Re: [patch V5 07/12] uaccess: Provide scoped user access regions

[patch V5 00/12] uaccess: Provide and use scopes for user access · Thomas Gleixner <hidden> · 2025-10-27
[patch V5 01/12] ARM: uaccess: Implement missing __get_user_asm_dword() · Thomas Gleixner <hidden> · 2025-10-27
Re: [patch V5 01/12] ARM: uaccess: Implement missing __get_user_asm_dword() · Mathieu Desnoyers <mathieu.desnoyers@efficios.com> · 2025-10-28
[patch V5 02/12] uaccess: Provide ASM GOTO safe wrappers for unsafe_*_user() · Thomas Gleixner <hidden> · 2025-10-27
Re: [patch V5 02/12] uaccess: Provide ASM GOTO safe wrappers for unsafe_*_user() · Andrew Cooper <hidden> · 2025-10-27
Re: [patch V5 02/12] uaccess: Provide ASM GOTO safe wrappers for unsafe_*_user() · Mathieu Desnoyers <mathieu.desnoyers@efficios.com> · 2025-10-28
Re: [patch V5 02/12] uaccess: Provide ASM GOTO safe wrappers for unsafe_*_user() · Yann Ylavic <hidden> · 2025-10-28
Re: [patch V5 02/12] uaccess: Provide ASM GOTO safe wrappers for unsafe_*_user() · Thomas Gleixner <hidden> · 2025-10-28
[patch V6 02/12] uaccess: Provide ASM GOTO safe wrappers for unsafe_*_user() · Thomas Gleixner <hidden> · 2025-10-29
Re: [patch V6 02/12] uaccess: Provide ASM GOTO safe wrappers for unsafe_*_user() · patchwork-bot+linux-riscv@kernel.org · 2025-12-19
Re: [patch V5 02/12] uaccess: Provide ASM GOTO safe wrappers for unsafe_*_user() · Christophe Leroy <hidden> · 2025-11-04
[patch V5 03/12] x86/uaccess: Use unsafe wrappers for ASM GOTO · Thomas Gleixner <hidden> · 2025-10-27
Re: [patch V5 03/12] x86/uaccess: Use unsafe wrappers for ASM GOTO · Mathieu Desnoyers <mathieu.desnoyers@efficios.com> · 2025-10-28
[patch V5 04/12] powerpc/uaccess: Use unsafe wrappers for ASM GOTO · Thomas Gleixner <hidden> · 2025-10-27
Re: [patch V5 04/12] powerpc/uaccess: Use unsafe wrappers for ASM GOTO · Mathieu Desnoyers <mathieu.desnoyers@efficios.com> · 2025-10-28
Re: [patch V5 04/12] powerpc/uaccess: Use unsafe wrappers for ASM GOTO · Christophe Leroy <hidden> · 2025-11-04
[patch V5 05/12] riscv/uaccess: Use unsafe wrappers for ASM GOTO · Thomas Gleixner <hidden> · 2025-10-27
Re: [patch V5 05/12] riscv/uaccess: Use unsafe wrappers for ASM GOTO · Mathieu Desnoyers <mathieu.desnoyers@efficios.com> · 2025-10-28
[patch V5 06/12] s390/uaccess: Use unsafe wrappers for ASM GOTO · Thomas Gleixner <hidden> · 2025-10-27
Re: [patch V5 06/12] s390/uaccess: Use unsafe wrappers for ASM GOTO · Mathieu Desnoyers <mathieu.desnoyers@efficios.com> · 2025-10-28
[patch V5 07/12] uaccess: Provide scoped user access regions · Thomas Gleixner <hidden> · 2025-10-27
Re: [patch V5 07/12] uaccess: Provide scoped user access regions · Mathieu Desnoyers <mathieu.desnoyers@efficios.com> · 2025-10-28
Re: [patch V5 07/12] uaccess: Provide scoped user access regions · Christophe Leroy <hidden> · 2025-11-04
Re: [patch V5 07/12] uaccess: Provide scoped user access regions · David Laight <hidden> · 2025-11-07
[patch V5 08/12] uaccess: Provide put/get_user_inline() · Thomas Gleixner <hidden> · 2025-10-27
Re: [patch V5 08/12] uaccess: Provide put/get_user_inline() · Mathieu Desnoyers <mathieu.desnoyers@efficios.com> · 2025-10-28
Re: [patch V5 08/12] uaccess: Provide put/get_user_inline() · Christophe Leroy <hidden> · 2025-11-04
[patch V5 09/12] [RFC] coccinelle: misc: Add scoped_masked_$MODE_access() checker script · Thomas Gleixner <hidden> · 2025-10-27
[patch V5 10/12] futex: Convert to get/put_user_inline() · Thomas Gleixner <hidden> · 2025-10-27
Re: [patch V5 10/12] futex: Convert to get/put_user_inline() · Mathieu Desnoyers <mathieu.desnoyers@efficios.com> · 2025-10-28
Re: [patch V5 10/12] futex: Convert to get/put_user_inline() · Thomas Gleixner <hidden> · 2025-10-28
Re: [patch V5 10/12] futex: Convert to get/put_user_inline() · Mathieu Desnoyers <mathieu.desnoyers@efficios.com> · 2025-10-28
Re: [patch V5 10/12] futex: Convert to get/put_user_inline() · Linus Torvalds <torvalds@linux-foundation.org> · 2025-10-28
Re: [patch V5 10/12] futex: Convert to get/put_user_inline() · Christophe Leroy <hidden> · 2025-11-04
[patch V5 11/12] x86/futex: Convert to scoped user access · Thomas Gleixner <hidden> · 2025-10-27
[patch V5 12/12] select: Convert to scoped user access · Thomas Gleixner <hidden> · 2025-10-27
Re: [patch V5 12/12] select: Convert to scoped user access · Mathieu Desnoyers <mathieu.desnoyers@efficios.com> · 2025-10-28
Re: [patch V5 12/12] select: Convert to scoped user access · Christophe Leroy <hidden> · 2025-11-04
Re: [patch V5 00/12] uaccess: Provide and use scopes for user access · Linus Torvalds <torvalds@linux-foundation.org> · 2025-10-27
Re: [patch V5 00/12] uaccess: Provide and use scopes for user access · Peter Zijlstra <peterz@infradead.org> · 2025-10-29
Re: [patch V5 00/12] uaccess: Provide and use scopes for user access · Peter Zijlstra <peterz@infradead.org> · 2025-11-03
Re: [patch V5 00/12] uaccess: Provide and use scopes for user access · Christophe Leroy <hidden> · 2025-11-04
Re: [patch V5 00/12] uaccess: Provide and use scopes for user access · patchwork-bot+linux-riscv@kernel.org · 2025-12-19

From: David Laight <hidden>
Date: 2025-11-07 19:18:04
Also in: linux-arm-kernel, linux-fsdevel, linux-riscv, linux-s390, lkml

On Mon, 27 Oct 2025 09:43:55 +0100 (CET)
Thomas Gleixner [off-list ref] wrote:

User space access regions are tedious and require similar code patterns all
over the place:

...

There have been issues with using the wrong user_*_access_end() variant in
the error path and other typical Copy&Pasta problems, e.g. using the wrong
fault label in the user accessor which ends up using the wrong accesss end
variant. 

These patterns beg for scopes with automatic cleanup. The resulting outcome
is:
    	scoped_user_read_access(from, Efault)
		unsafe_get_user(val, from, Efault);
	return 0;
  Efault:
	return -EFAULT;

The scope guarantees the proper cleanup for the access mode is invoked both
in the success and the failure (fault) path.

...

The code doesn't work if the 'from' (above) is 'const foo __user *from'.
Due to assigning away constness.

The changes below fix the build, I suspect the code is then correct.

...

+/* Define RW variant so the below _mode macro expansion works */
+#define masked_user_rw_access_begin(u)	masked_user_access_begin(u)
+#define user_rw_access_begin(u, s)	user_access_begin(u, s)
+#define user_rw_access_end()		user_access_end()
+
+/* Scoped user access */
+#define USER_ACCESS_GUARD(_mode)				\

#define USER_ACCESS_GUARD(_mode, void)
(but change all the void below to a different name...)

+static __always_inline void __user *				\
+class_user_##_mode##_begin(void __user *ptr)			\
+{								\
+	return ptr;						\
+}								\
+								\
+static __always_inline void					\
+class_user_##_mode##_end(void __user *ptr)			\
+{								\
+	user_##_mode##_access_end();				\
+}								\
+								\
+DEFINE_CLASS(user_ ##_mode## _access, void __user *,		\
+	     class_user_##_mode##_end(_T),			\
+	     class_user_##_mode##_begin(ptr), void __user *ptr)	\
+								\
+static __always_inline class_user_##_mode##_access_t		\
+class_user_##_mode##_access_ptr(void __user *scope)		\
+{								\
+	return scope;						\
+}
+
+USER_ACCESS_GUARD(read)
+USER_ACCESS_GUARD(write)
+USER_ACCESS_GUARD(rw)

USER_ACCESS_GUARD(read, const void)
USER_ACCESS_GUARD(write, void)
USER_ACCESS_GUARD(rw, void)

+#undef USER_ACCESS_GUARD

...

+#define __scoped_user_access(mode, uptr, size, elbl)					\
+for (bool done = false; !done; done = true)						\
+	for (void __user *_tmpptr = __scoped_user_access_begin(mode, uptr, size, elbl); \

	for (typeof(uptr) _tmpptr = ...

+	     !done; done = true)							\
+		for (CLASS(user_##mode##_access, scope)(_tmpptr); !done; done = true)	\
+			/* Force modified pointer usage within the scope */		\
+			for (const typeof(uptr) uptr = _tmpptr; !done; done = true)
+

	David

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help