Received: by 10.213.65.68 with SMTP id h4csp1140791imn;
        Wed, 14 Mar 2018 10:46:20 -0700 (PDT)
X-Google-Smtp-Source: AG47ELvd0sfZAMs18qVdmVeg/O5EScms4Ypw47sjmLtJZ7cgs8vaczQeuSXzhPIg/9anrEH/xOdu
X-Received: by 10.98.153.86 with SMTP id d83mr5082058pfe.46.1521049580921;
        Wed, 14 Mar 2018 10:46:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1521049580; cv=none;
        d=google.com; s=arc-20160816;
        b=oQPysid3RXRh/VJlMhYenpz4UQbRxJd3B9iB6zg+dLxQxwOPTtJXUVxI78I1g+WkIw
         8jpRgbY91MtdLUxCN2+un1ridEfJ3mfpfcGUcXyYPMxKG63kp2MPlSG3+xyl2Xrvq8N2
         MvOCldcO4Fzpj226ErAxwyQikPic9DtqbUj4MRM6eDdjmswcYKK4M79N8am/81W2Z2Qt
         c6NZLy6sZSNgGV28AIBaSExN/WPcwcvRDxcBtV9YpFcKdVQVCctltvOnWC5xIFsxg+ZF
         tAZ84IUF41pcdZd4894a5oCYtHNw+AKxTzH8M36CE0hDguSWuP+CoFAuuWOM0gBVGcTv
         5uJA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=eOWqRxs0bLcbgG2jl56sPnahYLH4Qm10To/sShqbyUA=;
        b=ehgQ3S0NyJOMEeqjVW9VeV3vcHLifuQkI3tAM9klGPdGj1fCeG3/5kphiAkb3y0Lmm
         6l1648vsMnP5qdoI1dj8/jDhZhJQd/a7lYHKp6pqyalNTFBTRQSumfwQfpT+MHbywFuP
         KZBZ0UhViLqZeM6aAVngp4t4T7B98/zdGXLTMB9cAfS0PhWWfQ210M04DKHzd2lGt+Ii
         jJjcIKuWorvYYUPDjG3sMYOFs/JU8vYQa6aL0SyOva+CkLipAkygDsScl0B7H9JmosQW
         oGuOkDzhYJzOMju/cEyuyyX4R/NDrrP8RRAn5nB1G2bomX78yGpYhCATvUu1U/oPSKbg
         z2eA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e4si2167993pgp.516.2018.03.14.10.46.06;
        Wed, 14 Mar 2018 10:46:20 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751886AbeCNRou (ORCPT <rfc822;uzarths@gmail.com> + 99 others);
        Wed, 14 Mar 2018 13:44:50 -0400
Received: from foss.arm.com ([217.140.101.70]:57498 "EHLO foss.arm.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751131AbeCNRos (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 14 Mar 2018 13:44:48 -0400
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249])
        by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 787DD80D;
        Wed, 14 Mar 2018 10:44:48 -0700 (PDT)
Received: from armageddon.cambridge.arm.com (armageddon.cambridge.arm.com [10.1.206.84])
        by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id EF9723F53D;
        Wed, 14 Mar 2018 10:44:45 -0700 (PDT)
Date:   Wed, 14 Mar 2018 17:44:43 +0000
From:   Catalin Marinas <catalin.marinas@arm.com>
To:     Andrey Konovalov <andreyknvl@google.com>
Cc:     Evgenii Stepanov <eugenis@google.com>,
        Mark Rutland <mark.rutland@arm.com>,
        linux-arch@vger.kernel.org, Jacob Bramley <Jacob.Bramley@arm.com>,
        Arnd Bergmann <arnd@arndb.de>,
        Ruben Ayrapetyan <Ruben.Ayrapetyan@arm.com>,
        Ramana Radhakrishnan <Ramana.Radhakrishnan@arm.com>,
        Will Deacon <will.deacon@arm.com>,
        LKML <linux-kernel@vger.kernel.org>,
        Kostya Serebryany <kcc@google.com>,
        Dmitry Vyukov <dvyukov@google.com>,
        Lee Smith <Lee.Smith@arm.com>,
        Robin Murphy <robin.murphy@arm.com>,
        Linux ARM <linux-arm-kernel@lists.infradead.org>
Subject: Re: [RFC PATCH 3/6] mm, arm64: untag user addresses in memory
 syscalls
Message-ID: <20180314174442.lclslnqc3egfjg4c@armageddon.cambridge.arm.com>
References: <cover.1520600533.git.andreyknvl@google.com>
 <beea8ac394bfae3c7c949645fb887ceacc3f3bb3.1520600533.git.andreyknvl@google.com>
 <20180309155315.4x44sbp3darractt@armageddon.cambridge.arm.com>
 <CAAeHK+xF0X-SQuPVmZF--VnmvYrbpDkznSwYTh_3LHq1H2V=9Q@mail.gmail.com>
 <CAFKCwrgPEhBEbXn95ugxVuxHw7UTiQWuo3+HJ_t7UBG69fbUcw@mail.gmail.com>
 <CAAeHK+y3hJ4jAByvfGDYyNb_RZ3_As4r-FCyZL9u69Vv_HS2AA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAAeHK+y3hJ4jAByvfGDYyNb_RZ3_As4r-FCyZL9u69Vv_HS2AA@mail.gmail.com>
User-Agent: NeoMutt/20170113 (1.7.2)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Mar 14, 2018 at 04:45:20PM +0100, Andrey Konovalov wrote:
> On Fri, Mar 9, 2018 at 6:42 PM, Evgenii Stepanov <eugenis@google.com> wrote:
> > On Fri, Mar 9, 2018 at 9:31 AM, Andrey Konovalov <andreyknvl@google.com> wrote:
> >> On Fri, Mar 9, 2018 at 4:53 PM, Catalin Marinas <catalin.marinas@arm.com> wrote:
> >>> I'm not yet convinced these functions need to allow tagged pointers.
> >>> They are not doing memory accesses but rather dealing with the memory
> >>> range, hence an untagged pointer is better suited. There is probably a
> >>> reason why the "start" argument is "unsigned long" vs "void __user *"
> >>> (in the kernel, not the man page).
> >>
> >> So that would make the user to untag pointers before passing to these syscalls.
> >>
> >> Evgeniy, would that be possible to untag pointers in HWASan before
> >> using memory subsystem syscalls? Is there a reason for untagging them
> >> in the kernel?
> >
> > Generally, no. It's possible to intercept a libc call using symbol
> > interposition, but I don't know how to rewrite arguments of a raw
> > system call other than through ptrace, and that creates more problems
> > than it solves.

With these patches, we are trying to relax the user/kernel ABI so that
tagged pointers can be passed into the kernel. Since this is a new ABI
(or an extension to the existing one), it might be ok to change the libc
so that the top byte is zeroed on specific syscalls before issuing the
SVC.

I agree that it is problematic for HWASan if it only relies on
overriding malloc/free.

> > AFAIU, it's valid for a program to pass an address obtained from
> > malloc or, better, posix_memalign to an mm syscall like mprotect().
> > These arguments are pointers from the userspace point of view.
> 
> Catalin, do you think this is a good reason to have the untagging done
> in the kernel?

malloc() or posix_memalign() are C library implementations and it's the
C library (or overridden functions) setting a tag on the returned
pointers. Since the TBI hardware feature allows memory accesses with a
non-zero tag, we could allow them in the kernel for syscalls performing
such accesses on behalf of the user (e.g. get_user/put_user would not
need to clear the tag).

madvise(), OTOH, does not perform a memory access on behalf of the user,
it's just advising the kernel about a range of virtual addresses. That's
where I think, from an ABI perspective, it doesn't make much sense to
allow tags into the kernel for these syscalls (even if it's simpler from
a user space perspective).

(but I don't have a very strong opinion on this ;))

-- 
Catalin