From: Christophe Leroy <christophe.leroy@csgroup.eu>
To: Thomas Gleixner <tglx@linutronix.de>,
LKML <linux-kernel@vger.kernel.org>
Cc: "Linus Torvalds" <torvalds@linux-foundation.org>,
"kernel test robot" <lkp@intel.com>,
"Russell King" <linux@armlinux.org.uk>,
linux-arm-kernel@lists.infradead.org, x86@kernel.org,
"Madhavan Srinivasan" <maddy@linux.ibm.com>,
"Michael Ellerman" <mpe@ellerman.id.au>,
"Nicholas Piggin" <npiggin@gmail.com>,
linuxppc-dev@lists.ozlabs.org, "Paul Walmsley" <pjw@kernel.org>,
"Palmer Dabbelt" <palmer@dabbelt.com>,
linux-riscv@lists.infradead.org,
"Heiko Carstens" <hca@linux.ibm.com>,
"Christian Borntraeger" <borntraeger@linux.ibm.com>,
"Sven Schnelle" <svens@linux.ibm.com>,
linux-s390@vger.kernel.org,
"Mathieu Desnoyers" <mathieu.desnoyers@efficios.com>,
"Andrew Cooper" <andrew.cooper3@citrix.com>,
"David Laight" <david.laight.linux@gmail.com>,
"Julia Lawall" <Julia.Lawall@inria.fr>,
"Nicolas Palix" <nicolas.palix@imag.fr>,
"Peter Zijlstra" <peterz@infradead.org>,
"Darren Hart" <dvhart@infradead.org>,
"Davidlohr Bueso" <dave@stgolabs.net>,
"André Almeida" <andrealmeid@igalia.com>,
"Alexander Viro" <viro@zeniv.linux.org.uk>,
"Christian Brauner" <brauner@kernel.org>,
"Jan Kara" <jack@suse.cz>,
linux-fsdevel@vger.kernel.org
Subject: Re: [patch V5 02/12] uaccess: Provide ASM GOTO safe wrappers for unsafe_*_user()
Date: Tue, 4 Nov 2025 07:11:30 +0100 [thread overview]
Message-ID: <14010da0-9fba-4627-a499-e71034cd9bac@csgroup.eu> (raw)
In-Reply-To: <20251027083745.231716098@linutronix.de>
Le 27/10/2025 à 09:43, Thomas Gleixner a écrit :
> ASM GOTO is miscompiled by GCC when it is used inside a auto cleanup scope:
>
> bool foo(u32 __user *p, u32 val)
> {
> scoped_guard(pagefault)
> unsafe_put_user(val, p, efault);
> return true;
> efault:
> return false;
> }
>
> e80: e8 00 00 00 00 call e85 <foo+0x5>
> e85: 65 48 8b 05 00 00 00 00 mov %gs:0x0(%rip),%rax
> e8d: 83 80 04 14 00 00 01 addl $0x1,0x1404(%rax) // pf_disable++
> e94: 89 37 mov %esi,(%rdi)
> e96: 83 a8 04 14 00 00 01 subl $0x1,0x1404(%rax) // pf_disable--
> e9d: b8 01 00 00 00 mov $0x1,%eax // success
> ea2: e9 00 00 00 00 jmp ea7 <foo+0x27> // ret
> ea7: 31 c0 xor %eax,%eax // fail
> ea9: e9 00 00 00 00 jmp eae <foo+0x2e> // ret
>
> which is broken as it leaks the pagefault disable counter on failure.
Is there a GCC bug report for it ?
>
> Clang at least fails the build.
Is it expected ? Is the error message meaningfull ?
>
> Linus suggested to add a local label into the macro scope and let that
> jump to the actual caller supplied error label.
>
> __label__ local_label; \
> arch_unsafe_get_user(x, ptr, local_label); \
> if (0) { \
> local_label: \
> goto label; \
That's in a while loop so it would have been cleaner (more readable) to
break instead of that ugly if(0), see __get_user_size_allowed() in
powerpc uaccess.h
>
> That works for both GCC and clang.
