Received: by 2002:a25:c593:0:0:0:0:0 with SMTP id v141csp727010ybe; Wed, 11 Sep 2019 03:50:21 -0700 (PDT) X-Google-Smtp-Source: APXvYqyFcR09FbV4Rs3Hq9ll8LyTjXBeIT0/INewXPeeBMbDASW4Zl7VzZZBO0fWfkhGkSYGNCyg X-Received: by 2002:a17:906:1d4d:: with SMTP id o13mr29386472ejh.70.1568199021248; Wed, 11 Sep 2019 03:50:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1568199021; cv=none; d=google.com; s=arc-20160816; b=bh4BNv2mih62u8cLETXBH4u6l+BDg6x4fbLqaytzN3PgN5FUNT20DQF2fa49xlUf46 P6TKi6V3jY3U3kfdzTWIR+qjK3wDdjI++e7+/+V6PGt1JabWPj2XoWpHkvW+Nym+UwBL 9saL2ZNuvcmxzndTLlrzFch+Qza9to0PMh8ZIcOx1YN7WSr0/18Tuz0Vcw5ZP9YMFlTM 33aUgs2+Ofc7VPXBSNk5p90bTJB+V4/wS8TTb4p5uPxtLmrcd/QCdfPfBfLoHaO8EUEm Lbs7ONHSr5rQ9czg0V1+IAo8WFhGEoyMu6FFPgeXEqs2FKQPluLH1cXUj6q+dVmGPOil 7MZg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=s4U/NYn7eaHEcHZOThgPEno2uv51Irzawc+S3j7SpNc=; b=AYXnW9U3EPUAiCydMWkjtpdBWfd7qeMOjbRzSmXpRB4itWIB73Fc2z1z47eZ37XN4E 6D/6nEa/TMuCSVQpjBc0qFgtUUxrouGZWd5m/AnSJgGZxxxtc3GuETzfZyLi4GpXOCWR gHxXKMd8B6yasAumNCsvok3x/OZ1SqUyT+GWbz3fNYlGQd155xTOpGBsLCH/hqnBo229 YhxLkoDkr3yqor1XMXYsT7LB7CwchTE1HMzpfKlYUJ5m/gBjBLjWknRypJGuEKmDDamW AQ+JJGo0JMNZ739LC0uZN74l1GWGNKiw/XOjNaNlOeA+VrVe48xd0+sGeSQu5ANr9LuC 3btg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i36si13467533ede.436.2019.09.11.03.49.57; Wed, 11 Sep 2019 03:50:21 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727696AbfIKKqC (ORCPT + 99 others); Wed, 11 Sep 2019 06:46:02 -0400 Received: from mx2a.mailbox.org ([80.241.60.219]:20039 "EHLO mx2a.mailbox.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726657AbfIKKqB (ORCPT ); Wed, 11 Sep 2019 06:46:01 -0400 Received: from smtp1.mailbox.org (smtp1.mailbox.org [80.241.60.240]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mx2.mailbox.org (Postfix) with ESMTPS id AC930A2C82; Wed, 11 Sep 2019 12:37:46 +0200 (CEST) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp1.mailbox.org ([80.241.60.240]) by spamfilter04.heinlein-hosting.de (spamfilter04.heinlein-hosting.de [80.241.56.122]) (amavisd-new, port 10030) with ESMTP id ATeziMSY9H4D; Wed, 11 Sep 2019 12:37:41 +0200 (CEST) Date: Wed, 11 Sep 2019 20:37:30 +1000 From: Aleksa Sarai To: Peter Zijlstra Cc: Al Viro , Jeff Layton , "J. Bruce Fields" , Arnd Bergmann , David Howells , Shuah Khan , Shuah Khan , Ingo Molnar , Christian Brauner , Rasmus Villemoes , Eric Biederman , Andy Lutomirski , Andrew Morton , Alexei Starovoitov , Kees Cook , Jann Horn , Tycho Andersen , David Drysdale , Chanho Min , Oleg Nesterov , Alexander Shishkin , Jiri Olsa , Namhyung Kim , Aleksa Sarai , Linus Torvalds , containers@lists.linux-foundation.org, linux-alpha@vger.kernel.org, linux-api@vger.kernel.org, linux-arch@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-ia64@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-m68k@lists.linux-m68k.org, linux-mips@vger.kernel.org, linux-parisc@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-s390@vger.kernel.org, linux-sh@vger.kernel.org, linux-xtensa@linux-xtensa.org, sparclinux@vger.kernel.org, patrick.bellasi@arm.com Subject: Re: [PATCH v12 01/12] lib: introduce copy_struct_{to,from}_user helpers Message-ID: <20190911103730.72unmfp7lsvvafxo@yavin> References: <20190904201933.10736-1-cyphar@cyphar.com> <20190904201933.10736-2-cyphar@cyphar.com> <20190905073205.GY2332@hirez.programming.kicks-ass.net> <20190905092622.tlb6nn3uisssdfbu@yavin.dot.cyphar.com> <20190905094305.GJ2349@hirez.programming.kicks-ass.net> <20190905105749.GW2386@hirez.programming.kicks-ass.