Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp1380695iob; Thu, 19 May 2022 05:34:56 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzIZ8K2Dyq5x8OkfNxYWGhDmZr94mNY+HRYBfCq1I6HALoDj/regcXL2I9Gm8xzkJcad7s8 X-Received: by 2002:a17:907:3f95:b0:6f4:f45a:9f66 with SMTP id hr21-20020a1709073f9500b006f4f45a9f66mr3975324ejc.544.1652963696038; Thu, 19 May 2022 05:34:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1652963696; cv=none; d=google.com; s=arc-20160816; b=C/RC5LVjGnOU5uQBA0cpEtgmhjMWxi64t5SEXT28Gp/W1POmpl0JqzH7M25GWtMwVg GCz5CC2p1nH52kpnpH7ITb8og//5GJ6UgQ0mjQ0DVoG9+U5W5EJHpCb+tKDpliRa4ZOY tCtNayZh2AoJ2isQ/1Fxcmvxi5Iwh0n94zG73gIRwFyNcHV7VrBxVTzXQvp1xCtCtKOr oOHIG6C94uSAFckwIScHy/H+OpINSPBxXej12JGSbL9pC0OsJM2BhEQcjIkXln61cm7M 9R3thEu+4dfRrzRnBPU3HV5tcVRnoiAAV73KY9Iugb9hl1zo86CcXDExYNJHvnLKSU7j iPKg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:subject:user-agent:mime-version:date:message-id; bh=sKlfT5ZkxvV8m/6xw3OpUrmQMIzjKm27Dr40zVa6AOY=; b=Osdm35h6hYYMIA1+BA7oRntZmwNLMqWIs7N9z/2u8xDfCnD02b0QvsrVAS/D55eeZ6 60aIYh9OAKEXjfX7HjmTOh5dg7CVCpF+VB3ywS1uzHTK7Xo/ltnG1HB8ep/3kYgeg7ge DBGCNLIEo41z6mbnwxNNiskqZAO8L6hZqqudXKsZDIqdPnbE77N6ITAzKcCmm1IUF5SK EPoBxeHX6pVp4qV2B4Oq1UVYbgCLNkrSGUvbzq1U8RQoIxxWpjn1cnIgE0B1xJAUwmJE LUAirXCFDUCEGqjGVyqim6tmuURytUqnS23LKpPCnmACTigtSIBpy8YssViL2o3sndb5 5OiQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id bc12-20020a056402204c00b0042aa68f763asi4743724edb.595.2022.05.19.05.34.28; Thu, 19 May 2022 05:34:56 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234115AbiESGxY (ORCPT + 99 others); Thu, 19 May 2022 02:53:24 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40752 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230174AbiESGxV (ORCPT ); Thu, 19 May 2022 02:53:21 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 849129859D for ; Wed, 18 May 2022 23:53:19 -0700 (PDT) Received: from kwepemi500012.china.huawei.com (unknown [172.30.72.56]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4L3gXB3kSbzhYlT; Thu, 19 May 2022 14:52:26 +0800 (CST) Received: from kwepemm600017.china.huawei.com (7.193.23.234) by kwepemi500012.china.huawei.com (7.221.188.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Thu, 19 May 2022 14:53:17 +0800 Received: from [10.174.179.234] (10.174.179.234) by kwepemm600017.china.huawei.com (7.193.23.234) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.24; Thu, 19 May 2022 14:53:15 +0800 Message-ID: Date: Thu, 19 May 2022 14:53:14 +0800 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.8.0 Subject: Re: [PATCH -next v4 4/7] arm64: add copy_{to, from}_user to machine check safe To: Mark Rutland CC: James Morse , Andrew Morton , Thomas Gleixner , "Ingo Molnar" , Borislav Petkov , Robin Murphy , Dave Hansen , "Catalin Marinas" , Will Deacon , "Alexander Viro" , Michael Ellerman , Benjamin Herrenschmidt , Paul Mackerras , , "H . Peter Anvin" , , , , , Kefeng Wang , Xie XiuQi , Guohanjun References: <20220420030418.3189040-1-tongtiangen@huawei.com> <20220420030418.3189040-5-tongtiangen@huawei.com> From: Tong Tiangen