From nobody Fri Dec 19 06:31:29 2025 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 472773126D9; Fri, 17 Oct 2025 10:08:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695741; cv=none; b=lS6dypZ5ASQWWiOPISpfoEU3nTblBRjNN/cJBy2qSExbrgytkZUUm69fainruRI8suXKgUlUYsjK+1gb3C+EZd48ygTtNMnj6cMo01pdWEZ2h3zUb7oD0lccGgysD6g2Pc94jQyXvM2/7VwIPu+c3YiZ6+oLt59AsBH3+kwtFMU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695741; c=relaxed/simple; bh=B6FY70g1YU4tpzw5guto+VK5McncnWIMenNCFYwqfSs=; h=Message-ID:From:To:Cc:Subject:References:MIME-Version: Content-Type:Date; b=ljGVnO+SQaW4LRnljDed/dujlwEsrgdj04pEjWB5pGffYu2g8vZiiJSe3VS9qVD2TP9CjyfhjjsoFx2QfLqEobt2IHp+XhQ3uRp3sNxp4ejaYTailaYioWj2ipU3fhlt2jXmT2h8TYQp1cWAXY2qaxD4ngcsJlV4kT5G2j4elmk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=ytPCOBNE; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=8f0yU993; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="ytPCOBNE"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="8f0yU993" Message-ID: <20251017093029.874834505@linutronix.de> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1760695737; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=fZFzuFe1kZwWOtUDwXLfQwu5MJAw6qMRRDC36ZwVfYw=; b=ytPCOBNE1TkvJTWpLy78QusdxvVV4Ds58RKvhJHsf/croUeiGvx9UnV4mNMdoBRVg07oHB 4+32mu7/3RJxShsIPe6JWBz5/FrJfOZGgzsUfIDkj+3q1xMnmtZgpTWyromcSbAF8Xv274 FkV/c0yAHYbltKBm+ghXeCxDak+NWmvJPnXPfMhkj/1G0WGZ/rLPBaFrj917XRVqjV/Kqd dvKhMtlzqqxyQdha8CX/xxPGIDZ4upmI/c5f9i+386qXdlQKjcAWLAvTaQeifJ8F/2voYJ mhvw6eRvaSu0a/m6bo4SZbAHuXSegaKyNol/l9f+YG/bs3UKrtYmohJd5Aay1Q== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1760695737; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=fZFzuFe1kZwWOtUDwXLfQwu5MJAw6qMRRDC36ZwVfYw=; b=8f0yU993CYFDRwGspwr1ZKCjnjUpxYp+aRgJMGfWayi/6XrP0VvvNNmJISqFj4Wkr7Otd+ Te+PwI9NuQKM1+Cw== From: Thomas Gleixner To: LKML Cc: kernel test robot , Russell King , linux-arm-kernel@lists.infradead.org, Linus Torvalds , x86@kernel.org, Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Christophe Leroy , linuxppc-dev@lists.ozlabs.org, Paul Walmsley , Palmer Dabbelt , linux-riscv@lists.infradead.org, Heiko Carstens , Christian Borntraeger , Sven Schnelle , linux-s390@vger.kernel.org, Mathieu Desnoyers , Andrew Cooper , Julia Lawall , Nicolas Palix , Peter Zijlstra , Darren Hart , Davidlohr Bueso , =?UTF-8?q?Andr=C3=A9=20Almeida?= , Alexander Viro , Christian Brauner , Jan Kara , linux-fsdevel@vger.kernel.org Subject: [patch V3 01/12] ARM: uaccess: Implement missing __get_user_asm_dword() References: <20251017085938.150569636@linutronix.de> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Date: Fri, 17 Oct 2025 12:08:56 +0200 (CEST) Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" When CONFIG_CPU_SPECTRE=3Dn then get_user() is missing the 8 byte ASM varia= nt for no real good reason. This prevents using get_user(u64) in generic code. Implement it as a sequence of two 4-byte reads with LE/BE awareness and make the unsigned long (or long long) type for the intermediate variable to read into dependend on the the target type. The __long_type() macro and idea was lifted from PowerPC. Thanks to Christophe for pointing it out. Reported-by: kernel test robot Signed-off-by: Thomas Gleixner Cc: Russell King Cc: linux-arm-kernel@lists.infradead.org Closes: https://lore.kernel.org/oe-kbuild-all/202509120155.pFgwfeUD-lkp@int= el.com/ Acked-by: Peter Zijlstra (Intel) --- V2a: Solve the *ptr issue vs. unsigned long long - Russell/Christophe V2: New patch to fix the 0-day fallout --- arch/arm/include/asm/uaccess.h | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) --- a/arch/arm/include/asm/uaccess.h +++ b/arch/arm/include/asm/uaccess.h @@ -283,10 +283,17 @@ extern int __put_user_8(void *, unsigned __gu_err; \ }) =20 +/* + * This is a type: either unsigned long, if the argument fits into + * that type, or otherwise unsigned long long. + */ +#define __long_type(x) \ + __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL)) + #define __get_user_err(x, ptr, err, __t) \ do { \ unsigned long __gu_addr =3D (unsigned long)(ptr); \ - unsigned long __gu_val; \ + __long_type(x) __gu_val; \ unsigned int __ua_flags; \ __chk_user_ptr(ptr); \ might_fault(); \ @@ -295,6 +302,7 @@ do { \ case 1: __get_user_asm_byte(__gu_val, __gu_addr, err, __t); break; \ case 2: __get_user_asm_half(__gu_val, __gu_addr, err, __t); break; \ case 4: __get_user_asm_word(__gu_val, __gu_addr, err, __t); break; \ + case 8: __get_user_asm_dword(__gu_val, __gu_addr, err, __t); break; \ default: (__gu_val) =3D __get_user_bad(); \ } \ uaccess_restore(__ua_flags); \ @@ -353,6 +361,22 @@ do { \ #define __get_user_asm_word(x, addr, err, __t) \ __get_user_asm(x, addr, err, "ldr" __t) =20 +#ifdef __ARMEB__ +#define __WORD0_OFFS 4 +#define __WORD1_OFFS 0 +#else +#define __WORD0_OFFS 0 +#define __WORD1_OFFS 4 +#endif + +#define __get_user_asm_dword(x, addr, err, __t) \ + ({ \ + unsigned long __w0, __w1; \ + __get_user_asm(__w0, addr + __WORD0_OFFS, err, "ldr" __t); \ + __get_user_asm(__w1, addr + __WORD1_OFFS, err, "ldr" __t); \ + (x) =3D ((u64)__w1 << 32) | (u64) __w0; \ +}) + #define __put_user_switch(x, ptr, __err, __fn) \ do { \ const __typeof__(*(ptr)) __user *__pu_ptr =3D (ptr); \ From nobody Fri Dec 19 06:31:29 2025 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3F7293128C5; Fri, 17 Oct 2025 10:09:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695743; cv=none; b=bMyW5KwR+3srcPeo+fW+sN2kReD981SYQfNsv2UGDstdowBY7yb5V+dZCurBiUCvfQoMWl9HTOHcWlq3Qn9haqs8MYPYsVBxEj9SMV86FsaHg9VnTNVwtrL9Ispbfib74cFPkZShi+hu0sTGtpkvGpi48ft07fKQKGlqodQzzZk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695743; c=relaxed/simple; bh=87O4I+Gs+q+53VRSgJDF74yqnaDGggOQykXNLW0MPKg=; h=Message-ID:From:To:Cc:Subject:References:MIME-Version: Content-Type:Date; b=RPL3AtM1hPPDf+qbPYD3aDLkq8+mYUFam30m7Lq6STRNRp5J4p8p3mKcpPgxIpv3AN7BJD5D2tZ5soLER18FuuVnAXBIMxqOr5+XcHIZ3BBL/XoxVn1j4HWjaY9orc7D22z/0xTWW97sRBvHdpPGKQh3mhcOWPYBjFP15gizy6Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=mnnP4EcH; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=lT33mtBx; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="mnnP4EcH"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="lT33mtBx" Message-ID: <20251017093029.938477880@linutronix.de> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1760695739; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=riOmJf9FiDkmu6m5dlKP9M/8U5xAklSgvZrcN3Urpuk=; b=mnnP4EcHPsGiBWQ80ZqxKt13uzAIBB3k2yS1/Hm+sPYsJe6113u4U0umZSA2nn4kRaNJpJ Rkenq6/jim491Xuz2SO5kQafyylcG/mRIKVDiZycdMNLud5mhnSzrCccn3X38Wn96+T79G hktsrO07q6YSP3slcwP5falY25Pb1CIBaksqoE7E+68t7LYG14+qC/FrU8haf5HTnTplbs MaMSXBhMZ0H9m83V9tz5MYbIVxs8gMl4CTnClDsiglM3QfGTLclgpuM2XbhANq8nfDV8t5 j+3gKnN8VqFnD7yW0QYwYHf0UUMTWmEWnVOjwgvBsCHbUXj8W+NB41bt6EE6Fw== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1760695739; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=riOmJf9FiDkmu6m5dlKP9M/8U5xAklSgvZrcN3Urpuk=; b=lT33mtBxSqSSNnCxx2OdHF+2ZASAeNgjqpk4i+2mH9cETV5n/xlEFPQtRRy1EHJTr8iogE XUXXib744TyAY9DA== From: Thomas Gleixner To: LKML Cc: Linus Torvalds , kernel test robot , Russell King , linux-arm-kernel@lists.infradead.org, x86@kernel.org, Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Christophe Leroy , linuxppc-dev@lists.ozlabs.org, Paul Walmsley , Palmer Dabbelt , linux-riscv@lists.infradead.org, Heiko Carstens , Christian Borntraeger , Sven Schnelle , linux-s390@vger.kernel.org, Mathieu Desnoyers , Andrew Cooper , Julia Lawall , Nicolas Palix , Peter Zijlstra , Darren Hart , Davidlohr Bueso , =?UTF-8?q?Andr=C3=A9=20Almeida?= , Alexander Viro , Christian Brauner , Jan Kara , linux-fsdevel@vger.kernel.org Subject: [patch V3 02/12] uaccess: Provide ASM GOTO safe wrappers for unsafe_*_user() References: <20251017085938.150569636@linutronix.de> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Date: Fri, 17 Oct 2025 12:08:58 +0200 (CEST) Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" ASM GOTO is miscompiled by GCC when it is used inside a auto cleanup scope: bool foo(u32 __user *p, u32 val) { scoped_guard(pagefault) unsafe_put_user(val, p, efault); return true; efault: return false; } e80: e8 00 00 00 00 call e85 e85: 65 48 8b 05 00 00 00 00 mov %gs:0x0(%rip),%rax e8d: 83 80 04 14 00 00 01 addl $0x1,0x1404(%rax) // pf_disable++ e94: 89 37 mov %esi,(%rdi) e96: 83 a8 04 14 00 00 01 subl $0x1,0x1404(%rax) // pf_disable-- e9d: b8 01 00 00 00 mov $0x1,%eax // success ea2: e9 00 00 00 00 jmp ea7 // ret ea7: 31 c0 xor %eax,%eax // fail ea9: e9 00 00 00 00 jmp eae // ret which is broken as it leaks the pagefault disable counter on failure. Clang at least fails the build. Linus suggested to add a local label into the macro scope and let that jump to the actual caller supplied error label. __label__ local_label; \ arch_unsafe_get_user(x, ptr, local_label); \ if (0) { \ local_label: \ goto label; \ That works for both GCC and clang. clang: c80: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)=09 c85: 65 48 8b 0c 25 00 00 00 00 mov %gs:0x0,%rcx