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="xpghzs3x7rsccuuz" Content-Disposition: inline In-Reply-To: <20190905105749.GW2386@hirez.programming.kicks-ass.net> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --xpghzs3x7rsccuuz Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On 2019-09-05, Peter Zijlstra wrote: > On Thu, Sep 05, 2019 at 11:43:05AM +0200, Peter Zijlstra wrote: > > On Thu, Sep 05, 2019 at 07:26:22PM +1000, Aleksa Sarai wrote: > > > On 2019-09-05, Peter Zijlstra wrote: > > > > On Thu, Sep 05, 2019 at 06:19:22AM +1000, Aleksa Sarai wrote: > > > > > +/** > > > > > + * copy_struct_to_user: copy a struct to user space > > > > > + * @dst: Destination address, in user space. > > > > > + * @usize: Size of @dst struct. > > > > > + * @src: Source address, in kernel space. > > > > > + * @ksize: Size of @src struct. > > > > > + * > > > > > + * Copies a struct from kernel space to user space, in a way tha= t guarantees > > > > > + * backwards-compatibility for struct syscall arguments (as long= as future > > > > > + * struct extensions are made such that all new fields are *appe= nded* to the > > > > > + * old struct, and zeroed-out new fields have the same meaning a= s the old > > > > > + * struct). > > > > > + * > > > > > + * @ksize is just sizeof(*dst), and @usize should've been passed= by user space. > > > > > + * The recommended usage is something like the following: > > > > > + * > > > > > + * SYSCALL_DEFINE2(foobar, struct foo __user *, uarg, size_t, = usize) > > > > > + * { > > > > > + * int err; > > > > > + * struct foo karg =3D {}; > > > > > + * > > > > > + * // do something with karg > > > > > + * > > > > > + * err =3D copy_struct_to_user(uarg, usize, &karg, sizeof(k= arg)); > > > > > + * if (err) > > > > > + * return err; > > > > > + * > > > > > + * // ... > > > > > + * } > > > > > + * > > > > > + * There are three cases to consider: > > > > > + * * If @usize =3D=3D @ksize, then it's copied verbatim. > > > > > + * * If @usize < @ksize, then kernel space is "returning" a new= er struct to an > > > > > + * older user space. In order to avoid user space getting inc= omplete > > > > > + * information (new fields might be important), all trailing = bytes in @src > > > > > + * (@ksize - @usize) must be zerored > > > >=20 > > > > s/zerored/zero/, right? > > >=20 > > > It should've been "zeroed". > >=20 > > That reads wrong to me; that way it reads like this function must take > > that action and zero out the 'rest'; which is just wrong. > >=20 > > This function must verify those bytes are zero, not make them zero. > >=20 > > > > > , otherwise -EFBIG is re= turned. > > > >=20 > > > > 'Funny' that, copy_struct_from_user() below seems to use E2BIG. > > >=20 > > > This is a copy of the semantics that sched_[sg]etattr(2) uses -- E2BI= G for > > > a "too big" struct passed to the kernel, and EFBIG for a "too big" > > > struct passed to user-space. I would personally have preferred EMSGSI= ZE > > > instead of EFBIG, but felt using the existing error codes would be le= ss > > > confusing. > >=20 > > Sadly a recent commit: > >=20 > > 1251201c0d34 ("sched/core: Fix uclamp ABI bug, clean up and robustify= sched_read_attr() ABI logic and code") > >=20 > > Made the situation even 'worse'. >=20 > And thinking more about things; I'm not convinced the above patch is > actually right. >=20 > Do we really want to simply truncate all the attributes of the task? >=20 > And should we not at least set sched_flags when there are non-default > clamp values applied? >=20 > See; that is I think the primary bug that had chrt failing; we tried to > publish the default clamp values as !0. I just saw this patch in -rc8 -- should I even attempt to port sched_getattr(2) to copy_struct_to_user()? I agree that publishing a default non-zero value is a mistake -- once you do that, old user space will either get confused or lose information. --=20 Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH --xpghzs3x7rsccuuz Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iHUEABYIAB0WIQSxZm6dtfE8gxLLfYqdlLljIbnQEgUCXXjOZwAKCRCdlLljIbnQ EgeZAP9UC+Kf1AuY3XgSz6a5avhF1Eskr6DzrSR4wx0T62dnoQD9GcCXU0oVrERB 0xz5K9MrU1nBr6ERqmBwygo/DVsTwAk= =oep8 -----END PGP SIGNATURE----- --xpghzs3x7rsccuuz--