[PATCH 1/2] uaccess: Simplify code pattern for masked user copies

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: David Laight <david.laight.linux@gmail.com>
To: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	Linus Torvalds <torvalds@linux-foundation.org>
Cc: David Laight <david.laight.linux@gmail.com>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
	Arnd Bergmann <arnd@arndb.de>, Kees Cook <kees@kernel.org>
Subject: [PATCH 1/2] uaccess: Simplify code pattern for masked user copies
Date: Sun,  9 Feb 2025 10:55:59 +0000	[thread overview]
Message-ID: <20250209105600.3388-2-david.laight.linux@gmail.com> (raw)
In-Reply-To: <20250209105600.3388-1-david.laight.linux@gmail.com>

Commit 2865baf54077a added 'user address masking' to avoid the
serialising instructions associated with access_ok() when using
unsafe_get_user().

However the code pattern required is non-trivial.
Add a new wrapper masked_user_read_access_begin() to simplify things.
Code can then be changed:
-		if (!user_read_access_begin(from, sizeof(*from)))
+		if (!masked_user_read_access_begin(&from, sizeof(*from)))
			return -EFAULT;
		unsafe_get_user(xxx, &from->xxx, Efault);
If address masking is supported the 'return -EFAULT' will never happen.

Add the matching masked_user_write_access_begin().
Although speculative accesses aren't an issue, it saves the conditional
branch.

Signed-off-by: David Laight <david.laight.linux@gmail.com>
---
 include/linux/uaccess.h | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
index e9c702c1908d..5a55152c0010 100644
--- a/include/linux/uaccess.h
+++ b/include/linux/uaccess.h
@@ -33,6 +33,15 @@
 })
 #endif
 
+/*
+ * Architectures can reduce the cost of validating user addresses by
+ * defining masked_user_access_begin().
+ * It should convert any kernel address to the base of an unmapped
+ * page (eg that of a guard page between user and kernel addresses)
+ * and enable accesses to user memory.
+ * To avoid speculative accesses it should use ALU instructions
+ * (eg  a compare and conditional move).
+ */
 #ifdef masked_user_access_begin
  #define can_do_masked_user_access() 1
 #else
@@ -41,6 +50,18 @@
  #define mask_user_address(src) (src)
 #endif
 
+#ifdef masked_user_access_begin
+#define masked_user_read_access_begin(from, size) \
+	((*(from) = masked_user_access_begin(*(from))), 1)
+#define masked_user_write_access_begin(from, size) \
+	((*(from) = masked_user_access_begin(*(from))), 1)
+#else
+#define masked_user_read_access_begin(from, size) \
+	user_read_access_begin(*(from), size)
+#define masked_user_write_access_begin(from, size) \
+	user_write_access_begin(*(from), size)
+#endif
+
 /*
  * Architectures should provide two primitives (raw_copy_{to,from}_user())
  * and get rid of their private instances of copy_{to,from}_user() and
-- 
2.39.5

next prev parent reply	other threads:[~2025-02-09 10:56 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-02-09 10:55 [PATCH 0/2] uaccess: Add masked_user_read_access_begin David Laight
2025-02-09 10:55 ` David Laight [this message]
2025-02-09 17:40   ` [PATCH 1/2] uaccess: Simplify code pattern for masked user copies Linus Torvalds
2025-02-09 18:34     ` David Laight
2025-02-09 18:40       ` Linus Torvalds
2025-02-09 18:46         ` Linus Torvalds
2025-02-09 19:02           ` David Laight
2025-02-09 19:47     ` David Laight
2025-02-09 20:40       ` Linus Torvalds
2025-02-09 21:18         ` David Laight
2025-02-09 21:38           ` Linus Torvalds
2025-02-09 10:56 ` [PATCH 2/2] fs: Use masked_user_read_access_begin() David Laight

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:e9c702c1908 dfblob:5a55152c001 )
 OR (
bs:"[PATCH 1/2] uaccess: Simplify code pattern for masked user copies" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250209105600.3388-2-david.laight.linux@gmail.com \
    --to=david.laight.linux@gmail.com \
    --cc=arnd@arndb.de \
    --cc=brauner@kernel.org \
    --cc=jack@suse.cz \
    --cc=kees@kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).