From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.3 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 14AA0C4360C for ; Tue, 8 Oct 2019 20:16:23 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id EA705218AC for ; Tue, 8 Oct 2019 20:16:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730676AbfJHUQT (ORCPT ); Tue, 8 Oct 2019 16:16:19 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:34422 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727570AbfJHUQT (ORCPT ); Tue, 8 Oct 2019 16:16:19 -0400 Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92.2 #3 (Red Hat Linux)) id 1iHvu4-0001qR-Ey; Tue, 08 Oct 2019 20:16:17 +0000 Date: Tue, 8 Oct 2019 21:16:16 +0100 From: Al Viro To: Linus Torvalds Cc: Guenter Roeck , Linux Kernel Mailing List , linux-fsdevel Subject: Re: [PATCH] Convert filldir[64]() from __put_user() to unsafe_put_user() Message-ID: <20191008201616.GW26530@ZenIV.linux.org.uk> References: <5f06c138-d59a-d811-c886-9e73ce51924c@roeck-us.net> <20191007012437.GK26530@ZenIV.linux.org.uk> <20191007025046.GL26530@ZenIV.linux.org.uk> <20191008195858.GV26530@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20191008195858.GV26530@ZenIV.linux.org.uk> User-Agent: Mutt/1.12.1 (2019-06-15) Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org On Tue, Oct 08, 2019 at 08:58:58PM +0100, Al Viro wrote: > That's powerpc. And while the constant-sized bits are probably pretty > useless there as well, note the allow_read_from_user()/prevent_read_from_user() > part. Looks suspiciously similar to user_access_begin()/user_access_end()... > > The difference is, they have separate "for read" and "for write" primitives > and they want the range in their user_access_end() analogue. Separating > the read and write isn't a problem for callers (we want them close to > the actual memory accesses). Passing the range to user_access_end() just > might be tolerable, unless it makes you throw up... BTW, another related cleanup is futex_atomic_op_inuser() and arch_futex_atomic_op_inuser(). In the former we have if (!access_ok(uaddr, sizeof(u32))) return -EFAULT; ret = arch_futex_atomic_op_inuser(op, oparg, &oldval, uaddr); if (ret) return ret; and in the latter we've got STAC/CLAC pairs stuck into inlined bits on x86. As well as allow_write_to_user(uaddr, sizeof(*uaddr)) on ppc... I don't see anything in x86 one objtool would've barfed if we pulled STAC/CLAC out and turned access_ok() into user_access_begin(), with matching user_access_end() right after the call of arch_futex_atomic_op_inuser(). Everything is inlined there and no scary memory accesses would get into the scope (well, we do have if (!ret) *oval = oldval; in the very end of arch_futex_atomic_op_inuser() there, but oval is the address of a local variable in the sole caller; if we run with kernel stack on ring 3 page, we are deeply fucked *and* wouldn't have survived that far into futex_atomic_op_inuser() anyway ;-)