From patchwork Tue Mar 14 11:50:27 2023
X-Patchwork-Submitter: Mark Rutland
X-Patchwork-Id: 69527
From: Mark Rutland
To: linux-arm-kernel@lists.infradead.org
Cc: catalin.marinas@arm.com, linux-kernel@vger.kernel.org, mark.rutland@arm.com, robin.murphy@arm.com, viro@zeniv.linux.org.uk, will@kernel.org
Subject: [PATCH 1/4] lib: test copy_{to,from}_user()
Date: Tue, 14 Mar 2023 11:50:27 +0000
Message-Id: <20230314115030.347976-2-mark.rutland@arm.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20230314115030.347976-1-mark.rutland@arm.com>
References: <20230314115030.347976-1-mark.rutland@arm.com>
Historically, implementations of raw_copy_{to,from}_user() haven't correctly handled the requirements laid forth in <linux/uaccess.h>, e.g. as Al spotted on arm64:

  https://lore.kernel.org/all/YNSyZaZtPTmTa5P8@zeniv-ca.linux.org.uk/

Similarly, we've had other issues where incorrect fault handling logic led to memory corruption, e.g.

  https://lore.kernel.org/linux-arm-kernel/Y44gVm7IEMXqilef@FVFF77S0Q05N.cambridge.arm.com/

These issues are easy to introduce and hard to spot, as we don't have any systematic tests for the faulting paths.

This patch adds KUnit tests for raw_copy_{to,from}_user() which systematically test the faulting paths, allowing us to detect and avoid problems such as those above. The test checks copy sizes of 0 to 128 bytes at every possible alignment relative to a page boundary, to exhaustively check all potential faulting and success paths.

I've given this a spin on a few architectures using the KUnit QEMU harness, and it looks like most get *something* wrong. From those initial runs:

* arm64's copy_to_user() under-reports the number of bytes copied in some cases, e.g.

| post-destination bytes modified (dst_page[4082]=0x1, offset=4081, size=16, ret=15)

* arm's copy_to_user() under-reports the number of bytes copied in some cases, and both copy_to_user() and copy_from_user() don't guarantee that at least a single byte is copied when a partial copy is possible, e.g.
| post-destination bytes modified (dst_page[4068]=0x1, offset=4067, size=33, ret=32)
| too few bytes consumed (offset=4068, size=32, ret=32)

* i386's copy_from_user() does not guarantee that at least a single byte is copied when a partial copy is possible, e.g.

| too few bytes consumed (offset=4093, size=8, ret=8)

* riscv's copy_to_user() and copy_from_user() don't guarantee that at least a single byte is copied when a partial copy is possible, e.g.

| too few bytes consumed (offset=4095, size=2, ret=2)

* s390 passes all tests

* sparc's copy_from_user() over-reports the number of bytes copied in some cases, e.g.

| copied bytes incorrect (dst_page[0+0]=0x0, src_page[4095+0]=0xff, offset=4095, size=2, ret=1

* x86_64 passes all tests

Signed-off-by: Mark Rutland
Cc: Al Viro
Cc: Catalin Marinas
Cc: Robin Murphy
Cc: Will Deacon
---
 lib/Kconfig.debug    |   9 +
 lib/Makefile         |   1 +
 lib/usercopy_kunit.c | 445 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 455 insertions(+)
 create mode 100644 lib/usercopy_kunit.c

diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index c8b379e2e9ad..bd737db4ef06 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -2647,6 +2647,15 @@ config SIPHASH_KUNIT_TEST
 	  This is intended to help people writing architecture-specific
 	  optimized versions.  If unsure, say N.
 
+config USERCOPY_KUNIT_TEST
+	bool "KUnit tests for usercopy functions" if !KUNIT_ALL_TESTS
+	depends on KUNIT=y
+	default KUNIT_ALL_TESTS
+	help
+	  Tests for faulting behaviour of copy_{to,from}_user().
+
+	  If unsure, say N.
+
 config TEST_UDELAY
 	tristate "udelay test driver"
 	help

diff --git a/lib/Makefile b/lib/Makefile
index baf2821f7a00..37fb438e6c43 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -391,6 +391,7 @@ CFLAGS_fortify_kunit.o += $(DISABLE_STRUCTLEAK_PLUGIN)
 obj-$(CONFIG_FORTIFY_KUNIT_TEST) += fortify_kunit.o
 obj-$(CONFIG_STRSCPY_KUNIT_TEST) += strscpy_kunit.o
 obj-$(CONFIG_SIPHASH_KUNIT_TEST) += siphash_kunit.o
+obj-$(CONFIG_USERCOPY_KUNIT_TEST) += usercopy_kunit.o
 
 obj-$(CONFIG_GENERIC_LIB_DEVMEM_IS_ALLOWED) += devmem_is_allowed.o

diff --git a/lib/usercopy_kunit.c b/lib/usercopy_kunit.c
new file mode 100644
index 000000000000..0c73177b6ce5
--- /dev/null
+++ b/lib/usercopy_kunit.c
@@ -0,0 +1,445 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Test cases for usercopy faulting behaviour
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define UBUF_ADDR_BASE	SZ_2M
+
+struct usercopy_env {
+	struct mm_struct	*mm;
+	void			*kbuf;
+	struct page		*ubuf_page;
+	void			*ubuf;
+};
+
+struct usercopy_params {
+	long			offset;
+	unsigned long		size;
+};
+
+static void *usercopy_env_alloc(void)
+{
+	struct usercopy_env *env = kzalloc(sizeof(*env), GFP_KERNEL);
+	if (!env)
+		return NULL;
+
+	env->kbuf = vmalloc(PAGE_SIZE);
+	if (!env->kbuf)
+		goto out_free_env;
+
+	return env;
+
+out_free_env:
+	kfree(env);
+	return NULL;
+}
+
+static void usercopy_env_free(struct usercopy_env *env)
+{
+	vfree(env->kbuf);
+	kfree(env);
+}
+
+static void *usercopy_mm_alloc(struct usercopy_env *env)
+{
+	struct mm_struct *mm;
+	struct vm_area_struct *vma;
+
+	mm = mm_alloc();
+	if (!mm)
+		return NULL;
+
+	if (mmap_write_lock_killable(mm))
+		goto out_free;
+
+	vma = vm_area_alloc(mm);
+	if (!vma)
+		goto out_unlock;
+
+	vma_set_anonymous(vma);
+	vma->vm_start = UBUF_ADDR_BASE;
+	vma->vm_end = UBUF_ADDR_BASE + PAGE_SIZE;
+	vm_flags_init(vma, VM_READ | VM_MAYREAD | VM_WRITE | VM_MAYWRITE);
+	vma->vm_page_prot =
+		vm_get_page_prot(vma->vm_flags);
+
+	if (insert_vm_struct(mm, vma))
+		goto out_free_vma;
+
+	mmap_write_unlock(mm);
+	return mm;
+
+out_free_vma:
+	vm_area_free(vma);
+out_unlock:
+	mmap_write_unlock(mm);
+out_free:
+	mmput(mm);
+	return NULL;
+}
+
+static void usercopy_mm_free(struct mm_struct *mm)
+{
+	mmput(mm);
+}
+
+static struct page *usercopy_ubuf_pin(struct usercopy_env *env)
+{
+	struct page *p = NULL;
+
+	kthread_use_mm(env->mm);
+	pin_user_pages_unlocked(UBUF_ADDR_BASE, 1, &p, FOLL_LONGTERM);
+	kthread_unuse_mm(env->mm);
+
+	return p;
+}
+
+static void usercopy_ubuf_unpin(struct usercopy_env *env)
+{
+	unpin_user_page(env->ubuf_page);
+}
+
+static int usercopy_test_init(struct kunit *test)
+{
+	struct usercopy_env *env;
+
+	env = usercopy_env_alloc();
+	if (!env)
+		return -ENOMEM;
+
+	env->mm = usercopy_mm_alloc(env);
+	if (!env->mm)
+		goto out_free_env;
+
+	env->ubuf_page = usercopy_ubuf_pin(env);
+	if (!env->ubuf_page)
+		goto out_free_mm;
+
+	env->ubuf = kmap(env->ubuf_page);
+	if (!env->ubuf)
+		goto out_unpin_ubuf;
+
+	test->priv = env;
+
+	return 0;
+
+out_unpin_ubuf:
+	usercopy_ubuf_unpin(env);
+out_free_mm:
+	usercopy_mm_free(env->mm);
+out_free_env:
+	usercopy_env_free(env);
+	return -ENOMEM;
+}
+
+void usercopy_test_exit(struct kunit *test)
+{
+	struct usercopy_env *env = test->priv;
+
+	kunmap(env->ubuf);
+
+	usercopy_ubuf_unpin(env);
+	usercopy_mm_free(env->mm);
+	usercopy_env_free(env);
+}
+
+static char buf_pattern(int offset)
+{
+	return offset & 0xff;
+}
+
+static void buf_init_pattern(char *buf)
+{
+	for (int i = 0; i < PAGE_SIZE; i++)
+		buf[i] = buf_pattern(i);
+}
+
+static void buf_init_zero(char *buf)
+{
+	memset(buf, 0, PAGE_SIZE);
+}
+
+static void assert_size_valid(struct kunit *test,
+			      const struct usercopy_params *params,
+			      unsigned long ret)
+{
+	const unsigned long size = params->size;
+	const unsigned long offset = params->offset;
+
+	if (ret > size) {
+		KUNIT_ASSERT_FAILURE(test,
+			"return value is impossibly large (ret=%lu,
+			 size=%lu)", ret, size);
+	}
+
+	/*
+	 * When the user buffer starts within a faulting page, no bytes can be
+	 * copied, so ret must equal size.
+	 */
+	if (offset < 0 || offset >= PAGE_SIZE) {
+		if (ret == size)
+			return;
+
+		KUNIT_ASSERT_FAILURE(test,
+			"impossible copy did not fail (offset=%ld, size=%lu, ret=%lu)",
+			offset, size, ret);
+	}
+
+	/*
+	 * When the user buffer fits entirely within a non-faulting page, all
+	 * bytes must be copied, so ret must equal 0.
+	 */
+	if (offset + size <= PAGE_SIZE) {
+		if (ret == 0)
+			return;
+
+		KUNIT_ASSERT_FAILURE(test,
+			"completely possible copy failed (offset=%ld, size=%lu, ret=%lu)",
+			offset, size, ret);
+	}
+
+	/*
+	 * The buffer starts in a non-faulting page, but continues into a
+	 * faulting page. At least one byte must be copied, and at most all the
+	 * non-faulting bytes may be copied.
+	 */
+	if (ret == size) {
+		KUNIT_ASSERT_FAILURE(test,
+			"too few bytes consumed (offset=%ld, size=%lu, ret=%lu)",
+			offset, size, ret);
+	}
+
+	if (ret < (offset + size) - PAGE_SIZE) {
+		KUNIT_ASSERT_FAILURE(test,
+			"too many bytes consumed (offset=%ld, size=%lu, ret=%lu)",
+			offset, size, ret);
+	}
+}
+
+static void assert_src_valid(struct kunit *test,
+			     const struct usercopy_params *params,
+			     const char *src, long src_offset,
+			     unsigned long ret)
+{
+	const unsigned long size = params->size;
+	const unsigned long offset = params->offset;
+
+	/*
+	 * A usercopy MUST NOT modify the source buffer.
+	 */
+	for (int i = 0; i < PAGE_SIZE; i++) {
+		char val = src[i];
+
+		if (val == buf_pattern(i))
+			continue;
+
+		KUNIT_ASSERT_FAILURE(test,
+			"source bytes modified (src[%d]=0x%x, offset=%ld, size=%lu, ret=%lu)",
+			i, val, offset, size, ret);
+	}
+}
+
+static void assert_dst_valid(struct kunit *test,
+			     const struct usercopy_params *params,
+			     const char *dst, long dst_offset,
+			     unsigned long ret)
+{
+	const unsigned long size = params->size;
+	const unsigned long offset = params->offset;
+
+	/*
+	 * A usercopy MUST NOT modify any bytes before the destination buffer.
+	 */
+	for (int i = 0; i < dst_offset; i++) {
+		char val = dst[i];
+
+		if (val == 0)
+			continue;
+
+		KUNIT_ASSERT_FAILURE(test,
+			"pre-destination bytes modified (dst_page[%d]=0x%x, offset=%ld, size=%lu, ret=%lu)",
+			i, val, offset, size, ret);
+	}
+
+	/*
+	 * A usercopy MUST NOT modify any bytes after the end of the destination
+	 * buffer.
+	 */
+	for (int i = dst_offset + size - ret; i < PAGE_SIZE; i++) {
+		char val = dst[i];
+
+		if (val == 0)
+			continue;
+
+		KUNIT_ASSERT_FAILURE(test,
+			"post-destination bytes modified (dst_page[%d]=0x%x, offset=%ld, size=%lu, ret=%lu)",
+			i, val, offset, size, ret);
+	}
+}
+
+static void assert_copy_valid(struct kunit *test,
+			      const struct usercopy_params *params,
+			      const char *dst, long dst_offset,
+			      const char *src, long src_offset,
+			      unsigned long ret)
+{
+	const unsigned long size = params->size;
+	const unsigned long offset = params->offset;
+
+	/*
+	 * Have we actually copied the bytes we expected to?
+	 */
+	for (int i = 0; i < params->size - ret; i++) {
+		char dst_val = dst[dst_offset + i];
+		char src_val = src[src_offset + i];
+
+		if (dst_val == src_val)
+			continue;
+
+		KUNIT_ASSERT_FAILURE(test,
+			"copied bytes incorrect (dst_page[%ld+%d]=0x%x, src_page[%ld+%d]=0x%x, offset=%ld, size=%lu, ret=%lu)",
+			dst_offset, i, dst_val,
+			src_offset, i, src_val,
+			offset, size, ret);
+	}
+}
+
+static unsigned long do_copy_to_user(const struct usercopy_env *env,
+				     const struct usercopy_params *params)
+{
+	void __user *uptr = (void __user *)UBUF_ADDR_BASE + params->offset;
+	void *kptr = env->kbuf;
+	unsigned long ret;
+
+	kthread_use_mm(env->mm);
+	ret = raw_copy_to_user(uptr, kptr, params->size);
+	kthread_unuse_mm(env->mm);
+
+	return ret;
+}
+
+static unsigned long do_copy_from_user(const struct usercopy_env *env,
+				       const struct usercopy_params *params)
+{
+	void __user *uptr = (void __user *)UBUF_ADDR_BASE + params->offset;
+	void *kptr = env->kbuf;
+	unsigned long ret;
+
+	kthread_use_mm(env->mm);
+	ret = raw_copy_from_user(kptr, uptr, params->size);
+	kthread_unuse_mm(env->mm);
+
+	return ret;
+}
+
+/*
+ * Test offsets in the ranges [-size, 0] and [PAGE_SIZE - size, PAGE_SIZE] so
+ * that we check all possible fault boundaries.
+ */
+#define for_each_offset(size, offset)				\
+	for (long offset = -size;				\
+	     offset <= (long)PAGE_SIZE;				\
+	     offset = (offset ?
+		       offset + 1 : (PAGE_SIZE - size)))
+
+static void test_copy_to_user(struct kunit *test)
+{
+	const struct usercopy_env *env = test->priv;
+	const unsigned long size = *(unsigned long *)test->param_value;
+
+	for_each_offset(size, offset) {
+		const struct usercopy_params params = {
+			.size = size,
+			.offset = offset,
+		};
+		unsigned long ret;
+
+		buf_init_zero(env->ubuf);
+		buf_init_pattern(env->kbuf);
+
+		ret = do_copy_to_user(env, &params);
+
+		assert_size_valid(test, &params, ret);
+		assert_src_valid(test, &params, env->kbuf, 0, ret);
+		assert_dst_valid(test, &params, env->ubuf, params.offset, ret);
+		assert_copy_valid(test, &params,
+				  env->ubuf, params.offset,
+				  env->kbuf, 0,
+				  ret);
+	}
+}
+
+static void test_copy_from_user(struct kunit *test)
+{
+	const struct usercopy_env *env = test->priv;
+	const unsigned long size = *(unsigned long *)test->param_value;
+
+	for_each_offset(size, offset) {
+		const struct usercopy_params params = {
+			.size = size,
+			.offset = offset,
+		};
+		unsigned long ret;
+
+		buf_init_zero(env->kbuf);
+		buf_init_pattern(env->ubuf);
+
+		ret = do_copy_from_user(env, &params);
+
+		assert_size_valid(test, &params, ret);
+		assert_src_valid(test, &params, env->ubuf, params.offset, ret);
+		assert_dst_valid(test, &params, env->kbuf, 0, ret);
+		assert_copy_valid(test, &params,
+				  env->kbuf, 0,
+				  env->ubuf, params.offset,
+				  ret);
+	}
+}
+
+static const void *gen_size(const void *prev, char *desc)
+{
+	/*
+	 * Usercopy routines may have special cases for different sized copies,
+	 * so we must test a range of sizes. Most cap out at chunks of up to 64
+	 * bytes, so we check double this to make sure that this works in
+	 * conjunction with any prologue/epilogue copies, and/or when looped.
+	 */
+	const unsigned long max_size = 128;
+	static unsigned long size;
+
+	if (!prev) {
+		size = 0;
+	} else if (size < max_size) {
+		size++;
+	} else {
+		return NULL;
+	}
+
+	sprintf(desc, "%ld byte(s)", size);
+	return &size;
+}
+
+static struct kunit_case usercopy_cases[] = {
+	KUNIT_CASE_PARAM(test_copy_to_user, gen_size),
+	KUNIT_CASE_PARAM(test_copy_from_user, gen_size),
+	{ /* sentinel */ }
+};
+
+static struct kunit_suite usercopy_suite = {
+	.name = "usercopy",
+	.init = usercopy_test_init,
+	.exit = usercopy_test_exit,
+	.test_cases = usercopy_cases,
+};
+kunit_test_suites(&usercopy_suite);
+
+MODULE_AUTHOR("Mark Rutland ");
+MODULE_LICENSE("GPL v2");

From patchwork Tue Mar 14 11:50:28 2023
X-Patchwork-Submitter: Mark Rutland
X-Patchwork-Id: 69546
From: Mark Rutland
To: linux-arm-kernel@lists.infradead.org
Cc: catalin.marinas@arm.com, linux-kernel@vger.kernel.org, mark.rutland@arm.com, robin.murphy@arm.com, viro@zeniv.linux.org.uk, will@kernel.org
Subject: [PATCH 2/4] lib: test clear_user()
Date: Tue, 14 Mar 2023 11:50:28 +0000
Message-Id: <20230314115030.347976-3-mark.rutland@arm.com>
In-Reply-To: <20230314115030.347976-1-mark.rutland@arm.com>
References: <20230314115030.347976-1-mark.rutland@arm.com>

The clear_user() function follows the same conventions as copy_{to,from}_user(), and presumably has identical requirements on the return value. Test it in the same way.

I've given this a spin on a few architectures using the KUnit QEMU harness, and it looks like most get *something* wrong (or I've misunderstood, and clear_user() doesn't have the same requirements as copy_{to,from}_user()). From those initial runs:

* arm, arm64, i386, riscv, x86_64 don't ensure that at least 1 byte is zeroed when a partial zeroing is possible, e.g.

| too few bytes consumed (offset=4095, size=2, ret=2)
| too few bytes consumed (offset=4093, size=4, ret=4)
| too few bytes consumed (offset=4089, size=8, ret=8)

* s390 reports that some bytes have been zeroed even when they haven't, e.g.
| zeroed bytes incorrect (dst_page[4031+64]=0xca, offset=4031, size=66, ret=1

* sparc passes all tests

Signed-off-by: Mark Rutland
Cc: Al Viro
Cc: Catalin Marinas
Cc: Robin Murphy
Cc: Will Deacon
---
 lib/usercopy_kunit.c | 89 ++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 82 insertions(+), 7 deletions(-)

diff --git a/lib/usercopy_kunit.c b/lib/usercopy_kunit.c
index 0c73177b6ce5..8e037e3a46e3 100644
--- a/lib/usercopy_kunit.c
+++ b/lib/usercopy_kunit.c
@@ -152,6 +152,11 @@ void usercopy_test_exit(struct kunit *test)
 	usercopy_env_free(env);
 }
 
+static char buf_zero(int offset)
+{
+	return 0;
+}
+
 static char buf_pattern(int offset)
 {
 	return offset & 0xff;
@@ -227,6 +232,7 @@ static void assert_size_valid(struct kunit *test,
 
 static void assert_src_valid(struct kunit *test,
 			     const struct usercopy_params *params,
+			     char (*buf_expected)(int),
 			     const char *src, long src_offset,
 			     unsigned long ret)
 {
@@ -237,9 +243,10 @@ static void assert_src_valid(struct kunit *test,
 	 * A usercopy MUST NOT modify the source buffer.
 	 */
 	for (int i = 0; i < PAGE_SIZE; i++) {
+		char expected = buf_expected(i);
 		char val = src[i];
 
-		if (val == buf_pattern(i))
+		if (val == expected)
 			continue;
 
 		KUNIT_ASSERT_FAILURE(test,
@@ -250,6 +257,7 @@ static void assert_src_valid(struct kunit *test,
 
 static void assert_dst_valid(struct kunit *test,
 			     const struct usercopy_params *params,
+			     char (*buf_expected)(int),
 			     const char *dst, long dst_offset,
 			     unsigned long ret)
 {
@@ -260,9 +268,10 @@ static void assert_dst_valid(struct kunit *test,
 	 * A usercopy MUST NOT modify any bytes before the destination buffer.
 	 */
 	for (int i = 0; i < dst_offset; i++) {
+		char expected = buf_expected(i);
 		char val = dst[i];
 
-		if (val == 0)
+		if (val == expected)
 			continue;
 
 		KUNIT_ASSERT_FAILURE(test,
@@ -275,9 +284,10 @@ static void assert_dst_valid(struct kunit *test,
 	 * buffer.
 	 */
 	for (int i = dst_offset + size - ret; i < PAGE_SIZE; i++) {
+		char expected = buf_expected(i);
 		char val = dst[i];
 
-		if (val == 0)
+		if (val == expected)
 			continue;
 
 		KUNIT_ASSERT_FAILURE(test,
@@ -313,6 +323,29 @@ static void assert_copy_valid(struct kunit *test,
 	}
 }
 
+static void assert_clear_valid(struct kunit *test,
+			       const struct usercopy_params *params,
+			       const char *dst, long dst_offset,
+			       unsigned long ret)
+{
+	const unsigned long size = params->size;
+	const unsigned long offset = params->offset;
+
+	/*
+	 * Have we actually zeroed the bytes we expected to?
+	 */
+	for (int i = 0; i < params->size - ret; i++) {
+		char dst_val = dst[dst_offset + i];
+
+		if (dst_val == 0)
+			continue;
+
+		KUNIT_ASSERT_FAILURE(test,
+			"zeroed bytes incorrect (dst_page[%ld+%d]=0x%x, offset=%ld, size=%lu, ret=%lu)",
+			dst_offset, i, dst_val,
+			offset, size, ret);
+	}
+}
+
 static unsigned long do_copy_to_user(const struct usercopy_env *env,
 				     const struct usercopy_params *params)
 {
@@ -341,6 +374,19 @@ static unsigned long do_copy_from_user(const struct usercopy_env *env,
 	return ret;
 }
 
+static unsigned long do_clear_user(const struct usercopy_env *env,
+				   const struct usercopy_params *params)
+{
+	void __user *uptr = (void __user *)UBUF_ADDR_BASE + params->offset;
+	unsigned long ret;
+
+	kthread_use_mm(env->mm);
+	ret = clear_user(uptr, params->size);
+	kthread_unuse_mm(env->mm);
+
+	return ret;
+}
+
 /*
  * Test offsets in the ranges [-size, 0] and [PAGE_SIZE - size, PAGE_SIZE] so
  * that we check all possible fault boundaries.
@@ -368,8 +414,10 @@ static void test_copy_to_user(struct kunit *test)
 		ret = do_copy_to_user(env, &params);
 
 		assert_size_valid(test, &params, ret);
-		assert_src_valid(test, &params, env->kbuf, 0, ret);
-		assert_dst_valid(test, &params, env->ubuf, params.offset, ret);
+		assert_src_valid(test, &params, buf_pattern,
+				 env->kbuf, 0, ret);
+		assert_dst_valid(test, &params, buf_zero,
+				 env->ubuf, params.offset, ret);
 		assert_copy_valid(test, &params,
 				  env->ubuf, params.offset,
 				  env->kbuf, 0,
@@ -395,8 +443,10 @@ static void test_copy_from_user(struct kunit *test)
 		ret = do_copy_from_user(env, &params);
 
 		assert_size_valid(test, &params, ret);
-		assert_src_valid(test, &params, env->ubuf, params.offset, ret);
-		assert_dst_valid(test, &params, env->kbuf, 0, ret);
+		assert_src_valid(test, &params, buf_pattern,
+				 env->ubuf, params.offset, ret);
+		assert_dst_valid(test, &params, buf_zero,
+				 env->kbuf, 0, ret);
 		assert_copy_valid(test, &params,
 				  env->kbuf, 0,
 				  env->ubuf, params.offset,
@@ -404,6 +454,30 @@ static void test_copy_from_user(struct kunit *test)
 	}
 }
 
+static void test_clear_user(struct kunit *test)
+{
+	const struct usercopy_env *env = test->priv;
+	const unsigned long size = *(unsigned long *)test->param_value;
+
+	for_each_offset(size, offset) {
+		const struct usercopy_params params = {
+			.size = size,
+			.offset = offset,
+		};
+		unsigned long ret;
+
+		buf_init_pattern(env->ubuf);
+
+		ret = do_clear_user(env, &params);
+
+		assert_size_valid(test, &params, ret);
+		assert_dst_valid(test, &params, buf_pattern,
+				 env->ubuf, params.offset, ret);
+		assert_clear_valid(test, &params,
+				   env->ubuf, params.offset,
+				   ret);
+	}
+}
+
 static const void *gen_size(const void *prev, char *desc)
 {
 	/*
@@ -430,6 +504,7 @@ static const void *gen_size(const void *prev, char *desc)
 static struct kunit_case usercopy_cases[] = {
 	KUNIT_CASE_PARAM(test_copy_to_user, gen_size),
 	KUNIT_CASE_PARAM(test_copy_from_user, gen_size),
+	KUNIT_CASE_PARAM(test_clear_user, gen_size),
 	{ /* sentinel */ }
 };

From patchwork Tue Mar 14 11:50:29 2023
X-Patchwork-Submitter: Mark Rutland
X-Patchwork-Id: 69533
From: Mark Rutland
To: linux-arm-kernel@lists.infradead.org
Cc: catalin.marinas@arm.com, linux-kernel@vger.kernel.org, mark.rutland@arm.com, robin.murphy@arm.com, viro@zeniv.linux.org.uk, will@kernel.org
Subject: [PATCH 3/4] arm64: fix __raw_copy_to_user semantics
Date: Tue, 14 Mar 2023 11:50:29 +0000
Message-Id: <20230314115030.347976-4-mark.rutland@arm.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20230314115030.347976-1-mark.rutland@arm.com>
References:
<20230314115030.347976-1-mark.rutland@arm.com>

For some combinations of sizes and alignments, __{arch,raw}_copy_to_user() will copy some bytes between (to + size - N) and (to + size) (where N is the return value, i.e. the number of bytes reported as not copied), but will never modify bytes past (to + size). This violates the documentation in <linux/uaccess.h>, which states:

> If raw_copy_{to,from}_user(to, from, size) returns N, size - N bytes
> starting at to must become equal to the bytes fetched from the
> corresponding area starting at from. All data past to + size - N must
> be left unmodified.

This can be demonstrated through testing, e.g.

| # test_copy_to_user: EXPECTATION FAILED at lib/usercopy_kunit.c:287
| post-destination bytes modified (dst_page[4082]=0x1, offset=4081, size=16, ret=15)
| [FAILED] 16 byte copy

This happens because __arch_copy_to_user() can make unaligned stores to the userspace buffer, and the ARM architecture permits (but does not require) that such unaligned stores write some bytes before raising a fault (per ARM DDI 0487I.a, Sections B2.2.1 and B2.7.1). The extable fixup handlers in __arch_copy_to_user() assume that any faulting store has failed entirely, and so under-report the number of bytes copied when an unaligned store writes some bytes before faulting.

The only architecturally guaranteed way to avoid this is to use only aligned stores to write to user memory. This patch rewrites __arch_copy_to_user() to access the user buffer with aligned stores only, such that the bytes written can always be determined reliably.
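The accounting problem described above can be modelled in a few lines of C. This is an illustrative sketch, not kernel code: the function names are invented for the example, and `hw_wrote` stands for however many bytes of the faulting unaligned store the CPU happened to complete before raising the fault.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * Illustrative model of the extable fixup accounting. A copy of 'size'
 * bytes faults in a store that begins 'store_off' bytes into the
 * destination buffer.
 */

/* Old scheme: assume the faulting store wrote nothing at all. */
size_t old_fixup_not_copied(size_t size, size_t store_off)
{
	return size - store_off;
}

/*
 * Reality for an unaligned store: the CPU may have architecturally
 * completed 'hw_wrote' (0..7) bytes of it before faulting, so fewer
 * bytes than reported are genuinely untouched.
 */
size_t bytes_actually_unmodified(size_t size, size_t store_off, size_t hw_wrote)
{
	return size - store_off - hw_wrote;
}

/*
 * New scheme: every user store is aligned, so it completes fully or not
 * at all. With 'end' = to + size (kept in x3) and the faulting STTR's
 * static block offset 'off' (the USER_OFF() literal), the
 * bytes-not-copied count is exact.
 */
size_t new_fixup_not_copied(uintptr_t end, uintptr_t dst, size_t off)
{
	return (size_t)(end - dst) - off;
}
```

For example, with size = 16 and a faulting unaligned store at offset 8 of which the hardware completed 7 bytes, the old fixup reports 8 bytes not copied while only 1 byte is genuinely untouched, i.e. bytes inside the reported "uncopied" tail were in fact modified; the same shape of failure the KUnit log above flags.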
For correctness, I've tested this exhaustively for sizes 0 to 128 against every possible alignment relative to a leading and trailing page boundary. I've also boot tested and run a few kernel builds with the new implementation.

For performance, I've benchmarked this on a variety of CPU implementations, and across the board this appears at least as good as (or marginally better than) the current implementation of copy_to_user(). Timing a kernel build indicates the same, though the difference is very close to noise.

We do not have a similar bug in __{arch,raw}_copy_from_user(), as faults taken on loads from user memory do not have side-effects. We do have similar issues in __arch_clear_user(), which will be addressed in a subsequent patch.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Robin Murphy <robin.murphy@arm.com>
Cc: Will Deacon <will@kernel.org>
---
 arch/arm64/lib/copy_to_user.S | 202 +++++++++++++++++++++++++++-------
 1 file changed, 161 insertions(+), 41 deletions(-)

diff --git a/arch/arm64/lib/copy_to_user.S b/arch/arm64/lib/copy_to_user.S index 802231772608..fa603487e857 100644 --- a/arch/arm64/lib/copy_to_user.S +++ b/arch/arm64/lib/copy_to_user.S @@ -9,6 +9,14 @@ #include #include +#define USER_OFF(off, x...) USER(fixup_offset_##off, x) + +#define FIXUP_OFFSET(n) \ +fixup_offset_##n: \ + sub x0, x3, x0; \ + sub x0, x0, n; \ + ret + /* * Copy to user space from a kernel buffer (alignment handled by the hardware) * @@ -18,56 +26,168 @@ * x2 - n * Returns: * x0 - bytes not copied + * + * Unlike a memcpy(), we need to handle faults on user addresses, and we need + * to precisely report the number of bytes (not) copied. We must only use + * aligned single-copy-atomic stores to write to user memory, as stores which + * are not single-copy-atomic (e.g.
unaligned stores, STP, ASIMD stores) can be + split into separate byte accesses (per ARM DDI 0487I.a, Section B2.2.1) and + some arbitrary set of those byte accesses might occur prior to a fault + being raised (per ARM DDI 0487I.a, Section B2.7.1). + * + * We use STTR to write to user memory, which has 1/2/4/8 byte forms, and the + * user address ('to') might have arbitrary alignment, so we must handle + * misalignment up to 8 bytes. */ - .macro ldrb1 reg, ptr, val - ldrb \reg, [\ptr], \val - .endm +SYM_FUNC_START(__arch_copy_to_user) + /* + * The end address. Fixup handlers will use this to calculate + * the number of bytes copied. + */ + add x3, x0, x2 - .macro strb1 reg, ptr, val - user_ldst 9998f, sttrb, \reg, \ptr, \val - .endm + /* + * Tracing of a kernel build indicates that for the vast + * majority of calls to copy_to_user(), 'to' is aligned to 8 + * bytes. When this is the case, we want to skip to the bulk + * copy as soon as possible. + */ + ands x4, x0, 0x7 + b.eq body - .macro ldrh1 reg, ptr, val - ldrh \reg, [\ptr], \val - .endm + /* + * For small unaligned copies, it's not worth trying to be + * optimal. + */ + cmp x2, #8 + b.lo bytewise_loop - .macro strh1 reg, ptr, val - user_ldst 9997f, sttrh, \reg, \ptr, \val - .endm + /* + * Calculate the distance to the next 8-byte boundary.
+ */ + mov x5, #8 + sub x4, x5, x4 - .macro ldr1 reg, ptr, val - ldr \reg, [\ptr], \val - .endm +SYM_INNER_LABEL(head_realign_1b, SYM_L_LOCAL) + tbz x4, #0, head_realign_2b - .macro str1 reg, ptr, val - user_ldst 9997f, sttr, \reg, \ptr, \val - .endm + ldrb w8, [x1], #1 +USER_OFF(0, sttrb w8, [x0]) + add x0, x0, #1 - .macro ldp1 reg1, reg2, ptr, val - ldp \reg1, \reg2, [\ptr], \val - .endm +SYM_INNER_LABEL(head_realign_2b, SYM_L_LOCAL) + tbz x4, #1, head_realign_4b - .macro stp1 reg1, reg2, ptr, val - user_stp 9997f, \reg1, \reg2, \ptr, \val - .endm + ldrh w8, [x1], #2 +USER_OFF(0, sttrh w8, [x0]) + add x0, x0, #2 -end .req x5 -srcin .req x15 -SYM_FUNC_START(__arch_copy_to_user) - add end, x0, x2 - mov srcin, x1 -#include "copy_template.S" - mov x0, #0 - ret +SYM_INNER_LABEL(head_realign_4b, SYM_L_LOCAL) + tbz x4, #2, head_realigned - // Exception fixups -9997: cmp dst, dstin - b.ne 9998f - // Before being absolutely sure we couldn't copy anything, try harder - ldrb tmp1w, [srcin] -USER(9998f, sttrb tmp1w, [dst]) - add dst, dst, #1 -9998: sub x0, end, dst // bytes not copied - ret + ldr w8, [x1], #4 +USER_OFF(0, sttr w8, [x0]) + add x0, x0, #4 + +SYM_INNER_LABEL(head_realigned, SYM_L_LOCAL) + /* + * Any 1-7 byte misalignment has now been fixed; subtract this + * misalignment from the remaining size. 
+ */ + sub x2, x2, x4 + +SYM_INNER_LABEL(body, SYM_L_LOCAL) + cmp x2, #64 + b.lo tail_32b + +SYM_INNER_LABEL(body_64b_loop, SYM_L_LOCAL) + ldp x8, x9, [x1, #0] + ldp x10, x11, [x1, #16] + ldp x12, x13, [x1, #32] + ldp x14, x15, [x1, #48] +USER_OFF(0, sttr x8, [x0, #0]) +USER_OFF(8, sttr x9, [x0, #8]) +USER_OFF(16, sttr x10, [x0, #16]) +USER_OFF(24, sttr x11, [x0, #24]) +USER_OFF(32, sttr x12, [x0, #32]) +USER_OFF(40, sttr x13, [x0, #40]) +USER_OFF(48, sttr x14, [x0, #48]) +USER_OFF(56, sttr x15, [x0, #56]) + add x0, x0, #64 + add x1, x1, #64 + sub x2, x2, #64 + + cmp x2, #64 + b.hs body_64b_loop + +SYM_INNER_LABEL(tail_32b, SYM_L_LOCAL) + tbz x2, #5, tail_16b + + ldp x8, x9, [x1, #0] + ldp x10, x11, [x1, #16] +USER_OFF(0, sttr x8, [x0, #0]) +USER_OFF(8, sttr x9, [x0, #8]) +USER_OFF(16, sttr x10, [x0, #16]) +USER_OFF(24, sttr x11, [x0, #24]) + add x0, x0, #32 + add x1, x1, #32 + +SYM_INNER_LABEL(tail_16b, SYM_L_LOCAL) + tbz x2, #4, tail_8b + + ldp x8, x9, [x1], #16 +USER_OFF(0, sttr x8, [x0, #0]) +USER_OFF(8, sttr x9, [x0, #8]) + add x0, x0, #16 + +SYM_INNER_LABEL(tail_8b, SYM_L_LOCAL) + tbz x2, #3, tail_4b + + ldr x8, [x1], #8 +USER_OFF(0, sttr x8, [x0]) + add x0, x0, #8 + +SYM_INNER_LABEL(tail_4b, SYM_L_LOCAL) + tbz x2, #2, tail_2b + + ldr w8, [x1], #4 +USER_OFF(0, sttr w8, [x0]) + add x0, x0, #4 + +SYM_INNER_LABEL(tail_2b, SYM_L_LOCAL) + tbz x2, #1, tail_1b + + ldrh w8, [x1], #2 +USER_OFF(0, sttrh w8, [x0]) + add x0, x0, #2 + +SYM_INNER_LABEL(tail_1b, SYM_L_LOCAL) + tbz x2, #0, done + + ldrb w8, [x1] +USER_OFF(0, sttrb w8, [x0]) + +SYM_INNER_LABEL(done, SYM_L_LOCAL) + mov x0, xzr + ret + +SYM_INNER_LABEL(bytewise_loop, SYM_L_LOCAL) + cbz x2, done + + ldrb w8, [x1], #1 +USER_OFF(0, sttrb w8, [x0]) + add x0, x0, #1 + sub x2, x2, #1 + + b bytewise_loop + +FIXUP_OFFSET(0) +FIXUP_OFFSET(8) +FIXUP_OFFSET(16) +FIXUP_OFFSET(24) +FIXUP_OFFSET(32) +FIXUP_OFFSET(40) +FIXUP_OFFSET(48) +FIXUP_OFFSET(56) SYM_FUNC_END(__arch_copy_to_user) EXPORT_SYMBOL(__arch_copy_to_user) From 
patchwork Tue Mar 14 11:50:30 2023
From: Mark Rutland <mark.rutland@arm.com>
To: linux-arm-kernel@lists.infradead.org
Cc: catalin.marinas@arm.com, linux-kernel@vger.kernel.org, mark.rutland@arm.com, robin.murphy@arm.com, viro@zeniv.linux.org.uk, will@kernel.org
Subject: [PATCH 4/4] arm64: fix clear_user() semantics
Date: Tue, 14 Mar 2023 11:50:30 +0000
Message-Id: <20230314115030.347976-5-mark.rutland@arm.com>
In-Reply-To: <20230314115030.347976-1-mark.rutland@arm.com>
References:
<20230314115030.347976-1-mark.rutland@arm.com>

Generally, clear_user() is supposed to behave the same way as raw_copy_{to,from}_user(), which per <linux/uaccess.h> requires:

> If raw_copy_{to,from}_user(to, from, size) returns N, size - N bytes
> starting at to must become equal to the bytes fetched from the
> corresponding area starting at from. All data past to + size - N must
> be left unmodified.
>
> If copying succeeds, the return value must be 0. If some data cannot
> be fetched, it is permitted to copy less than had been fetched; the
> only hard requirement is that not storing anything at all (i.e.
> returning size) should happen only when nothing could be copied. In
> other words, you don't have to squeeze as much as possible - it is
> allowed, but not necessary.

Unfortunately, arm64's implementation of clear_user() may fail in cases where some bytes could be written, which can be demonstrated through testing, e.g.

| # test_clear_user: ASSERTION FAILED at lib/usercopy_kunit.c:221
| too few bytes consumed (offset=4095, size=2, ret=2)
| [FAILED] 2 byte(s)

As with __{arch,raw}_copy_to_user(), there are also a number of other potential problems where the use of misaligned accesses could result in under-reporting the number of bytes zeroed. This patch fixes these issues by replacing the current implementation of __arch_clear_user() with one derived from the new __arch_copy_to_user(). This only uses aligned stores to write to user memory, and reliably reports the number of bytes zeroed.
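The contract quoted above can be turned into a checkable predicate. Below is a hypothetical userspace sketch (the POISON value, buffer sizes, and function name are invented for illustration, loosely mirroring what a KUnit test would check): given a buffer pre-filled with a poison byte, a requested size, and the return value ret, the first size - ret bytes must now be zero and every byte past that must be untouched.

```c
#include <stddef.h>

#define POISON 0xAA

/*
 * Check the clear_user() contract against a buffer that was pre-filled
 * with POISON before the call: the first size - ret bytes must be zero,
 * and all bytes from size - ret onwards must be unmodified.
 */
int clear_user_contract_ok(const unsigned char *dst, size_t buflen,
			   size_t size, size_t ret)
{
	size_t cleared = size - ret;
	size_t i;

	for (i = 0; i < cleared; i++)
		if (dst[i] != 0)
			return 0;	/* reported-cleared byte not zeroed */
	for (i = cleared; i < buflen; i++)
		if (dst[i] != POISON)
			return 0;	/* byte past size - ret was modified */
	return 1;
}
```

Note that the second loop catches exactly the failure in the log above: a routine that zeroes some bytes but returns the full size leaves modified bytes beyond the region it claims to have cleared.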
For correctness, I've tested this exhaustively for sizes 0 to 128 against every possible alignment relative to a leading and trailing page boundary. I've also boot tested and run a few kernel builds with the new implementation.

For performance, I've benchmarked reads from /dev/zero and timed kernel builds before and after this patch, and this seems to be at least as good as (or marginally better than) the current implementation, though the difference is very close to noise.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Robin Murphy <robin.murphy@arm.com>
Cc: Will Deacon <will@kernel.org>
---
 arch/arm64/lib/clear_user.S   | 195 +++++++++++++++++++++++++++-------
 arch/arm64/lib/copy_to_user.S |   1 -
 2 files changed, 157 insertions(+), 39 deletions(-)

diff --git a/arch/arm64/lib/clear_user.S b/arch/arm64/lib/clear_user.S index a5a5f5b97b17..f422c05d8435 100644 --- a/arch/arm64/lib/clear_user.S +++ b/arch/arm64/lib/clear_user.S @@ -4,52 +4,171 @@ */ #include + #include +#include + +#define USER_OFF(off, x...) USER(fixup_offset_##off, x) - .text +#define FIXUP_OFFSET(n) \ +fixup_offset_##n: \ + sub x0, x3, x0; \ + sub x0, x0, n; \ + ret -/* Prototype: int __arch_clear_user(void *addr, size_t sz) - * Purpose : clear some user memory - * Params : addr - user memory address to clear - * : sz - number of bytes to clear - * Returns : number of bytes NOT cleared +/* + * Write zeroes to a user space buffer + * + * Parameters: + * x0 - to + * x1 - n + * Returns: + * x0 - bytes not copied * - * Alignment fixed up by hardware. + * Unlike a memset(to, 0, n), we need to handle faults on user addresses, and + * we need to precisely report the number of bytes (not) written. We must only + * use aligned single-copy-atomic stores to write to user memory, as stores + * which are not single-copy-atomic (e.g.
unaligned stores, STP, ASIMD stores) + can be split into separate byte accesses (per ARM DDI 0487I.a, Section + B2.2.1) and some arbitrary set of those byte accesses might occur prior to + a fault being raised (per ARM DDI 0487I.a, Section B2.7.1). + * + * We use STTR to write to user memory, which has 1/2/4/8 byte forms, and the + * user address ('to') might have arbitrary alignment, so we must handle + * misalignment up to 8 bytes. */ - - .p2align 4 - // Alignment is for the loop, but since the prologue (including BTI) - // is also 16 bytes we can keep any padding outside the function SYM_FUNC_START(__arch_clear_user) - add x2, x0, x1 - subs x1, x1, #8 - b.mi 2f -1: -USER(9f, sttr xzr, [x0]) - add x0, x0, #8 - subs x1, x1, #8 - b.hi 1b -USER(9f, sttr xzr, [x2, #-8]) - mov x0, #0 - ret + /* + * The end address. Fixup handlers will use this to calculate + * the number of bytes cleared. + */ + add x3, x0, x1 -2: tbz x1, #2, 3f -USER(9f, sttr wzr, [x0]) -USER(8f, sttr wzr, [x2, #-4]) - mov x0, #0 - ret + /* + * Tracing of a kernel build indicates that for the vast + * majority of calls to copy_to_user(), 'to' is aligned to 8 + * bytes. When this is the case, we want to skip to the bulk + * copy as soon as possible. + */ + ands x4, x0, 0x7 + b.eq body -3: tbz x1, #1, 4f -USER(9f, sttrh wzr, [x0]) -4: tbz x1, #0, 5f -USER(7f, sttrb wzr, [x2, #-1]) -5: mov x0, #0 - ret + /* + * For small unaligned copies, it's not worth trying to be + * optimal. + */ + cmp x1, #8 + b.lo bytewise_loop - // Exception fixups -7: sub x0, x2, #5 // Adjust for faulting on the final byte... -8: add x0, x0, #4 // ...or the second word of the 4-7 byte case -9: sub x0, x2, x0 - ret + /* + * Calculate the distance to the next 8-byte boundary.
+ */ + mov x5, #8 + sub x4, x5, x4 + +SYM_INNER_LABEL(head_realign_1b, SYM_L_LOCAL) + tbz x4, #0, head_realign_2b + +USER_OFF(0, sttrb wzr, [x0]) + add x0, x0, #1 + +SYM_INNER_LABEL(head_realign_2b, SYM_L_LOCAL) + tbz x4, #1, head_realign_4b + +USER_OFF(0, sttrh wzr, [x0]) + add x0, x0, #2 + +SYM_INNER_LABEL(head_realign_4b, SYM_L_LOCAL) + tbz x4, #2, head_realigned + +USER_OFF(0, sttr wzr, [x0]) + add x0, x0, #4 + +SYM_INNER_LABEL(head_realigned, SYM_L_LOCAL) + /* + * Any 1-7 byte misalignment has now been fixed; subtract this + * misalignment from the remaining size. + */ + sub x1, x1, x4 + +SYM_INNER_LABEL(body, SYM_L_LOCAL) + cmp x1, #64 + b.lo tail_32b + +SYM_INNER_LABEL(body_64b_loop, SYM_L_LOCAL) +USER_OFF(0, sttr xzr, [x0, #0]) +USER_OFF(8, sttr xzr, [x0, #8]) +USER_OFF(16, sttr xzr, [x0, #16]) +USER_OFF(24, sttr xzr, [x0, #24]) +USER_OFF(32, sttr xzr, [x0, #32]) +USER_OFF(40, sttr xzr, [x0, #40]) +USER_OFF(48, sttr xzr, [x0, #48]) +USER_OFF(56, sttr xzr, [x0, #56]) + add x0, x0, #64 + sub x1, x1, #64 + + cmp x1, #64 + b.hs body_64b_loop + +SYM_INNER_LABEL(tail_32b, SYM_L_LOCAL) + tbz x1, #5, tail_16b + +USER_OFF(0, sttr xzr, [x0, #0]) +USER_OFF(8, sttr xzr, [x0, #8]) +USER_OFF(16, sttr xzr, [x0, #16]) +USER_OFF(24, sttr xzr, [x0, #24]) + add x0, x0, #32 + +SYM_INNER_LABEL(tail_16b, SYM_L_LOCAL) + tbz x1, #4, tail_8b + +USER_OFF(0, sttr xzr, [x0, #0]) +USER_OFF(8, sttr xzr, [x0, #8]) + add x0, x0, #16 + +SYM_INNER_LABEL(tail_8b, SYM_L_LOCAL) + tbz x1, #3, tail_4b + +USER_OFF(0, sttr xzr, [x0]) + add x0, x0, #8 + +SYM_INNER_LABEL(tail_4b, SYM_L_LOCAL) + tbz x1, #2, tail_2b + +USER_OFF(0, sttr wzr, [x0]) + add x0, x0, #4 + +SYM_INNER_LABEL(tail_2b, SYM_L_LOCAL) + tbz x1, #1, tail_1b + +USER_OFF(0, sttrh wzr, [x0]) + add x0, x0, #2 + +SYM_INNER_LABEL(tail_1b, SYM_L_LOCAL) + tbz x1, #0, done + +USER_OFF(0, sttrb wzr, [x0]) + +SYM_INNER_LABEL(done, SYM_L_LOCAL) + mov x0, xzr + ret + +SYM_INNER_LABEL(bytewise_loop, SYM_L_LOCAL) + cbz x1, done + +USER_OFF(0, sttrb 
wzr, [x0]) + add x0, x0, #1 + sub x1, x1, #1 + + b bytewise_loop + +FIXUP_OFFSET(0) +FIXUP_OFFSET(8) +FIXUP_OFFSET(16) +FIXUP_OFFSET(24) +FIXUP_OFFSET(32) +FIXUP_OFFSET(40) +FIXUP_OFFSET(48) +FIXUP_OFFSET(56) SYM_FUNC_END(__arch_clear_user) EXPORT_SYMBOL(__arch_clear_user) diff --git a/arch/arm64/lib/copy_to_user.S b/arch/arm64/lib/copy_to_user.S index fa603487e857..9eab9ec6c71e 100644 --- a/arch/arm64/lib/copy_to_user.S +++ b/arch/arm64/lib/copy_to_user.S @@ -7,7 +7,6 @@ #include #include -#include #define USER_OFF(off, x...) USER(fixup_offset_##off, x)
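The exhaustive testing described in both commit messages (sizes 0 to 128 against every possible destination alignment, checking that no byte outside the target range is modified) can be approximated in plain userspace C. This is a sketch under stated assumptions: memcpy() stands in for the uaccess routine (the real tests exercise copy_to_user() against page boundaries via KUnit), and the poison value and sweep bounds are arbitrary choices for the example.

```c
#include <stddef.h>
#include <string.h>

#define POISON 0x55
#define BUFLEN 256

/* Returns 0 on the first contract violation, 1 if all combinations pass. */
int sweep_alignments(void)
{
	unsigned char dst[BUFLEN], src[BUFLEN];
	size_t size, align, i;

	/* Source bytes have the top bit set, so none can equal POISON. */
	for (i = 0; i < BUFLEN; i++)
		src[i] = (unsigned char)i | 0x80;

	for (size = 0; size <= 128; size++) {
		for (align = 0; align < 16; align++) {
			memset(dst, POISON, BUFLEN);
			memcpy(dst + align, src, size);	/* stand-in for the uaccess copy */

			for (i = 0; i < align; i++)	/* bytes before the target */
				if (dst[i] != POISON)
					return 0;
			for (i = 0; i < size; i++)	/* copied bytes */
				if (dst[align + i] != src[i])
					return 0;
			for (i = align + size; i < BUFLEN; i++)	/* bytes after */
				if (dst[i] != POISON)
					return 0;
		}
	}
	return 1;
}
```

A kernel-side harness would additionally place the destination so that each size straddles a leading or trailing faulting page, and check the return value against the poison pattern as in the failure logs quoted above.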