From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751638AbdFFLAi convert rfc822-to-8bit (ORCPT ); Tue, 6 Jun 2017 07:00:38 -0400 Received: from ozlabs.org ([103.22.144.67]:39093 "EHLO ozlabs.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751404AbdFFLAg (ORCPT ); Tue, 6 Jun 2017 07:00:36 -0400 From: Michael Ellerman To: christophe leroy , Benjamin Herrenschmidt , Paul Mackerras , Scott Wood Cc: linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org Subject: Re: [PATCH 2/5] powerpc/mm: split store_updates_sp() in two parts in do_page_fault() In-Reply-To: <97200860-c6da-9d4d-fb53-2aa9c9ca655f@c-s.fr> References: <58f17a04cee5726467ef4e283dfbd7da68fa6ab4.1492606298.git.christophe.leroy@c-s.fr> <871sr23flh.fsf@concordia.ellerman.id.au> <6daf8f4e-9b39-d585-2c64-9b0348fef123@c-s.fr> <87shjer9vx.fsf@concordia.ellerman.id.au> <97200860-c6da-9d4d-fb53-2aa9c9ca655f@c-s.fr> User-Agent: Notmuch/0.21 (https://notmuchmail.org) Date: Tue, 06 Jun 2017 21:00:27 +1000 Message-ID: <87r2yxpeic.fsf@concordia.ellerman.id.au> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org christophe leroy writes: > Le 05/06/2017 à 12:45, Michael Ellerman a écrit : >> Christophe LEROY writes: >> >>> Le 02/06/2017 à 11:26, Michael Ellerman a écrit : >>>> Christophe Leroy writes: >>>> >>>>> Only the get_user() in store_updates_sp() has to be done outside >>>>> the mm semaphore. All the comparison can be done within the semaphore, >>>>> so only when really needed. >>>>> >>>>> As we got a DSI exception, the address pointed by regs->nip is >>>>> obviously valid, otherwise we would have had a instruction exception. >>>>> So __get_user() can be used instead of get_user() >>>> >>>> I don't think that part is true. >>>> >>>> You took a DSI so there *was* an instruction at NIP, but since then it >>>> may have been unmapped by another thread. >>>> >>>> So I don't think you can assume the get_user() will succeed. >>> >>> The difference between get_user() and __get_user() is that get_user() >>> performs an access_ok() in addition. >>> >>> Doesn't access_ok() only checks whether addr is below TASK_SIZE to >>> ensure it is a valid user address ? >> >> Yeah more or less, via some gross macros. >> >> I was actually not that worried about the switch from get_user() to >> __get_user(), but rather that you removed the check of the return value. >> ie. >> >> - if (get_user(inst, (unsigned int __user *)regs->nip)) >> - return 0; >> >> Became: >> >> if (is_write && user_mode(regs)) >> - store_update_sp = store_updates_sp(regs); >> + __get_user(inst, (unsigned int __user *)regs->nip); >> >> >> I think dropping the access_ok() probably is alright, because the NIP >> must (should!) have been in userspace, though as Ben says it's always >> good to be paranoid. >> >> But ignoring that the address can fault at all is wrong AFAICS. > > I see what you mean now. > > Indeed, > > - unsigned int inst; > > Became > > + unsigned int inst = 0; > > Since __get_user() doesn't modify 'inst' in case of error, 'inst' > remains 0, and store_updates_sp(0) return false. That was the idea behind. Ugh. OK, my bad. Though it is a little subtle. How about: @@ -286,10 +290,13 @@ int do_page_fault(struct pt_regs *regs, unsigned long address, /* * We want to do this outside mmap_sem, because reading code around nip * can result in fault, which will cause a deadlock when called with - * mmap_sem held + * mmap_sem held. We don't need to check if get_user() fails, if it does + * it won't modify inst, and an inst of 0 will return false from + * store_updates_sp(). */ + inst = 0; if (is_write && is_user) - store_update_sp = store_updates_sp(regs); + get_user(inst, (unsigned int __user *)regs->nip); if (is_user) flags |= FAULT_FLAG_USER; Then this one can go in. cheers From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from ozlabs.org (ozlabs.org [IPv6:2401:3900:2:1::2]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 3whpct386dzDqMH for ; Tue, 6 Jun 2017 21:00:30 +1000 (AEST) From: Michael Ellerman To: christophe leroy , Benjamin Herrenschmidt , Paul Mackerras , Scott Wood Cc: linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org Subject: Re: [PATCH 2/5] powerpc/mm: split store_updates_sp() in two parts in do_page_fault() In-Reply-To: <97200860-c6da-9d4d-fb53-2aa9c9ca655f@c-s.fr> References: <58f17a04cee5726467ef4e283dfbd7da68fa6ab4.1492606298.git.christophe.leroy@c-s.fr> <871sr23flh.fsf@concordia.ellerman.id.au> <6daf8f4e-9b39-d585-2c64-9b0348fef123@c-s.fr> <87shjer9vx.fsf@concordia.ellerman.id.au> <97200860-c6da-9d4d-fb53-2aa9c9ca655f@c-s.fr> Date: Tue, 06 Jun 2017 21:00:27 +1000 Message-ID: <87r2yxpeic.fsf@concordia.ellerman.id.au> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , christophe leroy writes: > Le 05/06/2017 =C3=A0 12:45, Michael Ellerman a =C3=A9crit : >> Christophe LEROY writes: >> >>> Le 02/06/2017 =C3=A0 11:26, Michael Ellerman a =C3=A9crit : >>>> Christophe Leroy writes: >>>> >>>>> Only the get_user() in store_updates_sp() has to be done outside >>>>> the mm semaphore. All the comparison can be done within the semaphore, >>>>> so only when really needed. >>>>> >>>>> As we got a DSI exception, the address pointed by regs->nip is >>>>> obviously valid, otherwise we would have had a instruction exception. >>>>> So __get_user() can be used instead of get_user() >>>> >>>> I don't think that part is true. >>>> >>>> You took a DSI so there *was* an instruction at NIP, but since then it >>>> may have been unmapped by another thread. >>>> >>>> So I don't think you can assume the get_user() will succeed. >>> >>> The difference between get_user() and __get_user() is that get_user() >>> performs an access_ok() in addition. >>> >>> Doesn't access_ok() only checks whether addr is below TASK_SIZE to >>> ensure it is a valid user address ? >> >> Yeah more or less, via some gross macros. >> >> I was actually not that worried about the switch from get_user() to >> __get_user(), but rather that you removed the check of the return value. >> ie. >> >> - if (get_user(inst, (unsigned int __user *)regs->nip)) >> - return 0; >> >> Became: >> >> if (is_write && user_mode(regs)) >> - store_update_sp =3D store_updates_sp(regs); >> + __get_user(inst, (unsigned int __user *)regs->nip); >> >> >> I think dropping the access_ok() probably is alright, because the NIP >> must (should!) have been in userspace, though as Ben says it's always >> good to be paranoid. >> >> But ignoring that the address can fault at all is wrong AFAICS. > > I see what you mean now. > > Indeed, > > - unsigned int inst; > > Became > > + unsigned int inst =3D 0; > > Since __get_user() doesn't modify 'inst' in case of error, 'inst'=20 > remains 0, and store_updates_sp(0) return false. That was the idea behind. Ugh. OK, my bad. Though it is a little subtle. How about: @@ -286,10 +290,13 @@ int do_page_fault(struct pt_regs *regs, unsigned long= address, /* * We want to do this outside mmap_sem, because reading code around= nip * can result in fault, which will cause a deadlock when called with - * mmap_sem held + * mmap_sem held. We don't need to check if get_user() fails, if it= does + * it won't modify inst, and an inst of 0 will return false from + * store_updates_sp(). */ + inst =3D 0; if (is_write && is_user) - store_update_sp =3D store_updates_sp(regs); + get_user(inst, (unsigned int __user *)regs->nip); =20 if (is_user) flags |=3D FAULT_FLAG_USER; Then this one can go in. cheers