[PATCH for 4.18 2/6] rseq: use get_user/put_user rather than __get_user/__put_user

[PATCH for 4.18 2/6] rseq: use get_user/put_user rather than __get_user/__put_user

[Mathieu Desnoyers]

In preparation to use __u64 for the rseq_cs pointer field, 32-bit
architectures need to read this 64-bit value located in user-space
addresses.

__get_user is used to read this value, given that its access check has
already been performed with access_ok() on rseq registration.

arm does not implement 8-byte __get_user. Rather than trying to
improve __get_user on ARM, use get_user/put_user across rseq instead.

If those end up showing up in benchmarks, the proper approach would be to
use user_access_begin() / unsafe_get/put_user() / user_access_end()
anyway.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
CC: Thomas Gleixner <tglx@linutronix.de>
Cc: Joel Fernandes <joelaf@google.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Dave Watson <davejwatson@fb.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Chris Lameter <cl@linux.com>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Andrew Hunter <ahh@google.com>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: "Paul E . McKenney" <paulmck@linux.vnet.ibm.com>
Cc: Paul Turner <pjt@google.com>
Cc: Boqun Feng <boqun.feng@gmail.com>
Cc: Josh Triplett <josh@joshtriplett.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Ben Maurer <bmaurer@fb.com>
Cc: linux-api at vger.kernel.org
CC: linux-arm-kernel at lists.infradead.org
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
---
 kernel/rseq.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/kernel/rseq.c b/kernel/rseq.c
index 16b38c5342f9..2c8463acb50d 100644
--- a/kernel/rseq.c
+++ b/kernel/rseq.c
@@ -85,9 +85,9 @@ static int rseq_update_cpu_id(struct task_struct *t)
 {
 	u32 cpu_id = raw_smp_processor_id();
 
-	if (__put_user(cpu_id, &t->rseq->cpu_id_start))
+	if (put_user(cpu_id, &t->rseq->cpu_id_start))
 		return -EFAULT;
-	if (__put_user(cpu_id, &t->rseq->cpu_id))
+	if (put_user(cpu_id, &t->rseq->cpu_id))
 		return -EFAULT;
 	trace_rseq_update(t);
 	return 0;
@@ -100,14 +100,14 @@ static int rseq_reset_rseq_cpu_id(struct task_struct *t)
 	/*
 	 * Reset cpu_id_start to its initial state (0).
 	 */
-	if (__put_user(cpu_id_start, &t->rseq->cpu_id_start))
+	if (put_user(cpu_id_start, &t->rseq->cpu_id_start))
 		return -EFAULT;
 	/*
 	 * Reset cpu_id to RSEQ_CPU_ID_UNINITIALIZED, so any user coming
 	 * in after unregistration can figure out that rseq needs to be
 	 * registered again.
 	 */
-	if (__put_user(cpu_id, &t->rseq->cpu_id))
+	if (put_user(cpu_id, &t->rseq->cpu_id))
 		return -EFAULT;
 	return 0;
 }
@@ -120,7 +120,7 @@ static int rseq_get_rseq_cs(struct task_struct *t, struct rseq_cs *rseq_cs)
 	u32 sig;
 	int ret;
 
-	ret = __get_user(ptr, &t->rseq->rseq_cs);
+	ret = get_user(ptr, &t->rseq->rseq_cs);
 	if (ret)
 		return ret;
 	if (!ptr) {
@@ -163,7 +163,7 @@ static int rseq_need_restart(struct task_struct *t, u32 cs_flags)
 	int ret;
 
 	/* Get thread flags. */
-	ret = __get_user(flags, &t->rseq->flags);
+	ret = get_user(flags, &t->rseq->flags);
 	if (ret)
 		return ret;
 
@@ -203,7 +203,7 @@ static int clear_rseq_cs(struct task_struct *t)
 	 *
 	 * Set rseq_cs to NULL with single-copy atomicity.
 	 */
-	return __put_user(0UL, &t->rseq->rseq_cs);
+	return put_user(0UL, &t->rseq->rseq_cs);
 }
 
 /*
-- 
2.11.0

[PATCH for 4.18 2/6] rseq: use get_user/put_user rather than __get_user/__put_user

[Mathieu Desnoyers]

----- On Jul 8, 2018, at 5:03 PM, Mathieu Desnoyers mathieu.desnoyers at efficios.com wrote:

> In preparation to use __u64 for the rseq_cs pointer field, 32-bit
> architectures need to read this 64-bit value located in user-space
> addresses.
> 
> __get_user is used to read this value, given that its access check has
> already been performed with access_ok() on rseq registration.
> 
> arm does not implement 8-byte __get_user. Rather than trying to
> improve __get_user on ARM, use get_user/put_user across rseq instead.
> 
> If those end up showing up in benchmarks, the proper approach would be to
> use user_access_begin() / unsafe_get/put_user() / user_access_end()
> anyway.

So, another twist to this story: ppc32 does not implement u64 get_user().

I am tempted to ditch this patch (leaving the __get_user()/__put_user as is
for 32-bit accesses), and simply use __copy_from_user()/__copy_to_user() to
load/store the rseq_cs pointer. Considering that we don't need to load/store
the rseq_cs field with single-copy atomicity from the kernel anymore, it
should be fine.

Any objection ?

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/rseq/linux-rseq.git rseq/dev
head:   a100323919af0c11a150a9ba58c3f8ac986ea42d
commit: 23d0f99d280fa97ebcf8b915157468f457bc6e11 [4/21] rseq: uapi: declare rseq_cs field as union, update includes
config: powerpc-ppc6xx_defconfig (attached as .config)
compiler: powerpc-linux-gnu-gcc (Debian 7.2.0-11) 7.2.0
reproduce:
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        git checkout 23d0f99d280fa97ebcf8b915157468f457bc6e11
        # save the attached .config to linux build tree
        GCC_VERSION=7.2.0 make.cross ARCH=powerpc

All errors (new ones prefixed by >>):

   kernel/rseq.o: In function `__rseq_handle_notify_resume':
>> (.text+0x648): undefined reference to `__get_user_bad'

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

Thanks,

Mathieu

> 
> Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
> CC: Thomas Gleixner <tglx@linutronix.de>
> Cc: Joel Fernandes <joelaf@google.com>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Cc: Catalin Marinas <catalin.marinas@arm.com>
> Cc: Dave Watson <davejwatson@fb.com>
> Cc: Will Deacon <will.deacon@arm.com>
> Cc: Andi Kleen <andi@firstfloor.org>
> Cc: "H . Peter Anvin" <hpa@zytor.com>
> Cc: Chris Lameter <cl@linux.com>
> Cc: Russell King <linux@arm.linux.org.uk>
> Cc: Andrew Hunter <ahh@google.com>
> Cc: Michael Kerrisk <mtk.manpages@gmail.com>
> Cc: "Paul E . McKenney" <paulmck@linux.vnet.ibm.com>
> Cc: Paul Turner <pjt@google.com>
> Cc: Boqun Feng <boqun.feng@gmail.com>
> Cc: Josh Triplett <josh@joshtriplett.org>
> Cc: Steven Rostedt <rostedt@goodmis.org>
> Cc: Ben Maurer <bmaurer@fb.com>
> Cc: linux-api at vger.kernel.org
> CC: linux-arm-kernel at lists.infradead.org
> Cc: Andy Lutomirski <luto@amacapital.net>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> ---
> kernel/rseq.c | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
> 
> diff --git a/kernel/rseq.c b/kernel/rseq.c
> index 16b38c5342f9..2c8463acb50d 100644
> --- a/kernel/rseq.c
> +++ b/kernel/rseq.c
> @@ -85,9 +85,9 @@ static int rseq_update_cpu_id(struct task_struct *t)
> {
> 	u32 cpu_id = raw_smp_processor_id();
> 
> -	if (__put_user(cpu_id, &t->rseq->cpu_id_start))
> +	if (put_user(cpu_id, &t->rseq->cpu_id_start))
> 		return -EFAULT;
> -	if (__put_user(cpu_id, &t->rseq->cpu_id))
> +	if (put_user(cpu_id, &t->rseq->cpu_id))
> 		return -EFAULT;
> 	trace_rseq_update(t);
> 	return 0;
> @@ -100,14 +100,14 @@ static int rseq_reset_rseq_cpu_id(struct task_struct *t)
> 	/*
> 	 * Reset cpu_id_start to its initial state (0).
> 	 */
> -	if (__put_user(cpu_id_start, &t->rseq->cpu_id_start))
> +	if (put_user(cpu_id_start, &t->rseq->cpu_id_start))
> 		return -EFAULT;
> 	/*
> 	 * Reset cpu_id to RSEQ_CPU_ID_UNINITIALIZED, so any user coming
> 	 * in after unregistration can figure out that rseq needs to be
> 	 * registered again.
> 	 */
> -	if (__put_user(cpu_id, &t->rseq->cpu_id))
> +	if (put_user(cpu_id, &t->rseq->cpu_id))
> 		return -EFAULT;
> 	return 0;
> }
> @@ -120,7 +120,7 @@ static int rseq_get_rseq_cs(struct task_struct *t, struct
> rseq_cs *rseq_cs)
> 	u32 sig;
> 	int ret;
> 
> -	ret = __get_user(ptr, &t->rseq->rseq_cs);
> +	ret = get_user(ptr, &t->rseq->rseq_cs);
> 	if (ret)
> 		return ret;
> 	if (!ptr) {
> @@ -163,7 +163,7 @@ static int rseq_need_restart(struct task_struct *t, u32
> cs_flags)
> 	int ret;
> 
> 	/* Get thread flags. */
> -	ret = __get_user(flags, &t->rseq->flags);
> +	ret = get_user(flags, &t->rseq->flags);
> 	if (ret)
> 		return ret;
> 
> @@ -203,7 +203,7 @@ static int clear_rseq_cs(struct task_struct *t)
> 	 *
> 	 * Set rseq_cs to NULL with single-copy atomicity.
> 	 */
> -	return __put_user(0UL, &t->rseq->rseq_cs);
> +	return put_user(0UL, &t->rseq->rseq_cs);
> }
> 
> /*
> --
> 2.11.0

-- 
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com

[PATCH for 4.18 2/6] rseq: use get_user/put_user rather than __get_user/__put_user

[Linus Torvalds]

On Mon, Jul 9, 2018 at 10:28 AM Mathieu Desnoyers
<mathieu.desnoyers@efficios.com> wrote:
>
> So, another twist to this story: ppc32 does not implement u64 get_user().

I was going to say that "that's not possible", since we actually have
64-bit arguments at least in the form of "loff_t __user *".

But when I started looking, it turns out that yeah, we do
"copy_from_user()" on them, and instead made the x86 copy_from_user()
have special cases for constant sizes.

So a 8-byte copy_from_user() is fine. It ends up being a "get_user()"
on x86 anyway.

                Linus

[PATCH for 4.18 2/6] rseq: use get_user/put_user rather than __get_user/__put_user

[Mathieu Desnoyers]

----- On Jul 9, 2018, at 2:04 PM, Linus Torvalds torvalds at linux-foundation.org wrote:

> On Mon, Jul 9, 2018 at 10:28 AM Mathieu Desnoyers
> <mathieu.desnoyers@efficios.com> wrote:
>>
>> So, another twist to this story: ppc32 does not implement u64 get_user().
> 
> I was going to say that "that's not possible", since we actually have
> 64-bit arguments at least in the form of "loff_t __user *".
> 
> But when I started looking, it turns out that yeah, we do
> "copy_from_user()" on them, and instead made the x86 copy_from_user()
> have special cases for constant sizes.
> 
> So a 8-byte copy_from_user() is fine. It ends up being a "get_user()"
> on x86 anyway.

Given that this memory area has already been checked with access_ok()
on rseq registration, are you fine with leaving
__get_user/__put_user/__copy_{from,to}_user in place so we do the
minimal change at this stage of rc, or should I go ahead and replace
the lot with get_user/put_user/copy_{from,to}_user ?

Thanks,

Mathieu


-- 
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com

[PATCH for 4.18 2/6] rseq: use get_user/put_user rather than __get_user/__put_user

[Linus Torvalds]

On Mon, Jul 9, 2018 at 11:19 AM Mathieu Desnoyers
<mathieu.desnoyers@efficios.com> wrote:
>
> Given that this memory area has already been checked with access_ok()
> on rseq registration, are you fine with leaving
> __get_user/__put_user/__copy_{from,to}_user in place so we do the
> minimal change at this stage of rc, or should I go ahead and replace
> the lot with get_user/put_user/copy_{from,to}_user ?

Do the full replacement, and let's get this over and done with.

              Linus

[PATCH for 4.18 2/6] rseq: use get_user/put_user rather than __get_user/__put_user

[Mathieu Desnoyers]

__get_user()/__put_user() is used to read values for address ranges that
were already checked with access_ok() on rseq registration.

It has been recognized that __get_user/__put_user are optimizing the
wrong thing. Replace them by get_user/put_user across rseq instead.

If those end up showing up in benchmarks, the proper approach would be to
use user_access_begin() / unsafe_{get,put}_user() / user_access_end()
anyway.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
CC: Thomas Gleixner <tglx@linutronix.de>
Cc: Joel Fernandes <joelaf@google.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Dave Watson <davejwatson@fb.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: "H . Peter Anvin" <hpa@zytor.com>
Cc: Chris Lameter <cl@linux.com>
Cc: Russell King <linux@arm.linux.org.uk>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: "Paul E . McKenney" <paulmck@linux.vnet.ibm.com>
Cc: Paul Turner <pjt@google.com>
Cc: Boqun Feng <boqun.feng@gmail.com>
Cc: Josh Triplett <josh@joshtriplett.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Ben Maurer <bmaurer@fb.com>
Cc: linux-api at vger.kernel.org
CC: linux-arm-kernel at lists.infradead.org
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
---
 kernel/rseq.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/kernel/rseq.c b/kernel/rseq.c
index 16b38c5342f9..2c8463acb50d 100644
--- a/kernel/rseq.c
+++ b/kernel/rseq.c
@@ -85,9 +85,9 @@ static int rseq_update_cpu_id(struct task_struct *t)
 {
 	u32 cpu_id = raw_smp_processor_id();
 
-	if (__put_user(cpu_id, &t->rseq->cpu_id_start))
+	if (put_user(cpu_id, &t->rseq->cpu_id_start))
 		return -EFAULT;
-	if (__put_user(cpu_id, &t->rseq->cpu_id))
+	if (put_user(cpu_id, &t->rseq->cpu_id))
 		return -EFAULT;
 	trace_rseq_update(t);
 	return 0;
@@ -100,14 +100,14 @@ static int rseq_reset_rseq_cpu_id(struct task_struct *t)
 	/*
 	 * Reset cpu_id_start to its initial state (0).
 	 */
-	if (__put_user(cpu_id_start, &t->rseq->cpu_id_start))
+	if (put_user(cpu_id_start, &t->rseq->cpu_id_start))
 		return -EFAULT;
 	/*
 	 * Reset cpu_id to RSEQ_CPU_ID_UNINITIALIZED, so any user coming
 	 * in after unregistration can figure out that rseq needs to be
 	 * registered again.
 	 */
-	if (__put_user(cpu_id, &t->rseq->cpu_id))
+	if (put_user(cpu_id, &t->rseq->cpu_id))
 		return -EFAULT;
 	return 0;
 }
@@ -120,7 +120,7 @@ static int rseq_get_rseq_cs(struct task_struct *t, struct rseq_cs *rseq_cs)
 	u32 sig;
 	int ret;
 
-	ret = __get_user(ptr, &t->rseq->rseq_cs);
+	ret = get_user(ptr, &t->rseq->rseq_cs);
 	if (ret)
 		return ret;
 	if (!ptr) {
@@ -163,7 +163,7 @@ static int rseq_need_restart(struct task_struct *t, u32 cs_flags)
 	int ret;
 
 	/* Get thread flags. */
-	ret = __get_user(flags, &t->rseq->flags);
+	ret = get_user(flags, &t->rseq->flags);
 	if (ret)
 		return ret;
 
@@ -203,7 +203,7 @@ static int clear_rseq_cs(struct task_struct *t)
 	 *
 	 * Set rseq_cs to NULL with single-copy atomicity.
 	 */
-	return __put_user(0UL, &t->rseq->rseq_cs);
+	return put_user(0UL, &t->rseq->rseq_cs);
 }
 
 /*
-- 
2.11.0

[PATCH for 4.18 2/6] rseq: use get_user/put_user rather than __get_user/__put_user

[Michael Ellerman]

Mathieu Desnoyers <mathieu.desnoyers@efficios.com> writes:
> ----- On Jul 8, 2018, at 5:03 PM, Mathieu Desnoyers mathieu.desnoyers at efficios.com wrote:
>
>> In preparation to use __u64 for the rseq_cs pointer field, 32-bit
>> architectures need to read this 64-bit value located in user-space
>> addresses.
>> 
>> __get_user is used to read this value, given that its access check has
>> already been performed with access_ok() on rseq registration.
>> 
>> arm does not implement 8-byte __get_user. Rather than trying to
>> improve __get_user on ARM, use get_user/put_user across rseq instead.
>> 
>> If those end up showing up in benchmarks, the proper approach would be to
>> use user_access_begin() / unsafe_get/put_user() / user_access_end()
>> anyway.
>
> So, another twist to this story: ppc32 does not implement u64 get_user().

Or __get_user() for that matter.

But we should just fix it.

We have the asm to do it, it's just the fact that __gu_val is unsigned
long causes the size > sizeof(x) check here to fail:

#define __get_user_size(x, ptr, size, retval)			\
do {								\
	retval = 0;						\
	__chk_user_ptr(ptr);					\
	if (size > sizeof(x))					\
		(x) = __get_user_bad();				\



We seem to be able to fix that with the __inttype() trick that x86 uses.

That's probably not 4.18 material though. But if you want to go with
copy_from_user() for now you could then switch to get_user() for 4.19.

cheers

[PATCH for 4.18 2/6] rseq: use get_user/put_user rather than __get_user/__put_user

[Mathieu Desnoyers]

----- On Jul 10, 2018, at 2:16 AM, Michael Ellerman mpe at ellerman.id.au wrote:

> Mathieu Desnoyers <mathieu.desnoyers@efficios.com> writes:
>> ----- On Jul 8, 2018, at 5:03 PM, Mathieu Desnoyers
>> mathieu.desnoyers at efficios.com wrote:
>>
>>> In preparation to use __u64 for the rseq_cs pointer field, 32-bit
>>> architectures need to read this 64-bit value located in user-space
>>> addresses.
>>> 
>>> __get_user is used to read this value, given that its access check has
>>> already been performed with access_ok() on rseq registration.
>>> 
>>> arm does not implement 8-byte __get_user. Rather than trying to
>>> improve __get_user on ARM, use get_user/put_user across rseq instead.
>>> 
>>> If those end up showing up in benchmarks, the proper approach would be to
>>> use user_access_begin() / unsafe_get/put_user() / user_access_end()
>>> anyway.
>>
>> So, another twist to this story: ppc32 does not implement u64 get_user().
> 
> Or __get_user() for that matter.
> 
> But we should just fix it.
> 
> We have the asm to do it, it's just the fact that __gu_val is unsigned
> long causes the size > sizeof(x) check here to fail:
> 
> #define __get_user_size(x, ptr, size, retval)			\
> do {								\
>	retval = 0;						\
>	__chk_user_ptr(ptr);					\
>	if (size > sizeof(x))					\
>		(x) = __get_user_bad();				\
> 
> 
> 
> We seem to be able to fix that with the __inttype() trick that x86 uses.
> 
> That's probably not 4.18 material though. But if you want to go with
> copy_from_user() for now you could then switch to get_user() for 4.19.

I agree. Let's use copy_from_user() for 4.18. Once get_user() ends up supporting
u64 on ppc32 for 4.19, rseq will happily move back to it.

Thanks,

Mathieu

-- 
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com