Message ID | 20230912103334.2074140-1-zhaoyang.huang@unisoc.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:9ecd:0:b0:3f2:4152:657d with SMTP id t13csp318840vqx; Tue, 12 Sep 2023 03:53:31 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHEL3jAflFh+cjpw03h+S9TGiX6Cv6nDU+IowVa3kwbYqALcrWHzuH82cxbY5e6azE3wTB0 X-Received: by 2002:a17:903:245:b0:1c3:749f:6a5c with SMTP id j5-20020a170903024500b001c3749f6a5cmr13495240plh.12.1694516011439; Tue, 12 Sep 2023 03:53:31 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1694516011; cv=none; d=google.com; s=arc-20160816; b=wiPT7zDaYXPCqhhXkz7ZMVlMomhVsnd0WVnNT4KVlC7j2fyCgMvY4Yjva6LJoSdNma ziVoiw3NnX1WXAPKUTTDfM31fQU3RsCmZntMcun4f7uiYXGKhfrmfyVoG45pcXklrxcF sadf1Objte9uDcRpfXyEv7Z9VvJ9KKMtSDDvgAS8qsuOxXP73SYIveCFCE8QOABmNdIc nDtOpWawGOZmrfw2XZuYrW+G4WxSgBdBVqV9n4Mo+L94uZfnB0BNL3rfx7JFTG5rdnRA kHtPkyihleSFrzRfk4FiyIPmyXNcEUSMK0TOmcrDvbldDMt2Th+JB7+3yoaA+zrMWGHO KRdw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:to:from; bh=pXTSdbv+8PV/+NU8fLNL59xCumP/grr80RerYO7KEzg=; fh=fwZrSYR8klR3xSdGMINZnPtOQdWYitzcbA6tRPdImkE=; b=Hp0Y8wMcqeEyxTzfnFwNvUhHMAUgfWs5P3q6maU/+yFGoeLb2ZaJNbvLJtrVgwPfFp Kq8fPWlarduEZRA/mEuuIrwOj+RdDqFbA7SiB8n4M1ysUKQHu3uoLVmY0MtC5zNv4QkF jQrX6f40TgSRd7WkyDs8sBjweIqx1Nn16khBVOJm0iwU3KUTxwShz4xvuOzwz4yZfPlW 60QcT7QoGyWXVpegPtixPC4JdoexGirbCOLNCgHtAiUqUN0kpwC5jMWBYldNYEIM6Oe/ AzSXfy3nThBs73xCrarrgd/Va0WAUhg4HbRluST0ppPwAcsc2/LrbhufTri/tAiYtjj1 U0VQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from fry.vger.email (fry.vger.email. [23.128.96.38]) by mx.google.com with ESMTPS id u18-20020a17090341d200b001b67bdc438csi5272268ple.376.2023.09.12.03.53.26 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 12 Sep 2023 03:53:31 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) client-ip=23.128.96.38; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by fry.vger.email (Postfix) with ESMTP id 3786F81C0C83; Tue, 12 Sep 2023 03:44:32 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at fry.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234302AbjILKoK (ORCPT <rfc822;pwkd43@gmail.com> + 37 others); Tue, 12 Sep 2023 06:44:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:50020 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234198AbjILKoH (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Tue, 12 Sep 2023 06:44:07 -0400 Received: from SHSQR01.spreadtrum.com (mx1.unisoc.com [222.66.158.135]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 691D61FEF for <linux-kernel@vger.kernel.org>; Tue, 12 Sep 2023 03:33:52 -0700 (PDT) Received: from dlp.unisoc.com ([10.29.3.86]) by SHSQR01.spreadtrum.com with ESMTP id 38CAXdTP037668; Tue, 12 Sep 2023 18:33:39 +0800 (+08) (envelope-from zhaoyang.huang@unisoc.com) Received: from SHDLP.spreadtrum.com (bjmbx01.spreadtrum.com [10.0.64.7]) by dlp.unisoc.com (SkyGuard) with ESMTPS id 4RlKbw5wGxz2RsNTk; Tue, 12 Sep 2023 18:30:36 +0800 (CST) Received: from bj03382pcu01.spreadtrum.com (10.0.73.40) by BJMBX01.spreadtrum.com (10.0.64.7) with Microsoft SMTP Server (TLS) id 15.0.1497.23; Tue, 12 Sep 2023 18:33:37 +0800 From: "zhaoyang.huang" <zhaoyang.huang@unisoc.com> To: Russell King <linux@armlinux.org.uk>, Andrew Morton <akpm@linux-foundation.org>, Mike Rapoport <rppt@kernel.org>, Matthew Wilcox <willy@infradead.org>, <linux-mm@kvack.org>, <linux-arm-kernel@lists.infradead.org>, <linux-kernel@vger.kernel.org>, Zhaoyang Huang <huangzhaoyang@gmail.com>, <ke.wang@unisoc.com> Subject: [PATCH] arch: arm: remove redundant clear_page when CONFIG_INIT_ON_ALLOC_DEFAULT_ON is on Date: Tue, 12 Sep 2023 18:33:34 +0800 Message-ID: <20230912103334.2074140-1-zhaoyang.huang@unisoc.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [10.0.73.40] X-ClientProxiedBy: SHCAS03.spreadtrum.com (10.0.1.207) To BJMBX01.spreadtrum.com (10.0.64.7) X-MAIL: SHSQR01.spreadtrum.com 38CAXdTP037668 Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Tue, 12 Sep 2023 03:44:32 -0700 (PDT) X-Spam-Status: No, score=-0.8 required=5.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1776828820848385282 X-GMAIL-MSGID: 1776828820848385282 |
Series |
arch: arm: remove redundant clear_page when CONFIG_INIT_ON_ALLOC_DEFAULT_ON is on
|
|
Commit Message
zhaoyang.huang
Sept. 12, 2023, 10:33 a.m. UTC
From: Zhaoyang Huang <zhaoyang.huang@unisoc.com> Double times of clear_page observed in an arm SOC(A55) when CONFIG_INIT_ON_ALLOC_DEFAULT_ON is on, which introduced by vma_alloc_zeroed_movable_folio within do_anonymous_pages. Since there is no D-cache operation within v6's clear_user_highpage, I would like to suggest to remove the redundant clear_page. struct folio *vma_alloc_zeroed_movable_folio(struct vm_area_struct *vma, unsigned long vaddr) { struct folio *folio; //first clear_page invoked by vma_alloc_folio==>alloc_page==>post_alloc_hook folio = vma_alloc_folio(GFP_HIGHUSER_MOVABLE, 0, vma, vaddr, false); if (folio) //second clear_page which is meaningless since it do nothing to D-cache in armv6 clear_user_highpage(&folio->page, vaddr); return folio; } Signed-off-by: Zhaoyang Huang <zhaoyang.huang@unisoc.com> --- arch/arm/mm/copypage-v6.c | 8 ++++++++ 1 file changed, 8 insertions(+)
Comments
On Tue, Sep 12, 2023 at 06:33:34PM +0800, zhaoyang.huang wrote: > From: Zhaoyang Huang <zhaoyang.huang@unisoc.com> > > Double times of clear_page observed in an arm SOC(A55) when > CONFIG_INIT_ON_ALLOC_DEFAULT_ON is on, which introduced by > vma_alloc_zeroed_movable_folio within do_anonymous_pages. > Since there is no D-cache operation within v6's clear_user_highpage, > I would like to suggest to remove the redundant clear_page. > > struct folio *vma_alloc_zeroed_movable_folio(struct vm_area_struct *vma, > unsigned long vaddr) > { > struct folio *folio; > > //first clear_page invoked by vma_alloc_folio==>alloc_page==>post_alloc_hook > folio = vma_alloc_folio(GFP_HIGHUSER_MOVABLE, 0, vma, vaddr, false); > if (folio) > //second clear_page which is meaningless since it do nothing to D-cache in armv6 > clear_user_highpage(&folio->page, vaddr); This is, of course, not the only place which calls clear_user_highpage(). Please explain why this patch is safe for all the _other_ places which call clear_user_highpage(). > return folio; > } > > Signed-off-by: Zhaoyang Huang <zhaoyang.huang@unisoc.com> > --- > arch/arm/mm/copypage-v6.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/arch/arm/mm/copypage-v6.c b/arch/arm/mm/copypage-v6.c > index a1a71f36d850..6f8bee1b3203 100644 > --- a/arch/arm/mm/copypage-v6.c > +++ b/arch/arm/mm/copypage-v6.c > @@ -9,6 +9,7 @@ > #include <linux/mm.h> > #include <linux/highmem.h> > #include <linux/pagemap.h> > +#include <linux/gfp.h> > > #include <asm/shmparam.h> > #include <asm/tlbflush.h> > @@ -45,6 +46,13 @@ static void v6_copy_user_highpage_nonaliasing(struct page *to, > */ > static void v6_clear_user_highpage_nonaliasing(struct page *page, unsigned long vaddr) > { > + /* > + * This criteria only help bailing out when CONFIG_INIT_ON_ALLOC_DEFAULT_ON > + * is on. The page has been memset to zero when it allocated and the > + * bellowing clear_page will do it again. > + */ > + if (want_init_on_alloc(GFP_HIGHUSER_MOVABLE)) > + return; > void *kaddr = kmap_atomic(page); > clear_page(kaddr); > kunmap_atomic(kaddr); > -- > 2.25.1 >
On Tue, Sep 12, 2023 at 8:18 PM Matthew Wilcox <willy@infradead.org> wrote: > > On Tue, Sep 12, 2023 at 06:33:34PM +0800, zhaoyang.huang wrote: > > From: Zhaoyang Huang <zhaoyang.huang@unisoc.com> > > > > Double times of clear_page observed in an arm SOC(A55) when > > CONFIG_INIT_ON_ALLOC_DEFAULT_ON is on, which introduced by > > vma_alloc_zeroed_movable_folio within do_anonymous_pages. > > Since there is no D-cache operation within v6's clear_user_highpage, > > I would like to suggest to remove the redundant clear_page. > > > > struct folio *vma_alloc_zeroed_movable_folio(struct vm_area_struct *vma, > > unsigned long vaddr) > > { > > struct folio *folio; > > > > //first clear_page invoked by vma_alloc_folio==>alloc_page==>post_alloc_hook > > folio = vma_alloc_folio(GFP_HIGHUSER_MOVABLE, 0, vma, vaddr, false); > > if (folio) > > //second clear_page which is meaningless since it do nothing to D-cache in armv6 > > clear_user_highpage(&folio->page, vaddr); > > This is, of course, not the only place which calls clear_user_highpage(). > Please explain why this patch is safe for all the _other_ places which > call clear_user_highpage(). Here are all positions called clear_user_highpage which are paired with alloc_pages. IMO, it is safe to skip the second clear_page under armv6. drivers/media/v4l2-core/videobuf-dma-sg.c:441: clear_user_highpage(page, vmf->address); fs/dax.c:1612: clear_user_highpage(vmf->cow_page, vmf->address); include/linux/highmem.h:231: clear_user_highpage(&folio->page, vaddr); mm/memory.c:5974: clear_user_highpage(p, addr + i * PAGE_SIZE); mm/memory.c:5982: clear_user_highpage(page + idx, addr); mm/shmem.c:2621: clear_user_highpage(&folio->page, dst_addr); mm/khugepaged.c:796: clear_user_highpage(page, _address); > > > return folio; > > } > > > > Signed-off-by: Zhaoyang Huang <zhaoyang.huang@unisoc.com> > > --- > > arch/arm/mm/copypage-v6.c | 8 ++++++++ > > 1 file changed, 8 insertions(+) > > > > diff --git a/arch/arm/mm/copypage-v6.c b/arch/arm/mm/copypage-v6.c > > index a1a71f36d850..6f8bee1b3203 100644 > > --- a/arch/arm/mm/copypage-v6.c > > +++ b/arch/arm/mm/copypage-v6.c > > @@ -9,6 +9,7 @@ > > #include <linux/mm.h> > > #include <linux/highmem.h> > > #include <linux/pagemap.h> > > +#include <linux/gfp.h> > > > > #include <asm/shmparam.h> > > #include <asm/tlbflush.h> > > @@ -45,6 +46,13 @@ static void v6_copy_user_highpage_nonaliasing(struct page *to, > > */ > > static void v6_clear_user_highpage_nonaliasing(struct page *page, unsigned long vaddr) > > { > > + /* > > + * This criteria only help bailing out when CONFIG_INIT_ON_ALLOC_DEFAULT_ON > > + * is on. The page has been memset to zero when it allocated and the > > + * bellowing clear_page will do it again. > > + */ > > + if (want_init_on_alloc(GFP_HIGHUSER_MOVABLE)) > > + return; > > void *kaddr = kmap_atomic(page); > > clear_page(kaddr); > > kunmap_atomic(kaddr); > > -- > > 2.25.1 > >
