Received: by 2002:a05:7412:d1aa:b0:fc:a2b0:25d7 with SMTP id ba42csp957664rdb; Tue, 30 Jan 2024 04:02:32 -0800 (PST) X-Google-Smtp-Source: AGHT+IEI4bt7t4hwbHb/c9w/6MmpbnzNllaKPw+SgvFggXCWSb6wEdarCFhO2OKl2Q02yLkAzQdM X-Received: by 2002:a17:906:f193:b0:a35:45bb:c58c with SMTP id gs19-20020a170906f19300b00a3545bbc58cmr5915763ejb.51.1706616152050; Tue, 30 Jan 2024 04:02:32 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1706616152; cv=pass; d=google.com; s=arc-20160816; b=mQ8Yp0AMQX1+bwyXnv7bJU0wNNfioG6jJ66NaF6LiJ/NEhBhbBjaVSJiUwSyd1kTiU qFMPEQHU5jlt4tri6DOjqoS3aPwRRkThwAqdGmUOTUlRQ+SWRnVJ8XZdBIaLZoePbhBQ EZHM6vBou2xfJyh7I4sbi0DPlFc1WfJferU5A2Jd5AfMZ92Af90jbCaGUsTG/gpp5zk6 M+6V7owIeimNqSNojaKaViqx5p8X6r0HSaYo2iPgCCi7b6FOPHn5nE9rd7J+Ly7ybErl 5brFzYSFDNOq1mtWuHwy6iQKc5eCDKY3A2ffHgIfrHoVJ77QVW7y437+KuiL7eqPJ7B7 FyuQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date; bh=n0WbJbv6fzoimQXx65ShQdRhm3qiZXY+n9VOiK6k8oY=; fh=xeCn5p7qRGCkWwGqNIxKhkXzb8rbqE1yupV31i+mXW8=; b=uFMlKaWmwsP+NP1ECaHs6iWirUVj/BYburDOOxNEi67YHBTXII/orCRF9N11y582Vi IUvzRDw3/8oCG3klPUdPFMPMgdNYu53s8+TdmWiSlTd/HFp882mTvjJn3n2p2OooQABO f6dCcsCqtUMt0YVV95KTuxoBBKt8EFK2QMz1iE/oNSmUY27Lo+Mrju2gMnCaDssTtBZF h2LIYIfcciKpES5LCJ/tZ8VdxGQdNISvcey77Gj09MWf9oeMc45JJcXekNfdM0dZ4L3i 3/Yyf4BeDHNKPRJJKXiYiWcNqBcJ59gngmjXdEmIraGzVLCQe/c6FIux/gvyr9uMFQRL 1eJw== ARC-Authentication-Results: i=2; mx.google.com; arc=pass (i=1 spf=pass spfdomain=arm.com dmarc=pass fromdomain=arm.com); spf=pass (google.com: domain of linux-kernel+bounces-44567-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-44567-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id gv25-20020a170906f11900b00a35fa5c8e77si1081278ejb.630.2024.01.30.04.02.32 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 30 Jan 2024 04:02:32 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-44567-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; arc=pass (i=1 spf=pass spfdomain=arm.com dmarc=pass fromdomain=arm.com); spf=pass (google.com: domain of linux-kernel+bounces-44567-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-44567-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=arm.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 245861F26822 for ; Tue, 30 Jan 2024 12:01:47 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 8B38B67E79; Tue, 30 Jan 2024 12:01:38 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 5506067E6D for ; Tue, 30 Jan 2024 12:01:36 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.140.110.172 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706616098; cv=none; b=MsBq951J5L/uCFdhUsin56hfs1PJ+81xSKKX+evhX7dyvJmxQvXGZIGx4MSGYUsGB0OZx0Jfs7MAuoGaRL9iw7gEyQnMobw7oXD6WH2VzJwJOuvN8sKbKX9jKrnOFHWe82adSqRWGScNrTxxeruvW0e/FXFTrNUX2YZGp/HZCgo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1706616098; c=relaxed/simple; bh=481BpRBp9cVKd8wrjM/xBAlEXnWqNi2ovI4ZoN7a6cY=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=SDjlWev52vsBpym+PPFjBsr3gAIOGHy78FpVFZIeCUeTNb6J/HKy7LmbjARaRuTF0T7ulZ/T4miu5v/BVl5fZeSv7nvy0GLbUOxOXXhMbLSHgFmVt7Gn2Mq+ZqEv/IfGcERPMn43mgvp2X2Q1wFpf/Lk5oudLy/d3HjrICu8jDs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com; spf=pass smtp.mailfrom=arm.com; arc=none smtp.client-ip=217.140.110.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=arm.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=arm.com Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 3DDFDDA7; Tue, 30 Jan 2024 04:02:19 -0800 (PST) Received: from FVFF77S0Q05N (unknown [10.57.48.92]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 57FCA3F762; Tue, 30 Jan 2024 04:01:31 -0800 (PST) Date: Tue, 30 Jan 2024 12:01:26 +0000 From: Mark Rutland To: Tong Tiangen Cc: Catalin Marinas , Will Deacon , James Morse , Robin Murphy , Andrey Ryabinin , Alexander Potapenko , Alexander Viro , Andrey Konovalov , Dmitry Vyukov , Vincenzo Frascino , Andrew Morton , Michael Ellerman , Nicholas Piggin , Christophe Leroy , "Aneesh Kumar K.V" , "Naveen N. Rao" , Thomas Gleixner , Ingo Molnar , Borislav Petkov , Dave Hansen , x86@kernel.org, "H. Peter Anvin" , linux-arm-kernel@lists.infradead.org, linux-mm@kvack.org, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com, wangkefeng.wang@huawei.com, Guohanjun Subject: Re: [PATCH v10 3/6] arm64: add uaccess to machine check safe Message-ID: References: <20240129134652.4004931-1-tongtiangen@huawei.com> <20240129134652.4004931-4-tongtiangen@huawei.com> <23795738-b86e-7709-bc2b-5abba2e77b68@huawei.