Re: [RFC PATCH v1 01/10] s390/uaccess: Add storage key checked access to user memory

From: Janis Schoetterl-Glausch
Date: Fri Jan 21 2022 - 08:46:13 EST

Next message: Alexander Fomichev: "Re: [RFC] Scheduler: DMA Engine regression because of sched/fair changes"
Previous message: trix: "[PATCH] btrfs: initialize variable cancel"
In reply to: Heiko Carstens: "Re: [RFC PATCH v1 01/10] s390/uaccess: Add storage key checked access to user memory"
Next in thread: Heiko Carstens: "Re: [RFC PATCH v1 01/10] s390/uaccess: Add storage key checked access to user memory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 1/21/22 12:04, Heiko Carstens wrote:
> On Fri, Jan 21, 2022 at 08:32:25AM +0100, Christian Borntraeger wrote:
>> So in essence adding something like this and then providing raw_copy_from/to_user_key?
>> (whitespace damaged, just pasted in)
>>
>> diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
>> index ac0394087f7d..3b6e78ee211c 100644
>> --- a/include/linux/uaccess.h
>> +++ b/include/linux/uaccess.h
>> @@ -201,6 +201,59 @@ copy_to_user(void __user *to, const void *from, unsigned long n)
>> return n;
>> }
>> +
>> +#if defined(__s390x__) && defined(CONFIG_KVM)
>> +/*
>> + * Variants that pass along an access key. Uses by KVM on s390x to implement
>> + * key checks for guests that use storage keys Must be kept in sync with the
>> + * non-key variants from above. The only difference is the _key suffix when
>> + * calling raw_copy_from/to_user_key.
>> + */
>
> This is too architecture specific, I wouldn't like to see __s390__ or
> KVM dependencies. This should be a bit more generic, so other
> architectures _might_ also make use of this interface that is:
>
>> +static inline __must_check unsigned long
>> +_copy_from_user_key(void *to, const void __user *from, unsigned long n, u8 key)
>
> Make key unsigned long, add support for INLINE_COPY_TO_USER, and maybe
> add a wrapper, so this works on all architectures, e.g. if
> raw_copy_to_user_key() is not defined, then fall back to
> raw_copy_to_user() and ignore the key parameter.
>

Since we only need the double underscore variants, even if we're going to be more
general than we need to be, we can restrict ourselves to those, can't we?

I don't understand your comment about the wrapper. You'd want an error on misuse,
that is, if you try to use a _with_key function if the functionality is not defined, no?

I see the following possibilities:
1. raw_copy_from/to_user is declared by each architecture.
Mirror that for raw_copy_from/to_user_with_key.
Linker error on misuse.
2. Opt in with #define UACCESS_WITH_KEY or similar.
Undeclared function on misuse.
3. Opt in by requiring that raw_copy_from/to_user_with_key are macros.
Undeclared function on misuse.
4. Declare raw_copy_from/to_user_with_key in include/linux/uacess.h.
Linker error on misuse.

Next message: Alexander Fomichev: "Re: [RFC] Scheduler: DMA Engine regression because of sched/fair changes"
Previous message: trix: "[PATCH] btrfs: initialize variable cancel"
In reply to: Heiko Carstens: "Re: [RFC PATCH v1 01/10] s390/uaccess: Add storage key checked access to user memory"
Next in thread: Heiko Carstens: "Re: [RFC PATCH v1 01/10] s390/uaccess: Add storage key checked access to user memory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]