From: Julia Lawall <julia.lawall@inria.fr>
To: Thomas Gleixner <tglx@linutronix.de>
Cc: LKML <linux-kernel@vger.kernel.org>,
"Julia Lawall" <Julia.Lawall@inria.fr>,
"Nicolas Palix" <nicolas.palix@imag.fr>,
"kernel test robot" <lkp@intel.com>,
"Russell King" <linux@armlinux.org.uk>,
linux-arm-kernel@lists.infradead.org,
"Linus Torvalds" <torvalds@linux-foundation.org>,
x86@kernel.org, "Madhavan Srinivasan" <maddy@linux.ibm.com>,
"Michael Ellerman" <mpe@ellerman.id.au>,
"Nicholas Piggin" <npiggin@gmail.com>,
"Christophe Leroy" <christophe.leroy@csgroup.eu>,
linuxppc-dev@lists.ozlabs.org, "Paul Walmsley" <pjw@kernel.org>,
"Palmer Dabbelt" <palmer@dabbelt.com>,
linux-riscv@lists.infradead.org,
"Heiko Carstens" <hca@linux.ibm.com>,
"Christian Borntraeger" <borntraeger@linux.ibm.com>,
"Sven Schnelle" <svens@linux.ibm.com>,
linux-s390@vger.kernel.org,
"Mathieu Desnoyers" <mathieu.desnoyers@efficios.com>,
"Andrew Cooper" <andrew.cooper3@citrix.com>,
"Peter Zijlstra" <peterz@infradead.org>,
"Darren Hart" <dvhart@infradead.org>,
"Davidlohr Bueso" <dave@stgolabs.net>,
"André Almeida" <andrealmeid@igalia.com>,
"Alexander Viro" <viro@zeniv.linux.org.uk>,
"Christian Brauner" <brauner@kernel.org>,
"Jan Kara" <jack@suse.cz>,
linux-fsdevel@vger.kernel.org
Subject: Re: [patch V3 09/12] [RFC] coccinelle: misc: Add scoped_masked_$MODE_access() checker script
Date: Fri, 17 Oct 2025 18:51:31 +0800 (+08) [thread overview]
Message-ID: <46ea566b-6c42-a73-31da-ba15ed82aaf@inria.fr> (raw)
In-Reply-To: <20251017093030.378863263@linutronix.de>
On Fri, 17 Oct 2025, Thomas Gleixner wrote:
> A common mistake in user access code is that the wrong access mode is
> selected for starting the user access section. As most architectures map
> Read and Write modes to ReadWrite this goes often unnoticed for quite some
> time.
>
> Aside of that the scoped user access mechanism requires that the same
> pointer is used for the actual accessor macros that was handed in to start
> the scope because the pointer can be modified by the scope begin mechanism
> if the architecture supports masking.
>
> Add a basic (and incomplete) coccinelle script to check for the common
> issues. The error output is:
>
> kernel/futex/futex.h:303:2-17: ERROR: Invalid pointer for unsafe_put_user(p) in scoped_masked_user_write_access(to)
> kernel/futex/futex.h:292:2-17: ERROR: Invalid access mode unsafe_get_user() in scoped_masked_user_write_access()
>
> Not-Yet-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
> Cc: Julia Lawall <Julia.Lawall@inria.fr>
> Cc: Nicolas Palix <nicolas.palix@imag.fr>
> ---
> scripts/coccinelle/misc/scoped_uaccess.cocci | 108 +++++++++++++++++++++++++++
> 1 file changed, 108 insertions(+)
>
> --- /dev/null
> +++ b/scripts/coccinelle/misc/scoped_uaccess.cocci
> @@ -0,0 +1,108 @@
> +// SPDX-License-Identifier: GPL-2.0-only
> +/// Validate scoped_masked_user*access() scopes
> +///
> +// Confidence: Zero
> +// Options: --no-includes --include-headers
> +
> +virtual context
> +virtual report
> +virtual org
> +
> +@initialize:python@
> +@@
> +
> +scopemap = {
> + 'scoped_masked_user_read_access_size' : 'scoped_masked_user_read_access',
> + 'scoped_masked_user_write_access_size' : 'scoped_masked_user_write_access',
> + 'scoped_masked_user_rw_access_size' : 'scoped_masked_user_rw_access',
> +}
> +
> +# Most common accessors. Incomplete list
> +noaccessmap = {
> + 'scoped_masked_user_read_access' : ('unsafe_put_user', 'unsafe_copy_to_user'),
> + 'scoped_masked_user_write_access' : ('unsafe_get_user', 'unsafe_copy_from_user'),
> +}
> +
> +# Most common accessors. Incomplete list
> +ptrmap = {
> + 'unsafe_put_user' : 1,
> + 'unsafe_get_user' : 1,
> + 'unsafe_copy_to_user' : 0,
> + 'unsafe_copy_from_user' : 0,
> +}
> +
> +print_mode = None
> +
> +def pr_err(pos, msg):
> + if print_mode == 'R':
> + coccilib.report.print_report(pos[0], msg)
> + elif print_mode == 'O':
> + cocci.print_main(msg, pos)
> +
> +@r0 depends on report || org@
> +iterator name scoped_masked_user_read_access,
> + scoped_masked_user_read_access_size,
> + scoped_masked_user_write_access,
> + scoped_masked_user_write_access_size,
> + scoped_masked_user_rw_access,
> + scoped_masked_user_rw_access_size;
> +iterator scope;
> +statement S;
> +@@
> +
> +(
> +(
> +scoped_masked_user_read_access(...) S
> +|
> +scoped_masked_user_read_access_size(...) S
> +|
> +scoped_masked_user_write_access(...) S
> +|
> +scoped_masked_user_write_access_size(...) S
> +|
> +scoped_masked_user_rw_access(...) S
> +|
> +scoped_masked_user_rw_access_size(...) S
> +)
> +&
> +scope(...) S
> +)
> +
> +@script:python depends on r0 && report@
> +@@
> +print_mode = 'R'
> +
> +@script:python depends on r0 && org@
> +@@
> +print_mode = 'O'
> +
> +@r1@
> +expression sp, a0, a1;
> +iterator r0.scope;
> +identifier ac;
> +position p;
> +@@
> +
> + scope(sp,...) {
> + <+...
> + ac@p(a0, a1, ...);
> + ...+>
> + }
This will be more efficient and equally useful with <... ...>
Using + requires that there is at least one match, which has a cost.
julia
> +
> +@script:python@
> +pos << r1.p;
> +scope << r0.scope;
> +ac << r1.ac;
> +sp << r1.sp;
> +a0 << r1.a0;
> +a1 << r1.a1;
> +@@
> +
> +scope = scopemap.get(scope, scope)
> +if ac in noaccessmap.get(scope, []):
> + pr_err(pos, 'ERROR: Invalid access mode %s() in %s()' %(ac, scope))
> +
> +if ac in ptrmap:
> + ap = (a0, a1)[ptrmap[ac]]
> + if sp != ap.lstrip('&').split('->')[0].strip():
> + pr_err(pos, 'ERROR: Invalid pointer for %s(%s) in %s(%s)' %(ac, ap, scope, sp))
>
>
next prev parent reply other threads:[~2025-10-17 10:51 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-17 10:08 [patch V3 00/12] uaccess: Provide and use scopes for user masked access Thomas Gleixner
2025-10-17 10:08 ` [patch V3 01/12] ARM: uaccess: Implement missing __get_user_asm_dword() Thomas Gleixner
2025-10-17 12:36 ` Mathieu Desnoyers
2025-10-17 10:08 ` [patch V3 02/12] uaccess: Provide ASM GOTO safe wrappers for unsafe_*_user() Thomas Gleixner
2025-10-17 12:43 ` Mathieu Desnoyers
2025-10-17 12:48 ` Mathieu Desnoyers
2025-10-17 10:09 ` [patch V3 03/12] x86/uaccess: Use unsafe wrappers for ASM GOTO Thomas Gleixner
2025-10-17 10:09 ` [patch V3 04/12] powerpc/uaccess: " Thomas Gleixner
2025-10-17 10:09 ` [patch V3 05/12] riscv/uaccess: " Thomas Gleixner
2025-10-17 10:09 ` [patch V3 06/12] s390/uaccess: " Thomas Gleixner
2025-10-17 10:09 ` [patch V3 07/12] uaccess: Provide scoped masked user access regions Thomas Gleixner
2025-10-17 11:08 ` Andrew Cooper
2025-10-17 11:21 ` Thomas Gleixner
2025-10-17 11:29 ` Andrew Cooper
2025-10-17 11:25 ` Peter Zijlstra
2025-10-17 13:23 ` Mathieu Desnoyers
2025-10-20 18:28 ` David Laight
2025-10-21 14:29 ` Thomas Gleixner
2025-10-21 14:42 ` Thomas Gleixner
2025-10-21 20:52 ` David Laight
2025-10-21 14:44 ` Peter Zijlstra
2025-10-21 15:06 ` Linus Torvalds
2025-10-21 15:45 ` Thomas Gleixner
2025-10-21 15:51 ` Linus Torvalds
2025-10-21 18:55 ` David Laight
2025-10-17 10:09 ` [patch V3 08/12] uaccess: Provide put/get_user_masked() Thomas Gleixner
2025-10-17 13:41 ` Mathieu Desnoyers
2025-10-17 13:45 ` Mathieu Desnoyers
2025-10-20 6:50 ` Thomas Gleixner
2025-10-17 10:09 ` [patch V3 09/12] [RFC] coccinelle: misc: Add scoped_masked_$MODE_access() checker script Thomas Gleixner
2025-10-17 10:51 ` Julia Lawall [this message]
2025-10-17 10:09 ` [patch V3 10/12] futex: Convert to scoped masked user access Thomas Gleixner
2025-10-17 10:09 ` [patch V3 11/12] x86/futex: " Thomas Gleixner
2025-10-17 13:37 ` Andrew Cooper
2025-10-17 10:09 ` [patch V3 12/12] select: " Thomas Gleixner
2025-10-17 10:35 ` Peter Zijlstra
2025-10-17 11:12 ` Thomas Gleixner
2025-10-17 10:37 ` [patch V3 00/12] uaccess: Provide and use scopes for user masked access Peter Zijlstra
2025-10-17 10:50 ` Andrew Cooper
2025-10-17 12:25 ` Mathieu Desnoyers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46ea566b-6c42-a73-31da-ba15ed82aaf@inria.fr \
--to=julia.lawall@inria.fr \
--cc=andrealmeid@igalia.com \
--cc=andrew.cooper3@citrix.com \
--cc=borntraeger@linux.ibm.com \
--cc=brauner@kernel.org \
--cc=christophe.leroy@csgroup.eu \
--cc=dave@stgolabs.net \
--cc=dvhart@infradead.org \
--cc=hca@linux.ibm.com \
--cc=jack@suse.cz \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linux-s390@vger.kernel.org \
--cc=linux@armlinux.org.uk \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=lkp@intel.com \
--cc=maddy@linux.ibm.com \
--cc=mathieu.desnoyers@efficios.com \
--cc=mpe@ellerman.id.au \
--cc=nicolas.palix@imag.fr \
--cc=npiggin@gmail.com \
--cc=palmer@dabbelt.com \
--cc=peterz@infradead.org \
--cc=pjw@kernel.org \
--cc=svens@linux.ibm.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).