
[v7,7/8] arm64: update Documentation/arm64/tagged-pointers.txt

Message ID 47a464307d4df3c0cb65f88d1fe83f9a741dd74b.1538485901.git.andreyknvl@google.com
State New, archived
Series arm64: untag user pointers passed to the kernel

Commit Message

Andrey Konovalov Oct. 2, 2018, 1:12 p.m. UTC
Document the changes in Documentation/arm64/tagged-pointers.txt.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 Documentation/arm64/tagged-pointers.txt | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

Comments

Catalin Marinas Oct. 3, 2018, 5:32 p.m. UTC | #1
On Tue, Oct 02, 2018 at 03:12:42PM +0200, Andrey Konovalov wrote:
> diff --git a/Documentation/arm64/tagged-pointers.txt b/Documentation/arm64/tagged-pointers.txt
> index a25a99e82bb1..ae877d185fdb 100644
> --- a/Documentation/arm64/tagged-pointers.txt
> +++ b/Documentation/arm64/tagged-pointers.txt
> @@ -17,13 +17,21 @@ this byte for application use.
>  Passing tagged addresses to the kernel
>  --------------------------------------
>  
> -All interpretation of userspace memory addresses by the kernel assumes
> -an address tag of 0x00.
> +Some initial work for supporting non-zero address tags passed to the
> +kernel has been done. As of now, the kernel supports tags in:

With my maintainer hat on, the above statement leads me to think this
new ABI is work in progress, so not yet suitable for upstream.

Also, how is user space supposed to know that it can now pass tagged
pointers into the kernel? An ABI change (or relaxation) needs to be
advertised by the kernel, usually via a new HWCAP bit (e.g. HWCAP_TBI).
Once we have a HWCAP bit in place, we need to be pretty clear about
which syscalls can and cannot cope with tagged pointers. The "as of now"
implies potential further relaxation which, again, would need to be
advertised to user in some (additional) way.

> -This includes, but is not limited to, addresses found in:
> +  - user fault addresses

While the kernel currently supports this in some way (by clearing the
tag exception entry, el0_da), the above implies (at least to me) that
sigcontext.fault_address would contain the tagged address. That's not
the case (unless I missed it in your patches).

> - - pointer arguments to system calls, including pointers in structures
> -   passed to system calls,
> +  - pointer arguments (including pointers in structures), which don't
> +    describe virtual memory ranges, passed to system calls

I think we need to be more precise here...

> +All other interpretations of userspace memory addresses by the kernel
> +assume an address tag of 0x00. This includes, but is not limited to,
> +addresses found in:
> +
> + - pointer arguments (including pointers in structures), which describe
> +   virtual memory ranges, passed to memory system calls (mmap, mprotect,
> +   etc.)

...and probably a full list here.
Andrey Konovalov Oct. 10, 2018, 2:09 p.m. UTC | #2
On Wed, Oct 3, 2018 at 7:32 PM, Catalin Marinas <catalin.marinas@arm.com> wrote:
> On Tue, Oct 02, 2018 at 03:12:42PM +0200, Andrey Konovalov wrote:
>> diff --git a/Documentation/arm64/tagged-pointers.txt b/Documentation/arm64/tagged-pointers.txt
>> index a25a99e82bb1..ae877d185fdb 100644
>> --- a/Documentation/arm64/tagged-pointers.txt
>> +++ b/Documentation/arm64/tagged-pointers.txt
>> @@ -17,13 +17,21 @@ this byte for application use.
>>  Passing tagged addresses to the kernel
>>  --------------------------------------
>>
>> -All interpretation of userspace memory addresses by the kernel assumes
>> -an address tag of 0x00.
>> +Some initial work for supporting non-zero address tags passed to the
>> +kernel has been done. As of now, the kernel supports tags in:
>
> With my maintainer hat on, the above statement leads me to think this
> new ABI is work in progress, so not yet suitable for upstream.

OK, I think we can just say "The kernel supports tags in:" here. Will do in v8.

>
> Also, how is user space supposed to know that it can now pass tagged
> pointers into the kernel? An ABI change (or relaxation) needs to be
> advertised by the kernel, usually via a new HWCAP bit (e.g. HWCAP_TBI).
> Once we have a HWCAP bit in place, we need to be pretty clear about
> which syscalls can and cannot cope with tagged pointers. The "as of now"
> implies potential further relaxation which, again, would need to be
> advertised to user in some (additional) way.

How exactly should I do that? Something like this [1]? Or is it only
for hardware specific things and for this patchset I need to do
something else?

[1] https://github.com/torvalds/linux/commit/7206dc93a58fb76421c4411eefa3c003337bcb2d

>
>> -This includes, but is not limited to, addresses found in:
>> +  - user fault addresses
>
> While the kernel currently supports this in some way (by clearing the
> tag exception entry, el0_da), the above implies (at least to me) that
> sigcontext.fault_address would contain the tagged address. That's not
> the case (unless I missed it in your patches).

I'll update the doc to reflect this in v8.

>
>> - - pointer arguments to system calls, including pointers in structures
>> -   passed to system calls,
>> +  - pointer arguments (including pointers in structures), which don't
>> +    describe virtual memory ranges, passed to system calls
>
> I think we need to be more precise here...

In what way?

>
>> +All other interpretations of userspace memory addresses by the kernel
>> +assume an address tag of 0x00. This includes, but is not limited to,
>> +addresses found in:
>> +
>> + - pointer arguments (including pointers in structures), which describe
>> +   virtual memory ranges, passed to memory system calls (mmap, mprotect,
>> +   etc.)
>
> ...and probably a full list here.

Will add a full list in v8.
Catalin Marinas Oct. 18, 2018, 5:31 p.m. UTC | #3
On Wed, Oct 10, 2018 at 04:09:25PM +0200, Andrey Konovalov wrote:
> On Wed, Oct 3, 2018 at 7:32 PM, Catalin Marinas <catalin.marinas@arm.com> wrote:
> > On Tue, Oct 02, 2018 at 03:12:42PM +0200, Andrey Konovalov wrote:
[...]
> > Also, how is user space supposed to know that it can now pass tagged
> > pointers into the kernel? An ABI change (or relaxation) needs to be
> > advertised by the kernel, usually via a new HWCAP bit (e.g. HWCAP_TBI).
> > Once we have a HWCAP bit in place, we need to be pretty clear about
> > which syscalls can and cannot cope with tagged pointers. The "as of now"
> > implies potential further relaxation which, again, would need to be
> > advertised to user in some (additional) way.
> 
> How exactly should I do that? Something like this [1]? Or is it only
> for hardware specific things and for this patchset I need to do
> something else?
> 
> [1] https://github.com/torvalds/linux/commit/7206dc93a58fb76421c4411eefa3c003337bcb2d

Thinking some more on this, we should probably keep the HWCAP_* bits for
actual hardware features. Maybe someone else has a better idea (the
linux-abi list?). An option would be to make use of AT_FLAGS auxv
(currently 0) in Linux. I've seen some MIPS patches in the past but
nothing upstream.

Yet another option would be for the user to probe on some innocuous
syscall currently returning -EFAULT on tagged pointer arguments, but I
don't particularly like this.

> >> - - pointer arguments to system calls, including pointers in structures
> >> -   passed to system calls,
> >> +  - pointer arguments (including pointers in structures), which don't
> >> +    describe virtual memory ranges, passed to system calls
> >
> > I think we need to be more precise here...
> 
> In what way?

In the way of being explicit about which syscalls support tagged
pointers, unless we find a good reason to support tagged pointers on all
syscalls and avoid any lists.
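The rule the patch documents, seen from user space: a pointer describing a virtual memory range must be untagged before it reaches mmap/mprotect, while the tag itself is only arithmetic on bits 63:56. This is an added example, not code from the patch, the kernel or any reviewer; it assumes a 64-bit Linux host, never dereferences the tagged pointer (that needs arm64 TBI), and the names ptr_set_tag, ptr_untag and mprotect_untagged are hypothetical helpers.

```c
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#define TAG_SHIFT 56                       /* tag lives in bits 63:56 */
#define TAG_MASK  (UINT64_C(0xff) << TAG_SHIFT)

/* Top-byte tag of a pointer; 0x00 for an untagged pointer. */
static uint8_t ptr_get_tag(const void *p)
{
    return (uint8_t)(((uint64_t)(uintptr_t)p & TAG_MASK) >> TAG_SHIFT);
}

/* Attach a tag without changing the address bits (pure arithmetic). */
static void *ptr_set_tag(void *p, uint8_t tag)
{
    uint64_t bits = (uint64_t)(uintptr_t)p & ~TAG_MASK;
    return (void *)(uintptr_t)(bits | ((uint64_t)tag << TAG_SHIFT));
}

/* Clear the tag: the form the kernel expects for VM-range arguments. */
static void *ptr_untag(void *p)
{
    return (void *)(uintptr_t)((uint64_t)(uintptr_t)p & ~TAG_MASK);
}

/* Hypothetical wrapper: mprotect() is listed among the memory syscalls
 * whose range arguments assume tag 0x00, so untag before entering it. */
static int mprotect_untagged(void *addr, size_t len, int prot)
{
    return mprotect(ptr_untag(addr), len, prot);
}

/* Demo: page-align one page inside a malloc'd block, tag the pointer, and
 * toggle its protection via the wrapper; tagged pointer never dereferenced. */
int demo_tagged_mprotect(uint8_t tag)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char *raw = malloc(2 * pg);
    if (raw == NULL)
        return -1;
    void *page = (void *)(((uintptr_t)raw + pg - 1) & ~(uintptr_t)(pg - 1));
    void *tagged = ptr_set_tag(page, tag);
    int rc = mprotect_untagged(tagged, pg, PROT_READ);
    if (rc == 0)                           /* restore RW before free() */
        rc = mprotect_untagged(tagged, pg, PROT_READ | PROT_WRITE);
    free(raw);
    return rc;                             /* 0 on success */
}
```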

Patch

diff --git a/Documentation/arm64/tagged-pointers.txt b/Documentation/arm64/tagged-pointers.txt
index a25a99e82bb1..ae877d185fdb 100644
--- a/Documentation/arm64/tagged-pointers.txt
+++ b/Documentation/arm64/tagged-pointers.txt
@@ -17,13 +17,21 @@  this byte for application use.
 Passing tagged addresses to the kernel
 --------------------------------------
 
-All interpretation of userspace memory addresses by the kernel assumes
-an address tag of 0x00.
+Some initial work for supporting non-zero address tags passed to the
+kernel has been done. As of now, the kernel supports tags in:
 
-This includes, but is not limited to, addresses found in:
+  - user fault addresses
 
- - pointer arguments to system calls, including pointers in structures
-   passed to system calls,
+  - pointer arguments (including pointers in structures), which don't
+    describe virtual memory ranges, passed to system calls
+
+All other interpretations of userspace memory addresses by the kernel
+assume an address tag of 0x00. This includes, but is not limited to,
+addresses found in:
+
+ - pointer arguments (including pointers in structures), which describe
+   virtual memory ranges, passed to memory system calls (mmap, mprotect,
+   etc.)
 
  - the stack pointer (sp), e.g. when interpreting it to deliver a
    signal,
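Review bot: the new opening text ("Some initial work ... As of now, the kernel supports tags in:") leaves the ABI boundary open-ended, and the item "pointer arguments (including pointers in structures), which don't describe virtual memory ranges, passed to system calls" does not say which syscalls that covers, so a reader of this file cannot tell whether a given syscall accepts a tagged pointer. Suggest dropping the "initial work"/"as of now" wording (e.g. "The kernel supports tags in:") and replacing the open-ended item with an explicit list of the syscalls, or syscall classes, that accept tagged pointers. "user fault addresses" also needs to say whether it means only that a tagged faulting address is tolerated on exception entry or that the fault address reported to user space keeps the tag. Minor: the added items mix two-space indentation ("  - user fault addresses") with the one-space form used by the existing items and by " - pointer arguments"; align them.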
@@ -33,11 +41,7 @@  This includes, but is not limited to, addresses found in:
 
 Using non-zero address tags in any of these locations may result in an
 error code being returned, a (fatal) signal being raised, or other modes
-of failure.
-
-For these reasons, passing non-zero address tags to the kernel via
-system calls is forbidden, and using a non-zero address tag for sp is
-strongly discouraged.
+of failure. Using a non-zero address tag for sp is strongly discouraged.
 
 Programs maintaining a frame pointer and frame records that use non-zero
 address tags may suffer impaired or inaccurate debug and profiling
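Review bot: deleting "For these reasons, passing non-zero address tags to the kernel via system calls is forbidden" leaves the memory syscalls with no stated requirement: what remains is "Using non-zero address tags in any of these locations may result in an error code being returned, a (fatal) signal being raised, or other modes of failure", which reads as undefined behaviour rather than a rule. Since the previous hunk still lists the range arguments of mmap, mprotect, etc. as assuming a tag of 0x00, keep an explicit sentence that passing tagged pointers as virtual memory ranges to those syscalls is not supported, next to the retained "Using a non-zero address tag for sp is strongly discouraged."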