Message-ID: <100198dd-320f-68e6-9c09-210620940a74@huawei.com>
Date: Sun, 18 Feb 2024 18:08:14 +0800
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: Re: [PATCH -next v5 2/3] x86/mce: set MCE_IN_KERNEL_COPYIN for DEFAULT_MCE_SAFE exception
From: Tong Tiangen
To: Borislav Petkov
CC: Thomas Gleixner, Ingo Molnar, Dave Hansen, "H. Peter Anvin", Tony Luck, Andy Lutomirski, Peter Zijlstra, Andrew Morton, Naoya Horiguchi, Guohanjun
References: <20240204082627.3892816-1-tongtiangen@huawei.com> <20240204082627.3892816-3-tongtiangen@huawei.com> <20240207122942.GRZcN3tqWkV-WE-pak@fat_crate.local>
In-Reply-To: <20240207122942.GRZcN3tqWkV-WE-pak@fat_crate.local>

On 2024/2/7 20:29, Borislav Petkov wrote:
> On Sun, Feb 04, 2024 at 04:26:26PM +0800, Tong Tiangen wrote:
>> diff --git a/arch/x86/kernel/cpu/mce/severity.c b/arch/x86/kernel/cpu/mce/severity.c >> index bca780fa5e57..b2cce1b6c96d 100644 >> --- a/arch/x86/kernel/cpu/mce/severity.c >> +++ b/arch/x86/kernel/cpu/mce/severity.c
>> @@ -292,11 +292,11 @@ static noinstr int error_context(struct mce *m, struct pt_regs *regs) >> case EX_TYPE_UACCESS: >> if (!copy_user) >> return IN_KERNEL; >> + fallthrough; >> + case EX_TYPE_DEFAULT_MCE_SAFE: >> m->kflags |= MCE_IN_KERNEL_COPYIN; >> fallthrough;
>
> I knew something was still bugging me here and this is still wrong.
>
> Let's imagine this flow:
>
> copy_mc_to_user() - note *src is kernel memory
>  |-> copy_mc_enhanced_fast_string or copy_mc_fragile - it's the same thing
>   |-> -#MC, exception type EX_TYPE_DEFAULT_MCE_SAFE
>    |-> error_context():
>        case EX_TYPE_DEFAULT_MCE_SAFE:
>          m->kflags |= MCE_IN_KERNEL_COPYIN;
>
> MCE_IN_KERNEL_COPYIN does kill_me_never():
>
>     pr_err("Kernel accessed poison in user space at %llx\n", p->mce_addr);
>
> but that's reading from kernel memory!

Hi:

1. copy_mc_to_kernel() is used in the coredump, KSM, and COW scenarios. In these scenarios, the src mem stores the user data and the kernel uses a kernel address to access the src mem (using kmap()).

2. The src mem of copy_mc_to_user() is currently only used by DAX:

  dax_iomap_iter()
    -> dax_copy_to_iter()
      -> _copy_mc_to_iter
        -> copy_to_user_iter_mc()
          -> copy_mc_to_user()

DAX is also used to store user data, such as pmem; pmem uses a kernel address to access src mem (memremap_pages()):

  pmem_attach_disk()
    -> devm_memremap_pages()
      -> memremap_pages()

3. EX_TYPE_DEFAULT_MCE_SAFE is only used in copy_mc_to_user()/copy_mc_to_kernel().

4. Therefore, for EX_TYPE_DEFAULT_MCE_SAFE, the memory page where the hardware error occurs stores user data, and these pages can be securely isolated. This is different from UACCESS, which can be securely isolated only if COPYIN (the src mem is user data) is checked.

Based on the above understanding, I think the original logic should be fine, except for the pr_err() in kill_me_never().

Thanks.
Tong.
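Review bot: In the `error_context()` hunk, the new `case EX_TYPE_DEFAULT_MCE_SAFE:` label is placed below `if (!copy_user) return IN_KERNEL;`, so that exception type sets `MCE_IN_KERNEL_COPYIN` with no check of the copy direction, while `EX_TYPE_UACCESS` is still filtered by `copy_user`. If that is intended, the hunk needs a comment at the new label stating why every `EX_TYPE_DEFAULT_MCE_SAFE` fault may be treated as a copy-in, and the "Kernel accessed poison in user space" message that this flag leads to should be reworded for a source reached through a kernel address; otherwise move the label above the `copy_user` check so both types share it.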
>
> IOW, I *think* that switch statement should be this:
>
>     switch (fixup_type) {
>     case EX_TYPE_UACCESS:
>     case EX_TYPE_DEFAULT_MCE_SAFE:
>         if (!copy_user)
>             return IN_KERNEL;
>
>         m->kflags |= MCE_IN_KERNEL_COPYIN;
>         fallthrough;
>
>     case EX_TYPE_FAULT_MCE_SAFE:
>         m->kflags |= MCE_IN_KERNEL_RECOV;
>         return IN_KERNEL_RECOV;
>
>     default:
>         return IN_KERNEL;
>     }
>
> Provided I'm not missing a case and provided is_copy_from_user() really
> detects all cases properly.
>
> And then patch 3 is wrong because we only can handle "copy in" - not
> just any copy.
>
> Thx.
>
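An added illustration, not code from the patch, the replies or the kernel tree: a user-space C model of the two switch variants discussed in this message, counting the inputs on which they disagree. The flag and enum values are constructed placeholders, `EX_TYPE_NONE` is a hypothetical stand-in for any other fixup type, and the patched switch is assumed to continue into the `EX_TYPE_FAULT_MCE_SAFE` arm shown in the quoted reply.

```c
#include <stdbool.h>
#include <stdio.h>
/* Names are from the thread; the numeric values are constructed placeholders. */
enum fixup { EX_TYPE_NONE, EX_TYPE_UACCESS, EX_TYPE_DEFAULT_MCE_SAFE, EX_TYPE_FAULT_MCE_SAFE };
enum ctx { IN_KERNEL, IN_KERNEL_RECOV };
enum { MCE_IN_KERNEL_RECOV = 0x1, MCE_IN_KERNEL_COPYIN = 0x2 };
/* Switch as changed by the quoted hunk (tail after its last fallthrough assumed). */
static enum ctx ctx_patch(unsigned *kflags, enum fixup t, bool copy_user)
{
    switch (t) {
    case EX_TYPE_UACCESS:
        if (!copy_user) return IN_KERNEL;
        /* fall through */
    case EX_TYPE_DEFAULT_MCE_SAFE:
        *kflags |= MCE_IN_KERNEL_COPYIN;
        /* fall through */
    case EX_TYPE_FAULT_MCE_SAFE:
        *kflags |= MCE_IN_KERNEL_RECOV;
        return IN_KERNEL_RECOV;
    default:
        return IN_KERNEL;
    }
}
/* Switch as proposed in the quoted reply: both types share the copy_user check. */
static enum ctx ctx_reply(unsigned *kflags, enum fixup t, bool copy_user)
{
    switch (t) {
    case EX_TYPE_UACCESS:
    case EX_TYPE_DEFAULT_MCE_SAFE:
        if (!copy_user) return IN_KERNEL;
        *kflags |= MCE_IN_KERNEL_COPYIN;
        /* fall through */
    case EX_TYPE_FAULT_MCE_SAFE:
        *kflags |= MCE_IN_KERNEL_RECOV;
        return IN_KERNEL_RECOV;
    default:
        return IN_KERNEL;
    }
}
/* Count the (fixup type, copy_user) inputs on which the two variants disagree. */
static int count_differences(void)
{
    int n = 0;
    for (int i = 0; i < 8; i++) {   /* 4 fixup types x copy_user {0, 1} */
        unsigned a = 0, b = 0;
        n += ctx_patch(&a, i / 2, i % 2) != ctx_reply(&b, i / 2, i % 2) || a != b;
    }
    return n;
}
int main(void) { printf("differing inputs: %d\n", count_differences()); return 0; }
```

The two variants disagree on one input only: `EX_TYPE_DEFAULT_MCE_SAFE` with `copy_user` false, where the patched switch returns `IN_KERNEL_RECOV` with both flags set and the proposed switch returns `IN_KERNEL` with none.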