From: David Laight
To: kbuild-all@lists.01.org
Subject: Re: arch/x86/kernel/cpu/sgx/virt.c:295:36: sparse: sparse: cast removes address space '__user' of expression
Date: Tue, 22 Feb 2022 10:27:49 +0000
Message-ID: <3b28b453484648209007d9ac098a424c@AcuMS.aculab.com>
In-Reply-To: <202202220814.BN1x9yF4-lkp@intel.com>

From: kernel test robot
> Sent: 22 February 2022 00:43
...
> vim +/__user +295 arch/x86/kernel/cpu/sgx/virt.c
>
>    260
>    261  /**
>    262   * sgx_virt_ecreate() - Run ECREATE on behalf of guest
>    263   * @pageinfo:   Pointer to PAGEINFO structure
>    264   * @secs:       Userspace pointer to SECS page
>    265   * @trapnr:     trap number injected to guest in case of ECREATE error
>    266   *
>    267   * Run ECREATE on behalf of guest after KVM traps ECREATE for the purpose
>    268   * of enforcing policies of guest's enclaves, and return the trap number
>    269   * which should be injected to guest in case of any ECREATE error.
>    270   *
>    271   * Return:
>    272   * -  0:        ECREATE was successful.
>    273   * - <0:        on error.
>    274   */
>    275  int sgx_virt_ecreate(struct sgx_pageinfo *pageinfo, void __user *secs,
>    276                       int *trapnr)
>    277  {
>    278          int ret;
>    279
>    280          /*
>    281           * @secs is an untrusted, userspace-provided address.  It comes from
>    282           * KVM and is assumed to be a valid pointer which points somewhere in
>    283           * userspace.  This can fault and call SGX or other fault handlers when
>    284           * userspace mapping @secs doesn't exist.
>    285           *
>    286           * Add a WARN() to make sure @secs is already valid userspace pointer
>    287           * from caller (KVM), who should already have handled invalid pointer
>    288           * case (for instance, made by malicious guest).  All other checks,
>    289           * such as alignment of @secs, are deferred to ENCLS itself.
>    290           */
>    291          if (WARN_ON_ONCE(!access_ok(secs, PAGE_SIZE)))
>    292                  return -EINVAL;
>    293
>    294          __uaccess_begin();
>  > 295          ret = __ecreate(pageinfo, (void *)secs);
>    296          __uaccess_end();

How on earth is that expected to work - or am I missing something.

If accessing 'secs' page faults then doesn't the address on the
instruction that faults need to be in the exception table
(or whatever it is called) in order for the kernel not to panic?

Isn't that even true if pagefault_disable() is called to stop
the page being loaded?

The only way the above can work is if the relevant user pages
are 'locked' so they can't possibly fault.

        David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)