Re: [PATCH] x86/uaccess: Implement get_kernel()

From: Ingo Molnar <mingo@kernel.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
	Jason Low <jason.low2@hp.com>,
	Peter Zijlstra <peterz@infradead.org>,
	Davidlohr Bueso <dave@stgolabs.net>,
	Tim Chen <tim.c.chen@linux.intel.com>,
	Aswin Chandramouleeswaran <aswin@hp.com>,
	LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] x86/uaccess: Implement get_kernel()
Date: Fri, 10 Apr 2015 20:04:25 +0200	[thread overview]
Message-ID: <20150410180425.GC6563@gmail.com> (raw)
In-Reply-To: <CA+55aFz-MWpRG7i5GQqM5o26e0jstxSAXLx9b1vD7hN5LXDt3Q@mail.gmail.com>

* Linus Torvalds <torvalds@linux-foundation.org> wrote:

> On Fri, Apr 10, 2015 at 4:14 AM, Ingo Molnar <mingo@kernel.org> wrote:
> >
> >>
> >> The next patch will implement efficient 
> >> __copy_from_kernel_inatomic() for x86.
> >
> > The patch below does that. Note, for simplicity I've changed the 
> > interface to 'get_kernel()' (will propagate this through the other 
> > patches as well).
> 
> So I think this needs a couple of changes:
> 
>  - That "get_kernel()" name is not clear enough about what the issue 
> is. I think it should make it clearer that it's an unsafe access 
> that could fault, and that we don't want a user access.
> 
>     So maybe "get_kernel_stalepointer()" or something like that.

Ok.

>  - you're just re-implementing "__get_user_asm_ex()" afaik. Try to
> share the code, renaming it to be something common.

Ok, will try that.

>  - I think we should look at sharing the code for __get_user(). Could
> we do something like this:
> 
>      (a) implement the basic "load with exceptions" as __get_with_exception()
>      (b) #define get_kernel_stalepointer() __get_with_exception
>      (c) make "__get_user()" be "stac(); __get_with_exception(); clac()"

Will try.

The only possible complication there might be the way we don't recover 
the error code in the _ex() variants, that's actually a pretty 
important aspect to making this zero cost. Since the error code comes 
back from assembly code in some cases we cannot make it go away in the 
_ex() case. So I'm not sure we can share code between _ex() and the 
normal methods - but we can certainly share with the _ex() variants.

>  - finally, I wonder what the exact semantics of 
> "get_kernel_stalepointer()" should be. I could well imagine that 
> what we should do is
> 
>         #ifdef CONFIG_DEBUG_PAGEALLOC
>             #define get_kernel_stalepointer(x,ptr) ((x)=READ_ONCE(*(ptr)), 0)
>         #else
>            #define get_kernel_stalepointer(x,ptr) __get_with_exception(x,ptr)
>         #endif

I guess you meant that to be the other way around?

> because I think it's reasonable to require that the kernel pointer 
> is _stale_, and not "invalid". [...]

Absolutely, and I think this is a hard requirement: we don't (ever) 
want to dereference random addresses, due to possible mmio side 
effects.

> [...] IOW, guarantee that it *has* been a kernel pointer, and that 
> the only reason it would trap is for DEBUG_PAGEALLOC.

Yes.

> That last point might need to be verified with hotplug memory. I 
> think hotplug memory does a stop_machine() or similar, but I'm not 
> sure.

So memory hotplug does it in a pretty simple fashion IIRC: only such 
zones are movable and hot-unpluggable which don't contain 
kmalloc()-able of gfp()-able memory - they are limited purpose memory 
pools only usable for user pages and the page cache.

So stale pointers should never point to hot-unpluggable memory.

Thanks,

	Ingo