On Tue, Jun 02, 2020 at 04:45:05AM -0400, Michael S. Tsirkin wrote:
So vhost needs to poke at userspace *a lot* in a quick succession. ItBTW, what are you going to do about vq->iotlb != NULL case? Because
is thus benefitial to enable userspace access, do our thing, then
disable. Except access_ok has already been pre-validated with all the
relevant nospec checks, so we don't need that. Add an API to allow
userspace access after access_ok and barrier_nospec are done.
you sure as hell do *NOT* want e.g. translate_desc() under STAC.
Disable it around the calls of translate_desc()?
How widely do you hope to stretch the user_access areas, anyway?
BTW, speaking of possible annotations: looks like there's a large
subset of call graph that can be reached only from vhost_worker()
or from several ioctls, with all uaccess limited to that subgraph
(thankfully). Having that explicitly marked might be a good idea...
Unrelated question, while we are at it: is there any point having
vhost_get_user() a polymorphic macro? In all callers the third
argument is __virtio16 __user * and the second one is an explicit
*<something> where <something> is __virtio16 *. Similar for
vhost_put_user(): in all callers the third arugment is
__virtio16 __user * and the second - cpu_to_vhost16(vq, something).
Incidentally, who had come up with the name __vhost_get_user?
Makes for lovey WTF moment for readers - esp. in vhost_put_user()...