From: David Laight <david.laight.linux@gmail.com>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: LKML <linux-kernel@vger.kernel.org>,
"Christophe Leroy" <christophe.leroy@csgroup.eu>,
"Mathieu Desnoyers" <mathieu.desnoyers@efficios.com>,
"Andrew Cooper" <andrew.cooper3@citrix.com>,
"Linus Torvalds" <torvalds@linux-foundation.org>,
"kernel test robot" <lkp@intel.com>,
"Russell King" <linux@armlinux.org.uk>,
linux-arm-kernel@lists.infradead.org, x86@kernel.org,
"Madhavan Srinivasan" <maddy@linux.ibm.com>,
"Michael Ellerman" <mpe@ellerman.id.au>,
"Nicholas Piggin" <npiggin@gmail.com>,
linuxppc-dev@lists.ozlabs.org, "Paul Walmsley" <pjw@kernel.org>,
"Palmer Dabbelt" <palmer@dabbelt.com>,
linux-riscv@lists.infradead.org,
"Heiko Carstens" <hca@linux.ibm.com>,
"Christian Borntraeger" <borntraeger@linux.ibm.com>,
"Sven Schnelle" <svens@linux.ibm.com>,
linux-s390@vger.kernel.org,
"Julia Lawall" <Julia.Lawall@inria.fr>,
"Nicolas Palix" <nicolas.palix@imag.fr>,
"Peter Zijlstra" <peterz@infradead.org>,
"Darren Hart" <dvhart@infradead.org>,
"Davidlohr Bueso" <dave@stgolabs.net>,
"André Almeida" <andrealmeid@igalia.com>,
"Alexander Viro" <viro@zeniv.linux.org.uk>,
"Christian Brauner" <brauner@kernel.org>,
"Jan Kara" <jack@suse.cz>,
linux-fsdevel@vger.kernel.org
Subject: Re: [patch V5 07/12] uaccess: Provide scoped user access regions
Date: Fri, 7 Nov 2025 19:17:53 +0000 [thread overview]
Message-ID: <20251107191753.7433d2dc@pumpkin> (raw)
In-Reply-To: <20251027083745.546420421@linutronix.de>
On Mon, 27 Oct 2025 09:43:55 +0100 (CET)
Thomas Gleixner <tglx@linutronix.de> wrote:
> User space access regions are tedious and require similar code patterns all
> over the place:
...
> There have been issues with using the wrong user_*_access_end() variant in
> the error path and other typical Copy&Pasta problems, e.g. using the wrong
> fault label in the user accessor which ends up using the wrong accesss end
> variant.
>
> These patterns beg for scopes with automatic cleanup. The resulting outcome
> is:
> scoped_user_read_access(from, Efault)
> unsafe_get_user(val, from, Efault);
> return 0;
> Efault:
> return -EFAULT;
>
> The scope guarantees the proper cleanup for the access mode is invoked both
> in the success and the failure (fault) path.
>
...
The code doesn't work if the 'from' (above) is 'const foo __user *from'.
Due to assigning away constness.
The changes below fix the build, I suspect the code is then correct.
...
> +/* Define RW variant so the below _mode macro expansion works */
> +#define masked_user_rw_access_begin(u) masked_user_access_begin(u)
> +#define user_rw_access_begin(u, s) user_access_begin(u, s)
> +#define user_rw_access_end() user_access_end()
> +
> +/* Scoped user access */
> +#define USER_ACCESS_GUARD(_mode) \
#define USER_ACCESS_GUARD(_mode, void)
(but change all the void below to a different name...)
> +static __always_inline void __user * \
> +class_user_##_mode##_begin(void __user *ptr) \
> +{ \
> + return ptr; \
> +} \
> + \
> +static __always_inline void \
> +class_user_##_mode##_end(void __user *ptr) \
> +{ \
> + user_##_mode##_access_end(); \
> +} \
> + \
> +DEFINE_CLASS(user_ ##_mode## _access, void __user *, \
> + class_user_##_mode##_end(_T), \
> + class_user_##_mode##_begin(ptr), void __user *ptr) \
> + \
> +static __always_inline class_user_##_mode##_access_t \
> +class_user_##_mode##_access_ptr(void __user *scope) \
> +{ \
> + return scope; \
> +}
> +
> +USER_ACCESS_GUARD(read)
> +USER_ACCESS_GUARD(write)
> +USER_ACCESS_GUARD(rw)
USER_ACCESS_GUARD(read, const void)
USER_ACCESS_GUARD(write, void)
USER_ACCESS_GUARD(rw, void)
> +#undef USER_ACCESS_GUARD
...
> +#define __scoped_user_access(mode, uptr, size, elbl) \
> +for (bool done = false; !done; done = true) \
> + for (void __user *_tmpptr = __scoped_user_access_begin(mode, uptr, size, elbl); \
for (typeof(uptr) _tmpptr = ...
> + !done; done = true) \
> + for (CLASS(user_##mode##_access, scope)(_tmpptr); !done; done = true) \
> + /* Force modified pointer usage within the scope */ \
> + for (const typeof(uptr) uptr = _tmpptr; !done; done = true)
> +
David
next prev parent reply other threads:[~2025-11-07 19:18 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-27 8:43 [patch V5 00/12] uaccess: Provide and use scopes for user access Thomas Gleixner
2025-10-27 8:43 ` [patch V5 01/12] ARM: uaccess: Implement missing __get_user_asm_dword() Thomas Gleixner
2025-10-28 13:35 ` Mathieu Desnoyers
2025-10-27 8:43 ` [patch V5 02/12] uaccess: Provide ASM GOTO safe wrappers for unsafe_*_user() Thomas Gleixner
2025-10-27 12:12 ` Andrew Cooper
2025-10-28 13:44 ` Mathieu Desnoyers
2025-10-28 14:04 ` Yann Ylavic
2025-10-28 15:53 ` Thomas Gleixner
2025-10-29 9:40 ` [patch V6 " Thomas Gleixner
2025-11-04 6:11 ` [patch V5 " Christophe Leroy
2025-10-27 8:43 ` [patch V5 03/12] x86/uaccess: Use unsafe wrappers for ASM GOTO Thomas Gleixner
2025-10-28 13:50 ` Mathieu Desnoyers
2025-10-27 8:43 ` [patch V5 04/12] powerpc/uaccess: " Thomas Gleixner
2025-10-28 13:51 ` Mathieu Desnoyers
2025-11-04 6:15 ` Christophe Leroy
2025-10-27 8:43 ` [patch V5 05/12] riscv/uaccess: " Thomas Gleixner
2025-10-28 13:52 ` Mathieu Desnoyers
2025-10-27 8:43 ` [patch V5 06/12] s390/uaccess: " Thomas Gleixner
2025-10-28 13:54 ` Mathieu Desnoyers
2025-10-27 8:43 ` [patch V5 07/12] uaccess: Provide scoped user access regions Thomas Gleixner
2025-10-28 14:11 ` Mathieu Desnoyers
2025-11-04 6:20 ` Christophe Leroy
2025-11-07 19:17 ` David Laight [this message]
2025-10-27 8:43 ` [patch V5 08/12] uaccess: Provide put/get_user_inline() Thomas Gleixner
2025-10-28 14:12 ` Mathieu Desnoyers
2025-11-04 6:30 ` Christophe Leroy
2025-10-27 8:43 ` [patch V5 09/12] [RFC] coccinelle: misc: Add scoped_masked_$MODE_access() checker script Thomas Gleixner
2025-10-27 8:44 ` [patch V5 10/12] futex: Convert to get/put_user_inline() Thomas Gleixner
2025-10-28 14:24 ` Mathieu Desnoyers
2025-10-28 15:56 ` Thomas Gleixner
2025-10-28 16:02 ` Mathieu Desnoyers
2025-10-28 16:13 ` Linus Torvalds
2025-11-04 6:31 ` Christophe Leroy
2025-10-27 8:44 ` [patch V5 11/12] x86/futex: Convert to scoped user access Thomas Gleixner
2025-10-27 8:44 ` [patch V5 12/12] select: " Thomas Gleixner
2025-10-28 14:42 ` Mathieu Desnoyers
2025-11-04 6:32 ` Christophe Leroy
2025-10-27 15:53 ` [patch V5 00/12] uaccess: Provide and use scopes for " Linus Torvalds
2025-10-29 10:23 ` Peter Zijlstra
2025-11-03 14:46 ` Peter Zijlstra
2025-11-04 6:35 ` Christophe Leroy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251107191753.7433d2dc@pumpkin \
--to=david.laight.linux@gmail.com \
--cc=Julia.Lawall@inria.fr \
--cc=andrealmeid@igalia.com \
--cc=andrew.cooper3@citrix.com \
--cc=borntraeger@linux.ibm.com \
--cc=brauner@kernel.org \
--cc=christophe.leroy@csgroup.eu \
--cc=dave@stgolabs.net \
--cc=dvhart@infradead.org \
--cc=hca@linux.ibm.com \
--cc=jack@suse.cz \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=lkp@intel.com \
--cc=maddy@linux.ibm.com \
--cc=mathieu.desnoyers@efficios.com \
--cc=mpe@ellerman.id.au \
--cc=nicolas.palix@imag.fr \
--cc=npiggin@gmail.com \
--cc=palmer@dabbelt.com \
--cc=peterz@infradead.org \
--cc=pjw@kernel.org \
--cc=svens@linux.ibm.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).