From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.3 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,MAILING_LIST_MULTI, SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7921BC11F66 for ; Tue, 13 Jul 2021 17:20:57 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 59FAE610D1 for ; Tue, 13 Jul 2021 17:20:57 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232813AbhGMRXq (ORCPT ); Tue, 13 Jul 2021 13:23:46 -0400 Received: from mail.kernel.org ([198.145.29.99]:50440 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229454AbhGMRXp (ORCPT ); Tue, 13 Jul 2021 13:23:45 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id E778661183; Tue, 13 Jul 2021 17:20:53 +0000 (UTC) Date: Tue, 13 Jul 2021 18:20:46 +0100 From: Catalin Marinas To: Will Deacon Cc: Robin Murphy , linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Chen Huang , Al Viro Subject: Re: [PATCH] arm64: Avoid premature usercopy failure Message-ID: <20210713172045.GD13181@arm.com> References: <20210713165957.GA30304@willie-the-truck> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210713165957.GA30304@willie-the-truck> User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jul 13, 2021 at 05:59:58PM +0100, Will Deacon wrote: > On Mon, Jul 12, 2021 at 03:27:46PM +0100, Robin Murphy wrote: > > Al reminds us that the usercopy API must only return complete failure > > if absolutely nothing could be copied. Currently, if userspace does > > something silly like giving us an unaligned pointer to Device memory, > > or a size which overruns MTE tag bounds, we may fail to honour that > > requirement when faulting on a multi-byte access even though a smaller > > access could have succeeded. > > > > Add a mitigation to the fixup routines to fall back to a single-byte > > copy if we faulted on a larger access before anything has been written > > to the destination, to guarantee making *some* forward progress. We > > needn't be too concerned about the overall performance since this should > > only occur when callers are doing something a bit dodgy in the first > > place. Particularly broken userspace might still be able to trick > > generic_perform_write() into an infinite loop by targeting write() at > > an mmap() of some read-only device register where the fault-in load > > succeeds but any store synchronously aborts such that copy_to_user() is > > genuinely unable to make progress, but, well, don't do that... > > > > CC: stable@vger.kernel.org > > Reported-by: Chen Huang > > Suggested-by: Al Viro > > Reviewed-by: Catalin Marinas > > Signed-off-by: Robin Murphy > > --- > > > > I've started trying the "replay" approach for figuring out more precise > > remainders in general, but that quickly got more complicated with > > rebasing the fault address passing stuff, so I'm resending this now as > > a point fix and will continue to explore that as an improvement on top. > > Is it possible to add/extend a selftest for this, please? I think Catalin > mentioned that before, but not sure if he got anywhere with it. It's on my to-do list but going on holiday soon. If Robin is keen on this, I don't really mind ;). -- Catalin