Received: by 2002:ac0:8845:0:0:0:0:0 with SMTP id g63csp1149828img;
        Tue, 26 Feb 2019 15:18:33 -0800 (PST)
X-Google-Smtp-Source: AHgI3IYgv2IY4dgcQykNycXRKghyZN6kkBnt1k6mfqLGnAfgC5HcspIhVJRb1o9IbZOsUvnskAee
X-Received: by 2002:a62:ab04:: with SMTP id p4mr28544668pff.142.1551223113839;
        Tue, 26 Feb 2019 15:18:33 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1551223113; cv=none;
        d=google.com; s=arc-20160816;
        b=QE1IeI7urYATJlOk3tJdCqhf7GNpRs+m8Xv1P8t6mXMXqHYmtU2gWZatprLg8WLNgO
         sVy8n/YVVJVM9LvRcH05W49ELx7rvlQfzXMCUkJEo7H9IvupV1LjeqOA+5Q6EN5Giw4V
         vbJVv5SGHeoWNhz4iFZebGgT0jP20/zaWi5+T7dhIjlsNjisnE/PlLDJ/mZnFcD3kG7o
         c38jsApx/0uehi6bYkNs67yz5THk9m/0/USs4xzJkjA1ij8ooGyCxUzRf/N8vNWHvXWl
         k2xPYlKjdBiQbhTH2GF2AqL/AP8QA4MjzlqH3rDFfDi5umiOH8JXd97OzXfnAEb/mvvX
         q6oQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=F/ZWUspDnO9H+N1b+3KaSbEisQ9DROKLGDc6Wk9zF/Q=;
        b=0DKoicqKK53m1psbsxgYx34CZOah0CKIpABKNobDeuWfj6czl/q3yTIVhQuVL+R60L
         8QjGM/6d4PaeGECut4kcuQsPwPGEEJv+U4A8btJm6PUVmCTjalvxbA2kkUTCHPApS4BZ
         1p4GiWxBBzFjFm3RZzRJkStKNvDGINCNGDku4aeUd8+dyLagnFvSRgOwRnEp2cDHmoFN
         Hs2ZWFbRo5Pw9dCJ8eGZUQ1QrPbH84AM6RO55EtsXqhIlS1VuJ7+OP/2CZsZgYTh/IjJ
         c5EXTPsVOeRGnDWRgx1cgFwA1U+JZ9mQffBf4S7qoF85r8059BjczhY4ficZm1kz1Pi8
         SbUg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Ns64+bku;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 31si3830520ple.389.2019.02.26.15.18.18;
        Tue, 26 Feb 2019 15:18:33 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=Ns64+bku;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729360AbfBZXRy (ORCPT <rfc822;jaysonjohndmello@gmail.com>
        + 99 others); Tue, 26 Feb 2019 18:17:54 -0500
Received: from mail-ed1-f65.google.com ([209.85.208.65]:34710 "EHLO
        mail-ed1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729038AbfBZXRy (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 26 Feb 2019 18:17:54 -0500
Received: by mail-ed1-f65.google.com with SMTP id a16so12331156edn.1;
        Tue, 26 Feb 2019 15:17:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=F/ZWUspDnO9H+N1b+3KaSbEisQ9DROKLGDc6Wk9zF/Q=;
        b=Ns64+bkuLm12DoKtMqYvm9spiyuFy91esqRW620Tr8a7c6yO/zBoKktXkM25pJWO7N
         KYZHrHySgbKp0ukEqgvOhVKztZuddf20j5XWcS8omSkG42v0aRxVNYrlBxPtJ5MKsME7
         ICL0xa9DMOfylbdIxpEwAZmOFNWw8UhcTBw6asiXQj4RekvDc6+JweuyVSjAgI3eHELu
         vrpNWsBvdmFuFoBrNOxVtfbPgEBXp3J4Y4DdxNVAhdJW9HKxxO6kJVWQ6cQR3MOt6yFp
         sJZMlrFYPfy5nxUdukFrBbjcMPSYdZIfmqc7x6DDDKYm9VEv7xqnU2PBR6i514uULX4k
         dhBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=F/ZWUspDnO9H+N1b+3KaSbEisQ9DROKLGDc6Wk9zF/Q=;
        b=PInyJwQ3bxoIhfe6qFrVbVSVhuzdQVNxRMZDpbXkTKEebgurTmJumQhrEb/oWjqxVP
         bTOnbTH3yNvwQWcBxETP2IeoCODFdPSsycThk/kPg8IJ+ezriGbaOLu4JgDNYjj7jRmW
         5+bW/asmJQ4AWWxsoVMe91LxyEaQujMYOBV9oit2RO3m5UF1ivb6S0OwSlz70pTfKz+d
         5xmoZMz9+qICnRl4WfXxTps7H+L2p1HGpa42zMQvxnC7www6T/dvxmmjbWqEVmy0BDDB
         Y1SZjsGX9KbdErHqBAbj3waXdSbOFLBN1VM4n2lRaAv0MCZxf7dYz9Uex5jVcjpS2dWw
         66Ow==
X-Gm-Message-State: AHQUAuZbox7xhCX0UPBwsCUwTYZ+9PDratzLpN+Y3I2J9OAiShLcKNW8
        MVVSaKC0E7Y4FQn7jcTv/Rw=
X-Received: by 2002:a50:ca41:: with SMTP id e1mr3769377edi.73.1551223071600;
        Tue, 26 Feb 2019 15:17:51 -0800 (PST)
Received: from ltop.local ([2a02:a03f:4034:3c00:69ad:1253:f4b5:5458])
        by smtp.gmail.com with ESMTPSA id fy6sm2459233ejb.52.2019.02.26.15.17.49
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 26 Feb 2019 15:17:50 -0800 (PST)
Date:   Wed, 27 Feb 2019 00:17:49 +0100
From:   Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
