From: Kees Cook <keescook@chromium.org>
To: Matthew Wilcox <willy@infradead.org>
Cc: Kuppuswamy Sathyanarayanan
	<sathyanarayanan.kuppuswamy@linux.intel.com>,
	"Rafael J. Wysocki" <rafael.j.wysocki@intel.com>,
	Oscar Carter <oscar.carter@gmx.com>,
	Mitchell Blank Jr <mitch@sfgoth.com>,
	kernel-hardening@lists.openwall.com,
	Peter Zijlstra <peterz@infradead.org>,
	kgdb-bugreport@lists.sourceforge.net,
	Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
	alsa-devel@alsa-project.org, Allen Pais <allen.lkml@gmail.com>,
	netdev@vger.kernel.org,
	Christian Gromm <christian.gromm@microchip.com>,
	Will Deacon <will@kernel.org>,
	devel@driverdev.osuosl.org, Jonathan Corbet <corbet@lwn.net>,
	Daniel Thompson <daniel.thompson@linaro.org>,
	"David S. Miller" <davem@davemloft.net>,
	Masahiro Yamada <masahiroy@kernel.org>,
	Takashi Iwai <tiwai@suse.com>,
	Julian Wiedmann <jwi@linux.ibm.com>,
	Christian Borntraeger <borntraeger@de.ibm.com>,
	Nishka Dasgupta <nishkadg.linux@gmail.com>,
	Jiri Slaby <jslaby@suse.com>, Jakub Kicinski <kuba@kernel.org>,
	Guenter Roeck <linux@roeck-us.net>,
	Wambui Karuga <wambui.karugax@gmail.com>,
	Vasily Gorbik <gor@linux.ibm.com>,
	linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org,
	Heiko Carstens <hca@linux.ibm.com>,
	linux-input@vger.kernel.org, Ursula Braun <ubraun@linux.ibm.com>,
	Stephen Boyd <swboyd@chromium.org>,
	Chris Packham <chris.packham@alliedtelesis.co.nz>,
	Harald Freudenberger <freude@linux.ibm.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Jaroslav Kysela <perex@perex.cz>, Felipe Balbi <balbi@kernel.org>,
	Kyungtae Kim <kt0755@gmail.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Dmitry Torokhov <dmitry.torokhov@gmail.com>,
	Douglas Anderson <dianders@chromium.org>,
	Kevin Curtis <kevin.curtis@farsite.co.uk>,
	linux-usb@vger.kernel.org,
	Jason Wessel <jason.wessel@windriver.com>,
	Romain Perier <romain.perier@gmail.com>,
	Karsten Graul <kgraul@linux.ibm.com>
Subject: Re: [PATCH 3/3] tasklet: Introduce new initialization API
Date: Thu, 16 Jul 2020 12:22:17 -0700	[thread overview]
Message-ID: <202007161216.9C9784FEBE@keescook> (raw)
In-Reply-To: <20200716153704.GM12769@casper.infradead.org>

On Thu, Jul 16, 2020 at 04:37:04PM +0100, Matthew Wilcox wrote:
> On Wed, Jul 15, 2020 at 08:08:47PM -0700, Kees Cook wrote:
> > +#define DECLARE_TASKLET(name, _callback)		\
> > +struct tasklet_struct name = {				\
> > +	.count = ATOMIC_INIT(0),			\
> > +	.callback = _callback,				\
> > +	.use_callback = true,				\
> > +}
> > +
> > +#define DECLARE_TASKLET_DISABLED(name, _callback)	\
> > +struct tasklet_struct name = {				\
> > +	.count = ATOMIC_INIT(1),			\
> > +	.callback = _callback,				\
> > +}
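Review bot: DECLARE_TASKLET_DISABLED omits the `.use_callback = true,` line that DECLARE_TASKLET sets, so a tasklet declared with it is left with use_callback == false and func == NULL from zero-initialization and will be dispatched through the legacy prototype; add the same line here so the two initializers differ only in their .count.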
> 
> You forgot to set use_callback here.

Eek; thank you.

> > @@ -547,7 +547,10 @@ static void tasklet_action_common(struct softirq_action *a,
> >  				if (!test_and_clear_bit(TASKLET_STATE_SCHED,
> >  							&t->state))
> >  					BUG();
> > -				t->func(t->data);
> > +				if (t->use_callback)
> > +					t->callback(t);
> > +				else
> > +					t->func(t->data);
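Review bot: the else branch calls t->func(t->data) without checking that .func is set, so a tasklet whose initializer sets .callback but leaves .use_callback false (as DECLARE_TASKLET_DISABLED above does) is dispatched through a NULL function pointer here, in softirq context; while both prototypes coexist, a WARN_ON_ONCE(!t->func) or similar guard in the fallback path would make such an initializer fail visibly instead of as a NULL dereference.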
> 
> I think this is the wrong way to do the conversion.  Start out by setting
> t->data to (unsigned long)t in the new initialisers.  Then convert the
> drivers (all 350 of them) to the new API.  Then you can get rid of 'data'
> from the tasklet_struct.

That's what I did when I converted timer_struct, and it ended up creating
a mess for Control Flow Integrity checking. (The problem isn't actually
casting .data, but rather in how the callsite calls the callback --
casting the callback assignments doesn't fix the mismatch between the
caller and the callback's expectation about the function prototype
under CFI.) I got lucky with timer_struct (in v4.14) in that not much
had been converted, and I was able to do the entire conversion in the
next kernel release.

So, this time, I'm trying to avoid the prototype mismatch mess by
providing a selector to determine which prototype the callback should
be called through, and I was happy to discover I could do it without
growing the tasklet structure. Obviously the memory corruption safety
improvement won't be realized until all of .data, .use_callback, and .func
are removed, but that was true even with the earlier style of conversion.

-- 
Kees Cook
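As an added example (not code from the patch or the kernel), a userspace model of the two-prototype dispatch discussed above: a tasklet_struct carrying both the legacy `func(unsigned long)` and the new `callback(struct tasklet_struct *)` prototypes plus the use_callback selector, with the posted DECLARE_TASKLET_DISABLED reproduced as-is to show what the missing selector does. The `container_of` macro, `my_dev`, `tasklet_run` and the `demo_*` functions are constructed stand-ins, not kernel APIs.

```c
#include <stdbool.h>
#include <stddef.h>
#define container_of(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))
/* Simplified stand-in for the kernel struct: both prototypes plus the selector. */
struct tasklet_struct {
	void (*func)(unsigned long);               /* legacy prototype */
	void (*callback)(struct tasklet_struct *); /* new prototype */
	bool use_callback;                         /* selector added by the patch */
	unsigned long data;                        /* legacy cookie */
};
/* As posted (minus .count): no .use_callback = true, the defect Matthew Wilcox caught. */
#define DECLARE_TASKLET_DISABLED(name, _callback) \
	struct tasklet_struct name = { .callback = _callback }
struct my_dev {                  /* hypothetical driver state embedding its tasklet */
	int irq_count;
	struct tasklet_struct tl;
};
/* New style: the callback gets the tasklet and recovers its owner with container_of. */
static void new_style_cb(struct tasklet_struct *t)
{
	container_of(t, struct my_dev, tl)->irq_count += 1;
}
/* Old style: an unsigned long cookie the driver casts back to its own pointer. */
static void old_style_fn(unsigned long data)
{
	((struct my_dev *)data)->irq_count += 10;
}

/* Mirrors tasklet_action_common() after the patch: the selector picks the prototype
 * the target really has, so each indirect call matches its callee's signature (what
 * CFI checks). The NULL guard is added here so a bad selector returns an error. */
static int tasklet_run(struct tasklet_struct *t)
{
	if (t->use_callback) {
		t->callback(t);
	} else {
		if (!t->func)
			return -1;
		t->func(t->data);
	}
	return 0;
}

/* Runs one tasklet of each style against the same device; returns 11 on success. */
int demo_dispatch(void)
{
	struct my_dev dev = { .irq_count = 0 };
	dev.tl = (struct tasklet_struct){ .callback = new_style_cb, .use_callback = true };
	struct tasklet_struct old = { .func = old_style_fn, .data = (unsigned long)&dev };
	if (tasklet_run(&dev.tl) || tasklet_run(&old))
		return -1;
	return dev.irq_count;
}

/* The posted macro leaves use_callback false and func NULL: legacy branch, returns -1. */
int demo_missing_selector(void)
{
	DECLARE_TASKLET_DISABLED(broken, new_style_cb);
	return tasklet_run(&broken);
}
```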