From: Mark Rutland <mark.rutland@arm.com>
To: linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org
Cc: Richard Henderson <rth@twiddle.net>,
Ivan Kokshaysky <ink@jurassic.park.msu.ru>,
Matt Turner <mattst88@gmail.com>,
Brian Cain <bcain@codeaurora.org>,
Tony Luck <tony.luck@intel.com>,
Fenghua Yu <fenghua.yu@intel.com>,
Geert Uytterhoeven <geert@linux-m68k.org>,
Michal Simek <monstr@monstr.eu>,
Thomas Bogendoerfer <tsbogend@alpha.franken.de>,
Ley Foon Tan <ley.foon.tan@intel.com>,
Jonas Bonn <jonas@southpole.se>,
Stefan Kristiansson <stefan.kristiansson@saunalahti.fi>,
Stafford Horne <shorne@gmail.com>,
"James E.J. Bottomley" <James.Bottomley@HansenPartnership.com>,
Helge Deller <deller@gmx.de>,
Paul Walmsley <paul.walmsley@sifive.com>,
Palmer Dabbelt <palmer@dabbelt.com>,
Albert Ou <aou@eecs.berkeley.edu>,
"David S. Miller" <davem@davemloft.net>,
Chris Zankel <chris@zankel.net>,
Max Filippov <jcmvbkbc@gmail.com>
Subject: Fatal signal handling within uaccess faults
Date: Thu, 21 Jan 2021 12:31:40 +0000 [thread overview]
Message-ID: <20210121123140.GD48431@C02TD0UTHF1T.local> (raw)
Hi all,
Arch maintainers, if you are Cc'd I believe your architecture has a
user-triggerable livelock; please see below for details. Apologies in
advance if I am mistaken!
I believe the following architectures ARE affected:
alpha, hexagon, ia64, m68k, microblaze, mips, nios2, openrisc,
parisc, riscv, sparc (32 & 64), xtensa
I believe the following architectures ARE NOT affected:
arc, arm, arm64, c6x, h8300, nds32, powerpc, s390, sh, x86
... and csky has a fix pending as of today.
The issue is that in the fault handling path, architectures have a check
with the shape:
| if (fault_signal_pending(fault, regs))
| return;
... where if a uaccess (e.g. get_user()) triggers a fault and there's a
fault signal pending, the handler will return to the uaccess without
having performed a uaccess fault fixup, and so the CPU will immediately
execute the uaccess instruction again, whereupon it will livelock
bouncing between that instruction and the fault handler.
The architectures (with an MMU) which are not affected apply the uaccess
fixup, and so return to the error handler for the uaccess, and make
forward progress. Usually, this looks something like:
| if (fault_signal_pending(fault, regs)) {
| if (!user_mode(regs))
| goto no_context; // or fixup_exception(...), etc
| return;
| }
I believe similar changes need to be made to each of the architectures
I've listed as affected above.
This was previously reported back in July 2017:
https://lore.kernel.org/lkml/20170822102527.GA14671@leverpostej/
... but it looks like it looks like that wasn't sufficiently visible, so
I'm poking folk explicitly this time around.
I believe that this can be triggered with the test case below,
duplicated from the previous posting. If the architecture is affected,
it will not be possible to kill the test program with any signal.
Thanks,
Mark.
---->8----
#include <errno.h>
#include <linux/userfaultfd.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/vfs.h>
#include <unistd.h>
int main(int argc, char *argv[])
{
void *mem;
long pagesz;
int uffd, ret;
struct uffdio_api api = {
.api = UFFD_API
};
struct uffdio_register reg;
pagesz = sysconf(_SC_PAGESIZE);
if (pagesz < 0) {
return errno;
}
mem = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (mem == MAP_FAILED)
return errno;
uffd = syscall(__NR_userfaultfd, 0);
if (uffd < 0)
return errno;
ret = ioctl(uffd, UFFDIO_API, &api);
if (ret < 0)
return errno;
reg = (struct uffdio_register) {
.range = {
.start = (unsigned long)mem,
.len = pagesz
},
.mode = UFFDIO_REGISTER_MODE_MISSING
};
ret = ioctl(uffd, UFFDIO_REGISTER, ®);
if (ret < 0)
return errno;
/*
* Force an arbitrary uaccess to memory monitored by the userfaultfd.
* This will block, but when a SIGKILL is sent, will consume all
* available CPU time without being killed, and may inhibit forward
* progress of the system.
*/
ret = fstatfs(0, (struct statfs *)mem);
return 0;
}
reply other threads:[~2021-01-21 12:34 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210121123140.GD48431@C02TD0UTHF1T.local \
--to=mark.rutland@arm.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=aou@eecs.berkeley.edu \
--cc=bcain@codeaurora.org \
--cc=chris@zankel.net \
--cc=davem@davemloft.net \
--cc=deller@gmx.de \
--cc=fenghua.yu@intel.com \
--cc=geert@linux-m68k.org \
--cc=ink@jurassic.park.msu.ru \
--cc=jcmvbkbc@gmail.com \
--cc=jonas@southpole.se \
--cc=ley.foon.tan@intel.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mattst88@gmail.com \
--cc=monstr@monstr.eu \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=rth@twiddle.net \
--cc=shorne@gmail.com \
--cc=stefan.kristiansson@saunalahti.fi \
--cc=tony.luck@intel.com \
--cc=tsbogend@alpha.franken.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).