Date: Tue, 5 Dec 2023 14:45:35 +0100
Subject: Re: [PATCH v4] tee: Use iov_iter to better support shared buffer registration
From: Arnaud POULIQUEN
Organization: STMicroelectronics
To: Sumit Garg
CC: Jens Axboe, Al Viro, Jens Wiklander, Christoph Hellwig
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Sumit,

On 12/5/23 13:07, Sumit Garg wrote:
> Hi Arnaud,
>
> On Mon, 4 Dec 2023 at 22:32, Arnaud POULIQUEN wrote:
>>
>> Hi,
>>
>> On 12/4/23 17:40, Jens Axboe wrote:
>>> On 12/4/23 9:36 AM, Jens Axboe wrote:
>>>> On 12/4/23 5:42 AM, Sumit Garg wrote:
>>>>> IMO, access_ok() should be the first thing that import_ubuf() or
>>>>> import_single_range() should do, something as follows:
>>>>>
>>>>> diff --git a/lib/iov_iter.c b/lib/iov_iter.c >>>>> index 8ff6824a1005..4aee0371824c 100644 >>>>> --- a/lib/iov_iter.c >>>>> +++ b/lib/iov_iter.c
>>>>> @@ -1384,10 +1384,10 @@ EXPORT_SYMBOL(import_single_range); >>>>> >>>>> int import_ubuf(int rw, void __user *buf, size_t len, struct iov_iter *i) >>>>> { >>>>> - if (len > MAX_RW_COUNT) >>>>> - len = MAX_RW_COUNT; >>>>> if (unlikely(!access_ok(buf, len))) >>>>> return -EFAULT; >>>>> + if (len > MAX_RW_COUNT) >>>>> + len = MAX_RW_COUNT; >>>>> >>>>> iov_iter_ubuf(i, rw, buf, len); >>>>> return 0;
>>>>>
>>>>> Jens A., Al Viro,
>>>>>
>>>>> Was there any particular reason which I am unaware of to perform
>>>>> access_ok() check on modified input length?
>>>>
>>>> This change makes sense to me, and seems consistent with what is done
>>>> elsewhere too.
>>>
>>> For some reason I missed import_single_range(), which does it the same
>>> way as import_ubuf() currently does - cap the range before the
>>> access_ok() check. The vec variants sum as they go, but access_ok()
>>> before the range.
>>>
>>> I think part of the issue here is that the single range imports return 0
>>> for success and -ERROR otherwise. This means that the caller does not
>>> know if the full range was imported or not. OTOH, we always cap any data
>>> transfer at MAX_RW_COUNT, so may make more sense to fix up the caller
>>> here.
>>>
>>
>> Should we limit to MAX_RW_COUNT or return an error?
>> Seems to me that limiting could generate side effect later that could be not
>> simple to debug.
>>
>>
>>>>> int import_ubuf(int rw, void __user *buf, size_t len, struct iov_iter *i) >>>>> { >>>>> - if (len > MAX_RW_COUNT) >>>>> + return -EFAULT; >>>>> if (unlikely(!access_ok(buf, len))) >>>>> return -EFAULT; >>>>> >>>>> iov_iter_ubuf(i, rw, buf, len); >>>>> return 0;
>>
>> or perhaps just remove the test as __access_ok() already tests that the
>> size < TASK_SIZE
>>
>> https://elixir.bootlin.com/linux/v6.7-rc4/source/include/asm-generic/access_ok.h#L31
>>
>
> It looks like there are predefined constraints for using import_ubuf()
> which doesn't properly match our needs.
> So let's directly use:
> iov_iter_ubuf() instead.

Yes, this seems a safer alternative. I will send a new version based on it.

Thanks,
Arnaud

>
> -Sumit
>
>>
>> Thanks,
>> Arnaud
>>
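
Review bot: in the quoted lib/iov_iter.c hunk for import_ubuf(), the clamp that now follows access_ok() still shortens len to MAX_RW_COUNT and the function still returns 0, so a caller cannot tell that only part of its buffer was imported. The reordering also turns a request that used to be silently truncated into -EFAULT whenever the full, unclamped range fails access_ok(). Suggest stating that behaviour change in the commit message and in a comment above the function, and applying the same ordering to import_single_range(), which the thread notes caps the range before the check in the same way.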
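
Review bot: in the second quoted variant of import_ubuf(), the `-` on `if (len > MAX_RW_COUNT)` combined with `+ return -EFAULT;` drops the condition and leaves the return unconditional, so the access_ok() check and the iov_iter_ubuf() call below it are unreachable as written. If the intent is to reject oversized lengths instead of capping them, keep the `if (len > MAX_RW_COUNT)` line as context and replace only its body with the return.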