Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp3080652ybt; Mon, 29 Jun 2020 14:50:20 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyAy795MwZZWcY/4WmF0w5Udc11fykQ3BQPt++Dq2Z+o5rJiFzhoJb2KrH3ZiKonHxhagh/ X-Received: by 2002:a50:ee01:: with SMTP id g1mr12615347eds.264.1593467420201; Mon, 29 Jun 2020 14:50:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1593467420; cv=none; d=google.com; s=arc-20160816; b=gL0cAVFSgli3Wi0IJJMDISTM0g+Ays0vGc62ihR3ITnYJoU2BZVB59MnHeHoFn6jHa 7vHC8Q4n58QpAwO/YLjwwKIWkkvybINlEAekjsY9BA+IAOMck0NV36jzzCdFYlZofsL4 h8d59M8qGT4UwkY2U2F0fNRgKuRpA4qDJRIos/Aq9ky44bRjouT61Ueg3yhpNkKmvGJi Qtj7u6iMTlGtwrL1B717FsD3k0dj/9ouhTpzYIj45zRp39+TjDeZf+RahCCxlEPyl2Hv kAxLxFrvYyRq7ugfnTfGvw4U3ZF4kFkafVWRNQvMHs3GdMU3K5Rx7cqWHFZLdHIH3m5w 5nZA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=xDU696YPFQFByaDgj4TaIBYY7b7GogdeGS2pZGLrlCo=; b=aYe8vJ79DLu5t7e0mGusaeXXB6Dy0hBYBhnSjAJm2MZW9phNaKaiK59SlizGQKwKcx ybSUH38ZPvARzu9Bv9Nwk30N8h7Nb/j0LncnmWzN0m6zbUQWoEExzt1/+SrxUAjHbiNw PwYpIX6sZHier+Ukp8DMibYDcX3iUnn7/Fw0da1fOAFBrCimc3wwaMEe1dfvUndI54gF 1ITQLwE7HCdvdZE7pqDL0Yj/sRYqcgbSXvZYfaKIIt8gOcfp7OvR+rW+xWKuiO0A7ACL ffVepzO32AiEbvSxG/2SgAc8O6pfQ9lPb/+FxDkdaNV0jtWdhhmzxQs43ndNAjKHGWV3 AnCA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=VRvSW+Uk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n6si460588edy.324.2020.06.29.14.49.57; Mon, 29 Jun 2020 14:50:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=VRvSW+Uk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2404185AbgF2VrB (ORCPT + 99 others); Mon, 29 Jun 2020 17:47:01 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40026 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732044AbgF2Vqv (ORCPT ); Mon, 29 Jun 2020 17:46:51 -0400 Received: from mail-pj1-x1044.google.com (mail-pj1-x1044.google.com [IPv6:2607:f8b0:4864:20::1044]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A4818C061755 for ; Mon, 29 Jun 2020 14:46:51 -0700 (PDT) Received: by mail-pj1-x1044.google.com with SMTP id o22so3523341pjw.2 for ; Mon, 29 Jun 2020 14:46:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=xDU696YPFQFByaDgj4TaIBYY7b7GogdeGS2pZGLrlCo=; b=VRvSW+UkmvsRa52leABslqppFhohbUv2Y57EAfRfPkSiCXJCBOO9xVFfpsrzQDJOz1 tjHENNBB0/+3Up4/WUfV+mnRv86LFjidyGgKNMUbXJ9VfrhsySuQhWo3Gx5q+g60UJ06 OLGHuN6fNwEWTFEnUExSpqTC0CaLqdgr6Zs/PmudwGeW35RPOrTzF8HQ/A+2MLCM5QIY 5IXlTK0hW/R7RPNOXKFl8XLNkZO8/FR+FHMFUtVj6lML7eI4+rCW9SFrAiQT0bM+SKYf JGfnagg6+MAuL+UEPKM/5LG1Z0FFnenGZAI9pMDD+20HXrnQMR3GSCqrRwC+7ujmg/02 FWbQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=xDU696YPFQFByaDgj4TaIBYY7b7GogdeGS2pZGLrlCo=; b=S1I3zoABur6Fq5Ohu2Fi5CG0Wyy4qQ3142DH1d1G02vrWZs5nny3JiCclUjESGyQbw JZuFaoMFjPC+1vcPvrhaaLA8p5bZB0ro07Gbv6QT9k1kb3uVXHjjcoQMbdr02kp/ieQG tsY5J4Tcyjlqku+nQ0FJCOzmkozkWVrUg0ijrjjVR3KP8KMil6VfVulLK15gKjt2M94T lOXkMjt6BD3RHnxWQ69MrlZaNYqF0WieqsmMyrxhAdQ3EkNY2laZkhq+cBvNnTo/Q7w+ CLJR4B8V0SUwJFYiwIAe8m4XsDQ072AWYSwsI7bhRcKV4PrYdxUav6oFJTzVBTWaFjPc 3XHw== X-Gm-Message-State: AOAM533gDUxtHuWfcxvFiGTWFm1unvT2eD3AyiWsZY495udE9bYLF9I5 gNPujNDJc0/mkOmJSxwIoZUFeJ9Pi9H6gftCXrrJ4Q== X-Received: by 2002:a17:90a:21ef:: with SMTP id q102mr20001058pjc.101.1593467210715; Mon, 29 Jun 2020 14:46:50 -0700 (PDT) MIME-Version: 1.0 References: <20200627190230.1191796-1-luca.stefani.ge1@gmail.com> In-Reply-To: <20200627190230.1191796-1-luca.stefani.ge1@gmail.com> From: Nick Desaulniers Date: Mon, 29 Jun 2020 14:46:39 -0700 Message-ID: Subject: Re: [PATCH] ntfs: Fix ntfs_test_inode and ntfs_init_locked_inode function type To: Luca Stefani Cc: clang-built-linux , freak07 , Anton Altaparmakov , linux-ntfs-dev@lists.sourceforge.net, LKML , Sami Tolvanen Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Jun 27, 2020 at 12:02 PM Luca Stefani wrote: > > If the kernel is built with CFI we hit a __cfi_check_fail > while mounting a partition Luca, Since CFI is not yet upstream (is downstream in Android, blocked on LTO patches currently working their way through upstreaming+code review), it might help explain to reviewers what CFI *even is*. Something like: """ Clang's Control Flow Integrity (CFI) is a security mechanism that can help prevent JOP chains, deployed extensively in downstream kernels used in Android. It's deployment is hindered by mismatches in function signatures. For this case, we make callbacks match their intended function signature, and cast parameters within them rather than casting the callback when passed as a parameter. When running `mount -t ntfs ...` we observe the following trace: """ I also always recommend setting an explicit `--to=` when sending patches; some maintainers only know to take a look at patches if they're in the To: list. Maybe they have email filters on this. You can you `./script/get_maintainer.pl` on your patch file, or manually check MAINTAINERS. In this case, it looks like Anton is cc'ed at least. Since this patch modifies the type signature of callbacks to the expected type, casting the callback's parameters instead; I'm happy with this patch. The callbacks never get invoked directly (not explicitly called, only invoked indirectly), there is no argument for loss of type safety (the interfaces are already lossy in that the interface uses void* parameters). I just would like the commit message beefed up before I sign off. Are you comfortable sending a V2? More on JOP/CFI: https://www.comp.nus.edu.sg/~liangzk/papers/asiaccs11.pdf > CFI has not seen wide deployment, likely due to concerns over performance, especially in the case of real-time enforcement. > > Call trace: > __cfi_check_fail+0x1c/0x24 > name_to_dev_t+0x0/0x404 > iget5_locked+0x594/0x5e8 > ntfs_fill_super+0xbfc/0x43ec > mount_bdev+0x30c/0x3cc > ntfs_mount+0x18/0x24 > mount_fs+0x1b0/0x380 > vfs_kern_mount+0x90/0x398 > do_mount+0x5d8/0x1a10 > SyS_mount+0x108/0x144 > el0_svc_naked+0x34/0x38 > > Fixing iget5_locked and ilookup5 callers seems enough > > Signed-off-by: Luca Stefani > Tested-by: freak07 > --- > fs/ntfs/dir.c | 2 +- > fs/ntfs/inode.c | 23 ++++++++++++----------- > fs/ntfs/inode.h | 4 +--- > fs/ntfs/mft.c | 4 ++-- > 4 files changed, 16 insertions(+), 17 deletions(-) > > diff --git a/fs/ntfs/dir.c b/fs/ntfs/dir.c > index 3c4811469ae8..e278bfc5ee7f 100644 > --- a/fs/ntfs/dir.c > +++ b/fs/ntfs/dir.c > @@ -1503,7 +1503,7 @@ static int ntfs_dir_fsync(struct file *filp, loff_t start, loff_t end, > na.type = AT_BITMAP; > na.name = I30; > na.name_len = 4; > - bmp_vi = ilookup5(vi->i_sb, vi->i_ino, (test_t)ntfs_test_inode, &na); > + bmp_vi = ilookup5(vi->i_sb, vi->i_ino, ntfs_test_inode, &na); Looks like the signature of ilookup5 is: struct inode *ilookup5(struct super_block *sb, unsigned long hashval, int (*test)(struct inode *, void *), void *data) while ntfs_test_inode is: int ntfs_test_inode(struct inode *vi, ntfs_attr *na) while test_t is defined way below to: typedef int (*test_t)(struct inode *, void *); > if (bmp_vi) { > write_inode_now(bmp_vi, !datasync); > iput(bmp_vi); > diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c > index d4359a1df3d5..a5d3bebe7a85 100644 > --- a/fs/ntfs/inode.c > +++ b/fs/ntfs/inode.c > @@ -30,7 +30,7 @@ > /** > * ntfs_test_inode - compare two (possibly fake) inodes for equality > * @vi: vfs inode which to test > - * @na: ntfs attribute which is being tested with > + * @data: data which is being tested with > * > * Compare the ntfs attribute embedded in the ntfs specific part of the vfs > * inode @vi for equality with the ntfs attribute @na. > @@ -43,8 +43,9 @@ > * NOTE: This function runs with the inode_hash_lock spin lock held so it is not > * allowed to sleep. > */ > -int ntfs_test_inode(struct inode *vi, ntfs_attr *na) > +int ntfs_test_inode(struct inode *vi, void *data) > { > + ntfs_attr *na = (ntfs_attr *)data; > ntfs_inode *ni; > > if (vi->i_ino != na->mft_no) > @@ -72,7 +73,7 @@ int ntfs_test_inode(struct inode *vi, ntfs_attr *na) > /** > * ntfs_init_locked_inode - initialize an inode > * @vi: vfs inode to initialize > - * @na: ntfs attribute which to initialize @vi to > + * @data: data which to initialize @vi to > * > * Initialize the vfs inode @vi with the values from the ntfs attribute @na in > * order to enable ntfs_test_inode() to do its work. > @@ -87,8 +88,9 @@ int ntfs_test_inode(struct inode *vi, ntfs_attr *na) > * NOTE: This function runs with the inode->i_lock spin lock held so it is not > * allowed to sleep. (Hence the GFP_ATOMIC allocation.) > */ > -static int ntfs_init_locked_inode(struct inode *vi, ntfs_attr *na) > +static int ntfs_init_locked_inode(struct inode *vi, void *data) > { > + ntfs_attr *na = (ntfs_attr *)data; > ntfs_inode *ni = NTFS_I(vi); > > vi->i_ino = na->mft_no; > @@ -131,7 +133,6 @@ static int ntfs_init_locked_inode(struct inode *vi, ntfs_attr *na) > return 0; > } > > -typedef int (*set_t)(struct inode *, void *); > static int ntfs_read_locked_inode(struct inode *vi); > static int ntfs_read_locked_attr_inode(struct inode *base_vi, struct inode *vi); > static int ntfs_read_locked_index_inode(struct