From: David Laight <david.laight.linux@gmail.com>
To: "Christophe Leroy (CS GROUP)" <chleroy@kernel.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
Linus Torvalds <torvalds@linux-foundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v4] fs: Replace user_access_{begin/end} by scoped user access
Date: Wed, 18 Mar 2026 14:21:40 +0000 [thread overview]
Message-ID: <20260318142140.3f94510c@pumpkin> (raw)
In-Reply-To: <f46941437f681cc72fc5a84fa768f65b952f43c6.1773830446.git.chleroy@kernel.org>
On Wed, 18 Mar 2026 13:22:43 +0100
"Christophe Leroy (CS GROUP)" <chleroy@kernel.org> wrote:
> Scoped user access reduces code complexity and seamlessly bring
> masked user access on architectures that support it.
>
> Replace user_access_begin/user_access_end blocks by
> scoped user access.
>
> Signed-off-by: Christophe Leroy (CS GROUP) <chleroy@kernel.org>
> ---
> v2:
> - Fix build failure with CONFIG_COMPAT
> - Handled checkpatch.pl output
>
> v3:
> - Fix again build failure with CONFIG_COMPAT. I was obviously too tired when I sent out v2.
>
> v4:
> - Introduced local size var based on Linus comment on readability. Not a dirent_size() helper as suggested as both sites are different.
> ---
> fs/readdir.c | 94 +++++++++++++++++++++-------------------------------
> fs/select.c | 35 ++++++++-----------
> 2 files changed, 51 insertions(+), 78 deletions(-)
>
> diff --git a/fs/readdir.c b/fs/readdir.c
> index 73707b6816e9..8fa615b7e950 100644
> --- a/fs/readdir.c
> +++ b/fs/readdir.c
> @@ -184,6 +184,7 @@ static bool fillonedir(struct dir_context *ctx, const char *name, int namlen,
> struct readdir_callback *buf =
> container_of(ctx, struct readdir_callback, ctx);
> struct old_linux_dirent __user * dirent;
> + size_t size = offsetof(struct old_linux_dirent, d_name) + namlen + 1;
> unsigned long d_ino;
>
> if (buf->result)
> @@ -198,18 +199,13 @@ static bool fillonedir(struct dir_context *ctx, const char *name, int namlen,
> }
> buf->result++;
> dirent = buf->dirent;
> - if (!user_write_access_begin(dirent,
> - (unsigned long)(dirent->d_name + namlen + 1) -
> - (unsigned long)dirent))
> - goto efault;
> - unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
> - unsafe_put_user(offset, &dirent->d_offset, efault_end);
> - unsafe_put_user(namlen, &dirent->d_namlen, efault_end);
> - unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
> - user_write_access_end();
> + scoped_user_write_access_size(dirent, size, efault) {
The problem now is that it isn't obviously clear that 'size' is correct.
If nothing else its definition is quite a way up from the use.
Perhaps putting:
size = offsetof(typeof(*dirent), d_name) + namelen + 1;
immediately before the scoped_user_write_access_size() would be better.
Perhaps even renaming it dirent_len.
David
> + unsafe_put_user(d_ino, &dirent->d_ino, efault);
> + unsafe_put_user(offset, &dirent->d_offset, efault);
> + unsafe_put_user(namlen, &dirent->d_namlen, efault);
> + unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault);
> + }
> return true;
> -efault_end:
> - user_write_access_end();
> efault:
> buf->result = -EFAULT;
> return false;
> @@ -287,23 +283,19 @@ static bool filldir(struct dir_context *ctx, const char *name, int namlen,
> return false;
> dirent = buf->current_dir;
> prev = (void __user *) dirent - prev_reclen;
> - if (!user_write_access_begin(prev, reclen + prev_reclen))
> - goto efault;
> -
> - /* This might be 'dirent->d_off', but if so it will get overwritten */
> - unsafe_put_user(offset, &prev->d_off, efault_end);
> - unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
> - unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
> - unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end);
> - unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
> - user_write_access_end();
> + scoped_user_write_access_size(prev, reclen + prev_reclen, efault) {
> + /* This might be 'dirent->d_off', but if so it will get overwritten */
> + unsafe_put_user(offset, &prev->d_off, efault);
> + unsafe_put_user(d_ino, &dirent->d_ino, efault);
> + unsafe_put_user(reclen, &dirent->d_reclen, efault);
> + unsafe_put_user(d_type, (char __user *)dirent + reclen - 1, efault);
> + unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault);
> + }
>
> buf->current_dir = (void __user *)dirent + reclen;
> buf->prev_reclen = reclen;
> ctx->count -= reclen;
> return true;
> -efault_end:
> - user_write_access_end();
> efault:
> buf->error = -EFAULT;
> return false;
> @@ -371,24 +363,20 @@ static bool filldir64(struct dir_context *ctx, const char *name, int namlen,
> return false;
> dirent = buf->current_dir;
> prev = (void __user *)dirent - prev_reclen;
> - if (!user_write_access_begin(prev, reclen + prev_reclen))
> - goto efault;
> -
> - /* This might be 'dirent->d_off', but if so it will get overwritten */
> - unsafe_put_user(offset, &prev->d_off, efault_end);
> - unsafe_put_user(ino, &dirent->d_ino, efault_end);
> - unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
> - unsafe_put_user(d_type, &dirent->d_type, efault_end);
> - unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
> - user_write_access_end();
> + scoped_user_write_access_size(prev, reclen + prev_reclen, efault) {
> + /* This might be 'dirent->d_off', but if so it will get overwritten */
> + unsafe_put_user(offset, &prev->d_off, efault);
> + unsafe_put_user(ino, &dirent->d_ino, efault);
> + unsafe_put_user(reclen, &dirent->d_reclen, efault);
> + unsafe_put_user(d_type, &dirent->d_type, efault);
> + unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault);
> + }
>
> buf->prev_reclen = reclen;
> buf->current_dir = (void __user *)dirent + reclen;
> ctx->count -= reclen;
> return true;
>
> -efault_end:
> - user_write_access_end();
> efault:
> buf->error = -EFAULT;
> return false;
> @@ -446,6 +434,7 @@ static bool compat_fillonedir(struct dir_context *ctx, const char *name,
> struct compat_readdir_callback *buf =
> container_of(ctx, struct compat_readdir_callback, ctx);
> struct compat_old_linux_dirent __user *dirent;
> + size_t size = offsetof(struct compat_old_linux_dirent, d_name) + namlen + 1;
> compat_ulong_t d_ino;
>
> if (buf->result)
> @@ -460,18 +449,13 @@ static bool compat_fillonedir(struct dir_context *ctx, const char *name,
> }
> buf->result++;
> dirent = buf->dirent;
> - if (!user_write_access_begin(dirent,
> - (unsigned long)(dirent->d_name + namlen + 1) -
> - (unsigned long)dirent))
> - goto efault;
> - unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
> - unsafe_put_user(offset, &dirent->d_offset, efault_end);
> - unsafe_put_user(namlen, &dirent->d_namlen, efault_end);
> - unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
> - user_write_access_end();
> + scoped_user_write_access_size(dirent, size, efault) {
