lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YajoDcF3AYJBZ63x@arm.com>
Date:   Thu, 2 Dec 2021 16:09:08 +0000
From:   Catalin Marinas <catalin.marinas@....com>
To:     Mark Rutland <mark.rutland@....com>
Cc:     Linus Torvalds <torvalds@...ux-foundation.org>,
        Andreas Gruenbacher <agruenba@...hat.com>,
        Josef Bacik <josef@...icpanda.com>,
        David Sterba <dsterba@...e.com>,
        Al Viro <viro@...iv.linux.org.uk>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Will Deacon <will@...nel.org>,
        Matthew Wilcox <willy@...radead.org>,
        linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-arm-kernel@...ts.infradead.org, linux-btrfs@...r.kernel.org
Subject: Re: [PATCH v2 3/4] arm64: Add support for user sub-page fault probing

Hi Mark,

On Wed, Dec 01, 2021 at 08:29:06PM +0000, Mark Rutland wrote:
> On Wed, Dec 01, 2021 at 07:37:49PM +0000, Catalin Marinas wrote:
> > +/*
> > + * Return 0 on success, the number of bytes not accessed otherwise.
> > + */
> > +static inline size_t __mte_probe_user_range(const char __user *uaddr,
> > +					    size_t size, bool skip_first)
> > +{
> > +	const char __user *end = uaddr + size;
> > +	int err = 0;
> > +	char val;
> > +
> > +	uaddr = PTR_ALIGN_DOWN(uaddr, MTE_GRANULE_SIZE);
> > +	if (skip_first)
> > +		uaddr += MTE_GRANULE_SIZE;
> 
> Do we need the skipping for a functional reason, or is that an optimization?

An optimisation and very likely not noticeable. Given that we'd do a read
following a put_user() or get_user() earlier, the cacheline was
allocated and another load may be nearly as fast as the uaddr increment.

> From the comments in probe_subpage_writeable() and
> probe_subpage_safe_writeable() I wasn't sure if the skipping was because we
> *don't need to* check the first granule, or because we *must not* check the
> first granule.

The "don't need to" part. But thinking about this, I'll just drop it as
it's confusing.

> > +	while (uaddr < end) {
> > +		/*
> > +		 * A read is sufficient for MTE, the caller should have probed
> > +		 * for the pte write permission if required.
> > +		 */
> > +		__raw_get_user(val, uaddr, err);
> > +		if (err)
> > +			return end - uaddr;
> > +		uaddr += MTE_GRANULE_SIZE;
> > +	}
> 
> I think we may need to account for the residue from PTR_ALIGN_DOWN(), or we can
> report more bytes not copied than was passed in `size` in the first place,
> which I think might confused some callers.
> 
> Consider MTE_GRANULE_SIZE is 16, uaddr is 31, and size is 1 (so end is 32). We
> align uaddr down to 16, and if we fail the first access we return (32 - 16),
> i.e. 16.

Good point. This is fine if we skip the first byte but not otherwise.
Planning to fold in this diff:

diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
index bcbd24b97917..213b30841beb 100644
--- a/arch/arm64/include/asm/uaccess.h
+++ b/arch/arm64/include/asm/uaccess.h
@@ -451,15 +451,17 @@ static inline int __copy_from_user_flushcache(void *dst, const void __user *src,
  * Return 0 on success, the number of bytes not accessed otherwise.
  */
 static inline size_t __mte_probe_user_range(const char __user *uaddr,
-					    size_t size, bool skip_first)
+					    size_t size)
 {
 	const char __user *end = uaddr + size;
 	int err = 0;
 	char val;
 
-	uaddr = PTR_ALIGN_DOWN(uaddr, MTE_GRANULE_SIZE);
-	if (skip_first)
-		uaddr += MTE_GRANULE_SIZE;
+	__raw_get_user(val, uaddr, err);
+	if (err)
+		return size;
+
+	uaddr = PTR_ALIGN(uaddr, MTE_GRANULE_SIZE);
 	while (uaddr < end) {
 		/*
 		 * A read is sufficient for MTE, the caller should have probed
@@ -480,8 +482,7 @@ static inline size_t probe_subpage_writeable(const void __user *uaddr,
 {
 	if (!system_supports_mte())
 		return 0;
-	/* first put_user() done in the caller */
-	return __mte_probe_user_range(uaddr, size, true);
+	return __mte_probe_user_range(uaddr, size);
 }
 
 static inline size_t probe_subpage_safe_writeable(const void __user *uaddr,
@@ -489,8 +490,7 @@ static inline size_t probe_subpage_safe_writeable(const void __user *uaddr,
 {
 	if (!system_supports_mte())
 		return 0;
-	/* the caller used GUP, don't skip the first granule */
-	return __mte_probe_user_range(uaddr, size, false);
+	return __mte_probe_user_range(uaddr, size);
 }
 
 static inline size_t probe_subpage_readable(const void __user *uaddr,
@@ -498,8 +498,7 @@ static inline size_t probe_subpage_readable(const void __user *uaddr,
 {
 	if (!system_supports_mte())
 		return 0;
-	/* first get_user() done in the caller */
-	return __mte_probe_user_range(uaddr, size, true);
+	return __mte_probe_user_range(uaddr, size);
 }
 
 #endif /* CONFIG_ARCH_HAS_SUBPAGE_FAULTS */

-- 
Catalin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