Re: [patch V4 07/12] uaccess: Provide scoped user access regions

Wed, 22 Oct 2025 07:20:31 -0700 

On Wed, 22 Oct 2025 14:49:10 +0200 (CEST)
Thomas Gleixner <[email protected]> wrote:

> User space access regions are tedious and require similar code patterns all
> over the place:
> 
>       if (!user_read_access_begin(from, sizeof(*from)))
>               return -EFAULT;
>       unsafe_get_user(val, from, Efault);
>       user_read_access_end();
>       return 0;
> Efault:
>       user_read_access_end();
>       return -EFAULT;
> 
> This got worse with the recent addition of masked user access, which
> optimizes the speculation prevention:
> 
>       if (can_do_masked_user_access())
>               from = masked_user_read_access_begin((from));
>       else if (!user_read_access_begin(from, sizeof(*from)))
>               return -EFAULT;
>       unsafe_get_user(val, from, Efault);
>       user_read_access_end();
>       return 0;
> Efault:
>       user_read_access_end();
>       return -EFAULT;
> 
> There have been issues with using the wrong user_*_access_end() variant in
> the error path and other typical Copy&Pasta problems, e.g. using the wrong
> fault label in the user accessor which ends up using the wrong accesss end
> variant. 
> 
> These patterns beg for scopes with automatic cleanup. The resulting outcome
> is:
>       scoped_user_read_access(from, Efault)
>               unsafe_get_user(val, from, Efault);
>       return 0;
>   Efault:
>       return -EFAULT;
> 
> The scope guarantees the proper cleanup for the access mode is invoked both
> in the success and the failure (fault) path.
> 
> The scoped_user_$MODE_access() macros are implemented as self terminating
> nested for() loops. Thanks to Andrew Cooper for pointing me at them. The
> scope can therefore be left with 'break', 'goto' and 'return'.  Even
> 'continue' "works" due to the self termination mechanism.

I think that 'feature' should be marked as a 'bug', consider code like:
        for (; len >= sizeof (*uaddr); uaddr++; len -= sizeof (*uaddr)) {
                scoped_user_read_access(uaddr, Efault) {
                        int frag_len;
                        unsafe_get_user(frag_len, &uaddr->len, Efault);
                        if (!frag_len)
                                break;
                        ...
                }
                ...
        }

The expectation would be that the 'break' applies to the visible 'for' loop.
But you need a 'goto' to escape from the visible loop.

Someone who groks the static checkers might want to try to detect
continue/break in those loops.

        David

Reply via email to