From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Laight Subject: RE: [RFC] raw_copy_from_user() semantics Date: Wed, 22 Jul 2020 13:14:21 +0000 Message-ID: <8fde1b9044a34ff59eb5ff3dafbf2b97@AcuMS.aculab.com> References: <20200719031733.GI2786714@ZenIV.linux.org.uk> <20200722113707.GC27540@gaia> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT Return-path: In-Reply-To: <20200722113707.GC27540@gaia> Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org To: 'Catalin Marinas' , Linus Torvalds Cc: Al Viro , linux-arch , Linux Kernel Mailing List List-Id: linux-arch.vger.kernel.org From: Catalin Marinas > Sent: 22 July 2020 12:37 > > On Sun, Jul 19, 2020 at 12:34:11PM -0700, Linus Torvalds wrote: > > On Sun, Jul 19, 2020 at 12:28 PM Linus Torvalds > > wrote: > > > I think we should try to get rid of the exact semantics. > > > > Side note: I think one of the historical reasons for the exact > > semantics was that we used to do things like the mount option copying > > with a "copy_from_user()" iirc. > > > > And that could take a fault at the end of the stack etc, because > > "copy_mount_options()" is nasty and doesn't get a size, and just > > copies "up to 4kB" of data. > > > > It's a mistake in the interface, but it is what it is. But we've > > always handled the inexact count there anyway by originally doing byte > > accesses, and at some point you optimized it to just look at where > > page boundaries might be.. > > And we may have to change this again since, with arm64 MTE, the page > boundary check is insufficient: > > https://lore.kernel.org/linux-fsdevel/20200715170844.30064-25-catalin.marinas@arm.com/ > > While currently the fault path is unlikely to trigger, with MTE in user > space it's a lot more likely since the buffer (e.g. a string) is > normally less than 4K and the adjacent addresses would have a different > colour. > > I looked (though briefly) into passing the copy_from_user() problem to > filesystems that would presumably know better how much to copy. In most > cases the options are string, so something like strncpy_from_user() > would work. For mount options as binary blobs (IIUC btrfs) maybe the fs > has a better way to figure out how much to copy. What about changing the mount code to loop calling get_user() to read aligned words until failure? Mount is fairly uncommon and the extra cost is probably small compared to the rest of doing a mount. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales) From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from eu-smtp-delivery-151.mimecast.com ([207.82.80.151]:21295 "EHLO eu-smtp-delivery-151.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725878AbgGVNO1 (ORCPT ); Wed, 22 Jul 2020 09:14:27 -0400 From: David Laight Subject: RE: [RFC] raw_copy_from_user() semantics Date: Wed, 22 Jul 2020 13:14:21 +0000 Message-ID: <8fde1b9044a34ff59eb5ff3dafbf2b97@AcuMS.aculab.com> References: <20200719031733.GI2786714@ZenIV.linux.org.uk> <20200722113707.GC27540@gaia> In-Reply-To: <20200722113707.GC27540@gaia> Content-Language: en-US MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT Sender: linux-arch-owner@vger.kernel.org List-ID: To: 'Catalin Marinas' , Linus Torvalds Cc: Al Viro , linux-arch , Linux Kernel Mailing List Message-ID: <20200722131421.asmiSmmT5puaXny7H0XB3dQ2J8B5nKUJu4KAuGw94WI@z> From: Catalin Marinas > Sent: 22 July 2020 12:37 > > On Sun, Jul 19, 2020 at 12:34:11PM -0700, Linus Torvalds wrote: > > On Sun, Jul 19, 2020 at 12:28 PM Linus Torvalds > > wrote: > > > I think we should try to get rid of the exact semantics. > > > > Side note: I think one of the historical reasons for the exact > > semantics was that we used to do things like the mount option copying > > with a "copy_from_user()" iirc. > > > > And that could take a fault at the end of the stack etc, because > > "copy_mount_options()" is nasty and doesn't get a size, and just > > copies "up to 4kB" of data. > > > > It's a mistake in the interface, but it is what it is. But we've > > always handled the inexact count there anyway by originally doing byte > > accesses, and at some point you optimized it to just look at where > > page boundaries might be.. > > And we may have to change this again since, with arm64 MTE, the page > boundary check is insufficient: > > https://lore.kernel.org/linux-fsdevel/20200715170844.30064-25-catalin.marinas@arm.com/ > > While currently the fault path is unlikely to trigger, with MTE in user > space it's a lot more likely since the buffer (e.g. a string) is > normally less than 4K and the adjacent addresses would have a different > colour. > > I looked (though briefly) into passing the copy_from_user() problem to > filesystems that would presumably know better how much to copy. In most > cases the options are string, so something like strncpy_from_user() > would work. For mount options as binary blobs (IIUC btrfs) maybe the fs > has a better way to figure out how much to copy. What about changing the mount code to loop calling get_user() to read aligned words until failure? Mount is fairly uncommon and the extra cost is probably small compared to the rest of doing a mount. David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)