On Tue, Jan 8, 2019 at 8:31 PM Michael S. Tsirkin <mst@xxxxxxxxxx> wrote:
>
> Linus, given that you just changed all users of access_ok anyway, do
> you still think that the access_ok() conversion to return a speculation
> sanitized pointer or NULL is too big a conversion?

I didn't actually change a single access_ok(). I changed the (very few) users of "user_access_begin()" to do an access_ok() in them. There were 8 of them total.

It turns out that two of those cases (the strn*_user() ones) found bugs in the implementation of access_ok() of two architectures, and then looking at the others found that six more architectures also had problems, but those weren't actually because of any access_ok() changes, they were pre-existing issues.

So we definitely had unfortunate bugs in access_ok(), but they were mostly the benign kind (i.e. the "use arguments twice" one - a real potential bug, but not one that actually likely makes any difference to existing users).

Changing all 600+ users of access_ok() would be painful.

That said, one thing I *would* like to do is to just get rid of __get_user() and __put_user() entirely. Or rather, just make them do exactly the same thing that the normal "get_user()"/"put_user()" functions do.

And then, _within_ the case of get_user()/put_user(), doing the access_ok() as a data dependency rather than a lfence should be easy enough.

Linus
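The two ideas in the message above, an access_ok() whose result is a data dependency of the pointer instead of a branch followed by an lfence, and the "use arguments twice" macro bug that the audit turned up, are shown side by side below. This is an added, constructed userspace illustration, not Linus's code or any kernel tree's access_ok(): USER_ADDR_LIMIT stands in for TASK_SIZE_MAX, and access_ok_branch, access_ok_fenced, mask_user_ptr, ACCESS_OK_MACRO and the eval-counting helpers are all names invented here. It assumes a 64-bit build and a GCC/Clang compiler (for __builtin_add_overflow and the inline asm).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-in for the kernel's user-address ceiling (on x86-64,
 * TASK_SIZE_MAX is (1 << 47) - PAGE_SIZE). A range [ptr, ptr + size) is a
 * valid user range iff ptr + size does not wrap and ptr + size <= LIMIT.
 * 64-bit pointers are assumed throughout.
 */
#define USER_ADDR_LIMIT ((uintptr_t)0x00007ffffffff000ULL)
#define PTR_MSB (sizeof(uintptr_t) * 8 - 1)

/* 1. The classic access_ok(): a range check that compiles to a branch. */
static inline bool access_ok_branch(uintptr_t ptr, size_t size)
{
    uintptr_t end;
    if (__builtin_add_overflow(ptr, size, &end))
        return false;                       /* wrapped around the address space */
    return end <= USER_ADDR_LIMIT;
}

/*
 * 2. Branch plus speculation barrier. Until the branch resolves, the CPU may
 *    speculatively run the "ok" path with a kernel pointer; an lfence on that
 *    path keeps the speculative window from reaching the user access.
 */
static inline uintptr_t access_ok_fenced(uintptr_t ptr, size_t size)
{
    if (!access_ok_branch(ptr, size))
        return 0;
#if defined(__x86_64__) || defined(__i386__)
    __asm__ __volatile__("lfence" ::: "memory");   /* what barrier_nospec() emits on x86 */
#else
    __asm__ __volatile__("" ::: "memory");         /* compiler barrier only, for other ISAs */
#endif
    return ptr;
}

/*
 * 3. The check as a data dependency: no branch at all. Validity is computed
 *    with plain integer arithmetic (carry-out of ptr + size, borrow-out of
 *    LIMIT - end), expanded into an all-ones/all-zeros mask and ANDed into
 *    the pointer. The later access depends on the check's result through the
 *    data itself, so there is nothing for the branch predictor to mispredict,
 *    and an out-of-range pointer becomes NULL. A kernel would write this as
 *    cmp/sbb in inline asm so the compiler cannot turn it back into a branch.
 */
static inline uintptr_t mask_user_ptr(uintptr_t ptr, size_t size)
{
    uintptr_t end = ptr + size;
    uintptr_t carry = ((ptr & size) | ((ptr | size) & ~end)) >> PTR_MSB;
    uintptr_t diff = USER_ADDR_LIMIT - end;
    uintptr_t borrow = ((~USER_ADDR_LIMIT & end) |
                        ((~USER_ADDR_LIMIT | end) & diff)) >> PTR_MSB;
    uintptr_t bad = carry | borrow;         /* 1 iff the range is not a user range */
    uintptr_t mask = bad - 1;               /* bad=1 -> 0, bad=0 -> all ones */
    return ptr & mask;
}

/*
 * 4. The "use arguments twice" class of bug: a macro that names an argument
 *    more than once evaluates any side effect in it more than once. This
 *    macro is a constructed illustration, not any architecture's access_ok().
 */
#define ACCESS_OK_MACRO(addr, size) \
    ((addr) <= USER_ADDR_LIMIT && (size) <= USER_ADDR_LIMIT - (addr))

static int eval_count;
static uintptr_t next_user_ptr(void) { eval_count++; return 0x1000; }

int evals_with_macro(void)
{
    eval_count = 0;
    (void)ACCESS_OK_MACRO(next_user_ptr(), 16);
    return eval_count;                      /* 2: the argument ran twice */
}

int evals_with_function(void)
{
    eval_count = 0;
    (void)access_ok_branch(next_user_ptr(), 16);
    return eval_count;                      /* 1: a function evaluates it once */
}

int main(void)
{
    /* constructed sample addresses: user, edge of the limit, kernel, wrapping */
    uintptr_t samples[] = { 0x1000, USER_ADDR_LIMIT - 16, USER_ADDR_LIMIT - 15,
                            (uintptr_t)0xffff888000001000ULL, UINTPTR_MAX - 3 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%#018lx: branch=%d fenced=%#lx masked=%#lx\n",
               (unsigned long)samples[i], access_ok_branch(samples[i], 16),
               (unsigned long)access_ok_fenced(samples[i], 16),
               (unsigned long)mask_user_ptr(samples[i], 16));
    printf("macro evaluated its argument %d times, the function %d\n",
           evals_with_macro(), evals_with_function());
    return 0;
}
```

The three variants agree on every input; the difference is only in what the CPU can do before the check resolves. A compiler is free to lower the comparisons in mask_user_ptr to a conditional branch, which is why this shape only counts as a real mitigation when the cmp/sbb sequence is pinned down in assembly.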