From: Christoph Hellwig <hch@lst.de>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Christoph Hellwig <hch@lst.de>,
the arch/x86 maintainers <x86@kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Masami Hiramatsu <mhiramat@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
linux-parisc@vger.kernel.org,
linux-um <linux-um@lists.infradead.org>,
Netdev <netdev@vger.kernel.org>,
bpf@vger.kernel.org, Linux-MM <linux-mm@kvack.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 15/15] x86: use non-set_fs based maccess routines
Date: Thu, 7 May 2020 07:12:13 +0200 [thread overview]
Message-ID: <20200507051213.GB4501@lst.de> (raw)
In-Reply-To: <CAHk-=wghKpGdTmD4EDfwX2uyppwxksU+nFyS1B--kbopcQAgwg@mail.gmail.com>
On Wed, May 06, 2020 at 12:01:32PM -0700, Linus Torvalds wrote:
> Oh, absolutely. I did *NOT* mean that you'd use "unsafe_get_user()" as
> the actual interface. I just meant that as an implementation detail on
> x86, using "unsafe_get_user()" instead of "__get_user_size()"
> internally both simplifies the implementation, and means that it
> doesn't clash horribly with my local changes.
I had a version that just wrapped them, but somehow wasn't able to
make it work due to all the side effects vs macros issues. Maybe I
need to try again, the current version seemed like a nice way out
as it avoided a lot of the silly casting.
> Btw, that brings up another issue: so that people can't mis-use those
> kernel accessors and use them for user addresses, they probably should
> actually do something like
>
> if ((long)addr >= 0)
> goto error_label;
>
> on x86. IOW, have the "strict" kernel pointer behavior.
>
> Otherwise somebody will start using them for user pointers, and it
> will happen to work on old x86 without CLAC/STAC support.
>
> Of course, maybe CLAC/STAC is so common these days (at least with
> developers) that we don't have to worry about it.
The actual public routines (probe_kernel_read and co) get these
checks through probe_kernel_read_allowed, which is implemented by
the x86 code. Doing this for every 1-8 byte access might be a little
slow, though. Do you really fear drivers starting to use the low-level
helper? Maybe we need to move those into a different header than
<asm/uaccess.h> that makes it more clear that they are internal?
> But here you see what it is, if you want to. __get_user_size()
> technically still exists, but it has the "target branch" semantics in
> here, so your patch clashes badly with it.
The target branch semantics actually are what I want, that is how the
maccess code is structured. This is the diff I'd need for the calling
conventions in your bundle:
diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
index 765e18417b3ba..d1c8aacedade1 100644
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -526,14 +526,8 @@ do { \
#define HAVE_ARCH_PROBE_KERNEL
#define arch_kernel_read(dst, src, type, err_label) \
-do { \
- int __kr_err; \
- \
__get_user_size(*((type *)dst), (__force type __user *)src, \
- sizeof(type), __kr_err); \
- if (unlikely(__kr_err)) \
- goto err_label; \
-} while (0)
+ sizeof(type), err_label); \
#define arch_kernel_write(dst, src, type, err_label) \
__put_user_size(*((type *)(src)), (__force type __user *)(dst), \
prev parent reply other threads:[~2020-05-07 5:12 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-06 6:22 clean up and streamline probe_kernel_* and friends Christoph Hellwig
2020-05-06 6:22 ` [PATCH 01/15] maccess: unexport probe_kernel_write and probe_user_write Christoph Hellwig
2020-05-06 6:22 ` [PATCH 02/15] maccess: remove various unused weak aliases Christoph Hellwig
2020-05-06 6:22 ` [PATCH 03/15] maccess: remove duplicate kerneldoc commens Christoph Hellwig
2020-05-06 6:22 ` [PATCH 04/15] maccess: clarify kerneldoc comments Christoph Hellwig
2020-05-06 6:22 ` [PATCH 05/15] maccess: update the top of file comment Christoph Hellwig
2020-05-06 6:22 ` [PATCH 06/15] maccess: rename strncpy_from_unsafe_user to strncpy_from_user_unsafe Christoph Hellwig
2020-05-06 6:22 ` [PATCH 07/15] maccess: rename strncpy_from_unsafe_strict to strncpy_from_kernel_unsafe Christoph Hellwig
2020-05-06 6:22 ` [PATCH 08/15] maccess: rename strnlen_unsafe_user to strnlen_user_unsafe Christoph Hellwig
2020-05-06 17:44 ` Linus Torvalds
2020-05-06 17:47 ` Christoph Hellwig
2020-05-06 17:57 ` Linus Torvalds
2020-05-06 6:22 ` [PATCH 09/15] maccess: remove probe_read_common and probe_write_common Christoph Hellwig
2020-05-06 6:22 ` [PATCH 10/15] maccess: unify the probe kernel arch hooks Christoph Hellwig
2020-05-06 6:22 ` [PATCH 11/15] maccess: remove strncpy_from_unsafe Christoph Hellwig
2020-05-11 5:34 ` Masami Hiramatsu
2020-05-06 6:22 ` [PATCH 12/15] maccess: always use strict semantics for probe_kernel_read Christoph Hellwig
2020-05-11 5:05 ` Masami Hiramatsu
2020-05-11 5:27 ` Masami Hiramatsu
2020-05-06 6:22 ` [PATCH 13/15] maccess: move user access routines together Christoph Hellwig
2020-05-06 6:22 ` [PATCH 14/15] maccess: allow architectures to provide kernel probing directly Christoph Hellwig
2020-05-06 6:22 ` [PATCH 15/15] x86: use non-set_fs based maccess routines Christoph Hellwig
2020-05-06 17:51 ` Linus Torvalds
2020-05-06 18:15 ` Christoph Hellwig
2020-05-06 19:01 ` Linus Torvalds
2020-05-07 5:12 ` Christoph Hellwig [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200507051213.GB4501@lst.de \
--to=hch@lst.de \
--cc=akpm@linux-foundation.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=linux-parisc@vger.kernel.org \
--cc=linux-um@lists.infradead.org \
--cc=mhiramat@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).