Re: [RFC][PATCH 01/22] x86 user stack frame reads: switch to explicit __get_user()

From: Al Viro
Date: Sat Mar 28 2020 - 07:59:45 EST

Next message: Jules Irenge: "Re: [PATCH 10/10] trace: Replace printk and WARN_ON with WARN"
Previous message: Dave Young: "Re: [PATCH] swiotlb: Allow swiotlb to live at pre-defined address"
In reply to: Ingo Molnar: "Re: [RFC][PATCH 01/22] x86 user stack frame reads: switch to explicit __get_user()"
Next in thread: Ingo Molnar: "Re: [RFC][PATCH 01/22] x86 user stack frame reads: switch to explicit __get_user()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Mar 28, 2020 at 11:48:57AM +0100, Ingo Molnar wrote:
>
> * Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
>
> > From: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> >
> > rather than relying upon the magic in raw_copy_from_user()
>
> > - bytes = __copy_from_user_nmi(&frame.next_frame, fp, 4);
> > - if (bytes != 0)
> > + if (__get_user(frame.next_frame, &fp->next_frame))
> > break;
> > - bytes = __copy_from_user_nmi(&frame.return_address, fp+4, 4);
> > - if (bytes != 0)
> > + if (__get_user(frame.return_address, &fp->return_address))
> > break;
>
> Just wondering about the long term plan here: we have unsafe_get_user()
> as a wrapper around __get_user(),

Not on x86; that wrapper is the fallback for architectures without
non-trivial user_access_begin/user_access_end

> but the __get_user() API doesn't carry
> the 'unsafe' tag yet.
>
> Should we add an __unsafe_get_user() alias to it perhaps, and use it in
> all code that adds it, like the chunk above? Or rename it to
> __unsafe_get_user() outright? No change to the logic, but it would be
> more obvious what code has inherited old __get_user() uses and which code
> uses __unsafe_get_user() intentionally.
>
> Even after your series there's 700 uses of __get_user(), so it would make
> sense to make a distinction in name at least and tag all unsafe APIs with
> an 'unsafe_' prefix.

"unsafe" != "lacks access_ok", it's "done under user_access_begin".
And this series is just a part of much bigger pile.

FWIW, with the currently linearized part I see 26 users in arch/x86 and
108 - outside of arch/*. With 43 of the latter supplied by the sodding
comedi_compat32.c, which needs to be rewritten anyway (or git rm'ed,
for that matter)...

We'll get there; the tricky part is the ones that come in pair with
something other than access_ok() in the first place (many of those
are KVM-related, but not all such are).

This part had been more about untangling uaccess_try stuff,,,

Next message: Jules Irenge: "Re: [PATCH 10/10] trace: Replace printk and WARN_ON with WARN"
Previous message: Dave Young: "Re: [PATCH] swiotlb: Allow swiotlb to live at pre-defined address"
In reply to: Ingo Molnar: "Re: [RFC][PATCH 01/22] x86 user stack frame reads: switch to explicit __get_user()"
Next in thread: Ingo Molnar: "Re: [RFC][PATCH 01/22] x86 user stack frame reads: switch to explicit __get_user()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]