From: Linus Torvalds <torvalds@linux-foundation.org>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: Russell King - ARM Linux <linux@armlinux.org.uk>,
"linux-arch@vger.kernel.org" <linux-arch@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Richard Henderson <rth@twiddle.net>,
Will Deacon <will.deacon@arm.com>,
Haavard Skinnemoen <hskinnemoen@gmail.com>,
Vineet Gupta <vgupta@synopsys.com>,
Steven Miao <realmz6@gmail.com>,
Jesper Nilsson <jesper.nilsson@axis.com>,
Mark Salter <msalter@redhat.com>,
Yoshinori Sato <ysato@users.sourceforge.jp>,
Richard Kuo <rkuo@codeaurora.org>,
Tony Luck <tony.luck@intel.com>,
Geert Uytterhoeven <geert@linux-m68k.org>,
James Hogan <james.hogan@imgtec.com>,
Michal Simek <monstr@monstr.eu>,
David Howells <dhowells@redhat.com>,
Ley Foon Tan <lftan@altera.com>, Jonas Bonn <jonas@southpole>
Subject: Re: [RFC][CFT][PATCHSET v1] uaccess unification
Date: Thu, 30 Mar 2017 10:18:23 -0700 [thread overview]
Message-ID: <CA+55aFzsGSKzbQjWAPxFvc=HeXyr6stk1KsB-1xGCKALgazYuQ@mail.gmail.com> (raw)
In-Reply-To: <20170330164342.GR29622@ZenIV.linux.org.uk>
On Thu, Mar 30, 2017 at 9:43 AM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> On Thu, Mar 30, 2017 at 05:22:41PM +0100, Russell King - ARM Linux wrote:
> How would the following affect things?
>
> diff --git a/lib/iov_iter.c b/lib/iov_iter.c
> index e68604ae3ced..d24d338f0682 100644
> --- a/lib/iov_iter.c
> +++ b/lib/iov_iter.c
> @@ -184,7 +184,7 @@ static size_t copy_page_to_iter_iovec(struct page *page, size_t offset, size_t b
>
> kaddr = kmap(page);
> from = kaddr + offset;
> - left = __copy_to_user(buf, from, copy);
> + left = __copy_to_user_inatomic(buf, from, copy);
This is all going in the wrong direction entirely.
That "__copy_to_user()" code was bad from the beginning: it should
never have had the double underscores. I objected to it at the time.
Now you're making it go from bad to insane. You're apparently
mis-using "inatomic" because of subtle issues that have nothing to do
with "inatomic" - you want to get rid of a might_sleep() warning, but
you don't actuially want inatomic behavior, so the thing will still
sleep.
This all very subtle already depends on people having checked the
"struct iov_iter" beforehand. We should *remove* subtle stuff like
that, not add yet more layers of subtlety and possible future bugs
when somebody calls copy_page_to_iter() without having properly
validated the iter.
These are not theoretical issues. We've _had_ these exact bugs when
people didn't validate the stuff they created by hand and bypassed the
normal IO paths.
Trying to optimize away an access_ok() or a might_fault() is *not* a
valid reason to completely break our security model, and create code
that makes no sense (claiming it is atomic when it isn't).
Linus
WARNING: multiple messages have this Message-ID (diff)
From: Linus Torvalds <torvalds@linux-foundation.org>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: Russell King - ARM Linux <linux@armlinux.org.uk>,
"linux-arch@vger.kernel.org" <linux-arch@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Richard Henderson <rth@twiddle.net>,
Will Deacon <will.deacon@arm.com>,
Haavard Skinnemoen <hskinnemoen@gmail.com>,
Vineet Gupta <vgupta@synopsys.com>,
Steven Miao <realmz6@gmail.com>,
Jesper Nilsson <jesper.nilsson@axis.com>,
Mark Salter <msalter@redhat.com>,
Yoshinori Sato <ysato@users.sourceforge.jp>,
Richard Kuo <rkuo@codeaurora.org>,
Tony Luck <tony.luck@intel.com>,
Geert Uytterhoeven <geert@linux-m68k.org>,
James Hogan <james.hogan@imgtec.com>,
Michal Simek <monstr@monstr.eu>,
David Howells <dhowells@redhat.com>,
Ley Foon Tan <lftan@altera.com>, Jonas Bonn <jonas@southpole.se>,
Helge Deller <deller@gmx.de>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Ralf Baechle <ralf@linux-mips.org>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Chen Liqin <liqin.linux@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Chris Metcalf <cmetcalf@mellanox.com>,
Richard Weinberger <richard@nod.at>,
Guan Xuetao <gxt@mprc.pku.edu.cn>,
Thomas Gleixner <tglx@linutronix.de>,
Chris Zankel <chris@zankel.net>
Subject: Re: [RFC][CFT][PATCHSET v1] uaccess unification
Date: Thu, 30 Mar 2017 10:18:23 -0700 [thread overview]
Message-ID: <CA+55aFzsGSKzbQjWAPxFvc=HeXyr6stk1KsB-1xGCKALgazYuQ@mail.gmail.com> (raw)
Message-ID: <20170330171823.07rUF4KJNE0saD5jIPswBsgTUIF3XqXSNbWD6tHNvA0@z> (raw)
In-Reply-To: <20170330164342.GR29622@ZenIV.linux.org.uk>
On Thu, Mar 30, 2017 at 9:43 AM, Al Viro <viro@zeniv.linux.org.uk> wrote:
> On Thu, Mar 30, 2017 at 05:22:41PM +0100, Russell King - ARM Linux wrote:
> How would the following affect things?
>
> diff --git a/lib/iov_iter.c b/lib/iov_iter.c
> index e68604ae3ced..d24d338f0682 100644
> --- a/lib/iov_iter.c
> +++ b/lib/iov_iter.c
> @@ -184,7 +184,7 @@ static size_t copy_page_to_iter_iovec(struct page *page, size_t offset, size_t b
>
> kaddr = kmap(page);
> from = kaddr + offset;
> - left = __copy_to_user(buf, from, copy);
> + left = __copy_to_user_inatomic(buf, from, copy);
This is all going in the wrong direction entirely.
That "__copy_to_user()" code was bad from the beginning: it should
never have had the double underscores. I objected to it at the time.
Now you're making it go from bad to insane. You're apparently
mis-using "inatomic" because of subtle issues that have nothing to do
with "inatomic" - you want to get rid of a might_sleep() warning, but
you don't actuially want inatomic behavior, so the thing will still
sleep.
This all very subtle already depends on people having checked the
"struct iov_iter" beforehand. We should *remove* subtle stuff like
that, not add yet more layers of subtlety and possible future bugs
when somebody calls copy_page_to_iter() without having properly
validated the iter.
These are not theoretical issues. We've _had_ these exact bugs when
people didn't validate the stuff they created by hand and bypassed the
normal IO paths.
Trying to optimize away an access_ok() or a might_fault() is *not* a
valid reason to completely break our security model, and create code
that makes no sense (claiming it is atomic when it isn't).
Linus
next prev parent reply other threads:[~2017-03-30 17:18 UTC|newest]
Thread overview: 79+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-29 5:57 [RFC][CFT][PATCHSET v1] uaccess unification Al Viro
2017-03-29 5:57 ` Al Viro
2017-03-29 20:08 ` Vineet Gupta
2017-03-29 20:08 ` Vineet Gupta
2017-03-29 20:29 ` Al Viro
2017-03-29 20:29 ` Al Viro
2017-03-29 20:37 ` Linus Torvalds
2017-03-29 20:37 ` Linus Torvalds
2017-03-29 21:03 ` Al Viro
2017-03-29 21:03 ` Al Viro
2017-03-29 21:24 ` Linus Torvalds
2017-03-29 21:24 ` Linus Torvalds
2017-03-29 23:09 ` Al Viro
2017-03-29 23:09 ` Al Viro
2017-03-29 23:43 ` Linus Torvalds
2017-03-29 23:43 ` Linus Torvalds
2017-03-30 15:31 ` Al Viro
2017-03-30 15:31 ` Al Viro
2017-03-29 21:14 ` Vineet Gupta
2017-03-29 21:14 ` Vineet Gupta
2017-03-29 23:42 ` Al Viro
2017-03-29 23:42 ` Al Viro
2017-03-30 0:02 ` Vineet Gupta
2017-03-30 0:02 ` Vineet Gupta
2017-03-30 0:27 ` Linus Torvalds
2017-03-30 0:27 ` Linus Torvalds
2017-03-30 1:15 ` Al Viro
2017-03-30 1:15 ` Al Viro
2017-03-30 20:40 ` Vineet Gupta
2017-03-30 20:40 ` Vineet Gupta
2017-03-30 20:59 ` Linus Torvalds
2017-03-30 20:59 ` Linus Torvalds
2017-03-30 23:21 ` Russell King - ARM Linux
2017-03-30 23:21 ` Russell King - ARM Linux
2017-03-30 12:32 ` Martin Schwidefsky
2017-03-30 12:32 ` Martin Schwidefsky
2017-03-30 14:48 ` Al Viro
2017-03-30 14:48 ` Al Viro
2017-03-30 16:22 ` Russell King - ARM Linux
2017-03-30 16:22 ` Russell King - ARM Linux
2017-03-30 16:43 ` Al Viro
2017-03-30 16:43 ` Al Viro
2017-03-30 17:18 ` Linus Torvalds [this message]
2017-03-30 17:18 ` Linus Torvalds
2017-03-30 18:48 ` Al Viro
2017-03-30 18:48 ` Al Viro
2017-03-30 18:54 ` Al Viro
2017-03-30 18:54 ` Al Viro
2017-03-30 18:59 ` Linus Torvalds
2017-03-30 18:59 ` Linus Torvalds
2017-03-30 19:10 ` Al Viro
2017-03-30 19:10 ` Al Viro
2017-03-30 19:19 ` Linus Torvalds
2017-03-30 19:19 ` Linus Torvalds
2017-03-30 21:08 ` Al Viro
2017-03-30 21:08 ` Al Viro
2017-03-30 18:56 ` Linus Torvalds
2017-03-30 18:56 ` Linus Torvalds
2017-03-31 0:21 ` Kees Cook
2017-03-31 0:21 ` Kees Cook
2017-03-31 13:38 ` James Hogan
2017-03-31 13:38 ` James Hogan
2017-04-03 16:27 ` James Morse
2017-04-03 16:27 ` James Morse
2017-04-04 20:26 ` Max Filippov
2017-04-04 20:26 ` Max Filippov
2017-04-04 20:52 ` Al Viro
2017-04-04 20:52 ` Al Viro
2017-04-05 5:05 ` ia64 exceptions (Re: [RFC][CFT][PATCHSET v1] uaccess unification) Al Viro
2017-04-05 8:08 ` Al Viro
2017-04-05 8:08 ` Al Viro
2017-04-05 18:44 ` Tony Luck
2017-04-05 18:44 ` Tony Luck
2017-04-05 20:33 ` Al Viro
2017-04-05 20:33 ` Al Viro
2017-04-07 0:24 ` [RFC][CFT][PATCHSET v2] uaccess unification Al Viro
2017-04-07 0:24 ` Al Viro
2017-04-07 0:35 ` Al Viro
2017-04-07 0:35 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CA+55aFzsGSKzbQjWAPxFvc=HeXyr6stk1KsB-1xGCKALgazYuQ@mail.gmail.com' \
--to=torvalds@linux-foundation.org \
--cc=dhowells@redhat.com \
--cc=geert@linux-m68k.org \
--cc=hskinnemoen@gmail.com \
--cc=james.hogan@imgtec.com \
--cc=jesper.nilsson@axis.com \
--cc=jonas@southpole \
--cc=lftan@altera.com \
--cc=linux-arch@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=monstr@monstr.eu \
--cc=msalter@redhat.com \
--cc=realmz6@gmail.com \
--cc=rkuo@codeaurora.org \
--cc=rth@twiddle.net \
--cc=tony.luck@intel.com \
--cc=vgupta@synopsys.com \
--cc=viro@zeniv.linux.org.uk \
--cc=will.deacon@arm.com \
--cc=ysato@users.sourceforge.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).