-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
exception/interrupt handlers shouldn't access this_cpu()
#478
Comments
It seems to me that we can hardly remove all |
Sorry, I think the title is a bit misleading: What I was trying to say was the "with the current PerCpu implementation, exception/interrupt handlers must not access this_cpu()". I don't know of a good solution to this, but it might involve making PerCpu safe to access from multiple threads so that exception/interrupt handles may access |
For There would still be the possibility of restoring interrupts manually while the borrow is alive but it would at least be better than what we have now. |
This won't work for exception handlers though. The host can pretty much always trigger a #VC (e.g. by unmapping memory) even with restricted injection.
We already support nested disabling/enabling of interrupts. |
Exception/interrupt handlers (or more commonly signal handlers in non-kernel code) are considered separate threads within the abstract machine. One consequence of this is that they shouldn't access
this_cpu()
becausethis_cpu()
is notSync
. There's currently nothing to prevent this from happening.Code accessing
!Sync
data can usually assume that its accesses are never interrupted, but that's not the case if an exception handler preempts the code and accesses the data as well. The soundness of theCell
andRefCell
types hinges on being able to do uninterrupted accesses. Consider the following example: Some code wants to write an enum with data into aCell
in itsPerCpu
structure. Rust enums have a tag that decides which variant is active. If the code trying to write the enum is interrupted halfway through (e.g. by the hypervisor injecting #HV), it may have only written the tag, but not all the other data contained in the enum. Unlike with lock structures, there's nothing that prevents the exception handler from accessing the data as well. When the exception handler reads theCell
it may see the new enum tag but with some of the old enum data. If the tag doesn't match the data, that's obviously very bad.The text was updated successfully, but these errors were encountered: