Date: Tue, 15 Oct 2019 19:08:46 +0100
From: Al Viro
To: Linus Torvalds
Cc: Guenter Roeck, Linux Kernel Mailing List, linux-fsdevel, Thomas Gleixner, Ingo Molnar, Peter Zijlstra, Darren Hart, linux-arch@vger.kernel.org
Subject: Re: [PATCH] Convert filldir[64]() from __put_user() to unsafe_put_user()
Message-ID: <20191015180846.GA31707@ZenIV.linux.org.uk>

[futex folks and linux-arch Cc'd]

On Sun, Oct 13, 2019 at 08:59:49PM +0100, Al Viro wrote:

> Re plotting: how strongly would you object against passing the range to
> user_access_end()? Powerpc folks have a very close analogue of stac/clac,
> currently buried inside their __get_user()/__put_user()/etc. - the same
> places where x86 does, including futex.h and friends.
>
> And there it's even costlier than on x86. It would obviously be nice
> to lift it at least out of unsafe_get_user()/unsafe_put_user() and
> move into user_access_begin()/user_access_end(); unfortunately, in
> one subarchitecture they really want the range on the user_access_end()
> side as well. That's obviously not fatal (they can bloody well save those
> into thread_info at user_access_begin()), but right now we have relatively
> few user_access_end() callers, so the interface changes are still possible.
>
> Other architectures with similar stuff are riscv (no arguments, same
> as for stac/clac), arm (uaccess_save_and_enable() on the way in,
> return value passed to uaccess_restore() on the way out) and s390
> (similar to arm, but there it's needed only to deal with nesting,
> and I'm not sure it actually can happen).
>
> It would be nice to settle the API while there are not too many users
> outside of arch/x86; changing it later will be a PITA and we definitely
> have architectures that do potentially costly things around the userland
> memory access; user_access_begin()/user_access_end() is in the right
> place to try and see if they fit there...

Another question: right now we have

	if (!access_ok(uaddr, sizeof(u32)))
		return -EFAULT;

	ret = arch_futex_atomic_op_inuser(op, oparg, &oldval, uaddr);
	if (ret)
		return ret;

in kernel/futex.c. Would there be any objections to moving access_ok()
inside the instances and moving pagefault_disable()/pagefault_enable() outside?

Reasons:

* on x86 that would allow folding access_ok() with STAC into
  user_access_begin(). The same would be doable on other usual suspects
  (arm, arm64, ppc, riscv, s390), bringing access_ok() next to their
  STAC counterparts.
* pagefault_disable()/pagefault_enable() pair is universal on all
  architectures, really meant to by the nature of the beast and
  lifting it into kernel/futex.c would get the same situation as with
  futex_atomic_cmpxchg_inatomic(). Which also does access_ok() inside
  the primitive (also foldable into user_access_begin(), at that).
* access_ok() would be closer to actual memory access (and out of
  the generic code).

Comments?
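
The layout proposed in the message above, sketched as a userspace model. This is an added example, not kernel code and not from the thread: every `model_*` name, the simulated memory and the add operation are assumptions made for illustration, and `uaddr` is assumed 4-byte aligned.

```c
/* Userspace model only; nothing here is a kernel API. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

#define MODEL_TASK_SIZE 0x1000u	/* constructed: size of the simulated user range */

static uint32_t model_user_mem[MODEL_TASK_SIZE / 4];	/* simulated userland */
static int model_uaccess_open;	/* stands in for the STAC/CLAC state */
static int model_pf_disabled;	/* stands in for the pagefault_disable() depth */

/* Overflow-safe range check: [uaddr, uaddr + size) must fit below the limit. */
static int model_access_ok(uintptr_t uaddr, size_t size)
{
	return size <= MODEL_TASK_SIZE && uaddr <= MODEL_TASK_SIZE - size;
}

/* Range check folded together with opening the access window. */
static int model_user_access_begin(uintptr_t uaddr, size_t size)
{
	if (!model_access_ok(uaddr, size))
		return 0;	/* window never opens for a bad range */
	model_uaccess_open = 1;
	return 1;
}

static void model_user_access_end(void)
{
	model_uaccess_open = 0;
}

/* The "instance": the check now sits right next to the memory access. */
static int model_arch_futex_add(uint32_t oparg, uint32_t *oldval, uintptr_t uaddr)
{
	if (!model_user_access_begin(uaddr, sizeof(uint32_t)))
		return -EFAULT;
	*oldval = model_user_mem[uaddr / 4];
	model_user_mem[uaddr / 4] = *oldval + oparg;
	model_user_access_end();
	return 0;
}

/* Generic caller: no range check here, only the pagefault bracket. */
static int model_futex_op(uint32_t oparg, uint32_t *oldval, uintptr_t uaddr)
{
	int ret;

	model_pf_disabled++;
	ret = model_arch_futex_add(oparg, oldval, uaddr);
	model_pf_disabled--;
	return ret;
}
```
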