From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2E072C46CD2 for ; Tue, 30 Jan 2024 13:41:44 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id A44066B0082; Tue, 30 Jan 2024 08:41:43 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id 9F21C6B0089; Tue, 30 Jan 2024 08:41:43 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 8E1216B008A; Tue, 30 Jan 2024 08:41:43 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0017.hostedemail.com [216.40.44.17]) by kanga.kvack.org (Postfix) with ESMTP id 7FCCD6B0082 for ; Tue, 30 Jan 2024 08:41:43 -0500 (EST) Received: from smtpin28.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay10.hostedemail.com (Postfix) with ESMTP id 43163C07AD for ; Tue, 30 Jan 2024 13:41:43 +0000 (UTC) X-FDA: 81736090086.28.FD7000A Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [45.249.212.189]) by imf03.hostedemail.com (Postfix) with ESMTP id A51242000E for ; Tue, 30 Jan 2024 13:41:39 +0000 (UTC) Authentication-Results: imf03.hostedemail.com; dkim=none; dmarc=pass (policy=quarantine) header.from=huawei.com; spf=pass (imf03.hostedemail.com: domain of tongtiangen@huawei.com designates 45.249.212.189 as permitted sender) smtp.mailfrom=tongtiangen@huawei.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1706622101; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=5s+/rA66jkcBc5RVqpNWURjYoBpzfZPwaFzayiRRQRI=; b=wYHtzEPLjMplbxa4P3hMViZNjh/6NtfYnwO9IfjSlAcTiT0g06HxCJrMHNe3TNF/9EXbUO STDKc0ScANiKZlkXt9a3O8nIKGO+LmONhWw58kpB0vUsw+88unfy/W5Kp9fpAgGOlgW24n 9C+hh8mAVA2VbMWPUuKwWVl/fjjsTX4= ARC-Authentication-Results: i=1; imf03.hostedemail.com; dkim=none; dmarc=pass (policy=quarantine) header.from=huawei.com; spf=pass (imf03.hostedemail.com: domain of tongtiangen@huawei.com designates 45.249.212.189 as permitted sender) smtp.mailfrom=tongtiangen@huawei.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1706622101; a=rsa-sha256; cv=none; b=qLoer3IeP4EEC1M4UZwM7xQkpEC3qOayBjWUfcjp5PzxD4sbWCx1rgVKtcy6glGFQXLx+w AQBvMx78meAsUZvy02Jiap4moWotpoWrxfmQgQUvm6daTDCJ0dRJebO+jHaTH2ti9M1kxH gQ2DEDaqh+oKTExcxPj7nsk4FTKB1mU= Received: from mail.maildlp.com (unknown [172.19.88.194]) by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4TPRBS0vRFzJpQM; Tue, 30 Jan 2024 21:40:32 +0800 (CST) Received: from kwepemm600017.china.huawei.com (unknown [7.193.23.234]) by mail.maildlp.com (Postfix) with ESMTPS id 8B07B1400FF; Tue, 30 Jan 2024 21:41:31 +0800 (CST) Received: from [10.174.179.234] (10.174.179.234) by kwepemm600017.china.huawei.com (7.193.23.234) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35; Tue, 30 Jan 2024 21:41:29 +0800 Message-ID: Date: Tue, 30 Jan 2024 21:41:28 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.8.0 Subject: Re: [PATCH v10 3/6] arm64: add uaccess to machine check safe To: Mark Rutland CC: Catalin Marinas , Will Deacon , James Morse , Robin Murphy , Andrey Ryabinin , Alexander Potapenko , Alexander Viro , Andrey Konovalov , Dmitry Vyukov , Vincenzo Frascino , Andrew Morton , Michael Ellerman , Nicholas Piggin , Christophe Leroy , Aneesh Kumar K.V , "Naveen N. Rao" , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , , "H. Peter Anvin" , , , , , , , Guohanjun References: <20240129134652.4004931-1-tongtiangen@huawei.com> <20240129134652.4004931-4-tongtiangen@huawei.com> <23795738-b86e-7709-bc2b-5abba2e77b68@huawei.com> From: Tong Tiangen In-Reply-To: Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 8bit X-Originating-IP: [10.174.179.234] X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To kwepemm600017.china.huawei.com (7.193.23.234) X-Rspamd-Queue-Id: A51242000E X-Rspam-User: X-Rspamd-Server: rspam02 X-Stat-Signature: 7a61ejb794eoejjjz73i336ng9bd9bez X-HE-Tag: 1706622099-929111 X-HE-Meta: U2FsdGVkX19EbNjoegVcvgQ0qi4OI1q4P2K923GwGKaORcIK1Cj0ctn4VFYwcJGRcfcUsMgEX3MObU2anN0tKaS2vY8/gnjpX9T7Q+rGReqTNcmtFljqPxNK5jwz3hTybJjvIbKY4F77VTsolH8khW5SZjqYuWAyg/Qr4wSCUYtAl1bgCBvKLd4PXxqQZtBs/bWZaAWlVgIzfvbFqElHYWIkezEld7Qt81h+YJ1+3k2dXvZCIXASRtngNoLMlM6HdXnpTVqVUdfDpAzOj0Qho44dE/d/Ixwr/8bHF7BAOxQt22BB4GepKhllkXpJMKL3bafBY5O28t685PKFm4dosJNIUOQU5RVoowa9kpW/zEZ8KROAe5xSl9aOLiFE/1v80tOt8SNrbXTyuHVZC2cxfphaVssq54mORezSF/Ue/z0j+ba26YNsI5GyEgMU8MMkKT4xwWHbkRUC4J6vEgeeNLLnG2B0A13+6IEnUe9LSnLYdyj+qmK+KyuMocFi4ZcD4FA6fUOQMA+QI5sJ5Vy6QXZFvJu9210cZzup1TzBvLqLXDWEd0Hk0pb7fDrxvSST5EAE7Y0gOw9jHNAzX/mdThJkk8bs1VHZ9uoBDi7JPHAZznF0NFoDAdTYOiCFK2naww2GXd/ebFIyGVZ99WSpfkVY9JU90ywh+o18TaeQ/YdCDXF5mO4+cdDjNNgaMITzBvFrQBHDYBO+xQdO5HB3MnoFc9wJWH1KVAdlc32v1T3YZDppeP61uvnarZQJAeFjYjz83ROveBIJSop8ARzqctFOWlzPF6R6YPuXmHgO64xFyIVKneKyKCiqW5sDXXLcvSnN+uKHwj5FqPh7BbRiIznSvuERNndOyCBeZYwyBQ82Z7AR86Bk9f0Mxc/5VXE6oxixRFQQ75HgpHu03xVTJvrD3QGYvFJycnyDblx4Elpw8Fa55WTBs2RmMaWcmsdncwU0yY0PfRPkzvY9mI3 6GDBZlge 7uc7XMm636TpLnhAYLpS0kAPzt0aiPUXNb/00y7LTUZD6ReKoedz5S1/w2rykO8cUzLsHUsFh+4tGm9hwCZhD9o3jhUntTyktNZgbZS39k6vwNPP1QZzGCShpDbp3zqH+IqhmVXAn9gJDjz6jWDERR2vwiXM/BlUKG6BB0Pq+iK+kaa1kLIi3XFiM54VWMV5RsZhn0yKEADYPZ5GiAO3XxzipuvId+g1EXfkB+3QfQ496rI8= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: 在 2024/1/30 20:01, Mark Rutland 写道: > On Tue, Jan 30, 2024 at 07:14:35PM +0800, Tong Tiangen wrote: >> 在 2024/1/30 1:43, Mark Rutland 写道: >>> On Mon, Jan 29, 2024 at 09:46:49PM +0800, Tong Tiangen wrote: >>> Further, this change will also silently fixup unexpected kernel faults if we >>> pass bad kernel pointers to copy_{to,from}_user, which will hide real bugs. >> >> I think this is better than the panic kernel, because the real bugs >> belongs to the user process. Even if the wrong pointer is >> transferred, the page corresponding to the wrong pointer has a memroy >> error. > > I think you have misunderstood my point; I'm talking about the case of a bad > kernel pointer *without* a memory error. > > For example, consider some buggy code such as: > > void __user *uptr = some_valid_user_pointer; > void *kptr = NULL; // or any other bad pointer > > ret = copy_to_user(uptr, kptr, size); > if (ret) > return -EFAULT; > > Before this patch, when copy_to_user() attempted to load from NULL it would > fault, there would be no fixup handler for the LDR, and the kernel would die(), > reporting the bad kernel access. > > After this patch (which adds fixup handlers to all the LDR*s in > copy_to_user()), the fault (which is *not* a memory error) would be handled by > the fixup handler, and copy_to_user() would return an error without *any* > indication of the horrible kernel bug. > > This will hide kernel bugs, which will make those harder to identify and fix, > and will also potentially make it easier to exploit the kernel: if the user > somehow gains control of the kernel pointer, they can rely on the fixup handler > returning an error, and can scan through memory rather than dying as soon as > they pas a bad pointer. I should understand what you mean. I'll think about this and reply. Many thanks. Tong. > >> In addition, the panic information contains necessary information >> for users to check. > > There is no panic() in the case I am describing. > >>> So NAK to this change as-is; likewise for the addition of USER() to other ldr* >>> macros in copy_from_user.S and the addition of USER() str* macros in >>> copy_to_user.S. >>> >>> If we want to handle memory errors on some kaccesses, we need a new EX_TYPE_* >>> separate from the usual EX_TYPE_KACESS_ERR_ZERO that means "handle memory >>> errors, but treat other faults as fatal". That should come with a rationale and >>> explanation of why it's actually useful. >> >> This makes sense. Add kaccess types that can be processed properly. >> >>> >>> [...] >>> >>>> diff --git a/arch/arm64/mm/extable.c b/arch/arm64/mm/extable.c >>>> index 478e639f8680..28ec35e3d210 100644 >>>> --- a/arch/arm64/mm/extable.c >>>> +++ b/arch/arm64/mm/extable.c >>>> @@ -85,10 +85,10 @@ bool fixup_exception_mc(struct pt_regs *regs) >>>> if (!ex) >>>> return false; >>>> - /* >>>> - * This is not complete, More Machine check safe extable type can >>>> - * be processed here. >>>> - */ >>>> + switch (ex->type) { >>>> + case EX_TYPE_UACCESS_ERR_ZERO: >>>> + return ex_handler_uaccess_err_zero(ex, regs); >>>> + } >>> >>> Please fold this part into the prior patch, and start ogf with *only* handling >>> errors on accesses already marked with EX_TYPE_UACCESS_ERR_ZERO. I think that >>> change would be relatively uncontroversial, and it would be much easier to >>> build atop that. >> >> OK, the two patches will be merged in the next release. > > Thanks. > > Mark. > .