Google Git
Sign in
kernel / pub / scm / linux / kernel / git / mark / linux / refs/heads/arm64/uaccess/fixes
commitca502394c31390a391379c606c8065500943e989[log] [tgz]
authorMark Rutland <mark.rutland@arm.com>Mon Mar 13 10:55:21 2023 +0000
committerMark Rutland <mark.rutland@arm.com>Wed Nov 15 22:11:34 2023 +0000
tree6271bcd72d726efb7c8a768bafd8f0ab886950ff
parentad6269338cfefd35dbffb5fa8edd6e4ab46470cd [diff]
arm64: fix clear_user() semantics

Generally, clear_user() is supposed to behave the same way as
raw_copy_{to,from}_user(), which per <linux/uaccess.h> requires:

> If raw_copy_{to,from}_user(to, from, size) returns N, size - N bytes
> starting at to must become equal to the bytes fetched from the
> corresponding area starting at from.  All data past to + size - N must
> be left unmodified.
>
> If copying succeeds, the return value must be 0.  If some data cannot
> be fetched, it is permitted to copy less than had been fetched; the
> only hard requirement is that not storing anything at all (i.e.
> returning size) should happen only when nothing could be copied.  In
> other words, you don't have to squeeze as much as possible - it is
> allowed, but not necessary.

Unfortunately arm64's implementation of clear_user() may fail in cases
where some bytes could be written, which can be demonstrated through
testing, e.g.

|     # test_clear_user: ASSERTION FAILED at lib/usercopy_kunit.c:221
| too few bytes consumed (offset=4095, size=2, ret=2)
| [FAILED] 2 byte(s)

As with __{arch,raw}_copy_to_user() there are also a number of potential
other problems where the use of misaligned accesses could result in
under-reporting the number of bytes zeroed.

This patch fixes these issues by replacing the current implementation of
__arch_clear_user() with one derived from the new __arch_copy_to_user().
This only uses aligned stores to write to user memory, and reliably
reports the number of bytes zeroed.

For correctness, I've tested this exhaustively for sizes 0 to 128
against every possible alignment relative to a leading and trailing page
boundary. I've also boot tested and run a few kernel builds with the new
implementation.

For performenace, I've benchmarked reads form /dev/zero and timed kernel
builds before and after this patch, and this seems to be at least as
good (or marginally better than) the current implementation, though the
difference is very close to noise.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Robin Murphy <robin.murphy@arm.com>
Cc: Will Deacon <will@kernel.org>
2 files changed
tree: 6271bcd72d726efb7c8a768bafd8f0ab886950ff
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. fs/
  8. include/
  9. init/
  10. io_uring/
  11. ipc/
  12. kernel/
  13. lib/
  14. LICENSES/
  15. mm/
  16. net/
  17. rust/
  18. samples/
  19. scripts/
  20. security/
  21. sound/
  22. tools/
  23. usr/
  24. virt/
  25. .clang-format
  26. .cocciconfig
  27. .get_maintainer.ignore
  28. .gitattributes
  29. .gitignore
  30. .mailmap
  31. .rustfmt.toml
  32. COPYING
  33. CREDITS
  34. Kbuild
  35. Kconfig
  36. MAINTAINERS
  37. Makefile
  38. README