From: Catalin Marinas <catalin.marinas@arm.com>
To: Ramana Radhakrishnan <ramana.radhakrishnan@arm.com>
Cc: Andrey Konovalov <andreyknvl@google.com>,
	Mark Rutland <Mark.Rutland@arm.com>,
	Kate Stewart <kstewart@linuxfoundation.org>,
	"linux-doc@vger.kernel.org" <linux-doc@vger.kernel.org>,
	Will Deacon <Will.Deacon@arm.com>,
	Kostya Serebryany <kcc@google.com>,
	"linux-kselftest@vger.kernel.org"
	<linux-kselftest@vger.kernel.org>,
	Chintan Pandya <cpandya@codeaurora.org>,
	Shuah Khan <shuah@kernel.org>, Ingo Molnar <mingo@kernel.org>,
	"linux-arch@vger.kernel.org" <linux-arch@vger.kernel.org>,
	Jacob Bramley <Jacob.Bramley@arm.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	Evgeniy Stepanov <eugenis@google.com>,
	Kees Cook <keescook@chromium.org>,
	Ruben Ayrapetyan <Ruben.Ayrapetyan@arm.com>,
	Al Viro <viro@zeniv.linux.org.uk>, nd <nd@arm.com>,
	Linux ARM <linux-arm-kernel@lists.infradead.org>,
	Linux Memory Management List <linux-mm@kvack.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Lee Smith <Lee.Smith@arm.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Robin Murphy <Robin.Murphy@arm.com>,
	"Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Subject: Re: [PATCH v4 0/7] arm64: untag user pointers passed to the kernel
Date: Wed, 27 Jun 2018 18:17:58 +0100
Message-ID: <20180627171757.amucnh5znld45cpc@armageddon.cambridge.arm.com>
In-Reply-To: <0cef1643-a523-98e7-95e2-9ec595137642@arm.com>

On Wed, Jun 27, 2018 at 04:08:09PM +0100, Ramana Radhakrishnan wrote:
> On 27/06/2018 16:05, Andrey Konovalov wrote:
> > On Tue, Jun 26, 2018 at 7:29 PM, Catalin Marinas
> > <catalin.marinas@arm.com> wrote:
> >> On Tue, Jun 26, 2018 at 02:47:50PM +0200, Andrey Konovalov wrote:
> >>> On Wed, Jun 20, 2018 at 5:24 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
> >>>> arm64 has a feature called Top Byte Ignore, which allows to embed pointer
> >>>> tags into the top byte of each pointer. Userspace programs (such as
> >>>> HWASan, a memory debugging tool [1]) might use this feature and pass
> >>>> tagged user pointers to the kernel through syscalls or other interfaces.
> >>>>
> >>>> This patch makes a few of the kernel interfaces accept tagged user
> >>>> pointers. The kernel is already able to handle user faults with tagged
> >>>> pointers and has the untagged_addr macro, which this patchset reuses.
> >>>>
> >>>> We're not trying to cover all possible ways the kernel accepts user
> >>>> pointers in one patchset, so this one should be considered as a start.
> >>>>
> >>>> Thanks!
> >>>>
> >>>> [1] http://clang.llvm.org/docs/HardwareAssistedAddressSanitizerDesign.html
> >>>
> >>> Is there anything I should do to move forward with this?
> >>>
> >>> I've received zero replies to this patch set (v3 and v4) over the last
> >>> month.
> >>
> >> The patches in this series look fine but my concern is that they are not
> >> sufficient and we don't have (yet?) a way to identify where such
> >> annotations are required. You even say in patch 6 that this is "some
> >> initial work for supporting non-zero address tags passed to the kernel".
> >> Unfortunately, merging (or relaxing) an ABI without a clear picture is
> >> not really feasible.
> >>
> >> While I support this work, as a maintainer I'd like to understand
> >> whether we'd be in a continuous chase of ABI breaks with every kernel
> >> release or we have a better way to identify potential issues. Is there
> >> any way to statically analyse conversions from __user ptr to long for
> >> example? Or, could we get the compiler to do this for us?
> > 
> > OK, got it, I'll try to figure out a way to find these conversions.
> 
> This sounds like the kind of thing we should be able to get sparse to do
> already, no ? It's been many years since I last looked at it but I
> thought sparse was the tool of choice in the kernel to do this kind of
> checking.

sparse is indeed an option. The current implementation doesn't warn on
an explicit cast from (void __user *) to (unsigned long) since that's a
valid thing in the kernel. I couldn't figure out if there's any other
__attribute__ that could be used to warn of such conversion.

-- 
Catalin
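
An added illustration, not part of the original message or of the patch series: a userspace C model of why the conversions discussed above matter. Once a tagged user pointer has been cast to an integer, plain address-range comparisons miss unless the tag is stripped first. The names model_untagged_addr, set_tag, lookup_raw, lookup_untagged and the sample regions are hypothetical; the tag stripping is modelled as sign-extension from bit 55, which is an assumption of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_SHIFT 56
#define TAG_MASK  (0xffULL << TAG_SHIFT)

/* Model of tag stripping (assumption of this example): the top byte takes
 * the value of bit 55, so user addresses get 0x00 and kernel addresses
 * keep 0xff. */
static uint64_t model_untagged_addr(uint64_t addr)
{
    if (addr & (1ULL << 55))
        return addr | TAG_MASK;
    return addr & ~TAG_MASK;
}

/* Place a tag in the top byte, as a Top Byte Ignore user such as HWASan
 * would. Hardware ignores this byte on loads and stores. */
static uint64_t set_tag(uint64_t addr, uint8_t tag)
{
    return (addr & ~TAG_MASK) | ((uint64_t)tag << TAG_SHIFT);
}

struct region {
    uint64_t start; /* inclusive */
    uint64_t end;   /* exclusive */
};

/* Constructed sample mappings, not taken from any real process. */
static const struct region regions[] = {
    { 0x0000aaaab0000000ULL, 0x0000aaaab0010000ULL },
    { 0x0000ffff80000000ULL, 0x0000ffff80200000ULL },
};

/* Range lookup on an integer address. This stands in for any code path
 * that has already converted a user pointer to unsigned long and then
 * compares it against mapping boundaries. */
static const struct region *lookup_raw(uint64_t addr)
{
    size_t n = sizeof(regions) / sizeof(regions[0]);

    for (size_t i = 0; i < n; i++) {
        if (addr >= regions[i].start && addr < regions[i].end)
            return &regions[i];
    }
    return NULL;
}

/* Same lookup with the tag stripped at the point of conversion. */
static const struct region *lookup_untagged(uint64_t addr)
{
    return lookup_raw(model_untagged_addr(addr));
}

int main(void)
{
    uint64_t plain  = 0x0000aaaab0000040ULL;  /* inside regions[0] */
    uint64_t tagged = set_tag(plain, 0x2a);   /* same memory, tag 0x2a */

    printf("plain    %#018llx raw lookup:      %s\n",
           (unsigned long long)plain, lookup_raw(plain) ? "hit" : "miss");
    printf("tagged   %#018llx raw lookup:      %s\n",
           (unsigned long long)tagged, lookup_raw(tagged) ? "hit" : "miss");
    printf("tagged   %#018llx untagged lookup: %s\n",
           (unsigned long long)tagged,
           lookup_untagged(tagged) ? "hit" : "miss");
    return 0;
}
```

Every place where the integer form of a user pointer reaches a comparison like lookup_raw is a place that needs the untagging step, which is why finding those conversions mechanically is the open question in this thread.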

  reply	other threads:[~2018-06-27 17:18 UTC|newest]

Thread overview: 196+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-06-20 15:24 [PATCH v4 0/7] arm64: untag user pointers passed to the kernel Andrey Konovalov
2018-06-20 15:24 ` Andrey Konovalov
2018-06-20 15:24 ` Andrey Konovalov
2018-06-20 15:24 ` Andrey Konovalov
2018-06-20 15:24 ` Andrey Konovalov
2018-06-20 15:24 ` andreyknvl
2018-06-20 15:24 ` Andrey Konovalov
2018-06-20 15:24 ` [PATCH v4 1/7] arm64: add type casts to untagged_addr macro Andrey Konovalov
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24   ` andreyknvl
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24 ` [PATCH v4 2/7] uaccess: add untagged_addr definition for other arches Andrey Konovalov
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24   ` andreyknvl
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24 ` [PATCH v4 3/7] arm64: untag user addresses in access_ok and __uaccess_mask_ptr Andrey Konovalov
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24   ` andreyknvl
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24 ` [PATCH v4 4/7] mm, arm64: untag user addresses in mm/gup.c Andrey Konovalov
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24   ` andreyknvl
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24 ` [PATCH v4 5/7] lib, arm64: untag addrs passed to strncpy_from_user and strnlen_user Andrey Konovalov
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24   ` andreyknvl
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24 ` [PATCH v4 6/7] arm64: update Documentation/arm64/tagged-pointers.txt Andrey Konovalov
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24   ` andreyknvl
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24 ` [PATCH v4 7/7] selftests, arm64: add a selftest for passing tagged pointers to kernel Andrey Konovalov
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24   ` Andrey Konovalov
2018-06-20 15:24   ` andreyknvl
2018-06-20 15:24   ` Andrey Konovalov
2018-06-26 12:47 ` [PATCH v4 0/7] arm64: untag user pointers passed to the kernel Andrey Konovalov
2018-06-26 12:47   ` Andrey Konovalov
2018-06-26 12:47   ` Andrey Konovalov
2018-06-26 12:47   ` andreyknvl
2018-06-26 12:47   ` Andrey Konovalov
2018-06-26 17:29   ` Catalin Marinas
2018-06-26 17:29     ` Catalin Marinas
2018-06-26 17:29     ` Catalin Marinas
2018-06-26 17:29     ` Catalin Marinas
2018-06-26 17:29     ` catalin.marinas
2018-06-26 17:29     ` Catalin Marinas
2018-06-27 15:05     ` Andrey Konovalov
2018-06-27 15:05       ` Andrey Konovalov
2018-06-27 15:05       ` Andrey Konovalov
2018-06-27 15:05       ` Andrey Konovalov
2018-06-27 15:05       ` andreyknvl
2018-06-27 15:05       ` Andrey Konovalov
2018-06-27 15:08       ` Ramana Radhakrishnan
2018-06-27 15:08         ` Ramana Radhakrishnan
2018-06-27 15:08         ` Ramana Radhakrishnan
2018-06-27 15:08         ` Ramana Radhakrishnan
2018-06-27 15:08         ` Ramana Radhakrishnan
2018-06-27 15:08         ` ramana.radhakrishnan
2018-06-27 15:08         ` Ramana Radhakrishnan
2018-06-27 17:17         ` Catalin Marinas [this message]
2018-06-27 17:17           ` Catalin Marinas
2018-06-27 17:17           ` Catalin Marinas
2018-06-27 17:17           ` Catalin Marinas
2018-06-27 17:17           ` Catalin Marinas
2018-06-27 17:17           ` catalin.marinas
2018-06-27 17:17           ` Catalin Marinas
2018-06-28  6:17           ` Luc Van Oostenryck
2018-06-28  6:17             ` Luc Van Oostenryck
2018-06-28  6:17             ` Luc Van Oostenryck
2018-06-28  6:17             ` Luc Van Oostenryck
2018-06-28  6:17             ` Luc Van Oostenryck
2018-06-28  6:17             ` luc.vanoostenryck
2018-06-28  6:17             ` Luc Van Oostenryck
2018-06-28 10:27             ` Catalin Marinas
2018-06-28 10:27               ` Catalin Marinas
2018-06-28 10:27               ` Catalin Marinas
2018-06-28 10:27               ` Catalin Marinas
2018-06-28 10:27               ` Catalin Marinas
2018-06-28 10:27               ` catalin.marinas
2018-06-28 10:27               ` Catalin Marinas
2018-06-28 10:46               ` Luc Van Oostenryck
2018-06-28 10:46                 ` Luc Van Oostenryck
2018-06-28 10:46                 ` Luc Van Oostenryck
2018-06-28 10:46                 ` Luc Van Oostenryck
2018-06-28 10:46                 ` Luc Van Oostenryck
2018-06-28 10:46                 ` luc.vanoostenryck
2018-06-28 10:46                 ` Luc Van Oostenryck
2018-06-28 14:48                 ` Catalin Marinas
2018-06-28 14:48                   ` Catalin Marinas
2018-06-28 14:48                   ` Catalin Marinas
2018-06-28 14:48                   ` Catalin Marinas
2018-06-28 14:48                   ` Catalin Marinas
2018-06-28 14:48                   ` catalin.marinas
2018-06-28 14:48                   ` Catalin Marinas
2018-06-28 15:28                   ` Luc Van Oostenryck
2018-06-29 15:27                   ` David Laight
2018-06-28 23:21               ` [PATCH] sparse: stricter warning for explicit cast to ulong Luc Van Oostenryck
2018-06-28 19:30       ` [PATCH v4 0/7] arm64: untag user pointers passed to the kernel Andrey Konovalov
2018-06-29 15:19         ` Andrey Konovalov
2018-06-29 15:20           ` Andrey Konovalov
2018-07-16 11:25         ` Andrey Konovalov
2018-07-31 13:23           ` Andrey Konovalov
2018-08-01 17:42           ` Catalin Marinas
2018-08-02 15:00             ` Andrey Konovalov
2018-08-03 14:59               ` Andrey Konovalov
2018-08-03 15:09                 ` Greg Kroah-Hartman
2018-08-03 16:43                   ` Matthew Wilcox
2018-08-03 16:54                     ` Andrey Konovalov
2018-08-06 19:12                   ` Luc Van Oostenryck
2023-05-17 18:39 Parlett23
