| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 12 May 2017 18:00:44 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Al Viro <viro@...iv.linux.org.uk>
Cc: Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
"linux-arch@...r.kernel.org" <linux-arch@...r.kernel.org>
Subject: Re: [git pull] uaccess-related bits of vfs.git
So I should have asked earlier, but I was feeling rather busy during
the early merge window..
On Sun, Apr 30, 2017 at 8:45 PM, Al Viro <viro@...iv.linux.org.uk> wrote:
> uaccess unification pile. It's _not_ the end of uaccess work, but
> the next batch of that will go into the next cycle. This one mostly takes
> copy_from_user() and friends out of arch/* and gets the zero-padding behaviour
> in sync for all architectures.
> Dealing with the nocache/writethrough mess is for the next cycle;
> fortunately, that's x86-only.
So I'm actually more interested to hear if you have any pending work
on cleaning up the __get/put_user() mess we have. Is that on your
radar at all?
In particular, right now, both __get_user() and __put_user() are nasty
and broken interfaces.
It *used* to be that they were designed to just generate a single
instruction. That's not what they currently do at all, due to the
whole SMAP/PAN on x86 and arm.
For example, on x86, right now a single __put_user() call ends up
generating something like
#APP
# 58 "./arch/x86/include/asm/smap.h" 1
661:
662:
.skip -(((6651f-6641f)-(662b-661b)) > 0) * ((6651f-6641f)-(662b-661b)),0x90
663:
.pushsection .altinstructions,"a"
.long 661b - .
.long 6641f - .
.word ( 9*32+20)
.byte 663b-661b
.byte 6651f-6641f
.byte 663b-662b
.popsection
.pushsection .altinstr_replacement, "ax"
6641:
.byte 0x0f,0x01,0xcb
6651:
.popsection
# 0 "" 2
#NO_APP
xorl %eax, %eax # __pu_err
#APP
# 269 "fs/readdir.c" 1
1: movq %rcx,8(%rdi) # offset, MEM[(struct __large_struct *)_16]
2:
.section .fixup,"ax"
3: mov $-14,%eax #, __pu_err
jmp 2b
.previous
.pushsection "__ex_table","a"
.balign 4
.long (1b) - .
.long (3b) - .
.long (ex_handler_default) - .
.popsection
# 0 "" 2
# 52 "./arch/x86/include/asm/smap.h" 1
661:
662:
.skip -(((6651f-6641f)-(662b-661b)) > 0) * ((6651f-6641f)-(662b-661b)),0x90
663:
.pushsection .altinstructions,"a"
.long 661b - .
.long 6641f - .
.word ( 9*32+20)
.byte 663b-661b
.byte 6651f-6641f
.byte 663b-662b
.popsection
.pushsection .altinstr_replacement, "ax"
6641:
.byte 0x0f,0x01,0xca
6651:
.popsection
# 0 "" 2
#NO_APP
and while much of that is out-of-line and in different sections, it
basically means that it's insane how we inline these things.
Yes, yes, the inlined part of the above horror-story ends up being just
clac
xor %eax,%eax
mov %rcx,0x8(%rdi)
stac
and everything else is just boiler-plate for the alt-instruction
handling and the exception handling.
But even that small thing is rather debatable from a performance
angle: the actual cost of __put_user() these days is not the function
call, but the clac/stac (on modern x86) and the PAN bit games (on
arm).
So I'm actually inclined to just say "We should make
__get_user/__put_user() just be aliases for the normal
get_user/put_user() model".
The *correct* way to do fast user space accesses when you hoist error
checking outside is to use
if (!access_ok(..))
goto efault;
user_access_begin();
..
... loop over or otherwise do multiple "raw" accessess ...
unsafe_get/put_user(c, ptr, got_fault);
unsafe_get/put_user(c, ptr, got_fault);
...
user_access_end();
return 0;
got_fault:
user_access_end();
efault:
return -EFAULT;
which is more boilerplate, but ends up generating much better code.
And for "unsafe_put_user()" in particular, we actually could teach gcc
to use "asm goto" to really improve code generation. I have patches
for that if you want to look.
I'm attaching an example patch for "filldir()" that does that modern
thing. It almost had the right form as-is anyway, and under some loads
(eg "find") filldir actually shows up in profiles too.\
And just from a code generation standpoint, look at what the attached
patch does:
[torvalds@i7 linux]$ diff -u fs/readdir.s ~/readdir.s | diffstat
readdir.s | 548 ++++++++++++++++++++++----------------------------------------
1 file changed, 201 insertions(+), 347 deletions(-)
just from getting rid of that crazy repeated SMAP overhead.
Yeah, yeah, doing diffstat on generated assembly files is all kinds of
crazy, but it's an example of what kind of odd garbage we currently
generate.
But the *first* thing I'd like to do would be to just get rid of
__get_user/__put_user as a thing. It really does generate nasty code,
and we might as well just make it do that function call.
Because what we do now isn't right. If we care about performance, the
"__xyz_user" versions are wrong (use unsafe_xyz_user() instead). And
if you don't care about performance, you should use the regular
xyz_user() functions that do an ok job by just calling the right-sized
helper function instead of inlining the crud.
Hmm?
Linus
View attachment "patch.diff" of type "text/plain" (1378 bytes)
Powered by blists - more mailing lists