On Wed, Sep 13, 2023 at 09:13:14AM +0800, Zhaoyang Huang wrote: > On Tue, Sep 12, 2023 at 8:18 PM Matthew Wilcox <willy@infradead.org> wrote: > > > > On Tue, Sep 12, 2023 at 06:33:34PM +0800, zhaoyang.huang wrote: > > > From: Zhaoyang Huang <zhaoyang.huang@unisoc.com> > > > > > > Double times of clear_page observed in an arm SOC(A55) when > > > CONFIG_INIT_ON_ALLOC_DEFAULT_ON is on, which introduced by > > > vma_alloc_zeroed_movable_folio within do_anonymous_pages. > > > Since there is no D-cache operation within v6's clear_user_highpage, > > > I would like to suggest to remove the redundant clear_page. So if CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not enabled, then what ensures that the page is cleared? > > > > > > struct folio *vma_alloc_zeroed_movable_folio(struct vm_area_struct *vma, > > > unsigned long vaddr) > > > { > > > struct folio *folio; > > > > > > //first clear_page invoked by vma_alloc_folio==>alloc_page==>post_alloc_hook > > > folio = vma_alloc_folio(GFP_HIGHUSER_MOVABLE, 0, vma, vaddr, false); > > > if (folio) > > > //second clear_page which is meaningless since it do nothing to D-cache in armv6 > > > clear_user_highpage(&folio->page, vaddr); If this clear_user_highpage() is removed, how is this code then safe when CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not enabled? > > > > This is, of course, not the only place which calls clear_user_highpage(). > > Please explain why this patch is safe for all the _other_ places which > > call clear_user_highpage(). > Here are all positions called clear_user_highpage which are paired > with alloc_pages. IMO, it is safe to skip the second clear_page under > armv6. No. Looking at, for example, the v4l case... This allocates a page and provides it to userspace. The page is allocated using GFP_USER | __GFP_DMA32. This does not set __GFP_ZERO. If CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not enabled, the page will not be initialised, and thus we will leak any data in that page to userspace. Now, it's not just about whether that configuration symbol is enabled in the kernel configuration - there is a command line argument to consider as well. CONFIG_INIT_ON_ALLOC_DEFAULT_ON can be y, but with init_on_alloc=0 passed to the kernel, if we remove the above clear_user_highpage(), the kernel then becomes unsafe. However, it's more than that. The kernel allocator has no idea that the page will be mapped to userspace, so it can't do the "clear the page at the user cache colour" trick for VIPT aliasing caches, which ensures that we hit cache lines that the user will see. So, I think we would then have to add arch specific cache operations to write-back the zeroing of the kernel mapping, _and_ cache operations to discard any data in the user cache colour. So, essentially, I don't think that _even_ when init_on_alloc is enabled, we can skip calling clear_user_highpage() as that would lead to data exposure to userspace.
