Date: Thu, 16 Jul 2020 12:22:17 -0700
From: Kees Cook
To: Matthew Wilcox
Cc: Kuppuswamy Sathyanarayanan, "Rafael J. Wysocki", Oscar Carter, Mitchell Blank Jr, kernel-hardening@lists.openwall.com, Peter Zijlstra, kgdb-bugreport@lists.sourceforge.net, Sebastian Andrzej Siewior, alsa-devel@alsa-project.org, Allen Pais, netdev@vger.kernel.org, Christian Gromm, Will Deacon, devel@driverdev.osuosl.org, Jonathan Corbet, Daniel Thompson, "David S. Miller", Masahiro Yamada, Takashi Iwai, Julian Wiedmann, Christian Borntraeger, Nishka Dasgupta, Jiri Slaby, Jakub Kicinski, Guenter Roeck, Wambui Karuga, Vasily Gorbik, linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org, Heiko Carstens, linux-input@vger.kernel.org, Ursula Braun, Stephen Boyd, Chris Packham, Harald Freudenberger, Thomas Gleixner, Jaroslav Kysela, Felipe Balbi, Kyungtae Kim, Greg Kroah-Hartman, Dmitry Torokhov, Douglas Anderson, Kevin Curtis, linux-usb@vger.kernel.org, Jason Wessel, Romain Perier, Karsten Graul
Subject: Re: [PATCH 3/3] tasklet: Introduce new initialization API
Message-ID: <202007161216.9C9784FEBE@keescook>
References: <20200716030847.1564131-1-keescook@chromium.org> <20200716030847.1564131-4-keescook@chromium.org> <20200716153704.GM12769@casper.infradead.org>
In-Reply-To: <20200716153704.GM12769@casper.infradead.org>

On Thu, Jul 16, 2020 at 04:37:04PM +0100, Matthew Wilcox wrote:
> On Wed, Jul 15, 2020 at 08:08:47PM -0700, Kees Cook wrote:
> > +#define DECLARE_TASKLET(name, _callback) \ > > +struct tasklet_struct name = { \ > > + .count = ATOMIC_INIT(0), \ > > + .callback = _callback, \ > > + .use_callback = true, \ > > +} > > + > > +#define DECLARE_TASKLET_DISABLED(name, _callback) \ > > +struct tasklet_struct name = { \ > > + .count = ATOMIC_INIT(1), \ > > + .callback = _callback, \ > > +}
>
> You forgot to set use_callback here.

Eek; thank you.
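Review bot: DECLARE_TASKLET_DISABLED sets .callback but not .use_callback, unlike DECLARE_TASKLET just above it. With tasklet_action_common choosing the call on t->use_callback, a tasklet declared through the disabled macro would be run as t->func(t->data) rather than t->callback(t). Add `.use_callback = true, \` to the disabled initialiser, and consider building both macros from one helper that takes the initial count so the two initialisers cannot drift apart.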
> > @@ -547,7 +547,10 @@ static void tasklet_action_common(struct softirq_action *a, > > if (!test_and_clear_bit(TASKLET_STATE_SCHED, > > &t->state)) > > BUG(); > > - t->func(t->data); > > + if (t->use_callback) > > + t->callback(t); > > + else > > + t->func(t->data);
>
> I think this is the wrong way to do the conversion. Start out by setting
> t->data to (unsigned long)t in the new initialisers. Then convert the
> drivers (all 350 of them) to the new API. Then you can get rid of 'data'
> from the tasklet_struct.

That's what I did when I converted timer_struct, and it ended up creating a mess for Control Flow Integrity checking. (The problem isn't actually casting .data, but rather in how the callsite calls the callback -- casting the callback assignments doesn't fix the mismatch between the caller and the callback's expectation about the function prototype under CFI.) I got lucky with timer_struct (in v4.14) in that not much had been converted, and I was able to do the entire conversion in the next kernel release.

So, this time, I'm trying to avoid the prototype mismatch mess by providing a selector to determine which prototype the callback should be called through, and I was happy to discover I could do it without growing the tasklet structure.

Obviously the memory corruption safety improvement won't be realized until both .data, .use_callback, and .func are removed, but that was true even with the earlier style of conversion.
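Review bot: the new `if (t->use_callback)` test in tasklet_action_common has no comment marking it as a transitional selector. A short comment above the branch saying that .func, .data and .use_callback are to be removed once every caller uses the callback prototype would keep the `else` arm from being read as a permanently supported path.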
--
Kees Cook
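A user-space model of the selector dispatch described in the reply above, added here as an illustration and not taken from the patch or the kernel tree. The names struct tasklet_model, demo_dev and demo_container_of, and the union layout, are assumptions made for the example.

```c
/* Added illustration: user-space model of a two-prototype tasklet dispatch. */
#include <stdbool.h>
#include <stddef.h>

struct tasklet_model;                                  /* hypothetical stand-in for tasklet_struct */
typedef void (*legacy_fn)(unsigned long data);         /* old prototype */
typedef void (*callback_fn)(struct tasklet_model *t);  /* new prototype */

struct tasklet_model {
    bool use_callback;        /* selector: which union member is live */
    union {                   /* assumption: shared storage, so the struct does not grow */
        legacy_fn func;
        callback_fn callback;
    };
    unsigned long data;       /* only meaningful for the legacy prototype */
};

struct demo_dev {             /* hypothetical driver state embedding its tasklet */
    int events;
    struct tasklet_model bh;
};

#define demo_container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void legacy_handler(unsigned long data)
{
    struct demo_dev *dev = (struct demo_dev *)data;   /* integer turned back into a pointer */
    dev->events += 1;
}

static void new_handler(struct tasklet_model *t)
{
    struct demo_dev *dev = demo_container_of(t, struct demo_dev, bh);
    dev->events += 10;
}

/*
 * Both indirect calls go through a pointer type that matches the callee.
 * Storing (legacy_fn)new_handler and calling t->func((unsigned long)t)
 * instead would leave the call site typed as legacy_fn while the callee is
 * a callback_fn: the mismatch a prototype-checking CFI scheme rejects.
 */
static void run_tasklet(struct tasklet_model *t)
{
    if (t->use_callback)
        t->callback(t);
    else
        t->func(t->data);
}

/* Runs one unconverted and one converted "driver" through the same dispatcher. */
int demo_mixed_conversion(void)
{
    struct demo_dev old_dev = { .bh = { .func = legacy_handler } };
    struct demo_dev new_dev = { .bh = { .use_callback = true, .callback = new_handler } };

    old_dev.bh.data = (unsigned long)&old_dev;
    run_tasklet(&old_dev.bh);
    run_tasklet(&new_dev.bh);
    return old_dev.events * 100 + new_dev.events;
}

int main(void)
{
    return demo_mixed_conversion() == 110 ? 0 : 1;
}
```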