Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp3736718ybp; Sun, 13 Oct 2019 13:02:28 -0700 (PDT) X-Google-Smtp-Source: APXvYqxIjmuwQ+lqiDVCOpdeyD7GxuAIDc747yyr0RVcQvrCTDVv1zTtLZYx4DeFWEdkmKSNTXW9 X-Received: by 2002:a50:a781:: with SMTP id i1mr24964863edc.17.1570996948014; Sun, 13 Oct 2019 13:02:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570996948; cv=none; d=google.com; s=arc-20160816; b=srl4sewwjZaUqrQBX0qpu1O488Kbu79KmR7dH3DwQJLD1E8yDfIucZCfRTvKiDQn5w FO8w8tyCkSwoWjPHg7rbSPn57Sl57QhzW7We91JjM3qTF1bdmziKmEwS9hSxvGarECkm OaRJQ1xTY8RhOUs/eldXcwj58S6uYWZWhB2JJkSliY/UVDxN7IJ0nCHlowrFxauN0VLn fip3D4bM0TKz36dDjJbAH5slh8pUQdLGb922w6cF6yBnIeiqWLQ27hBzbbjuscFVlQxn WAe6tVXJlkZImUSbkoeG3D+vOWcy69WNgLjlpjTXL2Z9/37uRwhV/KI9E3NwC++xiqYf awew== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=+qobF73HZ+xerK6sryVz52eyDeLN1wWrlqebHPujOiU=; b=JPiwXxHJtUPl2e3VV+pRtsVyLYB8C0SiRIeqxQyq9lS7rKkmdUlA6+7pX9Muxkgo5b AWCIVFlVq0fzCtyQS9ef6py5gEtZRWxvl4LXGbrorwkwBa3t+2oohav5e0K8zZqumDjf fewhMU4Fc3Hf3NcGo20Oit5dCrcYn4Ik6zmNPTMeVSW2rsr8HZX5XT85AzEcXM0F4w61 sYNw3XaRq6uajuYS3qEYm5qcWoljOxf3aqUVHgFa2VKpO8jsjAW8r3ffDMgDDmZ4XesW zPtI81b0ZBQkFHcfgnfCuNFIrnodiOebzusr9j6R7E+2qo+nWYOX6WHgzD5xNzbcBSCe dPOw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f47si10847462ede.263.2019.10.13.13.02.04; Sun, 13 Oct 2019 13:02:28 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729495AbfJMT7w (ORCPT + 99 others); Sun, 13 Oct 2019 15:59:52 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:35148 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727492AbfJMT7w (ORCPT ); Sun, 13 Oct 2019 15:59:52 -0400 Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92.2 #3 (Red Hat Linux)) id 1iJk1t-0000Qd-LD; Sun, 13 Oct 2019 19:59:49 +0000 Date: Sun, 13 Oct 2019 20:59:49 +0100 From: Al Viro To: Linus Torvalds Cc: Guenter Roeck , Linux Kernel Mailing List , linux-fsdevel Subject: Re: [PATCH] Convert filldir[64]() from __put_user() to unsafe_put_user() Message-ID: <20191013195949.GM26530@ZenIV.linux.org.uk> References: <20191010195504.GI26530@ZenIV.linux.org.uk> <20191011001104.GJ26530@ZenIV.linux.org.uk> <20191013181333.GK26530@ZenIV.linux.org.uk> <20191013191050.GL26530@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.12.1 (2019-06-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Oct 13, 2019 at 12:22:38PM -0700, Linus Torvalds wrote: > On Sun, Oct 13, 2019 at 12:10 PM Al Viro wrote: > > > > No arguments re put_user_ex side of things... Below is a completely > > untested patch for get_user_ex elimination (it seems to build, but that's > > it); in any case, I would really like to see comments from x86 folks > > before it goes anywhere. > > Please don't do this: > > > + if (unlikely(__copy_from_user(&sc, usc, sizeof(sc)))) > > + goto Efault; > > Why would you use __copy_from_user()? Just don't. > > > + if (unlikely(__copy_from_user(&v, user_vm86, > > + offsetof(struct vm86_struct, int_revectored)))) > > Same here. > > There's no excuse for __copy_from_user(). Probably... Said that, vm86 one is preceded by if (!access_ok(user_vm86, plus ? sizeof(struct vm86_struct) : sizeof(struct vm86plus_struct))) return -EFAULT; so I didn't want to bother. We'll need to eliminate most of access_ok() anyway, and I figured that conversion to plain copy_from_user() would go there as well. Again, this is not a patch submission - just an illustration of what I meant re getting rid of get_user_ex(). IOW, the whole thing is still in the plotting stage. Re plotting: how strongly would you object against passing the range to user_access_end()? Powerpc folks have a very close analogue of stac/clac, currently buried inside their __get_user()/__put_user()/etc. - the same places where x86 does, including futex.h and friends. And there it's even costlier than on x86. It would obviously be nice to lift it at least out of unsafe_get_user()/unsafe_put_user() and move into user_access_begin()/user_access_end(); unfortunately, in one subarchitecture they really want it the range on the user_access_end() side as well. That's obviously not fatal (they can bloody well save those into thread_info at user_access_begin()), but right now we have relatively few user_access_end() callers, so the interface changes are still possible. Other architectures with similar stuff are riscv (no arguments, same as for stac/clac), arm (uaccess_save_and_enable() on the way in, return value passed to uaccess_restore() on the way out) and s390 (similar to arm, but there it's needed only to deal with nesting, and I'm not sure it actually can happen). It would be nice to settle the API while there are not too many users outside of arch/x86; changing it later will be a PITA and we definitely have architectures that do potentially costly things around the userland memory access; user_access_begin()/user_access_end() is in the right place to try and see if they fit there...