Re: [git pull] uaccess-related bits of vfs.git

From: Linus Torvalds
Date: Sat May 13 2017 - 13:18:30 EST

Next message: Yury Norov: "[PATCH] arch: remove GENERIC_FIND_FIRST_BIT"
Previous message: Rob Landley: "Re: Is there an recommended way to refer to bitkeepr commits?"
In reply to: Al Viro: "Re: [git pull] uaccess-related bits of vfs.git"
Next in thread: Al Viro: "Re: [git pull] uaccess-related bits of vfs.git"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, May 13, 2017 at 10:00 AM, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
> On Sat, May 13, 2017 at 09:15:07AM -0700, Linus Torvalds wrote:
>> > IOW, we have
>> > * most of users in arch/* (heavily dominated by signal-related code,
>> > both loads and stores). Those need careful massage; maybe unsafe-based
>> > solution, maybe something else, but it's obviously per-architecture work
>> > and these paths are sensitive.
>>
>> Why are they sensitive?
>
> Because there we do have tons of back-to-back __get_user() (on sigreturn())
> or __put_user() (on signal setup).

It doesn't actually matter. Regular "put_user()" doesn't generate
noticeably worse code.

It's not a normal function call, it's still an inline asm - so it
basically generates the exact same code as __xyz_user(), except it's a
call to a fixed copy of the code.

So the only difference tends to be
(a) the extra call/ret instructions, possibly frame pointers
(b) fixed registers
(c) the added addr_limit checks

but (a) is cheap, and (b) isn't a big deal since with "asm volatile"
you can't re-order those things against each other anyway. So (b) ends
up being approximately the cost of "one extra lea instruction" for the
address generation that would otherwise be in the load/store
instruction.

And (c) is actually a reason *for* doing it. We've had bugs due to
people not getting it right.

So there really is basically no performance downside. Even with
consecutive uses. The code that uses a function call might even be
smaller (ie the 1.7kB savings isn't necessarily all in the out-of-line
exception handling cases: the stac/clac instructions are six bytes for
each use, so it more than makes up for the call instruction).

> x86 actually tends to use get_user_ex/put_user_ex instead.

Yes. Because anybody who *really* cared about performance will have
converted already. The real cost has been stac/clac for a few years
now.

So we pretty much know that none of the remaining users are really all
that critical. Certainly not "five cycles" kind of critical.

>> Anybody who *relies* on not checking the address_limit is so broken as
>> to be not even funny.
>
> Except for open-coded probe_kernel_read() somewhere in arch/*; I have not
> read through those 700+ callers, so I don't know if there's any such.

.. and those need to be fixed.

But I'm not seeing the point in wasting valuable human time in reading
through thousands of cases, when we can just automate it and see if
anything breaks.

Because it will break in a *safe* direction. You'll get an error from
bad uses that shouldn't have worked to begin with.

And some of the existing cases are just disgusting. There's no excuse
for compat code or for ioctl to use the "__" versions. That seems to
be the bulk of those uses too.

Linus

Next message: Yury Norov: "[PATCH] arch: remove GENERIC_FIND_FIRST_BIT"
Previous message: Rob Landley: "Re: Is there an recommended way to refer to bitkeepr commits?"
In reply to: Al Viro: "Re: [git pull] uaccess-related bits of vfs.git"
Next in thread: Al Viro: "Re: [git pull] uaccess-related bits of vfs.git"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]