From: Linus Torvalds
Date: Tue, 15 Oct 2019 12:00:34 -0700
Subject: Re: [PATCH] Convert filldir[64]() from __put_user() to unsafe_put_user()
To: Al Viro
Cc: Guenter Roeck, Linux Kernel Mailing List, linux-fsdevel, Thomas Gleixner, Ingo Molnar, Peter Zijlstra, Darren Hart, linux-arch
In-Reply-To: <20191015180846.GA31707@ZenIV.linux.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Oct 15, 2019 at 11:08 AM Al Viro wrote:
>
> Another question: right now we have
>         if (!access_ok(uaddr, sizeof(u32)))
>                 return -EFAULT;
>
>         ret = arch_futex_atomic_op_inuser(op, oparg, &oldval, uaddr);
>         if (ret)
>                 return ret;
> in kernel/futex.c.  Would there be any objections to moving access_ok()
> inside the instances and moving pagefault_disable()/pagefault_enable() outside?

I think we should remove all the "atomic" versions, and just make the
rule be that if you want atomic, you surround it with
pagefault_disable()/pagefault_enable().

That covers not just the futex ops (where "atomic" is actually
somewhat ambiguous - the ops themselves are atomic too, so the naming
might stay, although arguably the "futex" part makes that pointless
too), but also copy_to_user_inatomic() and the powerpc version of
__get_user_inatomic().

So we'd aim to get rid of all the "inatomic" ones entirely.

Same ultimately probably goes for the NMI versions. We should just
make it be a rule that we can use all of the user access functions
with pagefault_{dis,en}able() around them, and they'll be "safe" to
use in atomic context.

One issue with the NMI versions is that they actually want to avoid
the current value of set_fs().  So copy_from_user_nmi() (at least on
x86) is special in that it does

        if (__range_not_ok(from, n, TASK_SIZE))
                return n;

instead of access_ok() because of that issue.

NMI also has some other issues (nmi_uaccess_okay() on x86, at least),
but those *probably* could be handled at page fault time instead.

Anyway, NMI is so special that I'd suggest leaving it for later, but
the non-NMI atomic accesses I would suggest you clean up at the same
time.

I think the *only* reason we have the "inatomic()" versions is that
the regular ones do that "might_fault()" testing unconditionally, and
might_fault() _used_ to be just a might_sleep() - so it's not about
functionality per se, it's about "we have this sanity check that we
need to undo".

We've already made "might_fault()" look at pagefault_disabled(), so I
think a lot of the reasons for inatomic are entirely historical.

                Linus
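
The rule proposed in this message, shown as an added example that is not part of the original mail or of the kernel source: a userspace C model in which a single accessor serves every context and an atomic caller simply brackets it with pagefault_disable()/pagefault_enable(). Assumptions: struct upage, model_copy_from_user(), atomic_read() and the three counters are constructed stand-ins, and the functions carrying kernel names are simplified models of the behaviour the mail describes.

```c
/* Userspace model of the proposed rule; constructed stand-ins, not kernel code. */
#include <stdbool.h>
#include <string.h>

static int pf_depth;      /* models the pagefault_disable() nesting depth */
static bool atomic_ctx;   /* models "sleeping is not allowed here" */
static int sleep_splats;  /* counts would-be might_sleep() warnings */
static void pagefault_disable(void) { pf_depth++; }
static void pagefault_enable(void)  { pf_depth--; }
static bool pagefault_disabled(void) { return pf_depth != 0; }

/* The sanity check consults pagefault_disabled() before complaining. */
static void might_fault(void)
{
    if (!pagefault_disabled() && atomic_ctx)
        sleep_splats++;
}

struct upage { bool resident; unsigned char data[16]; };  /* hypothetical user page */
/* One accessor for every context; returns the number of bytes NOT copied. */
static size_t model_copy_from_user(void *to, struct upage *from, size_t n)
{
    might_fault();
    if (n > sizeof(from->data))
        return n;               /* stands in for the access_ok() range check */
    if (!from->resident) {
        if (pagefault_disabled())
            return n;           /* fault handler may not sleep: fail the copy */
        from->resident = true;  /* fault handler pages it in (may sleep) */
    }
    memcpy(to, from->data, n);
    return 0;
}

/* What an "inatomic" caller becomes: the regular accessor, bracketed. */
static size_t atomic_read(void *to, struct upage *from, size_t n)
{
    pagefault_disable();
    size_t left = model_copy_from_user(to, from, n);
    pagefault_enable();
    return left;
}

int main(void)
{
    struct upage pg = { .resident = false, .data = "futex" };
    unsigned char buf[8];
    atomic_ctx = true;  /* non-resident page, atomic caller: clean failure */
    return !(atomic_read(buf, &pg, 4) == 4 && sleep_splats == 0);
}
```

In the model, an unbracketed call from atomic context is the only path that increments sleep_splats, which is the sanity check the mail says the "inatomic" variants existed to avoid.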