From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 3CB83D15DA5 for ; Mon, 21 Oct 2024 15:11:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:In-Reply-To:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=/lUlrp8VyGT3Ya0UwKYQKZzPcfODNtuUqLv7ONGsLZ8=; b=hHjBMJ3QohnRH2kvK50cKLXQL2 C3b7J7nti2y/93CluuMiYCmBhG8nmUGQddsVTvM2KPITPZdrayWmdFs6Ht0ofGn0Xa18OrgFATB9R 7o5PTrJ6SlJ6mBR+Yh953l2HZDv++wQCQbb420pYUiSie7WM4h5jjzmJi0TQ4/8N7id2tGQu+U0AA w2cYW9xF49BmRJyuk/U1iUQM1cGUAKmJpXHsulhN5IZmpuUoFLwXpPonQKgalpPdhLDynQla40Ie/ DTIuMcaic9+zTmJQ+8G0yt7NUq8+auxHnBwuMdZ9AwT/ELu+gUCr5BUXkh8oDf4rSII2kTaOlFzY1 WWc4qKpg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.98 #2 (Red Hat Linux)) id 1t2u45-00000007jnc-2P3u; Mon, 21 Oct 2024 15:11:25 +0000 Received: from foss.arm.com ([217.140.110.172]) by bombadil.infradead.org with esmtp (Exim 4.98 #2 (Red Hat Linux)) id 1t2tYe-00000007dui-15GX for linux-arm-kernel@lists.infradead.org; Mon, 21 Oct 2024 14:38:58 +0000 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 9CF9CDA7; Mon, 21 Oct 2024 07:39:22 -0700 (PDT) Received: from e133380.arm.com (e133380.arm.com [10.1.197.69]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 983893F73B; Mon, 21 Oct 2024 07:38:50 -0700 (PDT) Date: Mon, 21 Oct 2024 15:38:47 +0100 From: Dave Martin To: Kevin Brodsky Cc: linux-arm-kernel@lists.infradead.org, akpm@linux-foundation.org, anshuman.khandual@arm.com, aruna.ramakrishna@oracle.com, broonie@kernel.org, catalin.marinas@arm.com, dave.hansen@linux.intel.com, jeffxu@chromium.org, joey.gouly@arm.com, shuah@kernel.org, will@kernel.org, linux-kselftest@vger.kernel.org, x86@kernel.org Subject: Re: [PATCH 3/5] arm64: signal: Improve POR_EL0 handling to avoid uaccess failures Message-ID: References: <20241017133909.3837547-1-kevin.brodsky@arm.com> <20241017133909.3837547-4-kevin.brodsky@arm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20241021_073856_414309_1221260E X-CRM114-Status: GOOD ( 38.23 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Hi, Just in case the reply I thought I'd sent to this evaporated (or I imagined it): On Mon, Oct 21, 2024 at 12:06:07PM +0200, Kevin Brodsky wrote: > On 17/10/2024 17:53, Dave Martin wrote: > > [...] > >> +/* > >> + * Save the unpriv access state into ua_state and reset it to disable any > >> + * restrictions. > >> + */ > >> +static void save_reset_unpriv_access_state(struct unpriv_access_state *ua_state) > > Would _user_ be more consistent naming than _unpriv_ ? > > I did ponder on the naming. I considered user_access/uaccess instead of > unpriv_access, but my concern is that it might imply that only uaccess > is concerned, while in reality loads/stores that userspace itself > executes are impacted too. I thought using the "unpriv" terminology from > the Arm ARM (used for stage 1 permissions) might avoid such > misunderstanding. I'm interested to hear opinions on this, maybe > accuracy sacrifices readability. > > > Same elsewhere. I think "user" covers these meanings, though including the word "access" makes it sound like this is specific to uaccess. Maybe something like: save_reset_user_permissions() restore_user_permissions() would make sense? (But again, it's not a big deal.) > > > >> +{ > >> + if (system_supports_poe()) { > >> + /* > >> + * Enable all permissions in all 8 keys > >> + * (inspired by REPEAT_BYTE()) > >> + */ > >> + u64 por_enable_all = (~0u / POE_MASK) * POE_RXW; > > Yikes! > > > > Seriously though, why are we granting permissions that the signal > > handler isn't itself going to have over its own stack? > > > > I think the logical thing to do is to think of the write/read of the > > signal frame as being done on behalf of the signal handler, so the > > permissions should be those we're going to give the signal handler: > > not less, and (so far as we can approximate) not more. > > Will continue that discussion on the cover letter. > > > > >> + > >> + ua_state->por_el0 = read_sysreg_s(SYS_POR_EL0); > >> + write_sysreg_s(por_enable_all, SYS_POR_EL0); > >> + /* Ensure that any subsequent uaccess observes the updated value */ > >> + isb(); > >> + } > >> +} > >> + > >> +/* > >> + * Set the unpriv access state for invoking the signal handler. > >> + * > >> + * No uaccess should be done after that function is called. > >> + */ > >> +static void set_handler_unpriv_access_state(void) > >> +{ > >> + if (system_supports_poe()) > >> + write_sysreg_s(POR_EL0_INIT, SYS_POR_EL0); > >> + > > Spurious blank line? > > Thanks! > > >> +} > > [...] > > > >> @@ -1252,9 +1310,11 @@ static int setup_rt_frame(int usig, struct ksignal *ksig, sigset_t *set, > >> { > >> struct rt_sigframe_user_layout user; > >> struct rt_sigframe __user *frame; > >> + struct unpriv_access_state ua_state; > >> int err = 0; > >> > >> fpsimd_signal_preserve_current_state(); > >> + save_reset_unpriv_access_state(&ua_state); > > (Trivial nit: maybe put the blank line before this rather than after? > > This has nothing to do with "settling" the kernel's internal context > > switch state, and a lot to do with generaing the signal frame...) > > In fact considering the concern Catalin brought up with POR_EL0 being > reset even when we fail to deliver the signal [1], I'm realising this > call should be moved after get_sigframe(), since the latter doesn't use > uaccess and can fail. Good point... > [1] https://lore.kernel.org/linux-arm-kernel/Zw6D2waVyIwYE7wd@arm.com/ > > >> > >> if (get_sigframe(&user, ksig, regs)) > >> return 1; > > [...] I guess the call can be pushed to just before the first __put_user(), after here? > > > >> @@ -1273,6 +1333,7 @@ static int setup_rt_frame(int usig, struct ksignal *ksig, sigset_t *set, > >> regs->regs[1] = (unsigned long)&frame->info; > >> regs->regs[2] = (unsigned long)&frame->uc; > >> } > >> + set_handler_unpriv_access_state(); > > This bit feels prematurely factored? We don't have separate functions > > for the other low-level preparation done here... > > I preferred to have a consistent API for all manipulations of POR_EL0, > the idea being that if more registers are added to struct > unpriv_access_state, only the *unpriv_access* helpers need to be amended. > > > It works either way though, and I don't have a strong view. > > > > Overall, this all looks reasonable. Keeping the symmetry seems generally a good idea, especially if we expect that struct to grow more state over time. I wasn't sure how we anticipiate this evolving. [...] Cheers ---Dave