From: Christophe Leroy
To: Alexander Viro, Christian Brauner, Jan Kara, Thomas Gleixner, Ingo Molnar, Peter Zijlstra, Darren Hart, Davidlohr Bueso, "Andre Almeida", Andrew Morton, Eric Dumazet, Kuniyuki Iwashima, Paolo Abeni, Willem de Bruijn, "David S. Miller", Jakub Kicinski, Simon Horman, Daniel Borkmann, Dave Hansen, Madhavan Srinivasan, Michael Ellerman, Nicholas Piggin
Cc: Christophe Leroy, linux-block@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linuxppc-dev@lists.ozlabs.org
Subject: [PATCH v4 02/10] uaccess: Add speculation barrier to copy_from_user_iter()
Date: Thu, 6 Nov 2025 12:31:20 +0100
Message-ID: <598e9ec31716ce351f1456c81eee140477d4ecc4.1762427933.git.christophe.leroy@csgroup.eu>
X-Mailer: git-send-email 2.49.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The results of "access_ok()" can be mis-speculated. The result is that
you can end speculatively:

	if (access_ok(from, size))
		// Right here

For the same reason as done in copy_from_user() by
commit 74e19ef0ff80 ("uaccess: Add speculation barrier to
copy_from_user()"), add a speculation barrier to copy_from_user_iter().

See commit 74e19ef0ff80 ("uaccess: Add speculation barrier to
copy_from_user()") for more details.

Signed-off-by: Christophe Leroy --- lib/iov_iter.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/lib/iov_iter.c b/lib/iov_iter.c index a589935bf3025..896760bad455f 100644 --- a/lib/iov_iter.c +++ b/lib/iov_iter.c @@ -49,11 +49,19 @@ size_t copy_from_user_iter(void __user *iter_from, size= _t progress, =20 if (should_fail_usercopy()) return len; - if (can_do_masked_user_access()) + if (can_do_masked_user_access()) { iter_from =3D mask_user_address(iter_from); - else if (!access_ok(iter_from, len)) - return res; + } else { + if (!access_ok(iter_from, len)) + return res; =20 + /* + * Ensure that bad access_ok() speculation will not + * lead to nasty side effects *after* the copy is + * finished: + */ + barrier_nospec(); + } to +=3D progress; instrument_copy_from_user_before(to, iter_from, len); res =3D raw_copy_from_user(to, iter_from, len); --=20 2.49.0
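
Review bot: In the new else branch of copy_from_user_iter(), the comment above barrier_nospec() says the barrier guards against side effects "*after* the copy is finished", but the barrier sits before raw_copy_from_user(), so the wording does not match where the fence actually takes effect. Consider rewording it to say that the copy must not start until the access_ok() check has resolved, so a reader does not go looking for a second barrier after the copy. The can_do_masked_user_access() branch now gets braces but no barrier and no comment; a one-line comment there stating why the mask_user_address() path is left without barrier_nospec() would make the asymmetry between the two branches explicit. The changelog example ("if (access_ok(from, size)) // Right here") is also terse enough that it only makes sense after reading commit 74e19ef0ff80; one sentence naming what is reached speculatively would let this message stand on its own.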