From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-13.2 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,INCLUDES_CR_TRAILER,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A9739C07E96 for ; Tue, 13 Jul 2021 17:00:05 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 84750611AC for ; Tue, 13 Jul 2021 17:00:05 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232455AbhGMRCy (ORCPT ); Tue, 13 Jul 2021 13:02:54 -0400 Received: from mail.kernel.org ([198.145.29.99]:46450 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229604AbhGMRCx (ORCPT ); Tue, 13 Jul 2021 13:02:53 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id C332161279; Tue, 13 Jul 2021 17:00:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1626195603; bh=7qTlaialpc3o6/uKYhiOxUmmY9YiuNQpL0hx8sWkp4Q=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=QHF91szFngKequpv/wK720OMgleZ7Q1M5Iqxd7NBNUZ2b+Pj4qg/XZ5e0c55jiNEq 2szr9NiXqUb4G6ff51z+5mJkiX/bix+6UiGMdYt1cOELmgYZCHqVNm2leayUh1sED6 WCjIoIG6KiwheZTaaB8d6HnTPLfBo8d9VrCsK6JOuWW7anYbDLJYKMkQs6uojJNYoF LGFtU699Ol46wpP83X0ChZK70eswBThWmKK3Da+b9ObY/FToqsqa1VUC6545dQ/V5s h0EyA3L6CLnjizDWqmWEn10tm6AAyGnygIgIYMzqGFTWQyH/KUPiRRYmYrK1wsOTCg +JxoPt6N7tS4Q== Date: Tue, 13 Jul 2021 17:59:58 +0100 From: Will Deacon To: Robin Murphy Cc: catalin.marinas@arm.com, linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Chen Huang , Al Viro Subject: Re: [PATCH] arm64: Avoid premature usercopy failure Message-ID: <20210713165957.GA30304@willie-the-truck> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jul 12, 2021 at 03:27:46PM +0100, Robin Murphy wrote: > Al reminds us that the usercopy API must only return complete failure > if absolutely nothing could be copied. Currently, if userspace does > something silly like giving us an unaligned pointer to Device memory, > or a size which overruns MTE tag bounds, we may fail to honour that > requirement when faulting on a multi-byte access even though a smaller > access could have succeeded. > > Add a mitigation to the fixup routines to fall back to a single-byte > copy if we faulted on a larger access before anything has been written > to the destination, to guarantee making *some* forward progress. We > needn't be too concerned about the overall performance since this should > only occur when callers are doing something a bit dodgy in the first > place. Particularly broken userspace might still be able to trick > generic_perform_write() into an infinite loop by targeting write() at > an mmap() of some read-only device register where the fault-in load > succeeds but any store synchronously aborts such that copy_to_user() is > genuinely unable to make progress, but, well, don't do that... > > CC: stable@vger.kernel.org > Reported-by: Chen Huang > Suggested-by: Al Viro > Reviewed-by: Catalin Marinas > Signed-off-by: Robin Murphy > --- > > I've started trying the "replay" approach for figuring out more precise > remainders in general, but that quickly got more complicated with > rebasing the fault address passing stuff, so I'm resending this now as > a point fix and will continue to explore that as an improvement on top. Is it possible to add/extend a selftest for this, please? I think Catalin mentioned that before, but not sure if he got anywhere with it. Will From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.2 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,INCLUDES_CR_TRAILER,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 3E7D7C07E95 for ; Tue, 13 Jul 2021 17:01:49 +0000 (UTC) Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id F3EC261249 for ; Tue, 13 Jul 2021 17:01:48 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org F3EC261249 