From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-10.2 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,USER_AGENT_SANE_1 autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 18164C2B9F4 for ; Fri, 25 Jun 2021 10:39:14 +0000 (UTC) Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.kernel.org (Postfix) with ESMTP id 9337E61447 for ; Fri, 25 Jun 2021 10:39:13 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 9337E61447 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=arm.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix) id 67EA36B0036; Fri, 25 Jun 2021 06:39:12 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id 655CA6B005D; Fri, 25 Jun 2021 06:39:12 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 4CFCC6B006C; Fri, 25 Jun 2021 06:39:12 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from forelay.hostedemail.com (smtprelay0009.hostedemail.com [216.40.44.9]) by kanga.kvack.org (Postfix) with ESMTP id 16C936B0036 for ; Fri, 25 Jun 2021 06:39:12 -0400 (EDT) Received: from smtpin15.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251]) by forelay04.hostedemail.com (Postfix) with ESMTP id 2852D250A5 for ; Fri, 25 Jun 2021 10:39:12 +0000 (UTC) X-FDA: 78291898944.15.7F4115B Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by imf02.hostedemail.com (Postfix) with ESMTP id C23C64202A0E for ; Fri, 25 Jun 2021 10:39:11 +0000 (UTC) Received: by mail.kernel.org (Postfix) with ESMTPSA id C745E61443; Fri, 25 Jun 2021 10:39:08 +0000 (UTC) Date: Fri, 25 Jun 2021 11:39:06 +0100 From: Catalin Marinas To: Robin Murphy Cc: Al Viro , Matthew Wilcox , Christoph Hellwig , Chen Huang , Mark Rutland , Andrew Morton , Stephen Rothwell , Randy Dunlap , Will Deacon , Linux ARM , linux-mm , open list Subject: Re: [BUG] arm64: an infinite loop in generic_perform_write() Message-ID: <20210625103905.GA20835@arm.com> References: <20210623132223.GA96264@C02TD0UTHF1T.local> <1c635945-fb25-8871-7b34-f475f75b2caf@huawei.com> <27fbb8c1-2a65-738f-6bec-13f450395ab7@arm.com> <20210624185554.GC25097@arm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Authentication-Results: imf02.hostedemail.com; dkim=none; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=arm.com (policy=none); spf=pass (imf02.hostedemail.com: domain of cmarinas@kernel.org designates 198.145.29.99 as permitted sender) smtp.mailfrom=cmarinas@kernel.org X-Rspamd-Server: rspam02 X-Stat-Signature: z3q7o5d7ftjba8ac7ke7gytt359srkp5 X-Rspamd-Queue-Id: C23C64202A0E X-HE-Tag: 1624617551-647042 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: On Thu, Jun 24, 2021 at 09:36:54PM +0100, Robin Murphy wrote: > On 2021-06-24 19:55, Catalin Marinas wrote: > > On Thu, Jun 24, 2021 at 04:27:17PM +0000, Al Viro wrote: > > > On Thu, Jun 24, 2021 at 02:22:27PM +0100, Robin Murphy wrote: > > > > FWIW I think the only way to make the kernel behaviour any more robust here > > > > would be to make the whole uaccess API more expressive, such that rather > > > > than simply saying "I only got this far" it could actually differentiate > > > > between stopping due to a fault which may be recoverable and worth retrying, > > > > and one which definitely isn't. > > > > > > ... and propagate that "more expressive" information through what, 3 or 4 > > > levels in the call chain? > > > > > > From include/linux/uaccess.h: > > > > > > * If raw_copy_{to,from}_user(to, from, size) returns N, size - N bytes starting > > > * at to must become equal to the bytes fetched from the corresponding area > > > * starting at from. All data past to + size - N must be left unmodified. > > > * > > > * If copying succeeds, the return value must be 0. If some data cannot be > > > * fetched, it is permitted to copy less than had been fetched; the only > > > * hard requirement is that not storing anything at all (i.e. returning size) > > > * should happen only when nothing could be copied. In other words, you don't > > > * have to squeeze as much as possible - it is allowed, but not necessary. > > > > > > arm64 instances violate the aforementioned hard requirement. > > > > After reading the above a few more times, I think I get it. The key > > sentence is: not storing anything at all should happen only when nothing > > could be copied. In the MTE case, something can still be copied. > > > > > Please, fix > > > it there; it's not hard. All you need is an exception handler in .Ltiny15 > > > that would fall back to (short) byte-by-byte copy if the faulting address > > > happened to be unaligned. Or just do one-byte copy, not that it had been > > > considerably cheaper than a loop. Will be cheaper than propagating that extra > > > information up the call chain, let alone paying for extra ->write_begin() > > > and ->write_end() for single byte in generic_perform_write(). > > > > Yeah, it's definitely fixable in the arch code. I misread the above > > requirements and thought it could be fixed in the core code. > > > > Quick hack, though I think in the actual exception handling path in .S > > more sense (and it needs the copy_to_user for symmetry): > > Hmm, if anything the asm version might be even more straightforward; I think > it's pretty much just this (untested): That's what I thought but it was too late in the day to think in asm. > diff --git a/arch/arm64/lib/copy_to_user.S b/arch/arm64/lib/copy_to_user.S > index 043da90f5dd7..632bf1f9540d 100644 > --- a/arch/arm64/lib/copy_to_user.S > +++ b/arch/arm64/lib/copy_to_user.S > @@ -62,6 +62,9 @@ EXPORT_SYMBOL(__arch_copy_to_user) > > .section .fixup,"ax" > .align 2 > -9998: sub x0, end, dst // bytes not copied > +9998: ldrb w7, [x1] > +USER(9997f, sttrb w7, [x0]) > + add x0, x0, #1 > +9997: sub x0, end, dst // bytes not copied > ret > .previous > > If we can get away without trying to finish the whole copy bytewise, (i.e. > we don't cause any faults of our own by knowingly over-reading in the > routine itself), I'm more than happy with that. I don't think we over-read/write in the routine itself as this is based on the user memcpy() which can't handle faults. And since we got a fault before the end of the copy, we have at least one byte left in the buffer (which may or may not trigger a fault). I wonder whether we should skip the extra byte copy if something was copied, i.e. start the exception handler with: cmp dstin, dst b.ne 9997f That said, the fall-back to bytewise copying may have some advantage. I think we still have the issue where we copy some data to user but report less (STP failing on the second 8-byte when the first had been already written first 8). A byte copy loop would solve this, unless we pass the fault address to the exception handler (I thought you had some patch for this at some point). -- Catalin