From: Jinjie Ruan
Subject: [PATCH v5.15 00/15] arm64: Fix a concurrency issue in emulation_proc_handler()
Date: Wed, 11 Oct 2023 10:06:40 +0000
Message-ID: <20231011100655.979626-1-ruanjinjie@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

In linux-6.1, the related code is refactored in commit 124c49b1b5d9 ("arm64: armv8_deprecated: rework deprected instruction handling") and this issue was incidentally fixed. This patch set tries to adapt the refactoring patches to stable 5.15 to solve the problem of repeated addition to linked lists described below.

How to reproduce: with CONFIG_ARMV8_DEPRECATED=y, CONFIG_SWP_EMULATION=y and CONFIG_DEBUG_LIST=y, launch two shell executions of:

    #!/bin/bash
    while [ 1 ]; do
        echo 1 > /proc/sys/abi/swp
    done

or run "echo 1 > /proc/sys/abi/swp" once and then launch two shell executions of:

    #!/bin/bash
    while [ 1 ]; do
        echo 0 > /proc/sys/abi/swp
    done

In emulation_proc_handler(), read and write operations are performed on insn->current_mode. In the concurrent scenario, the mutex only protects the write of insn->current_mode; it does not protect the read.
Suppose there are two concurrent tasks: task1 updates insn->current_mode to INSN_EMULATE in the critical section, while the prev_mode of task2 is still the old value INSN_UNDEF read from insn->current_mode. As a result, the two tasks call update_insn_emulation_mode() twice with prev_mode = INSN_UNDEF and current_mode = INSN_EMULATE, then call register_emulation_hooks() twice, resulting in a double list_add.

Commit 124c49b1b5d9 ("arm64: armv8_deprecated: rework deprected instruction handling") removes the dynamic registration and unregistration and with it the register_undef_hook() function, so the problem below was incidentally fixed.

Call trace:
 __list_add_valid+0xd8/0xe4
 register_undef_hook+0x94/0x13c
 update_insn_emulation_mode+0xd0/0x12c
 emulation_proc_handler+0xd8/0xf4
 proc_sys_call_handler+0x140/0x250
 proc_sys_write+0x1c/0x2c
 new_sync_write+0xec/0x18c
 vfs_write+0x214/0x2ac
 ksys_write+0x70/0xfc
 __arm64_sys_write+0x24/0x30
 el0_svc_common.constprop.0+0x7c/0x1bc
 do_el0_svc+0x2c/0x94
 el0_svc+0x20/0x30
 el0_sync_handler+0xb0/0xb4
 el0_sync+0x160/0x180

Call trace:
 __list_del_entry_valid+0xac/0x110
 unregister_undef_hook+0x34/0x80
 update_insn_emulation_mode+0xf0/0x180
 emulation_proc_handler+0x8c/0xd8
 proc_sys_call_handler+0x1d8/0x208
 proc_sys_write+0x14/0x20
 new_sync_write+0xf0/0x190
 vfs_write+0x304/0x388
 ksys_write+0x6c/0x100
 __arm64_sys_write+0x1c/0x28
 el0_svc_common.constprop.4+0x68/0x188
 do_el0_svc+0x24/0xa0
 el0_svc+0x14/0x20
 el0_sync_handler+0x90/0xb8
 el0_sync+0x160/0x180

The first 5 patches are a patch set which provides context for the subsequent 9 refactoring patches, especially commit 0f2cb928a154 ("arm64: consistently pass ESR_ELx to die()"), which modifies do_undefinstr() to add an ESR_ELx value argument, and then commit 61d64a376ea8 ("arm64: split EL0/EL1 UNDEF handlers"), which splits the do_undefinstr() handler into separate do_el0_undef() and do_el1_undef() handlers.
The 9 patches after that are another refactoring patch set, in preparation for the main rework commit 124c49b1b5d9 ("arm64: armv8_deprecated: rework deprected instruction handling"). To remove struct undef_hook, commit bff8f413c71f ("arm64: factor out EL1 SSBS emulation hook") factors out the EL1 SSBS emulation hook, which also avoids calling call_undef_hook() in do_el1_undef(), and commit f5962add74b6 ("arm64: rework EL0 MRS emulation") factors out the EL0 MRS emulation hook, which also prepares for replacing call_undef_hook() in do_el0_undef(). To replace the call_undef_hook() function, commit 61d64a376ea8 ("arm64: split EL0/EL1 UNDEF handlers") splits do_undefinstr() into do_el0_undef() and do_el1_undef(), and commit dbfbd87efa79 ("arm64: factor insn read out of call_undef_hook()") factors user_insn_read() out of call_undef_hook() so that the main rework patch can replace call_undef_hook() in do_el0_undef(). The last patch is a bugfix for the main rework patch.

I've tested this with userspace programs which use each of the deprecated instructions on Raspberry Pi 4B KVM/Qemu, and I've concurrently modified the support level for each of the features back and forth between HW and emulated to check that there are no oops or the repeated addition or deletion call traces above.
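The interleaving described above, as an added user-space model (example code, not the kernel's or this series' code): the names mirror the kernel's identifiers, but the hook list, the "swp" entry, the counter standing in for insn_emulation_mutex and the checked list operations are all simplified constructions, and the two tasks' steps are forced by hand rather than raced on real threads. run_two_writers() replays both traces from the cover letter (two "echo 1" writers double-adding, two "echo 0" writers double-deleting) and, for contrast, a variant that samples prev_mode inside the critical section; that variant is only an illustration of why the unlocked read is the root cause, not what the series does, which removes dynamic registration altogether.

```c
/* Added example, not kernel code: a user-space model of the emulation_proc_handler()
 * race. The mutex is a counter and the two tasks' steps are interleaved by hand. */
#include <stdbool.h>
#include <stddef.h>

enum insn_emulation_mode { INSN_UNDEF, INSN_EMULATE, INSN_HW };
struct list_head { struct list_head *next, *prev; };

struct insn_emulation {
    enum insn_emulation_mode current_mode;
    struct list_head hook;                   /* undef hook owned by this emulation */
};
struct task { enum insn_emulation_mode prev_mode; };  /* a stack local in the kernel */

static struct list_head undef_hooks;         /* stands in for the kernel's hook list */
static struct insn_emulation swp_emulation;  /* constructed: the "swp" sysctl entry */
static int debug_list_errors;                /* what CONFIG_DEBUG_LIST would report */
static int mutex_held;                       /* stands in for insn_emulation_mutex */

static void mutex_lock(void)   { mutex_held++; }
static void mutex_unlock(void) { mutex_held--; }

/* Checked insert in the spirit of __list_add_valid(): an already linked node is
 * counted as an error instead of being added a second time. */
static void list_add_checked(struct list_head *node, struct list_head *head)
{
    if (node->next || node->prev) { debug_list_errors++; return; }
    node->next = head->next; node->prev = head;
    head->next->prev = node; head->next = node;
}

/* Checked delete in the spirit of __list_del_entry_valid(). */
static void list_del_checked(struct list_head *node)
{
    if (!node->next || !node->prev) { debug_list_errors++; return; }
    node->prev->next = node->next; node->next->prev = node->prev;
    node->next = node->prev = NULL;
}

/* update_insn_emulation_mode(), reduced to the hook (un)registration. */
static void update_insn_emulation_mode(struct insn_emulation *insn,
                                       enum insn_emulation_mode prev)
{
    if (prev == INSN_EMULATE)
        list_del_checked(&insn->hook);               /* remove_emulation_hooks() */
    if (insn->current_mode == INSN_EMULATE)
        list_add_checked(&insn->hook, &undef_hooks); /* register_emulation_hooks() */
}

/* Body of the handler's critical section: the sysctl write and the transition. */
static void commit_mode(struct task *t, struct insn_emulation *insn,
                        enum insn_emulation_mode new_mode)
{
    insn->current_mode = new_mode;                   /* proc_dointvec_minmax() */
    if (t->prev_mode != insn->current_mode)
        update_insn_emulation_mode(insn, t->prev_mode);
}

/* Two tasks both write new_mode starting from initial_mode. With read_under_lock
 * false both sample prev_mode before either locks (the 5.15 interleaving); with it
 * true the sample is taken inside the critical section (an illustrative fix only;
 * the series instead removes dynamic registration). Returns the list error count. */
int run_two_writers(enum insn_emulation_mode initial_mode,
                    enum insn_emulation_mode new_mode, bool read_under_lock)
{
    struct insn_emulation *insn = &swp_emulation;
    struct task t1, t2;

    undef_hooks.next = undef_hooks.prev = &undef_hooks;
    insn->hook.next = insn->hook.prev = NULL;
    insn->current_mode = initial_mode;
    debug_list_errors = 0;
    if (initial_mode == INSN_EMULATE)
        list_add_checked(&insn->hook, &undef_hooks);

    if (read_under_lock) {
        mutex_lock(); t1.prev_mode = insn->current_mode; commit_mode(&t1, insn, new_mode); mutex_unlock();
        mutex_lock(); t2.prev_mode = insn->current_mode; commit_mode(&t2, insn, new_mode); mutex_unlock();
    } else {
        t1.prev_mode = insn->current_mode;           /* read before the lock ... */
        t2.prev_mode = insn->current_mode;           /* ... so task2 still sees the old mode */
        mutex_lock(); commit_mode(&t1, insn, new_mode); mutex_unlock();
        mutex_lock(); commit_mode(&t2, insn, new_mode); mutex_unlock();
    }
    return debug_list_errors;
}

/* Number of hooks currently on the list (the checked list stays walkable). */
int hooks_registered(void)
{
    int n = 0;
    if (!undef_hooks.next)
        return 0;
    for (struct list_head *p = undef_hooks.next; p != &undef_hooks; p = p->next)
        n++;
    return n;
}
```

With the unlocked read, run_two_writers(INSN_UNDEF, INSN_EMULATE, false) reports one error from the second list_add_checked() call, which is the __list_add_valid trace, and run_two_writers(INSN_EMULATE, INSN_UNDEF, false) reports one from the second list_del_checked() call, the __list_del_entry_valid trace; the same two writes with read_under_lock set report none, because the second task's prev_mode already equals the new mode and the transition is skipped.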
Fixes: af483947d472 ("arm64: fix oops in concurrently setting insn_emulation sysctls")
Cc: stable@vger.kernel.org # 5.15.x
Cc: gregkh@linuxfoundation.org
Signed-off-by: Jinjie Ruan

Mark Rutland (14):
  arm64: report EL1 UNDEFs better
  arm64: die(): pass 'err' as long
  arm64: consistently pass ESR_ELx to die()
  arm64: rework FPAC exception handling
  arm64: rework BTI exception handling
  arm64: allow kprobes on EL0 handlers
  arm64: split EL0/EL1 UNDEF handlers
  arm64: factor out EL1 SSBS emulation hook
  arm64: factor insn read out of call_undef_hook()
  arm64: rework EL0 MRS emulation
  arm64: armv8_deprecated: fold ops into insn_emulation
  arm64: armv8_deprecated move emulation functions
  arm64: armv8_deprecated: move aarch32 helper earlier
  arm64: armv8_deprecated: rework deprected instruction handling

Ren Zhijie (1):
  arm64: armv8_deprecated: fix unused-function error

 arch/arm64/include/asm/cpufeature.h  |   3 +-
 arch/arm64/include/asm/exception.h   |  13 +-
 arch/arm64/include/asm/spectre.h     |   2 +
 arch/arm64/include/asm/system_misc.h |   2 +-
 arch/arm64/include/asm/traps.h       |  19 +-
 arch/arm64/kernel/armv8_deprecated.c | 572 +++++++++++++--------------
 arch/arm64/kernel/cpufeature.c       |  23 +-
 arch/arm64/kernel/entry-common.c     |  36 +-
 arch/arm64/kernel/proton-pack.c      |  26 +-
 arch/arm64/kernel/traps.c            | 125 +++---
 10 files changed, 396 insertions(+), 425 deletions(-)

-- 
2.34.1