From: David Laight <david.laight.linux@gmail.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: LKML <linux-kernel@vger.kernel.org>,
"Linus Torvalds" <torvalds@linux-foundation.org>,
"Mathieu Desnoyers" <mathieu.desnoyers@efficios.com>,
"Peter Zijlstra" <peterz@infradead.org>,
"Darren Hart" <dvhart@infradead.org>,
"Davidlohr Bueso" <dave@stgolabs.net>,
"André Almeida" <andrealmeid@igalia.com>,
x86@kernel.org, "Alexander Viro" <viro@zeniv.linux.org.uk>,
"Christian Brauner" <brauner@kernel.org>,
"Jan Kara" <jack@suse.cz>,
linux-fsdevel@vger.kernel.org
Subject: Re: [patch 0/4] uaccess: Provide and use helpers for user masked access
Date: Mon, 18 Aug 2025 22:21:06 +0100 [thread overview]
Message-ID: <20250818222106.714629ee@pumpkin> (raw)
In-Reply-To: <20250817144943.76b9ee62@pumpkin>
On Sun, 17 Aug 2025 14:49:43 +0100
David Laight <david.laight.linux@gmail.com> wrote:
> On Wed, 13 Aug 2025 17:57:00 +0200 (CEST)
> Thomas Gleixner <tglx@linutronix.de> wrote:
>
> > commit 2865baf54077 ("x86: support user address masking instead of
> > non-speculative conditional") provided an optimization for
> > unsafe_get/put_user(), which optimizes the Spectre-V1 mitigation in an
> > architecture specific way. Currently only x86_64 supports that.
> >
> > The required code pattern screams for helper functions before it is copied
> > all over the kernel. So far the exposure is limited to futex, x86 and
> > fs/select.
> >
> > Provide a set of helpers for common single size access patterns:
>
> (gmail hasn't decided to accept 1/4 yet - I need to find a better
> mail relay...)
>
> +/*
> + * Conveniance macros to avoid spreading this pattern all over the place
> ^ spelling...
> + */
> +#define user_read_masked_begin(src) ({ \
> + bool __ret = true; \
> + \
> + if (can_do_masked_user_access()) \
> + src = masked_user_access_begin(src); \
> + else if (!user_read_access_begin(src, sizeof(*src))) \
> + __ret = false; \
> + __ret; \
> +})
Would something like this work (to avoid the hidden update)?
#define user_read_begin(uaddr, size, error_code) ({ \
typeof(uaddr) __uaddr; \
if (can_do_masked_user_access()) \
__uaddr = masked_user_access_begin(uaddr);\
else if (user_read_access_begin(uaddr, size)) \
__uaddr = uaddr; \
else { \
error_code; \
} \
__uaddr; \
})
With typical use being either:
uaddr = user_read_begin(uaddr, sizeof (*uaddr), return -EFAULT);
or:
uaddr = user_read_begin(uaddr, sizeof (*uaddr), goto bad_uaddr);
One problem is I don't think you can easily enforce the assignment.
Ideally you'd want something that made the compiler think that 'uaddr' was unset.
It could be done for in a debug/diagnostic compile by adding 'uaddr = NULL'
at the bottom of the #define and COMPILE_ASSERT(!staticically_true(uaddr == NULL))
inside unsafe_get/put_user().
David
next prev parent reply other threads:[~2025-08-18 21:21 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-13 15:57 [patch 0/4] uaccess: Provide and use helpers for user masked access Thomas Gleixner
2025-08-13 15:57 ` [patch 1/4] uaccess: Provide common helpers for masked user access Thomas Gleixner
2025-08-26 7:04 ` Christophe Leroy
2025-09-13 18:01 ` Thomas Gleixner
2025-08-13 15:57 ` [patch 2/4] futex: Convert to get/put_user_masked_u32() Thomas Gleixner
2025-08-13 15:57 ` [patch 3/4] x86/futex: Use user_*_masked_begin() Thomas Gleixner
2025-08-26 7:09 ` Christophe Leroy
2025-08-13 15:57 ` [patch 4/4] select: Use user_read_masked_begin() Thomas Gleixner
2025-08-17 13:49 ` [patch 0/4] uaccess: Provide and use helpers for user masked access David Laight
2025-08-17 14:00 ` Linus Torvalds
2025-08-17 15:29 ` David Laight
2025-08-17 15:36 ` Linus Torvalds
2025-08-18 11:59 ` David Laight
2025-08-18 21:21 ` David Laight [this message]
2025-08-18 21:36 ` Linus Torvalds
2025-08-18 22:21 ` Al Viro
2025-08-18 23:00 ` Linus Torvalds
2025-08-19 0:39 ` Al Viro
2025-08-20 23:48 ` Al Viro
2025-08-21 7:45 ` Christian Brauner
2025-08-21 22:49 ` Al Viro
2025-08-19 2:39 ` Matthew Wilcox
2025-08-19 21:33 ` David Laight
2025-08-19 4:44 ` Thomas Weißschuh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250818222106.714629ee@pumpkin \
--to=david.laight.linux@gmail.com \
--cc=andrealmeid@igalia.com \
--cc=brauner@kernel.org \
--cc=dave@stgolabs.net \
--cc=dvhart@infradead.org \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=peterz@infradead.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).