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <23795738-b86e-7709-bc2b-5abba2e77b68@huawei.com> On Tue, Jan 30, 2024 at 07:14:35PM +0800, Tong Tiangen wrote: > 在 2024/1/30 1:43, Mark Rutland 写道: > > On Mon, Jan 29, 2024 at 09:46:49PM +0800, Tong Tiangen wrote: > > Further, this change will also silently fixup unexpected kernel faults if we > > pass bad kernel pointers to copy_{to,from}_user, which will hide real bugs. > > I think this is better than the panic kernel, because the real bugs > belongs to the user process. Even if the wrong pointer is > transferred, the page corresponding to the wrong pointer has a memroy > error. I think you have misunderstood my point; I'm talking about the case of a bad kernel pointer *without* a memory error. For example, consider some buggy code such as: void __user *uptr = some_valid_user_pointer; void *kptr = NULL; // or any other bad pointer ret = copy_to_user(uptr, kptr, size); if (ret) return -EFAULT; Before this patch, when copy_to_user() attempted to load from NULL it would fault, there would be no fixup handler for the LDR, and the kernel would die(), reporting the bad kernel access. After this patch (which adds fixup handlers to all the LDR*s in copy_to_user()), the fault (which is *not* a memory error) would be handled by the fixup handler, and copy_to_user() would return an error without *any* indication of the horrible kernel bug. This will hide kernel bugs, which will make those harder to identify and fix, and will also potentially make it easier to exploit the kernel: if the user somehow gains control of the kernel pointer, they can rely on the fixup handler returning an error, and can scan through memory rather than dying as soon as they pas a bad pointer. > In addition, the panic information contains necessary information > for users to check. There is no panic() in the case I am describing. > > So NAK to this change as-is; likewise for the addition of USER() to other ldr* > > macros in copy_from_user.S and the addition of USER() str* macros in > > copy_to_user.S. > > > > If we want to handle memory errors on some kaccesses, we need a new EX_TYPE_* > > separate from the usual EX_TYPE_KACESS_ERR_ZERO that means "handle memory > > errors, but treat other faults as fatal". That should come with a rationale and > > explanation of why it's actually useful. > > This makes sense. Add kaccess types that can be processed properly. > > > > > [...] > > > > > diff --git a/arch/arm64/mm/extable.c b/arch/arm64/mm/extable.c > > > index 478e639f8680..28ec35e3d210 100644 > > > --- a/arch/arm64/mm/extable.c > > > +++ b/arch/arm64/mm/extable.c > > > @@ -85,10 +85,10 @@ bool fixup_exception_mc(struct pt_regs *regs) > > > if (!ex) > > > return false; > > > - /* > > > - * This is not complete, More Machine check safe extable type can > > > - * be processed here. > > > - */ > > > + switch (ex->type) { > > > + case EX_TYPE_UACCESS_ERR_ZERO: > > > + return ex_handler_uaccess_err_zero(ex, regs); > > > + } > > > > Please fold this part into the prior patch, and start ogf with *only* handling > > errors on accesses already marked with EX_TYPE_UACCESS_ERR_ZERO. I think that > > change would be relatively uncontroversial, and it would be much easier to > > build atop that. > > OK, the two patches will be merged in the next release. Thanks. Mark.