From: Peter Zijlstra <peterz@infradead.org>
To: Nadav Amit <namit@vmware.com>
Cc: Ingo Molnar <mingo@redhat.com>,
LKML <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>,
"H. Peter Anvin" <hpa@zytor.com>,
Thomas Gleixner <tglx@linutronix.de>,
Borislav Petkov <bp@alien8.de>,
Dave Hansen <dave.hansen@linux.intel.com>,
Andy Lutomirski <luto@kernel.org>,
Kees Cook <keescook@chromium.org>,
Dave Hansen <dave.hansen@intel.com>,
Masami Hiramatsu <mhiramat@kernel.org>
Subject: Re: [PATCH v4 06/10] x86/alternative: use temporary mm for text poking
Date: Mon, 12 Nov 2018 00:52:20 +0100 [thread overview]
Message-ID: <20181111235220.GB3056@worktop> (raw)
In-Reply-To: <43C8C690-F079-4513-82CD-46A62DBA5A3B@vmware.com>
On Sun, Nov 11, 2018 at 08:53:07PM +0000, Nadav Amit wrote:
> >> + /*
> >> + * The lock is not really needed, but this allows to avoid open-coding.
> >> + */
> >> + ptep = get_locked_pte(poking_mm, poking_addr, &ptl);
> >> +
> >> + /*
> >> + * If we failed to allocate a PTE, fail. This should *never* happen,
> >> + * since we preallocate the PTE.
> >> + */
> >> + if (WARN_ON_ONCE(!ptep))
> >> + goto out;
> >
> > Since we hard rely on init getting that right; can't we simply get rid
> > of this?
>
> This is a repeated complaint of yours, which I do not feel comfortable with.
> One day someone will run some static analysis tool and start finding that
> all these checks are missing.
>
> The question is why do you care about them.
Mostly because they should not be happening, ever. And if they happen,
there really isn't anything sensible we can do about it.
> If it is because they affect the
> generated code and make it less efficient, I can fully understand and perhaps
> we should have something like PARANOID_WARN_ON_ONCE() which compiles into nothing
> unless a certain debug option is set.
>
> If it is about the way the source code looks - I guess it doesn’t sore my
> eyes as hard as some other stuff, and I cannot do much about it (other than
> removing it as you asked).
And yes on the above two points. It adds both runtime overhead (albeit
trivially small) and code complexity.
> >> +out:
> >> + if (memcmp(addr, opcode, len))
> >> + r = -EFAULT;
> >
> > How could this ever fail? And how can we reliably recover from that?
>
> This code has been there before (with slightly uglier code). Before this
> patch, a BUG_ON() was used here. However, I noticed that kgdb actually
> checks that text_poke() succeeded after calling it and gracefully fail.
> However, this was useless, since text_poke() would panic before kgdb gets
> the chance to do anything (see patch 7).
Yes, I know it was there before, and I did see kgdb do it too. But aside
from that out-label case, which we also should never hit, how can we
realistically ever fail that memcmp()?
If we fail here, something is _seriously_ buggered.
next prev parent reply other threads:[~2018-11-11 23:52 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-10 23:17 [PATCH v4 00/10] x86/alternative: text_poke() fixes Nadav Amit
2018-11-10 23:17 ` [PATCH v4 01/10] Fix "x86/alternatives: Lockdep-enforce text_mutex in text_poke*()" Nadav Amit
2018-11-12 2:54 ` Masami Hiramatsu
2018-11-12 10:59 ` Jiri Kosina
2018-11-10 23:17 ` [PATCH v4 02/10] x86/jump_label: Use text_poke_early() during early init Nadav Amit
2018-11-12 20:12 ` Nadav Amit
2018-11-10 23:17 ` [PATCH v4 03/10] x86/mm: temporary mm struct Nadav Amit
2018-11-10 23:17 ` [PATCH v4 04/10] fork: provide a function for copying init_mm Nadav Amit
2018-11-10 23:17 ` [PATCH v4 05/10] x86/alternative: initializing temporary mm for patching Nadav Amit
2018-11-11 14:43 ` Peter Zijlstra
2018-11-11 20:38 ` Nadav Amit
2018-11-12 0:34 ` Peter Zijlstra
2018-11-10 23:17 ` [PATCH v4 06/10] x86/alternative: use temporary mm for text poking Nadav Amit
2018-11-11 14:59 ` Peter Zijlstra
2018-11-11 20:53 ` Nadav Amit
2018-11-11 23:52 ` Peter Zijlstra [this message]
2018-11-12 0:09 ` Nadav Amit
2018-11-12 0:41 ` Peter Zijlstra
2018-11-12 0:36 ` Peter Zijlstra
2018-11-12 3:46 ` Ingo Molnar
2018-11-12 8:50 ` Peter Zijlstra
2018-11-11 19:11 ` Damian Tometzki
2018-11-11 20:41 ` Nadav Amit
2018-11-10 23:17 ` [PATCH v4 07/10] x86/kgdb: avoid redundant comparison of code Nadav Amit
2018-11-10 23:17 ` [PATCH v4 08/10] x86: avoid W^X being broken during modules loading Nadav Amit
2018-11-10 23:17 ` [PATCH v4 09/10] x86/jump-label: remove support for custom poker Nadav Amit
2018-11-11 15:05 ` Peter Zijlstra
2018-11-11 20:31 ` Nadav Amit
2018-11-10 23:17 ` [PATCH v4 10/10] x86/alternative: remove the return value of text_poke_*() Nadav Amit
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181111235220.GB3056@worktop \
--to=peterz@infradead.org \
--cc=bp@alien8.de \
--cc=dave.hansen@intel.com \
--cc=dave.hansen@linux.intel.com \
--cc=hpa@zytor.com \
--cc=keescook@chromium.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=mhiramat@kernel.org \
--cc=mingo@redhat.com \
--cc=namit@vmware.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox