From: David Laight <david.laight.linux@gmail.com>
To: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	Linus Torvalds <torvalds@linux-foundation.org>
Cc: David Laight <david.laight.linux@gmail.com>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
	Arnd Bergmann <arnd@arndb.de>, Kees Cook <kees@kernel.org>
Subject: [PATCH 1/2] uaccess: Simplify code pattern for masked user copies
Date: Sun,  9 Feb 2025 10:55:59 +0000
Message-ID: <20250209105600.3388-2-david.laight.linux@gmail.com>
In-Reply-To: <20250209105600.3388-1-david.laight.linux@gmail.com>

Commit 2865baf54077a added 'user address masking' to avoid the
serialising instructions associated with access_ok() when using
unsafe_get_user().

However the code pattern required is non-trivial.
Add a new wrapper masked_user_read_access_begin() to simplify things.
Code can then be changed:
-		if (!user_read_access_begin(from, sizeof(*from)))
+		if (!masked_user_read_access_begin(&from, sizeof(*from)))
			return -EFAULT;
		unsafe_get_user(xxx, &from->xxx, Efault);
If address masking is supported the 'return -EFAULT' will never happen.

Add the matching masked_user_write_access_begin().
Although speculative accesses aren't an issue, it saves the conditional
branch.

Signed-off-by: David Laight <david.laight.linux@gmail.com>
---
 include/linux/uaccess.h | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index e9c702c1908d..5a55152c0010 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -33,6 +33,15 @@
 })
 #endif
 
+/*
+ * Architectures can reduce the cost of validating user addresses by
+ * defining masked_user_access_begin().
+ * It should convert any kernel address to the base of an unmapped
+ * page (eg that of a guard page between user and kernel addresses)
+ * and enable accesses to user memory.
+ * To avoid speculative accesses it should use ALU instructions
+ * (eg  a compare and conditional move).
+ */
 #ifdef masked_user_access_begin
  #define can_do_masked_user_access() 1
 #else
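
Review bot: the comment added above `#ifdef masked_user_access_begin` only specifies the kernel-address case and leaves the caller-visible contract open. It does not say that a valid user address must come back unchanged, and because a bad pointer is mapped to the base of a single unmapped page, it should also state how far past the returned pointer a caller may access before the fault is no longer guaranteed. Since the text says the primitive will "enable accesses to user memory", it is worth adding that the matching user_access_end() is still required on every path. Minor: there is a double space in "(eg  a compare".
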
@@ -41,6 +50,18 @@
  #define mask_user_address(src) (src)
 #endif
 
+#ifdef masked_user_access_begin
+#define masked_user_read_access_begin(from, size) \
+	((*(from) = masked_user_access_begin(*(from))), 1)
+#define masked_user_write_access_begin(from, size) \
+	((*(from) = masked_user_access_begin(*(from))), 1)
+#else
+#define masked_user_read_access_begin(from, size) \
+	user_read_access_begin(*(from), size)
+#define masked_user_write_access_begin(from, size) \
+	user_write_access_begin(*(from), size)
+#endif
+
 /*
  * Architectures should provide two primitives (raw_copy_{to,from}_user())
  * and get rid of their private instances of copy_{to,from}_user() and
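
Review bot: in the `#ifdef masked_user_access_begin` branch both new macros drop `size` entirely, so nothing bounds the access range when masking is in use, while the `#else` branch passes `size` on to user_read_access_begin()/user_write_access_begin(). Given that masking only guarantees the base of one unmapped page, please either document the maximum size callers may rely on or add a compile-time check for constant sizes, so that a large `size` cannot walk past the guard page unchecked. Two smaller points on the same lines: `from` is expanded twice in the masked branch (`*(from) = masked_user_access_begin(*(from))`) but once in the fallback, so an argument with side effects behaves differently per architecture; and the macros overwrite the caller's pointer through `from`, unlike user_read_access_begin() which takes the pointer by value, which deserves a comment at the definition. The new `#define` lines also lack the leading space used by the neighbouring ` #define` lines inside `#ifdef`.
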
-- 
2.39.5


Thread overview: 12+ messages
2025-02-09 10:55 [PATCH 0/2] uaccess: Add masked_user_read_access_begin David Laight
2025-02-09 10:55 ` David Laight [this message]
2025-02-09 17:40   ` [PATCH 1/2] uaccess: Simplify code pattern for masked user copies Linus Torvalds
2025-02-09 18:34     ` David Laight
2025-02-09 18:40       ` Linus Torvalds
2025-02-09 18:46         ` Linus Torvalds
2025-02-09 19:02           ` David Laight
2025-02-09 19:47     ` David Laight
2025-02-09 20:40       ` Linus Torvalds
2025-02-09 21:18         ` David Laight
2025-02-09 21:38           ` Linus Torvalds
2025-02-09 10:56 ` [PATCH 2/2] fs: Use masked_user_read_access_begin() David Laight
