From: Alexey Kardashevskiy <aik@ozlabs.ru>
To: "Aneesh Kumar K.V" <aneesh.kumar@linux.ibm.com>,
linuxppc-dev@lists.ozlabs.org
Cc: Nicholas Piggin <npiggin@gmail.com>
Subject: Re: [PATCH kernel v2] powerpc/kuap: Restore AMR after replaying soft interrupts
Date: Thu, 3 Dec 2020 19:10:54 +1100 [thread overview]
Message-ID: <b095472b-e7d2-65e0-0936-f3b018c12367@ozlabs.ru> (raw)
In-Reply-To: <87zh2vjsxg.fsf@linux.ibm.com>
On 03/12/2020 17:38, Aneesh Kumar K.V wrote:
> Alexey Kardashevskiy <aik@ozlabs.ru> writes:
>
>> When interrupted in raw_copy_from_user()/... after user memory access
>> is enabled, a nested handler may also access user memory (perf is
>> one example) and when it does so, it calls prevent_read_from_user()
>> which prevents the upper handler from accessing user memory.
>>
>> This saves/restores AMR when replaying interrupts.
>>
>> get_kuap/set_kuap have stubs for disabled KUAP on RADIX but there are
>> none for hash-only configs (BOOK3E) so this adds stubs and moves
>> AMR_KUAP_BLOCK_xxx.
>>
>> Found by syzkaller. More likely to break with enabled
>> CONFIG_DEBUG_ATOMIC_SLEEP, the call chain is
>> timer_interrupt -> ktime_get -> read_seqcount_begin -> local_irq_restore.
>
> Can you test this with https://github.com/kvaneesh/linux/commits/hash-kuap-reworked-2
Yup, broken:
[ 8.813115] ------------[ cut here ]------------
[ 8.813499] Bug: Read fault blocked by AMR!
[ 8.813532] WARNING: CPU: 0 PID: 1113 at
/home/aik/p/kernel/arch/powerpc/include/asm/book3s/64/kup.h:369
__do_page_fault+0xd
34/0xdf0
[ 8.814248] Modules linked in:
[ 8.814459] CPU: 0 PID: 1113 Comm: amr Not tainted
5.10.0-rc4_aneesh--hash-kuap-reworked-2_a+fstn1 #61
[ 8.815075] NIP: c0000000000a4674 LR: c0000000000a4670 CTR:
0000000000000000
[ 8.815632] REGS: c00000000d44f530 TRAP: 0700 Not tainted
(5.10.0-rc4_aneesh--hash-kuap-reworked-2_a+fstn1)
> We do save restore AMR on interrupt entry and exit.
This is nested interrupt. we get interrupted while copying to/from user.
The first handler has AMR off, then it goes to strncpy_from_user,
enables AMR, page fault happens and another interrupt arrives - and if
the new interrupt also wants strncpy_from_user/co, it will enable AMR
again (which is ok), do copy and then disable AMR; and then we go back
and resume the first strncpy_from_user which thinks AMR is enabling
while it is not. I just see how strncpy_from_user is called while
strncpy_from_user is running. Nick understands the mechanics better.
I can give you an initramdisk which crashes in a millisecond, ping me in
slack.
--
Alexey
next prev parent reply other threads:[~2020-12-03 8:12 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-03 5:47 [PATCH kernel v2] powerpc/kuap: Restore AMR after replaying soft interrupts Alexey Kardashevskiy
2020-12-03 6:38 ` Aneesh Kumar K.V
2020-12-03 8:10 ` Alexey Kardashevskiy [this message]
2020-12-03 7:41 ` kernel test robot
2020-12-03 8:03 ` Christophe Leroy
2020-12-03 8:13 ` Alexey Kardashevskiy
2020-12-04 21:02 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b095472b-e7d2-65e0-0936-f3b018c12367@ozlabs.ru \
--to=aik@ozlabs.ru \
--cc=aneesh.kumar@linux.ibm.com \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=npiggin@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).