From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: 
Received: from usa-sjc-mx-foss1.foss.arm.com ([217.140.101.70]:53386 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S967182AbeFSQNW (ORCPT ); Tue, 19 Jun 2018 12:13:22 -0400
Date: Tue, 19 Jun 2018 17:13:17 +0100
From: Catalin Marinas
To: Mark Rutland
Cc: linux-arm-kernel@lists.infradead.org, will.deacon@arm.com, marc.zyngier@arm.com, linux@dominikbrodowski.net, hch@infradead.org, james.morse@arm.com, viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org, dave.martin@arm.com
Subject: Re: [PATCHv3 19/19] arm64: implement syscall wrappers
Message-ID: <20180619161316.le4rfp36ewjjegon@armageddon.cambridge.arm.com>
References: <20180618120310.39527-1-mark.rutland@arm.com> <20180618120310.39527-20-mark.rutland@arm.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180618120310.39527-20-mark.rutland@arm.com>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID: 

On Mon, Jun 18, 2018 at 01:03:10PM +0100, Mark Rutland wrote:
> To minimize the risk of userspace-controlled values being used under
> speculation, this patch adds pt_regs based syscall wrappers for arm64,
> which pass the minimum set of required userspace values to syscall
> implementations. For each syscall, a wrapper which takes a pt_regs
> argument is automatically generated, and this extracts the arguments
> before calling the "real" syscall implementation.
>
> Each syscall has three functions generated:
>
> * __do_sys_ is the "real" syscall implementation, with
>   the expected prototype.
>
> * __se_sys_ is the sign-extension/narrowing wrapper,
>   inherited from common code. This takes a series of long parameters,
>   casting each to the requisite types required by the "real" syscall
>   implementation in __do_sys_.
>
>   This wrapper *may* not be necessary on arm64 given the AAPCS rules on
>   unused register bits, but it seemed safer to keep the wrapper for now.
>
> * __arm64__sys_ takes a struct pt_regs pointer, and
>   extracts *only* the relevant register values, passing these on to the
>   __se_sys_ wrapper.
>
> The syscall invocation code is updated to handle the calling convention
> required by __arm64__sys_, and passes a single struct
> pt_regs pointer.
>
> The compiler can fold the syscall implementation and its wrappers, such
> that the overhead of this approach is minimized.
>
> Note that we play games with sys_ni_syscall(). It can't be defined with
> SYSCALL_DEFINE0() because we must avoid the possibility of error
> injection. Additionally, there are a couple of locations where we need
> to call it from C code, and we don't (currently) have a
> ksys_ni_syscall(). While it has no wrapper, passing in a redundant
> pt_regs pointer is benign per the AAPCS.
>
> When ARCH_HAS_SYSCALL_WRAPPER is selected, no prototype is defined for
> sys_ni_syscall(). Since we need to treat it differently for in-kernel
> calls and the syscall tables, the prototype is defined as-required.
>
> The wrappers are largely the same as their x86 counterparts, but
> simplified as we don't have a variety of compat calling conventions that
> require separate stubs. Unlike x86, we have some zero-argument compat
> syscalls, and must define COMPAT_SYSCALL_DEFINE0() to ensure that these
> are also given an __arm64_compat_sys_ prefix.
>
> Signed-off-by: Mark Rutland
> Reviewed-by: Dominik Brodowski
> Cc: Catalin Marinas
> Cc: Will Deacon

Reviewed-by: Catalin Marinas
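
A userspace C model of the three-layer wrapper scheme described in the quoted commit message, added here as an illustration; it is not code from the patch or from the kernel. `DEMO_SYSCALL_DEFINE2`, the `demo` syscall, `run_demo()` and the one-entry table are constructed for the example, the layer names drop the reserved leading underscores, the syscall number is passed as a plain argument, and an LP64 target is assumed.

```c
#include <errno.h>
#include <stdio.h>

/* Userspace model: only the x0-x30 array of arm64's struct pt_regs. */
struct pt_regs { unsigned long regs[31]; };
typedef long (*syscall_fn_t)(const struct pt_regs *regs);

/* Constructed two-argument stand-in for the SYSCALL_DEFINEx() family. */
#define DEMO_SYSCALL_DEFINE2(name, t1, a1, t2, a2)                          \
    static long do_sys_##name(t1 a1, t2 a2);                                \
    /* narrowing wrapper: long parameters cast to the real types */         \
    static long se_sys_##name(long a1, long a2)                             \
    { return do_sys_##name((t1)a1, (t2)a2); }                               \
    /* pt_regs wrapper: reads only the registers this syscall declares */   \
    static long arm64_sys_##name(const struct pt_regs *regs)                \
    { return se_sys_##name((long)regs->regs[0], (long)regs->regs[1]); }     \
    static long do_sys_##name(t1 a1, t2 a2)

/* Hypothetical syscall: the body only ever sees fd and len. */
DEMO_SYSCALL_DEFINE2(demo, int, fd, unsigned int, len)
{
    return (long)fd + (long)len;
}

static long sys_ni_syscall(const struct pt_regs *regs) { (void)regs; return -ENOSYS; }

static const syscall_fn_t demo_table[] = { arm64_sys_demo };

/* Invocation path: every table entry receives a single pt_regs pointer. */
long invoke_syscall(const struct pt_regs *regs, unsigned long scno)
{
    if (scno < sizeof(demo_table) / sizeof(demo_table[0]))
        return demo_table[scno](regs);
    return sys_ni_syscall(regs);
}

/* Constructed register file: x2-x5 hold stale values the wrapper never reads. */
long run_demo(unsigned long x0, unsigned long x1, unsigned long scno)
{
    struct pt_regs regs = { { x0, x1, 0xdeadUL, 0xdeadUL, 0xdeadUL, 0xdeadUL } };
    return invoke_syscall(&regs, scno);
}

int main(void)
{
    /* junk in the upper 32 bits of x0/x1 is discarded by the casts */
    printf("%ld %ld\n", run_demo(0xffffffff00000003UL, 0xabcdef0000000004UL, 0), run_demo(3, 4, 7));
    return 0;
}
```
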