Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp7992012imu; Tue, 4 Dec 2018 00:43:49 -0800 (PST) X-Google-Smtp-Source: AFSGD/Vh+r4g8LT68HXoSiKP4EAnXLXIB8Q6UGerzEPWu0KSkg0qDnUNtKYJ1Orn/rn8rByrAc3s X-Received: by 2002:a63:5b1f:: with SMTP id p31mr15924969pgb.56.1543913029903; Tue, 04 Dec 2018 00:43:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543913029; cv=none; d=google.com; s=arc-20160816; b=SCCyZYupj4tuBoGzbdS/9IydOTF7xkh/DFlr3lNJSX29EVhb4ALjDeEjFgxvl9i0A6 GDjQ0OsZgIQiYLxbyXeFGIDTINdjxCeI2dUL9/j25cOuzfVpuqz2HRCWRlmCmaHO3N7u Mzrxas6+Eo+O9nCdd5Ag3Z78Wwp5L/zOJBAoPZBIkfe0Nz905DwZ7MMxzUwSK12qyuEE u4IM25FdVnXYcS+bFJr6Spvs2Te3uQFUYCo3fmnr7KqGtEIJg4CFDUO7/NaxLO7/FljP 9VhQ2HLlmGfm6A6jyV5qU0iQs1EETRhkjbhdVlUj56+IL6bwF/AN7dwCkj6dBDR60YMO qvAg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:date:references :in-reply-to:subject:cc:to:from; bh=OKdvQtxd+teAbVav0iaOSD6RMyWX4qjPVvqzX/NLUzE=; b=bPqD09Y6vwv95dLFMZtBEf1sspYTskr6eGUM/kibtzMVAIYnSJK5TPzsx3hRfJSh7c ZpnnJFf5QrmRpT8BHGlgE5h3PRY73mxLyOQALzCRDDwSjh8eUxpmXkixmNn+FNpSwLTP YT4SvjtDmNWZx4sa5cA0z4x9ql7DkccSo1DFjMKIpEpf88QQv7kBtKDfZqArgw4H9Ptw 53EdZz0EMiv0D1vaL0SVkK2MgP8V1jzv4DYQq76ThvA2h7yf0oMj3wANRBdBAIlcHL4z axYsQh31bXU6NBe+90M6ueqXQnIJ3p1Oqzso3GiKnK0LDb1NPYMvmNpsKd9aDgb/yqNB hFXQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f5si16379521pfn.259.2018.12.04.00.43.34; Tue, 04 Dec 2018 00:43:49 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725899AbeLDIm6 (ORCPT + 99 others); Tue, 4 Dec 2018 03:42:58 -0500 Received: from ozlabs.org ([203.11.71.1]:54587 "EHLO ozlabs.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725747AbeLDIm5 (ORCPT ); Tue, 4 Dec 2018 03:42:57 -0500 Received: from authenticated.ozlabs.org (localhost [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPSA id 438Fk6451gz9s55; Tue, 4 Dec 2018 19:42:54 +1100 (AEDT) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=ellerman.id.au From: Michael Ellerman To: Christophe Leroy , Kees Cook , Andrew Morton , Benjamin Herrenschmidt , Paul Mackerras Cc: linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-mm@kvack.org Subject: Re: [PATCH 1/2] mm: add probe_user_read() and probe_user_address() In-Reply-To: References: Date: Tue, 04 Dec 2018 19:42:52 +1100 Message-ID: <874lbtisxf.fsf@concordia.ellerman.id.au> MIME-Version: 1.0 Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Christophe Leroy writes: > In the powerpc, there are several places implementing safe ^ code ? > access to user data. This is sometimes implemented using > probe_kernel_address() with additional access_ok() verification, > sometimes with get_user() enclosed in a pagefault_disable()/enable() > pair, etc... : > show_user_instructions() > bad_stack_expansion() > p9_hmi_special_emu() > fsl_pci_mcheck_exception() > read_user_stack_64() > read_user_stack_32() on PPC64 > read_user_stack_32() on PPC32 > power_pmu_bhrb_to() > > In the same spirit as probe_kernel_read() and probe_kernel_address(), > this patch adds probe_user_read() and probe_user_address(). > > probe_user_read() does the same as probe_kernel_read() but > first checks that it is really a user address. > > probe_user_address() is a shortcut to probe_user_read() ... > +#define probe_user_address(addr, retval) \ > + probe_user_read(&(retval), addr, sizeof(retval)) I realise you added probe_user_address() to mirror probe_kernel_address(), but I'd rather we just used probe_user_read() directly. The only advantage of probe_kernel_address() is that you don't have to mention retval twice. But the downsides are that it's not obvious that you're writing to retval (because the macro takes the address for you), and retval is evaluated twice (the latter is usually not a problem but it can be). eg, call sites like this are confusing: static int read_user_stack_64(unsigned long __user *ptr, unsigned long *ret) { ... if (!probe_user_address(ptr, *ret)) return 0; It's confusing because ret is a pointer, but then we dereference it before passing it to probe_user_address(), so it looks like we're just passing a value, but we're not. Compare to: if (!probe_user_read(ret, ptr, sizeof(*ret))) return 0; Which is entirely analogous to a call to memcpy() and involves no magic. I know there's lots of precedent here with get_user() etc. but that doesn't mean we have to follow that precedent blindly :) I guess perhaps we can add probe_user_address() but just not use it in the powerpc code, if other folks want it to exist. cheers