c8e: ff 81 04 14 00 00 incl 0x1404(%rcx) // pf_disable++ c94: 31 c0 xor %eax,%eax // set retval to fal= se c96: 89 37 mov %esi,(%rdi) // write c98: b0 01 mov $0x1,%al // set retval to true c9a: ff 89 04 14 00 00 decl 0x1404(%rcx) // pf_disable-- ca0: 2e e9 00 00 00 00 cs jmp ca6 // ret The exception table entry points correctly to c9a GCC: f70: e8 00 00 00 00 call f75 f75: 65 48 8b 05 00 00 00 00 mov %gs:0x0(%rip),%rax f7d: 83 80 04 14 00 00 01 addl $0x1,0x1404(%rax) // pf_disable++ f84: 8b 17 mov (%rdi),%edx f86: 89 16 mov %edx,(%rsi) f88: 83 a8 04 14 00 00 01 subl $0x1,0x1404(%rax) // pf_disable-- f8f: b8 01 00 00 00 mov $0x1,%eax // success f94: e9 00 00 00 00 jmp f99 // ret f99: 83 a8 04 14 00 00 01 subl $0x1,0x1404(%rax) // pf_disable-- fa0: 31 c0 xor %eax,%eax // fail fa2: e9 00 00 00 00 jmp fa7 // ret The exception table entry points correctly to f99 So both compilers optimize out the extra goto and emit correct and efficient code. Provide a generic wrapper to do that to avoid modifying all the affected architecture specific implementation with that workaround. The only change required for architectures is to rename unsafe_*_user() to arch_unsafe_*_user(). That's done in subsequent changes. Suggested-by: Linus Torvalds Signed-off-by: Thomas Gleixner Acked-by: Peter Zijlstra (Intel) Reviewed-by: Mathieu Desnoyers --- include/linux/uaccess.h | 72 +++++++++++++++++++++++++++++++++++++++++++= ++--- 1 file changed, 68 insertions(+), 4 deletions(-) --- a/include/linux/uaccess.h +++ b/include/linux/uaccess.h @@ -518,7 +518,34 @@ long strncpy_from_user_nofault(char *dst long count); long strnlen_user_nofault(const void __user *unsafe_addr, long count); =20 -#ifndef __get_kernel_nofault +#ifdef arch_get_kernel_nofault +/* + * Wrap the architecture implementation so that @label can be outside of a + * cleanup() scope. A regular C goto works correctly, but ASM goto does + * not. Clang rejects such an attempt, but GCC silently emits buggy code. + */ +#define __get_kernel_nofault(dst, src, type, label) \ +do { \ + __label__ local_label; \ + arch_get_kernel_nofault(dst, src, type, local_label); \ + if (0) { \ + local_label: \ + goto label; \ + } \ +} while (0) + +#define __put_kernel_nofault(dst, src, type, label) \ +do { \ + __label__ local_label; \ + arch_get_kernel_nofault(dst, src, type, local_label); \ + if (0) { \ + local_label: \ + goto label; \ + } \ +} while (0) + +#elif !defined(__get_kernel_nofault) /* arch_get_kernel_nofault */ + #define __get_kernel_nofault(dst, src, type, label) \ do { \ type __user *p =3D (type __force __user *)(src); \ @@ -535,7 +562,8 @@ do { \ if (__put_user(data, p)) \ goto label; \ } while (0) -#endif + +#endif /* !__get_kernel_nofault */ =20 /** * get_kernel_nofault(): safely attempt to read from a location @@ -549,7 +577,42 @@ do { \ copy_from_kernel_nofault(&(val), __gk_ptr, sizeof(val));\ }) =20 -#ifndef user_access_begin +#ifdef user_access_begin + +#ifdef arch_unsafe_get_user +/* + * Wrap the architecture implementation so that @label can be outside of a + * cleanup() scope. A regular C goto works correctly, but ASM goto does + * not. Clang rejects such an attempt, but GCC silently emits buggy code. + * + * Some architectures use internal local labels already, but this extra + * indirection here is harmless because the compiler optimizes it out + * completely in any case. This construct just ensures that the ASM GOTO + * target is always in the local scope. The C goto 'label' works correct + * when leaving a cleanup() scope. + */ +#define unsafe_get_user(x, ptr, label) \ +do { \ + __label__ local_label; \ + arch_unsafe_get_user(x, ptr, local_label); \ + if (0) { \ + local_label: \ + goto label; \ + } \ +} while (0) + +#define unsafe_put_user(x, ptr, label) \ +do { \ + __label__ local_label; \ + arch_unsafe_put_user(x, ptr, local_label); \ + if (0) { \ + local_label: \ + goto label; \ + } \ +} while (0) +#endif /* arch_unsafe_get_user */ + +#else /* user_access_begin */ #define user_access_begin(ptr,len) access_ok(ptr, len) #define user_access_end() do { } while (0) #define unsafe_op_wrap(op, err) do { if (unlikely(op)) goto err; } while (= 0) @@ -559,7 +622,8 @@ do { \ #define unsafe_copy_from_user(d,s,l,e) unsafe_op_wrap(__copy_from_user(d,s= ,l),e) static inline unsigned long user_access_save(void) { return 0UL; } static inline void user_access_restore(unsigned long flags) { } -#endif +#endif /* !user_access_begin */ + #ifndef user_write_access_begin #define user_write_access_begin user_access_begin #define user_write_access_end user_access_end From nobody Fri Dec 19 06:31:29 2025 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6F638313276; Fri, 17 Oct 2025 10:09:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695744; cv=none; b=EPTMzHmlfnH7Mff4cnHiNyRQOVGAipnwz+g2puVEG8PGHmmNoBoM2tPNodCHLkWp51KCuRZjJVTkQ+YgO4oynjthCePXTrCpxITlX8hY+8o69Ghr1aD7js7LLli5NMsYpSE6GdRf2AaNN6LgCqwfdsRBKQV5XAuBlDQo9oVL+vE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695744; c=relaxed/simple; bh=1JN45mC64c47dz9TU2Ot3j2U1wNiqKWBKgn8OQGE8ow=; h=Message-ID:From:To:Cc:Subject:References:MIME-Version: Content-Type:Date; b=dtzTacOd21ihHwWlNR4Nu8iAoUNX6StNUEvdg8c4KIq2H+iUOYkNx9ISPK2e/+87a7tqO0GGxLjPQnWJqF2fREAsTzzOwHWVu9mo/akis8OAIWQfUr0dzdj9mBK8vN98ruf+VIabEaU1l4D39AfACB8tF6Tj1fbLrPsaTl0k6hw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=GTvRGyk6; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=wLsGC9RL; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="GTvRGyk6"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="wLsGC9RL" Message-ID: <20251017093030.001666876@linutronix.de> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1760695741; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=EKzyB0lrI1vv7+y80GeaggsaapcXMx0ewLMg7+vmnx4=; b=GTvRGyk6DjoMxDt+fYkyakO6ycdq3eWKJ5DLVvdla9gpLRlLAUtCHv3+2OCSBITMNRhjV+ 6R5tlN403YJ0IfDxjOVq4z3XEeIW/8FaVPYWQFIdq4ALG+Iag8vKidxOVW51jHPDlm3vjB nP7wsoZz7ZXJA2YRNabZ9OZ3Bd9HbSwPqRx+nTnL6R9ljmWGRkc5qFj/+L6OiUpoptPLXr lCw3HWo3QxWP24rkonxwBYynALATxasmSCuenpjqG+BEHbdLziuS9rHmOHHoGRaT+SSkJG xKPV0L9VPCcB90+j30+g4MmmbnMU6jRSjCrYOvAuK1Y6XoE1XS7zW9KZUlKnYQ== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1760695741; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=EKzyB0lrI1vv7+y80GeaggsaapcXMx0ewLMg7+vmnx4=; b=wLsGC9RLzsjb5HJDs0ah7GifEriO3GgBtZB6KgEAeIJj2b6wMW7RITABes1j7sh8PjBhxD SPwii5s8wN3IgXCw== From: Thomas Gleixner To: LKML Cc: x86@kernel.org, kernel test robot , Russell King , linux-arm-kernel@lists.infradead.org, Linus Torvalds , Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Christophe Leroy , linuxppc-dev@lists.ozlabs.org, Paul Walmsley , Palmer Dabbelt , linux-riscv@lists.infradead.org, Heiko Carstens , Christian Borntraeger , Sven Schnelle , linux-s390@vger.kernel.org, Mathieu Desnoyers , Andrew Cooper , Julia Lawall , Nicolas Palix , Peter Zijlstra , Darren Hart , Davidlohr Bueso , =?UTF-8?q?Andr=C3=A9=20Almeida?= , Alexander Viro , Christian Brauner , Jan Kara , linux-fsdevel@vger.kernel.org Subject: [patch V3 03/12] x86/uaccess: Use unsafe wrappers for ASM GOTO References: <20251017085938.150569636@linutronix.de> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Date: Fri, 17 Oct 2025 12:09:00 +0200 (CEST) Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" ASM GOTO is miscompiled by GCC when it is used inside a auto cleanup scope: bool foo(u32 __user *p, u32 val) { scoped_guard(pagefault) unsafe_put_user(val, p, efault); return true; efault: return false; } It ends up leaking the pagefault disable counter in the fault path. clang at least fails the build. Rename unsafe_*_user() to arch_unsafe_*_user() which makes the generic uaccess header wrap it with a local label that makes both compilers emit correct code. Same for the kernel_nofault() variants. Signed-off-by: Thomas Gleixner Cc: x86@kernel.org Acked-by: Peter Zijlstra (Intel) --- arch/x86/include/asm/uaccess.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) --- a/arch/x86/include/asm/uaccess.h +++ b/arch/x86/include/asm/uaccess.h @@ -528,18 +528,18 @@ static __must_check __always_inline bool #define user_access_save() smap_save() #define user_access_restore(x) smap_restore(x) =20 -#define unsafe_put_user(x, ptr, label) \ +#define arch_unsafe_put_user(x, ptr, label) \ __put_user_size((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)), label) =20 #ifdef CONFIG_CC_HAS_ASM_GOTO_OUTPUT -#define unsafe_get_user(x, ptr, err_label) \ +#define arch_unsafe_get_user(x, ptr, err_label) \ do { \ __inttype(*(ptr)) __gu_val; \ __get_user_size(__gu_val, (ptr), sizeof(*(ptr)), err_label); \ (x) =3D (__force __typeof__(*(ptr)))__gu_val; \ } while (0) #else // !CONFIG_CC_HAS_ASM_GOTO_OUTPUT -#define unsafe_get_user(x, ptr, err_label) \ +#define arch_unsafe_get_user(x, ptr, err_label) \ do { \ int __gu_err; \ __inttype(*(ptr)) __gu_val; \ @@ -618,11 +618,11 @@ do { \ } while (0) =20 #ifdef CONFIG_CC_HAS_ASM_GOTO_OUTPUT -#define __get_kernel_nofault(dst, src, type, err_label) \ +#define arch_get_kernel_nofault(dst, src, type, err_label) \ __get_user_size(*((type *)(dst)), (__force type __user *)(src), \ sizeof(type), err_label) #else // !CONFIG_CC_HAS_ASM_GOTO_OUTPUT -#define __get_kernel_nofault(dst, src, type, err_label) \ +#define arch_get_kernel_nofault(dst, src, type, err_label) \ do { \ int __kr_err; \ \ @@ -633,7 +633,7 @@ do { \ } while (0) #endif // CONFIG_CC_HAS_ASM_GOTO_OUTPUT =20 -#define __put_kernel_nofault(dst, src, type, err_label) \ +#define arch_put_kernel_nofault(dst, src, type, err_label) \ __put_user_size(*((type *)(src)), (__force type __user *)(dst), \ sizeof(type), err_label) From nobody Fri Dec 19 06:31:29 2025 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 99E3B314A74; Fri, 17 Oct 2025 10:09:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695746; cv=none; b=q+wttXwqid+4TyKNq7Q5YCCaq0p1Nw/tflU8fjGgmWkipRk3GG1yVWgoD6KDaNGm9ibjfM/EFsLtj9b2EfFiCjcawC1iBufvWwfpO9DiBFHxAzMQuEqBKNa8caHxFwcD8Bq2YIEOCYl2O3Am7pMerK/zYu5vVyiPjqrqZfy/1f8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695746; c=relaxed/simple; bh=kv2agbdsqIbzMLDcTPxxSBLHwg3H9gA4/g6IZ/c2ULk=; h=Message-ID:From:To:Cc:Subject:References:MIME-Version: Content-Type:Date; b=sxm/Kwa5cxjaz/coPKCdVduVV6iVhRsPlUSG/STVq4LaNz2jbgV2SsNwCE/nPXOaeXM/bHx7HhUe3lwV4b1RRVLCzwjZinZdUHQFS5tW8KmITLKNSqzIp5o2O/h4kH5SvTAcEemLm/InKLJTXyJdoOLD2iWVuBNnlUYEaZvdyNI= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=MnLnslQ4; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=rg0WPyLq; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="MnLnslQ4"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="rg0WPyLq" Message-ID: <20251017093030.064701062@linutronix.de> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1760695743; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=DNQHcterXWXQuFWR5KPGbkzD3Sh/vJk9lLVEwO1xPSA=; b=MnLnslQ4RTsV85Q3CoH24lxHMQcF21HKHrtG7EOggVFlERWiVpTDR1OV7BLIIXpp85tyM9 I7IoqOHCLIqnPvnSVsWVb/Tu2jQui1WDunh2r7Qwge4EsFLfN8gkhQuolZ3E+cyqEV0YOw 6YqRd4+Xv0RBvQT1MNCkfK6e1IcQ8AumHt6pvIbojy2QtqkEaPYDHqHAea5RkXNWGyEpjl 7xQHleplT3cA3JY0wM9+v9hUdjev9y6y1EgIEzbKs5vYyU4M0DvNL1MGJvittYUZPuSAbA 0ZX2f3AXVPL23vcIPhkezJfXaQwQ3oOGHCYt8SH/2Beh0cStIp1WXsGlFtUGeg== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1760695743; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=DNQHcterXWXQuFWR5KPGbkzD3Sh/vJk9lLVEwO1xPSA=; b=rg0WPyLqAanfBxT81ThSaB9BbJy7x27baok62rRyXXmPsoM3tIHAgK3ol6nAR0EDXBfInK mTIojW6IJ53yd1Cw== From: Thomas Gleixner To: LKML Cc: Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Christophe Leroy , linuxppc-dev@lists.ozlabs.org, kernel test robot , Russell King , linux-arm-kernel@lists.infradead.org, Linus Torvalds , x86@kernel.org, Paul Walmsley , Palmer Dabbelt , linux-riscv@lists.infradead.org, Heiko Carstens , Christian Borntraeger , Sven Schnelle , linux-s390@vger.kernel.org, Mathieu Desnoyers , Andrew Cooper , Julia Lawall , Nicolas Palix , Peter Zijlstra , Darren Hart , Davidlohr Bueso , =?UTF-8?q?Andr=C3=A9=20Almeida?= , Alexander Viro , Christian Brauner , Jan Kara , linux-fsdevel@vger.kernel.org Subject: [patch V3 04/12] powerpc/uaccess: Use unsafe wrappers for ASM GOTO References: <20251017085938.150569636@linutronix.de> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Date: Fri, 17 Oct 2025 12:09:02 +0200 (CEST) Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" ASM GOTO is miscompiled by GCC when it is used inside a auto cleanup scope: bool foo(u32 __user *p, u32 val) { scoped_guard(pagefault) unsafe_put_user(val, p, efault); return true; efault: return false; } It ends up leaking the pagefault disable counter in the fault path. clang at least fails the build. Rename unsafe_*_user() to arch_unsafe_*_user() which makes the generic uaccess header wrap it with a local label that makes both compilers emit correct code. Same for the kernel_nofault() variants. Signed-off-by: Thomas Gleixner Cc: Madhavan Srinivasan Cc: Michael Ellerman Cc: Nicholas Piggin Cc: Christophe Leroy Cc: linuxppc-dev@lists.ozlabs.org Acked-by: Peter Zijlstra (Intel) --- arch/powerpc/include/asm/uaccess.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/arch/powerpc/include/asm/uaccess.h +++ b/arch/powerpc/include/asm/uaccess.h @@ -451,7 +451,7 @@ user_write_access_begin(const void __use #define user_write_access_begin user_write_access_begin #define user_write_access_end prevent_current_write_to_user =20 -#define unsafe_get_user(x, p, e) do { \ +#define arch_unsafe_get_user(x, p, e) do { \ __long_type(*(p)) __gu_val; \ __typeof__(*(p)) __user *__gu_addr =3D (p); \ \ @@ -459,7 +459,7 @@ user_write_access_begin(const void __use (x) =3D (__typeof__(*(p)))__gu_val; \ } while (0) =20 -#define unsafe_put_user(x, p, e) \ +#define arch_unsafe_put_user(x, p, e) \ __put_user_size_goto((__typeof__(*(p)))(x), (p), sizeof(*(p)), e) =20 #define unsafe_copy_from_user(d, s, l, e) \ @@ -504,11 +504,11 @@ do { \ unsafe_put_user(*(u8*)(_src + _i), (u8 __user *)(_dst + _i), e); \ } while (0) =20 -#define __get_kernel_nofault(dst, src, type, err_label) \ +#define arch_get_kernel_nofault(dst, src, type, err_label) \ __get_user_size_goto(*((type *)(dst)), \ (__force type __user *)(src), sizeof(type), err_label) =20 -#define __put_kernel_nofault(dst, src, type, err_label) \ +#define arch_put_kernel_nofault(dst, src, type, err_label) \ __put_user_size_goto(*((type *)(src)), \ (__force type __user *)(dst), sizeof(type), err_label) From nobody Fri Dec 19 06:31:29 2025 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D1D843168F8; Fri, 17 Oct 2025 10:09:06 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695748; cv=none; b=IxL+e2Y4pIn7Nj6p/QNO5g/RHwtoDLzPoDxhgY8OJ3rNS6kOPdukN3WnRM1Qh07x/Z7gNVce7dGz0wl2B8ieMarClOR45ZB+/7vq+Yfsc7lMcjcfdR283YPEUU55wNaSrZ8z73L8sGYcRhqXTSDI1bQvuq3+urdQfJ3bQRzbX68= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695748; c=relaxed/simple; bh=SVRRpksI+B5YHxzelxwgKXxbQk2UaLHrIQwq4nbHVuE=; h=Message-ID:From:To:Cc:Subject:References:MIME-Version: Content-Type:Date; b=QxPBKSLF5jAomfY/wqh2fcWcdLxm2rzubMKN6pcl+Z/pDCzEryYUpUJQJQES+o7ajYyseGktHIAv/CjcHl2smm9ip8GR8xtmOpxOf7REZcKh37GXcabqxmqZOD7RRORFO3OaY1WLLgcnMVHb8ctKSyB4YB2g8VU1dAhQt7GlDYo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=iRDn9Ds6; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=1we+Ka3N; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="iRDn9Ds6"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="1we+Ka3N" Message-ID: <20251017093030.128245987@linutronix.de> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1760695745; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=Q6hUKo07m0tisXGEHl1vXx2So4mSCWEC1HB29LLd09o=; b=iRDn9Ds66dol6j24A30mh2SQtUvITyG3hB/sYj16fMeHXdbzKXF/40bEicbNhI1HqhEy2a XwJNVm7JsPl7VOL4PYqfeA4jhZ8UNQ7x2r5M3BJh8tvw8CpneBlnbl4/F5BX/Li3PY2gI3 cztXpiCba9mg6mPEQXFl9XWMzaNT1JO2a5rCrp+9UX2jlpA6IiGEzEnfAhTTuNcIPKxyJ9 vTeYhZ086Z49Ve9WCGCplqFZo+b6fI6sa2T6ud3qheeoctm7xVI3CbNFvWMp39hgufFxln RCGgAELL/JamHlyFKxPAn0MGA/h1VCMA1/zGJzKu+RCy3OCwd/ErM3VeyfFd+w== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1760695745; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=Q6hUKo07m0tisXGEHl1vXx2So4mSCWEC1HB29LLd09o=; b=1we+Ka3NN45ZBOtjqeDCnoCSfPJah/aMjLBMgVfVCGTo+wL2wzcKrUfn1l/8ZpnTXWkF1s hVnmL//utitoKnAg== From: Thomas Gleixner To: LKML Cc: Paul Walmsley , Palmer Dabbelt , linux-riscv@lists.infradead.org, kernel test robot , Russell King , linux-arm-kernel@lists.infradead.org, Linus Torvalds , x86@kernel.org, Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Christophe Leroy , linuxppc-dev@lists.ozlabs.org, Heiko Carstens , Christian Borntraeger , Sven Schnelle , linux-s390@vger.kernel.org, Mathieu Desnoyers , Andrew Cooper , Julia Lawall , Nicolas Palix , Peter Zijlstra , Darren Hart , Davidlohr Bueso , =?UTF-8?q?Andr=C3=A9=20Almeida?= , Alexander Viro , Christian Brauner , Jan Kara , linux-fsdevel@vger.kernel.org Subject: [patch V3 05/12] riscv/uaccess: Use unsafe wrappers for ASM GOTO References: <20251017085938.150569636@linutronix.de> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Date: Fri, 17 Oct 2025 12:09:04 +0200 (CEST) Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" ASM GOTO is miscompiled by GCC when it is used inside a auto cleanup scope: bool foo(u32 __user *p, u32 val) { scoped_guard(pagefault) unsafe_put_user(val, p, efault); return true; efault: return false; } It ends up leaking the pagefault disable counter in the fault path. clang at least fails the build. Rename unsafe_*_user() to arch_unsafe_*_user() which makes the generic uaccess header wrap it with a local label that makes both compilers emit correct code. Same for the kernel_nofault() variants. Signed-off-by: Thomas Gleixner Cc: Paul Walmsley Cc: Palmer Dabbelt Cc: linux-riscv@lists.infradead.org Acked-by: Peter Zijlstra (Intel) --- arch/riscv/include/asm/uaccess.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/arch/riscv/include/asm/uaccess.h +++ b/arch/riscv/include/asm/uaccess.h @@ -437,10 +437,10 @@ unsigned long __must_check clear_user(vo __clear_user(untagged_addr(to), n) : n; } =20 -#define __get_kernel_nofault(dst, src, type, err_label) \ +#define arch_get_kernel_nofault(dst, src, type, err_label) \ __get_user_nocheck(*((type *)(dst)), (__force __user type *)(src), err_la= bel) =20 -#define __put_kernel_nofault(dst, src, type, err_label) \ +#define arch_put_kernel_nofault(dst, src, type, err_label) \ __put_user_nocheck(*((type *)(src)), (__force __user type *)(dst), err_la= bel) =20 static __must_check __always_inline bool user_access_begin(const void __us= er *ptr, size_t len) @@ -460,10 +460,10 @@ static inline void user_access_restore(u * We want the unsafe accessors to always be inlined and use * the error labels - thus the macro games. */ -#define unsafe_put_user(x, ptr, label) \ +#define arch_unsafe_put_user(x, ptr, label) \ __put_user_nocheck(x, (ptr), label) =20 -#define unsafe_get_user(x, ptr, label) do { \ +#define arch_unsafe_get_user(x, ptr, label) do { \ __inttype(*(ptr)) __gu_val; \ __get_user_nocheck(__gu_val, (ptr), label); \ (x) =3D (__force __typeof__(*(ptr)))__gu_val; \ From nobody Fri Dec 19 06:31:29 2025 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D05C33191AE; Fri, 17 Oct 2025 10:09:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695752; cv=none; b=MfQP9rgkQ3IRWayZ7w4mTXIHgwSXfRCeeZray/nfPu0FhudMGb+YdfRNHdrJHk5nOs7J4K8fPdOJGfOHGc+ohMFDDXxziidAcMy+3ymLm1Kie5ihbiyJT3qgeEY/GZ7bdsychK2oA9I3UPLTaFb6gCwRZP0pT+3SDhkN5h+UkXw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695752; c=relaxed/simple; bh=u/yk2503WbcPVzxext/24oA9U+OTQsqD5MrPiHlhlts=; h=Message-ID:From:To:Cc:Subject:References:MIME-Version: Content-Type:Date; b=ceQdb9TsdCG5FJI0QLgCU+wkXZty4Lhp4wvogbedFBSoT4w7RfXAoeL71x/UB/o40W3WIk6PWXKAzyn0ycufI5m/IhLUdpon/AHtA0DMTMg3zHSf6E38bJcvGuuFn9Z6vrXzoxHVwu/XDEKKByZDgMGdkDAPHxkW26w4rroDldw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=q8b6SIEb; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=alxqReYg; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="q8b6SIEb"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="alxqReYg" Message-ID: <20251017093030.191135747@linutronix.de> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1760695747; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=MKNcUChSn/NfFd+dS8+uLnvvYuPvhQsaUPbuMoERc+Y=; b=q8b6SIEbM6xmYbfUOBOsLQQqsGBsDZbUG5zgXIQ1nCaDQjNcfLo4DooMbAJRHmRY4Fj1Ya bfkqpb+cVypLrVHUdfnXmaR1oShltmHyFSjTkAUXIahM5M4lekfHj7qv7f5Txd9okhwhtE QSicNOQgGEIlyCyWThLox7YfPfmrXdiAWsy/GCpSZ+CcUMu2GQ+FuXIRLGbXrDopMZzGNQ NgwZCoDvLA+ZG+oO7bRzY2LokGzd1D/ENoZKQfUHTgnHVehDpCj9htY0cllyEeAwi8HFks akPf8peQTo0M2vUHxpi9V9vTza0tx5piQl8G/3irMcCQdGqHiNXmJIt3HnZRwQ== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1760695747; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=MKNcUChSn/NfFd+dS8+uLnvvYuPvhQsaUPbuMoERc+Y=; b=alxqReYgkWchksom+y0h0ctnpoZBTdkl4M0BCc8DkilDqD43CyCCDp+n0sn9nGvc5OKybq DAWDSxoXrZWqR8Bw== From: Thomas Gleixner To: LKML Cc: Heiko Carstens , Christian Borntraeger , Sven Schnelle , linux-s390@vger.kernel.org, kernel test robot , Russell King , linux-arm-kernel@lists.infradead.org, Linus Torvalds , x86@kernel.org, Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Christophe Leroy , linuxppc-dev@lists.ozlabs.org, Paul Walmsley , Palmer Dabbelt , linux-riscv@lists.infradead.org, Mathieu Desnoyers , Andrew Cooper , Julia Lawall , Nicolas Palix , Peter Zijlstra , Darren Hart , Davidlohr Bueso , =?UTF-8?q?Andr=C3=A9=20Almeida?= , Alexander Viro , Christian Brauner , Jan Kara , linux-fsdevel@vger.kernel.org Subject: [patch V3 06/12] s390/uaccess: Use unsafe wrappers for ASM GOTO References: <20251017085938.150569636@linutronix.de> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Date: Fri, 17 Oct 2025 12:09:06 +0200 (CEST) Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" ASM GOTO is miscompiled by GCC when it is used inside a auto cleanup scope: bool foo(u32 __user *p, u32 val) { scoped_guard(pagefault) unsafe_put_user(val, p, efault); return true; efault: return false; } It ends up leaking the pagefault disable counter in the fault path. clang at least fails the build. S390 is not affected for unsafe_*_user() as it uses it's own local label already, but __get/put_kernel_nofault() lack that. Rename them to arch_*_kernel_nofault() which makes the generic uaccess header wrap it with a local label that makes both compilers emit correct code. Signed-off-by: Thomas Gleixner Cc: Heiko Carstens Cc: Christian Borntraeger Cc: Sven Schnelle Cc: linux-s390@vger.kernel.org Acked-by: Peter Zijlstra (Intel) --- arch/s390/include/asm/uaccess.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/arch/s390/include/asm/uaccess.h +++ b/arch/s390/include/asm/uaccess.h @@ -468,8 +468,8 @@ do { \ =20 #endif /* CONFIG_CC_HAS_ASM_GOTO_OUTPUT && CONFIG_CC_HAS_ASM_AOR_FORMAT_FL= AGS */ =20 -#define __get_kernel_nofault __mvc_kernel_nofault -#define __put_kernel_nofault __mvc_kernel_nofault +#define arch_get_kernel_nofault __mvc_kernel_nofault +#define arch_put_kernel_nofault __mvc_kernel_nofault =20 void __cmpxchg_user_key_called_with_bad_pointer(void); From nobody Fri Dec 19 06:31:29 2025 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EE670314D00; Fri, 17 Oct 2025 10:09:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695753; cv=none; b=JNdeKgH4zC/Q14LsoEYAOYqDTeXBVGBY2CQBcm9l8vlJ5svX7+hclc6rLEMZ+cwUXQ+N8q9glwx9TmPChR5loVHC/6rdF94ueNpHRKnCF3ojDwafGcKR1+70wt/NIgy36t9QuIPu5xbDub4ZouAmJqmcmpFhfeCQCwRpfWwVMmI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695753; c=relaxed/simple; bh=IVl4st+feujIvIlnJSP0Fen+YcHRaDBvibuIWgq5NI8=; h=Message-ID:From:To:Cc:Subject:References:MIME-Version: Content-Type:Date; b=o2SIdeI/7yHNT+pSbqK0GpattQXDra9acnmuYUkmfq2sljD5O8a8E3ky4fDu50fnY0/65BSz904KOOSKIq3bkf5diFK3dJ9Om4rlns74fN2lOSa+EoCaNteEWnt3GuX41pyAQ8AZLA6DhCMkTOIctZwXxRgqRQJ7KSvBAsqEuV4= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=Bb4OS4Rv; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=3TPB8HmZ; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="Bb4OS4Rv"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="3TPB8HmZ" Message-ID: <20251017093030.253004391@linutronix.de> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1760695749; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=RdcDfhtq167IZPh3ARC9oWqCjxt0RAIa6pkCu2pnJd0=; b=Bb4OS4RvAADRftzUP18ntCc+l3Mb2pJChmeCE+m6oV682xSpbE6Il1GzeQChn2Tf3ObOcZ WObwc3uW3CVwKN4JXne2ZL8dmGoovgMiMj4Frjn1Z8bSmA3X5PWeApgjgn8dO6n9o94WQ3 P33rw3cDrlo05oz5pkGxGhWL8+GKzhkFIqTnfjbxLdUjXmhkmftn84uB4GYKbZxHFV6OPz 2V7Tlti6oi2z0qr7/tjXFjhGSF9hTDPDNrhb6No+HO9cLrXqxbYZCkeV2SfAqZfrAOiB5M DxLWbtY9dAeqaDKvkv+bGg3HyeDqkx19oJXOigUJgQt2Y/wivk76WZXUZcfCng== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1760695749; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=RdcDfhtq167IZPh3ARC9oWqCjxt0RAIa6pkCu2pnJd0=; b=3TPB8HmZ3uCcpKtaZzu7+E2zBu47MJZK4maEFOd1rl22pH918pBZ/AuoYYfoC7FNJW5E8i kTR4lwYEKyPPjbCQ== From: Thomas Gleixner To: LKML Cc: Christophe Leroy , Mathieu Desnoyers , Andrew Cooper , Linus Torvalds , kernel test robot , Russell King , linux-arm-kernel@lists.infradead.org, x86@kernel.org, Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , linuxppc-dev@lists.ozlabs.org, Paul Walmsley , Palmer Dabbelt , linux-riscv@lists.infradead.org, Heiko Carstens , Christian Borntraeger , Sven Schnelle , linux-s390@vger.kernel.org, Julia Lawall , Nicolas Palix , Peter Zijlstra , Darren Hart , Davidlohr Bueso , =?UTF-8?q?Andr=C3=A9=20Almeida?= , Alexander Viro , Christian Brauner , Jan Kara , linux-fsdevel@vger.kernel.org Subject: [patch V3 07/12] uaccess: Provide scoped masked user access regions References: <20251017085938.150569636@linutronix.de> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Date: Fri, 17 Oct 2025 12:09:08 +0200 (CEST) Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" User space access regions are tedious and require similar code patterns all over the place: if (!user_read_access_begin(from, sizeof(*from))) return -EFAULT; unsafe_get_user(val, from, Efault); user_read_access_end(); return 0; Efault: user_read_access_end(); return -EFAULT; This got worse with the recent addition of masked user access, which optimizes the speculation prevention: if (can_do_masked_user_access()) from =3D masked_user_read_access_begin((from)); else if (!user_read_access_begin(from, sizeof(*from))) return -EFAULT; unsafe_get_user(val, from, Efault); user_read_access_end(); return 0; Efault: user_read_access_end(); return -EFAULT; There have been issues with using the wrong user_*_access_end() variant in the error path and other typical Copy&Pasta problems, e.g. using the wrong fault label in the user accessor which ends up using the wrong accesss end variant.=20 These patterns beg for scopes with automatic cleanup. The resulting outcome is: scoped_masked_user_read_access(from, Efault) unsafe_get_user(val, from, Efault); return 0; Efault: return -EFAULT; The scope guarantees the proper cleanup for the access mode is invoked both in the success and the failure (fault) path. The scoped_masked_user_$MODE_access() macros are implemented as self terminating nested for() loops. Thanks to Andrew Cooper for pointing me at them. The scope can therefore be left with 'break', 'goto' and 'return'. Even 'continue' "works" due to the self termination mechanism. Both GCC and clang optimize all the convoluted macro maze out and the above results with clang in: b80: f3 0f 1e fa endbr64 b84: 48 b8 ef cd ab 89 67 45 23 01 movabs $0x123456789abcdef,%rax b8e: 48 39 c7 cmp %rax,%rdi b91: 48 0f 47 f8 cmova %rax,%rdi b95: 90 nop b96: 90 nop b97: 90 nop b98: 31 c9 xor %ecx,%ecx b9a: 8b 07 mov (%rdi),%eax b9c: 89 06 mov %eax,(%rsi) b9e: 85 c9 test %ecx,%ecx ba0: 0f 94 c0 sete %al ba3: 90 nop ba4: 90 nop ba5: 90 nop ba6: c3 ret Which looks as compact as it gets. The NOPs are placeholder for STAC/CLAC. GCC emits the fault path seperately: bf0: f3 0f 1e fa endbr64 bf4: 48 b8 ef cd ab 89 67 45 23 01 movabs $0x123456789abcdef,%rax bfe: 48 39 c7 cmp %rax,%rdi c01: 48 0f 47 f8 cmova %rax,%rdi c05: 90 nop c06: 90 nop c07: 90 nop c08: 31 d2 xor %edx,%edx c0a: 8b 07 mov (%rdi),%eax c0c: 89 06 mov %eax,(%rsi) c0e: 85 d2 test %edx,%edx c10: 75 09 jne c1b c12: 90 nop c13: 90 nop c14: 90 nop c15: b8 01 00 00 00 mov $0x1,%eax c1a: c3 ret c1b: 90 nop c1c: 90 nop c1d: 90 nop c1e: 31 c0 xor %eax,%eax c20: c3 ret The fault labels for the scoped*() macros and the fault labels for the actual user space accessors can be shared and must be placed outside of the scope. If masked user access is enabled on an architecture, then the pointer handed in to scoped_masked_user_$MODE_access() can be modified to point to a guaranteed faulting user address. This modification is only scope local as the pointer is aliased inside the scope. When the scope is left the alias is not longer in effect. IOW the original pointer value is preserved so it can be used e.g. for fixup or diagnostic purposes in the fault path. Signed-off-by: Thomas Gleixner Cc: Christophe Leroy Cc: Mathieu Desnoyers Cc: Andrew Cooper Cc: Linus Torvalds Acked-by: Peter Zijlstra (Intel) --- V3: Make it a nested for() loop Get rid of the code in macro parameters - Linus Provide sized variants - Mathieu V2: Remove the shady wrappers around the opening and use scopes with automa= tic cleanup --- include/linux/uaccess.h | 197 +++++++++++++++++++++++++++++++++++++++++++= +++++ 1 file changed, 197 insertions(+) --- a/include/linux/uaccess.h +++ b/include/linux/uaccess.h @@ -2,6 +2,7 @@ #ifndef __LINUX_UACCESS_H__ #define __LINUX_UACCESS_H__ =20 +#include #include #include #include @@ -35,9 +36,17 @@ =20 #ifdef masked_user_access_begin #define can_do_masked_user_access() 1 +# ifndef masked_user_write_access_begin +# define masked_user_write_access_begin masked_user_access_begin +# endif +# ifndef masked_user_read_access_begin +# define masked_user_read_access_begin masked_user_access_begin +#endif #else #define can_do_masked_user_access() 0 #define masked_user_access_begin(src) NULL + #define masked_user_read_access_begin(src) NULL + #define masked_user_write_access_begin(src) NULL #define mask_user_address(src) (src) #endif =20 @@ -633,6 +642,194 @@ static inline void user_access_restore(u #define user_read_access_end user_access_end #endif =20 +/* Define RW variant so the below _mode macro expansion works */ +#define masked_user_rw_access_begin(u) masked_user_access_begin(u) +#define user_rw_access_begin(u, s) user_access_begin(u, s) +#define user_rw_access_end() user_access_end() + +/* Scoped user access */ +#define USER_ACCESS_GUARD(_mode) \ +static __always_inline void __user * \ +class_masked_user_##_mode##_begin(void __user *ptr) \ +{ \ + return ptr; \ +} \ + \ +static __always_inline void \ +class_masked_user_##_mode##_end(void __user *ptr) \ +{ \ + user_##_mode##_access_end(); \ +} \ + \ +DEFINE_CLASS(masked_user_ ##_mode## _access, void __user *, \ + class_masked_user_##_mode##_end(_T), \ + class_masked_user_##_mode##_begin(ptr), void __user *ptr) \ + \ +static __always_inline class_masked_user_##_mode##_access_t \ +class_masked_user_##_mode##_access_ptr(void __user *scope) \ +{ \ + return scope; \ +} + +USER_ACCESS_GUARD(read) +USER_ACCESS_GUARD(write) +USER_ACCESS_GUARD(rw) +#undef USER_ACCESS_GUARD + +/** + * __scoped_user_access_begin - Start the masked user access + * @_mode: The mode of the access class (read, write, rw) + * @_uptr: The pointer to access user space memory + * @_size: Size of the access + * @_elbl: Error label to goto when the access region is rejected. + * + * Internal helper for __scoped_masked_user_access(). Don't use directly + */ +#define __scoped_user_access_begin(_mode, _uptr, _size, _elbl) \ +({ \ + typeof((_uptr)) ____ret; \ + \ + if (can_do_masked_user_access()) { \ + ____ret =3D masked_user_##_mode##_access_begin((_uptr)); \ + } else { \ + ____ret =3D _uptr; \ + if (!user_##_mode##_access_begin(_uptr, (_size))) \ + goto _elbl; \ + } \ + ____ret; \ +}) + +/** + * __scoped_masked_user_access - Open a scope for masked user access + * @_mode: The mode of the access class (read, write, rw) + * @_uptr: The pointer to access user space memory + * @_size: Size of the access + * @_elbl: Error label to goto when the access region is rejected. It + * must be placed outside the scope. + * + * If the user access function inside the scope requires a fault label, it + * can use @_elvl or a difference label outside the scope, which requires + * that user access which is implemented with ASM GOTO has been properly + * wrapped. See unsafe_get_user() for reference. + * + * scoped_masked_user_rw_access(ptr, efault) { + * unsafe_get_user(rval, &ptr->rval, efault); + * unsafe_put_user(wval, &ptr->wval, efault); + * } + * return 0; + * efault: + * return -EFAULT; + * + * The scope is internally implemented as a autoterminating nested for() + * loop, which can be left with 'return', 'break' and 'goto' at any + * point. + * + * When the scope is left user_##@_mode##_access_end() is automatically + * invoked. + * + * When the architecture supports masked user access and the access region + * which is determined by @_uptr and @_size is not a valid user space + * address, i.e. < TASK_SIZE, the scope sets the pointer to a faulting user + * space address and does not terminate early. This optimizes for the good + * case and lets the performance uncritical bad case go through the fault. + * + * The eventual modification of the pointer is limited to the scope. + * Outside of the scope the original pointer value is unmodified, so that + * the original pointer value is available for diagnostic purposes in an + * out of scope fault path. + * + * Nesting scoped masked user access into a masked user access scope is + * invalid and fails the build. Nesting into other guards, e.g. pagefault + * is safe. + * + * Don't use directly. Use the scoped_masked_user_$MODE_access() instead. +*/ +#define __scoped_masked_user_access(_mode, _uptr, _size, _elbl) \ +for (bool ____stop =3D false; !____stop; ____stop =3D true) \ + for (typeof((_uptr)) _tmpptr =3D __scoped_user_access_begin(_mode, _uptr,= _size, _elbl); \ + !____stop; ____stop =3D true) \ + for (CLASS(masked_user_##_mode##_access, scope) (_tmpptr); !____stop; \ + ____stop =3D true) \ + /* Force modified pointer usage within the scope */ \ + for (const typeof((_uptr)) _uptr =3D _tmpptr; !____stop; ____stop =3D t= rue) \ + if (1) + +/** + * scoped_masked_user_read_access_size - Start a scoped user read access w= ith given size + * @_usrc: Pointer to the user space address to read from + * @_size: Size of the access starting from @_usrc + * @_elbl: Error label to goto when the access region is rejected. + * + * For further information see __scoped_masked_user_access() above. + */ +#define scoped_masked_user_read_access_size(_usrc, _size, _elbl) \ + __scoped_masked_user_access(read, (_usrc), (_size), _elbl) + +/** + * scoped_masked_user_read_access - Start a scoped user read access + * @_usrc: Pointer to the user space address to read from + * @_elbl: Error label to goto when the access region is rejected. + * + * The size of the access starting from @_usrc is determined via sizeof(*@= _usrc)). + * + * For further information see __scoped_masked_user_access() above. + */ +#define scoped_masked_user_read_access(_usrc, _elbl) \ + scoped_masked_user_read_access_size((_usrc), sizeof(*(_usrc)), _elbl) + +/** + * scoped_masked_user_read_end - End a scoped user read access + * + * Ends the scope opened with scoped_masked_user_read_access[_size]() + */ +#define scoped_masked_user_read_end() __scoped_masked_user_end() + +/** + * scoped_masked_user_write_access_size - Start a scoped user write access= with given size + * @_udst: Pointer to the user space address to write to + * @_size: Size of the access starting from @_udst + * @_elbl: Error label to goto when the access region is rejected. + * + * For further information see __scoped_masked_user_access() above. + */ +#define scoped_masked_user_write_access_size(_udst, _size, _elbl) \ + __scoped_masked_user_access(write, (_udst), (_size), _elbl) + +/** + * scoped_masked_user_write_access - Start a scoped user write access + * @_udst: Pointer to the user space address to write to + * @_elbl: Error label to goto when the access region is rejected. + * + * The size of the access starting from @_udst is determined via sizeof(*@= _udst)). + * + * For further information see __scoped_masked_user_access() above. + */ +#define scoped_masked_user_write_access(_udst, _elbl) \ + scoped_masked_user_write_access_size((_udst), sizeof(*(_udst)), _elbl) + +/** + * scoped_masked_user_rw_access_size - Start a scoped user read/write acce= ss with given size + * @_uptr Pointer to the user space address to read from and write to + * @_size: Size of the access starting from @_uptr + * @_elbl: Error label to goto when the access region is rejected. + * + * For further information see __scoped_masked_user_access() above. + */ +#define scoped_masked_user_rw_access_size(_uptr, _size, _elbl) \ + __scoped_masked_user_access(rw, (_uptr), (_size), _elbl) + +/** + * scoped_masked_user_rw_access - Start a scoped user read/write access + * @_uptr Pointer to the user space address to read from and write to + * @_elbl: Error label to goto when the access region is rejected. + * + * The size of the access starting from @_uptr is determined via sizeof(*@= _uptr)). + * + * For further information see __scoped_masked_user_access() above. + */ +#define scoped_masked_user_rw_access(_uptr, _elbl) \ + scoped_masked_user_rw_access_size((_uptr), sizeof(*(_uptr)), _elbl) + #ifdef CONFIG_HARDENED_USERCOPY void __noreturn usercopy_abort(const char *name, const char *detail, bool to_user, unsigned long offset, From nobody Fri Dec 19 06:31:29 2025 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3202331AF15; Fri, 17 Oct 2025 10:09:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695755; cv=none; b=WAWRMxmaE+mmJTe0PT+kQ7Rti3ETv0k8oe2UpFV76A6yiPlf4+SmpVhR2cbBhkjpZdHEgi+s6nCqZB2utGSzfBKlMzy0UOxF+Mjz6LFz3qNp4VhTSBHODbO6UX/iC7+jgycQl1QByd7/Au9Lz9MKw11CO+o3TMEZid7etlpxuDk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695755; c=relaxed/simple; bh=na43TUgjqW9GtM5apYEfH5YukE3UrvIAE4IgfYLHTJ0=; h=Message-ID:From:To:Subject:References:MIME-Version:Content-Type: cc:Date; b=MJTjm0xNkS0YyS/wiDctUGqj/fPA89MHHg7b/hWFoHrom1vGD3siAc6lxNVhgRlKf6f1zwBJt89mWBPQ8542zFDbgF+iAAOSVYEpMhXFgy2TG2XZE1ZajP9xUaKq93ay4MIwRdzkDdvPa4Z/Ag4nInaNdQNE0sW2lHaXPwL6a9Y= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=JcAYfksQ; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=DnX8ZWmy; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="JcAYfksQ"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="DnX8ZWmy" Message-ID: <20251017093030.315578108@linutronix.de> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1760695751; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=vd38qmen6NqGKwpBNmxeBxrmUMKgHzuu9w3FhQnzP9o=; b=JcAYfksQjgseU6JQSYgkc8FtMvPTo+BADwor0oMs+Wk9DC39l2Coe+sbE7+SDOueo3i1gw JGzB712onYnG/ENdPxx83uMwA8j+HjvyScQpX1fYKd5Q17dKeeWxIiTfCL3yaPBBgYtJnH uxT5lmG/p6AnqJZto66uFkr03ODvm2yhfKyWqXt4x/QbgkX5jLrhxBYu7qGphXY5iJzhff zoDMEx2yQkwcNlf4yDJTV9VYxcYYVa3jqYOXQiu4upVIB8qxSdV6X4By3AdGKSX5BQaMpF xroG39Z+EO5YYcDq2HlRO5gltDwITYHsE485kHCPtUjH9mUI9sjTeWv64gY1Ng== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1760695751; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=vd38qmen6NqGKwpBNmxeBxrmUMKgHzuu9w3FhQnzP9o=; b=DnX8ZWmywsPakWjMIvDYYLxa0MyU0uYz7SqZaZDlR9T/Fn9DUAXcsl7O4z6oJS67E42bZ8 CqhlmgxJxTHEi3Cg== From: Thomas Gleixner To: LKML Subject: [patch V3 08/12] uaccess: Provide put/get_user_masked() References: <20251017085938.150569636@linutronix.de> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 cc: kernel test robot , Russell King , linux-arm-kernel@lists.infradead.org, Linus Torvalds , x86@kernel.org, Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Christophe Leroy , linuxppc-dev@lists.ozlabs.org, Paul Walmsley , Palmer Dabbelt , linux-riscv@lists.infradead.org, Heiko Carstens , Christian Borntraeger , Sven Schnelle , linux-s390@vger.kernel.org, Mathieu Desnoyers , Andrew Cooper , Julia Lawall , Nicolas Palix , Peter Zijlstra , Darren Hart , Davidlohr Bueso , =?UTF-8?q?Andr=C3=A9=20Almeida?= , Alexander Viro , Christian Brauner , Jan Kara , linux-fsdevel@vger.kernel.org Date: Fri, 17 Oct 2025 12:09:10 +0200 (CEST) Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Provide conveniance wrappers around scoped masked user access similiar to put/get_user(), which reduce the usage sites to: if (!get_user_masked(val, ptr)) return -EFAULT; Signed-off-by: Thomas Gleixner Acked-by: Peter Zijlstra (Intel) --- include/linux/uaccess.h | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) --- a/include/linux/uaccess.h +++ b/include/linux/uaccess.h @@ -830,6 +830,50 @@ for (bool ____stop =3D false; !____stop; _ #define scoped_masked_user_rw_access(_uptr, _elbl) \ scoped_masked_user_rw_access_size((_uptr), sizeof(*(_uptr)), _elbl) =20 +/** + * get_user_masked - Read user data with masked access + * @_val: The variable to store the value read from user memory + * @_usrc: Pointer to the user space memory to read from + * + * Return: true if successful, false when faulted + */ +#define get_user_masked(_val, _usrc) \ +({ \ + __label__ efault; \ + typeof((_usrc)) _tmpsrc =3D (_usrc); \ + bool ____ret =3D true; \ + \ + scoped_masked_user_read_access(_tmpsrc, efault) \ + unsafe_get_user(_val, _tmpsrc, efault); \ + if (0) { \ + efault: \ + ____ret =3D false; \ + } \ + ____ret; \ +}) + +/** + * put_user_masked - Write to user memory with masked access + * @_val: The value to write + * @_udst: Pointer to the user space memory to write to + * + * Return: true if successful, false when faulted + */ +#define put_user_masked(_val, _udst) \ +({ \ + __label__ efault; \ + typeof((_udst)) _tmpdst =3D (_udst); \ + bool ____ret =3D true; \ + \ + scoped_masked_user_write_access(_tmpdst, efault) \ + unsafe_put_user(_val, _tmpdst, efault); \ + if (0) { \ + efault: \ + ____ret =3D false; \ + } \ + ____ret; \ +}) + #ifdef CONFIG_HARDENED_USERCOPY void __noreturn usercopy_abort(const char *name, const char *detail, bool to_user, unsigned long offset, From nobody Fri Dec 19 06:31:29 2025 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4756531DD8D; Fri, 17 Oct 2025 10:09:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695757; cv=none; b=KZVhncI7+q21X/BtTZKBOD6nGMarjhB02RE1dtwghUhnW37dUDqp8tlTCXEldryfJAAhPrXr8PjEmrXTzvmd+8bypcrzT9zy79ns1k7o8ud2o2GSFnOxc4YGcSqw+SY1V9wArK09iE/LuLcDIS8GKEIhoP1QAFy26nIxOiMfh9s= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695757; c=relaxed/simple; bh=be/YPhbyQ1P5Ag66r+4v+GEmNWKI0Xs5mB9mAv89AJI=; h=Message-ID:From:To:Cc:Subject:References:MIME-Version: Content-Type:Date; b=oNVWhG2R8+qYlKBhbttReNohieBD2BRXMtyvtQ79LJzzdYvRijNzhRfv0pKyC+J4/fqqNolad3i7ZXZxCsxwmHdQlAJkDkbWqy6Fq+2bD6iX+/MB551z0swbRaUo6IFXYgSmFuDzIP/VdFkFF15D8ZJ+vinmbRSl9FPil8w+Np8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=hta58kDN; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=Y3LLmuFY; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="hta58kDN"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="Y3LLmuFY" Message-ID: <20251017093030.378863263@linutronix.de> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1760695753; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=eAYIGd5fXsjzeJJB6qw0P3j1iV5OhzS8DCs61XHs+jU=; b=hta58kDNqoHEEa2fr4giEnDSVUkRAytH2cY/ek52tlnq3qWRDJ1K/krbS6McjLr93cNBLF jxOOuv3MuMs81dQjLKsp+HxNpsnTgQ/AV2HiNeFCNCOEMA5TyQDBQVDNKRi0p4vmte/Iai WI2zvCG2Lc8rTZzJwcobqA4uqJnd7maiACqPzHL4rChOYJNt1asJ1L2zIRm3uzq/0RMLy6 A8wP+wL5pOyhN/8vXVVelN3NXYs+3rSq6QISL6DP0WxsINkHDR0UUbMorXnQDZ6tuIIGZ5 6Pq6J6Lq/6Tl5eVFMQX8rlfddlnMhm/nPPww+gOl4tJKaR40xGv4tlBz/FwRNg== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1760695753; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=eAYIGd5fXsjzeJJB6qw0P3j1iV5OhzS8DCs61XHs+jU=; b=Y3LLmuFYZAakAFXAg95cIJVuHw48NRZZoUaiDyUbz89qP5xShyqzhFoiUg+TySC0spPGJK LkNvBVMjv0fTtoBA== From: Thomas Gleixner To: LKML Cc: Julia Lawall , Nicolas Palix , kernel test robot , Russell King , linux-arm-kernel@lists.infradead.org, Linus Torvalds , x86@kernel.org, Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Christophe Leroy , linuxppc-dev@lists.ozlabs.org, Paul Walmsley , Palmer Dabbelt , linux-riscv@lists.infradead.org, Heiko Carstens , Christian Borntraeger , Sven Schnelle , linux-s390@vger.kernel.org, Mathieu Desnoyers , Andrew Cooper , Peter Zijlstra , Darren Hart , Davidlohr Bueso , =?UTF-8?q?Andr=C3=A9=20Almeida?= , Alexander Viro , Christian Brauner , Jan Kara , linux-fsdevel@vger.kernel.org Subject: [patch V3 09/12] [RFC] coccinelle: misc: Add scoped_masked_$MODE_access() checker script References: <20251017085938.150569636@linutronix.de> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Date: Fri, 17 Oct 2025 12:09:12 +0200 (CEST) Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" A common mistake in user access code is that the wrong access mode is selected for starting the user access section. As most architectures map Read and Write modes to ReadWrite this goes often unnoticed for quite some time. Aside of that the scoped user access mechanism requires that the same pointer is used for the actual accessor macros that was handed in to start the scope because the pointer can be modified by the scope begin mechanism if the architecture supports masking. Add a basic (and incomplete) coccinelle script to check for the common issues. The error output is: kernel/futex/futex.h:303:2-17: ERROR: Invalid pointer for unsafe_put_user(p= ) in scoped_masked_user_write_access(to) kernel/futex/futex.h:292:2-17: ERROR: Invalid access mode unsafe_get_user()= in scoped_masked_user_write_access() Not-Yet-Signed-off-by: Thomas Gleixner Cc: Julia Lawall Cc: Nicolas Palix Acked-by: Peter Zijlstra (Intel) --- scripts/coccinelle/misc/scoped_uaccess.cocci | 108 ++++++++++++++++++++++= +++++ 1 file changed, 108 insertions(+) --- /dev/null +++ b/scripts/coccinelle/misc/scoped_uaccess.cocci @@ -0,0 +1,108 @@ +// SPDX-License-Identifier: GPL-2.0-only +/// Validate scoped_masked_user*access() scopes +/// +// Confidence: Zero +// Options: --no-includes --include-headers + +virtual context +virtual report +virtual org + +@initialize:python@ +@@ + +scopemap =3D { + 'scoped_masked_user_read_access_size' : 'scoped_masked_user_read_access= ', + 'scoped_masked_user_write_access_size' : 'scoped_masked_user_write_acces= s', + 'scoped_masked_user_rw_access_size' : 'scoped_masked_user_rw_access', +} + +# Most common accessors. Incomplete list +noaccessmap =3D { + 'scoped_masked_user_read_access' : ('unsafe_put_user', 'unsafe_cop= y_to_user'), + 'scoped_masked_user_write_access' : ('unsafe_get_user', 'unsafe_cop= y_from_user'), +} + +# Most common accessors. Incomplete list +ptrmap =3D { + 'unsafe_put_user' : 1, + 'unsafe_get_user' : 1, + 'unsafe_copy_to_user' : 0, + 'unsafe_copy_from_user' : 0, +} + +print_mode =3D None + +def pr_err(pos, msg): + if print_mode =3D=3D 'R': + coccilib.report.print_report(pos[0], msg) + elif print_mode =3D=3D 'O': + cocci.print_main(msg, pos) + +@r0 depends on report || org@ +iterator name scoped_masked_user_read_access, + scoped_masked_user_read_access_size, + scoped_masked_user_write_access, + scoped_masked_user_write_access_size, + scoped_masked_user_rw_access, + scoped_masked_user_rw_access_size; +iterator scope; +statement S; +@@ + +( +( +scoped_masked_user_read_access(...) S +| +scoped_masked_user_read_access_size(...) S +| +scoped_masked_user_write_access(...) S +| +scoped_masked_user_write_access_size(...) S +| +scoped_masked_user_rw_access(...) S +| +scoped_masked_user_rw_access_size(...) S +) +& +scope(...) S +) + +@script:python depends on r0 && report@ +@@ +print_mode =3D 'R' + +@script:python depends on r0 && org@ +@@ +print_mode =3D 'O' + +@r1@ +expression sp, a0, a1; +iterator r0.scope; +identifier ac; +position p; +@@ + + scope(sp,...) { + <+... + ac@p(a0, a1, ...); + ...+> + } + +@script:python@ +pos << r1.p; +scope << r0.scope; +ac << r1.ac; +sp << r1.sp; +a0 << r1.a0; +a1 << r1.a1; +@@ + +scope =3D scopemap.get(scope, scope) +if ac in noaccessmap.get(scope, []): + pr_err(pos, 'ERROR: Invalid access mode %s() in %s()' %(ac, scope)) + +if ac in ptrmap: + ap =3D (a0, a1)[ptrmap[ac]] + if sp !=3D ap.lstrip('&').split('->')[0].strip(): + pr_err(pos, 'ERROR: Invalid pointer for %s(%s) in %s(%s)' %(ac, ap, = scope, sp)) From nobody Fri Dec 19 06:31:29 2025 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 0EAEC31B81B; Fri, 17 Oct 2025 10:09:16 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695758; cv=none; b=n4XSf/bb1ekQqixngYwn7vosGcxxjeRY+ns29/rTMPQcfzBCUksXtth9RlyapVo/cVGyg/Kj10CdQHKQuD3QZV8QU3yP/7TApfTMrp8b6cQ1tdFXF/9FGg06dnjquFhfIdgIRsRDzZczncEQdexqjuWHfTpMbZW0lizg4socMMM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695758; c=relaxed/simple; bh=jZt3lX6b7IAxTr/Gh+f+KZ2oGjnAXKy0rws7gLHX7sw=; h=Message-ID:From:To:Cc:Subject:References:MIME-Version: Content-Type:Date; b=J2DquXuC/REAlhFDlB3xdrIYlErycq7Gcc/zJtTH6CvY2Ed8gn3VDGuFIeVCsiPPtCgjsk4XUzFq3Sgj3nlflW6hSPCzZghOF1mq633udQ8/uzyOa4A6B/PgKeL/4HOLDmK4UtAC1XUEKFIIs/cVld+GNF0VGJ67J96KTkTJ4hY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=mpkjILJo; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=tdhXCPyA; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="mpkjILJo"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="tdhXCPyA" Message-ID: <20251017093030.443142844@linutronix.de> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1760695755; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=kgiZQ2LHnoAuUeU4bAPUZQG9DpHKgtV5g2vXbnxY3WU=; b=mpkjILJoMW+NxL7mj7Gkt8KfTdP8hlJpo2Od+7iroOPr22g6zAYrA6yUvqMmBvxNsIgubm CvGY3j5HuJ+GKdxHiPMjY9rCQ53bXOmVeodjH//fzeLUVju5Bb6VUVR8AgiWuur7rbvdkV gxn/pTETiDGuMBDkvtMVlTJDHVlPeeW33L6tqfdVc7PoE4GjPdtSjlMNaKd52hrDg2+tL7 wUV768CPkGumlygCkw7AUUe6cdpax17aJuyAMZOir0K0ahKMAwQCDdK6KEUtEhAAp3+WlU 17Zuy6C9rKn8fIYmyOjnpI4ODlq+tUAt8V9oX846q250RQEpr3Ctvv7+PvRq8w== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1760695755; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=kgiZQ2LHnoAuUeU4bAPUZQG9DpHKgtV5g2vXbnxY3WU=; b=tdhXCPyA4ZEVvsSHbhYKGj01qPJmkWPTgxxpK9M9rn0Kr9sE2FveZ1mXCHtQvUnuVlAgry ZcvdOvRAb0kTDZAw== From: Thomas Gleixner To: LKML Cc: Peter Zijlstra , Darren Hart , Davidlohr Bueso , =?UTF-8?q?Andr=C3=A9=20Almeida?= , kernel test robot , Russell King , linux-arm-kernel@lists.infradead.org, Linus Torvalds , x86@kernel.org, Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Christophe Leroy , linuxppc-dev@lists.ozlabs.org, Paul Walmsley , Palmer Dabbelt , linux-riscv@lists.infradead.org, Heiko Carstens , Christian Borntraeger , Sven Schnelle , linux-s390@vger.kernel.org, Mathieu Desnoyers , Andrew Cooper , Julia Lawall , Nicolas Palix , Alexander Viro , Christian Brauner , Jan Kara , linux-fsdevel@vger.kernel.org Subject: [patch V3 10/12] futex: Convert to scoped masked user access References: <20251017085938.150569636@linutronix.de> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Date: Fri, 17 Oct 2025 12:09:14 +0200 (CEST) Content-Transfer-Encoding: quoted-printable From: Thomas Gleixner Replace the open coded implementation with the new get/put_user_masked() helpers. No functional change intended Signed-off-by: Thomas Gleixner Cc: Peter Zijlstra Cc: Darren Hart Cc: Davidlohr Bueso Cc: "Andr=C3=A9 Almeida" Acked-by: Peter Zijlstra (Intel) --- V3: Adapt to scope changes V2: Convert to scoped variant --- kernel/futex/futex.h | 37 ++----------------------------------- 1 file changed, 2 insertions(+), 35 deletions(-) --- --- a/kernel/futex/futex.h +++ b/kernel/futex/futex.h @@ -285,48 +285,15 @@ static inline int futex_cmpxchg_value_lo * This does a plain atomic user space read, and the user pointer has * already been verified earlier by get_futex_key() to be both aligned * and actually in user space, just like futex_atomic_cmpxchg_inatomic(). - * - * We still want to avoid any speculation, and while __get_user() is - * the traditional model for this, it's actually slower than doing - * this manually these days. - * - * We could just have a per-architecture special function for it, - * the same way we do futex_atomic_cmpxchg_inatomic(), but rather - * than force everybody to do that, write it out long-hand using - * the low-level user-access infrastructure. - * - * This looks a bit overkill, but generally just results in a couple - * of instructions. */ static __always_inline int futex_get_value(u32 *dest, u32 __user *from) { - u32 val; - - if (can_do_masked_user_access()) - from =3D masked_user_access_begin(from); - else if (!user_read_access_begin(from, sizeof(*from))) - return -EFAULT; - unsafe_get_user(val, from, Efault); - user_read_access_end(); - *dest =3D val; - return 0; -Efault: - user_read_access_end(); - return -EFAULT; + return get_user_masked(*dest, from) ? 0 : -EFAULT; } =20 static __always_inline int futex_put_value(u32 val, u32 __user *to) { - if (can_do_masked_user_access()) - to =3D masked_user_access_begin(to); - else if (!user_write_access_begin(to, sizeof(*to))) - return -EFAULT; - unsafe_put_user(val, to, Efault); - user_write_access_end(); - return 0; -Efault: - user_write_access_end(); - return -EFAULT; + return put_user_masked(val, to) ? 0 : -EFAULT; } =20 static inline int futex_get_value_locked(u32 *dest, u32 __user *from) From nobody Fri Dec 19 06:31:29 2025 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 22DC4320A39; Fri, 17 Oct 2025 10:09:19 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695760; cv=none; b=RCTPPwaMzKe/RTI4ksEqu7/RNJ/7NNbZKbhynSz5oy6szrFY/hXjQoBdbcLlxT9uZbKeJnXJnyCaQw2AfpAQ2n9nUsNH/Kmdi1wbj/gMrR3OZH/KNYJIIH2d1Nv2ZB5ZEv+TqhVNtsfrR/s1SM/KHw6wT9RhwajoxnouysTF5eQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695760; c=relaxed/simple; bh=A3pdkVAofqRGXnioJKEyMVyfLGqb8bD7W/o454hellk=; h=Message-ID:From:To:Cc:Subject:References:MIME-Version: Content-Type:Date; b=BShd1dXseUsQlV5yGoYZybFfC1Sw1slB9zHdQZK552vtRX5U4LXEL2RFvlICBtW/i0/0v9qOeTEuttA845v0y+ycuigVWC8hv+A1B2BgeCkqUgMKsp7M1Ad/vvP3sm6vE5QId8+4tfe1lMNrWdGhzFwrsDC77v+E/rEs/pFS0/8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=IxmzYTBf; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=tXLovSJd; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="IxmzYTBf"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="tXLovSJd" Message-ID: <20251017093030.506939239@linutronix.de> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1760695757; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=imtHkr/s1EgDhFpHdqDFKeA7fLJRHDRNr716F17Aia0=; b=IxmzYTBfKeP9PdlygwW7c3ZP9RsEre+9I9Ey2tCdF2r4gM5hRSxvZOgB2ZLVGOdPGXmKU1 +c28eI+CQpneZgUdj/lriB9ag5dTOGtuqXD15nxa5UXlpIpMczCKiocdjT0TVrERWiHUyx B1W1XHif/HWSLsDJ1nx87OhoXNRPlg8O5YXz2UGSMHh3EdLm4J1Uj7udO1S/MhoJ2JUuwm YRwTS4vWjwKj+jetDYmTFxWTdSdvwVOj336LD4FgupH+XPVMUYSslfG3wlPbFb8EhUw/kW 9X4Sd0io6pZfWY+0dDBIBCP78dmmq/qY+yUiuFO6HoBDI1YBYics9RbbUuLpQA== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1760695757; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=imtHkr/s1EgDhFpHdqDFKeA7fLJRHDRNr716F17Aia0=; b=tXLovSJd0rwq2r5yozTcKThhOnpAdq0BuaTsusGQM16gqfWgKUw8QGS1yKgXpz/pjSKgCv yXO1lDz+ddt6kiAA== From: Thomas Gleixner To: LKML Cc: x86@kernel.org, kernel test robot , Russell King , linux-arm-kernel@lists.infradead.org, Linus Torvalds , Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Christophe Leroy , linuxppc-dev@lists.ozlabs.org, Paul Walmsley , Palmer Dabbelt , linux-riscv@lists.infradead.org, Heiko Carstens , Christian Borntraeger , Sven Schnelle , linux-s390@vger.kernel.org, Mathieu Desnoyers , Andrew Cooper , Julia Lawall , Nicolas Palix , Peter Zijlstra , Darren Hart , Davidlohr Bueso , =?UTF-8?q?Andr=C3=A9=20Almeida?= , Alexander Viro , Christian Brauner , Jan Kara , linux-fsdevel@vger.kernel.org Subject: [patch V3 11/12] x86/futex: Convert to scoped masked user access References: <20251017085938.150569636@linutronix.de> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Date: Fri, 17 Oct 2025 12:09:16 +0200 (CEST) Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Replace the open coded implementation with the scoped masked user access guards No functional change intended. Signed-off-by: Thomas Gleixner Cc: x86@kernel.org Acked-by: Peter Zijlstra (Intel) --- V3: Adapt to scope changes V2: Convert to scoped masked access Use RW access functions - Christophe --- arch/x86/include/asm/futex.h | 75 ++++++++++++++++++--------------------= ----- 1 file changed, 33 insertions(+), 42 deletions(-) --- --- a/arch/x86/include/asm/futex.h +++ b/arch/x86/include/asm/futex.h @@ -46,38 +46,31 @@ do { \ } while(0) =20 static __always_inline int arch_futex_atomic_op_inuser(int op, int oparg, = int *oval, - u32 __user *uaddr) + u32 __user *uaddr) { - if (can_do_masked_user_access()) - uaddr =3D masked_user_access_begin(uaddr); - else if (!user_access_begin(uaddr, sizeof(u32))) - return -EFAULT; - - switch (op) { - case FUTEX_OP_SET: - unsafe_atomic_op1("xchgl %0, %2", oval, uaddr, oparg, Efault); - break; - case FUTEX_OP_ADD: - unsafe_atomic_op1(LOCK_PREFIX "xaddl %0, %2", oval, - uaddr, oparg, Efault); - break; - case FUTEX_OP_OR: - unsafe_atomic_op2("orl %4, %3", oval, uaddr, oparg, Efault); - break; - case FUTEX_OP_ANDN: - unsafe_atomic_op2("andl %4, %3", oval, uaddr, ~oparg, Efault); - break; - case FUTEX_OP_XOR: - unsafe_atomic_op2("xorl %4, %3", oval, uaddr, oparg, Efault); - break; - default: - user_access_end(); - return -ENOSYS; + scoped_masked_user_rw_access(uaddr, Efault) { + switch (op) { + case FUTEX_OP_SET: + unsafe_atomic_op1("xchgl %0, %2", oval, uaddr, oparg, Efault); + break; + case FUTEX_OP_ADD: + unsafe_atomic_op1(LOCK_PREFIX "xaddl %0, %2", oval, uaddr, oparg, Efaul= t); + break; + case FUTEX_OP_OR: + unsafe_atomic_op2("orl %4, %3", oval, uaddr, oparg, Efault); + break; + case FUTEX_OP_ANDN: + unsafe_atomic_op2("andl %4, %3", oval, uaddr, ~oparg, Efault); + break; + case FUTEX_OP_XOR: + unsafe_atomic_op2("xorl %4, %3", oval, uaddr, oparg, Efault); + break; + default: + return -ENOSYS; + } } - user_access_end(); return 0; Efault: - user_access_end(); return -EFAULT; } =20 @@ -86,21 +79,19 @@ static inline int futex_atomic_cmpxchg_i { int ret =3D 0; =20 - if (can_do_masked_user_access()) - uaddr =3D masked_user_access_begin(uaddr); - else if (!user_access_begin(uaddr, sizeof(u32))) - return -EFAULT; - asm volatile("\n" - "1:\t" LOCK_PREFIX "cmpxchgl %3, %2\n" - "2:\n" - _ASM_EXTABLE_TYPE_REG(1b, 2b, EX_TYPE_EFAULT_REG, %0) \ - : "+r" (ret), "=3Da" (oldval), "+m" (*uaddr) - : "r" (newval), "1" (oldval) - : "memory" - ); - user_access_end(); - *uval =3D oldval; + scoped_masked_user_rw_access(uaddr, Efault) { + asm volatile("\n" + "1:\t" LOCK_PREFIX "cmpxchgl %3, %2\n" + "2:\n" + _ASM_EXTABLE_TYPE_REG(1b, 2b, EX_TYPE_EFAULT_REG, %0) \ + : "+r" (ret), "=3Da" (oldval), "+m" (*uaddr) + : "r" (newval), "1" (oldval) + : "memory"); + *uval =3D oldval; + } return ret; +Efault: + return -EFAULT; } =20 #endif From nobody Fri Dec 19 06:31:29 2025 Received: from galois.linutronix.de (Galois.linutronix.de [193.142.43.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D3E72320CCA; Fri, 17 Oct 2025 10:09:20 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=193.142.43.55 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695763; cv=none; b=qSKLbxuu+clzQcZ00rOBTFhQnlLgk3/LR40j3PGXvDBA2bOhU8oeGGRuiunjyjZhCaB2otnUhffN4Dt2bTwA3fBcSt+vfem5e5fjU6ZTCLZAYGUXhcrpmhVhN7bkjzbdZrT/Uj63o76TrAJLkTHDG9p059LWvGiQL3HzfUOONeQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760695763; c=relaxed/simple; bh=JB1wWLqgBD068mwsnwSg83owykU7Yonrry4abca5MAE=; h=Message-ID:From:To:Cc:Subject:References:MIME-Version: Content-Type:Date; b=ontSjJ3myHddHelJVzf1p2JpR1wcqhWfAspnH9gPTgAwwiHPh740JPHuaqarpvTjPTR6yiAe8QmZACUKBgaV0k2dp9vOXiZDDjbFhc4o8Aht9m2SfY+EI9Wt1Iqdss98JtmbDAN6xEeR65zhpVHZltN6oP7irvpJL53zktuF//M= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de; spf=pass smtp.mailfrom=linutronix.de; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=C9k9phXB; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b=NqCfqZvI; arc=none smtp.client-ip=193.142.43.55 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linutronix.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linutronix.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="C9k9phXB"; dkim=permerror (0-bit key) header.d=linutronix.de header.i=@linutronix.de header.b="NqCfqZvI" Message-ID: <20251017093030.570048808@linutronix.de> DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020; t=1760695759; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=pR7+HoSAZ5DPHGbJNIgf4IBT7k17Ap8Nygw2CprMOJk=; b=C9k9phXBv3eSc0l2GIAi2J0FDFvKBMovIjwdFiDy0e0i1kEvIzJQWQtsVykSYWQA3zjanX qK3FqAmeA4xpyNd7UTfXnUV56EjTSIUeQtC9nFHZEArPQ/fbOm6glmVPTvfaVQoaS64AGl c0H5PbeukmuOWNI3zg7uznrWybvjBa9ctDylchNsPz63c2AcGkhbqt2XawHnh2gquvGOiY QZ6/TwVeXt4VR/n2CM0osByZwoQCPo5GbmlRV84rc5i3dXEBh5eUrp9liWqkWxgX8mlObi ABikS60oKdGSbS6eP+JMOOnnRu35rw9ZacukDYaMdGK1k0mW/MewxBrep5VpHQ== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=linutronix.de; s=2020e; t=1760695759; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: references:references; bh=pR7+HoSAZ5DPHGbJNIgf4IBT7k17Ap8Nygw2CprMOJk=; b=NqCfqZvIshq24z2AZVleQwm35Sz2Df1iT0581FbObZM20gQEQEv4ZdvC1q1Mdnah93RMie jPyBo6i+7usluCDg== From: Thomas Gleixner To: LKML Cc: Alexander Viro , Christian Brauner , Jan Kara , linux-fsdevel@vger.kernel.org, kernel test robot , Russell King , linux-arm-kernel@lists.infradead.org, Linus Torvalds , x86@kernel.org, Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Christophe Leroy , linuxppc-dev@lists.ozlabs.org, Paul Walmsley , Palmer Dabbelt , linux-riscv@lists.infradead.org, Heiko Carstens , Christian Borntraeger , Sven Schnelle , linux-s390@vger.kernel.org, Mathieu Desnoyers , Andrew Cooper , Julia Lawall , Nicolas Palix , Peter Zijlstra , Darren Hart , Davidlohr Bueso , =?UTF-8?q?Andr=C3=A9=20Almeida?= Subject: [patch V3 12/12] select: Convert to scoped masked user access References: <20251017085938.150569636@linutronix.de> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Date: Fri, 17 Oct 2025 12:09:18 +0200 (CEST) Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Thomas Gleixner Replace the open coded implementation with the scoped masked user access guard. No functional change intended. Signed-off-by: Thomas Gleixner Cc: Alexander Viro Cc: Christian Brauner Cc: Jan Kara Cc: linux-fsdevel@vger.kernel.org Acked-by: Peter Zijlstra (Intel) --- V3: Adopt to scope changes --- fs/select.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) --- --- a/fs/select.c +++ b/fs/select.c @@ -776,17 +776,13 @@ static inline int get_sigset_argpack(str { // the path is hot enough for overhead of copy_from_user() to matter if (from) { - if (can_do_masked_user_access()) - from =3D masked_user_access_begin(from); - else if (!user_read_access_begin(from, sizeof(*from))) - return -EFAULT; - unsafe_get_user(to->p, &from->p, Efault); - unsafe_get_user(to->size, &from->size, Efault); - user_read_access_end(); + scoped_masked_user_rw_access(from, Efault) { + unsafe_get_user(to->p, &from->p, Efault); + unsafe_get_user(to->size, &from->size, Efault); + } } return 0; Efault: - user_read_access_end(); return -EFAULT; }