On Sun, Oct 06, 2019 at 07:06:19PM -0700, Linus Torvalds wrote:
> On Sun, Oct 6, 2019 at 6:24 PM Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
> >
> > Ugh... I wonder if it would be better to lift STAC/CLAC out of
> > raw_copy_to_user(), rather than trying to reinvent its guts
> > in readdir.c...
>
> Yeah, I suspect that's the best option.
>
> Do something like
>
> - lift STAC/CLAC out of raw_copy_to_user
>
> - rename it to unsafe_copy_to_user
>
> - create a new raw_copy_to_user that is just unsafe_copy_to_user()
> with the STAC/CLAC around it.
>
> and the end result would actually be cleaner than what we have now
> (which duplicates that STAC/CLAC for each size case etc).
>
> And then for the "architecture doesn't have user_access_begin/end()"
> fallback case, we just do
>
> #define unsafe_copy_to_user raw_copy_to_user

Callers of raw_copy_to_user():

arch/hexagon/mm/uaccess.c:27: uncleared = raw_copy_to_user(dest, &empty_zero_page, PAGE_SIZE);
arch/hexagon/mm/uaccess.c:34: count = raw_copy_to_user(dest, &empty_zero_page, count);
arch/powerpc/kvm/book3s_64_mmu_radix.c:68: ret = raw_copy_to_user(to, from, n);
arch/s390/include/asm/uaccess.h:150: size = raw_copy_to_user(ptr, x, size);
include/asm-generic/uaccess.h:145: return unlikely(raw_copy_to_user(ptr, x, size)) ? -EFAULT : 0;
include/linux/uaccess.h:93: return raw_copy_to_user(to, from, n);
include/linux/uaccess.h:102: return raw_copy_to_user(to, from, n);
include/linux/uaccess.h:131: n = raw_copy_to_user(to, from, n);
lib/iov_iter.c:142: n = raw_copy_to_user(to, from, n);
lib/usercopy.c:28: n = raw_copy_to_user(to, from, n);

Out of those, only __copy_to_user_inatomic(), __copy_to_user(), _copy_to_user() and iov_iter.c:copyout() can be called on any architecture. The last two should just do user_access_begin()/user_access_end() instead of access_ok().

__copy_to_user_inatomic() has very few callers as well:

arch/mips/kernel/unaligned.c:1307: res = __copy_to_user_inatomic(addr, fpr, sizeof(*fpr));
drivers/gpu/drm/i915/i915_gem.c:345: unwritten = __copy_to_user_inatomic(user_data,
lib/test_kasan.c:471: unused = __copy_to_user_inatomic(usermem, kmem, size + 1);
mm/maccess.c:98: ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);

So few, in fact, that I wonder if we want to keep it at all; the only thing stopping me from "let's remove it" is that I don't understand the i915 side of things. Where does it do an equivalent of access_ok()? And the mm/maccess.c one is __probe_kernel_write(), so presumably we don't want stac/clac there at all...

So do we want to bother with separation between raw_copy_to_user() and unsafe_copy_to_user()? After all, __copy_to_user() also has only a few callers, most of them in arch/*

I'll take a look into that tomorrow - half-asleep right now...
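Added example (mine, not code from this thread or from the kernel): a small userspace model of the layering Linus describes, where a flag stands in for the AC bit that STAC/CLAC toggle, unsafe_copy_to_user() carries no STAC/CLAC of its own, raw_copy_to_user() is that function wrapped in a begin/end pair, and a readdir-style loop pays for one window per batch. The function names mirror the kernel's but are stand-ins; a copy attempted outside a user_access_begin()/user_access_end() window is counted as a misuse instead of faulting.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Model of the AC bit: set by user_access_begin() (STAC), cleared by
 * user_access_end() (CLAC). Real hardware faults on a user access while
 * it is clear; this model counts the attempt instead. */
static bool user_access_open;
static int  unsafe_misuse_count;

static void user_access_begin(void) { user_access_open = true; }
static void user_access_end(void)   { user_access_open = false; }

/* No STAC/CLAC here: the caller must already hold an open window.
 * Returns bytes not copied, like the kernel helper it models. */
static size_t unsafe_copy_to_user(void *to, const void *from, size_t n)
{
	if (!user_access_open) {
		unsafe_misuse_count++;
		return n;			/* nothing copied */
	}
	memcpy(to, from, n);
	return 0;
}

/* raw_copy_to_user() becomes unsafe_copy_to_user() with the window around it.
 * On an arch without user_access_begin/end() the thread's fallback is
 * "#define unsafe_copy_to_user raw_copy_to_user", i.e. the two collapse. */
static size_t raw_copy_to_user(void *to, const void *from, size_t n)
{
	user_access_begin();
	size_t left = unsafe_copy_to_user(to, from, n);
	user_access_end();
	return left;
}

/* readdir-style batch: one begin/end around all records rather than one
 * STAC/CLAC pair per record. Returns 0 or -1 (-EFAULT in the kernel). */
static int emit_records(char *ubuf, const char *recs, size_t reclen, size_t nrecs)
{
	int ret = 0;
	user_access_begin();
	for (size_t i = 0; i < nrecs && ret == 0; i++)
		if (unsafe_copy_to_user(ubuf + i * reclen, recs + i * reclen, reclen))
			ret = -1;
	user_access_end();
	return ret;
}

/* Self-check on constructed data: 1 if every layer behaves as intended. */
static int selfcheck(void)
{
	char src[8] = "abcdefg", dst[8] = {0};
	if (raw_copy_to_user(dst, src, 8) != 0 || memcmp(dst, src, 8)) return 0;
	if (user_access_open) return 0;		/* window closed again */
	memset(dst, 0, 8);
	if (emit_records(dst, src, 4, 2) != 0 || memcmp(dst, src, 8)) return 0;
	if (user_access_open) return 0;
	/* misuse: unsafe variant called with no window open */
	if (unsafe_copy_to_user(dst, src, 8) != 8 || unsafe_misuse_count != 1) return 0;
	return 1;
}
```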