From: David Laight <david.laight.linux@gmail.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: LKML <linux-kernel@vger.kernel.org>,
	"Christophe Leroy" <christophe.leroy@csgroup.eu>,
	"Mathieu Desnoyers" <mathieu.desnoyers@efficios.com>,
	"Andrew Cooper" <andrew.cooper3@citrix.com>,
	"Linus Torvalds" <torvalds@linux-foundation.org>,
	"kernel test robot" <lkp@intel.com>,
	"Russell King" <linux@armlinux.org.uk>,
	linux-arm-kernel@lists.infradead.org, x86@kernel.org,
	"Madhavan Srinivasan" <maddy@linux.ibm.com>,
	"Michael Ellerman" <mpe@ellerman.id.au>,
	"Nicholas Piggin" <npiggin@gmail.com>,
	linuxppc-dev@lists.ozlabs.org, "Paul Walmsley" <pjw@kernel.org>,
	"Palmer Dabbelt" <palmer@dabbelt.com>,
	linux-riscv@lists.infradead.org,
	"Heiko Carstens" <hca@linux.ibm.com>,
	"Christian Borntraeger" <borntraeger@linux.ibm.com>,
	"Sven Schnelle" <svens@linux.ibm.com>,
	linux-s390@vger.kernel.org,
	"Julia Lawall" <Julia.Lawall@inria.fr>,
	"Nicolas Palix" <nicolas.palix@imag.fr>,
	"Peter Zijlstra" <peterz@infradead.org>,
	"Darren Hart" <dvhart@infradead.org>,
	"Davidlohr Bueso" <dave@stgolabs.net>,
	"André Almeida" <andrealmeid@igalia.com>,
	"Alexander Viro" <viro@zeniv.linux.org.uk>,
	"Christian Brauner" <brauner@kernel.org>,
	"Jan Kara" <jack@suse.cz>,
	linux-fsdevel@vger.kernel.org
Subject: Re: [patch V5 07/12] uaccess: Provide scoped user access regions
Date: Fri, 7 Nov 2025 19:17:53 +0000
Message-ID: <20251107191753.7433d2dc@pumpkin>
In-Reply-To: <20251027083745.546420421@linutronix.de>

On Mon, 27 Oct 2025 09:43:55 +0100 (CET)
Thomas Gleixner <tglx@linutronix.de> wrote:

> User space access regions are tedious and require similar code patterns all
> over the place:
...
> There have been issues with using the wrong user_*_access_end() variant in
> the error path and other typical Copy&Pasta problems, e.g. using the wrong
> fault label in the user accessor which ends up using the wrong access end
> variant.
> 
> These patterns beg for scopes with automatic cleanup. The resulting outcome
> is:
>     	scoped_user_read_access(from, Efault)
> 		unsafe_get_user(val, from, Efault);
> 	return 0;
>   Efault:
> 	return -EFAULT;
> 
> The scope guarantees the proper cleanup for the access mode is invoked both
> in the success and the failure (fault) path.
> 
...

The code doesn't work if the 'from' (above) is 'const foo __user *from',
due to assigning away constness.

The changes below fix the build; I suspect the code is then correct.

...
> +/* Define RW variant so the below _mode macro expansion works */
> +#define masked_user_rw_access_begin(u)	masked_user_access_begin(u)
> +#define user_rw_access_begin(u, s)	user_access_begin(u, s)
> +#define user_rw_access_end()		user_access_end()
> +
> +/* Scoped user access */
> +#define USER_ACCESS_GUARD(_mode)				\

#define USER_ACCESS_GUARD(_mode, void)
(but change all the void below to a different name...)

> +static __always_inline void __user *				\
> +class_user_##_mode##_begin(void __user *ptr)			\
> +{								\
> +	return ptr;						\
> +}								\
> +								\
> +static __always_inline void					\
> +class_user_##_mode##_end(void __user *ptr)			\
> +{								\
> +	user_##_mode##_access_end();				\
> +}								\
> +								\
> +DEFINE_CLASS(user_ ##_mode## _access, void __user *,		\
> +	     class_user_##_mode##_end(_T),			\
> +	     class_user_##_mode##_begin(ptr), void __user *ptr)	\
> +								\
> +static __always_inline class_user_##_mode##_access_t		\
> +class_user_##_mode##_access_ptr(void __user *scope)		\
> +{								\
> +	return scope;						\
> +}
> +
> +USER_ACCESS_GUARD(read)
> +USER_ACCESS_GUARD(write)
> +USER_ACCESS_GUARD(rw)

USER_ACCESS_GUARD(read, const void)
USER_ACCESS_GUARD(write, void)
USER_ACCESS_GUARD(rw, void)

> +#undef USER_ACCESS_GUARD
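
Review bot: class_user_##_mode##_begin(), class_user_##_mode##_end(), the DEFINE_CLASS() type and class_user_##_mode##_access_ptr() all hard-code 'void __user *' for every mode, so the read guard cannot accept a const-qualified user pointer without the qualifier being dropped on the way in. Letting the macro take the pointee type, so that the read variant uses 'const void __user *', keeps the read path const-correct. As a style point, the pasting in 'user_ ##_mode## _access' is spaced differently from 'class_user_##_mode##_end' a few lines above; one form throughout is easier to grep.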
...
> +#define __scoped_user_access(mode, uptr, size, elbl)					\
> +for (bool done = false; !done; done = true)						\
> +	for (void __user *_tmpptr = __scoped_user_access_begin(mode, uptr, size, elbl); \

	for (typeof(uptr) _tmpptr = ...

> +	     !done; done = true)							\
> +		for (CLASS(user_##mode##_access, scope)(_tmpptr); !done; done = true)	\
> +			/* Force modified pointer usage within the scope */		\
> +			for (const typeof(uptr) uptr = _tmpptr; !done; done = true)
> +
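
Review bot: the loop variables 'done', '_tmpptr' and 'scope' in __scoped_user_access() are fixed names, so a scope body that refers to a caller variable called 'done' or 'scope' silently gets the macro's variable instead; generated unique names would avoid the capture. '_tmpptr' is also declared 'void __user *' while the innermost loop already uses 'typeof(uptr)', so the two declarations disagree on qualifiers for a const pointer. Since the body sits inside these for loops, a 'break' or 'continue' written there binds to the macro's loops rather than to an enclosing loop in the caller, which deserves a comment at the macro.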

	David
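
Added example, not part of the original mail or of the kernel patch: a user-space model of the scoped read access, showing that with the temporary typed as typeof(uptr) and a 'const void *' guard, as suggested above, a const-qualified pointer passes through and the end handler runs exactly once on both the success and the fault path. All model_* names, struct sample and run_case() are hypothetical, and the GCC/Clang cleanup attribute and statement expressions are assumed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed user-space stand-ins for user_read_access_begin()/_end(). */
static int begins, ends;
static bool inject_fault;
static bool model_read_begin(const void *p) { if (!p) return false; begins++; return true; }
static void model_read_end(const void **scope) { (void)scope; ends++; }

/* Stand-in for unsafe_get_user(): jumps to the label on a simulated fault. */
#define model_unsafe_get(dst, src, elbl) \
	do { if (inject_fault) goto elbl; (dst) = *(src); } while (0)

/* _tmpptr keeps the caller's pointer type and the guard is const void *, so
 * a const-qualified pointer never has its qualifier assigned away. */
#define model_scoped_read_access(uptr, elbl)					\
for (bool done = false; !done; done = true)					\
	for (__typeof__(uptr) _tmpptr =						\
		({ if (!model_read_begin(uptr)) goto elbl; (uptr); });		\
	     !done; done = true)						\
		for (const void *scope __attribute__((cleanup(model_read_end)))	\
			= _tmpptr; !done; done = true)				\
			for (const __typeof__(uptr) uptr = _tmpptr; !done; done = true)

struct sample { int value; };
struct result { int ret, val, begins, ends; };

static int read_value(const struct sample *from, int *val)
{
	model_scoped_read_access(from, Efault)
		model_unsafe_get(*val, &from->value, Efault);
	return 0;
Efault:
	return -EFAULT;
}

/* Run one case on constructed input; report the begin/end call counts. */
struct result run_case(bool null_ptr, bool fault)
{
	static const struct sample constructed = { .value = 42 };
	struct result r = { .val = -1 };
	begins = ends = 0;
	inject_fault = fault;
	r.ret = read_value(null_ptr ? NULL : &constructed, &r.val);
	r.begins = begins;
	r.ends = ends;
	return r;
}
```

When begin itself fails (the NULL case here), the jump to the label happens before the guard exists, so no end call is made.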


