Date: Thu, 28 Jun 2018 15:48:59 +0100
From: Catalin Marinas
To: Luc Van Oostenryck
Cc: Mark Rutland, Kate Stewart, linux-doc@vger.kernel.org, Will Deacon, Linux Memory Management List, linux-kselftest@vger.kernel.org, Chintan Pandya, Shuah Khan, Ingo Molnar, linux-arch@vger.kernel.org, Jacob Bramley, Dmitry Vyukov, Evgeniy Stepanov, Kees Cook, Ruben Ayrapetyan, Andrey Konovalov, Ramana Radhakrishnan, Al Viro, nd, Linux ARM, Kostya Serebryany, Greg Kroah-Hartman, LKML, Lee Smith, Andrew Morton, Robin Murphy, Kirill A. Shutemov
Subject: Re: [PATCH v4 0/7] arm64: untag user pointers passed to the kernel
Message-ID: <20180628144858.2fu7kq56cxhp2kpg@armageddon.cambridge.arm.com>
References: <20180626172900.ufclp2pfrhwkxjco@armageddon.cambridge.arm.com> <0cef1643-a523-98e7-95e2-9ec595137642@arm.com> <20180627171757.amucnh5znld45cpc@armageddon.cambridge.arm.com> <20180628061758.j6bytsaj5jk4aocg@ltop.local> <20180628102741.vk6vphfinlj3lvhv@armageddon.cambridge.arm.com> <20180628104610.czsnq4w3lfhxrn53@ltop.local>
In-Reply-To: <20180628104610.czsnq4w3lfhxrn53@ltop.local>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jun 28, 2018 at 12:46:11PM +0200, Luc Van Oostenryck wrote:
> On Thu, Jun 28, 2018 at 11:27:42AM +0100, Catalin Marinas wrote:
> > On Thu, Jun 28, 2018 at 08:17:59AM +0200, Luc Van Oostenryck wrote:
> > > On Wed, Jun 27, 2018 at 06:17:58PM +0100, Catalin Marinas wrote:
> > > > sparse is indeed an option. The current implementation doesn't warn on
> > > > an explicit cast from (void __user *) to (unsigned long) since that's a
> > > > valid thing in the kernel. I couldn't figure out if there's any other
> > > > __attribute__ that could be used to warn of such conversion.
> > >
> > > sparse doesn't have such attribute but would a new option that would warn
> > > on such cast be a solution for your case?
> >
> > I can't tell for sure whether such sparse option would be the full
> > solution but detecting explicit __user pointer casts to long is a good
> > starting point. So far this patchset pretty much relies on detecting
> > a syscall failure and trying to figure out why, patching the kernel. It
> > doesn't really scale.
>
> OK, I'll add such an option this evening.

That's great, thanks. I think this should cover casting pointers to any
integer types, not just "unsigned long" (e.g. long long). The only
downside is that with this patchset the untagging can be done after the
conversion to ulong (get_user_pages()) as that's where the problem was
noticed. With a new sparse feature, we'd have to annotate the conversion
sites (not sure how many until we run the tool though).

> > As a side note, we have cases in the user-kernel ABI where the user
> > address type is "unsigned long": mmap() and friends. My feedback on an
> > early version of this patchset was to always require untagged pointers
> > coming from user space on such syscalls, so no need for explicit
> > untagging.
>
> Mmmm yes.
> I tend to favor a sort of opposite approach. When we have an address
> that must not be dereferenced as-such (and sometimes when the address
> can be from both __user & __kernel space) I prefer to use a ulong
> which will force the use of the required operation before being
> able to do any sort of dereferencing and this won't need horrible
> casts with __force (it, of course, all depends on the full context).

I agree. That's what the kernel uses in functions like get_user_pages()
which take ulong as an argument. Similarly mmap() and friends don't
expect the pointer to be dereferenced, hence the ulong argument. The
interesting part is that the man page (and the C library header
declaration) shows such address argument as void *. We could add a
syscall wrapper in the arch code, only that it doesn't feel consistent
with the "rule" that ulong addresses are not actually tagged pointers.

-- 
Catalin