From: Tong Tiangen <tongtiangen@huawei.com>
To: Borislav Petkov <bp@alien8.de>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, <wangkefeng.wang@huawei.com>,
Dave Hansen <dave.hansen@linux.intel.com>, <x86@kernel.org>,
"H. Peter Anvin" <hpa@zytor.com>, Tony Luck <tony.luck@intel.com>,
Andy Lutomirski <luto@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Andrew Morton <akpm@linux-foundation.org>,
Naoya Horiguchi <naoya.horiguchi@nec.com>,
<linux-kernel@vger.kernel.org>, <linux-edac@vger.kernel.org>,
<linux-mm@kvack.org>, Guohanjun <guohanjun@huawei.com>
Subject: Re: [PATCH -next v5 2/3] x86/mce: set MCE_IN_KERNEL_COPYIN for DEFAULT_MCE_SAFE exception
Date: Sun, 18 Feb 2024 18:08:14 +0800 [thread overview]
Message-ID: <100198dd-320f-68e6-9c09-210620940a74@huawei.com> (raw)
In-Reply-To: <20240207122942.GRZcN3tqWkV-WE-pak@fat_crate.local>
在 2024/2/7 20:29, Borislav Petkov 写道:
> On Sun, Feb 04, 2024 at 04:26:26PM +0800, Tong Tiangen wrote:
>> diff --git a/arch/x86/kernel/cpu/mce/severity.c b/arch/x86/kernel/cpu/mce/severity.c
>> index bca780fa5e57..b2cce1b6c96d 100644
>> --- a/arch/x86/kernel/cpu/mce/severity.c
>> +++ b/arch/x86/kernel/cpu/mce/severity.c
>> @@ -292,11 +292,11 @@ static noinstr int error_context(struct mce *m, struct pt_regs *regs)
>> case EX_TYPE_UACCESS:
>> if (!copy_user)
>> return IN_KERNEL;
>> + fallthrough;
>> + case EX_TYPE_DEFAULT_MCE_SAFE:
>> m->kflags |= MCE_IN_KERNEL_COPYIN;
>> fallthrough;
>
> I knew something was still bugging me here and this is still wrong.
>
> Let's imagine this flow:
>
> copy_mc_to_user() - note *src is kernel memory
> |-> copy_mc_enhanced_fast_string or copy_mc_fragile - it's the same thing
> |-> -#MC, exception type EX_TYPE_DEFAULT_MCE_SAFE
> |-> error_context():
> case EX_TYPE_DEFAULT_MCE_SAFE:
> m->kflags |= MCE_IN_KERNEL_COPYIN;
>
> MCE_IN_KERNEL_COPYIN does kill_me_never():
>
> pr_err("Kernel accessed poison in user space at %llx\n", p->mce_addr);
>
> but that's reading from kernel memory!
Hi:
1. The copy_mc_to_kernel() is used in the coredump, KSM, and COW
scenarios, in these scenarios, the src mem stores the user data and the
kernel use kernel address to access the src mem(using kmap()).
2. the src mem of copy_mc_to_user() is currently only used by the DAX:
dax_iomap_iter()
-> dax_copy_to_iter()
-> _copy_mc_to_iter
-> copy_to_user_iter_mc()
-> copy_mc_to_user()
DAX is also used to store user data,such as pmem,pmem uses the kernel
address to access src mem(memremap_pages()):
pmem_attach_disk()
-> devm_memremap_pages()
-> memremap_pages()
3. EX_TYPE_DEFAULT_MCE_SAFE is only used in
copy_mc_to_user()/copy_mc_to_kernel()。
4. Therefore, for EX_TYPE_DEFAULT_MCE_SAFE, the memory page where the
hardware error occurs stores user data, these page can be securely
isolated. This is different from UACCESS, which can be securely isolated
only COPYIN(the src mem is user data) is checked.
Based on the above understanding, I think the original logic should be
fine, except for the pr_err() in kill_me_never().
Thanks.
Tong.
>
> IOW, I *think* that switch statement should be this:
>
> switch (fixup_type) {
> case EX_TYPE_UACCESS:
> case EX_TYPE_DEFAULT_MCE_SAFE:
> if (!copy_user)
> return IN_KERNEL;
>
> m->kflags |= MCE_IN_KERNEL_COPYIN;
> fallthrough;
>
> case EX_TYPE_FAULT_MCE_SAFE:
> m->kflags |= MCE_IN_KERNEL_RECOV;
> return IN_KERNEL_RECOV;
>
> default:
> return IN_KERNEL;
> }
>
> Provided I'm not missing a case and provided is_copy_from_user() really
> detects all cases properly.
>
> And then patch 3 is wrong because we only can handle "copy in" - not
> just any copy.
>
> Thx.
>
next prev parent reply other threads:[~2024-02-18 10:08 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-02-04 8:26 [PATCH -next v5 0/3] minor improvements for x86 mce processing Tong Tiangen
2024-02-04 8:26 ` [PATCH -next v5 1/3] x86/mce: remove redundant fixup type EX_TYPE_COPY Tong Tiangen
2024-02-04 8:26 ` [PATCH -next v5 2/3] x86/mce: set MCE_IN_KERNEL_COPYIN for DEFAULT_MCE_SAFE exception Tong Tiangen
2024-02-07 12:29 ` Borislav Petkov
2024-02-08 6:21 ` Tong Tiangen
2024-02-18 10:08 ` Tong Tiangen [this message]
2024-03-27 0:48 ` Tong Tiangen
2024-03-27 22:05 ` Borislav Petkov
2024-04-01 3:41 ` Tong Tiangen
2024-02-04 8:26 ` [PATCH -next v5 3/3] x86/mce: rename MCE_IN_KERNEL_COPYIN to MCE_IN_KERNEL_COPY_MC Tong Tiangen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=100198dd-320f-68e6-9c09-210620940a74@huawei.com \
--to=tongtiangen@huawei.com \
--cc=akpm@linux-foundation.org \
--cc=bp@alien8.de \
--cc=dave.hansen@linux.intel.com \
--cc=guohanjun@huawei.com \
--cc=hpa@zytor.com \
--cc=linux-edac@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=luto@kernel.org \
--cc=mingo@redhat.com \
--cc=naoya.horiguchi@nec.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=tony.luck@intel.com \
--cc=wangkefeng.wang@huawei.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox