Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp621622ybe; Fri, 6 Sep 2019 04:56:32 -0700 (PDT) X-Google-Smtp-Source: APXvYqxojNn8eZP5LdgkFzbmcTLlpwj/0KdlwYqJxjJ00d1vvtYJv9nlUbkPjBpzgTiQL1hAafih X-Received: by 2002:a63:7d49:: with SMTP id m9mr7893691pgn.161.1567770992170; Fri, 06 Sep 2019 04:56:32 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1567770992; cv=none; d=google.com; s=arc-20160816; b=xbMriW8tjFMdX+kBbXwg8TuB4VjsyolIoCmuoylV4QVHQBUMuzKRpLHlweckG8INbJ y0Kdb4cBjT/tOSRUzia7PUrmPqyCFiJ5uCO0TePg4usQx2qmBxUpyMXrneLVOH5HBT7I N5aeQcuU3z3e+8gHHfqDkSH7femUNelxucg7v6mTIMIdwqlLSiL2rh1R9vFba6XlGDGn 7LVb7KXq9hrwE7DVbOKTJ752Jw5shZac9iQCy3tBS1BkHLJiWuAo48FBC7NKTU+LiBqN MT7qqGa3PWNqpfmotpRAzdZAdBhZAxDrtrOWoX3D53xbTxdzzPU0G0CoFQ/sbcXRibkG 6AXw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=eqNHFCpenKlLhy5CXb4y8sAYqkQa5zaZb7hH39+2XTk=; b=o1JNJQeCxzKTLTnzuYJzgVPfwfhN3vimOlpvgA+IHccpHuZfj1jPJelynjgVubWUha WZ/hE+mlAFlecDOtVUBgMNujH4sqVhQio5qc85V64kPgCIuAF/RDQS9SRHmyhe2l3lkz Hw3GJZvmAQPhtyDx71yb1FaDLrUbBfZiwNFAqP/2cip4E1bmFIVrAyT9G9XZTeaFCHw0 R6qk+bmIhtlDk8iecr/f4xEw2EtSfotOr0V6nKC6ase3zV+wkSMAN7hqklOQbvCUv13l A8Zx11O4sTVj8/x73TaqMA9jMLI8x2wWnHXNITt6ocOdXjAqMmhaApBE4dl+TJ7tLYcn t4dA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 79si5558283pfz.161.2019.09.06.04.56.16; Fri, 06 Sep 2019 04:56:32 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2391492AbfIFAPB (ORCPT + 99 others); Thu, 5 Sep 2019 20:15:01 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:44722 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2391444AbfIFAPA (ORCPT ); Thu, 5 Sep 2019 20:15:00 -0400 Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92.1 #3 (Red Hat Linux)) id 1i61tX-00047s-6A; Fri, 06 Sep 2019 00:14:31 +0000 Date: Fri, 6 Sep 2019 01:14:31 +0100 From: Al Viro To: Aleksa Sarai Cc: Jeff Layton , "J. Bruce Fields" , Arnd Bergmann , David Howells , Shuah Khan , Shuah Khan , Ingo Molnar , Peter Zijlstra , Christian Brauner , Rasmus Villemoes , Eric Biederman , Andy Lutomirski , Andrew Morton , Alexei Starovoitov , Kees Cook , Jann Horn , Tycho Andersen , David Drysdale , Chanho Min , Oleg Nesterov , Alexander Shishkin , Jiri Olsa , Namhyung Kim , Aleksa Sarai , Linus Torvalds , containers@lists.linux-foundation.org, linux-alpha@vger.kernel.org, linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-ia64@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-m68k@lists.linux-m68k.org, linux-mips@vger.kernel.org, linux-parisc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, linux-sh@vger.kernel.org, linux-xtensa@linux-xtensa.org, sparclinux@vger.kernel.org Subject: Re: [PATCH v12 01/12] lib: introduce copy_struct_{to,from}_user helpers Message-ID: <20190906001431.GU1131@ZenIV.linux.org.uk> References: <20190904201933.10736-1-cyphar@cyphar.com> <20190904201933.10736-2-cyphar@cyphar.com> <20190905180750.GQ1131@ZenIV.linux.org.uk> <20190905230003.bek7vqdvruzi4ybx@yavin.dot.cyphar.com> <20190905234944.GT1131@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190905234944.GT1131@ZenIV.linux.org.uk> User-Agent: Mutt/1.12.0 (2019-05-25) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Sep 06, 2019 at 12:49:44AM +0100, Al Viro wrote: > On Fri, Sep 06, 2019 at 09:00:03AM +1000, Aleksa Sarai wrote: > > > > + return -EFAULT; > > > > + } > > > > + /* Copy the interoperable parts of the struct. */ > > > > + if (__copy_to_user(dst, src, size)) > > > > + return -EFAULT; > > > > > > Why not simply clear_user() and copy_to_user()? > > > > I'm not sure I understand what you mean -- are you asking why we need to > > do memchr_inv(src + size, 0, rest) earlier? > > I'm asking why bother with __ and separate access_ok(). > > > > if ((unsigned long)addr & 1) { > > > u8 v; > > > if (get_user(v, (__u8 __user *)addr)) > > > return -EFAULT; > > > if (v) > > > return -E2BIG; > > > addr++; > > > } > > > if ((unsigned long)addr & 2) { > > > u16 v; > > > if (get_user(v, (__u16 __user *)addr)) > > > return -EFAULT; > > > if (v) > > > return -E2BIG; > > > addr +=2; > > > } > > > if ((unsigned long)addr & 4) { > > > u32 v; > > > if (get_user(v, (__u32 __user *)addr)) > > > return -EFAULT; > > > if (v) > > > return -E2BIG; > > > } > > > > > Actually, this is a dumb way to do it - page size on anything > is going to be a multiple of 8, so you could just as well > read 8 bytes from an address aligned down. Then mask the > bytes you don't want to check out and see if there's anything > left. > > You can have readability boundaries inside a page - it's either > the entire page (let alone a single word) being readable, or > it's EFAULT for all parts. > > > > would be saner, and things like x86 could trivially add an > > > asm variant - it's not hard. Incidentally, memchr_inv() is > > > an overkill in this case... > > > > Why is memchr_inv() overkill? > > Look at its implementation; you only care if there are > non-zeroes, you don't give a damn where in the buffer > the first one would be. All you need is the same logics > as in "from userland" case > if (!count) > return true; > offset = (unsigned long)from & 7 > p = (u64 *)(from - offset); > v = *p++; > if (offset) { // unaligned > count += offset; > v &= ~aligned_byte_mask(offset); // see strnlen_user.c > } > while (count > 8) { > if (v) > return false; > v = *p++; > count -= 8; > } > if (count != 8) > v &= aligned_byte_mask(count); > return v == 0; > > All there is to it... ... and __user case would be pretty much this with if (user_access_begin(from, count)) { .... user_access_end(); } wrapped around the damn thing - again, see strnlen_user.c, with unsafe_get_user(v, p++, efault); instead of those v = *p++; Calling conventions might need some thinking - it might be * all read, all zeroes * non-zero found * read failed so we probably want to map the "all zeroes" case to 0, "read failed" to -EFAULT and "non-zero found" to something else. Might be positive, might be some other -E.... - not sure if E2BIG (or EFBIG) makes much sense here. Need to look at the users...