From: Ingo Molnar <mingo@kernel.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Tony Luck" <tony.luck@gmail.com>,
"Mika Penttilä" <mika.penttila@nextfour.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"Thomas Gleixner" <tglx@linutronix.de>,
"Borislav Petkov" <bp@alien8.de>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Peter Zijlstra" <a.p.zijlstra@chello.nl>,
"H. Peter Anvin" <hpa@zytor.com>,
"Andy Lutomirski" <luto@amacapital.net>,
"Williams, Dan J" <dan.j.williams@intel.com>
Subject: Re: [PATCH v14] x86, mce: Add memcpy_mcsafe()
Date: Sun, 13 Mar 2016 10:25:05 +0100 [thread overview]
Message-ID: <20160313092505.GA11079@gmail.com> (raw)
In-Reply-To: <CA+55aFxQQsmy0wQrQeFPp_+M=y0qwyH8w3irij7RdcSREdWUzA@mail.gmail.com>
* Linus Torvalds <torvalds@linux-foundation.org> wrote:
> On Sat, Mar 12, 2016 at 9:16 AM, Ingo Molnar <mingo@kernel.org> wrote:
> >
> > Please use the copy_*_user() memory copying API semantics, which are: return
> > negative code (-EFAULT) on error, 0 on success.
>
> Those are the get_user/put_user() semantics.
>
> copy_*_user() has those annoying "bytes left uncopied" return values
> that I really wouldn't encourage anybody else use unless they really
> have to. [...]
Indeed, and I even grepped for it because I tend to get it wrong ... I suck!
> [...] There are (good) reasons why it's done that way, but it's still not
> something that should be aped without the same kind of major reasons.
Yeah, so IIRC the main reason being security and the ability to know which bits of
a possibly uninitialized area are not yet copied on.
But with primary memcpy_mcsafe() usage being in-kernel (MM)IO space management I
don't think we have the 'uninitialized' problem in nearly as marked a fashion, and
we very much have the (largely uncompensated) cost of more complex assembly.
Nevertheless, wrt. error handling, the bit I feel very strongly about is the
following:
We have the existing 'mempcy API check for failure' pattern of:
if (put_user()) {
... it didn't succeed ...
}
if (copy_from_user()) {
... it didn't succeed ...
}
... which should be kept IMHO:
if (memcpy_mcsafe()) {
... it didn't succeed ...
}
... and what I most disagree with most is one of the suggestions in the original
mail I replied to:
>> 2) Reverse the return values.
(== return 1 on success, 0 on failure)
... that's crazy IMHO and reverses the pattern of almost every memcpy-with-check
(or syscall-success) API we have!
So I still think we should have the regular '0 on success, negative error value on
failure' semantics - but I'd not be hugely against a '0 on success, bytes left
uncopied on failure' variant either in principle, except that I think it unduly
complicates the assembly side to recover the bytes.
The '0/1' current implementation is really neither of these but still fits the
common error checking pattern, but it's still much better than the '1/0'
suggestion which is crazy!
So I think we should move from 0/1 to 0/-EFAULT for now, and maybe (maybe) move to
a 0/bytes_left return code in the future, if there comes a strong usecase. Most
error checks will have to be converted in that case anyway to make use of the
return code, so it's not like we introduce an extra cost here by going to
0/-EFAULT.
Also, by going to 0/-EFAULT we have the option to also allow other negative error
codes, which would allow the distinction of #MC traps from regular page fault
traps for example. (a driver might want to log them differently.)
