From: Linus Torvalds <torvalds@linux-foundation.org>
To: Catalin Marinas <catalin.marinas@arm.com>
Cc: Andrey Konovalov <andreyknvl@google.com>,
	Mark Rutland <mark.rutland@arm.com>,
	Kate Stewart <kstewart@linuxfoundation.org>,
	"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
	Will Deacon <will.deacon@arm.com>,
	Kostya Serebryany <kcc@google.com>,
	"open list:KERNEL SELFTEST FRAMEWORK"
	<linux-kselftest@vger.kernel.org>,
	cpandya@codeaurora.org, Shuah Khan <shuah@kernel.org>,
	Ingo Molnar <mingo@kernel.org>,
	linux-arch <linux-arch@vger.kernel.org>,
	Jacob Bramley <Jacob.Bramley@arm.com>,
	linux-arm-kernel <linux-arm-kernel@lists.infradead.org>,
	Evgenii Stepanov <eugenis@google.com>,
	Kees Cook <keescook@chromium.org>,
	Ruben.Ayrapetyan@arm.com,
	Ramana Radhakrishnan <Ramana.Radhakrishnan@arm.com>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Dmitry Vyukov <dvyukov@google.co>
Subject: Re: [PATCH v6 11/11] arm64: annotate user pointers casts detected by sparse
Date: Fri, 7 Sep 2018 09:30:35 -0700	[thread overview]
Message-ID: <CA+55aFzQ+ykLu10q3AdyaaKJx8SDWWL9Qiu6WH2jbN_ugRUTOg@mail.gmail.com> (raw)
In-Reply-To: <20180907152600.myidisza5o4kdmvf@armageddon.cambridge.arm.com>
On Fri, Sep 7, 2018 at 8:26 AM Catalin Marinas <catalin.marinas@arm.com> wrote:
>
> So it's not about casting to another pointer; it's rather about no
> longer using the value as a user pointer but as an actual (untyped,
> untagged) virtual address.
>
> There may be better options to address this but I haven't seen any
> concrete proposal so far. Or we could simply consider that we've found
> all places where it matters and not bother with any static analysis
> tools (but for the time being it's still worth investigating whether we
> can do better than this).
I actually originally wanted to have sparse not just check types, but
actually do transformations too, in order to check more.
For example, for just the user pointer case, we actually have two
wildy different kinds of user pointers: "checked" user pointers and
"wild" user pointers.
Most of the time it doesn't matter, but it does for the unsafe ones:
"__get_user()" and friends.
So long long ago I wanted sparse to not just do the completely static
type analysis, but also do actual "data flow" analysis where doing an
"access_on()" on a pointer would turn it from "wild" to "checked", and
then I could have warned about "hey, this function does __get_user(),
but the flow analysis shows that you passed it a pointer that had
never been checked".
But sparse never ended up doing that kind of much smarter things. Some
of the lock context stuff does it on a very small local level, and not
very well there either.
But it sounds like this is exactly what you guys would want for the
tagged pointers. Some functions can take a "wild" pointer, because
they deal with the tag part natively. And others need to be "checked"
and have gone through the cleaning and verification.
But sparse is sadly not the right tool for this, and having a single
"__user" address space is not sufficient. I guess for the arm64 case,
you really could make up a *new* address space: "__user_untagged", and
then have functions that convert from "void __user *" to "void
__user_untagged *", and then mark the functions that need the tag
removed as taking that new kind of user pointer.
And if you never mix types, that would actually work. But I'm guessing
you can also pass "__user_untagged" pointers to the regular user
access functions, and you do?
                  Linus
WARNING: multiple messages have this Message-ID (diff)
From: Linus Torvalds <torvalds@linux-foundation.org>
To: Catalin Marinas <catalin.marinas@arm.com>
Cc: Andrey Konovalov <andreyknvl@google.com>,
	Mark Rutland <mark.rutland@arm.com>,
	Kate Stewart <kstewart@linuxfoundation.org>,
	"open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
	Will Deacon <will.deacon@arm.com>,
	Kostya Serebryany <kcc@google.com>,
	"open list:KERNEL SELFTEST FRAMEWORK"
	<linux-kselftest@vger.kernel.org>,
	cpandya@codeaurora.org, Shuah Khan <shuah@kernel.org>,
	Ingo Molnar <mingo@kernel.org>,
	linux-arch <linux-arch@vger.kernel.org>,
	Jacob Bramley <Jacob.Bramley@arm.com>,
	linux-arm-kernel <linux-arm-kernel@lists.infradead.org>,
	Evgenii Stepanov <eugenis@google.com>,
	Kees Cook <keescook@chromium.org>,
	Ruben.Ayrapetyan@arm.com,
	Ramana Radhakrishnan <Ramana.Radhakrishnan@arm.com>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Dmitry Vyukov <dvyukov@google.com>, linux-mm <linux-mm@kvack.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Lee Smith <Lee.Smith@arm.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Robin Murphy <robin.murphy@arm.com>,
	"Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Subject: Re: [PATCH v6 11/11] arm64: annotate user pointers casts detected by sparse
Date: Fri, 7 Sep 2018 09:30:35 -0700	[thread overview]
Message-ID: <CA+55aFzQ+ykLu10q3AdyaaKJx8SDWWL9Qiu6WH2jbN_ugRUTOg@mail.gmail.com> (raw)
Message-ID: <20180907163035.-CE3W6FQqI9QlNX1qS3GNIPT-6cF-Kr6Sc1cdPcWd0g@z> (raw)
In-Reply-To: <20180907152600.myidisza5o4kdmvf@armageddon.cambridge.arm.com>
On Fri, Sep 7, 2018 at 8:26 AM Catalin Marinas <catalin.marinas@arm.com> wrote:
>
> So it's not about casting to another pointer; it's rather about no
> longer using the value as a user pointer but as an actual (untyped,
> untagged) virtual address.
>
> There may be better options to address this but I haven't seen any
> concrete proposal so far. Or we could simply consider that we've found
> all places where it matters and not bother with any static analysis
> tools (but for the time being it's still worth investigating whether we
> can do better than this).
I actually originally wanted to have sparse not just check types, but
actually do transformations too, in order to check more.
For example, for just the user pointer case, we actually have two
wildy different kinds of user pointers: "checked" user pointers and
"wild" user pointers.
Most of the time it doesn't matter, but it does for the unsafe ones:
"__get_user()" and friends.
So long long ago I wanted sparse to not just do the completely static
type analysis, but also do actual "data flow" analysis where doing an
"access_on()" on a pointer would turn it from "wild" to "checked", and
then I could have warned about "hey, this function does __get_user(),
but the flow analysis shows that you passed it a pointer that had
never been checked".
But sparse never ended up doing that kind of much smarter things. Some
of the lock context stuff does it on a very small local level, and not
very well there either.
But it sounds like this is exactly what you guys would want for the
tagged pointers. Some functions can take a "wild" pointer, because
they deal with the tag part natively. And others need to be "checked"
and have gone through the cleaning and verification.
But sparse is sadly not the right tool for this, and having a single
"__user" address space is not sufficient. I guess for the arm64 case,
you really could make up a *new* address space: "__user_untagged", and
then have functions that convert from "void __user *" to "void
__user_untagged *", and then mark the functions that need the tag
removed as taking that new kind of user pointer.
And if you never mix types, that would actually work. But I'm guessing
you can also pass "__user_untagged" pointers to the regular user
access functions, and you do?
                  Linus
next prev parent reply	other threads:[~2018-09-07 16:30 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-08-30 11:41 [PATCH v6 00/11] arm64: untag user pointers passed to the kernel Andrey Konovalov
2018-08-30 11:41 ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 01/11] arm64: add type casts to untagged_addr macro Andrey Konovalov
2018-08-30 11:41   ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 02/11] uaccess: add untagged_addr definition for other arches Andrey Konovalov
2018-08-30 11:41   ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 03/11] arm64: untag user addresses in access_ok and __uaccess_mask_ptr Andrey Konovalov
2018-08-30 11:41   ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 04/11] mm, arm64: untag user addresses in mm/gup.c Andrey Konovalov
2018-08-30 11:41   ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 05/11] lib, arm64: untag addrs passed to strncpy_from_user and strnlen_user Andrey Konovalov
2018-08-30 11:41   ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 06/11] arm64: untag user address in __do_user_fault Andrey Konovalov
2018-08-30 11:41   ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 07/11] fs, arm64: untag user address in copy_mount_options Andrey Konovalov
2018-08-30 11:41   ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 08/11] usb, arm64: untag user addresses in devio Andrey Konovalov
2018-08-30 11:41   ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 09/11] arm64: update Documentation/arm64/tagged-pointers.txt Andrey Konovalov
2018-08-30 11:41   ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 10/11] selftests, arm64: add a selftest for passing tagged pointers to kernel Andrey Konovalov
2018-08-30 11:41   ` Andrey Konovalov
2018-08-30 11:41 ` [PATCH v6 11/11] arm64: annotate user pointers casts detected by sparse Andrey Konovalov
2018-08-30 11:41   ` Andrey Konovalov
2018-08-31  8:11   ` Luc Van Oostenryck
2018-08-31  8:11     ` Luc Van Oostenryck
2018-08-31 13:42     ` Al Viro
2018-08-31 13:42       ` Al Viro
2018-09-03 12:34       ` Andrey Konovalov
2018-09-03 12:34         ` Andrey Konovalov
2018-09-03 13:49         ` Vincenzo Frascino
2018-09-03 13:49           ` Vincenzo Frascino
2018-09-03 15:10           ` Luc Van Oostenryck
2018-09-03 15:10             ` Luc Van Oostenryck
2018-09-04 11:27             ` Vincenzo Frascino
2018-09-04 11:27               ` Vincenzo Frascino
2018-09-05 19:03               ` Luc Van Oostenryck
2018-09-05 19:03                 ` Luc Van Oostenryck
2018-09-06 14:13                 ` Vincenzo Frascino
2018-09-06 14:13                   ` Vincenzo Frascino
2018-09-06 20:10                   ` Luc Van Oostenryck
2018-09-06 20:10                     ` Luc Van Oostenryck
2018-09-03 13:56         ` Al Viro
2018-09-03 13:56           ` Al Viro
2018-09-06 21:13   ` Linus Torvalds
2018-09-06 21:13     ` Linus Torvalds
2018-09-06 21:16     ` Linus Torvalds
2018-09-06 21:16       ` Linus Torvalds
2018-09-06 23:08       ` Luc Van Oostenryck
2018-09-06 23:08         ` Luc Van Oostenryck
2018-09-07 15:26       ` Catalin Marinas
2018-09-07 15:26         ` Catalin Marinas
2018-09-07 16:30         ` Linus Torvalds [this message]
2018-09-07 16:30           ` Linus Torvalds
2018-09-11 16:41           ` Catalin Marinas
2018-09-11 16:41             ` Catalin Marinas
2018-09-17 17:01             ` Andrey Konovalov
2018-09-17 17:01               ` Andrey Konovalov
2018-09-24 15:04               ` Andrey Konovalov
2018-09-24 15:04                 ` Andrey Konovalov
2018-09-28 17:50               ` Catalin Marinas
2018-09-28 17:50                 ` Catalin Marinas
2018-10-02 13:19                 ` Andrey Konovalov
2018-10-02 13:19                   ` Andrey Konovalov
2018-09-14  1:25   ` [LKP] [arm64] 7b5b51e7b3: kvm-unit-tests.rmap_chain.fail kernel test robot
2018-08-30 11:48 ` [PATCH v6 00/11] arm64: untag user pointers passed to the kernel Andrey Konovalov
2018-08-30 11:48   ` Andrey Konovalov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox
  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):
  git send-email \
    --in-reply-to=CA+55aFzQ+ykLu10q3AdyaaKJx8SDWWL9Qiu6WH2jbN_ugRUTOg@mail.gmail.com \
    --to=torvalds@linux-foundation.org \
    --cc=Jacob.Bramley@arm.com \
    --cc=Ramana.Radhakrishnan@arm.com \
    --cc=Ruben.Ayrapetyan@arm.com \
    --cc=andreyknvl@google.com \
    --cc=catalin.marinas@arm.com \
    --cc=cpandya@codeaurora.org \
    --cc=dvyukov@google.co \
    --cc=eugenis@google.com \
    --cc=kcc@google.com \
    --cc=keescook@chromium.org \
    --cc=kstewart@linuxfoundation.org \
    --cc=linux-arch@vger.kernel.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-kselftest@vger.kernel.org \
    --cc=mark.rutland@arm.com \
    --cc=mingo@kernel.org \
    --cc=shuah@kernel.org \
    --cc=viro@zeniv.linux.org.uk \
    --cc=will.deacon@arm.com \
    /path/to/YOUR_REPLY
  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
  Be sure your reply has a Subject: header at the top and a blank line
  before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).