> + unsafe_put_user(d_ino, &dirent->d_ino, efault);
> + unsafe_put_user(offset, &dirent->d_offset, efault);
> + unsafe_put_user(namlen, &dirent->d_namlen, efault);
> + unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault);
> + }
> return true;
> -efault_end:
> - user_write_access_end();
> efault:
> buf->result = -EFAULT;
> return false;
> @@ -543,22 +527,18 @@ static bool compat_filldir(struct dir_context *ctx, const char *name, int namlen
> return false;
> dirent = buf->current_dir;
> prev = (void __user *) dirent - prev_reclen;
> - if (!user_write_access_begin(prev, reclen + prev_reclen))
> - goto efault;
> -
> - unsafe_put_user(offset, &prev->d_off, efault_end);
> - unsafe_put_user(d_ino, &dirent->d_ino, efault_end);
> - unsafe_put_user(reclen, &dirent->d_reclen, efault_end);
> - unsafe_put_user(d_type, (char __user *) dirent + reclen - 1, efault_end);
> - unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault_end);
> - user_write_access_end();
> + scoped_user_write_access_size(prev, reclen + prev_reclen, efault) {
> + unsafe_put_user(offset, &prev->d_off, efault);
> + unsafe_put_user(d_ino, &dirent->d_ino, efault);
> + unsafe_put_user(reclen, &dirent->d_reclen, efault);
> + unsafe_put_user(d_type, (char __user *)dirent + reclen - 1, efault);
> + unsafe_copy_dirent_name(dirent->d_name, name, namlen, efault);
> + }
>
> buf->prev_reclen = reclen;
> buf->current_dir = (void __user *)dirent + reclen;
> ctx->count -= reclen;
> return true;
> -efault_end:
> - user_write_access_end();
> efault:
> buf->error = -EFAULT;
> return false;
> diff --git a/fs/select.c b/fs/select.c
> index e0244dbe4429..75978b18f48f 100644
> --- a/fs/select.c
> +++ b/fs/select.c
> @@ -1004,17 +1004,17 @@ static int do_sys_poll(struct pollfd __user *ufds, unsigned int nfds,
> fdcount = do_poll(head, &table, end_time);
> poll_freewait(&table);
>
> - if (!user_write_access_begin(ufds, nfds * sizeof(*ufds)))
> - goto out_fds;
> + scoped_user_write_access_size(ufds, nfds * sizeof(*ufds), out_fds) {
> + struct pollfd __user *_ufds = ufds;
>
> - for (walk = head; walk; walk = walk->next) {
> - struct pollfd *fds = walk->entries;
> - unsigned int j;
> + for (walk = head; walk; walk = walk->next) {
> + struct pollfd *fds = walk->entries;
> + unsigned int j;
>
> - for (j = walk->len; j; fds++, ufds++, j--)
> - unsafe_put_user(fds->revents, &ufds->revents, Efault);
> - }
> - user_write_access_end();
> + for (j = walk->len; j; fds++, _ufds++, j--)
> + unsafe_put_user(fds->revents, &_ufds->revents, out_fds);
> + }
> + }
>
> err = fdcount;
> out_fds:
> @@ -1026,11 +1026,6 @@ static int do_sys_poll(struct pollfd __user *ufds, unsigned int nfds,
> }
>
> return err;
> -
> -Efault:
> - user_write_access_end();
> - err = -EFAULT;
> - goto out_fds;
> }
>
> static long do_restart_poll(struct restart_block *restart_block)
> @@ -1338,15 +1333,13 @@ static inline int get_compat_sigset_argpack(struct compat_sigset_argpack *to,
> struct compat_sigset_argpack __user *from)
> {
> if (from) {
> - if (!user_read_access_begin(from, sizeof(*from)))
> - return -EFAULT;
> - unsafe_get_user(to->p, &from->p, Efault);
> - unsafe_get_user(to->size, &from->size, Efault);
> - user_read_access_end();
> + scoped_user_read_access(from, efault) {
> + unsafe_get_user(to->p, &from->p, efault);
> + unsafe_get_user(to->size, &from->size, efault);
> + }
> }
> return 0;
> -Efault:
> - user_read_access_end();
> +efault:
> return -EFAULT;
> }
>
next prev parent reply other threads:[~2026-03-18 14:21 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-18 12:22 [PATCH v4] fs: Replace user_access_{begin/end} by scoped user access Christophe Leroy (CS GROUP)
2026-03-18 14:21 ` David Laight [this message]
2026-03-18 15:34 ` Christophe Leroy (CS GROUP)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260318142140.3f94510c@pumpkin \
--to=david.laight.linux@gmail.com \
--cc=brauner@kernel.org \
--cc=chleroy@kernel.org \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox