From: Catalin Marinas <catalin.marinas@arm.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mark Rutland <mark.rutland@arm.com>,
Kate Stewart <kstewart@linuxfoundation.org>,
"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
Will Deacon <will.deacon@arm.com>, linux-mm <linux-mm@kvack.org>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@vger.kernel.org>,
cpandya@codeaurora.org, Shuah Khan <shuah@kernel.org>,
Ingo Molnar <mingo@kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
Jacob Bramley <Jacob.Bramley@arm.com>,
linux-arm-kernel <linux-arm-kernel@lists.infradead.org>,
Evgenii Stepanov <eugenis@google.com>,
Kees Cook <keescook@chromium.org>,
Ruben.Ayrapetyan@arm.com,
Andrey Konovalov <andreyknvl@google.com>,
Lee Smith <Lee.Smith@arm.com>, Al Viro <viro@zeniv.linux.org.uk>,
Dmitry Vyukov <dvyukov@google.com>,
Kostya
Subject: Re: [PATCH v6 11/11] arm64: annotate user pointers casts detected by sparse
Date: Tue, 11 Sep 2018 17:41:53 +0100 [thread overview]
Message-ID: <20180911164152.GA29166@arrakis.emea.arm.com> (raw)
In-Reply-To: <CA+55aFzQ+ykLu10q3AdyaaKJx8SDWWL9Qiu6WH2jbN_ugRUTOg@mail.gmail.com>
Hi Linus,
On Fri, Sep 07, 2018 at 09:30:35AM -0700, Linus Torvalds wrote:
> On Fri, Sep 7, 2018 at 8:26 AM Catalin Marinas <catalin.marinas@arm.com> wrote:
> > So it's not about casting to another pointer; it's rather about no
> > longer using the value as a user pointer but as an actual (untyped,
> > untagged) virtual address.
[...]
> I actually originally wanted to have sparse not just check types, but
> actually do transformations too, in order to check more.
[...]
> But it sounds like this is exactly what you guys would want for the
> tagged pointers. Some functions can take a "wild" pointer, because
> they deal with the tag part natively. And others need to be "checked"
> and have gone through the cleaning and verification.
>
> But sparse is sadly not the right tool for this, and having a single
> "__user" address space is not sufficient. I guess for the arm64 case,
> you really could make up a *new* address space: "__user_untagged", and
> then have functions that convert from "void __user *" to "void
> __user_untagged *", and then mark the functions that need the tag
> removed as taking that new kind of user pointer.
Fortunately, most (all) functions taking a __user pointer can cope with
tagged pointers since they never dereference the pointer directly but
pass it through uaccess functions (which can access tagged pointers
without untagging). The problem appears when the pointer is no longer
used for access but converted to a long for other uses like rbtree
look-up, so not actually dereferenced. Such conversion, in a few cases,
needs to lose the tag.
Of course, there are lots of void __user * conversions to long where
removing the tag is not always the right thing or required (hence the
__force annotations in this patchset).
As Luc mentioned in this thread, we can consider that __user pointers
are always tagged. What I think we'd need is a few annotations where
ulong must be an __untagged address (and I guess in smaller numbers than
the __force ones proposed here). For example we can allow
get_user_pages() to get an (ulong)(void __user *) conversion but
find_vma() would only take an (unsigned long __untagged) argument. Such
attribute conversion would be handled by an untagged_addr() macro. So we
move the detection problem from pointer conversion to an ulong (tagged
by default) to ulong __untagged conversion (I'm not sure sparse can do
this).
That's slightly different than trying to identify all the __user ptr to
long conversions but, as you said, it's probably not a complete solution
anyway and with lots of __force annotations throughout the kernel.
--
Catalin
WARNING: multiple messages have this Message-ID (diff)
From: Catalin Marinas <catalin.marinas@arm.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mark Rutland <mark.rutland@arm.com>,
Kate Stewart <kstewart@linuxfoundation.org>,
"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
Will Deacon <will.deacon@arm.com>, linux-mm <linux-mm@kvack.org>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@vger.kernel.org>,
cpandya@codeaurora.org, Shuah Khan <shuah@kernel.org>,
Ingo Molnar <mingo@kernel.org>,
linux-arch <linux-arch@vger.kernel.org>,
Jacob Bramley <Jacob.Bramley@arm.com>,
linux-arm-kernel <linux-arm-kernel@lists.infradead.org>,
Evgenii Stepanov <eugenis@google.com>,
Kees Cook <keescook@chromium.org>,
Ruben.Ayrapetyan@arm.com,
Andrey Konovalov <andreyknvl@google.com>,
Lee Smith <Lee.Smith@arm.com>, Al Viro <viro@zeniv.linux.org.uk>,
Dmitry Vyukov <dvyukov@google.com>,
Kostya Serebryany <kcc@google.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Ramana Radhakrishnan <Ramana.Radhakrishnan@arm.com>,
Andrew Morton <akpm@linux-foundation.org>,
Robin Murphy <robin.murphy@arm.com>,
"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Subject: Re: [PATCH v6 11/11] arm64: annotate user pointers casts detected by sparse
Date: Tue, 11 Sep 2018 17:41:53 +0100 [thread overview]
Message-ID: <20180911164152.GA29166@arrakis.emea.arm.com> (raw)
Message-ID: <20180911164153.dCYZ7ArJphlw0k1CfbvUgFEQgok0Ql3fyZpP_pSfV5A@z> (raw)
In-Reply-To: <CA+55aFzQ+ykLu10q3AdyaaKJx8SDWWL9Qiu6WH2jbN_ugRUTOg@mail.gmail.com>
Hi Linus,
On Fri, Sep 07, 2018 at 09:30:35AM -0700, Linus Torvalds wrote:
> On Fri, Sep 7, 2018 at 8:26 AM Catalin Marinas <catalin.marinas@arm.com> wrote:
> > So it's not about casting to another pointer; it's rather about no
> > longer using the value as a user pointer but as an actual (untyped,
> > untagged) virtual address.
[...]
> I actually originally wanted to have sparse not just check types, but
> actually do transformations too, in order to check more.
[...]
> But it sounds like this is exactly what you guys would want for the
> tagged pointers. Some functions can take a "wild" pointer, because
> they deal with the tag part natively. And others need to be "checked"
> and have gone through the cleaning and verification.
>
> But sparse is sadly not the right tool for this, and having a single
> "__user" address space is not sufficient. I guess for the arm64 case,
> you really could make up a *new* address space: "__user_untagged", and
> then have functions that convert from "void __user *" to "void
> __user_untagged *", and then mark the functions that need the tag
> removed as taking that new kind of user pointer.
Fortunately, most (all) functions taking a __user pointer can cope with
tagged pointers since they never dereference the pointer directly but
pass it through uaccess functions (which can access tagged pointers
without untagging). The problem appears when the pointer is no longer
used for access but converted to a long for other uses like rbtree
look-up, so not actually dereferenced. Such conversion, in a few cases,
needs to lose the tag.
Of course, there are lots of void __user * conversions to long where
removing the tag is not always the right thing or required (hence the
__force annotations in this patchset).
As Luc mentioned in this thread, we can consider that __user pointers
are always tagged. What I think we'd need is a few annotations where
ulong must be an __untagged address (and I guess in smaller numbers than
the __force ones proposed here). For example we can allow
get_user_pages() to get an (ulong)(void __user *) conversion but
find_vma() would only take an (unsigned long __untagged) argument. Such
attribute conversion would be handled by an untagged_addr() macro. So we
move the detection problem from pointer conversion to an ulong (tagged
by default) to ulong __untagged conversion (I'm not sure sparse can do
this).
That's slightly different than trying to identify all the __user ptr to
long conversions but, as you said, it's probably not a complete solution
anyway and with lots of __force annotations throughout the kernel.
--
Catalin
next prev parent reply other threads:[~2018-09-11 16:41 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-30 11:41 [PATCH v6 00/11] arm64: untag user pointers passed to the kernel Andrey Konovalov
2018-08-30 11:41 ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 01/11] arm64: add type casts to untagged_addr macro Andrey Konovalov
2018-08-30 11:41 ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 02/11] uaccess: add untagged_addr definition for other arches Andrey Konovalov
2018-08-30 11:41 ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 03/11] arm64: untag user addresses in access_ok and __uaccess_mask_ptr Andrey Konovalov
2018-08-30 11:41 ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 04/11] mm, arm64: untag user addresses in mm/gup.c Andrey Konovalov
2018-08-30 11:41 ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 05/11] lib, arm64: untag addrs passed to strncpy_from_user and strnlen_user Andrey Konovalov
2018-08-30 11:41 ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 06/11] arm64: untag user address in __do_user_fault Andrey Konovalov
2018-08-30 11:41 ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 07/11] fs, arm64: untag user address in copy_mount_options Andrey Konovalov
2018-08-30 11:41 ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 08/11] usb, arm64: untag user addresses in devio Andrey Konovalov
2018-08-30 11:41 ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 09/11] arm64: update Documentation/arm64/tagged-pointers.txt Andrey Konovalov
2018-08-30 11:41 ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 10/11] selftests, arm64: add a selftest for passing tagged pointers to kernel Andrey Konovalov
2018-08-30 11:41 ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 11/11] arm64: annotate user pointers casts detected by sparse Andrey Konovalov
2018-08-30 11:41 ` Andrey Konovalov
2018-08-31 8:11 ` Luc Van Oostenryck
2018-08-31 8:11 ` Luc Van Oostenryck
2018-08-31 13:42 ` Al Viro
2018-08-31 13:42 ` Al Viro
2018-09-03 12:34 ` Andrey Konovalov
2018-09-03 12:34 ` Andrey Konovalov
2018-09-03 13:49 ` Vincenzo Frascino
2018-09-03 13:49 ` Vincenzo Frascino
2018-09-03 15:10 ` Luc Van Oostenryck
2018-09-03 15:10 ` Luc Van Oostenryck
2018-09-04 11:27 ` Vincenzo Frascino
2018-09-04 11:27 ` Vincenzo Frascino
2018-09-05 19:03 ` Luc Van Oostenryck
2018-09-05 19:03 ` Luc Van Oostenryck
2018-09-06 14:13 ` Vincenzo Frascino
2018-09-06 14:13 ` Vincenzo Frascino
2018-09-06 20:10 ` Luc Van Oostenryck
2018-09-06 20:10 ` Luc Van Oostenryck
2018-09-03 13:56 ` Al Viro
2018-09-03 13:56 ` Al Viro
2018-09-06 21:13 ` Linus Torvalds
2018-09-06 21:13 ` Linus Torvalds
2018-09-06 21:16 ` Linus Torvalds
2018-09-06 21:16 ` Linus Torvalds
2018-09-06 23:08 ` Luc Van Oostenryck
2018-09-06 23:08 ` Luc Van Oostenryck
2018-09-07 15:26 ` Catalin Marinas
2018-09-07 15:26 ` Catalin Marinas
2018-09-07 16:30 ` Linus Torvalds
2018-09-07 16:30 ` Linus Torvalds
2018-09-11 16:41 ` Catalin Marinas [this message]
2018-09-11 16:41 ` Catalin Marinas
2018-09-17 17:01 ` Andrey Konovalov
2018-09-17 17:01 ` Andrey Konovalov
2018-09-24 15:04 ` Andrey Konovalov
2018-09-24 15:04 ` Andrey Konovalov
2018-09-28 17:50 ` Catalin Marinas
2018-09-28 17:50 ` Catalin Marinas
2018-10-02 13:19 ` Andrey Konovalov
2018-10-02 13:19 ` Andrey Konovalov
2018-09-14 1:25 ` [LKP] [arm64] 7b5b51e7b3: kvm-unit-tests.rmap_chain.fail kernel test robot
2018-08-30 11:48 ` [PATCH v6 00/11] arm64: untag user pointers passed to the kernel Andrey Konovalov
2018-08-30 11:48 ` Andrey Konovalov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180911164152.GA29166@arrakis.emea.arm.com \
--to=catalin.marinas@arm.com \
--cc=Jacob.Bramley@arm.com \
--cc=Lee.Smith@arm.com \
--cc=Ruben.Ayrapetyan@arm.com \
--cc=andreyknvl@google.com \
--cc=cpandya@codeaurora.org \
--cc=dvyukov@google.com \
--cc=eugenis@google.com \
--cc=keescook@chromium.org \
--cc=kstewart@linuxfoundation.org \
--cc=linux-arch@vger.kernel.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mark.rutland@arm.com \
--cc=mingo@kernel.org \
--cc=shuah@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).