inode *base_vi, > @@ -164,8 +165,8 @@ struct inode *ntfs_iget(struct super_block *sb, unsigned long mft_no) > na.name = NULL; > na.name_len = 0; > > - vi = iget5_locked(sb, mft_no, (test_t)ntfs_test_inode, > - (set_t)ntfs_init_locked_inode, &na); > + vi = iget5_locked(sb, mft_no, ntfs_test_inode, > + ntfs_init_locked_inode, &na); > if (unlikely(!vi)) > return ERR_PTR(-ENOMEM); > > @@ -225,8 +226,8 @@ struct inode *ntfs_attr_iget(struct inode *base_vi, ATTR_TYPE type, > na.name = name; > na.name_len = name_len; > > - vi = iget5_locked(base_vi->i_sb, na.mft_no, (test_t)ntfs_test_inode, > - (set_t)ntfs_init_locked_inode, &na); > + vi = iget5_locked(base_vi->i_sb, na.mft_no, ntfs_test_inode, > + ntfs_init_locked_inode, &na); > if (unlikely(!vi)) > return ERR_PTR(-ENOMEM); > > @@ -280,8 +281,8 @@ struct inode *ntfs_index_iget(struct inode *base_vi, ntfschar *name, > na.name = name; > na.name_len = name_len; > > - vi = iget5_locked(base_vi->i_sb, na.mft_no, (test_t)ntfs_test_inode, > - (set_t)ntfs_init_locked_inode, &na); > + vi = iget5_locked(base_vi->i_sb, na.mft_no, ntfs_test_inode, > + ntfs_init_locked_inode, &na); > if (unlikely(!vi)) > return ERR_PTR(-ENOMEM); > > diff --git a/fs/ntfs/inode.h b/fs/ntfs/inode.h > index 98e670fbdd31..363e4e820673 100644 > --- a/fs/ntfs/inode.h > +++ b/fs/ntfs/inode.h > @@ -253,9 +253,7 @@ typedef struct { > ATTR_TYPE type; > } ntfs_attr; > > -typedef int (*test_t)(struct inode *, void *); > - > -extern int ntfs_test_inode(struct inode *vi, ntfs_attr *na); > +extern int ntfs_test_inode(struct inode *vi, void *data); > > extern struct inode *ntfs_iget(struct super_block *sb, unsigned long mft_no); > extern struct inode *ntfs_attr_iget(struct inode *base_vi, ATTR_TYPE type, > diff --git a/fs/ntfs/mft.c b/fs/ntfs/mft.c > index fbb9f1bc623d..0d62cd5bb7f8 100644 > --- a/fs/ntfs/mft.c > +++ b/fs/ntfs/mft.c > @@ -958,7 +958,7 @@ bool ntfs_may_write_mft_record(ntfs_volume *vol, const unsigned long mft_no, > * dirty code path of the inode dirty code path when writing > * $MFT occurs. > */ > - vi = ilookup5_nowait(sb, mft_no, (test_t)ntfs_test_inode, &na); > + vi = ilookup5_nowait(sb, mft_no, ntfs_test_inode, &na); > } > if (vi) { > ntfs_debug("Base inode 0x%lx is in icache.", mft_no); > @@ -1019,7 +1019,7 @@ bool ntfs_may_write_mft_record(ntfs_volume *vol, const unsigned long mft_no, > vi = igrab(mft_vi); > BUG_ON(vi != mft_vi); > } else > - vi = ilookup5_nowait(sb, na.mft_no, (test_t)ntfs_test_inode, > + vi = ilookup5_nowait(sb, na.mft_no, ntfs_test_inode, > &na); > if (!vi) { > /* > -- > 2.26.2 > > -- > You received this message because you are subscribed to the Google Groups "Clang Built Linux" group. > To unsubscribe from this group and stop receiving emails from it, send an email to clang-built-linux+unsubscribe@googlegroups.com. > To view this discussion on the web visit https://groups.google.com/d/msgid/clang-built-linux/20200627190230.1191796-1-luca.stefani.ge1%40gmail.com. -- Thanks, ~Nick Desaulniers