On Wed, Sep 13, 2023 at 4:17 PM Russell King (Oracle) <linux@armlinux.org.uk> wrote: > > On Wed, Sep 13, 2023 at 09:13:14AM +0800, Zhaoyang Huang wrote: > > On Tue, Sep 12, 2023 at 8:18 PM Matthew Wilcox <willy@infradead.org> wrote: > > > > > > On Tue, Sep 12, 2023 at 06:33:34PM +0800, zhaoyang.huang wrote: > > > > From: Zhaoyang Huang <zhaoyang.huang@unisoc.com> > > > > > > > > Double times of clear_page observed in an arm SOC(A55) when > > > > CONFIG_INIT_ON_ALLOC_DEFAULT_ON is on, which introduced by > > > > vma_alloc_zeroed_movable_folio within do_anonymous_pages. > > > > Since there is no D-cache operation within v6's clear_user_highpage, > > > > I would like to suggest to remove the redundant clear_page. > > So if CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not enabled, then what ensures > that the page is cleared? > > > > > > > > > struct folio *vma_alloc_zeroed_movable_folio(struct vm_area_struct *vma, > > > > unsigned long vaddr) > > > > { > > > > struct folio *folio; > > > > > > > > //first clear_page invoked by vma_alloc_folio==>alloc_page==>post_alloc_hook > > > > folio = vma_alloc_folio(GFP_HIGHUSER_MOVABLE, 0, vma, vaddr, false); > > > > if (folio) > > > > //second clear_page which is meaningless since it do nothing to D-cache in armv6 > > > > clear_user_highpage(&folio->page, vaddr); > > If this clear_user_highpage() is removed, how is this code then safe when > CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not enabled? when CONFIG_INIT_ON_ALLOC_DEFAULT_ON is off, want_init_on_alloc() will return false and then clear_user_highpage will be called > > > > > > > This is, of course, not the only place which calls clear_user_highpage(). > > > Please explain why this patch is safe for all the _other_ places which > > > call clear_user_highpage(). > > Here are all positions called clear_user_highpage which are paired > > with alloc_pages. IMO, it is safe to skip the second clear_page under > > armv6. > > No. > > Looking at, for example, the v4l case... This allocates a page and > provides it to userspace. The page is allocated using GFP_USER | > __GFP_DMA32. This does not set __GFP_ZERO. If > CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not enabled, the page will not > be initialised, and thus we will leak any data in that page to > userspace. as explained above, clear_user_highpage will be called in this scenario > > Now, it's not just about whether that configuration symbol is enabled > in the kernel configuration - there is a command line argument to > consider as well. CONFIG_INIT_ON_ALLOC_DEFAULT_ON can be y, but with > init_on_alloc=0 passed to the kernel, if we remove the above > clear_user_highpage(), the kernel then becomes unsafe. Both of CONFIG_INIT_ON_ALLOC_DEFAULT_ON and cmdline configuration take effect via the global variable init_on_alloc which is judged within want_init_on_alloc() > > However, it's more than that. The kernel allocator has no idea that the > page will be mapped to userspace, so it can't do the "clear the page at > the user cache colour" trick for VIPT aliasing caches, which ensures > that we hit cache lines that the user will see. So, I think we would > then have to add arch specific cache operations to write-back the > zeroing of the kernel mapping, _and_ cache operations to discard any > data in the user cache colour. ok, do you mean you will update v6's clear_user_highpage from memset to D-cache flush things? > > So, essentially, I don't think that _even_ when init_on_alloc is > enabled, we can skip calling clear_user_highpage() as that would lead > to data exposure to userspace. This patch only suggests making changes on the specific v6 architecture where clear_user_highpage equal to clear_page so far. > > -- > RMK's Patch system: https://www.armlinux.org.uk/developer/patches/ > FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