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=kernel.org Authentication-Results: mail.kernel.org; spf=none smtp.mailfrom=linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=BcBNx+w0me2TGidjSSzHruuLQjIbdhrzGsIDkN7kloI=; b=mR1a3ZV7GwQclQ Q4T8bo/FlpqO3EUtg5VC9TRoks+bG1AGD4R3K66y9iun9n9JAdotEpdWSnbfx8RpJ+ep5Yrpusgb2 hz9rpWgWOFMdx82wxy6xOTxDAjDtnYE+jEOwfpwtJZXGckgb/5ORiANFblE6vwKqLH4xfC5T4q8Xp 9+B+a0vRl2Sk3TdIg6sgv/k+Ynk8d72K37qDPoPycVpxa4tILa4f2xtoudBke7hSWD4DH/bybkVUa 0W7EY4YYpo8gkehTbILdlMUtye27tTxFYLPdcHK4MslsPrDJPT7lKnLxO9vTJzE+T7+LBGamzKp7J ykFx5wjT+xBx9g1Oraqw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1m3LlY-00AzoV-7T; Tue, 13 Jul 2021 17:00:16 +0000 Received: from mail.kernel.org ([198.145.29.99]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1m3LlL-00AzlY-Fm for linux-arm-kernel@lists.infradead.org; Tue, 13 Jul 2021 17:00:04 +0000 Received: by mail.kernel.org (Postfix) with ESMTPSA id C332161279; Tue, 13 Jul 2021 17:00:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1626195603; bh=7qTlaialpc3o6/uKYhiOxUmmY9YiuNQpL0hx8sWkp4Q=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=QHF91szFngKequpv/wK720OMgleZ7Q1M5Iqxd7NBNUZ2b+Pj4qg/XZ5e0c55jiNEq 2szr9NiXqUb4G6ff51z+5mJkiX/bix+6UiGMdYt1cOELmgYZCHqVNm2leayUh1sED6 WCjIoIG6KiwheZTaaB8d6HnTPLfBo8d9VrCsK6JOuWW7anYbDLJYKMkQs6uojJNYoF LGFtU699Ol46wpP83X0ChZK70eswBThWmKK3Da+b9ObY/FToqsqa1VUC6545dQ/V5s h0EyA3L6CLnjizDWqmWEn10tm6AAyGnygIgIYMzqGFTWQyH/KUPiRRYmYrK1wsOTCg +JxoPt6N7tS4Q== Date: Tue, 13 Jul 2021 17:59:58 +0100 From: Will Deacon To: Robin Murphy Cc: catalin.marinas@arm.com, linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Chen Huang , Al Viro Subject: Re: [PATCH] arm64: Avoid premature usercopy failure Message-ID: <20210713165957.GA30304@willie-the-truck> References: MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210713_100003_613059_54DBC64D X-CRM114-Status: GOOD ( 21.54 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Mon, Jul 12, 2021 at 03:27:46PM +0100, Robin Murphy wrote: > Al reminds us that the usercopy API must only return complete failure > if absolutely nothing could be copied. Currently, if userspace does > something silly like giving us an unaligned pointer to Device memory, > or a size which overruns MTE tag bounds, we may fail to honour that > requirement when faulting on a multi-byte access even though a smaller > access could have succeeded. > > Add a mitigation to the fixup routines to fall back to a single-byte > copy if we faulted on a larger access before anything has been written > to the destination, to guarantee making *some* forward progress. We > needn't be too concerned about the overall performance since this should > only occur when callers are doing something a bit dodgy in the first > place. Particularly broken userspace might still be able to trick > generic_perform_write() into an infinite loop by targeting write() at > an mmap() of some read-only device register where the fault-in load > succeeds but any store synchronously aborts such that copy_to_user() is > genuinely unable to make progress, but, well, don't do that... > > CC: stable@vger.kernel.org > Reported-by: Chen Huang > Suggested-by: Al Viro > Reviewed-by: Catalin Marinas > Signed-off-by: Robin Murphy > --- > > I've started trying the "replay" approach for figuring out more precise > remainders in general, but that quickly got more complicated with > rebasing the fault address passing stuff, so I'm resending this now as > a point fix and will continue to explore that as an improvement on top. Is it possible to add/extend a selftest for this, please? I think Catalin mentioned that before, but not sure if he got anywhere with it. Will _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel