On 2021-06-24 17:39, Al Viro wrote:
On Thu, Jun 24, 2021 at 05:38:35PM +0100, Robin Murphy wrote:
On 2021-06-24 17:27, Al Viro wrote:
On Thu, Jun 24, 2021 at 02:22:27PM +0100, Robin Murphy wrote:
FWIW I think the only way to make the kernel behaviour any more robust here
would be to make the whole uaccess API more expressive, such that rather
than simply saying "I only got this far" it could actually differentiate
between stopping due to a fault which may be recoverable and worth retrying,
and one which definitely isn't.
... and propagate that "more expressive" information through what, 3 or 4
levels in the call chain?
From include/linux/uaccess.h:
* If raw_copy_{to,from}_user(to, from, size) returns N, size - N bytes starting
* at to must become equal to the bytes fetched from the corresponding area
* starting at from. All data past to + size - N must be left unmodified.
*
* If copying succeeds, the return value must be 0. If some data cannot be
* fetched, it is permitted to copy less than had been fetched; the only
* hard requirement is that not storing anything at all (i.e. returning size)
* should happen only when nothing could be copied. In other words, you don't
* have to squeeze as much as possible - it is allowed, but not necessary.
arm64 instances violate the aforementioned hard requirement. Please, fix
it there; it's not hard. All you need is an exception handler in .Ltiny15
that would fall back to (short) byte-by-byte copy if the faulting address
happened to be unaligned. Or just do one-byte copy, not that it had been
considerably cheaper than a loop. Will be cheaper than propagating that extra
information up the call chain, let alone paying for extra ->write_begin()
and ->write_end() for single byte in generic_perform_write().
And what do we do if we then continue to fault with an external abort
because whatever it is that warranted being mapped as Device-type memory in
the first place doesn't support byte accesses?
If it does not support byte access, it would've failed on fault-in.
OK, if I'm understanding the code correctly and fault-in touches the
exact byte that copy_to_user() is going to start on, and faulting
anywhere *after* that byte is still OK, then that seems mostly workable,
although there are still potential corner cases like a device register
accepting byte reads but not byte writes.
Basically if privileged userspace is going to do dumb things with
mmap()ed MMIO, the kernel can't *guarantee* to save it from itself
without a hell of a lot of invasive work for no other gain. Sure we can
add some extra fallback paths in our arch code for a best-effort attempt
to mitigate alignment faults - revamping the usercopy routines is on my
to-do list so I'll bear this in mind, and I think it's basically the
same idea we mooted some time ago for tag faults anyway - but I'm sure
someone will inevitably still find some new way to trip it up.
Fortunately on modern systems many of the aforementioned dumb things
won't actually fault synchronously, so even if triggered by a usercopy
accesses the payback will come slightly later via asynchronous SError
and be considerably more terminal.
Thanks,
Robin.