Date: Sun, 22 Jun 2025 21:18:55 +0100
From: David Laight
To: Linus Torvalds
Cc: Christophe Leroy, Michael Ellerman, Nicholas Piggin, Naveen N Rao, Madhavan Srinivasan, Alexander Viro, Christian Brauner, Jan Kara, Thomas Gleixner, Ingo Molnar, Peter Zijlstra, Darren Hart, Davidlohr Bueso, Andre Almeida, Andrew Morton, Dave Hansen, linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org
Subject: Re: [PATCH 2/5] uaccess: Add speculation barrier to copy_from_user_iter()
Message-ID: <20250622211855.7e5b97ab@pumpkin>

On Sun, 22 Jun 2025 09:57:20 -0700
Linus Torvalds wrote:

> On Sun, 22 Jun 2025 at 02:52, Christophe Leroy
> wrote:
> >
> > The results of "access_ok()" can be mis-speculated.
>
> Hmm. This code is critical. I think it should be converted to use that
> masked address thing if we have to add it here.

If access_ok() is mis-speculated then you get a read from the user-specified
kernel address - I don't think that matters.
The hacker would need to find somewhere where the read value was used in
a test or memory access so that side effects (typically cache line evictions)
can be detected.
But copy_from_user_iter() is pretty much always used for 'data' not
'control plane' - so you'd be hard pushed to find somewhere 'useful'.

Not only that the cpu would have to return from copy_from_user_iter()
before correcting the mis-speculation.
I can't imagine that happening - even without all the 'return thunk' stuff.

The same might be true for copy_from_user().
It might only be get_user() that actually has any chance of being exploited.

>
> And at some point this access_ok() didn't even exist, because we check
> the addresses at iter creation time. So this one might be a "belt and
> suspenders" check, rather than something critical.

IIRC there was a patch to move the access_ok() much nearer the use copy.
But it didn't go as far as removing the one from import_iovec().
Although removing that one might make sense.
(I've also looked about whether the 'direction' is needed in the 'iter'.
98% of the code knows what it should be - and may contain pointless
checks, but some bits seem to rely on it.)

	David

>
> (Although I also suspect that when we added ITER_UBUF we might have
> created cases where those user addresses aren't checked at iter
> creation time any more).
>
>              Linus
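
An added illustration (not code from this thread or from the kernel): a user-space C model of the difference between a branch-based `access_ok()` check, which can be mis-speculated, and the "masked address" approach mentioned in the quoted reply. `MODEL_USER_MAX`, the function names and the `mispredict` flag are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed limit for this model: highest address treated as user space. */
#define MODEL_USER_MAX UINT64_C(0x00007fffffffffff)

/* access_ok()-shaped range check: the result feeds a conditional branch. */
static int model_access_ok(uint64_t addr, uint64_t len)
{
    return len <= MODEL_USER_MAX && addr <= MODEL_USER_MAX - len;
}

/* Branchless clamp: an out-of-range address becomes all ones through a data
 * dependency, so there is no branch to mispredict. A C compiler may still
 * emit a branch for the comparison; real implementations use
 * architecture-specific code to rule that out. */
static uint64_t model_mask_addr(uint64_t addr)
{
    uint64_t bad = UINT64_C(0) - (uint64_t)(addr > MODEL_USER_MAX);
    return addr | bad;
}

/* Address a load is issued to when protected only by the branch.
 * mispredict=1 models the CPU running ahead as if the check had passed.
 * Returns 0 when no load is issued. */
static uint64_t load_addr_branch(uint64_t addr, uint64_t len, int mispredict)
{
    if (model_access_ok(addr, len) || mispredict)
        return addr;
    return 0;
}

/* Address a load is issued to when the pointer is masked first: the mask is
 * applied on every path, so the prediction no longer matters. */
static uint64_t load_addr_masked(uint64_t addr, int mispredict)
{
    (void)mispredict;
    return model_mask_addr(addr);
}

int main(void)
{
    uint64_t kaddr = UINT64_C(0xffff888000001000); /* constructed kernel-half address */
    printf("branch, mispredicted: %#llx\n",
           (unsigned long long)load_addr_branch(kaddr, 8, 1));
    printf("masked, mispredicted: %#llx\n",
           (unsigned long long)load_addr_masked(kaddr, 1));
    return 0;
}
```

In the model, the branch-only path hands the caller-supplied kernel-half address to the load when mispredicted, while the masked path yields an all-ones address on every path.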