Date: Mon, 7 Oct 2019 03:50:46 +0100
From: Al Viro
To: Linus Torvalds
Cc: Guenter Roeck, Linux Kernel Mailing List, linux-fsdevel
Subject: Re: [PATCH] Convert filldir[64]() from __put_user() to unsafe_put_user()
Message-ID: <20191007025046.GL26530@ZenIV.linux.org.uk>
References: <20191006222046.GA18027@roeck-us.net> <5f06c138-d59a-d811-c886-9e73ce51924c@roeck-us.net> <20191007012437.GK26530@ZenIV.linux.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Oct 06, 2019 at 07:06:19PM -0700, Linus Torvalds wrote:
> On Sun, Oct 6, 2019 at 6:24 PM Al Viro wrote:
> >
> > Ugh... I wonder if it would be better to lift STAC/CLAC out of
> > raw_copy_to_user(), rather than trying to reinvent its guts
> > in readdir.c...
>
> Yeah, I suspect that's the best option.
>
> Do something like
>
>  - lift STAC/CLAC out of raw_copy_to_user
>
>  - rename it to unsafe_copy_to_user
>
>  - create a new raw_copy_to_user that is just unsafe_copy_to_user()
>    with the STAC/CLAC around it.
>
> and the end result would actually be cleaner than what we have now
> (which duplicates that STAC/CLAC for each size case etc).
>
> And then for the "architecture doesn't have user_access_begin/end()"
> fallback case, we just do
>
>    #define unsafe_copy_to_user raw_copy_to_user

Callers of raw_copy_to_user():

arch/hexagon/mm/uaccess.c:27: uncleared = raw_copy_to_user(dest, &empty_zero_page, PAGE_SIZE);
arch/hexagon/mm/uaccess.c:34: count = raw_copy_to_user(dest, &empty_zero_page, count);
arch/powerpc/kvm/book3s_64_mmu_radix.c:68: ret = raw_copy_to_user(to, from, n);
arch/s390/include/asm/uaccess.h:150: size = raw_copy_to_user(ptr, x, size);
include/asm-generic/uaccess.h:145: return unlikely(raw_copy_to_user(ptr, x, size)) ? -EFAULT : 0;
include/linux/uaccess.h:93: return raw_copy_to_user(to, from, n);
include/linux/uaccess.h:102: return raw_copy_to_user(to, from, n);
include/linux/uaccess.h:131: n = raw_copy_to_user(to, from, n);
lib/iov_iter.c:142: n = raw_copy_to_user(to, from, n);
lib/usercopy.c:28: n = raw_copy_to_user(to, from, n);

Out of those, only __copy_to_user_inatomic(), __copy_to_user(),
_copy_to_user() and iov_iter.c:copyout() can be called on
any architecture.

The last two should just do user_access_begin()/user_access_end()
instead of access_ok().

__copy_to_user_inatomic() has very few callers as well:

arch/mips/kernel/unaligned.c:1307: res = __copy_to_user_inatomic(addr, fpr, sizeof(*fpr));
drivers/gpu/drm/i915/i915_gem.c:345: unwritten = __copy_to_user_inatomic(user_data,
lib/test_kasan.c:471: unused = __copy_to_user_inatomic(usermem, kmem, size + 1);
mm/maccess.c:98: ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);

So few, in fact, that I wonder if we want to keep it at all; the only
thing stopping me from "let's remove it" is that I don't understand
the i915 side of things. Where does it do an equivalent of access_ok()?

And mm/maccess.c one is __probe_kernel_write(), so presumably we don't
want stac/clac there at all...

So do we want to bother with separation between raw_copy_to_user() and
unsafe_copy_to_user()? After all, __copy_to_user() also has only few
callers, most of them in arch/*

I'll take a look into that tomorrow - half-asleep right now...
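
Added example (not part of the original message, and not kernel code): a userspace C model of the split described in the quoted proposal, showing that the lifted unsafe_copy_to_user() copies nothing outside a user_access_begin()/user_access_end() window and that a filldir-style caller pays one STAC/CLAC pair instead of one per copy. The offset-addressed user_mem buffer, the ac_flag and toggles variables, the simplified signatures and the fill_per_call()/fill_batched() callers are assumptions made for illustration.

```c
/* Userspace MODEL of the proposed split; names mirror the thread, code is illustrative. */
#include <string.h>

static char user_mem[64];   /* constructed stand-in for user address space */
static int ac_flag;         /* models EFLAGS.AC: 1 = user access permitted */
static int toggles;         /* STAC and CLAC instructions executed so far */

static void stac(void) { ac_flag = 1; toggles++; }
static void clac(void) { ac_flag = 0; toggles++; }
/* "User pointers" are offsets into user_mem; the whole range must fit. */
static int access_ok(size_t to, size_t n) { return to <= sizeof user_mem && n <= sizeof user_mem - to; }
/* Copy body with STAC/CLAC lifted out. Returns the number of bytes NOT copied. */
static size_t unsafe_copy_to_user(size_t to, const void *from, size_t n) {
    if (!ac_flag || !access_ok(to, n))
        return n;           /* models a fault: window closed or unmapped range */
    memcpy(user_mem + to, from, n);
    return 0;
}
/* New raw_copy_to_user(): the same body with STAC/CLAC around it. */
static size_t raw_copy_to_user(size_t to, const void *from, size_t n) {
    stac();
    n = unsafe_copy_to_user(to, from, n);
    clac();
    return n;
}
static int user_access_begin(size_t to, size_t n) {
    if (!access_ok(to, n)) return 0;
    stac();
    return 1;
}
static void user_access_end(void) { clac(); }
/* Hypothetical caller A: every field pays its own STAC/CLAC pair. */
static int fill_per_call(size_t to, unsigned long ino, const char *name, size_t len) {
    if (!access_ok(to, sizeof ino + len)) return -1;
    return (raw_copy_to_user(to, &ino, sizeof ino) ||
            raw_copy_to_user(to + sizeof ino, name, len)) ? -1 : 0;
}
/* Hypothetical caller B, filldir-style: one window around all the writes. */
static int fill_batched(size_t to, unsigned long ino, const char *name, size_t len) {
    size_t left;
    if (!user_access_begin(to, sizeof ino + len)) return -1;
    left = unsafe_copy_to_user(to, &ino, sizeof ino);
    if (!left) left = unsafe_copy_to_user(to + sizeof ino, name, len);
    user_access_end();      /* close the window on success and failure alike */
    return left ? -1 : 0;
}
int main(void) {            /* exit status 0 when both callers succeed */
    return fill_per_call(0, 42, "abc", 4) || fill_batched(16, 42, "abc", 4);
}
```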