Re: [PATCH net-next] net: datagram: Bypass usercopy checks for kernel iterators
From: Paolo Abeni <pabeni@redhat.com>
Date: 2026-03-03 09:42:32
Also in:
linux-fsdevel
On 2/25/26 5:25 PM, Chuck Lever wrote:
> From: Chuck Lever <redacted>
>
> Profiling NFSD under an iozone workload showed that hardened usercopy
> checks consume roughly 1.3% of CPU in the TCP receive path. These
> checks validate memory regions during copies, but provide no security
> benefit when both source (skb data) and destination (kernel pages in
> BVEC/KVEC iterators) reside in kernel address space.

Are you sure? AFAICS:

size_t copy_from_iter(void *addr, size_t bytes, struct iov_iter *i)
{
	if (check_copy_size(addr, bytes, false))
		return _copy_from_iter(addr, bytes, i);

calls check_copy_size() on the source address, and the latter:

static __always_inline __must_check bool
check_copy_size(const void *addr, size_t bytes, bool is_source)
{
	int sz = __builtin_object_size(addr, 0);
	if (unlikely(sz >= 0 && sz < bytes)) {
		if (!__builtin_constant_p(bytes))
			copy_overflow(sz, bytes);
		else if (is_source)
			__bad_copy_from();
		else
			__bad_copy_to();
		return false;
	}
	if (WARN_ON_ONCE(bytes > INT_MAX))
		return false;

Validates vs overflow regardless of the source address being in kernel
space or user-space.
FTR, I also observe a relevant overhead in check_copy_size(), especially
for oldish CPUs.
/P
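
Added example, not part of the original mail and not kernel code: a user-space model of the check_copy_size() logic quoted above, showing which copies it refuses and which it lets through when the compiler cannot determine the object size. copy_size_ok(), CHECK_COPY_SIZE(), opaque() and the four demo functions are hypothetical names, and the buffer sizes are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper modelling the decision in check_copy_size():
 * returns 1 if the copy may proceed, 0 if it is refused. */
static int copy_size_ok(size_t objsz, size_t bytes)
{
	int sz = (int)objsz;	/* (size_t)-1 ("unknown") becomes -1, as in the kernel */

	if (sz >= 0 && (size_t)sz < bytes)
		return 0;	/* object is provably smaller than the copy */
	if (bytes > INT_MAX)
		return 0;	/* the kernel wraps this test in WARN_ON_ONCE() */
	return 1;
}

/* Evaluate the builtin at the call site, which is what __always_inline
 * achieves for the kernel function. */
#define CHECK_COPY_SIZE(addr, bytes) \
	copy_size_ok(__builtin_object_size((addr), 0), (bytes))

/* Pass a pointer through a volatile so the compiler cannot prove its size. */
static char *opaque(char *p)
{
	char *volatile hide = p;
	return hide;
}

/* Constructed cases; no copy is performed, only the size check is evaluated. */
int known_fits(void)     { char buf[16]; return CHECK_COPY_SIZE(buf, 16); }
int known_overflow(void) { char buf[16]; return CHECK_COPY_SIZE(buf, 17); }
int unknown_size(void)   { char buf[16]; char *p = opaque(buf);
			   return CHECK_COPY_SIZE(p, 64); }
int huge_length(void)    { char buf[16]; char *p = opaque(buf);
			   return CHECK_COPY_SIZE(p, (size_t)INT_MAX + 1); }

int main(void)
{
	printf("known object, 16 bytes:       %d\n", known_fits());
	printf("known object, 17 bytes:       %d\n", known_overflow());
	printf("unknown object, 64 bytes:     %d\n", unknown_size());
	printf("unknown object, INT_MAX + 1:  %d\n", huge_length());
	return 0;
}
```

The model only looks at the compiler-known object size and the byte count; it never inspects which address space the pointer refers to.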