Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp2593969pxf; Sun, 4 Apr 2021 07:10:36 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwe1UoUgM2KL0xezCq9J2GO9TDdA7R1qV5hVDPc/eL/q52OpgOlN3pqVTCIStKRPLxU6u0y X-Received: by 2002:a17:906:5d06:: with SMTP id g6mr23988127ejt.216.1617545436621; Sun, 04 Apr 2021 07:10:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1617545436; cv=none; d=google.com; s=arc-20160816; b=QmibF/vDsmjTP4HbKMkSlq+3flKwpbM8GyChqktRnArHOn3d43ocFKs2hNq5uj1Dzu t3kIxyWwdSr+ByUrx7h2OML08cKGTCCUAhdjb0qTKT2vkA2KKlLBP4JGzC/82IyBGdrf tVGDe99/U7042EEiXwh5RSN6mFawU0FI+NcrVB8D07c2MhHmvxaTCFsMaAiHGa2+nLNF sATh7blnWarenJeIGJyFtYcD/MMbr3agVFZyLNOYYKefK8SyU7XMJ57hV6Xw4l5nZJWb OXz35FRa6tnttkvg/iChqDfmPYE4NGT+zNP88hH+DFKon5rRr/q7axEfDQ9vo+L9/V72 0tsw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=0ZjxEGyqxVpobPm/RJ+EZNtUYuEiSg65YJlV16IYPyU=; b=cp5wqIAHtoVu6jkQHAk15ipug7zEk1nmNPLxm3BDAJ3Mn1VnlIoUdnCamapte8sttt CoqfrocNxATVnNdYOg27LPNB9JmhAST6e8m0smHDRgT28LPhSCX2bA7JnogG1bl5Xd4A zeLRer5Y3bF9i0s4jieI/ua9mBNmGq2pxfCDr1GWkQgyL/odDI/S4CUvQv7Z+LpkEDQZ 5zajDnnqW9ZipNosKMqsjbesqgmDOacgEgq2AkJkKVtEWHW85GDarTYLLlWY3EDqrkvv td+uRHcNX7LWfEGGAsCngGHWBju+yracuzBB9AuFDOV/9jbIyhtSMityN4tUacoq5cjQ 60jw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ziepe.ca header.s=google header.b=LCW+fT8r; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id o6si6645481edi.480.2021.04.04.07.10.02; Sun, 04 Apr 2021 07:10:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@ziepe.ca header.s=google header.b=LCW+fT8r; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229665AbhDDN5W (ORCPT + 99 others); Sun, 4 Apr 2021 09:57:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34754 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229827AbhDDN5W (ORCPT ); Sun, 4 Apr 2021 09:57:22 -0400 Received: from mail-qv1-xf2a.google.com (mail-qv1-xf2a.google.com [IPv6:2607:f8b0:4864:20::f2a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E0BB9C0613E6 for ; Sun, 4 Apr 2021 06:57:15 -0700 (PDT) Received: by mail-qv1-xf2a.google.com with SMTP id o19so4508937qvu.0 for ; Sun, 04 Apr 2021 06:57:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ziepe.ca; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=0ZjxEGyqxVpobPm/RJ+EZNtUYuEiSg65YJlV16IYPyU=; b=LCW+fT8rx2qHIIP239+nDUBLp+c1282aG2+FqtHvbjuZI6brFk5QP6aCj9eROh0eQI GRfKmrH15iGTQdZFmnmNuDuERSzQR+t0ZlrNKQOngvVotuM5gUxBY0vdDKnJWZgL0kvh 03gfu+aLd+hBeopKcIbFZ/vno2nJwwoGDhk/9nXBiG8Myw7/4OPpGRnE7jTdsU7KtzUM eM0ber+/GZWfef/mP3pSG48Qayj1qZc9RhVujD98ljtPjIdpiZXC1cpAhTlmwrDWG0I8 Yl1GtgxO8PENZkacmAgZh8+WDdp2GVX+uGCvBkSRb8bkRq+HixHxbCPJosZysNt47uT9 KqwQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=0ZjxEGyqxVpobPm/RJ+EZNtUYuEiSg65YJlV16IYPyU=; b=f7VmNGtS9JsA9zz3C8705zCrWpIExVioMAf4aqrMI7XljbFdFMGJ4FOuciPsxbdOnY TnPHBTQP5uSGaH2JYaNJTh8eABFuLvRn/rKL6uZpyzLIZs60y1XKtiRd0zxSbYm6LPav TqM8JhegpaTmCM4ENsIYZOvc5ZX22J6LbrKJ19xihEPVCvuIAbqcHsS1fIGbXkAqrro+ Fcp9QXrddxq9/y2tCx+jK4w70qfWgqwyjbWew/kU+hYCfTerp9acK4hxLPOIs5Yo2HgL 2F+mjMDItuWR7kXCXUO+LNKHZDG8pH8kid8kz/d/ZdOgHkKv7vA52/ISCgLHpkDSMklw 36Sw== X-Gm-Message-State: AOAM531tjFwS+r+iqVI0fsD2/6o8YraIvhKI2g7btOZgIWWXR7wTNFfT 70Faa190Iyyz8DmjsWiY+xBpTQ== X-Received: by 2002:a0c:f749:: with SMTP id e9mr1900291qvo.14.1617544634869; Sun, 04 Apr 2021 06:57:14 -0700 (PDT) Received: from ziepe.ca (hlfxns017vw-142-162-115-133.dhcp-dynamic.fibreop.ns.bellaliant.net. [142.162.115.133]) by smtp.gmail.com with ESMTPSA id d2sm9830886qte.84.2021.04.04.06.57.13 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 04 Apr 2021 06:57:14 -0700 (PDT) Received: from jgg by mlx with local (Exim 4.94) (envelope-from ) id 1lT3FZ-000Vay-2X; Sun, 04 Apr 2021 10:57:13 -0300 Date: Sun, 4 Apr 2021 10:57:13 -0300 From: Jason Gunthorpe To: Kees Cook Cc: Nathan Chancellor , Doug Ledford , Leon Romanovsky , Parav Pandit , Sami Tolvanen , linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org, clang-built-linux@googlegroups.com Subject: Re: CFI violation in drivers/infiniband/core/sysfs.c Message-ID: <20210404135713.GB7721@ziepe.ca> References: <20210402195241.gahc5w25gezluw7p@archlinux-ax161> <202104021555.08B883C7@keescook> <20210402233018.GA7721@ziepe.ca> <202104021823.64FA6119@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <202104021823.64FA6119@keescook> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Apr 02, 2021 at 06:29:55PM -0700, Kees Cook wrote: > On Fri, Apr 02, 2021 at 08:30:18PM -0300, Jason Gunthorpe wrote: > > On Fri, Apr 02, 2021 at 04:03:30PM -0700, Kees Cook wrote: > > > > > > relevant. It seems to me that the hw_counters 'struct attribute_group' > > > > should probably be its own kobj within both of these structures so they > > > > can have their own sysfs ops (unless there is some other way to do this > > > > that I am missing). > > > > Err, yes, every subclass of the attribute should be accompanied by a > > distinct kobject type to relay the show methods with typesafety, this > > is how this design pattern is intended to be used. > > > > If I understand your report properly the hw_stats_attribute is being > > assigned to a 'port_type' kobject and it only works by pure luck because > > the show/store happens to overlap between port and hsa attributes? > > "happens to" :) Yeah, they're all like this, unfortunately: > https://lore.kernel.org/lkml/202006112217.2E6CE093@keescook/ All? I think these are all bugs, no? struct kobj_attribute is only to be used with a kobj_sysfs_ops type kobject To cross it over to a 'struct device' kobj is completely wrong, the same basic wrongness being done here. > I'm not convinced that just backing everything off to kobject isn't > simpler? It might be simpler, but isn't right - everything should continue to work after a patch like this: --- a/drivers/infiniband/core/sysfs.c +++ b/drivers/infiniband/core/sysfs.c @@ -67,6 +67,7 @@ struct ib_port { struct port_attribute { struct attribute attr; + uu64 pad[2]; ssize_t (*show)(struct ib_port *, struct port_attribute *, char *buf); ssize_t (*store)(struct ib_port *, struct port_attribute *, const char *buf, size_t count); If it doesn't it is still broken. Using container_of() with the wrong types is an unconditional error. A kasn test to catch this would be very cool (think like RTTI and dynamic_cast<>() in C++) > > And then two show/set functions that bounce through the correct types > > to the data. > > I'd like to make these things compile-time safe (there is not type > associated with use the __ATTR() macro, for example). That I haven't > really figured out how to do right. They are in many places, for instance. int device_create_file(struct device *dev, const struct device_attribute *attr) We loose the type safety when working with attribute arrays, and people can just bypass the "proper" APIs to raw sysfs ones whenever they like. It is fundamentally completely wrong to attach a 'struct kobject_attribute' to a 'struct device' kobject. Which is what is happening here and the link above. Jason