On Thu, Apr 02, 2020 at 07:03:28PM +0200, Christophe Leroy wrote: > user_access_begin() grants both read and write. > > This patch adds user_read_access_begin() and user_write_access_begin() but > it doesn't remove user_access_begin()
Ouch... So the most generic name is for the rarest case? > > What should we do about that? Do we prohibit such blocks outside > > of arch? > > > > What should we do about arm and s390? There we want a cookie passed > > from beginning of block to its end; should that be a return value? > > That was the way I implemented it in January, see > https://patchwork.ozlabs.org/patch/1227926/ > > There was some discussion around that and most noticeable was: > > H. Peter (hpa) said about it: "I have *deep* concern with carrying state in > a "key" variable: it's a direct attack vector for a crowbar attack, > especially since it is by definition live inside a user access region." > This patch minimises the change by just adding user_read_access_begin() and > user_write_access_begin() keeping the same parameters as the existing > user_access_begin(). Umm... What about the arm situation? The same concerns would apply there, wouldn't they? Currently we have static __always_inline unsigned int uaccess_save_and_enable(void) { #ifdef CONFIG_CPU_SW_DOMAIN_PAN unsigned int old_domain = get_domain(); /* Set the current domain access to permit user accesses */ set_domain((old_domain & ~domain_mask(DOMAIN_USER)) | domain_val(DOMAIN_USER, DOMAIN_CLIENT)); return old_domain; #else return 0; #endif } and static __always_inline void uaccess_restore(unsigned int flags) { #ifdef CONFIG_CPU_SW_DOMAIN_PAN /* Restore the user access mask */ set_domain(flags); #endif } How much do we need nesting on those, anyway? rmk?
