From patchwork Tue May 28 14:58:03 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alice Ryhl X-Patchwork-Id: 13676938 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 58302C27C43 for ; Tue, 28 May 2024 14:58:25 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id C337D6B009E; Tue, 28 May 2024 10:58:24 -0400 (EDT) Received: by kanga.kvack.org (Postfix, from userid 40) id BE5D56B009F; Tue, 28 May 2024 10:58:24 -0400 (EDT) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 9E73F6B00A0; Tue, 28 May 2024 10:58:24 -0400 (EDT) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16]) by kanga.kvack.org (Postfix) with ESMTP id 777926B009E for ; Tue, 28 May 2024 10:58:24 -0400 (EDT) Received: from smtpin12.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay08.hostedemail.com (Postfix) with ESMTP id 21A6E141316 for ; Tue, 28 May 2024 14:58:24 +0000 (UTC) X-FDA: 82168110528.12.C8C09B5 Received: from mail-lf1-f73.google.com (mail-lf1-f73.google.com [209.85.167.73]) by imf03.hostedemail.com (Postfix) with ESMTP id 2333A20002 for ; Tue, 28 May 2024 14:58:20 +0000 (UTC) Authentication-Results: imf03.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=OzXiguX5; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf03.hostedemail.com: domain of 3C_FVZgkKCH4cnkegt0jniqqing.eqonkpwz-oomxcem.qti@flex--aliceryhl.bounces.google.com designates 209.85.167.73 as permitted sender) smtp.mailfrom=3C_FVZgkKCH4cnkegt0jniqqing.eqonkpwz-oomxcem.qti@flex--aliceryhl.bounces.google.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1716908301; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=TDs1IJHnbNwo/zETkdmKSImuTQj5Z+oesXCPuXUO86Y=; b=GpB47NHGCM2mxWftalYQdTCS5XUUFg8yyUrpeFgLx2ixihf1SRH7MdHOKhxKCOIsnJ2U1E 3U91HczYO7/uPz2vcMwsbkvqW9xRHflDUVpy3HnCpzxu51UUS6+d/GdwortJ6n/5HEslXe h10kKJqqxMm+JvBm99hzFDEk2dKYG70= ARC-Authentication-Results: i=1; imf03.hostedemail.com; dkim=pass header.d=google.com header.s=20230601 header.b=OzXiguX5; dmarc=pass (policy=reject) header.from=google.com; spf=pass (imf03.hostedemail.com: domain of 3C_FVZgkKCH4cnkegt0jniqqing.eqonkpwz-oomxcem.qti@flex--aliceryhl.bounces.google.com designates 209.85.167.73 as permitted sender) smtp.mailfrom=3C_FVZgkKCH4cnkegt0jniqqing.eqonkpwz-oomxcem.qti@flex--aliceryhl.bounces.google.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1716908301; a=rsa-sha256; cv=none; b=jGC5XRfNU9a4+R6vSBl3H+erJm1VtrdYHjxQt+BLjIelJhbgyZnwtBcMIcpRUO8+XHEFNS KRYo+gxyqYKVv9czDwFN+7VWtJgReLmZtYUbH7YMyN5VR4/PAgLJIB4qlm8PwRPb0hQa7w Gi55PodP5P+LZFBSe+O2A2EtdTI3CIQ= Received: by mail-lf1-f73.google.com with SMTP id 2adb3069b0e04-529a5b739cbso461243e87.0 for ; Tue, 28 May 2024 07:58:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1716908299; x=1717513099; darn=kvack.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=TDs1IJHnbNwo/zETkdmKSImuTQj5Z+oesXCPuXUO86Y=; b=OzXiguX5W0tC901seBbtqH4NNpFJPW8ZPFsYUp0QtA/BNNylZbGf+UaAy3RHSCn7ZV r2EssO2tBp4bE7u6vvX1UrJxlW+ccaznYfjgLJ/ukFdkd9J5gypvxLQZcOShdhoDn55V Hr8VUTpbVlClhzd8PxyaaYbymtI2oo25S+an0Mloe6QSlzuJV9y3xjEoWVJUupvD6zJO gf3879hx7ZsOrgSJcU8haEA1bHDaVlPS6qPDy2sYeK++NsL+JYRBdmg7PL3IKCpH56iC hJs1gVJn+6CGN3ZQdPG5+921OVN01OMtsH9z9tpLyL8jd+tHNg0/s7BRQ9gvmB9RUL7d Acnw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716908299; x=1717513099; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=TDs1IJHnbNwo/zETkdmKSImuTQj5Z+oesXCPuXUO86Y=; b=fUCYkZRXNcKS33GqzB4T0I14/gkChJlcqD8v5muLUnv9/92IPnqs2VPItD2U04QsvA oVVggyGuHtPHaACNY2x8Y8lVoF6fnqiDrz31wXC0KT0ol5xyTq0RyqRfpXtBI6hA1gEj WIAQZKcip7So0vh54NgtEBpSgSHlkpeLK0jTVI+cvdoYHKUrhyfXKMOF6yNwLZ8VcBo4 CNnijCQSNDz2I6j2vaJDI2CbN0tU0lBSqqgfSB4Vv2rc+6YrNsqV/30ZC7skBfbxSeaG kih9wgMJGta7z1Vg2yqIX6inI638S1Sb5x56an+CBbfKbMrX82ioABUUuExMkdFkFtHh Dehg== X-Forwarded-Encrypted: i=1; AJvYcCUoqA8YWcPGr70G1ttVU1Ytm1gjiXtMiYwJflKOQZVfjxDJdhk5I+ETq7ZTq8iodYVsPTYOj/t2EHIP13ns2FJ7Vlc= X-Gm-Message-State: AOJu0YyDVSnyJf6Et2frDgEzpqptgUM1kNhZvj64+vbEgbrDUUgZYi6F nw+hjB5WCJeZu0tF+83fUIG41nu1U0hvVc3InU/OyFlNXPlTwOcmxK75KtJGQnY80bx1U0J9gFW K9p5EoQLMRJtFmg== X-Google-Smtp-Source: AGHT+IE0/smWA0nv7DnIzJunDnNDJqSN2EHjtIqsT2/sKJP0Nv5knZ9MVxp5tyeosgZSBFdOKEeD2mUHzkRd5q0= X-Received: from aliceryhl2.c.googlers.com ([fda3:e722:ac3:cc00:68:949d:c0a8:572]) (user=aliceryhl job=sendgmr) by 2002:a05:6512:4508:b0:527:4ba:5c90 with SMTP id 2adb3069b0e04-527f16c29eemr16354e87.4.1716908299488; Tue, 28 May 2024 07:58:19 -0700 (PDT) Date: Tue, 28 May 2024 14:58:03 +0000 In-Reply-To: <20240528-alice-mm-v7-0-78222c31b8f4@google.com> Mime-Version: 1.0 References: <20240528-alice-mm-v7-0-78222c31b8f4@google.com> X-Developer-Key: i=aliceryhl@google.com; a=openpgp; fpr=49F6C1FAA74960F43A5B86A1EE7A392FDE96209F X-Developer-Signature: v=1; a=openpgp-sha256; l=5419; i=aliceryhl@google.com; h=from:subject:message-id; bh=yETbsBE1UqQkTUzr6kFMmtAy1ZCV9RovzSXiqjWQMC0=; b=owEBbQKS/ZANAwAKAQRYvu5YxjlGAcsmYgBmVfEBZqo9IvVPwPO5CrRJ9S+efkmY181jkflVc +WDKDaJ64KJAjMEAAEKAB0WIQSDkqKUTWQHCvFIvbIEWL7uWMY5RgUCZlXxAQAKCRAEWL7uWMY5 RueSD/4wGfhLRtZZBSvagz2Tr+7o+akzMLKWhMQWrJ8eKjNds02I9WbzFLZQUGXQ+4RqiLvddU4 n8fLx3irk1ez8T2CEBs2O9zrruwTzwEi76SM9MbP9366gM1BH3RZV/48csVSYgCW6qUBSdVqE3r S4Yk9ttNOYeJxILvebO8goJJgqQIcmyI7J8JG7HlmLdq33wrdNfNwCvH1bkxj27/BzRUqOAnRdG 4emSEQudPjgRcQAUqYek+ZPl1t70K18AjpySXsRtbvdPk84CpoCMCUBmx0q9XIbEs96+qBvCjmU saj6XzYGCChZpUMn4ERwoPTvmnIrKCcc4PDYxImnLEi7TsXDbrEMBpP3bRIVjupFwEpskKqI6Oe 7fZ1KycxvBFAq+/Cp/wiYClD0TxxK41XS9oK/qRukR9BlMHf0zadfQlwnx4dbMLyxGk7Fl2hlwH G0Sc3XFE0Mkud0WOFEKQ+0l85lZq/vTdHxYqzjUCmhlg8nkMrF4IfRAdk9R7EZvdWy1ioq7PUMD xEsXLgsyhIdd3nDBtRIFjIXNkeXeMrgy/tnBwk/hCIIM+bFJcx3e/6JvMdWJVhIBI1SEYxLjzyB zxqRBpw1O+VulD9zCEJFIthq2o0jSikBBtciQBV+VZFr/debLYs26gcJTVHfDPh/jOhqRPdf/sO swwxMcc0sTnOzbg== X-Mailer: b4 0.13-dev-26615 Message-ID: <20240528-alice-mm-v7-2-78222c31b8f4@google.com> Subject: [PATCH v7 2/4] uaccess: always export _copy_[from|to]_user with CONFIG_RUST From: Alice Ryhl To: Miguel Ojeda , Matthew Wilcox , Al Viro , Andrew Morton , Kees Cook Cc: Alex Gaynor , Wedson Almeida Filho , Boqun Feng , Gary Guo , " =?utf-8?q?Bj=C3=B6rn_Roy_Baron?= " , Benno Lossin , Andreas Hindborg , Greg Kroah-Hartman , " =?utf-8?q?Arve_Hj=C3=B8?= =?utf-8?q?nnev=C3=A5g?= " , Todd Kjos , Martijn Coenen , Joel Fernandes , Carlos Llamas , Suren Baghdasaryan , Arnd Bergmann , Trevor Gross , linux-mm@kvack.org, linux-kernel@vger.kernel.org, rust-for-linux@vger.kernel.org, Alice Ryhl , Christian Brauner X-Rspamd-Queue-Id: 2333A20002 X-Stat-Signature: q9dtwwgwmamzrecetdm8xaa9noom8qs7 X-Rspam-User: X-Rspamd-Server: rspam04 X-HE-Tag: 1716908300-198066 X-HE-Meta: U2FsdGVkX18gnLuS+09ZcVIDmsJQ8NB7LbkNqqUZl3j5m1Z1/mkgHkFw1ByoRhGIcOmY8HKpyD534KseHVOEs4gBXynvsv/7WNOjOlc7ehGh7aIwBwud/Dw+OQRvI4d4k29lOoSuQGH/H77XNEqCQ2zmGLEGR+0j95i4NsCC8HxjAA4EPHUUFKqMFQEOykD9xa//OMSPx3GY4u+sJPfgJ6s3fSj13UnygF+BHvqRlf9gRyQVg/zlqWzRF8N/ZyzYwJaRI5PzUxrjZxrxSuWFbZU6Hezbc0s1C6J/+uD4/Dg84xEv0gF9pzP1MaMNcjWFGJ1lSbWYiQeoLPGMfZkWrpdd0C396AJKhk4m9hxqKmiIZL0cTa0ozVI+icx+ktUg7My437aLwCT7qQSmnPfXMvCSqs5UQ53BLKOzZ5o7ulPw5bJnbtD1fVFWb/32In4EMibcz9GrK9cq0cCdXkV8ZkB9Kd2LeTSJYoT6gyrByTTgZ1ifEPB+cNiCymNfcVmHzSvu4asFJkt4EdHE8/2tICK8VZKWC36HREPpkDQym54fLHx3QG8w6Sxno+sWUjdDPnfiDXKWBlTU1Gb9JuExrL0tU0n3+EQmVDRJYSDlH3YXPq74Sr2oun45Dn00dJAFW7Eh7ekngzkZrnD3vUeE33cOZKTJnueJz0fmtOJ/t4kR5zK25Cw6v4LRknK8JvUbBNkEw20PIkr1dAKQ6gSw3zMk+1Ng3mkHcYgcYvqbdOd8l4iO1DLzoABQik2r7blYh6FiL/2yw3NSGrSjcWV+w5l2hyEvG46xjuxZtbbUJok2o9eU1QUNfk4JU5H1615ir5o6A8Rom6MAbcCDxdjz4uYkPkQyaXx2ZkZp0An9PS3ECJHrs1YXcWnv1GCdD/TzR+RalfIy72LbQwSLXNSWybu9BlAIAqy6RJCkYbwDuVB6chr98b39JcYT7/yUgGXpPQqjH0PIHaId8oRMjQd q/E+Y7kl BVNdgdjn3Cf69SZZcNUCytWdK5jNrd51dm15Qwpk8E7/MMmyRVVmtef149GnhPDWN1GFjhWggRuaWw56Zx/eYW857BMfhVIQXtFE53Ev+qcMAFkde13ZoZOj39VOy6sLNsnJmnacuHg21G/5ySBu6JATB2SuzskyCjBb7RdiREzZpBszAhTJVCF/G6Eo0lNSk/V1nWA6D8jwjATsJHc+wluXAGMHwtnSJ+5jJjzW0Q9jIAQV+5PlygdOZ6tT6FxBEn07U+GhbYbzvKtcdVMiFdWfBcyoYto3bdCL332yGuP6tTuAe77ay+jlNjaqn3apmA9RVZlrjyVxao84E1t4CvyNFy872A0wTQ69Fub1llGUhY2On+AMWiH1F1deBipnjfw77SDXd/0wp+Ke+HBwqCyZzW0ji5knlsHPehgQbVbkKQ6SueBspEswejPyOu+f2lMUCiBSkz/heUCh7kpMPwHTyGgbRB2zcYYP/o+T+aREEqWevJilZ9P58tRDE3JPEYSiDfXT2v0QUuPUdbFyaXYHtnu6WuQzCg0xCcoP6eeFU7WLLn5j37LYQ49PGKaAHaciy9A1zvuFVaKe56auXVj32cdkbu24a2gIQjWcHJseykLr06bAByxWXPfJ/Oh/Z7JjphjZSthxCcMVCMGE0Wk0i2rw6KG9EN1f8fbEKANcWQkZ/Pfdu+G+kOCZFRGlhcN5Wgz99qzQOEXXj00hyTN3GYbpRc7PDYqMj6D42wxVqyixj6QIngVNc+cFzQ31AceDM+A4TptAdOfnN3yubOjuEKJOpWMteT3e40VJuRi8FQr8bxmo4pY+7UokrZLrpZgkUbO3Y+WcAp9A= X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: From: Arnd Bergmann Rust code needs to be able to access _copy_from_user and _copy_to_user so that it can skip the check_copy_size check in cases where the length is known at compile-time, mirroring the logic for when C code will skip check_copy_size. To do this, we ensure that exported versions of these methods are available when CONFIG_RUST is enabled. Alice has verified that this patch passes the CONFIG_TEST_USER_COPY test on x86 using the Android cuttlefish emulator. Signed-off-by: Arnd Bergmann Tested-by: Alice Ryhl Reviewed-by: Boqun Feng Reviewed-by: Kees Cook Signed-off-by: Alice Ryhl Acked-by: Andrew Morton --- include/linux/uaccess.h | 46 ++++++++++++++++++++++++++++++++-------------- lib/usercopy.c | 30 ++++-------------------------- 2 files changed, 36 insertions(+), 40 deletions(-) diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h index 3064314f4832..d8e4105a2f21 100644 --- a/include/linux/uaccess.h +++ b/include/linux/uaccess.h @@ -5,6 +5,7 @@ #include #include #include +#include #include #include @@ -138,13 +139,26 @@ __copy_to_user(void __user *to, const void *from, unsigned long n) return raw_copy_to_user(to, from, n); } -#ifdef INLINE_COPY_FROM_USER +/* + * Architectures that #define INLINE_COPY_TO_USER use this function + * directly in the normal copy_to/from_user(), the other ones go + * through an extern _copy_to/from_user(), which expands the same code + * here. + * + * Rust code always uses the extern definition. + */ static inline __must_check unsigned long -_copy_from_user(void *to, const void __user *from, unsigned long n) +_inline_copy_from_user(void *to, const void __user *from, unsigned long n) { unsigned long res = n; might_fault(); if (!should_fail_usercopy() && likely(access_ok(from, n))) { + /* + * Ensure that bad access_ok() speculation will not + * lead to nasty side effects *after* the copy is + * finished: + */ + barrier_nospec(); instrument_copy_from_user_before(to, from, n); res = raw_copy_from_user(to, from, n); instrument_copy_from_user_after(to, from, n, res); @@ -153,14 +167,11 @@ _copy_from_user(void *to, const void __user *from, unsigned long n) memset(to + (n - res), 0, res); return res; } -#else extern __must_check unsigned long _copy_from_user(void *, const void __user *, unsigned long); -#endif -#ifdef INLINE_COPY_TO_USER static inline __must_check unsigned long -_copy_to_user(void __user *to, const void *from, unsigned long n) +_inline_copy_to_user(void __user *to, const void *from, unsigned long n) { might_fault(); if (should_fail_usercopy()) @@ -171,25 +182,32 @@ _copy_to_user(void __user *to, const void *from, unsigned long n) } return n; } -#else extern __must_check unsigned long _copy_to_user(void __user *, const void *, unsigned long); -#endif static __always_inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n) { - if (check_copy_size(to, n, false)) - n = _copy_from_user(to, from, n); - return n; + if (!check_copy_size(to, n, false)) + return n; +#ifdef INLINE_COPY_FROM_USER + return _inline_copy_from_user(to, from, n); +#else + return _copy_from_user(to, from, n); +#endif } static __always_inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n) { - if (check_copy_size(from, n, true)) - n = _copy_to_user(to, from, n); - return n; + if (!check_copy_size(from, n, true)) + return n; + +#ifdef INLINE_COPY_TO_USER + return _inline_copy_to_user(to, from, n); +#else + return _copy_to_user(to, from, n); +#endif } #ifndef copy_mc_to_kernel diff --git a/lib/usercopy.c b/lib/usercopy.c index 499a7a7d54db..7b17b83c8042 100644 --- a/lib/usercopy.c +++ b/lib/usercopy.c @@ -12,40 +12,18 @@ /* out-of-line parts */ -#ifndef INLINE_COPY_FROM_USER +#if !defined(INLINE_COPY_FROM_USER) || defined(CONFIG_RUST) unsigned long _copy_from_user(void *to, const void __user *from, unsigned long n) { - unsigned long res = n; - might_fault(); - if (!should_fail_usercopy() && likely(access_ok(from, n))) { - /* - * Ensure that bad access_ok() speculation will not - * lead to nasty side effects *after* the copy is - * finished: - */ - barrier_nospec(); - instrument_copy_from_user_before(to, from, n); - res = raw_copy_from_user(to, from, n); - instrument_copy_from_user_after(to, from, n, res); - } - if (unlikely(res)) - memset(to + (n - res), 0, res); - return res; + return _inline_copy_from_user(to, from, n); } EXPORT_SYMBOL(_copy_from_user); #endif -#ifndef INLINE_COPY_TO_USER +#if !defined(INLINE_COPY_TO_USER) || defined(CONFIG_RUST) unsigned long _copy_to_user(void __user *to, const void *from, unsigned long n) { - might_fault(); - if (should_fail_usercopy()) - return n; - if (likely(access_ok(to, n))) { - instrument_copy_to_user(to, from, n); - n = raw_copy_to_user(to, from, n); - } - return n; + return _inline_copy_to_user(to, from, n); } EXPORT_SYMBOL(_copy_to_user); #endif