any further comments, it is arised from a real performance issue observed double times of memset in ARM A55 which should be waste. What this patch suggest is to remove the latter one while ensure the page will be cleared under all scenarios On Wed, Sep 13, 2023 at 4:53 PM Zhaoyang Huang <huangzhaoyang@gmail.com> wrote: > > On Wed, Sep 13, 2023 at 4:17 PM Russell King (Oracle) > <linux@armlinux.org.uk> wrote: > > > > On Wed, Sep 13, 2023 at 09:13:14AM +0800, Zhaoyang Huang wrote: > > > On Tue, Sep 12, 2023 at 8:18 PM Matthew Wilcox <willy@infradead.org> wrote: > > > > > > > > On Tue, Sep 12, 2023 at 06:33:34PM +0800, zhaoyang.huang wrote: > > > > > From: Zhaoyang Huang <zhaoyang.huang@unisoc.com> > > > > > > > > > > Double times of clear_page observed in an arm SOC(A55) when > > > > > CONFIG_INIT_ON_ALLOC_DEFAULT_ON is on, which introduced by > > > > > vma_alloc_zeroed_movable_folio within do_anonymous_pages. > > > > > Since there is no D-cache operation within v6's clear_user_highpage, > > > > > I would like to suggest to remove the redundant clear_page. > > > > So if CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not enabled, then what ensures > > that the page is cleared? > > > > > > > > > > > > > struct folio *vma_alloc_zeroed_movable_folio(struct vm_area_struct *vma, > > > > > unsigned long vaddr) > > > > > { > > > > > struct folio *folio; > > > > > > > > > > //first clear_page invoked by vma_alloc_folio==>alloc_page==>post_alloc_hook > > > > > folio = vma_alloc_folio(GFP_HIGHUSER_MOVABLE, 0, vma, vaddr, false); > > > > > if (folio) > > > > > //second clear_page which is meaningless since it do nothing to D-cache in armv6 > > > > > clear_user_highpage(&folio->page, vaddr); > > > > If this clear_user_highpage() is removed, how is this code then safe when > > CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not enabled? > when CONFIG_INIT_ON_ALLOC_DEFAULT_ON is off, want_init_on_alloc() will > return false and then clear_user_highpage will be called > > > > > > > > > > This is, of course, not the only place which calls clear_user_highpage(). > > > > Please explain why this patch is safe for all the _other_ places which > > > > call clear_user_highpage(). > > > Here are all positions called clear_user_highpage which are paired > > > with alloc_pages. IMO, it is safe to skip the second clear_page under > > > armv6. > > > > No. > > > > Looking at, for example, the v4l case... This allocates a page and > > provides it to userspace. The page is allocated using GFP_USER | > > __GFP_DMA32. This does not set __GFP_ZERO. If > > CONFIG_INIT_ON_ALLOC_DEFAULT_ON is not enabled, the page will not > > be initialised, and thus we will leak any data in that page to > > userspace. > as explained above, clear_user_highpage will be called in this scenario > > > > Now, it's not just about whether that configuration symbol is enabled > > in the kernel configuration - there is a command line argument to > > consider as well. CONFIG_INIT_ON_ALLOC_DEFAULT_ON can be y, but with > > init_on_alloc=0 passed to the kernel, if we remove the above > > clear_user_highpage(), the kernel then becomes unsafe. > Both of CONFIG_INIT_ON_ALLOC_DEFAULT_ON and cmdline configuration take > effect via the global variable init_on_alloc which is judged within > want_init_on_alloc() > > > > However, it's more than that. The kernel allocator has no idea that the > > page will be mapped to userspace, so it can't do the "clear the page at > > the user cache colour" trick for VIPT aliasing caches, which ensures > > that we hit cache lines that the user will see. So, I think we would > > then have to add arch specific cache operations to write-back the > > zeroing of the kernel mapping, _and_ cache operations to discard any > > data in the user cache colour. > ok, do you mean you will update v6's clear_user_highpage from memset > to D-cache flush things? > > > > So, essentially, I don't think that _even_ when init_on_alloc is > > enabled, we can skip calling clear_user_highpage() as that would lead > > to data exposure to userspace. > This patch only suggests making changes on the specific v6 > architecture where clear_user_highpage equal to clear_page so far. > > > > -- > > RMK's Patch system: https://www.armlinux.org.uk/developer/patches/ > > FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
diff --git a/arch/arm/mm/copypage-v6.c b/arch/arm/mm/copypage-v6.c index a1a71f36d850..6f8bee1b3203 100644 --- a/arch/arm/mm/copypage-v6.c +++ b/arch/arm/mm/copypage-v6.c @@ -9,6 +9,7 @@ #include <linux/mm.h> #include <linux/highmem.h> #include <linux/pagemap.h> +#include <linux/gfp.h> #include <asm/shmparam.h> #include <asm/tlbflush.h> @@ -45,6 +46,13 @@ static void v6_copy_user_highpage_nonaliasing(struct page *to, */ static void v6_clear_user_highpage_nonaliasing(struct page *page, unsigned long vaddr) { + /* + * This criteria only help bailing out when CONFIG_INIT_ON_ALLOC_DEFAULT_ON + * is on. The page has been memset to zero when it allocated and the + * bellowing clear_page will do it again. + */ + if (want_init_on_alloc(GFP_HIGHUSER_MOVABLE)) + return; void *kaddr = kmap_atomic(page); clear_page(kaddr); kunmap_atomic(kaddr);