[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 02/17] x86: split __{get,put}_user() into "guest" and "unsafe" variants

  • To: Jan Beulich <jbeulich@xxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Fri, 5 Feb 2021 17:18:51 +0100
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0bAEeOhfQmJAQk6Ge3ef0Q9NgE3gNZDzR1tRMu6dHu4=; b=A6YZ2mWwWFdvJpTZtQEZHexoV0L/PCsMEyaeVd+BTT8Dl1lF37JntSBgTRXMW92W+GFFPfEa0hiMpwpszkln/XTJN7cT/6ZsjDXdd/a07/Coke0Z7xPXVln5VvixI8+ZDz5BfYzaXpmZycE5LSDtXSn7yorQBHK7/hV8N9+QKuq2AYWWlcXRUy+5s4YejWbRFTdP5Eph3+Rd0XvC1HEOkyTFmZGk8Jq3JoL6BAKYJoATXciPOviNumwUezy5pj4zikOOum0C8zweEiMTbrQbq/UZvEfE/81f7F0t0rRNOOc0nfCkZoBEGm3OwfekzThFTZJbKG4qOD0drq/B2xsgcA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VFfexuSUFGqhlqKKm493rOYXGepCX9alzz2kCwV/AuQ9536jE3zEFWsj7znI3qUVzgLsrOXk71RKK7dO+kbO0msFiWwn80pNMiy5ZE44GpJ3V6HO1dmBvDIgy8478q6ay4emEDriDyCbkuYfyuONKcNilOITM4rq72ZiREi+jMnsLRZhU/x/izvhPbBajaYiCfJwEvODcxWH6+mcUZwpNrXY+XtdzO2F8xTFMcPBBCr2gzm/BuIbwhx7aPDvGZoeoYOZC7xDXfZHZoTasi/qnVNIs9RSxSCkbDGz06TB3hGDCd3pVpqgSdnLudeWDGmorFwcTkyqZHKzJpNOdOEVeA==
  • Authentication-results: esa1.hc3370-68.iphmx.com; dkim=pass (signature verified) header.i=@citrix.onmicrosoft.com
  • Cc: "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>, "Andrew Cooper" <andrew.cooper3@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Tim Deegan <tim@xxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>
  • Delivery-date: Fri, 05 Feb 2021 16:19:08 +0000
  • Ironport-sdr: NqSno6kXg1aMleDRpNHKPuxfL8+dHJV2A0YXlmbPUylHwJLN5ke/ZvnBhimVm9Z5GVvWQmpjEt TpWlYPNK85aVuxME6oNdlnfjO0vdvVZYlERa/HNj59cWh/jDsR7dawuTT19HCtDqza/UgAyIQI 4tsf7S1g+nSRT2hJp2e3Sa4EMsMdFP1AVq/7iOTCe317tZmdzEnvFXu5RlKWjxL7R/0jgEfnO5 wsyxNHj0On7ETbqww6M7EUyaoBrt5/DcE+m4QFICCZwKw8ZuJhfMVqBYf8qwop6iYX9gpOlJDg 8tE=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Fri, Feb 05, 2021 at 05:13:22PM +0100, Jan Beulich wrote:
> On 05.02.2021 16:43, Roger Pau Monné wrote:
> > On Thu, Jan 14, 2021 at 04:04:11PM +0100, Jan Beulich wrote:
> >> The "guest" variants are intended to work with (potentially) fully guest
> >> controlled addresses, while the "unsafe" variants are not.
> > 
> > Just to clarify, both work against user addresses, but guest variants
> > need to be more careful because the guest provided address can also be
> > modified?
> > 
> > I'm trying to understand the difference between "fully guest
> > controlled" and "guest controlled".
> Not exactly, not. "unsafe" means access to anything which may
> fault, guest controlled or not. do_invalid_op()'s reading of
> the insn stream is a good example - the faulting insn there
> isn't guest controlled at all, but we still want to be careful
> when trying to read these bytes, as we don't want to fully
> trust %rip there.

Would it make sense to threat everything as 'guest' accesses for the
sake of not having this difference?

I think having two accessors it's likely to cause confusion and could
possibly lead to the wrong one being used in unexpected contexts. Does
it add a too big performance penalty to always use the most
restrictive one?

Thanks, Roger.



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.