Date: Fri, 21 Aug 2020 15:31:20 +0200
From: Marco Elver
To: Dmitry Vyukov
Cc: albert.linde@gmail.com, Andrew Morton, Borislav Petkov, Ingo Molnar, Jonathan Corbet, Thomas Gleixner, Arnd Bergmann, Akinobu Mita, "H. Peter Anvin", Al Viro, Alexander Potapenko, Andrey Konovalov, "open list:DOCUMENTATION", LKML, linux-arch, the arch/x86 maintainers, Albert van der Linde
Subject: Re: [PATCH 1/3] lib, include/linux: add usercopy failure capability
Message-ID: <20200821133120.GA3145341@elver.google.com>
References: <20200821104926.828511-1-alinde@google.com> <20200821104926.828511-2-alinde@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Aug 21, 2020 at 01:51PM +0200, Dmitry Vyukov wrote:
...
> > +++ b/lib/fault-inject-usercopy.c
> > @@ -0,0 +1,66 @@ > > +// SPDX-License-Identifier: GPL-2.0-only > > +#include > > +#include > > +#include > > + > > +static struct { > > + struct fault_attr attr; > > + u32 failsize; > > +} fail_usercopy = { > > + .attr = FAULT_ATTR_INITIALIZER, > > + .failsize = 0, > > +}; > > + > > +static int __init setup_fail_usercopy(char *str) > > +{ > > + return setup_fault_attr(&fail_usercopy.attr, str); > > +} > > +__setup("fail_usercopy=", setup_fail_usercopy); > > + > > +#ifdef CONFIG_FAULT_INJECTION_DEBUG_FS > > + > > +static int __init fail_usercopy_debugfs(void) > > +{ > > + umode_t mode = S_IFREG | 0600; > > + struct dentry *dir; > > + > > + dir = fault_create_debugfs_attr("fail_usercopy", NULL, > > + &fail_usercopy.attr); > > + if (IS_ERR(dir)) > > + return PTR_ERR(dir); > > + > > + debugfs_create_u32("failsize", mode, dir, > > + &fail_usercopy.failsize); > > Marco, what's the right way to annotate these concurrent accesses for KCSAN? For debugfs variables that are accessed concurrently, the only non-data-racy option (currently) is to use debugfs_create_atomic_t() and make the variable an atomic_t. If it's read-mostly as is the case here, and given that atomic_read() is cheap (it maps to READ_ONCE on x86 and arm64), that'd be reasonable even if performance is a concern. > > + return 0; > > +} > > + > > +late_initcall(fail_usercopy_debugfs); > > + > > +#endif /* CONFIG_FAULT_INJECTION_DEBUG_FS */ > > + > > +/** > > + * should_fail_usercopy() - Failure code or amount of bytes not to copy. > > + * @n: Size of the original copy call. > > + * > > + * The general idea is to have a method which returns the amount of bytes not > > + * to copy, a failure to return, or 0 if the calling function should progress > > + * without a failure. E.g., copy_{to,from}_user should NOT copy the amount of > > + * bytes returned by should_fail_usercopy, returning this value (in addition > > + * to any bytes that could actually not be copied) or a failure. 
> > + * > > + * Return: one of: > > + * negative, failure to return; > > + * 0, progress normally; > > + * a number in ]0, n], the number of bytes not to copy. > > + * > > + */ > > +long should_fail_usercopy(unsigned long n) > > +{ > > + if (should_fail(&fail_usercopy.attr, n)) { > > + if (fail_usercopy.failsize > 0) > > + return fail_usercopy.failsize % (n + 1); If you wanted to retain the u32 in debugfs, you can mark this 'data_race(fail_usercopy.failsize)' -- since what we're doing here is probabilistic anyway, reading a garbage value won't affect things much. Alternatively, just switch to atomic_t and it'll just be an atomic_read(). Thanks, -- Marco
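Review bot: in should_fail_usercopy(), `return fail_usercopy.failsize % (n + 1);` can return 0 even though should_fail() fired, because failsize % (n + 1) is 0 whenever failsize is a multiple of n + 1 (failsize == n + 1 is the obvious case), so the caller then proceeds normally instead of receiving a value in the documented range ]0, n]. The same expression divides by n + 1, which wraps to 0 for n == ULONG_MAX. Clamping instead of wrapping, e.g. `return min_t(unsigned long, fail_usercopy.failsize, n);` (with n == 0 handled as a full failure), avoids both, and the kerneldoc should say whether a failsize larger than n is meant to be wrapped or clamped, since the two give very different partial-copy behaviour.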
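The contract discussed above, as an added userspace model (not the patch's own code and not kernel code): a `copy_to_user()`-style wrapper consuming `should_fail_usercopy()`'s return value, with the debugfs knobs replaced by C11 atomics that are read with a relaxed load, the userspace analogue of the `atomic_t`/`atomic_read()` route Marco describes. The `fail_interval` knob (modelled on fault_attr's interval, driven by a call counter instead of a random draw), `partial_clamped()` and `copy_to_user_model()` are assumptions of this example; `partial_as_in_patch()` reproduces the patch's `failsize % (n + 1)` so the case where it yields 0 can be compared with a clamped alternative.

```c
/* Userspace model of the should_fail_usercopy() contract from the quoted
 * patch. Illustrative code, not the patch's own: the debugfs knobs become C11
 * atomics, and the kernel's random draw becomes a deterministic call counter. */
#include <errno.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tunables. The patch keeps `failsize` as a plain u32 written through debugfs;
 * here both knobs are atomics so a concurrent writer and reader do not race.
 * fail_interval is a hypothetical knob modelled on fault_attr.interval. */
static _Atomic uint32_t fail_interval;  /* 0 = never fail, k = fail every k-th call */
static _Atomic uint32_t fail_size;      /* 0 = whole copy fails, >0 = bytes not to copy */
static unsigned long call_counter;      /* deterministic stand-in for the random draw */

void fail_usercopy_configure(uint32_t interval, uint32_t size)
{
    atomic_store_explicit(&fail_interval, interval, memory_order_relaxed);
    atomic_store_explicit(&fail_size, size, memory_order_relaxed);
    call_counter = 0;
}

static int should_fail(void)
{
    /* Relaxed atomic load: the userspace analogue of atomic_read()/READ_ONCE(). */
    uint32_t interval = atomic_load_explicit(&fail_interval, memory_order_relaxed);

    if (interval == 0)
        return 0;
    return ++call_counter % interval == 0;
}

/* Exactly the patch's arithmetic: failsize % (n + 1). This is 0 whenever
 * failsize is a multiple of n + 1, i.e. "no failure" after should_fail() fired. */
unsigned long partial_as_in_patch(uint32_t failsize, unsigned long n)
{
    return failsize % (n + 1);
}

/* Clamping alternative (assumption of this example): a triggered partial
 * failure withholds at least one byte and at most n, the documented ]0, n]. */
unsigned long partial_clamped(uint32_t failsize, unsigned long n)
{
    if (n == 0)
        return 0;
    return failsize > n ? n : failsize;
}

/* Contract from the patch's kerneldoc:
 *   negative -> failure code to return
 *   0        -> proceed normally
 *   ]0, n]   -> number of bytes NOT to copy */
long should_fail_usercopy(unsigned long n)
{
    uint32_t size;

    if (!should_fail())
        return 0;
    size = atomic_load_explicit(&fail_size, memory_order_relaxed);
    if (size > 0)
        return (long)partial_clamped(size, n);
    return -EFAULT;
}

/* Hypothetical copy_to_user()-style consumer. Like copy_to_user() it returns
 * the number of bytes not copied, so a negative failure code is reported as
 * "nothing copied" (n) and a partial failure copies only the first n - rc bytes. */
unsigned long copy_to_user_model(void *to, const void *from, unsigned long n)
{
    long rc = should_fail_usercopy(n);

    if (rc < 0)
        return n;
    memcpy(to, from, n - (unsigned long)rc);
    return (unsigned long)rc;
}

int main(void)
{
    char dst[17];
    const char src[] = "0123456789abcdef";   /* constructed sample input */

    fail_usercopy_configure(2, 4);           /* every 2nd copy withholds 4 bytes */
    memset(dst, 'X', sizeof(dst));
    printf("call 1: %lu bytes not copied\n", copy_to_user_model(dst, src, 16));
    memset(dst, 'X', sizeof(dst));
    printf("call 2: %lu bytes not copied, dst=%.16s\n",
           copy_to_user_model(dst, src, 16), dst);
    printf("patch formula 8 %% (7+1) = %lu, clamped = %lu\n",
           partial_as_in_patch(8, 7), partial_clamped(8, 7));
    return 0;
}
```

Build with `cc -std=c11 -Wall model.c` and run it; the second call shows the destination holding twelve copied bytes followed by the untouched `X` padding, and the last line shows the patch's modulo producing 0 where the clamp produces 7.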