From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.2 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0F3F1C2B9F4 for ; Fri, 25 Jun 2021 10:39:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id EB62861444 for ; Fri, 25 Jun 2021 10:39:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231478AbhFYKlf (ORCPT ); Fri, 25 Jun 2021 06:41:35 -0400 Received: from mail.kernel.org ([198.145.29.99]:50884 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230436AbhFYKlb (ORCPT ); Fri, 25 Jun 2021 06:41:31 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id C745E61443; Fri, 25 Jun 2021 10:39:08 +0000 (UTC) Date: Fri, 25 Jun 2021 11:39:06 +0100 From: Catalin Marinas To: Robin Murphy Cc: Al Viro , Matthew Wilcox , Christoph Hellwig , Chen Huang , Mark Rutland , Andrew Morton , Stephen Rothwell , Randy Dunlap , Will Deacon , Linux ARM , linux-mm , open list Subject: Re: [BUG] arm64: an infinite loop in generic_perform_write() Message-ID: <20210625103905.GA20835@arm.com> References: <20210623132223.GA96264@C02TD0UTHF1T.local> <1c635945-fb25-8871-7b34-f475f75b2caf@huawei.com> <27fbb8c1-2a65-738f-6bec-13f450395ab7@arm.com> <20210624185554.GC25097@arm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 24, 2021 at 09:36:54PM +0100, Robin Murphy wrote: > On 2021-06-24 19:55, Catalin Marinas wrote: > > On Thu, Jun 24, 2021 at 04:27:17PM +0000, Al Viro wrote: > > > On Thu, Jun 24, 2021 at 02:22:27PM +0100, Robin Murphy wrote: > > > > FWIW I think the only way to make the kernel behaviour any more robust here > > > > would be to make the whole uaccess API more expressive, such that rather > > > > than simply saying "I only got this far" it could actually differentiate > > > > between stopping due to a fault which may be recoverable and worth retrying, > > > > and one which definitely isn't. > > > > > > ... and propagate that "more expressive" information through what, 3 or 4 > > > levels in the call chain? > > > > > > From include/linux/uaccess.h: > > > > > > * If raw_copy_{to,from}_user(to, from, size) returns N, size - N bytes starting > > > * at to must become equal to the bytes fetched from the corresponding area > > > * starting at from. All data past to + size - N must be left unmodified. > > > * > > > * If copying succeeds, the return value must be 0. If some data cannot be > > > * fetched, it is permitted to copy less than had been fetched; the only > > > * hard requirement is that not storing anything at all (i.e. returning size) > > > * should happen only when nothing could be copied. In other words, you don't > > > * have to squeeze as much as possible - it is allowed, but not necessary. > > > > > > arm64 instances violate the aforementioned hard requirement. > > > > After reading the above a few more times, I think I get it. The key > > sentence is: not storing anything at all should happen only when nothing > > could be copied. In the MTE case, something can still be copied. > > > > > Please, fix > > > it there; it's not hard. All you need is an exception handler in .Ltiny15 > > > that would fall back to (short) byte-by-byte copy if the faulting address > > > happened to be unaligned. Or just do one-byte copy, not that it had been > > > considerably cheaper than a loop. Will be cheaper than propagating that extra > > > information up the call chain, let alone paying for extra ->write_begin() > > > and ->write_end() for single byte in generic_perform_write(). > > > > Yeah, it's definitely fixable in the arch code. I misread the above > > requirements and thought it could be fixed in the core code. > > > > Quick hack, though I think in the actual exception handling path in .S > > more sense (and it needs the copy_to_user for symmetry): > > Hmm, if anything the asm version might be even more straightforward; I think > it's pretty much just this (untested): That's what I thought but it was too late in the day to think in asm. > diff --git a/arch/arm64/lib/copy_to_user.S b/arch/arm64/lib/copy_to_user.S > index 043da90f5dd7..632bf1f9540d 100644 > --- a/arch/arm64/lib/copy_to_user.S > +++ b/arch/arm64/lib/copy_to_user.S > @@ -62,6 +62,9 @@ EXPORT_SYMBOL(__arch_copy_to_user) > > .section .fixup,"ax" > .align 2 > -9998: sub x0, end, dst // bytes not copied > +9998: ldrb w7, [x1] > +USER(9997f, sttrb w7, [x0]) > + add x0, x0, #1 > +9997: sub x0, end, dst // bytes not copied > ret > .previous > > If we can get away without trying to finish the whole copy bytewise, (i.e. > we don't cause any faults of our own by knowingly over-reading in the > routine itself), I'm more than happy with that. I don't think we over-read/write in the routine itself as this is based on the user memcpy() which can't handle faults. And since we got a fault before the end of the copy, we have at least one byte left in the buffer (which may or may not trigger a fault). I wonder whether we should skip the extra byte copy if something was copied, i.e. start the exception handler with: cmp dstin, dst b.ne 9997f That said, the fall-back to bytewise copying may have some advantage. I think we still have the issue where we copy some data to user but report less (STP failing on the second 8-byte when the first had been already written first 8). A byte copy loop would solve this, unless we pass the fault address to the exception handler (I thought you had some patch for this at some point). -- Catalin From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.6 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CE5C5C2B9F4 for ; Fri, 25 Jun 2021 11:01:58 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 918F161446 for ; Fri, 25 Jun 2021 11:01:58 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 918F161446 