From: David Laight <david.laight.linux@gmail•com>
To: Thomas Gleixner <tglx@linutronix•de>
Cc: LKML <linux-kernel@vger•kernel.org>,
"Christophe Leroy" <christophe.leroy@csgroup•eu>,
"Mathieu Desnoyers" <mathieu.desnoyers@efficios•com>,
"Andrew Cooper" <andrew.cooper3@citrix•com>,
"Linus Torvalds" <torvalds@linux-foundation•org>,
"kernel test robot" <lkp@intel•com>,
"Russell King" <linux@armlinux•org.uk>,
linux-arm-kernel@lists•infradead.org, x86@kernel•org,
"Madhavan Srinivasan" <maddy@linux•ibm.com>,
"Michael Ellerman" <mpe@ellerman•id.au>,
"Nicholas Piggin" <npiggin@gmail•com>,
linuxppc-dev@lists•ozlabs.org, "Paul Walmsley" <pjw@kernel•org>,
"Palmer Dabbelt" <palmer@dabbelt•com>,
linux-riscv@lists•infradead.org,
"Heiko Carstens" <hca@linux•ibm.com>,
"Christian Borntraeger" <borntraeger@linux•ibm.com>,
"Sven Schnelle" <svens@linux•ibm.com>,
linux-s390@vger•kernel.org,
"Julia Lawall" <Julia.Lawall@inria•fr>,
"Nicolas Palix" <nicolas.palix@imag•fr>,
"Peter Zijlstra" <peterz@infradead•org>,
"Darren Hart" <dvhart@infradead•org>,
"Davidlohr Bueso" <dave@stgolabs•net>,
"André Almeida" <andrealmeid@igalia•com>,
"Alexander Viro" <viro@zeniv•linux.org.uk>,
"Christian Brauner" <brauner@kernel•org>,
"Jan Kara" <jack@suse•cz>,
linux-fsdevel@vger•kernel.org
Subject: Re: [patch V4 07/12] uaccess: Provide scoped user access regions
Date: Wed, 22 Oct 2025 15:20:06 +0100
Message-ID: <20251022152006.4d461c8b@pumpkin>
In-Reply-To: <20251022103112.294959046@linutronix.de>
On Wed, 22 Oct 2025 14:49:10 +0200 (CEST)
Thomas Gleixner <tglx@linutronix•de> wrote:
> User space access regions are tedious and require similar code patterns all
> over the place:
>
>	if (!user_read_access_begin(from, sizeof(*from)))
>		return -EFAULT;
>	unsafe_get_user(val, from, Efault);
>	user_read_access_end();
>	return 0;
> Efault:
>	user_read_access_end();
>	return -EFAULT;
>
> This got worse with the recent addition of masked user access, which
> optimizes the speculation prevention:
>
>	if (can_do_masked_user_access())
>		from = masked_user_read_access_begin((from));
>	else if (!user_read_access_begin(from, sizeof(*from)))
>		return -EFAULT;
>	unsafe_get_user(val, from, Efault);
>	user_read_access_end();
>	return 0;
> Efault:
>	user_read_access_end();
>	return -EFAULT;
>
> There have been issues with using the wrong user_*_access_end() variant in
> the error path and other typical Copy&Pasta problems, e.g. using the wrong
> fault label in the user accessor which ends up using the wrong access end
> variant.
>
> These patterns beg for scopes with automatic cleanup. The resulting outcome
> is:
>	scoped_user_read_access(from, Efault)
>		unsafe_get_user(val, from, Efault);
>	return 0;
> Efault:
>	return -EFAULT;
>
> The scope guarantees the proper cleanup for the access mode is invoked both
> in the success and the failure (fault) path.
>
> The scoped_user_$MODE_access() macros are implemented as self terminating
> nested for() loops. Thanks to Andrew Cooper for pointing me at them. The
> scope can therefore be left with 'break', 'goto' and 'return'. Even
> 'continue' "works" due to the self termination mechanism.
I think that 'feature' should be marked as a 'bug', consider code like:
	for (; len >= sizeof(*uaddr); uaddr++, len -= sizeof(*uaddr)) {
		scoped_user_read_access(uaddr, Efault) {
			int frag_len;

			unsafe_get_user(frag_len, &uaddr->len, Efault);
			if (!frag_len)
				break;
			...
		}
		...
	}
The expectation would be that the 'break' applies to the visible 'for' loop.
But you need a 'goto' to escape from the visible loop.
Someone who groks the static checkers might want to try to detect
continue/break in those loops.
David
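The pitfall David points at can be reproduced outside the kernel. The following is an added user-space mock written for this page, not the patch's scoped_user_*_access() macro or any kernel code: the begin/end counters, struct mock_scope, the mock_* names and the use of __attribute__((cleanup)) to run "end" on every exit path are all assumptions of the mock. It builds a scope as a self-terminating for() loop, then walks a constructed fragment list twice: once with 'break' (which only leaves the hidden loop, so every fragment is still examined) and once with 'goto' (which leaves the visible loop as intended). The counters show that the "end" side still runs exactly once per successful "begin" in both cases, and not at all when "begin" fails.

```c
/*
 * Added example (not kernel code): a user-space mock of a scope macro built
 * as a self-terminating for() loop, showing what 'break' inside it does.
 * Names, counters and the cleanup-attribute mechanism are assumptions.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Counters standing in for user_read_access_begin()/_end(). */
static int region_begins;
static int region_ends;

/* "begin" fails for a NULL pointer, mimicking a failed access check. */
static int mock_access_begin(const void *ptr)
{
	if (!ptr)
		return 0;
	region_begins++;
	return 1;
}

static void mock_access_end(void)
{
	region_ends++;
}

struct mock_scope {
	int active;	/* begin succeeded, so an end is owed */
	int done;	/* body already ran once */
};

/* Runs when _s leaves scope: normal exit, break, goto or return. */
static void mock_scope_exit(struct mock_scope *s)
{
	if (s->active)
		mock_access_end();
}

/*
 * Self-terminating for() scope. If begin fails, jump to elbl without ever
 * calling end; otherwise the body runs exactly once and end runs via the
 * cleanup attribute however the body is left.
 */
#define scoped_mock_access(ptr, elbl)						\
	for (struct mock_scope _s __attribute__((cleanup(mock_scope_exit)))	\
		     = { .active = mock_access_begin(ptr), .done = 0 };		\
	     !_s.done; _s.done = 1)						\
		if (!_s.active)							\
			goto elbl;						\
		else

struct frag {
	int len;
};

void mock_reset(void)   { region_begins = region_ends = 0; }
int  mock_begins(void)  { return region_begins; }
int  mock_ends(void)    { return region_ends; }

/*
 * Intended: stop at the first zero-length fragment. Actual: 'break' only
 * leaves the macro's hidden for() loop, so the visible loop keeps going.
 * Returns the number of fragments examined, or -EFAULT if begin failed.
 */
int walk_with_break(const struct frag *frags, size_t n)
{
	int examined = 0;

	for (size_t i = 0; i < n; i++) {
		scoped_mock_access(frags, Efault) {
			examined++;
			if (!frags[i].len)
				break;	/* exits the scope, not the outer loop */
		}
	}
	return examined;
Efault:
	return -EFAULT;
}

/* Same walk, leaving the visible loop with goto; end still runs via cleanup. */
int walk_with_goto(const struct frag *frags, size_t n)
{
	int examined = 0;

	for (size_t i = 0; i < n; i++) {
		scoped_mock_access(frags, Efault) {
			examined++;
			if (!frags[i].len)
				goto out;
		}
	}
out:
	return examined;
Efault:
	return -EFAULT;
}

/* Constructed sample: the second fragment is the terminator. */
static const struct frag sample[] = { { 4 }, { 0 }, { 8 } };
#define SAMPLE_N (sizeof(sample) / sizeof(sample[0]))

/* Fresh-counter runs so begins/ends can be read back afterwards. */
int run_break(void) { mock_reset(); return walk_with_break(sample, SAMPLE_N); }
int run_goto(void)  { mock_reset(); return walk_with_goto(sample, SAMPLE_N); }
int run_fault(void) { mock_reset(); return walk_with_goto(NULL, 1); }

int main(void)
{
	int r = run_break();
	printf("break: examined %d, begins %d, ends %d\n", r, mock_begins(), mock_ends());
	r = run_goto();
	printf("goto:  examined %d, begins %d, ends %d\n", r, mock_begins(), mock_ends());
	r = run_fault();
	printf("fault: %d, begins %d, ends %d\n", r, mock_begins(), mock_ends());
	return 0;
}
```

With the sample list {4, 0, 8} the 'break' version examines all three fragments while the 'goto' version stops after two; the begin and end counters match in both runs, and the failed-begin run returns -EFAULT with neither counter touched. Build with gcc or clang; the cleanup attribute is a compiler extension, which is also why the mock mirrors the patch's guarantee that the scope may be left with break, goto or return.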
Thread overview: 21+ messages
2025-10-22 12:49 [patch V4 00/12] uaccess: Provide and use scopes for user access Thomas Gleixner
2025-10-22 12:49 ` [patch V4 01/12] ARM: uaccess: Implement missing __get_user_asm_dword() Thomas Gleixner
2025-10-22 12:49 ` [patch V4 02/12] uaccess: Provide ASM GOTO safe wrappers for unsafe_*_user() Thomas Gleixner
2025-10-22 12:49 ` [patch V4 03/12] x86/uaccess: Use unsafe wrappers for ASM GOTO Thomas Gleixner
2025-10-22 12:49 ` [patch V4 04/12] powerpc/uaccess: " Thomas Gleixner
2025-10-22 12:49 ` [patch V4 05/12] riscv/uaccess: " Thomas Gleixner
2025-10-22 12:49 ` [patch V4 06/12] s390/uaccess: " Thomas Gleixner
2025-10-22 15:00 ` Heiko Carstens
2025-10-22 12:49 ` [patch V4 07/12] uaccess: Provide scoped user access regions Thomas Gleixner
2025-10-22 14:20 ` David Laight [this message]
2025-10-22 14:23 ` Peter Zijlstra
2025-10-22 12:49 ` [patch V4 08/12] uaccess: Provide put/get_user_scoped() Thomas Gleixner
2025-10-22 12:49 ` [patch V4 09/12] [RFC] coccinelle: misc: Add scoped_$MODE_access() checker script Thomas Gleixner
2025-10-22 12:49 ` [patch V4 10/12] futex: Convert to scoped user access Thomas Gleixner
2025-10-22 15:16 ` Linus Torvalds
2025-10-23 18:44 ` Thomas Gleixner
2025-10-23 19:26 ` Linus Torvalds
2025-10-23 21:14 ` David Laight
2025-10-22 12:49 ` [patch V4 11/12] x86/futex: " Thomas Gleixner
2025-10-22 12:49 ` [patch V4 12/12] select: " Thomas Gleixner
2025-10-22 13:28 ` [patch V4 00/12] uaccess: Provide and use scopes for " Peter Zijlstra