From: Catalin Marinas <catalin.marinas@arm.com>
To: Will Deacon <will@kernel.org>
Cc: Robin Murphy <robin.murphy@arm.com>,
linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Chen Huang <chenhuang5@huawei.com>,
Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH] arm64: Avoid premature usercopy failure
Date: Tue, 13 Jul 2021 18:20:46 +0100 [thread overview]
Message-ID: <20210713172045.GD13181@arm.com> (raw)
In-Reply-To: <20210713165957.GA30304@willie-the-truck>
On Tue, Jul 13, 2021 at 05:59:58PM +0100, Will Deacon wrote:
> On Mon, Jul 12, 2021 at 03:27:46PM +0100, Robin Murphy wrote:
> > Al reminds us that the usercopy API must only return complete failure
> > if absolutely nothing could be copied. Currently, if userspace does
> > something silly like giving us an unaligned pointer to Device memory,
> > or a size which overruns MTE tag bounds, we may fail to honour that
> > requirement when faulting on a multi-byte access even though a smaller
> > access could have succeeded.
> >
> > Add a mitigation to the fixup routines to fall back to a single-byte
> > copy if we faulted on a larger access before anything has been written
> > to the destination, to guarantee making *some* forward progress. We
> > needn't be too concerned about the overall performance since this should
> > only occur when callers are doing something a bit dodgy in the first
> > place. Particularly broken userspace might still be able to trick
> > generic_perform_write() into an infinite loop by targeting write() at
> > an mmap() of some read-only device register where the fault-in load
> > succeeds but any store synchronously aborts such that copy_to_user() is
> > genuinely unable to make progress, but, well, don't do that...
> >
> > CC: stable@vger.kernel.org
> > Reported-by: Chen Huang <chenhuang5@huawei.com>
> > Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
> > Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
> > Signed-off-by: Robin Murphy <robin.murphy@arm.com>
> > ---
> >
> > I've started trying the "replay" approach for figuring out more precise
> > remainders in general, but that quickly got more complicated with
> > rebasing the fault address passing stuff, so I'm resending this now as
> > a point fix and will continue to explore that as an improvement on top.
>
> Is it possible to add/extend a selftest for this, please? I think Catalin
> mentioned that before, but not sure if he got anywhere with it.
It's on my to-do list but going on holiday soon. If Robin is keen on
this, I don't really mind ;).
--
Catalin
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: Catalin Marinas <catalin.marinas@arm.com>
To: Will Deacon <will@kernel.org>
Cc: Robin Murphy <robin.murphy@arm.com>,
linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org,
linux-kernel@vger.kernel.org, stable@vger.kernel.org,
Chen Huang <chenhuang5@huawei.com>,
Al Viro <viro@zeniv.linux.org.uk>
Subject: Re: [PATCH] arm64: Avoid premature usercopy failure
Date: Tue, 13 Jul 2021 18:20:46 +0100 [thread overview]
Message-ID: <20210713172045.GD13181@arm.com> (raw)
In-Reply-To: <20210713165957.GA30304@willie-the-truck>
On Tue, Jul 13, 2021 at 05:59:58PM +0100, Will Deacon wrote:
> On Mon, Jul 12, 2021 at 03:27:46PM +0100, Robin Murphy wrote:
> > Al reminds us that the usercopy API must only return complete failure
> > if absolutely nothing could be copied. Currently, if userspace does
> > something silly like giving us an unaligned pointer to Device memory,
> > or a size which overruns MTE tag bounds, we may fail to honour that
> > requirement when faulting on a multi-byte access even though a smaller
> > access could have succeeded.
> >
> > Add a mitigation to the fixup routines to fall back to a single-byte
> > copy if we faulted on a larger access before anything has been written
> > to the destination, to guarantee making *some* forward progress. We
> > needn't be too concerned about the overall performance since this should
> > only occur when callers are doing something a bit dodgy in the first
> > place. Particularly broken userspace might still be able to trick
> > generic_perform_write() into an infinite loop by targeting write() at
> > an mmap() of some read-only device register where the fault-in load
> > succeeds but any store synchronously aborts such that copy_to_user() is
> > genuinely unable to make progress, but, well, don't do that...
> >
> > CC: stable@vger.kernel.org
> > Reported-by: Chen Huang <chenhuang5@huawei.com>
> > Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
> > Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
> > Signed-off-by: Robin Murphy <robin.murphy@arm.com>
> > ---
> >
> > I've started trying the "replay" approach for figuring out more precise
> > remainders in general, but that quickly got more complicated with
> > rebasing the fault address passing stuff, so I'm resending this now as
> > a point fix and will continue to explore that as an improvement on top.
>
> Is it possible to add/extend a selftest for this, please? I think Catalin
> mentioned that before, but not sure if he got anywhere with it.
It's on my to-do list but going on holiday soon. If Robin is keen on
this, I don't really mind ;).
--
Catalin
next prev parent reply other threads:[~2021-07-13 17:22 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-12 14:27 [PATCH] arm64: Avoid premature usercopy failure Robin Murphy
2021-07-12 14:27 ` Robin Murphy
2021-07-13 16:59 ` Will Deacon
2021-07-13 16:59 ` Will Deacon
2021-07-13 17:20 ` Catalin Marinas [this message]
2021-07-13 17:20 ` Catalin Marinas
2021-07-15 17:39 ` Will Deacon
2021-07-15 17:39 ` Will Deacon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210713172045.GD13181@arm.com \
--to=catalin.marinas@arm.com \
--cc=chenhuang5@huawei.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=robin.murphy@arm.com \
--cc=stable@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.