>
> clang:
>
> c80: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
> c85: 65 48 8b 0c 25 00 00 00 00 mov %gs:0x0,%rcx
> c8e: ff 81 04 14 00 00 incl 0x1404(%rcx) // pf_disable++
> c94: 31 c0 xor %eax,%eax // set retval to false
> c96: 89 37 mov %esi,(%rdi) // write
> c98: b0 01 mov $0x1,%al // set retval to true
> c9a: ff 89 04 14 00 00 decl 0x1404(%rcx) // pf_disable--
> ca0: 2e e9 00 00 00 00 cs jmp ca6 <foo+0x26> // ret
>
> The exception table entry points correctly to c9a
>
> GCC:
>
> f70: e8 00 00 00 00 call f75 <baz+0x5>
> f75: 65 48 8b 05 00 00 00 00 mov %gs:0x0(%rip),%rax
> f7d: 83 80 04 14 00 00 01 addl $0x1,0x1404(%rax) // pf_disable++
> f84: 8b 17 mov (%rdi),%edx
> f86: 89 16 mov %edx,(%rsi)
> f88: 83 a8 04 14 00 00 01 subl $0x1,0x1404(%rax) // pf_disable--
> f8f: b8 01 00 00 00 mov $0x1,%eax // success
> f94: e9 00 00 00 00 jmp f99 <baz+0x29> // ret
> f99: 83 a8 04 14 00 00 01 subl $0x1,0x1404(%rax) // pf_disable--
> fa0: 31 c0 xor %eax,%eax // fail
> fa2: e9 00 00 00 00 jmp fa7 <baz+0x37> // ret
>
> The exception table entry points correctly to f99
>
> So both compilers optimize out the extra goto and emit correct and
> efficient code.
> > Provide a generic wrapper to do that to avoid modifying all the
affected
> architecture specific implementation with that workaround.
>
> The only change required for architectures is to rename unsafe_*_user() to
> arch_unsafe_*_user(). That's done in subsequent changes.
>
> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
> ---
> include/linux/uaccess.h | 72 +++++++++++++++++++++++++++++++++++++++++++++---
> 1 file changed, 68 insertions(+), 4 deletions(-)
>
> --- a/include/linux/uaccess.h
> +++ b/include/linux/uaccess.h
> @@ -518,7 +518,34 @@ long strncpy_from_user_nofault(char *dst
> long count);
> long strnlen_user_nofault(const void __user *unsafe_addr, long count);
>
> -#ifndef __get_kernel_nofault
> +#ifdef arch_get_kernel_nofault
> +/*
> + * Wrap the architecture implementation so that @label can be outside of a
> + * cleanup() scope. A regular C goto works correctly, but ASM goto does
> + * not. Clang rejects such an attempt, but GCC silently emits buggy code.
> + */
> +#define __get_kernel_nofault(dst, src, type, label) \
> +do { \
> + __label__ local_label; \
> + arch_get_kernel_nofault(dst, src, type, local_label); \
> + if (0) { \
> + local_label: \
> + goto label; \
> + } \
> +} while (0)
> +
> +#define __put_kernel_nofault(dst, src, type, label) \
> +do { \
> + __label__ local_label; \
> + arch_get_kernel_nofault(dst, src, type, local_label); \
> + if (0) { \
> + local_label: \
> + goto label; \
> + } \
> +} while (0)
> +
> +#elif !defined(__get_kernel_nofault) /* arch_get_kernel_nofault */
> +
> #define __get_kernel_nofault(dst, src, type, label) \
> do { \
> type __user *p = (type __force __user *)(src); \
> @@ -535,7 +562,8 @@ do { \
> if (__put_user(data, p)) \
> goto label; \
> } while (0)
> -#endif
> +
> +#endif /* !__get_kernel_nofault */
>
> /**
> * get_kernel_nofault(): safely attempt to read from a location
> @@ -549,7 +577,42 @@ do { \
> copy_from_kernel_nofault(&(val), __gk_ptr, sizeof(val));\
> })
>
> -#ifndef user_access_begin
> +#ifdef user_access_begin
> +
> +#ifdef arch_unsafe_get_user
> +/*
> + * Wrap the architecture implementation so that @label can be outside of a
> + * cleanup() scope. A regular C goto works correctly, but ASM goto does
> + * not. Clang rejects such an attempt, but GCC silently emits buggy code.
> + *
> + * Some architectures use internal local labels already, but this extra
> + * indirection here is harmless because the compiler optimizes it out
> + * completely in any case. This construct just ensures that the ASM GOTO
> + * target is always in the local scope. The C goto 'label' works correct
> + * when leaving a cleanup() scope.
> + */
> +#define unsafe_get_user(x, ptr, label) \
> +do { \
> + __label__ local_label; \
> + arch_unsafe_get_user(x, ptr, local_label); \
> + if (0) { \
> + local_label: \
> + goto label; \
> + } \
> +} while (0)
> +
> +#define unsafe_put_user(x, ptr, label) \
> +do { \
> + __label__ local_label; \
> + arch_unsafe_put_user(x, ptr, local_label); \
> + if (0) { \
> + local_label: \
> + goto label; \
> + } \
> +} while (0)
> +#endif /* arch_unsafe_get_user */
> +
> +#else /* user_access_begin */
> #define user_access_begin(ptr,len) access_ok(ptr, len)
> #define user_access_end() do { } while (0)
> #define unsafe_op_wrap(op, err) do { if (unlikely(op)) goto err; } while (0)
> @@ -559,7 +622,8 @@ do { \
> #define unsafe_copy_from_user(d,s,l,e) unsafe_op_wrap(__copy_from_user(d,s,l),e)
> static inline unsigned long user_access_save(void) { return 0UL; }
> static inline void user_access_restore(unsigned long flags) { }
> -#endif
> +#endif /* !user_access_begin */
> +
> #ifndef user_write_access_begin
> #define user_write_access_begin user_access_begin
> #define user_write_access_end user_access_end
>
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next prev parent reply other threads:[~2025-11-04 6:20 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-27 8:43 [patch V5 00/12] uaccess: Provide and use scopes for user access Thomas Gleixner
2025-10-27 8:43 ` [patch V5 01/12] ARM: uaccess: Implement missing __get_user_asm_dword() Thomas Gleixner
2025-10-28 13:35 ` Mathieu Desnoyers
2025-10-27 8:43 ` [patch V5 02/12] uaccess: Provide ASM GOTO safe wrappers for unsafe_*_user() Thomas Gleixner
2025-10-27 12:12 ` Andrew Cooper
2025-10-28 13:44 ` Mathieu Desnoyers
2025-10-28 14:04 ` Yann Ylavic
2025-10-28 15:53 ` Thomas Gleixner
2025-10-29 9:40 ` [patch V6 " Thomas Gleixner
2025-12-19 8:10 ` patchwork-bot+linux-riscv
2025-11-04 6:11 ` Christophe Leroy [this message]
2025-10-27 8:43 ` [patch V5 03/12] x86/uaccess: Use unsafe wrappers for ASM GOTO Thomas Gleixner
2025-10-28 13:50 ` Mathieu Desnoyers
2025-10-27 8:43 ` [patch V5 04/12] powerpc/uaccess: " Thomas Gleixner
2025-10-28 13:51 ` Mathieu Desnoyers
2025-11-04 6:15 ` Christophe Leroy
2025-10-27 8:43 ` [patch V5 05/12] riscv/uaccess: " Thomas Gleixner
2025-10-28 13:52 ` Mathieu Desnoyers
2025-10-27 8:43 ` [patch V5 06/12] s390/uaccess: " Thomas Gleixner
2025-10-28 13:54 ` Mathieu Desnoyers
2025-10-27 8:43 ` [patch V5 07/12] uaccess: Provide scoped user access regions Thomas Gleixner
2025-10-28 14:11 ` Mathieu Desnoyers
2025-11-04 6:20 ` Christophe Leroy
2025-11-07 19:17 ` David Laight
2025-10-27 8:43 ` [patch V5 08/12] uaccess: Provide put/get_user_inline() Thomas Gleixner
2025-10-28 14:12 ` Mathieu Desnoyers
2025-11-04 6:30 ` Christophe Leroy
2025-10-27 8:43 ` [patch V5 09/12] [RFC] coccinelle: misc: Add scoped_masked_$MODE_access() checker script Thomas Gleixner
2025-10-27 8:44 ` [patch V5 10/12] futex: Convert to get/put_user_inline() Thomas Gleixner
2025-10-28 14:24 ` Mathieu Desnoyers
2025-10-28 15:56 ` Thomas Gleixner
2025-10-28 16:02 ` Mathieu Desnoyers
2025-10-28 16:13 ` Linus Torvalds
2025-11-04 6:31 ` Christophe Leroy
2025-10-27 8:44 ` [patch V5 11/12] x86/futex: Convert to scoped user access Thomas Gleixner
2025-10-27 8:44 ` [patch V5 12/12] select: " Thomas Gleixner
2025-10-28 14:42 ` Mathieu Desnoyers
2025-11-04 6:32 ` Christophe Leroy
2025-10-27 15:53 ` [patch V5 00/12] uaccess: Provide and use scopes for " Linus Torvalds
2025-10-29 10:23 ` Peter Zijlstra
2025-11-03 14:46 ` Peter Zijlstra
2025-11-04 6:35 ` Christophe Leroy
2025-12-19 8:10 ` patchwork-bot+linux-riscv
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=14010da0-9fba-4627-a499-e71034cd9bac@csgroup.eu \
--to=christophe.leroy@csgroup.eu \
--cc=Julia.Lawall@inria.fr \
--cc=andrealmeid@igalia.com \
--cc=andrew.cooper3@citrix.com \
--cc=borntraeger@linux.ibm.com \
--cc=brauner@kernel.org \
--cc=dave@stgolabs.net \
--cc=david.laight.linux@gmail.com \
--cc=dvhart@infradead.org \
--cc=hca@linux.ibm.com \
--cc=jack@suse.cz \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=lkp@intel.com \
--cc=maddy@linux.ibm.com \
--cc=mathieu.desnoyers@efficios.com \
--cc=mpe@ellerman.id.au \
--cc=nicolas.palix@imag.fr \
--cc=npiggin@gmail.com \
--cc=palmer@dabbelt.com \
--cc=peterz@infradead.org \
--cc=pjw@kernel.org \
--cc=svens@linux.ibm.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox