From: Mark Rutland <mark.rutland@arm.com>
To: Tong Tiangen <tongtiangen@huawei.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, linux-mm@kvack.org
Subject: Re: [RFC PATCH -next V2 5/7] arm64: add get_user to machine check safe
Date: Fri, 8 Apr 2022 16:22:22 +0100 [thread overview]
Message-ID: <YlBTLn1cf7+gJmiM@lakrids> (raw)
In-Reply-To: <ac80045b-24f0-a163-ea96-be0d01c48d29@huawei.com>
On Thu, Apr 07, 2022 at 10:38:04PM +0800, Tong Tiangen wrote:
> 在 2022/4/6 19:22, Mark Rutland 写道:
> > On Wed, Apr 06, 2022 at 09:13:09AM +0000, Tong Tiangen wrote:
> > > Add scenarios get_user to machine check safe. The processing of
> > > EX_TYPE_UACCESS_ERR_ZERO and EX_TYPE_UACCESS_ERR_ZERO_UCE_RECOVERY is same
> > > and both return -EFAULT.
> >
> > Which uaccess cases do we expect to *not* be recoverable?
> >
> > Naively I would assume that if we're going to treat a memory error on a uaccess
> > as fatal to userspace we should be able to do that for *any* uacesses.
> >
> > The commit message should explain why we need the distinction between a
> > recoverable uaccess and a non-recoverable uaccess.
> >
> > Thanks,
> > Mark.
>
> Currently, any memory error consumed in kernel mode will lead to panic
> (do_sea()).
>
> My idea is that not all memory errors consumed in kernel mode are fatal,
> such as copy_ from_ user/get_ user is a memory error consumed when
> reading user data in the process context. In this case, we can not let the
> kernel panic, just kill the process without affecting the operation
> of the system.
I understood this part.
> However, not all uaccess can be recovered without affecting the normal
> operation of the system. The key is not whether it is uaccess, but whether
> there are key data affecting the normal operation of the system in the read
> page.
Ok. Can you give an example of such a case where the a uaccess that hits
a memory error must be fatal?
I think you might be trying to say that for copy_{to,from}_user() we can
make that judgement, but those are combined user+kernel access
primitives, and the *uaccess* part should never be reading from a page
with "key data affecting the normal operation of the system", since
that's userspace memory.
Is there any *userspace access* (e.g. where we use LDTR/STTR today)
where we must treat a memory error as fatal to the system?
Thanks,
Mark.
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: Mark Rutland <mark.rutland@arm.com>
To: Tong Tiangen <tongtiangen@huawei.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>,
Alexander Viro <viro@zeniv.linux.org.uk>,
x86@kernel.org, "H. Peter Anvin" <hpa@zytor.com>,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, linux-mm@kvack.org
Subject: Re: [RFC PATCH -next V2 5/7] arm64: add get_user to machine check safe
Date: Fri, 8 Apr 2022 16:22:22 +0100 [thread overview]
Message-ID: <YlBTLn1cf7+gJmiM@lakrids> (raw)
In-Reply-To: <ac80045b-24f0-a163-ea96-be0d01c48d29@huawei.com>
On Thu, Apr 07, 2022 at 10:38:04PM +0800, Tong Tiangen wrote:
> 在 2022/4/6 19:22, Mark Rutland 写道:
> > On Wed, Apr 06, 2022 at 09:13:09AM +0000, Tong Tiangen wrote:
> > > Add scenarios get_user to machine check safe. The processing of
> > > EX_TYPE_UACCESS_ERR_ZERO and EX_TYPE_UACCESS_ERR_ZERO_UCE_RECOVERY is same
> > > and both return -EFAULT.
> >
> > Which uaccess cases do we expect to *not* be recoverable?
> >
> > Naively I would assume that if we're going to treat a memory error on a uaccess
> > as fatal to userspace we should be able to do that for *any* uacesses.
> >
> > The commit message should explain why we need the distinction between a
> > recoverable uaccess and a non-recoverable uaccess.
> >
> > Thanks,
> > Mark.
>
> Currently, any memory error consumed in kernel mode will lead to panic
> (do_sea()).
>
> My idea is that not all memory errors consumed in kernel mode are fatal,
> such as copy_ from_ user/get_ user is a memory error consumed when
> reading user data in the process context. In this case, we can not let the
> kernel panic, just kill the process without affecting the operation
> of the system.
I understood this part.
> However, not all uaccess can be recovered without affecting the normal
> operation of the system. The key is not whether it is uaccess, but whether
> there are key data affecting the normal operation of the system in the read
> page.
Ok. Can you give an example of such a case where the a uaccess that hits
a memory error must be fatal?
I think you might be trying to say that for copy_{to,from}_user() we can
make that judgement, but those are combined user+kernel access
primitives, and the *uaccess* part should never be reading from a page
with "key data affecting the normal operation of the system", since
that's userspace memory.
Is there any *userspace access* (e.g. where we use LDTR/STTR today)
where we must treat a memory error as fatal to the system?
Thanks,
Mark.
next prev parent reply other threads:[~2022-04-08 15:23 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-06 9:13 [RFC PATCH -next V2 0/7]arm64: add machine check safe support Tong Tiangen
2022-04-06 9:13 ` Tong Tiangen
2022-04-06 9:13 ` [RFC PATCH -next V2 1/7] x86: fix copy_mc_to_user compile error Tong Tiangen
2022-04-06 9:13 ` Tong Tiangen
2022-04-06 9:22 ` Borislav Petkov
2022-04-06 9:22 ` Borislav Petkov
2022-04-06 10:02 ` Tong Tiangen
2022-04-06 10:02 ` Tong Tiangen
2022-04-06 9:13 ` [RFC PATCH -next V2 2/7] arm64: fix page_address return value in copy_highpage Tong Tiangen
2022-04-06 9:13 ` Tong Tiangen
2022-04-06 10:22 ` Mark Rutland
2022-04-06 10:22 ` Mark Rutland
2022-04-06 12:47 ` Tong Tiangen
2022-04-06 12:47 ` Tong Tiangen
2022-04-06 9:13 ` [RFC PATCH -next V2 3/7] arm64: add support for machine check error safe Tong Tiangen
2022-04-06 9:13 ` Tong Tiangen
2022-04-06 10:58 ` Mark Rutland
2022-04-06 10:58 ` Mark Rutland
2022-04-07 14:26 ` Tong Tiangen
2022-04-07 14:26 ` Tong Tiangen
2022-04-06 9:13 ` [RFC PATCH -next V2 4/7] arm64: add copy_from_user to machine check safe Tong Tiangen
2022-04-06 9:13 ` Tong Tiangen
2022-04-06 11:19 ` Mark Rutland
2022-04-06 11:19 ` Mark Rutland
2022-04-07 14:28 ` Tong Tiangen
2022-04-07 14:28 ` Tong Tiangen
2022-04-06 9:13 ` [RFC PATCH -next V2 5/7] arm64: add get_user " Tong Tiangen
2022-04-06 9:13 ` Tong Tiangen
2022-04-06 11:22 ` Mark Rutland
2022-04-06 11:22 ` Mark Rutland
2022-04-07 14:38 ` Tong Tiangen
2022-04-07 14:38 ` Tong Tiangen
2022-04-08 15:22 ` Mark Rutland [this message]
2022-04-08 15:22 ` Mark Rutland
2022-04-09 9:17 ` Tong Tiangen
2022-04-09 9:17 ` Tong Tiangen
2022-04-06 9:13 ` [RFC PATCH -next V2 6/7] arm64: add cow " Tong Tiangen
2022-04-06 9:13 ` Tong Tiangen
2022-04-06 9:13 ` [RFC PATCH -next V2 7/7] arm64: add pagecache reading " Tong Tiangen
2022-04-06 9:13 ` Tong Tiangen
2022-04-06 11:27 ` Mark Rutland
2022-04-06 11:27 ` Mark Rutland
2022-04-07 14:56 ` Tong Tiangen
2022-04-07 14:56 ` Tong Tiangen
2022-04-07 15:53 ` Robin Murphy
2022-04-07 15:53 ` Robin Murphy
2022-04-08 2:43 ` Tong Tiangen
2022-04-08 2:43 ` Tong Tiangen
2022-04-08 11:11 ` Robin Murphy
2022-04-08 11:11 ` Robin Murphy
2022-04-09 9:24 ` Tong Tiangen
2022-04-09 9:24 ` Tong Tiangen
2022-04-06 10:04 ` [RFC PATCH -next V2 0/7]arm64: add machine check safe support Mark Rutland
2022-04-06 10:04 ` Mark Rutland
2022-04-07 4:21 ` Tong Tiangen
2022-04-07 4:21 ` Tong Tiangen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YlBTLn1cf7+gJmiM@lakrids \
--to=mark.rutland@arm.com \
--cc=akpm@linux-foundation.org \
--cc=bp@alien8.de \
--cc=catalin.marinas@arm.com \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mingo@redhat.com \
--cc=tglx@linutronix.de \
--cc=tongtiangen@huawei.com \
--cc=viro@zeniv.linux.org.uk \
--cc=will@kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.