Date: Fri, 2 Nov 2018 12:59:40 -0400
From: "Michael S. Tsirkin"
To: Linus Torvalds
Cc: mark.rutland@arm.com, Kees Cook, kvm@vger.kernel.org, virtualization@lists.linux-foundation.org, netdev@vger.kernel.org, Linux Kernel Mailing List, Andrew Morton, bijan.mottahedeh@oracle.com, gedwards@ddn.com, joe@perches.com, lenaic@lhuard.fr, liang.z.li@intel.com, mhocko@kernel.org, mhocko@suse.com, stefanha@redhat.com, wei.w.wang@intel.com, Jason Wang
Subject: Re: [PULL] vhost: cleanups and fixes
Message-ID: <20181102122937-mutt-send-email-mst@kernel.org>
References: <20181101171938-mutt-send-email-mst@kernel.org> <20181102114635.hi3q53kzmz4qljsf@lakrids.cambridge.arm.com> <20181102083018-mutt-send-email-mst@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Nov 02, 2018 at 09:14:51AM -0700, Linus Torvalds wrote:
> On Fri, Nov 2, 2018 at 6:04 AM Michael S. Tsirkin wrote:
> >
> > I've tried making access_ok mask the parameter it gets.
>
> PLEASE don't do this.

Okay.

> Just use "copy_to/from_user()".

Just for completeness I'd like to point out for vhost the copies are
done from the kernel thread. So yes we can switch to copy_to/from_user
but for e.g. 32-bit userspace running on top of a 64 bit kernel it is
IIUC not sufficient - we must *also* do access_ok checks on control path
when addresses are passed to the kernel and when current points to the
correct task struct.

> We have had lots of bugs because code bitrots.

Yes, I wish we did not need these access_ok checks and could just rely
on copy_to/from_user.

> And no, the access_ok() checks aren't expensive, not even in a loop.
> They *used* to be somewhat expensive compared to the access, but that
> simply isn't true any more. The real expense in copy_to_user and
> friends are in the user access bit setting (STAC and CLAC on x86),
> which easily an order of magnitude more expensive than access_ok().
>
> So just get rid of the double-underscore version. It's basically
> always a mis-optimization due to entirely historical reasons. I can
> pretty much guarantee that it's not visible in profiles.
>
> Linus

OK. So maybe we should focus on switching to user_access_begin/end +
unsafe_get_user/unsafe_put_user in a loop which does seem to be
measurable. That moves the barrier out of the loop, which seems to be
consistent with what you would expect.

-- 
MST
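The trade-off discussed in this message, as an added userspace model that is not part of the original e-mail and is not kernel code: it counts how often the user-access window is opened and closed when each element is fetched with its own check, versus one range check and one window around the whole loop. Every `model_*` name and the 4096-byte "user" range are assumptions made for illustration.

```c
/* Userspace model (constructed). Names echo the kernel helpers discussed in
 * the thread, but every model_* symbol is a simplified stand-in. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MODEL_USER_LIMIT 4096u       /* assumed size of the "user" range */
static uint8_t model_user_mem[MODEL_USER_LIMIT];
static int model_ac_toggles;         /* counts STAC/CLAC-like toggles */

/* Overflow-safe range check, standing in for access_ok(). */
static int model_access_ok(size_t addr, size_t size)
{
    return size <= MODEL_USER_LIMIT && addr <= MODEL_USER_LIMIT - size;
}

/* Per-element: every load pays its own check and its own open/close pair. */
static int model_read_each(uint32_t *dst, size_t addr, size_t n)
{
    for (size_t i = 0; i < n; i++, addr += sizeof(*dst)) {
        if (!model_access_ok(addr, sizeof(*dst)))
            return -1;
        model_ac_toggles++;                              /* open window */
        memcpy(&dst[i], &model_user_mem[addr], sizeof(*dst));
        model_ac_toggles++;                              /* close window */
    }
    return 0;
}

/* Batched: one check covering the whole range, one window around the loop.
 * The loads inside rely entirely on that single check. */
static int model_read_batched(uint32_t *dst, size_t addr, size_t n)
{
    if (n > MODEL_USER_LIMIT / sizeof(*dst) ||
        !model_access_ok(addr, n * sizeof(*dst)))
        return -1;
    model_ac_toggles++;                                  /* open window */
    for (size_t i = 0; i < n; i++)
        memcpy(&dst[i], &model_user_mem[addr + i * sizeof(*dst)], sizeof(*dst));
    model_ac_toggles++;                                  /* close window */
    return 0;
}

int main(void)
{
    uint32_t buf[8];
    return model_read_each(buf, 0, 8) || model_read_batched(buf, 0, 8);
}
```

In the batched form the single range check is the only thing standing between the loop and an out-of-range access, so it has to cover the full `n * sizeof(element)` span and reject a length that would overflow.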