Re: Sleeping in user_access section

From: Julien Thierry
Date: Fri Nov 23 2018 - 05:16:50 EST

Next message: Eric Saint-Etienne: "[PATCH] perf map: remove extra indirection from map__find()"
Previous message: Geert Uytterhoeven: "Re: [PATCH] pinctrl: rzn1: Fix check for used MDIO bus"
In reply to: hpa: "Re: Sleeping in user_access section"
Next in thread: Russell King - ARM Linux: "Re: Sleeping in user_access section"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 23/11/18 09:57, hpa@xxxxxxxxx wrote:

On November 23, 2018 1:27:02 AM PST, Julien Thierry <julien.thierry@xxxxxxx> wrote:

Hi,

I made an attempt at implementing the
user_access_begin()/user_access_end() macros along with the
get/put_user_unsafe() for arm64 by toggling the status of PAN (more or
less similar to x86's STAC/CTAC).

With a small mistake in my patch, we realized that directly calling
function that could reschedule while in a user_access section could
lead to:

- scheduling another task keeping the user_access status enabled
despite
the task never calling user_access_begin()

- when re-scheduling the task that was mid user_access section,
user_access would be disabled and the task would fault on the next
get/put_user_unsafe.

This is because __switch_to does not alter the user_access status when
switching from next to prev (at least on arm64 we currently don't, and
by looking at the x86 code I don't think this is done either).

From my understanding, this is not an issue when the task in
user_access mode gets scheduled out/in as a result of an interrupt as
PAN and EFLAGS.AC get saved/restore on exception entry/exit (at least I

know it is the case for PAN, I am less sure for the x86 side).

So, the question is, should __switch_to take care of the user_access
status when scheduling new tasks? Or should there be a restriction
about
scheduling out a task with user_access mode enabled and maybe add a
warning if we can detect this?

(Or did we miss something and this is not an issue on x86?)

Thanks,

You should never call a sleeping function from a user_access section. It is intended for very limited regions.

Thanks for the clarification.

Would it be worth documenting this somewhere? And add a check to detect such issues?

Also, those limited regions can be interrupted and preempted, but I guess you could consider the interrupted region being split into separate user_access regions, before and after the interrupt. Should it be stated that an exception/interrupt constitutes implicit user_access_end()/begin() when taken from/returning to a user_access region?

Thanks,

--
Julien Thierry

Next message: Eric Saint-Etienne: "[PATCH] perf map: remove extra indirection from map__find()"
Previous message: Geert Uytterhoeven: "Re: [PATCH] pinctrl: rzn1: Fix check for used MDIO bus"
In reply to: hpa: "Re: Sleeping in user_access section"
Next in thread: Russell King - ARM Linux: "Re: Sleeping in user_access section"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]