Re: [RFC PATCH -next V2 5/7] arm64: add get_user to machine check safe

From: Tong Tiangen
Date: Sat Apr 09 2022 - 05:17:50 EST




在 2022/4/8 23:22, Mark Rutland 写道:
On Thu, Apr 07, 2022 at 10:38:04PM +0800, Tong Tiangen wrote:
在 2022/4/6 19:22, Mark Rutland 写道:
On Wed, Apr 06, 2022 at 09:13:09AM +0000, Tong Tiangen wrote:
Add scenarios get_user to machine check safe. The processing of
EX_TYPE_UACCESS_ERR_ZERO and EX_TYPE_UACCESS_ERR_ZERO_UCE_RECOVERY is same
and both return -EFAULT.

Which uaccess cases do we expect to *not* be recoverable?

Naively I would assume that if we're going to treat a memory error on a uaccess
as fatal to userspace we should be able to do that for *any* uacesses.

The commit message should explain why we need the distinction between a
recoverable uaccess and a non-recoverable uaccess.

Thanks,
Mark.

Currently, any memory error consumed in kernel mode will lead to panic
(do_sea()).

My idea is that not all memory errors consumed in kernel mode are fatal,
such as copy_ from_ user/get_ user is a memory error consumed when
reading user data in the process context. In this case, we can not let the
kernel panic, just kill the process without affecting the operation
of the system.

I understood this part.

However, not all uaccess can be recovered without affecting the normal
operation of the system. The key is not whether it is uaccess, but whether
there are key data affecting the normal operation of the system in the read
page.

Ok. Can you give an example of such a case where the a uaccess that hits
a memory error must be fatal?

I think you might be trying to say that for copy_{to,from}_user() we can
make that judgement, but those are combined user+kernel access
primitives, and the *uaccess* part should never be reading from a page
with "key data affecting the normal operation of the system", since
that's userspace memory.

Is there any *userspace access* (e.g. where we use LDTR/STTR today)
where we must treat a memory error as fatal to the system?

Thanks,
Mark.
.

I seem to understand what you mean.
Take copy_to_user()/put_user() as an example. If it encounters memory error, only related processes will be affected. According to this understanding, it seems that all uaccess can be recovered.

Thanks,
Tong.