Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1721884ybb;
        Sun, 29 Mar 2020 11:43:36 -0700 (PDT)
X-Google-Smtp-Source: ADFU+vteyHvod5ULQIQ0R1oPR6lmeJtxTHNzQLjl1Y58JxaAjQMietbnoyPFQ2jLi6WarmIcuFDj
X-Received: by 2002:a05:6830:8d:: with SMTP id a13mr6642664oto.321.1585507416184;
        Sun, 29 Mar 2020 11:43:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1585507416; cv=none;
        d=google.com; s=arc-20160816;
        b=xDT1JJcJgg143/Ffr5vdU4ZRIZ9y/YvHpkkTyOgertsRF71S+Zscg7x/RYIy8AQ+O7
         sBTp9mIzS8vyOyjfwm3xaXra4AeQKK2ewb37Rjm0TN8298ATej3TeBpSyIcfeQuqwTri
         9k4EscUtOB64op9XkAksg8L0wCK+z8PNbNJZQ+wgp31StBDcIs9whAmpqxZnYCH0jVyF
         Ak5N/aAGNlxdPscjVuRRnMABUd1F0shI9WA4ZKnb51B6n3XlmuVYQu0HAEl9x6Ag3RUb
         flGkNd/4Mjqejwow7zx1wslGlOqoX85EmS1LZyB6GOmPUq1d81zPfTQ5Sm0QoLl1IPrF
         ubKw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=+p2OwdEH3KOQt7UScUIEx2C+Hv3WCMmiopajHPvFEzc=;
        b=cFv0XiwBfhOkDLeZMUMO0r96w53z5zOQm3cEV6tlvK7jXnlfFqT30HNZQhQ8/XzHoE
         Akq0A+rdADC854og41q9QYmL5alSJj45CJNUKP8J21ax+KJ44seykAo58Fou2CIX8dcW
         Fsy3VrchN8lfnAosHYwvJu01p1Ju0Iz6UzJXcNCmMwzlgWYqkLX9BLmUf3RY8SKulsFG
         XH3Z2FMXr/71f/Ed5mKXKC8ecouwBOOLvBho6bhrsvy+Yub1nYU385WInpXoLckQQstb
         EEOEJMAtOfLmjbX39P+7+KqXZaii9rHydUKuV9gC0f2DQMFNuXpNxsyyvemoQcx7873H
         6B4A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linux-foundation.org header.s=google header.b="TEnX/1oG";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id l11si5463386oop.3.2020.03.29.11.43.22;
        Sun, 29 Mar 2020 11:43:36 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linux-foundation.org header.s=google header.b="TEnX/1oG";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727903AbgC2SQk (ORCPT <rfc822;sduhuangshuai@gmail.com>
        + 99 others); Sun, 29 Mar 2020 14:16:40 -0400
Received: from mail-lf1-f65.google.com ([209.85.167.65]:41710 "EHLO
        mail-lf1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727506AbgC2SQk (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 29 Mar 2020 14:16:40 -0400
Received: by mail-lf1-f65.google.com with SMTP id z23so12151619lfh.8
        for <linux-kernel@vger.kernel.org>; Sun, 29 Mar 2020 11:16:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linux-foundation.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=+p2OwdEH3KOQt7UScUIEx2C+Hv3WCMmiopajHPvFEzc=;
        b=TEnX/1oGd0WrxjO90s1W75xZ4j/3mxfYUZZqQ1cVXy0s5ncLrAPaNiD1TKrNAUIb7b
         1nj9qPlZrlGMa3Eern3Gq9aE89JzCVM/fFIYH9oxprYJTP2bPfnPWAnhKrwl1dYWg+ab
         t63T2jdrZaxiUjhSnoGBD7DiKOpaU6X7/VSkc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=+p2OwdEH3KOQt7UScUIEx2C+Hv3WCMmiopajHPvFEzc=;
        b=WBWVbipdsdmjmH/as2wkdTaHz3oe2APZMvwZ6D2ucfsyiKgT0xzx16aQVGI9p7Lvwc
         f1izWw3UfqDg2yDwj0rbJ36MZjO4ZepAPTNChPuwqA/Ez4mw6udbLuMFtG7wciqwjPmc
         xSXapiKfV2YOi+DzpnoP29l+QJy6X8570+T3xgghPts+2tJwqxi8ufVqBdDfhXhkCH+G
         WUsqtVTf4VUFi3j45PfRft2O1GBjhmwEpyi72JX9z4xt/NHdJhJP8ncvo8xd42GdyD9s
         DkHKoYq49B41l/7XhQ83j9HiTkMM5lGMS8+lbvhMOu5rG1mYj9UgtzbUcWlplQuNuaRY
         xivg==
X-Gm-Message-State: AGi0PuarIVfOIhbinqifLJRdZ+h3zK8ovHACKhzHGdz0fsuh6bO8NY/U
        j5Gc4bN0JDgM7DyTT79yW8A7qv5I5J0=
X-Received: by 2002:a19:4c44:: with SMTP id z65mr5953095lfa.203.1585505796419;
        Sun, 29 Mar 2020 11:16:36 -0700 (PDT)
Received: from mail-lf1-f48.google.com (mail-lf1-f48.google.com. [209.85.167.48])
        by smtp.gmail.com with ESMTPSA id v12sm5870697ljh.6.2020.03.29.11.16.35
        for <linux-kernel@vger.kernel.org>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Sun, 29 Mar 2020 11:16:35 -0700 (PDT)
Received: by mail-lf1-f48.google.com with SMTP id n20so12108694lfl.10
        for <linux-kernel@vger.kernel.org>; Sun, 29 Mar 2020 11:16:35 -0700 (PDT)
X-Received: by 2002:a19:7f96:: with SMTP id a144mr5872846lfd.31.1585505795085;
 Sun, 29 Mar 2020 11:16:35 -0700 (PDT)
MIME-Version: 1.0
References: <20200323183620.GD23230@ZenIV.linux.org.uk> <20200323183819.250124-1-viro@ZenIV.linux.org.uk>
 <20200328104857.GA93574@gmail.com> <20200328115936.GA23230@ZenIV.linux.org.uk>
 <20200329092602.GB93574@gmail.com> <CALCETrX=nXN14fqu-yEMGwwN-vdSz=-0C3gcOMucmxrCUpevdA@mail.gmail.com>
 <489c9af889954649b3453e350bab6464@AcuMS.aculab.com> <CAHk-=whDAxb+83gYCv4=-armoqXQXgzshaVCCe9dNXZb9G_CxQ@mail.gmail.com>
 <9352bc55302d4589aaf2461c7b85fb6b@AcuMS.aculab.com>
In-Reply-To: <9352bc55302d4589aaf2461c7b85fb6b@AcuMS.aculab.com>
From:   Linus Torvalds <torvalds@linux-foundation.org>
Date:   Sun, 29 Mar 2020 11:16:19 -0700
X-Gmail-Original-Message-ID: <CAHk-=wjEf+0sBkPFKWpYZK_ygS9=ig3KTZkDe5jkDj+v8i7B+w@mail.gmail.com>
Message-ID: <CAHk-=wjEf+0sBkPFKWpYZK_ygS9=ig3KTZkDe5jkDj+v8i7B+w@mail.gmail.com>
Subject: Re: [RFC][PATCH 01/22] x86 user stack frame reads: switch to explicit __get_user()
To:     David Laight <David.Laight@aculab.com>
Cc:     Andy Lutomirski <luto@amacapital.net>,
        Ingo Molnar <mingo@kernel.org>,
        Al Viro <viro@zeniv.linux.org.uk>,
        Thomas Gleixner <tglx@linutronix.de>, X86 ML <x86@kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Borislav Petkov <bp@alien8.de>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Mar 29, 2020 at 11:03 AM David Laight <David.Laight@aculab.com> wrote:
>
> > That's how get_user() already works.
> >
> > It is a polymorphic function (done using macros, sizeof() and ugly
> > compiler tricks) that generates a call, yes. But it's not a normal C
> > call. On x86-64, it returns the error code in %rax, and the value in
> > %rdx
>
> I must be mis-remembering the object code from last time
> I looked at it.

On an object code level, the end result actually almost looks like a
normal call, until you start looking at the exact register passing
details.

On a source level, it's anything but.

This is "get_user()" on x86:

  #define get_user(x, ptr)                                              \
  ({                                                                    \
        int __ret_gu;                                                   \
        register __inttype(*(ptr)) __val_gu asm("%"_ASM_DX);            \
        __chk_user_ptr(ptr);                                            \
        might_fault();                                                  \
        asm volatile("call __get_user_%P4"                              \
                     : "=a" (__ret_gu), "=r" (__val_gu),                \
                        ASM_CALL_CONSTRAINT                             \
                     : "0" (ptr), "i" (sizeof(*(ptr))));                \
        (x) = (__force __typeof__(*(ptr))) __val_gu;                    \
        __builtin_expect(__ret_gu, 0);                                  \
  })

and all it actually *generates* is that single "call" instruction, so
the only code you see from the above mess in the object file (assuming
you don't have debugging enabled that expands "might_fault()" into a
lot of checking code) is something like this:

        call __get_user_4

with the input address being in %rax (which is also the returning
error code), and the value of 'x' being in %rdx.

The above macro looks a bit messy, but that's actually hiding some of
the real complexity (that "__inttype()" thing is a mess of compiler
tricks in itself, as is the magical ASM_CALL_CONSTRAINT thing, along
with the magic that goes into a 64-bit return value on x86-32 which is
implicit in the magical register asm() definition).

The uaccess code is a lot of complex macros and inline functions to
make it all work well.

Al's uaccess cleanups (which should be in the next merge window) help
a _lot_. Not with the get_user() above (that is already about as
simple as it can get), but with a lot of the other crazy special cases
that we had grown over the years.

My current "unsafe_get_user() using clang and 'asm goto' with outpus"
patch is on top of Al's patches exactly because it was cleaner to do
with all of his cleanups.

But that magical asm-goto-with-outputs patch probably won't land
upstream for a couple of years.

I had the unsafe_put_user() patches to use 'asm goto' in a local
branch for almost three years before I made them official. See commit
a959dc88f9c8 ("Use __put_user_goto in __put_user_size() and
unsafe_put_user()") and notice how it has an author date of May, 2016,
but was only committed January 2019.

I basically waited until "asm goto" was something we could rely on
(and used for other reasons).

I suspect something very similar will happen with unsafe_get_user(). I
have a patch if people want to play with it, but right now it's a
"this relies on an unreleased version of clang to even work".

                      Linus