Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp235262ybp; Thu, 10 Oct 2019 17:11:48 -0700 (PDT) X-Google-Smtp-Source: APXvYqxur5ztYhCLjCJ2PATUwnSK+l97KgzCa6sxfCWG7Tdka86kO6QQ5llXFh+UqLxDHYWusDdZ X-Received: by 2002:a17:906:f54:: with SMTP id h20mr11102745ejj.55.1570752708537; Thu, 10 Oct 2019 17:11:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570752708; cv=none; d=google.com; s=arc-20160816; b=NgqoTR0fS8ftINOWrl/cSauCy5q7MiDfr17/1K5KDmiR84hyMxRy0KJVFnvKej6Ph7 K/giY09jLIWJKIq6PvKQGBmIhwGsjMFjs3xhSDZPt8vM216ZPv2P+GhQYq3v8tAz/0Cg TXDh7g0MptfVqO4kUIhYauMZEvMH8SEOI65HhqygLeToiNCutjvyq/pgRUoCUDEjPW/1 kabW5/3/Gbvp40ZP1CSduVY6fy5wxC6mQDQNSMgzO19Hs1b+i/RSnEhnSAprShtQrgBM W/wKD5tx3XLk7lRwlEeUG+9/5IgdrRrJAacgOColz1KWnPr3ikKUZGk9fYNPUc5Z69cL KR2g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=tiRGdeZsg8k+EpIjAEqKqOdbO5LjPuKnuHdbBpastEE=; b=byjGIzandms341yIxUe/5+qdFusQfxpeX6kbCHz4eewPRpoLM+HwOMysC1oFjDZLFg wNRD8Jl76MSjPMnRfFjFT5v6AnQ3GP3txc48u8dkfLfA1YbUIwXVrjceRi0j1gftmGjN XcKJ0lBXiB6JIYA50Q8sBlEFz19EtltevHzRY+GplScq/BaqMUWBhzzxIO236l3vUQ6a DbICu7tXogoGPVmos9yN73VTyKLW4+Lw9SW80ywfXBSUebpp3F7p2NPktrUfcLl1F966 cGjXRLssHOoNnCN4fHrSNNhlNlK9IATYYM5jsueitf1jj6X+5qiawzBOvf5e34SULsZM eRqA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id ch10si4044492ejb.89.2019.10.10.17.11.24; Thu, 10 Oct 2019 17:11:48 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727525AbfJKALI (ORCPT + 99 others); Thu, 10 Oct 2019 20:11:08 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:43330 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727478AbfJKALI (ORCPT ); Thu, 10 Oct 2019 20:11:08 -0400 Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92.2 #3 (Red Hat Linux)) id 1iIiWO-0000GI-J7; Fri, 11 Oct 2019 00:11:04 +0000 Date: Fri, 11 Oct 2019 01:11:04 +0100 From: Al Viro To: Linus Torvalds Cc: Guenter Roeck , Linux Kernel Mailing List , linux-fsdevel Subject: Re: [PATCH] Convert filldir[64]() from __put_user() to unsafe_put_user() Message-ID: <20191011001104.GJ26530@ZenIV.linux.org.uk> References: <20191007012437.GK26530@ZenIV.linux.org.uk> <20191007025046.GL26530@ZenIV.linux.org.uk> <20191008032912.GQ26530@ZenIV.linux.org.uk> <20191010195504.GI26530@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.12.1 (2019-06-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Oct 10, 2019 at 03:12:49PM -0700, Linus Torvalds wrote: > On Thu, Oct 10, 2019 at 12:55 PM Al Viro wrote: > > > > Anyway, another question you way: what do you think of try/catch approaches > > to __get_user() blocks, like e.g. restore_sigcontext() is doing? > > I'd rather have them converted to our unsafe_get/put_user() instead. > > We don't generate great code for the "get" case (because of how gcc > doesn't allow us to mix "asm goto" and outputs), but I really despise > the x86-specific "{get,put}_user_ex()" machinery. It's not actually > doing a real try/catch at all, and will just keep taking faults if one > happens. > > But I've not gotten around to rewriting those disgusting sequences to > the unsafe_get/put_user() model. I did look at it, and it requires > some changes exactly *because* the _ex() functions are broken and > continue, but also because the current code ends up also doing other > things inside the try/catch region that you're not supposed to do in a > user_access_begin/end() region . Hmm... Which one was that? AFAICS, we have do_sys_vm86: only get_user_ex() restore_sigcontext(): get_user_ex(), set_user_gs() ia32_restore_sigcontext(): get_user_ex() So at least get_user_try/get_user_ex/get_user_catch should be killable. The other side... save_v86_state(): put_user_ex() setup_sigcontext(): put_user_ex() __setup_rt_frame(): put_user_ex(), static_cpu_has() another one in __setup_rt_frame(): put_user_ex() x32_setup_rt_frame(): put_user_ex() ia32_setup_sigcontext(): put_user_ex() ia32_setup_frame(): put_user_ex() another one in ia32_setup_frame(): put_user_ex(), static_cpu_has() IDGI... Is static_cpu_has() not allowed in there? Looks like it's all inlines and doesn't do any potentially risky memory accesses... What am I missing? As for the try/catch model... How about if (!user_access_begin()) sod off ... unsafe_get_user(..., l); ... unsafe_get_user_nojump(); ... unsafe_get_user_nojump(); ... if (user_access_did_fail()) goto l; user_access_end() ... return 0; l: ... user_access_end() return -EFAULT; making it clear that we are delaying the check for failures until it's more convenient. And *not* trying to trick C parser into enforcing anything - let objtool do it and to hell with do { and } while (0) in magic macros. Could be mixed with the normal unsafe_..._user() without any problems, AFAICS...