From: Marco Elver <elver@google.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: albert.linde@gmail.com, Andrew Morton <akpm@linux-foundation.org>,
Borislav Petkov <bp@alien8.de>, Ingo Molnar <mingo@redhat.com>,
Jonathan Corbet <corbet@lwn.net>,
Thomas Gleixner <tglx@linutronix.de>,
Arnd Bergmann <arnd@arndb.de>,
Akinobu Mita <akinobu.mita@gmail.com>,
"H. Peter Anvin" <hpa@zytor.com>,
Al Viro <viro@zeniv.linux.org.uk>,
Alexander Potapenko <glider@google.com>,
Andrey Konovalov <andreyknvl@google.com>,
"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
the arch/x86 maintainers <x86@kernel.org>,
Albert van der Linde <alinde@google.com>
Subject: Re: [PATCH 1/3] lib, include/linux: add usercopy failure capability
Date: Fri, 21 Aug 2020 15:31:20 +0200
Message-ID: <20200821133120.GA3145341@elver.google.com>
In-Reply-To: <CACT4Y+ZeoUX39tBZs-DLoX0q5tC+skB56Cxf_SSpKiJdv3mMFg@mail.gmail.com>
On Fri, Aug 21, 2020 at 01:51PM +0200, Dmitry Vyukov wrote:
...
> > +++ b/lib/fault-inject-usercopy.c
> > @@ -0,0 +1,66 @@
> > +// SPDX-License-Identifier: GPL-2.0-only
> > +#include <linux/fault-inject.h>
> > +#include <linux/fault-inject-usercopy.h>
> > +#include <linux/random.h>
> > +
> > +static struct {
> > + struct fault_attr attr;
> > + u32 failsize;
> > +} fail_usercopy = {
> > + .attr = FAULT_ATTR_INITIALIZER,
> > + .failsize = 0,
> > +};
> > +
> > +static int __init setup_fail_usercopy(char *str)
> > +{
> > + return setup_fault_attr(&fail_usercopy.attr, str);
> > +}
> > +__setup("fail_usercopy=", setup_fail_usercopy);
> > +
> > +#ifdef CONFIG_FAULT_INJECTION_DEBUG_FS
> > +
> > +static int __init fail_usercopy_debugfs(void)
> > +{
> > + umode_t mode = S_IFREG | 0600;
> > + struct dentry *dir;
> > +
> > + dir = fault_create_debugfs_attr("fail_usercopy", NULL,
> > + &fail_usercopy.attr);
> > + if (IS_ERR(dir))
> > + return PTR_ERR(dir);
> > +
> > + debugfs_create_u32("failsize", mode, dir,
> > + &fail_usercopy.failsize);
>
> Marco, what's the right way to annotate these concurrent accesses for KCSAN?
For debugfs variables that are accessed concurrently, the only
non-data-racy option (currently) is to use debugfs_create_atomic_t() and
make the variable an atomic_t.
If it's read-mostly as is the case here, and given that atomic_read() is
cheap (it maps to READ_ONCE on x86 and arm64), that'd be reasonable even
if performance is a concern.
> > + return 0;
> > +}
> > +
> > +late_initcall(fail_usercopy_debugfs);
> > +
> > +#endif /* CONFIG_FAULT_INJECTION_DEBUG_FS */
> > +
> > +/**
> > + * should_fail_usercopy() - Failure code or amount of bytes not to copy.
> > + * @n: Size of the original copy call.
> > + *
> > + * The general idea is to have a method which returns the amount of bytes not
> > + * to copy, a failure to return, or 0 if the calling function should progress
> > + * without a failure. E.g., copy_{to,from}_user should NOT copy the amount of
> > + * bytes returned by should_fail_usercopy, returning this value (in addition
> > + * to any bytes that could actually not be copied) or a failure.
> > + *
> > + * Return: one of:
> > + * negative, failure to return;
> > + * 0, progress normally;
> > + * a number in ]0, n], the number of bytes not to copy.
> > + *
> > + */
> > +long should_fail_usercopy(unsigned long n)
> > +{
> > + if (should_fail(&fail_usercopy.attr, n)) {
> > + if (fail_usercopy.failsize > 0)
> > + return fail_usercopy.failsize % (n + 1);
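Review bot: in the last quoted lines, `return fail_usercopy.failsize % (n + 1);` evaluates to 0 whenever failsize is a non-zero multiple of n + 1, so a copy that should_fail() has already decided to fail returns 0, which the kernel-doc above defines as "progress normally", and the documented range ]0, n] is not honoured; consider `1 + (fail_usercopy.failsize - 1) % n` (with an n == 0 guard) or clamping the value to n. The same plain read of fail_usercopy.failsize also races with writes through the `failsize` debugfs file created earlier in this hunk; either make the field an atomic_t exposed via debugfs_create_atomic_t() and read it with atomic_read(), or annotate the read with data_race() if a stale or torn value is acceptable for a probabilistic knob.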
If you wanted to retain the u32 in debugfs, you can mark this
'data_race(fail_usercopy.failsize)' -- since what we're doing here is
probabilistic anyway, reading a garbage value won't affect things much.
Alternatively, just switch to atomic_t and it'll just be an
atomic_read().
Thanks,
-- Marco
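As an added illustration that is not part of the patch or of Marco's reply: a user-space C11 model of the pattern being discussed. The debugfs-controlled `failsize` becomes an atomic, the reader uses a relaxed load (the user-space analogue of the kernel's atomic_read()/READ_ONCE()), and two variants of the "bytes not to copy" arithmetic are shown side by side: one mirroring the patch's `failsize % (n + 1)`, and one that keeps the result inside the kernel-doc range ]0, n]. The names `failsize_knob`, `set_failsize`, `should_fail_model`, `bytes_not_to_copy_patch_style` and `bytes_not_to_copy_clamped` are my own; `should_fail_model` is a deterministic stand-in for should_fail(), and the -1 returned when failsize is 0 is an assumed failure code, since the quoted hunk ends before that branch.

```c
// Added user-space model; not kernel code and not from the patch under review.
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for fail_usercopy.failsize: written through a control interface
 * (debugfs in the kernel), read on every simulated usercopy. Making it atomic
 * is the user-space counterpart of switching the field to atomic_t. */
static _Atomic uint32_t failsize_knob = 0;

/* Stand-in for the debugfs write side. Safe to call concurrently with readers. */
void set_failsize(uint32_t v)
{
	atomic_store_explicit(&failsize_knob, v, memory_order_relaxed);
}

/* Deterministic stand-in for should_fail(): assumption for reproducibility,
 * "fail" every copy whose size is a multiple of 4. */
static bool should_fail_model(unsigned long n)
{
	return n != 0 && n % 4 == 0;
}

/* Relaxed load: the analogue of atomic_read(), which maps to READ_ONCE on x86/arm64. */
static uint32_t read_failsize(void)
{
	return atomic_load_explicit(&failsize_knob, memory_order_relaxed);
}

/* Mirrors the patch's arithmetic, failsize % (n + 1). Note the wrap: when
 * failsize is a non-zero multiple of n + 1 the result is 0, i.e. "progress
 * normally", even though the fault predicate fired. */
long bytes_not_to_copy_patch_style(unsigned long n)
{
	if (!should_fail_model(n))
		return 0;
	uint32_t failsize = read_failsize();
	if (failsize > 0)
		return (long)(failsize % (n + 1));
	return -1; /* assumption: some negative failure code */
}

/* Same idea, but the result always lies in ]0, n] as the kernel-doc promises. */
long bytes_not_to_copy_clamped(unsigned long n)
{
	if (!should_fail_model(n))
		return 0;
	uint32_t failsize = read_failsize();
	if (failsize > 0)
		return (long)(1 + (failsize - 1) % n); /* n != 0 guaranteed above */
	return -1; /* assumption: some negative failure code */
}

int main(void)
{
	/* Constructed scenario: knob set to 9, copy of 8 bytes selected to fail. */
	set_failsize(9);
	printf("patch style: %ld bytes not copied\n", bytes_not_to_copy_patch_style(8));
	printf("clamped:     %ld bytes not copied\n", bytes_not_to_copy_clamped(8));
	return 0;
}
```

Running this with ThreadSanitizer and a second thread calling `set_failsize()` in a loop reports no data race, because every access to the knob goes through an atomic; replacing `_Atomic uint32_t` with a plain `uint32_t` is the situation Dmitry asked about, and is what a data_race() annotation would merely silence rather than fix.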