* Dan Williams <dan.j.willi...@intel.com> wrote:
> Quoting Linus:
>
> I do think that it would be a good idea to very expressly document
> the fact that it's not that the user access itself is unsafe. I do
> agree that things like "get_user()" want to be protected, but not
> because of any direct bugs or problems with get_user() and friends,
> but simply because get_user() is an excellent source of a pointer
> that is obviously controlled from a potentially attacking user
> space. So it's a prime candidate for then finding _subsequent_
> accesses that can then be used to perturb the cache.
>
> '__uaccess_begin_nospec' covers '__get_user' and 'copy_from_iter' where
> the limit check is far away from the user pointer de-reference. In those
> cases an 'lfence' prevents speculation with a potential pointer to
> privileged memory.
(Same style comments as for the previous patches)
>
> Suggested-by: Linus Torvalds <torva...@linux-foundation.org>
> Suggested-by: Andi Kleen <a...@linux.intel.com>
> Cc: Al Viro <v...@zeniv.linux.org.uk>
> Cc: Kees Cook <keesc...@chromium.org>
> Cc: Thomas Gleixner <t...@linutronix.de>
> Cc: "H. Peter Anvin" <h...@zytor.com>
> Cc: Ingo Molnar <mi...@redhat.com>
> Cc: x...@kernel.org
> Signed-off-by: Dan Williams <dan.j.willi...@intel.com>
> ---
> arch/x86/include/asm/uaccess.h | 6 +++---
> arch/x86/include/asm/uaccess_32.h | 6 +++---
> arch/x86/include/asm/uaccess_64.h | 12 ++++++------
> arch/x86/lib/usercopy_32.c | 8 ++++----
> 4 files changed, 16 insertions(+), 16 deletions(-)
>
> diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
> index 626caf58183a..a930585fa3b5 100644
> --- a/arch/x86/include/asm/uaccess.h
> +++ b/arch/x86/include/asm/uaccess.h
> @@ -450,7 +450,7 @@ do {
> \
> ({ \
> int __gu_err; \
> __inttype(*(ptr)) __gu_val; \
> - __uaccess_begin(); \
> + __uaccess_begin_nospec(); \
> __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
> __uaccess_end(); \
> (x) = (__force __typeof__(*(ptr)))__gu_val; \
> @@ -557,7 +557,7 @@ struct __large_struct { unsigned long buf[100]; };
> * get_user_ex(...);
> * } get_user_catch(err)
> */
> -#define get_user_try uaccess_try
> +#define get_user_try uaccess_try_nospec
> #define get_user_catch(err) uaccess_catch(err)
>
> #define get_user_ex(x, ptr) do { \
> @@ -591,7 +591,7 @@ extern void __cmpxchg_wrong_size(void)
> __typeof__(ptr) __uval = (uval); \
> __typeof__(*(ptr)) __old = (old); \
> __typeof__(*(ptr)) __new = (new); \
> - __uaccess_begin(); \
> + __uaccess_begin_nospec(); \
> else
> n = __copy_user_intel(to, from, n);
> - clac();
> + __uaccess_end();
> return n;
> }
> EXPORT_SYMBOL(__copy_user_ll);
> @@ -344,7 +344,7 @@ EXPORT_SYMBOL(__copy_user_ll);
> unsigned long __copy_from_user_ll_nocache_nozero(void *to, const void __user
> *from,
> unsigned long n)
> {
> - stac();
> + __uaccess_begin_nospec();
> #ifdef CONFIG_X86_INTEL_USERCOPY
> if (n > 64 && static_cpu_has(X86_FEATURE_XMM2))
> n = __copy_user_intel_nocache(to, from, n);
> @@ -353,7 +353,7 @@ unsigned long __copy_from_user_ll_nocache_nozero(void
> *to, const void __user *fr
> #else
> __copy_user(to, from, n);
> #endif
> - clac();
> + __uaccess_end();
> return n;
> }
> EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
>
These three chunks appears to be unrelated changes changing open-coded clac()s
to
__uaccess_end() calls correctly: please split these out into a separate patch.
Thanks,
Ingo
