From: Al Viro <viro@zeniv.linux.org.uk>
To: Ingo Molnar <mingo@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Thomas Gleixner <tglx@linutronix.de>,
x86@kernel.org, linux-kernel@vger.kernel.org,
Borislav Petkov <bp@alien8.de>
Subject: Re: [RFC][PATCH 01/22] x86 user stack frame reads: switch to explicit __get_user()
Date: Sat, 28 Mar 2020 11:59:36 +0000 [thread overview]
Message-ID: <20200328115936.GA23230@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20200328104857.GA93574@gmail.com>
On Sat, Mar 28, 2020 at 11:48:57AM +0100, Ingo Molnar wrote:
>
> * Al Viro <viro@ZenIV.linux.org.uk> wrote:
>
> > From: Al Viro <viro@zeniv.linux.org.uk>
> >
> > rather than relying upon the magic in raw_copy_from_user()
>
> > - bytes = __copy_from_user_nmi(&frame.next_frame, fp, 4);
> > - if (bytes != 0)
> > + if (__get_user(frame.next_frame, &fp->next_frame))
> > break;
> > - bytes = __copy_from_user_nmi(&frame.return_address, fp+4, 4);
> > - if (bytes != 0)
> > + if (__get_user(frame.return_address, &fp->return_address))
> > break;
>
> Just wondering about the long term plan here: we have unsafe_get_user()
> as a wrapper around __get_user(),
Not on x86; that wrapper is the fallback for architectures without
non-trivial user_access_begin/user_access_end
> but the __get_user() API doesn't carry
> the 'unsafe' tag yet.
>
> Should we add an __unsafe_get_user() alias to it perhaps, and use it in
> all code that adds it, like the chunk above? Or rename it to
> __unsafe_get_user() outright? No change to the logic, but it would be
> more obvious what code has inherited old __get_user() uses and which code
> uses __unsafe_get_user() intentionally.
>
> Even after your series there's 700 uses of __get_user(), so it would make
> sense to make a distinction in name at least and tag all unsafe APIs with
> an 'unsafe_' prefix.
"unsafe" != "lacks access_ok", it's "done under user_access_begin".
And this series is just a part of much bigger pile.
FWIW, with the currently linearized part I see 26 users in arch/x86 and
108 - outside of arch/*. With 43 of the latter supplied by the sodding
comedi_compat32.c, which needs to be rewritten anyway (or git rm'ed,
for that matter)...
We'll get there; the tricky part is the ones that come in pair with
something other than access_ok() in the first place (many of those
are KVM-related, but not all such are).
This part had been more about untangling uaccess_try stuff,,,
next prev parent reply other threads:[~2020-03-28 11:59 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-23 18:36 [RFC][PATCHSET] x86 uaccess cleanups Al Viro
2020-03-23 18:37 ` [RFC][PATCH 01/22] x86 user stack frame reads: switch to explicit __get_user() Al Viro
2020-03-23 18:37 ` [RFC][PATCH 02/22] x86 kvm page table walks: " Al Viro
2020-03-23 18:38 ` [RFC][PATCH 03/22] x86: switch sigframe sigset handling to explict __get_user()/__put_user() Al Viro
2020-03-23 18:38 ` [RFC][PATCH 04/22] x86: get rid of small constant size cases in raw_copy_{to,from}_user() Al Viro
2020-03-23 18:38 ` [RFC][PATCH 05/22] vm86: get rid of get_user_ex() use Al Viro
2020-03-23 18:38 ` [RFC][PATCH 06/22] x86: get rid of get_user_ex() in ia32_restore_sigcontext() Al Viro
2020-03-23 18:38 ` [RFC][PATCH 07/22] x86: get rid of get_user_ex() in restore_sigcontext() Al Viro
2020-03-23 18:38 ` [RFC][PATCH 08/22] x86: kill get_user_{try,catch,ex} Al Viro
2020-03-23 18:38 ` [RFC][PATCH 09/22] x86: switch save_v86_state() to unsafe_put_user() Al Viro
2020-03-23 18:38 ` [RFC][PATCH 10/22] x86: switch setup_sigcontext() " Al Viro
2020-03-23 18:38 ` [RFC][PATCH 11/22] x86: switch ia32_setup_sigcontext() " Al Viro
2020-03-23 18:38 ` [RFC][PATCH 12/22] x86: get rid of put_user_try in {ia32,x32}_setup_rt_frame() Al Viro
2020-03-23 18:38 ` [RFC][PATCH 13/22] x86: ia32_setup_sigcontext(): lift user_access_{begin,end}() into the callers Al Viro
2020-03-23 18:53 ` Linus Torvalds
2020-03-23 21:42 ` Al Viro
2020-03-23 18:38 ` [RFC][PATCH 14/22] x86: ia32_setup_frame(): consolidate uaccess areas Al Viro
2020-03-23 18:38 ` [RFC][PATCH 15/22] x86: ia32_setup_rt_frame(): " Al Viro
2020-03-23 18:38 ` [RFC][PATCH 16/22] x86: get rid of put_user_try in __setup_rt_frame() (both 32bit and 64bit) Al Viro
2020-03-23 18:38 ` [RFC][PATCH 17/22] x86: setup_sigcontext(): list user_access_{begin,end}() into callers Al Viro
2020-03-23 18:56 ` Linus Torvalds
2020-03-23 18:38 ` [RFC][PATCH 18/22] x86: __setup_frame(): consolidate uaccess areas Al Viro
2020-03-23 18:38 ` [RFC][PATCH 19/22] x86: __setup_rt_frame(): " Al Viro
2020-03-23 18:38 ` [RFC][PATCH 20/22] x86: x32_setup_rt_frame(): " Al Viro
2020-03-23 18:38 ` [RFC][PATCH 21/22] x86: unsafe_put_... macros for sigcontext and sigmask Al Viro
2020-03-23 18:38 ` [RFC][PATCH 22/22] kill uaccess_try() Al Viro
2020-03-24 15:15 ` [RFC][PATCH 01/22] x86 user stack frame reads: switch to explicit __get_user() Peter Zijlstra
2020-03-28 10:48 ` Ingo Molnar
2020-03-28 11:59 ` Al Viro [this message]
2020-03-29 9:26 ` Ingo Molnar
2020-03-29 16:50 ` Andy Lutomirski
2020-03-29 17:05 ` Linus Torvalds
2020-03-29 17:41 ` David Laight
2020-03-29 17:56 ` Linus Torvalds
2020-03-29 18:03 ` David Laight
2020-03-29 18:16 ` Linus Torvalds
2020-03-29 18:32 ` David Laight
2020-03-29 18:55 ` Linus Torvalds
2020-03-29 21:21 ` Andy Lutomirski
2020-03-29 22:06 ` Linus Torvalds
2020-03-29 22:12 ` Linus Torvalds
2020-03-29 18:16 ` Al Viro
2020-03-29 18:19 ` Linus Torvalds
2020-03-29 17:57 ` Al Viro
2020-03-30 15:54 ` David Laight
2020-03-23 19:16 ` [RFC][PATCHSET] x86 uaccess cleanups Linus Torvalds
2020-03-27 2:24 ` [RFC][PATCHSET v2] " Al Viro
2020-03-27 2:26 ` Al Viro
2020-03-27 2:30 ` Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 01/22] x86 user stack frame reads: switch to explicit __get_user() Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 02/22] x86 kvm page table walks: " Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 03/22] x86: switch sigframe sigset handling to explict __get_user()/__put_user() Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 04/22] x86: get rid of small constant size cases in raw_copy_{to,from}_user() Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 05/22] vm86: get rid of get_user_ex() use Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 06/22] x86: get rid of get_user_ex() in ia32_restore_sigcontext() Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 07/22] x86: get rid of get_user_ex() in restore_sigcontext() Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 08/22] x86: kill get_user_{try,catch,ex} Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 09/22] x86: switch save_v86_state() to unsafe_put_user() Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 10/22] x86: switch setup_sigcontext() " Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 11/22] x86: switch ia32_setup_sigcontext() " Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 12/22] x86: get rid of put_user_try in {ia32,x32}_setup_rt_frame() Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 13/22] x86: ia32_setup_sigcontext(): lift user_access_{begin,end}() into the callers Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 14/22] x86: ia32_setup_frame(): consolidate uaccess areas Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 15/22] x86: ia32_setup_rt_frame(): " Al Viro
2020-03-27 2:31 ` [RFC][PATCH v2 16/22] x86: get rid of put_user_try in __setup_rt_frame() (both 32bit and 64bit) Al Viro
2020-03-27 2:32 ` [RFC][PATCH v2 17/22] x86: setup_sigcontext(): list user_access_{begin,end}() into callers Al Viro
2020-03-27 2:32 ` [RFC][PATCH v2 18/22] x86: __setup_frame(): consolidate uaccess areas Al Viro
2020-03-27 2:32 ` [RFC][PATCH v2 19/22] x86: __setup_rt_frame(): " Al Viro
2020-03-27 2:32 ` [RFC][PATCH v2 20/22] x86: x32_setup_rt_frame(): " Al Viro
2020-03-27 2:32 ` [RFC][PATCH v2 21/22] x86: unsafe_put-style macro for sigmask Al Viro
2020-03-27 2:32 ` [RFC][PATCH v2 22/22] kill uaccess_try() Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200328115936.GA23230@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=bp@alien8.de \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox