From patchwork Tue Oct 2 13:12:35 2018
X-Patchwork-Submitter: Andrey Konovalov
X-Patchwork-Id: 10623619
From: Andrey Konovalov
To: Catalin Marinas, Will Deacon, Mark Rutland, Robin Murphy, Kees Cook, Kate Stewart, Greg Kroah-Hartman, Andrew Morton, Ingo Molnar, "Kirill A . Shutemov", Shuah Khan, linux-arm-kernel@lists.infradead.org, linux-doc@vger.kernel.org, linux-mm@kvack.org, linux-arch@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Dmitry Vyukov, Kostya Serebryany, Evgeniy Stepanov, Lee Smith, Ramana Radhakrishnan, Jacob Bramley, Ruben Ayrapetyan, Chintan Pandya, Luc Van Oostenryck, Andrey Konovalov
Subject: [PATCH v7 0/8] arm64: untag user pointers passed to the kernel
Date: Tue, 2 Oct 2018 15:12:35 +0200

arm64 has a feature called Top Byte Ignore, which allows embedding pointer
tags into the top byte of each pointer. Userspace programs (such as HWASan,
a memory debugging tool [1]) might use this feature and pass tagged user
pointers to the kernel through syscalls or other interfaces.

Right now the kernel is already able to handle user faults with tagged
pointers, due to these patches:

1. 81cddd65 ("arm64: traps: fix userspace cache maintenance emulation on a
   tagged pointer")
2. 7dcd9dd8 ("arm64: hw_breakpoint: fix watchpoint matching for tagged
   pointers")
3. 276e9327 ("arm64: entry: improve data abort handling of tagged
   pointers")

When passing tagged pointers to syscalls, there's a special case of such a
pointer being passed to one of the memory syscalls (mmap, mprotect, etc.).
These syscalls don't do memory accesses but rather deal with memory ranges,
hence an untagged pointer is better suited.

This patchset extends tagged pointer support to non-memory syscalls. This is
done by reusing the untagged_addr macro to untag user pointers when the
kernel performs pointer checking to find out whether the pointer comes from
userspace (most notably in access_ok).

The following testing approaches have been taken to find potential issues
with user pointer untagging:

1. Static testing (with sparse [2] and separately with a custom static
   analyzer based on Clang) to track casts of __user pointers to integer
   types to find places where untagging needs to be done.

2. Dynamic testing: adding BUG_ON(has_tag(addr)) to find_vma() and running
   a modified syzkaller version that passes tagged pointers to the kernel.

Based on the results of the testing the required patches have been added to
the patchset.

This patchset is a prerequisite for ARM's memory tagging hardware feature
support [3].

Thanks!

[1] http://clang.llvm.org/docs/HardwareAssistedAddressSanitizerDesign.html

[2] https://github.com/lucvoo/sparse-dev/commit/5f960cb10f56ec2017c128ef9d16060e0145f292

[3] https://community.arm.com/processors/b/blog/posts/arm-a-profile-architecture-2018-developments-armv85a

Changes in v7:
- Rebased onto 17b57b18 (4.19-rc6).
- Dropped the "arm64: untag user address in __do_user_fault" patch, since
  the existing patches already handle user faults properly.
- Dropped the "usb, arm64: untag user addresses in devio" patch, since the
  passed pointer must come from a vma and therefore be untagged.
- Dropped the "arm64: annotate user pointers casts detected by sparse"
  patch (see the discussion to the replies of the v6 of this patchset).
- Added more context to the cover letter.
- Updated Documentation/arm64/tagged-pointers.txt.

Changes in v6:
- Added annotations for user pointer casts found by sparse.
- Rebased onto 050cdc6c (4.19-rc1+).

Changes in v5:
- Added 3 new patches that add untagging to places found with static
  analysis.
- Rebased onto 44c929e1 (4.18-rc8).

Changes in v4:
- Added a selftest for checking that passing tagged pointers to the
  kernel succeeds.
- Rebased onto 81e97f013 (4.18-rc1+).

Changes in v3:
- Rebased onto e5c51f30 (4.17-rc6+).
- Added linux-arch@ to the list of recipients.

Changes in v2:
- Rebased onto 2d618bdf (4.17-rc3+).
- Removed excessive untagging in gup.c.
- Removed untagging pointers returned from __uaccess_mask_ptr.

Changes in v1:
- Rebased onto 4.17-rc1.

Changes in RFC v2:
- Added "#ifndef untagged_addr..." fallback in linux/uaccess.h instead of
  defining it for each arch individually.
- Updated Documentation/arm64/tagged-pointers.txt.
- Dropped "mm, arm64: untag user addresses in memory syscalls".
- Rebased onto 3eb2ce82 (4.16-rc7).

Andrey Konovalov (8):
  arm64: add type casts to untagged_addr macro
  uaccess: add untagged_addr definition for other arches
  arm64: untag user addresses in access_ok and __uaccess_mask_ptr
  mm, arm64: untag user addresses in mm/gup.c
  lib, arm64: untag addrs passed to strncpy_from_user and strnlen_user
  fs, arm64: untag user address in copy_mount_options
  arm64: update Documentation/arm64/tagged-pointers.txt
  selftests, arm64: add a selftest for passing tagged pointers to kernel

 Documentation/arm64/tagged-pointers.txt       | 24 +++++++++++--------
 arch/arm64/include/asm/uaccess.h              | 14 +++++++----
 fs/namespace.c                                |  2 +-
 include/linux/uaccess.h                       |  4 ++++
 lib/strncpy_from_user.c                       |  2 ++
 lib/strnlen_user.c                            |  2 ++
 mm/gup.c                                      |  4 ++++
 tools/testing/selftests/arm64/.gitignore      |  1 +
 tools/testing/selftests/arm64/Makefile        | 11 +++++++++
 .../testing/selftests/arm64/run_tags_test.sh  | 12 ++++++++++
 tools/testing/selftests/arm64/tags_test.c     | 19 +++++++++++++++
 11 files changed, 79 insertions(+), 16 deletions(-)
 create mode 100644 tools/testing/selftests/arm64/.gitignore
 create mode 100644 tools/testing/selftests/arm64/Makefile
 create mode 100755 tools/testing/selftests/arm64/run_tags_test.sh
 create mode 100644 tools/testing/selftests/arm64/tags_test.c

Reviewed-by: Luc Van Oostenryck
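
Added example (not part of the patchset or of the kernel sources): a user-space model of why an access_ok-style range check needs the pointer untagged first, and why untagging by sign extension from bit 55 cannot make a kernel-side value pass. The model_* names, the 48-bit user address space, the sign-extension form of untagging and the sample addresses are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 48-bit user address space; user addresses lie below 1 << 48. */
#define MODEL_TASK_SIZE (UINT64_C(1) << 48)
#define TAG_SHIFT 56

/* Model of has_tag() for a user pointer: any non-zero top byte is a tag. */
static bool model_has_tag(uint64_t addr)
{
    return (addr >> TAG_SHIFT) != 0;
}

/* Model of untagging: sign-extend from bit 55, so the top byte becomes a
 * copy of bit 55 (0x00 for user addresses, 0xff for kernel addresses). */
static uint64_t model_untagged_addr(uint64_t addr)
{
    uint64_t low = addr & ((UINT64_C(1) << TAG_SHIFT) - 1);
    return (addr & (UINT64_C(1) << 55)) ? (low | (UINT64_C(0xff) << TAG_SHIFT)) : low;
}

/* Range check on the raw value: [addr, addr + size) must stay below the
 * limit. Written so that addr + size cannot wrap around. */
static bool model_range_ok(uint64_t addr, uint64_t size)
{
    return addr <= MODEL_TASK_SIZE && size <= MODEL_TASK_SIZE - addr;
}

/* The same check with the tag stripped first. */
static bool model_access_ok(uint64_t addr, uint64_t size)
{
    return model_range_ok(model_untagged_addr(addr), size);
}

int main(void)
{
    uint64_t user = UINT64_C(0x2a00ffff12340000);   /* constructed: tag 0x2a, user address */
    uint64_t kern = UINT64_C(0x2aff000012345678);   /* constructed: tag 0x2a, bit 55 set */

    printf("has_tag=%d raw=%d untagged=%d\n", model_has_tag(user),
           model_range_ok(user, 4096), model_access_ok(user, 4096));
    printf("kernel-side value still rejected: %d\n", !model_access_ok(kern, 8));
    return 0;
}
```

Masking the top byte to zero instead of sign-extending would turn the second sample into a value below the limit, which is why this model copies bit 55 into the top byte.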