In-Reply-To: Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 8bit X-Originating-IP: [10.174.179.234] X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To kwepemm600017.china.huawei.com (7.193.23.234) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-6.3 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 在 2022/5/13 23:31, Mark Rutland 写道: > On Wed, Apr 20, 2022 at 03:04:15AM +0000, Tong Tiangen wrote: >> Add copy_{to, from}_user() to machine check safe. >> >> If copy fail due to hardware memory error, only the relevant processes are >> affected, so killing the user process and isolate the user page with >> hardware memory errors is a more reasonable choice than kernel panic. >> >> Add new extable type EX_TYPE_UACCESS_MC which can be used for uaccess that >> can be recovered from hardware memory errors. > > I don't understand why we need this. > > If we apply EX_TYPE_UACCESS consistently to *all* user accesses, and > *only* to user accesses, that would *always* indicate that we can > recover, and that seems much simpler to deal with. > > Today we use EX_TYPE_UACCESS_ERR_ZERO for kernel accesses in a couple of > cases, which we should clean up, and we user EX_TYPE_FIXUP for a couple > of user accesses, but those could easily be converted over. > >> The x16 register is used to save the fixup type in copy_xxx_user which >> used extable type EX_TYPE_UACCESS_MC. This is dicussed on patch patch 3/7. > > Why x16? > > How is this intended to be consumed, and why is that behaviour different > from any *other* fault? > > Mark. This is to distinguish EX_TYPE_FIXUP, if this exception is triggered, in fixup processing, it is needed to copy by byte, but if exception is triggered by machine check, the data does not need to be copied again. So we need one place to store exception type, Therefore, X16 that is not currently used in copy_from/to_user is selected. Maybe better to use exception_table_entry->data to pass the register that needs to be set? Thanks, Tong. > >> Signed-off-by: Tong Tiangen >> --- >> arch/arm64/include/asm/asm-extable.h | 14 ++++++++++++++ >> arch/arm64/include/asm/asm-uaccess.h | 15 ++++++++++----- >> arch/arm64/lib/copy_from_user.S | 18 +++++++++++------- >> arch/arm64/lib/copy_to_user.S | 18 +++++++++++------- >> arch/arm64/mm/extable.c | 18 ++++++++++++++---- >> 5 files changed, 60 insertions(+), 23 deletions(-) >> >> diff --git a/arch/arm64/include/asm/asm-extable.h b/arch/arm64/include/asm/asm-extable.h >> index c39f2437e08e..75b2c00e9523 100644 >> --- a/arch/arm64/include/asm/asm-extable.h >> +++ b/arch/arm64/include/asm/asm-extable.h >> @@ -2,12 +2,18 @@ >> #ifndef __ASM_ASM_EXTABLE_H >> #define __ASM_ASM_EXTABLE_H >> >> +#define FIXUP_TYPE_NORMAL 0 >> +#define FIXUP_TYPE_MC 1 >> + >> #define EX_TYPE_NONE 0 >> #define EX_TYPE_FIXUP 1 >> #define EX_TYPE_BPF 2 >> #define EX_TYPE_UACCESS_ERR_ZERO 3 >> #define EX_TYPE_LOAD_UNALIGNED_ZEROPAD 4 >> >> +/* _MC indicates that can fixup from machine check errors */ >> +#define EX_TYPE_UACCESS_MC 5 >> + >> #ifdef __ASSEMBLY__ >> >> #define __ASM_EXTABLE_RAW(insn, fixup, type, data) \ >> @@ -27,6 +33,14 @@ >> __ASM_EXTABLE_RAW(\insn, \fixup, EX_TYPE_FIXUP, 0) >> .endm >> >> +/* >> + * Create an exception table entry for `insn`, which will branch to `fixup` >> + * when an unhandled fault(include sea fault) is taken. >> + */ >> + .macro _asm_extable_uaccess_mc, insn, fixup >> + __ASM_EXTABLE_RAW(\insn, \fixup, EX_TYPE_UACCESS_MC, 0) >> + .endm >> + >> /* >> * Create an exception table entry for `insn` if `fixup` is provided. Otherwise >> * do nothing. >> diff --git a/arch/arm64/include/asm/asm-uaccess.h b/arch/arm64/include/asm/asm-uaccess.h >> index 0557af834e03..6c23c138e1fc 100644 >> --- a/arch/arm64/include/asm/asm-uaccess.h >> +++ b/arch/arm64/include/asm/asm-uaccess.h >> @@ -63,6 +63,11 @@ alternative_else_nop_endif >> 9999: x; \ >> _asm_extable 9999b, l >> >> + >> +#define USER_MC(l, x...) \ >> +9999: x; \ >> + _asm_extable_uaccess_mc 9999b, l >> + >> /* >> * Generate the assembly for LDTR/STTR with exception table entries. >> * This is complicated as there is no post-increment or pair versions of the >> @@ -73,8 +78,8 @@ alternative_else_nop_endif >> 8889: ldtr \reg2, [\addr, #8]; >> add \addr, \addr, \post_inc; >> >> - _asm_extable 8888b,\l; >> - _asm_extable 8889b,\l; >> + _asm_extable_uaccess_mc 8888b, \l; >> + _asm_extable_uaccess_mc 8889b, \l; >> .endm >> >> .macro user_stp l, reg1, reg2, addr, post_inc >> @@ -82,14 +87,14 @@ alternative_else_nop_endif >> 8889: sttr \reg2, [\addr, #8]; >> add \addr, \addr, \post_inc; >> >> - _asm_extable 8888b,\l; >> - _asm_extable 8889b,\l; >> + _asm_extable_uaccess_mc 8888b,\l; >> + _asm_extable_uaccess_mc 8889b,\l; >> .endm >> >> .macro user_ldst l, inst, reg, addr, post_inc >> 8888: \inst \reg, [\addr]; >> add \addr, \addr, \post_inc; >> >> - _asm_extable 8888b,\l; >> + _asm_extable_uaccess_mc 8888b, \l; >> .endm >> #endif >> diff --git a/arch/arm64/lib/copy_from_user.S b/arch/arm64/lib/copy_from_user.S >> index 34e317907524..480cc5ac0a8d 100644 >> --- a/arch/arm64/lib/copy_from_user.S >> +++ b/arch/arm64/lib/copy_from_user.S >> @@ -25,7 +25,7 @@ >> .endm >> >> .macro strb1 reg, ptr, val >> - strb \reg, [\ptr], \val >> + USER_MC(9998f, strb \reg, [\ptr], \val) >> .endm >> >> .macro ldrh1 reg, ptr, val >> @@ -33,7 +33,7 @@ >> .endm >> >> .macro strh1 reg, ptr, val >> - strh \reg, [\ptr], \val >> + USER_MC(9998f, strh \reg, [\ptr], \val) >> .endm >> >> .macro ldr1 reg, ptr, val >> @@ -41,7 +41,7 @@ >> .endm >> >> .macro str1 reg, ptr, val >> - str \reg, [\ptr], \val >> + USER_MC(9998f, str \reg, [\ptr], \val) >> .endm >> >> .macro ldp1 reg1, reg2, ptr, val >> @@ -49,11 +49,12 @@ >> .endm >> >> .macro stp1 reg1, reg2, ptr, val >> - stp \reg1, \reg2, [\ptr], \val >> + USER_MC(9998f, stp \reg1, \reg2, [\ptr], \val) >> .endm >> >> -end .req x5 >> -srcin .req x15 >> +end .req x5 >> +srcin .req x15 >> +fixup_type .req x16 >> SYM_FUNC_START(__arch_copy_from_user) >> add end, x0, x2 >> mov srcin, x1 >> @@ -62,7 +63,10 @@ SYM_FUNC_START(__arch_copy_from_user) >> ret >> >> // Exception fixups >> -9997: cmp dst, dstin >> + // x16: fixup type written by ex_handler_uaccess_mc >> +9997: cmp fixup_type, #FIXUP_TYPE_MC >> + b.eq 9998f >> + cmp dst, dstin >> b.ne 9998f >> // Before being absolutely sure we couldn't copy anything, try harder >> USER(9998f, ldtrb tmp1w, [srcin]) >> diff --git a/arch/arm64/lib/copy_to_user.S b/arch/arm64/lib/copy_to_user.S >> index 802231772608..021a7d27b3a4 100644 >> --- a/arch/arm64/lib/copy_to_user.S >> +++ b/arch/arm64/lib/copy_to_user.S >> @@ -20,7 +20,7 @@ >> * x0 - bytes not copied >> */ >> .macro ldrb1 reg, ptr, val >> - ldrb \reg, [\ptr], \val >> + USER_MC(9998f, ldrb \reg, [\ptr], \val) >> .endm >> >> .macro strb1 reg, ptr, val >> @@ -28,7 +28,7 @@ >> .endm >> >> .macro ldrh1 reg, ptr, val >> - ldrh \reg, [\ptr], \val >> + USER_MC(9998f, ldrh \reg, [\ptr], \val) >> .endm >> >> .macro strh1 reg, ptr, val >> @@ -36,7 +36,7 @@ >> .endm >> >> .macro ldr1 reg, ptr, val >> - ldr \reg, [\ptr], \val >> + USER_MC(9998f, ldr \reg, [\ptr], \val) >> .endm >> >> .macro str1 reg, ptr, val >> @@ -44,15 +44,16 @@ >> .endm >> >> .macro ldp1 reg1, reg2, ptr, val >> - ldp \reg1, \reg2, [\ptr], \val >> + USER_MC(9998f, ldp \reg1, \reg2, [\ptr], \val) >> .endm >> >> .macro stp1 reg1, reg2, ptr, val >> user_stp 9997f, \reg1, \reg2, \ptr, \val >> .endm >> >> -end .req x5 >> -srcin .req x15 >> +end .req x5 >> +srcin .req x15 >> +fixup_type .req x16 >> SYM_FUNC_START(__arch_copy_to_user) >> add end, x0, x2 >> mov srcin, x1 >> @@ -61,7 +62,10 @@ SYM_FUNC_START(__arch_copy_to_user) >> ret >> >> // Exception fixups >> -9997: cmp dst, dstin >> + // x16: fixup type written by ex_handler_uaccess_mc >> +9997: cmp fixup_type, #FIXUP_TYPE_MC >> + b.eq 9998f >> + cmp dst, dstin >> b.ne 9998f >> // Before being absolutely sure we couldn't copy anything, try harder >> ldrb tmp1w, [srcin] >> diff --git a/arch/arm64/mm/extable.c b/arch/arm64/mm/extable.c >> index 4f0083a550d4..525876c3ebf4 100644 >> --- a/arch/arm64/mm/extable.c >> +++ b/arch/arm64/mm/extable.c >> @@ -24,6 +24,14 @@ static bool ex_handler_fixup(const struct exception_table_entry *ex, >> return true; >> } >> >> +static bool ex_handler_uaccess_type(const struct exception_table_entry *ex, >> + struct pt_regs *regs, >> + unsigned long fixup_type) >> +{ >> + regs->regs[16] = fixup_type; >> + return ex_handler_fixup(ex, regs); >> +} >> + >> static bool ex_handler_uaccess_err_zero(const struct exception_table_entry *ex, >> struct pt_regs *regs) >> { >> @@ -75,6 +83,8 @@ bool fixup_exception(struct pt_regs *regs) >> switch (ex->type) { >> case EX_TYPE_FIXUP: >> return ex_handler_fixup(ex, regs); >> + case EX_TYPE_UACCESS_MC: >> + return ex_handler_uaccess_type(ex, regs, FIXUP_TYPE_NORMAL); >> case EX_TYPE_BPF: >> return ex_handler_bpf(ex, regs); >> case EX_TYPE_UACCESS_ERR_ZERO: >> @@ -94,10 +104,10 @@ bool fixup_exception_mc(struct pt_regs *regs) >> if (!ex) >> return false; >> >> - /* >> - * This is not complete, More Machine check safe extable type can >> - * be processed here. >> - */ >> + switch (ex->type) { >> + case EX_TYPE_UACCESS_MC: >> + return ex_handler_uaccess_type(ex, regs, FIXUP_TYPE_MC); >> + } >> >> return false; >> } >> -- >> 2.25.1 >> > .