Re: [PATCH] x86/uaccess: Implement get_kernel()

From: Ingo Molnar
Date: Fri Apr 10 2015 - 14:04:37 EST



* Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:

> On Fri, Apr 10, 2015 at 4:14 AM, Ingo Molnar <mingo@xxxxxxxxxx> wrote:
> >
> >>
> >> The next patch will implement efficient
> >> __copy_from_kernel_inatomic() for x86.
> >
> > The patch below does that. Note, for simplicity I've changed the
> > interface to 'get_kernel()' (will propagate this through the other
> > patches as well).
>
> So I think this needs a couple of changes:
>
> - That "get_kernel()" name is not clear enough about what the issue
> is. I think it should make it clearer that it's an unsafe access
> that could fault, and that we don't want a user access.
>
> So maybe "get_kernel_stalepointer()" or something like that.

Ok.

> - you're just re-implementing "__get_user_asm_ex()" afaik. Try to
> share the code, renaming it to be something common.

Ok, will try that.

> - I think we should look at sharing the code for __get_user(). Could
> we do something like this:
>
> (a) implement the basic "load with exceptions" as __get_with_exception()
> (b) #define get_kernel_stalepointer() __get_with_exception
> (c) make "__get_user()" be "stac(); __get_with_exception(); clac()"

Will try.

The only possible complication there might be the way we don't recover
the error code in the _ex() variants, that's actually a pretty
important aspect to making this zero cost. Since the error code comes
back from assembly code in some cases we cannot make it go away in the
_ex() case. So I'm not sure we can share code between _ex() and the
normal methods - but we can certainly share with the _ex() variants.

> - finally, I wonder what the exact semantics of
> "get_kernel_stalepointer()" should be. I could well imagine that
> what we should do is
>
> #ifdef CONFIG_DEBUG_PAGEALLOC
> #define get_kernel_stalepointer(x,ptr) ((x)=READ_ONCE(*(ptr)), 0)
> #else
> #define get_kernel_stalepointer(x,ptr) __get_with_exception(x,ptr)
> #endif

I guess you meant that to be the other way around?

> because I think it's reasonable to require that the kernel pointer
> is _stale_, and not "invalid". [...]

Absolutely, and I think this is a hard requirement: we don't (ever)
want to dereference random addresses, due to possible mmio side
effects.

> [...] IOW, guarantee that it *has* been a kernel pointer, and that
> the only reason it would trap is for DEBUG_PAGEALLOC.

Yes.

> That last point might need to be verified with hotplug memory. I
> think hotplug memory does a stop_machine() or similar, but I'm not
> sure.

So memory hotplug does it in a pretty simple fashion IIRC: only such
zones are movable and hot-unpluggable which don't contain
kmalloc()-able of gfp()-able memory - they are limited purpose memory
pools only usable for user pages and the page cache.

So stale pointers should never point to hot-unpluggable memory.

Thanks,

Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/