Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp537627ybb; Sat, 28 Mar 2020 05:01:15 -0700 (PDT) X-Google-Smtp-Source: ADFU+vtL3EwSZ/NyrVA2UxVCRYF6bhYKn494gjTxSB48eDc6O4pK/V8lodrC/r0EX6shKfm3J+LE X-Received: by 2002:a05:6830:1313:: with SMTP id p19mr2516867otq.179.1585396875719; Sat, 28 Mar 2020 05:01:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585396875; cv=none; d=google.com; s=arc-20160816; b=QAuZxmmaWojKuKH5iCq3i5F9pzsZSx4wwGlkbBG6cTnWFADCRc8UPJKlPzGnl+kmSm AsyhTGiHliUHei3J5A82QTPM5mzgYHV2n18ODWsMpVgZ2rWlJgsZ1w/0830i+TaaIIYx EeiH2P690khkiSH/HpKbGTwDHk+NXrz/IByyDzOb5B+k6ZBCyxwICWDSjndauOYu6bTE 4bP6y7DrhYKzzhu/CzxU7BvA0yv4uNPT2VE/KCJ/OdyGZYTdGVREIiJOe6cfdOFyp79x pNru91QReaRvhGYkyJ7NmRSeJTYRzeJZti+fA0qZFIPM8fkWnwWq9oLXx+JzppcmMGKk qYog== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=/Cuc8vqGpuWZkNysZwJrIkcZrqQSpHoEqK82qjrpKvM=; b=L7lPT0MD3vJzF9t3m6BQxce+MF/qS9zLWEtp0agXVy9mjvZWx4RVb2nw5x2MJrj1e1 ULvbZNBAdH+E6BUYYF9NkYkuNyHIZHBTXP/nRp/FrU0iIRhMZSCEEblNr8K/9grt9D7y ob6FiUjIhNqMIA7VD9eLXMTofgYqJs2cwayCnfQIqUZRW8bXFRDFpiES+o0wVu+ZdzLh DqY9YEqVpkFuSNaEp4oqE9P8r3LLtQWzUlag47n2FL8wiunVymDWVpkg1aZMdKFM+nwc xVrrxbEQQahKmzSlrKN8AEdeMANL34paRdVaoWr9p5Y002BQlMHWp4YYwDSh0KoNy/Fa OCoA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id r6si3706905oti.159.2020.03.28.05.01.02; Sat, 28 Mar 2020 05:01:15 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726290AbgC1L7m (ORCPT + 99 others); Sat, 28 Mar 2020 07:59:42 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:44328 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726045AbgC1L7m (ORCPT ); Sat, 28 Mar 2020 07:59:42 -0400 Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1jIA7k-004fYk-2k; Sat, 28 Mar 2020 11:59:36 +0000 Date: Sat, 28 Mar 2020 11:59:36 +0000 From: Al Viro To: Ingo Molnar Cc: Linus Torvalds , Thomas Gleixner , x86@kernel.org, linux-kernel@vger.kernel.org, Borislav Petkov Subject: Re: [RFC][PATCH 01/22] x86 user stack frame reads: switch to explicit __get_user() Message-ID: <20200328115936.GA23230@ZenIV.linux.org.uk> References: <20200323183620.GD23230@ZenIV.linux.org.uk> <20200323183819.250124-1-viro@ZenIV.linux.org.uk> <20200328104857.GA93574@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200328104857.GA93574@gmail.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Mar 28, 2020 at 11:48:57AM +0100, Ingo Molnar wrote: > > * Al Viro wrote: > > > From: Al Viro > > > > rather than relying upon the magic in raw_copy_from_user() > > > - bytes = __copy_from_user_nmi(&frame.next_frame, fp, 4); > > - if (bytes != 0) > > + if (__get_user(frame.next_frame, &fp->next_frame)) > > break; > > - bytes = __copy_from_user_nmi(&frame.return_address, fp+4, 4); > > - if (bytes != 0) > > + if (__get_user(frame.return_address, &fp->return_address)) > > break; > > Just wondering about the long term plan here: we have unsafe_get_user() > as a wrapper around __get_user(), Not on x86; that wrapper is the fallback for architectures without non-trivial user_access_begin/user_access_end > but the __get_user() API doesn't carry > the 'unsafe' tag yet. > > Should we add an __unsafe_get_user() alias to it perhaps, and use it in > all code that adds it, like the chunk above? Or rename it to > __unsafe_get_user() outright? No change to the logic, but it would be > more obvious what code has inherited old __get_user() uses and which code > uses __unsafe_get_user() intentionally. > > Even after your series there's 700 uses of __get_user(), so it would make > sense to make a distinction in name at least and tag all unsafe APIs with > an 'unsafe_' prefix. "unsafe" != "lacks access_ok", it's "done under user_access_begin". And this series is just a part of much bigger pile. FWIW, with the currently linearized part I see 26 users in arch/x86 and 108 - outside of arch/*. With 43 of the latter supplied by the sodding comedi_compat32.c, which needs to be rewritten anyway (or git rm'ed, for that matter)... We'll get there; the tricky part is the ones that come in pair with something other than access_ok() in the first place (many of those are KVM-related, but not all such are). This part had been more about untangling uaccess_try stuff,,,