From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.2 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D8E25C43331 for ; Fri, 6 Sep 2019 00:16:57 +0000 (UTC) Received: from lists.ozlabs.org (lists.ozlabs.org [203.11.71.2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 8BA4D206DE for ; Fri, 6 Sep 2019 00:16:57 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 8BA4D206DE Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=zeniv.linux.org.uk Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Received: from bilbo.ozlabs.org (lists.ozlabs.org [IPv6:2401:3900:2:1::3]) by lists.ozlabs.org (Postfix) with ESMTP id 46PdQv2qvFzDr82 for ; Fri, 6 Sep 2019 10:16:55 +1000 (AEST) Authentication-Results: lists.ozlabs.org; spf=none (mailfrom) smtp.mailfrom=ftp.linux.org.uk (client-ip=195.92.253.2; helo=zeniv.linux.org.uk; envelope-from=viro@ftp.linux.org.uk; receiver=) Authentication-Results: lists.ozlabs.org; dmarc=none (p=none dis=none) header.from=zeniv.linux.org.uk Received: from ZenIV.linux.org.uk (zeniv.linux.org.uk [195.92.253.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 46PdNl4y0wzDqkT for ; Fri, 6 Sep 2019 10:15:03 +1000 (AEST) Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92.1 #3 (Red Hat Linux)) id 1i61tX-00047s-6A; Fri, 06 Sep 2019 00:14:31 +0000 Date: Fri, 6 Sep 2019 01:14:31 +0100 From: Al Viro To: Aleksa Sarai Subject: Re: [PATCH v12 01/12] lib: introduce copy_struct_{to,from}_user helpers Message-ID: <20190906001431.GU1131@ZenIV.linux.org.uk> References: <20190904201933.10736-1-cyphar@cyphar.com> <20190904201933.10736-2-cyphar@cyphar.com> <20190905180750.GQ1131@ZenIV.linux.org.uk> <20190905230003.bek7vqdvruzi4ybx@yavin.dot.cyphar.com> <20190905234944.GT1131@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190905234944.GT1131@ZenIV.linux.org.uk> User-Agent: Mutt/1.12.0 (2019-05-25) X-BeenThere: linuxppc-dev@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux on PowerPC Developers Mail List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-ia64@vger.kernel.org, linux-sh@vger.kernel.org, Peter Zijlstra , Rasmus Villemoes , Alexei Starovoitov , linux-kernel@vger.kernel.org, David Howells , linux-kselftest@vger.kernel.org, sparclinux@vger.kernel.org, Jiri Olsa , linux-arch@vger.kernel.org, linux-s390@vger.kernel.org, Tycho Andersen , Aleksa Sarai , Shuah Khan , Alexander Shishkin , Ingo Molnar , linux-arm-kernel@lists.infradead.org, linux-mips@vger.kernel.org, linux-xtensa@linux-xtensa.org, Kees Cook , Arnd Bergmann , Jann Horn , linuxppc-dev@lists.ozlabs.org, linux-m68k@lists.linux-m68k.org, Andy Lutomirski , Shuah Khan , Namhyung Kim , David Drysdale , Christian Brauner , "J. Bruce Fields" , linux-parisc@vger.kernel.org, linux-api@vger.kernel.org, Chanho Min , Jeff Layton , Oleg Nesterov , Eric Biederman , linux-alpha@vger.kernel.org, linux-fsdevel@vger.kernel.org, Andrew Morton , Linus Torvalds , containers@lists.linux-foundation.org Errors-To: linuxppc-dev-bounces+linuxppc-dev=archiver.kernel.org@lists.ozlabs.org Sender: "Linuxppc-dev" On Fri, Sep 06, 2019 at 12:49:44AM +0100, Al Viro wrote: > On Fri, Sep 06, 2019 at 09:00:03AM +1000, Aleksa Sarai wrote: > > > > + return -EFAULT; > > > > + } > > > > + /* Copy the interoperable parts of the struct. */ > > > > + if (__copy_to_user(dst, src, size)) > > > > + return -EFAULT; > > > > > > Why not simply clear_user() and copy_to_user()? > > > > I'm not sure I understand what you mean -- are you asking why we need to > > do memchr_inv(src + size, 0, rest) earlier? > > I'm asking why bother with __ and separate access_ok(). > > > > if ((unsigned long)addr & 1) { > > > u8 v; > > > if (get_user(v, (__u8 __user *)addr)) > > > return -EFAULT; > > > if (v) > > > return -E2BIG; > > > addr++; > > > } > > > if ((unsigned long)addr & 2) { > > > u16 v; > > > if (get_user(v, (__u16 __user *)addr)) > > > return -EFAULT; > > > if (v) > > > return -E2BIG; > > > addr +=2; > > > } > > > if ((unsigned long)addr & 4) { > > > u32 v; > > > if (get_user(v, (__u32 __user *)addr)) > > > return -EFAULT; > > > if (v) > > > return -E2BIG; > > > } > > > > > Actually, this is a dumb way to do it - page size on anything > is going to be a multiple of 8, so you could just as well > read 8 bytes from an address aligned down. Then mask the > bytes you don't want to check out and see if there's anything > left. > > You can have readability boundaries inside a page - it's either > the entire page (let alone a single word) being readable, or > it's EFAULT for all parts. > > > > would be saner, and things like x86 could trivially add an > > > asm variant - it's not hard. Incidentally, memchr_inv() is > > > an overkill in this case... > > > > Why is memchr_inv() overkill? > > Look at its implementation; you only care if there are > non-zeroes, you don't give a damn where in the buffer > the first one would be. All you need is the same logics > as in "from userland" case > if (!count) > return true; > offset = (unsigned long)from & 7 > p = (u64 *)(from - offset); > v = *p++; > if (offset) { // unaligned > count += offset; > v &= ~aligned_byte_mask(offset); // see strnlen_user.c > } > while (count > 8) { > if (v) > return false; > v = *p++; > count -= 8; > } > if (count != 8) > v &= aligned_byte_mask(count); > return v == 0; > > All there is to it... ... and __user case would be pretty much this with if (user_access_begin(from, count)) { .... user_access_end(); } wrapped around the damn thing - again, see strnlen_user.c, with unsafe_get_user(v, p++, efault); instead of those v = *p++; Calling conventions might need some thinking - it might be * all read, all zeroes * non-zero found * read failed so we probably want to map the "all zeroes" case to 0, "read failed" to -EFAULT and "non-zero found" to something else. Might be positive, might be some other -E.... - not sure if E2BIG (or EFBIG) makes much sense here. Need to look at the users...