To:     Andrey Konovalov <andreyknvl@google.com>
Cc:     Dave Hansen <dave.hansen@intel.com>,
        Catalin Marinas <catalin.marinas@arm.com>,
        Will Deacon <will.deacon@arm.com>,
        Mark Rutland <mark.rutland@arm.com>,
        Robin Murphy <robin.murphy@arm.com>,
        Kees Cook <keescook@chromium.org>,
        Kate Stewart <kstewart@linuxfoundation.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        Ingo Molnar <mingo@kernel.org>,
        "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>,
        Shuah Khan <shuah@kernel.org>,
        Vincenzo Frascino <vincenzo.frascino@arm.com>,
        Linux ARM <linux-arm-kernel@lists.infradead.org>,
        "open list:DOCUMENTATION" <linux-doc@vger.kernel.org>,
        Linux Memory Management List <linux-mm@kvack.org>,
        linux-arch <linux-arch@vger.kernel.org>,
        "open list:KERNEL SELFTEST FRAMEWORK" 
        <linux-kselftest@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Dmitry Vyukov <dvyukov@google.com>,
        Kostya Serebryany <kcc@google.com>,
        Evgeniy Stepanov <eugenis@google.com>,
        Lee Smith <Lee.Smith@arm.com>,
        Ramana Radhakrishnan <Ramana.Radhakrishnan@arm.com>,
        Jacob Bramley <Jacob.Bramley@arm.com>,
        Ruben Ayrapetyan <Ruben.Ayrapetyan@arm.com>,
        Chintan Pandya <cpandya@codeaurora.org>,
        Dave Martin <Dave.Martin@arm.com>,
        Kevin Brodsky <kevin.brodsky@arm.com>,
        Szabolcs Nagy <Szabolcs.Nagy@arm.com>
Subject: Re: [PATCH v10 00/12] arm64: untag user pointers passed to the kernel
Message-ID: <20190226231747.z3lc6yr6xmrw5q2z@ltop.local>
References: <cover.1550839937.git.andreyknvl@google.com>
 <2ad5f897-25c0-90cf-f54f-827876873a0a@intel.com>
 <CAAeHK+xCi2MxaykYWCz9mwbOzNpjrFcHex7B-VXektNNWBT+Hw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAAeHK+xCi2MxaykYWCz9mwbOzNpjrFcHex7B-VXektNNWBT+Hw@mail.gmail.com>
User-Agent: NeoMutt/20180716
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Feb 26, 2019 at 06:18:25PM +0100, Andrey Konovalov wrote:
> On Fri, Feb 22, 2019 at 11:55 PM Dave Hansen <dave.hansen@intel.com> wrote:
> >
> > On 2/22/19 4:53 AM, Andrey Konovalov wrote:
> > > The following testing approaches has been taken to find potential issues
> > > with user pointer untagging:
> > >
> > > 1. Static testing (with sparse [3] and separately with a custom static
> > >    analyzer based on Clang) to track casts of __user pointers to integer
> > >    types to find places where untagging needs to be done.
> >
> > First of all, it's really cool that you took this approach.  Sounds like
> > there was a lot of systematic work to fix up the sites in the existing
> > codebase.
> >
> > But, isn't this a _bit_ fragile going forward?  Folks can't just "make
> > sparse" to find issues with missing untags.
> 
> Yes, this static approach can only be used as a hint to find some
> places where untagging is needed, but certainly not all.
> 
> > This seems like something
> > where we would ideally add an __tagged annotation (or something) to the
> > source tree and then have sparse rules that can look for missed untags.
> 
> This has been suggested before, search for __untagged here [1].
> However there are many places in the kernel where a __user pointer is
> casted into unsigned long and passed further. I'm not sure if it's
> possible apply a __tagged/__untagged kind of attribute to non-pointer
> types, is it?
> 
> [1] https://patchwork.kernel.org/patch/10581535/

It's something that should need to be added to sparse since it's
different from what sparse already have (the existing __bitwise and
concept of address-space doesn't seem to do the job here).

-- Luc Van Oostenryck