> -----Original Message----- > From: David Laight > Sent: 31 March 2020 14:52 > To: Linux Kernel Mailing List <linux-kernel@xxxxxxxxxxxxxxx> > Cc: netdev@xxxxxxxxxxxxxxx > Subject: [RFC PATCH 00/12] Changes to code that reads iovec from userspace > > This is RFC because we seem to be in a merge window. > > The canonical code to read iov[] is currently: > struct iovec iovstack[UIO_FASTIOV]; > struct iovec *iov; > ... > iov = iovstack; > rc = import_iovec(..., UIO_FASTIOV, &iov, &iter); > if (rc < 0) > return rc; > ... > kfree(iov); > > Note that the 'iov' parameter is used for two different things. > On input it is an iov[] can can be used. > On output it is an iov[] array that must be freed. > > If 'iovstack' is passed, the count is actually always UIO_FASTIOV (8) > although in some places the array definition is in a different file > (never mind function) from the constant used. > > import_iovec() itself is just a wrapper to rw_copy_check_uvector(). > So everything is passed through to a second function. > Several items are 'passed by reference' - adding to the code paths. > > On success import_iovec() returned the transfer count. > Only one caller looks at it, the count is also in iter.count. > > The new canonical code is: > struct iov_cache cache; > struct iovec *iov; > ... > iov = iovec_import(..., &cache, &iter); > if (IS_ERR(iov)) > return PTR_ERR(iov); > ... > kfree(iov); > > Since 'struct iov_cache' is a fixed size there is no need to pass in > a length (correct or not!). It can still be NULL (used by the scsi code). > > iovec_import() contains the code that used to be in rw_copy_check_uvector() > and then sets up the iov_iter. > > rw_copy_check_uvector() is no more. > The only other caller was in mm/process_vm_access.c when reading the > iov[] for the target process addresses when copying from a differ process. > This can extract the iov[] from an extra 'struct iov_iter'. > > In passing I noticed an access_ok() call on each fragment. > I hope this is just there to bail out early! > It is also skipped in process_vm_rw(). I did a quick look but couldn't > see an obvious equivalent check. > > Patches 1 and 2 tidy up existing code. > Patches 3 and 4 add the new interface. > Patches 5 through 10 change all the callers. > Patch 11 removes a 'hack' that allowed fs/io_uring be updated before the socket code. > Patch 12 removes the old interface. > > I suspect the changes need to trickle through a merge window. > > David - Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK Registration No: 1397386 (Wales)
