From: Mark Rutland <mark.rutland@arm.com>
To: Mark Brown <broonie@kernel.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>,
Will Deacon <will@kernel.org>,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, kernel test robot <lkp@intel.com>
Subject: Re: [PATCH] arm64/signal: Silence spurious sparse warning storing GCSPR_EL0
Date: Tue, 10 Dec 2024 16:35:57 +0000 [thread overview]
Message-ID: <Z1ht7X2LRw34pMJK@J2N7QTR9R3> (raw)
In-Reply-To: <20c12aac-193e-43ae-9418-39db1af4ede9@sirena.org.uk>
On Tue, Dec 10, 2024 at 03:44:29PM +0000, Mark Brown wrote:
> On Tue, Dec 10, 2024 at 02:48:48PM +0000, Mark Rutland wrote:
> > On Tue, Dec 10, 2024 at 12:42:53AM +0000, Mark Brown wrote:
> > > We are seeing a false postive sparse warning in gcs_restore_signal()
> > >
> > > arch/arm64/kernel/signal.c:1054:9: sparse: sparse: cast removes address space '__user' of expression
>
> > This isn't a false positive; this is a cross-address space cast that
> > sparse is accurately warning about. That might be *benign*, but the tool
> > is doing exactly what it is supposed to.
>
> The spuriousness is arguable, from my point of view it's spurious in
> that we don't have the type of the system register we're writing to.
All that I'm asking for here is a trivial rewording; make the title say
something like:
arm64/signal: Avoid sparse warning when manipulating GCSPR_EL0
... and in the commit message, say something like:
Sparse complains about the manipulation of the GCSPR_EL0 value in
gcs_restore_signal(), because we cast to/from the __user address space
without a __force cast. Silence this warning by ${DOING_THING}.
... which clearly explains what's actually going wrong, rather than
making spurious complaints about the tool that may mislead a reader of
the commit message.
> > > + write_sysreg_s((unsigned long)(gcspr_el0 + 1), SYS_GCSPR_EL0);
>
> > Only one line here wants a __user pointer, so wouldn't it be simpler to
> > pass 'gcspr_el0' as an integer type, and cast it at the point it's used
> > as an actual pointer, rather than the other way around?
>
> > Then you could also simplify gcs_restore_signal(), etc.
>
> I find it both safer and clearer to keep values which are userspace
> pointers as userspace pointers rather than working with them as
> integers, using integers just sets off alarm bells.
Having casts strewn throughout the code sets off more alarm bells for
me.
> > Similarly in map_shadow_stack(), it'd be simpler to treat cap_ptr as an
> > integer type.
>
> With map_shadow_stack() it's a bit of an issue with letting users
> specify a size but yeah, we could do better there.
I don't follow. The only place where size interacts with cap_ptr is when
we initialize cap_ptr, and there we're adding size to an integer type:
cap_ptr = (unsigned long __user *)(addr + size -
(cap_offset * sizeof(unsigned long)));
I was suggesting something along the lines of the diff below.
Mark.
diff --git a/arch/arm64/mm/gcs.c b/arch/arm64/mm/gcs.c
index 5c46ec527b1cd..096add5f2ddb2 100644
--- a/arch/arm64/mm/gcs.c
+++ b/arch/arm64/mm/gcs.c
@@ -71,10 +71,7 @@ unsigned long gcs_alloc_thread_stack(struct task_struct *tsk,
SYSCALL_DEFINE3(map_shadow_stack, unsigned long, addr, unsigned long, size, unsigned int, flags)
{
unsigned long alloc_size;
- unsigned long __user *cap_ptr;
- unsigned long cap_val;
int ret = 0;
- int cap_offset;
if (!system_supports_gcs())
return -EOPNOTSUPP;
@@ -106,17 +103,16 @@ SYSCALL_DEFINE3(map_shadow_stack, unsigned long, addr, unsigned long, size, unsi
* can be switched to.
*/
if (flags & SHADOW_STACK_SET_TOKEN) {
+ unsigned long cap_addr = addr + size - sizeof(unsigned long);
+ unsigned long cap_val;
+
/* Leave an extra empty frame as a top of stack marker? */
if (flags & SHADOW_STACK_SET_MARKER)
- cap_offset = 2;
- else
- cap_offset = 1;
+ cap_addr -= sizeof(unsigned long)
- cap_ptr = (unsigned long __user *)(addr + size -
- (cap_offset * sizeof(unsigned long)));
- cap_val = GCS_CAP(cap_ptr);
+ cap_val = GCS_CAP(cap_addr);
- put_user_gcs(cap_val, cap_ptr, &ret);
+ put_user_gcs(cap_val, (unsigned long __user *)cap_addr, &ret);
if (ret != 0) {
vm_munmap(addr, size);
return -EFAULT;
next prev parent reply other threads:[~2024-12-10 16:37 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-10 0:42 [PATCH] arm64/signal: Silence spurious sparse warning storing GCSPR_EL0 Mark Brown
2024-12-10 14:17 ` Catalin Marinas
2024-12-10 14:45 ` Mark Brown
2024-12-10 14:48 ` Mark Rutland
2024-12-10 15:44 ` Mark Brown
2024-12-10 16:35 ` Mark Rutland [this message]
2024-12-10 16:52 ` Mark Brown
2024-12-13 16:17 ` Catalin Marinas
2024-12-13 17:21 ` Mark Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z1ht7X2LRw34pMJK@J2N7QTR9R3 \
--to=mark.rutland@arm.com \
--cc=broonie@kernel.org \
--cc=catalin.marinas@arm.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lkp@intel.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.