Re: [PATCH v2 02/10] uaccess: Add speculation barrier to copy_from_user_iter()

From: David Laight
Date: Fri Aug 22 2025 - 14:53:26 EST


On Fri, 22 Aug 2025 09:46:37 -0400
Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:

> On Fri, 22 Aug 2025 at 05:58, Christophe Leroy
> <christophe.leroy@xxxxxxxxxx> wrote:
> >
> > The results of "access_ok()" can be mis-speculated. The result is that
> > you can end speculatively:
> >
> > if (access_ok(from, size))
> > // Right here
>
> I actually think that we should probably just make access_ok() itself do this.

You'd need to re-introduce the read/write parameter.
And you'd want it to be compile time.
Although going through the code changing them to read_access_ok()
and write_access_ok() would probably leave you with a lot fewer calls.

> We don't have *that* many users since we have been de-emphasizing the
> "check ahead of time" model, and any that are performance-critical can
> these days be turned into masked addresses.

Or aim to allocate a guard page on all archs, support 'masked' access
on all of them, and then just delete access_ok().
That'll make it look less ugly.
Perhaps not this week though :-)

David

>
> As it is, now we're in the situation that careful places - like
> _inline_copy_from_user(), and with your patch copy_from_user_iter() -
> do maybe wethis by hand and are ugly as a result, and lazy and
> probably incorrect places don't do it at all.
>
> That said, I don't object to this patch and maybe we should do that
> access_ok() change later and independently of any powerpc work.
>
> Linus