For example, PIDTYPE_TGID will share the cookie with the
process and all of it's threads as typically desired in a security
scenario.
API:
prctl(PR_SCHED_CORE, PR_SCHED_CORE_GET, tgtpid, pidtype, &cookie)
prctl(PR_SCHED_CORE, PR_SCHED_CORE_CREATE, tgtpid, pidtype, NULL)
prctl(PR_SCHED_CORE, PR_SCHED_CORE_SHARE_TO, tgtpid, pidtype, NULL)
prctl(PR_SCHED_CORE, PR_SCHED_CORE_SHARE_FROM, srcpid, pidtype, NULL)
where 'tgtpid/srcpid == 0' implies the current process and pidtype is
kernel enum pid_type {PIDTYPE_PID, PIDTYPE_TGID, PIDTYPE_PGID, ...}.
For return values, EINVAL, ENOMEM are what they say. ESRCH means the
tgtpid/srcpid was not found. EPERM indicates lack of PTRACE permission
access to tgtpid/srcpid. ENODEV indicates your machines lacks SMT.
[peterz: complete rewrite]
Signed-off-by: Chris Hyser <chris.hyser@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Don Hiatt <dhiatt@digitalocean.com>
Tested-by: Hongyu Ning <hongyu.ning@linux.intel.com>
Tested-by: Vincent Guittot <vincent.guittot@linaro.org>
Link: https://lkml.kernel.org/r/20210422123309.039845339@infradead.org
2021-03-25 05:40:15 +08:00
|
|
|
if (type > PIDTYPE_PGID || cmd >= PR_SCHED_CORE_MAX || pid < 0 ||
|
|
|
|
(cmd != PR_SCHED_CORE_GET && uaddr))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
if (pid == 0) {
|
|
|
|
task = current;
|
|
|
|
} else {
|
|
|
|
task = find_task_by_vpid(pid);
|
|
|
|
if (!task) {
|
|
|
|
rcu_read_unlock();
|
|
|
|
return -ESRCH;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
get_task_struct(task);
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Check if this process has the right to modify the specified
|
|
|
|
* process. Use the regular "ptrace_may_access()" checks.
|
|
|
|
*/
|
|
|
|
if (!ptrace_may_access(task, PTRACE_MODE_READ_REALCREDS)) {
|
|
|
|
err = -EPERM;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
switch (cmd) {
|
|
|
|
case PR_SCHED_CORE_GET:
|
|
|
|
if (type != PIDTYPE_PID || uaddr & 7) {
|
|
|
|
err = -EINVAL;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
cookie = sched_core_clone_cookie(task);
|
|
|
|
if (cookie) {
|
|
|
|
/* XXX improve ? */
|
|
|
|
ptr_to_hashval((void *)cookie, &id);
|
|
|
|
}
|
|
|
|
err = put_user(id, (u64 __user *)uaddr);
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
case PR_SCHED_CORE_CREATE:
|
|
|
|
cookie = sched_core_alloc_cookie();
|
|
|
|
if (!cookie) {
|
|
|
|
err = -ENOMEM;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
|
|
|
|
case PR_SCHED_CORE_SHARE_TO:
|
|
|
|
cookie = sched_core_clone_cookie(current);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case PR_SCHED_CORE_SHARE_FROM:
|
|
|
|
if (type != PIDTYPE_PID) {
|
|
|
|
err = -EINVAL;
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
cookie = sched_core_clone_cookie(task);
|
|
|
|
__sched_core_set(current, cookie);
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
default:
|
|
|
|
err = -EINVAL;
|
|
|
|
goto out;
|
|
|
|
};
|
|
|
|
|
|
|
|
if (type == PIDTYPE_PID) {
|
|
|
|
__sched_core_set(task, cookie);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
read_lock(&tasklist_lock);
|
|
|
|
grp = task_pid_type(task, type);
|
|
|
|
|
|
|
|
do_each_pid_thread(grp, type, p) {
|
|
|
|
if (!ptrace_may_access(p, PTRACE_MODE_READ_REALCREDS)) {
|
|
|
|
err = -EPERM;
|
|
|
|
goto out_tasklist;
|
|
|
|
}
|
|
|
|
} while_each_pid_thread(grp, type, p);
|
|
|
|
|
|
|
|
do_each_pid_thread(grp, type, p) {
|
|
|
|
__sched_core_set(p, cookie);
|
|
|
|
} while_each_pid_thread(grp, type, p);
|
|
|
|
out_tasklist:
|
|
|
|
read_unlock(&tasklist_lock);
|
|
|
|
|
|
|
|
out:
|
|
|
|
sched_core_put_cookie(cookie);
|
|
|
|
put_task_struct(task);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|