Thanks,
Ingo
next prev parent reply other threads:[~2016-03-13 9:25 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-17 18:20 [PATCH v11 0/4] Machine check recovery when kernel accesses poison Tony Luck
2016-02-17 18:20 ` [PATCH v11 1/4] x86: Expand exception table to allow new handling options Tony Luck
2016-02-18 10:19 ` [tip:ras/core] x86/mm: Expand the exception table logic " tip-bot for Tony Luck
2016-02-17 18:20 ` [PATCH v11 4/4] x86: Create a new synthetic cpu capability for machine check recovery Tony Luck
2016-02-18 10:19 ` [tip:x86/asm] x86/cpufeature: " tip-bot for Tony Luck
2016-02-17 18:20 ` [PATCH v11 2/4] x86, mce: Check for faults tagged in EXTABLE_CLASS_FAULT exception table entries Tony Luck
2016-02-18 10:19 ` [tip:ras/core] x86/mce: " tip-bot for Tony Luck
2016-02-17 18:20 ` [PATCH v11 3/4] x86, mce: Add __mcsafe_copy() Tony Luck
2016-02-18 8:21 ` Ingo Molnar
2016-02-18 9:59 ` Peter Zijlstra
2016-02-18 10:19 ` Ingo Molnar
2016-02-18 10:29 ` Borislav Petkov
2016-02-18 10:35 ` Peter Zijlstra
2016-02-18 14:59 ` Luck, Tony
2016-02-19 7:58 ` Ingo Molnar
2016-02-19 8:43 ` Peter Zijlstra
2016-02-19 9:51 ` Ingo Molnar
2016-02-18 10:29 ` Borislav Petkov
2016-02-18 10:34 ` Ingo Molnar
2016-02-18 10:36 ` Borislav Petkov
2016-02-18 18:48 ` Ingo Molnar
2016-02-18 21:14 ` [PATCH v12] x86, mce: Add memcpy_trap() Luck, Tony
2016-02-19 9:10 ` Ingo Molnar
2016-02-19 17:53 ` [PATCH v13] " Luck, Tony
2016-02-24 17:38 ` Tony Luck
2016-02-24 18:35 ` Linus Torvalds
2016-02-24 19:27 ` Tony Luck
2016-02-24 19:37 ` Linus Torvalds
2016-02-25 8:56 ` Ingo Molnar
2016-02-25 19:33 ` Luck, Tony
2016-02-25 20:39 ` Linus Torvalds
2016-02-25 22:11 ` Andy Lutomirski
2016-02-18 19:47 ` [PATCH v14] x86, mce: Add memcpy_mcsafe() Tony Luck
2016-03-02 20:47 ` Luck, Tony
2016-03-08 17:37 ` [tip:ras/core] x86/mm, x86/mce: " tip-bot for Tony Luck
2016-03-10 19:26 ` [PATCH v14] x86, mce: " Mika Penttilä
2016-03-10 19:37 ` Luck, Tony
2016-03-11 22:10 ` Tony Luck
2016-03-11 22:14 ` Dan Williams
2016-03-12 17:16 ` Ingo Molnar
2016-03-13 1:12 ` Linus Torvalds
2016-03-13 9:25 ` Ingo Molnar [this message]
2016-03-14 22:33 ` [PATCH] x86/mm, x86/mce: Fix return type/value for memcpy_mcsafe() Tony Luck
2016-03-16 8:06 ` [tip:x86/urgent] " tip-bot for Tony Luck
2016-02-26 0:58 ` [PATCH v13] x86, mce: Add memcpy_trap() Linus Torvalds
2016-02-26 1:19 ` Andy Lutomirski
2016-02-26 2:38 ` Linus Torvalds
2016-02-18 18:12 ` [PATCH v11 3/4] x86, mce: Add __mcsafe_copy() Linus Torvalds
2016-02-18 18:51 ` Ingo Molnar
2016-02-18 18:52 ` Luck, Tony
2016-02-18 20:14 ` Ingo Molnar
2016-02-18 21:33 ` Dan Williams
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160313092505.GA11079@gmail.com \
--to=mingo@kernel.org \
--cc=a.p.zijlstra@chello.nl \
--cc=akpm@linux-foundation.org \
--cc=bp@alien8.de \
--cc=dan.j.williams@intel.com \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=mika.penttila@nextfour.com \
--cc=tglx@linutronix.de \
--cc=tony.luck@gmail.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).