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=arm.com Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=Pxwn3PxW1JghbzDb9MoDPEzcOeoamV9lZsveLI/2hbM=; b=t5RuUIwcx3DBdN 7+8jOh/0GpbUxvOslV15v+avpYU857vAMH/TuOLFzN03662RCt41651zDf6jt03mYOEGSS8SCU56D tOasco4rRQ6B/xvtlSRfKkC34yih/kIoyrDzFzr92sIf8U8KVGquRBH5iWstFffceeJMjwYk1wTr6 TABqNV92aw06xjIJfhZfcPrKwaq7eZGQMVQkKR/OG3CfNhgUXTVGDDDPS3u4X7DB6w8iXw3LsOVFH ORvZ5y9kuLRo/g6jS4pMII6tl0TcctgywzS5P+A9ASYdzuWLI7GO4iI7987AnzEsX2w9TFiqGz+yn QG4NJXYPtyB+am5U52og==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1lwjYz-001Acv-7Q; Fri, 25 Jun 2021 10:59:58 +0000 Received: from mail.kernel.org ([198.145.29.99]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1lwjEt-0012Kv-7J for linux-arm-kernel@lists.infradead.org; Fri, 25 Jun 2021 10:39:13 +0000 Received: by mail.kernel.org (Postfix) with ESMTPSA id C745E61443; Fri, 25 Jun 2021 10:39:08 +0000 (UTC) Date: Fri, 25 Jun 2021 11:39:06 +0100 From: Catalin Marinas To: Robin Murphy Cc: Al Viro , Matthew Wilcox , Christoph Hellwig , Chen Huang , Mark Rutland , Andrew Morton , Stephen Rothwell , Randy Dunlap , Will Deacon , Linux ARM , linux-mm , open list Subject: Re: [BUG] arm64: an infinite loop in generic_perform_write() Message-ID: <20210625103905.GA20835@arm.com> References: <20210623132223.GA96264@C02TD0UTHF1T.local> <1c635945-fb25-8871-7b34-f475f75b2caf@huawei.com> <27fbb8c1-2a65-738f-6bec-13f450395ab7@arm.com> <20210624185554.GC25097@arm.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210625_033911_361897_2A690382 X-CRM114-Status: GOOD ( 38.47 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Thu, Jun 24, 2021 at 09:36:54PM +0100, Robin Murphy wrote: > On 2021-06-24 19:55, Catalin Marinas wrote: > > On Thu, Jun 24, 2021 at 04:27:17PM +0000, Al Viro wrote: > > > On Thu, Jun 24, 2021 at 02:22:27PM +0100, Robin Murphy wrote: > > > > FWIW I think the only way to make the kernel behaviour any more robust here > > > > would be to make the whole uaccess API more expressive, such that rather > > > > than simply saying "I only got this far" it could actually differentiate > > > > between stopping due to a fault which may be recoverable and worth retrying, > > > > and one which definitely isn't. > > > > > > ... and propagate that "more expressive" information through what, 3 or 4 > > > levels in the call chain? > > > > > > From include/linux/uaccess.h: > > > > > > * If raw_copy_{to,from}_user(to, from, size) returns N, size - N bytes starting > > > * at to must become equal to the bytes fetched from the corresponding area > > > * starting at from. All data past to + size - N must be left unmodified. > > > * > > > * If copying succeeds, the return value must be 0. If some data cannot be > > > * fetched, it is permitted to copy less than had been fetched; the only > > > * hard requirement is that not storing anything at all (i.e. returning size) > > > * should happen only when nothing could be copied. In other words, you don't > > > * have to squeeze as much as possible - it is allowed, but not necessary. > > > > > > arm64 instances violate the aforementioned hard requirement. > > > > After reading the above a few more times, I think I get it. The key > > sentence is: not storing anything at all should happen only when nothing > > could be copied. In the MTE case, something can still be copied. > > > > > Please, fix > > > it there; it's not hard. All you need is an exception handler in .Ltiny15 > > > that would fall back to (short) byte-by-byte copy if the faulting address > > > happened to be unaligned. Or just do one-byte copy, not that it had been > > > considerably cheaper than a loop. Will be cheaper than propagating that extra > > > information up the call chain, let alone paying for extra ->write_begin() > > > and ->write_end() for single byte in generic_perform_write(). > > > > Yeah, it's definitely fixable in the arch code. I misread the above > > requirements and thought it could be fixed in the core code. > > > > Quick hack, though I think in the actual exception handling path in .S > > more sense (and it needs the copy_to_user for symmetry): > > Hmm, if anything the asm version might be even more straightforward; I think > it's pretty much just this (untested): That's what I thought but it was too late in the day to think in asm. > diff --git a/arch/arm64/lib/copy_to_user.S b/arch/arm64/lib/copy_to_user.S > index 043da90f5dd7..632bf1f9540d 100644 > --- a/arch/arm64/lib/copy_to_user.S > +++ b/arch/arm64/lib/copy_to_user.S > @@ -62,6 +62,9 @@ EXPORT_SYMBOL(__arch_copy_to_user) > > .section .fixup,"ax" > .align 2 > -9998: sub x0, end, dst // bytes not copied > +9998: ldrb w7, [x1] > +USER(9997f, sttrb w7, [x0]) > + add x0, x0, #1 > +9997: sub x0, end, dst // bytes not copied > ret > .previous > > If we can get away without trying to finish the whole copy bytewise, (i.e. > we don't cause any faults of our own by knowingly over-reading in the > routine itself), I'm more than happy with that. I don't think we over-read/write in the routine itself as this is based on the user memcpy() which can't handle faults. And since we got a fault before the end of the copy, we have at least one byte left in the buffer (which may or may not trigger a fault). I wonder whether we should skip the extra byte copy if something was copied, i.e. start the exception handler with: cmp dstin, dst b.ne 9997f That said, the fall-back to bytewise copying may have some advantage. I think we still have the issue where we copy some data to user but report less (STP failing on the second 8-byte when the first had been already written first 8). A byte copy loop would solve this, unless we pass the fault address to the exception handler (I thought you had some patch for this at some point). -- Catalin _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel