On Mon, Aug 26, 2019 at 06:20:49PM -0700, Sean Christopherson wrote: > On Mon, Aug 26, 2019 at 09:32:06AM +0300, Jarkko Sakkinen wrote: > > On Thu, Aug 22, 2019 at 07:10:09PM -0700, Sean Christopherson wrote: > > > Invoke EADD with the userspace source address instead of first copying > > > the data to a kernel page to avoid the overhead of alloc_page() and > > > copy_from_user(). > > > > > > Remove all pre-validation of TCS pages. The source page is no longer > > > readily available since it's not copied into the kernel, and validating > > > the TCS essentially requires accessing the entire page since the vast > > > majority of the TCS is reserved bytes. Given that userspace can now > > > cause EADD to fault simply by passing a bad pointer, validating the TCS > > > to avoid faults on EADD provides little to no value. > > > > > > Suggested-by: Andy Lutomirski <luto@xxxxxxxxxx> > > > Signed-off-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx> > > > > I already merged this to my tree but just realized that the commit > > message does not address why get_user_pages() is no option. > > AFAICT, gup() would also work, but I don't think it gains us anything, > e.g. validating the TCS still doesn't work because nothing prevents > userspace from scribbling the TCS page after it's checked by the kernel. > If we run into a scenario where we need to check the TCS, e.g. to prevent > using a feature the kernel doesn't support, then we'd have no choice but > to copy it into kernel memory[*]. > > Going with gup() would be a little more code, and maybe an imperceptibly > small performance hit, but otherwise the two options are more or less the > same. > > I (obviously) have a slight preference for passing the userspace address > directly to EADD, but I'm ok with either approach unless the gup code ends > up being particularly ugly. > > [*] While typing this out I realized we *must* copy the SECS into kernel > memory for ECREATE, otherwise the kernel would be susceptible to > TOCTOU attacks on the allowed attributes. Probably worth a comment. Lets stick to what was merged. /Jarkko
