From: Al Viro <viro@ZenIV.linux.org.uk>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: David Miller <davem@davemloft.net>,
Network Development <netdev@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] situation with csum_and_copy_... API
Date: Wed, 19 Nov 2014 21:17:13 +0000 [thread overview]
Message-ID: <20141119211712.GD7996@ZenIV.linux.org.uk> (raw)
In-Reply-To: <CA+55aFyQR2gOzEDROcWFcQzLvTjOxyJRjFJXJ03JB5knd-Gsgg@mail.gmail.com>
On Wed, Nov 19, 2014 at 12:40:53PM -0800, Linus Torvalds wrote:
> On Wed, Nov 19, 2014 at 12:31 PM, David Miller <davem@davemloft.net> wrote:
> >
> > But that is just my opinion, and yes I do acknowledge that we've had
> > serious holes in this area in the past.
>
> The serious holes have generally been exactly in the "upper layers
> already check" camp, and then it turns out that some odd ioctl or
> other thing ends up doing something odd and interesting.
>
> If Al has actual performance profiles showing that the access_ok() is
> a real problem, then fine. As a low-level optimization, I agree with
> it. But not as a "let's just drop them, and make the security rules be
> non-local and subtle, and require people to know the details of the
> whole call-chain".
>
> Seeing a "__get_user()" and just being able to glance up in the same
> function and seeing the "access_ok()" is just a good safety net. And
> means that people don't have to waste time thinking about or looking
> for where the hell the security net really is.
Umm... It's not quite that bad - the thing is, for iov_iter-net series
we'll need copy_and_csum_{to,from}_iter() anyway and for iovec-backed
iov_iter instances we already ask the iovec to be validated wrt access_ok().
And this validation (already done by rw_copy_check_uvector()) is going to
be next to iov_iter_init() setting the iov_iter up.
Moreover, I'm planning to take iov_iter_init() into rw_copy_check_uvector().
That way setting ->iov is done from the same function that has just checked
all ranges. If you look at the callers, you'll see that almost all of them
are directly followed by iov_iter_init() and folding it in is a fairly
obvious cleanup.
The thing is, with ..._iter() variants added we are left with no other
in-tree callers of csum_and_copy_{to,from}_user(). I agree that dropping
those access_ok() is too early at this point - the analysis of paths
by which a range can reach them is scary right now. Moreover, it mostly
parallels the changes later in the series - ones that propagate a pointer
to iov_iter put into msdghdr in place of ->msg_iov/->msg_iovlen down to
the new primitives. _After_ those steps the analysis (see the horrors in
commit message of 3/5) becomes trivial.
So whether we end up removing those access_ok() or not, this is not the
time to do so. It still might make sense in the end, but not right now.
Frankly, my preference would be to provide __csum_and_copy_...() that do
not bother with access_ok() (and do so consistently between the architectures),
and do not bother with zeroing or trying to do an accurate csum in case of
error. With uniform implementation of csum_and_copy_...() that does
access_ok(), tries to call __csum_... variant and, in case of failure,
does __copy_..._user(), zeroes the tail in the "from" one and calculates
the csum by source of destination - whichever's kernel-side. I.e. do what
ppc64 is doing. That way we get obviously safe csum_and_copy_.._user(),
and consistent __ counterparts directly used by ..._iter() primitives.
Quite a bit of complexity becomes possible to remove from asm code,
while we are at it - zeroing isn't the worst of it, contortions needed to
calculate the csum accurately in error case are often nastier. So much
that e.g. arm doesn't even bother trying.
Again, this is a separate work - I agree with you regarding the overhead
being a non-issue for existing callers, and if somebody tries e.g. to send
64K from 32K-element vector of 2-byte ranges they'll have a _lot_ of other
overhead that will drown that of those access_ok(). In normal cases the
price of copying the data itself is going to swamp that of access_ok(),
of course.
IOW, consider the access_ok() changes withdrawn for now. It's too early
in the series for them and the only reason to pull them that high in
ordering had been the fear of overhead. Which is very unlikely to be
an issue. They won't come back (if they come back at all) until the
proof of correctness becomes absolutely trivial.
next prev parent reply other threads:[~2014-11-19 21:17 UTC|newest]
Thread overview: 133+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-18 8:47 [RFC] situation with csum_and_copy_... API Al Viro
2014-11-18 19:40 ` [patches][RFC] " Al Viro
2014-11-18 19:41 ` [PATCH 1/5] separate kernel- and userland-side msghdr Al Viro
2014-11-18 19:42 ` [PATCH 2/5] {compat_,}verify_iovec(): switch to generic copying of iovecs Al Viro
2014-11-18 19:42 ` [PATCH 3/5] remove a bunch of now-pointless access_ok() in net Al Viro
2014-11-18 19:43 ` [PATCH 4/5] bury skb_copy_to_page() Al Viro
2014-11-18 19:43 ` [PATCH 5/5] fold verify_iovec() into copy_msghdr_from_user() Al Viro
2014-11-19 20:25 ` [patches][RFC] situation with csum_and_copy_... API David Miller
2014-11-18 20:49 ` [RFC] " Linus Torvalds
2014-11-18 21:23 ` Al Viro
2014-11-18 21:39 ` Linus Torvalds
2014-11-19 20:31 ` David Miller
2014-11-19 20:40 ` Linus Torvalds
2014-11-19 21:17 ` Al Viro [this message]
2014-11-19 21:17 ` David Miller
2014-11-19 21:30 ` Al Viro
2014-11-19 21:53 ` David Miller
2014-11-20 21:47 ` Al Viro
2014-11-20 21:55 ` Eric Dumazet
2014-11-20 22:25 ` Al Viro
2014-11-20 22:53 ` Eric Dumazet
2014-11-21 8:49 ` Al Viro
2014-11-21 15:01 ` Eric Dumazet
2014-11-21 17:42 ` David Laight
2014-11-21 19:39 ` Al Viro
2014-11-21 19:40 ` Linus Torvalds
2014-11-24 10:03 ` David Laight
2014-11-22 3:27 ` Al Viro
2014-11-22 3:36 ` Al Viro
2014-11-24 10:27 ` David Laight
2014-11-20 23:23 ` David Miller
2014-11-21 17:26 ` David Miller
2014-11-22 4:28 ` Al Viro
2014-11-22 4:29 ` [PATCH 01/17] new helper: skb_copy_and_csum_datagram_msg() Al Viro
2014-11-22 4:30 ` [PATCH 02/17] new helper: memcpy_from_msg() Al Viro
2014-11-22 4:30 ` [PATCH 03/17] switch ipxrtr_route_packet() from iovec to msghdr Al Viro
2014-11-22 4:31 ` [PATCH 04/17] new helper: memcpy_to_msg() Al Viro
2014-11-22 4:32 ` [PATCH 05/17] switch drivers/net/tun.c to ->read_iter() Al Viro
2014-11-22 4:32 ` [PATCH 06/17] switch macvtap " Al Viro
2014-11-23 23:29 ` Ben Hutchings
2014-11-22 4:33 ` [PATCH 07/17] new helpers: skb_copy_datagram_from_iter() and zerocopy_sg_from_iter() Al Viro
2014-11-24 0:02 ` Ben Hutchings
2014-11-24 0:29 ` Ben Hutchings
2014-11-24 5:34 ` Jason Wang
2014-11-24 10:03 ` Al Viro
2014-11-22 4:33 ` [PATCH 08/17] {macvtap,tun}_get_user(): switch to iov_iter Al Viro
2014-11-24 0:27 ` Ben Hutchings
2014-11-24 1:06 ` Ben Hutchings
2014-11-24 10:15 ` Al Viro
2014-11-22 4:34 ` [PATCH 09/17] kill zerocopy_sg_from_iovec() Al Viro
2014-11-22 4:35 ` [PATCH 10/17] switch AF_PACKET and AF_UNIX to skb_copy_datagram_from_iter() Al Viro
2014-11-22 4:36 ` PATCH 11/17] switch sctp_user_addto_chunk() and sctp_datamsg_from_user() to passing iov_iter Al Viro
2014-11-22 4:36 ` [PATCH 12/17] tipc_sendmsg(): pass msghdr instead of its ->msg_iov Al Viro
2014-11-22 4:37 ` [PATCH 13/17] tipc_msg_build(): " Al Viro
2014-11-22 4:37 ` [PATCH 14/17] vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr Al Viro
2014-11-22 4:38 ` [PATCH 15/17] [atm] switch vcc_sendmsg() to copy_from_iter() Al Viro
2014-11-22 4:38 ` [PATCH 16/17] rds: switch ->inc_copy_to_user() to passing iov_iter Al Viro
2014-11-22 4:39 ` [PATCH 17/17] rds: switch rds_message_copy_from_user() to iov_iter Al Viro
2014-11-24 2:00 ` Ben Hutchings
2014-11-24 10:17 ` Al Viro
2014-11-22 7:24 ` [RFC] situation with csum_and_copy_... API David Miller
2014-11-25 2:40 ` Al Viro
2014-11-25 14:02 ` [PATCH v2 01/17] new helper: skb_copy_and_csum_datagram_msg() Al Viro
2014-11-25 19:28 ` David Miller
2014-11-25 20:59 ` Al Viro
2014-11-26 17:27 ` David Miller
2014-12-05 5:56 ` the next chunk of iov_iter-net stuff for review Al Viro
2014-12-05 5:58 ` [PATCH 01/12] raw.c: stick msghdr into raw_frag_vec Al Viro
2014-12-05 5:58 ` [PATCH 02/12] ipv6 equivalent of "ipv4: Avoid reading user iov twice after raw_probe_proto_opt" Al Viro
2014-12-05 5:58 ` [PATCH 03/12] ip_generic_getfrag, udplite_getfrag: switch to passing msghdr Al Viro
2014-12-05 5:58 ` [PATCH 04/12] switch tcp_sock->ucopy from iovec (ucopy.iov) to msghdr (ucopy.msg) Al Viro
2014-12-05 5:58 ` [PATCH 05/12] switch l2cap ->memcpy_fromiovec() to msghdr Al Viro
2014-12-05 5:58 ` [PATCH 06/12] vmci: propagate msghdr all way down to __qp_memcpy_from_queue() Al Viro
2014-12-05 5:58 ` [PATCH 07/12] put iov_iter into msghdr Al Viro
2014-12-05 5:58 ` [PATCH 08/12] first fruits - kill l2cap ->memcpy_fromiovec() Al Viro
2014-12-05 5:58 ` [PATCH 09/12] switch memcpy_to_msg() and skb_copy{,_and_csum}_datagram_msg() to primitives Al Viro
2014-12-05 5:58 ` [PATCH 10/12] ppp_read(): switch to skb_copy_datagram_iter() Al Viro
2014-12-05 5:58 ` [PATCH 11/12] skb_copy_datagram_iovec() can die Al Viro
2014-12-05 5:58 ` [PATCH 12/12] bury memcpy_toiovec() Al Viro
2014-12-09 20:07 ` the next chunk of iov_iter-net stuff for review David Miller
2014-12-09 21:04 ` Al Viro
2014-12-09 21:17 ` David Miller
2014-12-09 21:23 ` Al Viro
2014-12-09 21:37 ` David Miller
2014-12-09 22:49 ` Al Viro
2014-12-09 22:50 ` [PATCH 01/25] iov_iter.c: macros for iterating over iov_iter Al Viro
2014-12-09 22:50 ` [PATCH 02/25] iov_iter.c: iterate_and_advance Al Viro
2014-12-09 22:50 ` [PATCH 03/25] iov_iter.c: convert iov_iter_npages() to iterate_all_kinds Al Viro
2014-12-09 22:50 ` [PATCH 04/25] iov_iter.c: convert iov_iter_get_pages() " Al Viro
2014-12-09 22:50 ` [PATCH 05/25] iov_iter.c: convert iov_iter_get_pages_alloc() " Al Viro
2014-12-09 22:50 ` [PATCH 06/25] iov_iter.c: convert iov_iter_zero() to iterate_and_advance Al Viro
2014-12-09 22:50 ` [PATCH 07/25] iov_iter.c: get rid of bvec_copy_page_{to,from}_iter() Al Viro
2014-12-09 22:50 ` [PATCH 08/25] iov_iter.c: convert copy_from_iter() to iterate_and_advance Al Viro
2014-12-09 22:50 ` [PATCH 09/25] iov_iter.c: convert copy_to_iter() " Al Viro
2014-12-09 22:50 ` [PATCH 10/25] iov_iter.c: handle ITER_KVEC directly Al Viro
2014-12-09 22:50 ` [PATCH 11/25] csum_and_copy_..._iter() Al Viro
2014-12-09 22:50 ` [PATCH 12/25] new helper: iov_iter_kvec() Al Viro
2014-12-09 22:50 ` [PATCH 13/25] copy_from_iter_nocache() Al Viro
2014-12-09 22:50 ` [PATCH 14/25] raw.c: stick msghdr into raw_frag_vec Al Viro
2014-12-09 22:50 ` [PATCH 15/25] ipv6 equivalent of "ipv4: Avoid reading user iov twice after raw_probe_proto_opt" Al Viro
2014-12-09 22:50 ` [PATCH 16/25] ip_generic_getfrag, udplite_getfrag: switch to passing msghdr Al Viro
2014-12-09 22:50 ` [PATCH 17/25] switch tcp_sock->ucopy from iovec (ucopy.iov) to msghdr (ucopy.msg) Al Viro
2014-12-09 22:50 ` [PATCH 18/25] switch l2cap ->memcpy_fromiovec() to msghdr Al Viro
2014-12-09 22:50 ` [PATCH 19/25] vmci: propagate msghdr all way down to __qp_memcpy_from_queue() Al Viro
2014-12-09 22:50 ` [PATCH 20/25] put iov_iter into msghdr Al Viro
2014-12-09 22:50 ` [PATCH 21/25] first fruits - kill l2cap ->memcpy_fromiovec() Al Viro
2014-12-09 22:50 ` [PATCH 22/25] switch memcpy_to_msg() and skb_copy{,_and_csum}_datagram_msg() to primitives Al Viro
2014-12-09 22:50 ` [PATCH 23/25] ppp_read(): switch to skb_copy_datagram_iter() Al Viro
2014-12-09 22:50 ` [PATCH 24/25] skb_copy_datagram_iovec() can die Al Viro
2014-12-09 22:50 ` [PATCH 25/25] bury memcpy_toiovec() Al Viro
2014-12-09 23:13 ` the next chunk of iov_iter-net stuff for review Al Viro
2014-12-10 18:25 ` David Miller
2014-11-25 14:02 ` [PATCH v2 02/17] new helper: memcpy_from_msg() Al Viro
2014-11-25 14:02 ` [PATCH v2 03/17] switch ipxrtr_route_packet() from iovec to msghdr Al Viro
2014-11-25 14:02 ` [PATCH v2 04/17] new helper: memcpy_to_msg() Al Viro
2014-11-25 14:02 ` [PATCH v2 05/17] switch drivers/net/tun.c to ->read_iter() Al Viro
2014-11-25 14:02 ` [PATCH v2 06/17] switch macvtap " Al Viro
2014-11-25 14:02 ` [PATCH v2 07/17] new helpers: skb_copy_datagram_from_iter() and zerocopy_sg_from_iter() Al Viro
2014-11-25 14:02 ` [PATCH v2 08/17] {macvtap,tun}_get_user(): switch to iov_iter Al Viro
2015-02-03 10:10 ` Michael S. Tsirkin
2015-02-03 14:27 ` Al Viro
2015-02-03 15:19 ` Michael S. Tsirkin
2014-11-25 14:02 ` [PATCH v2 09/17] kill zerocopy_sg_from_iovec() Al Viro
2014-11-25 14:02 ` [PATCH v2 10/17] switch AF_PACKET and AF_UNIX to skb_copy_datagram_from_iter() Al Viro
2014-11-25 14:02 ` [PATCH v2 11/17] switch sctp_user_addto_chunk() and sctp_datamsg_from_user() to passing iov_iter Al Viro
2014-11-25 14:02 ` [PATCH v2 12/17] tipc_sendmsg(): pass msghdr instead of its ->msg_iov Al Viro
2014-11-25 14:02 ` [PATCH v2 13/17] tipc_msg_build(): " Al Viro
2014-11-25 14:02 ` [PATCH v2 14/17] vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr Al Viro
2014-11-25 14:02 ` [PATCH v2 15/17] [atm] switch vcc_sendmsg() to copy_from_iter() Al Viro
2014-11-25 14:02 ` [PATCH v2 16/17] rds: switch ->inc_copy_to_user() to passing iov_iter Al Viro
2014-11-25 14:02 ` [PATCH v2 17/17] rds: switch rds_message_copy_from_user() to iov_iter Al Viro
2014-11-22 17:48 ` [RFC] situation with csum_and_copy_... API Linus Torvalds
2014-11-21 4:17 ` Nicholas A. Bellinger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141119211712.GD7996@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).