
[0/6] Enable strict percpu address space checks

Message ID 20241126172332.112212-1-ubizjak@gmail.com (mailing list archive)

Message

Uros Bizjak Nov. 26, 2024, 5:21 p.m. UTC
This patchset enables strict percpu address space checks via x86 named 
address space qualifiers. Percpu variables are declared in
__seg_gs/__seg_fs named AS and kept named AS qualified until they
are dereferenced via percpu accessor. This approach enables various
compiler checks for cross-namespace variable assignments.

Please note that the current version of sparse doesn't know anything about
the __typeof_unqual__() operator. Avoid the usage of __typeof_unqual__()
when sparse checking is active to prevent sparse errors caused by the
unknown keyword.

Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Dennis Zhou <dennis@kernel.org>
Cc: Tejun Heo <tj@kernel.org>
Cc: Christoph Lameter <cl@linux.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
Cc: Nadav Amit <nadav.amit@gmail.com>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Peter Zijlstra <peterz@infradead.org>

Uros Bizjak (6):
  x86/kgdb: Use IS_ERR_PCPU() macro
  compiler.h: Introduce TYPEOF_UNQUAL() macro
  percpu: Use TYPEOF_UNQUAL() in variable declarations
  percpu: Use TYPEOF_UNQUAL() in *_cpu_ptr() accessors
  percpu: Repurpose __percpu tag as a named address space qualifier
  percpu/x86: Enable strict percpu checks via named AS qualifiers

 arch/x86/include/asm/percpu.h  | 34 +++++++++++++++++++---------
 arch/x86/kernel/kgdb.c         |  2 +-
 fs/bcachefs/util.h             |  2 +-
 include/asm-generic/percpu.h   | 41 +++++++++++++++++++++++-----------
 include/linux/compiler.h       | 13 +++++++++++
 include/linux/compiler_types.h |  2 +-
 include/linux/part_stat.h      |  2 +-
 include/linux/percpu-defs.h    |  6 ++---
 include/net/snmp.h             |  5 ++---
 init/Kconfig                   |  3 +++
 kernel/locking/percpu-rwsem.c  |  2 +-
 net/mpls/internal.h            |  4 ++--
 12 files changed, 80 insertions(+), 36 deletions(-)

Comments

Dan Carpenter Dec. 4, 2024, 7:24 a.m. UTC | #1
On Tue, Nov 26, 2024 at 06:21:17PM +0100, Uros Bizjak wrote:
> This patchset enables strict percpu address space checks via x86 named 
> address space qualifiers. Percpu variables are declared in
> __seg_gs/__seg_fs named AS and kept named AS qualified until they
> are dereferenced via percpu accessor. This approach enables various
> compiler checks for cross-namespace variable assignments.
> 
> Please note that current version of sparse doesn't know anything about
> __typeof_unqual__() operator. Avoid the usage of __typeof_unqual__()
> when sparse checking is active to prevent sparse errors with unknowing
> keyword.

I don't think it would be super hard to add support to Sparse.  The only places
where typeof and typeof_unqual are different is that you have to mask away the
qualifiers in examine_typeof()?

I would take over Sparse maintainership but I'm far too sloppy to do it.  We
should get Greg to take over, he likes abandoned projects.  ;)

Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
 ast-inspect.c |  1 +
 ctags.c       |  1 +
 dissect.c     |  1 +
 evaluate.c    |  3 ++-
 parse.c       | 24 +++++++++++++++++++++---
 show-parse.c  |  1 +
 symbol.c      | 17 ++++++++++++++++-
 symbol.h      |  1 +
 8 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/ast-inspect.c b/ast-inspect.c
index b510cd9b1d2c..e940a93a411e 100644
--- a/ast-inspect.c
+++ b/ast-inspect.c
@@ -110,6 +110,7 @@ static const char *symbol_type_name(enum type type)
 		[SYM_UNION] = "SYM_UNION",
 		[SYM_ENUM] = "SYM_ENUM",
 		[SYM_TYPEOF] = "SYM_TYPEOF",
+		[SYM_TYPEOF_UNQUAL] = "SYM_TYPEOF_UNQUAL",
 		[SYM_BITFIELD] = "SYM_BITFIELD",
 		[SYM_LABEL] = "SYM_LABEL",
 		[SYM_RESTRICT] = "SYM_RESTRICT",
diff --git a/ctags.c b/ctags.c
index aa5f9718d847..afdc42b77b98 100644
--- a/ctags.c
+++ b/ctags.c
@@ -151,6 +151,7 @@ static void examine_symbol(struct symbol *sym)
 		sym->kind = 'e';
 	case SYM_PTR:
 	case SYM_TYPEOF:
+	case SYM_TYPEOF_UNQUAL:
 	case SYM_BITFIELD:
 	case SYM_FN:
 	case SYM_ARRAY:
diff --git a/dissect.c b/dissect.c
index 300d5ca99c97..9419c5931fbb 100644
--- a/dissect.c
+++ b/dissect.c
@@ -212,6 +212,7 @@ static void examine_sym_node(struct symbol *node, struct symbol *parent)
 	while ((base = node->ctype.base_type) != NULL)
 		switch (base->type) {
 		case SYM_TYPEOF:
+		case SYM_TYPEOF_UNQUAL:
 			node->ctype.base_type =
 				do_expression(U_VOID, base->initializer);
 			break;
diff --git a/evaluate.c b/evaluate.c
index fe716f631987..85a6447ba3ce 100644
--- a/evaluate.c
+++ b/evaluate.c
@@ -358,7 +358,8 @@ static inline int classify_type(struct symbol *type, struct symbol **base)
 	};
 	if (type->type == SYM_NODE)
 		type = type->ctype.base_type;
-	if (type->type == SYM_TYPEOF) {
+	if (type->type == SYM_TYPEOF ||
+	    type->type == SYM_TYPEOF_UNQUAL) {
 		type = examine_symbol_type(type);
 		if (type->type == SYM_NODE)
 			type = type->ctype.base_type;
diff --git a/parse.c b/parse.c
index f868bf63a0f5..95894bf5e54d 100644
--- a/parse.c
+++ b/parse.c
@@ -54,7 +54,7 @@ static struct token *handle_attributes(struct token *token, struct decl_state *c
 typedef struct token *declarator_t(struct token *, struct symbol *, struct decl_state *);
 static declarator_t
 	struct_specifier, union_specifier, enum_specifier,
-	attribute_specifier, typeof_specifier,
+	attribute_specifier, typeof_specifier, typeof_unqual_specifier,
 	storage_specifier, thread_specifier;
 static declarator_t generic_qualifier;
 static declarator_t autotype_specifier;
@@ -196,6 +196,13 @@ static struct symbol_op typeof_op = {
 	.set = Set_S|Set_T,
 };
 
+static struct symbol_op typeof_unqual_op = {
+	.type = KW_SPECIFIER,
+	.declarator = typeof_unqual_specifier,
+	.test = Set_Any,
+	.set = Set_S|Set_T,
+};
+
 static struct symbol_op autotype_op = {
 	.type = KW_SPECIFIER,
 	.declarator = autotype_specifier,
@@ -480,6 +487,7 @@ static struct init_keyword {
 	/* Typedef ... */
 	N("typedef",		&typedef_op,	.mods = MOD_USERTYPE),
 	A("typeof",		&typeof_op),
+	A("typeof_unqual",	&typeof_unqual_op),
 	N("__auto_type",	&autotype_op),
 
 	/* Type qualifiers */
@@ -1052,7 +1060,7 @@ static struct token *enum_specifier(struct token *token, struct symbol *sym, str
 	return ret;
 }
 
-static struct token *typeof_specifier(struct token *token, struct symbol *sym, struct decl_state *ctx)
+static struct token *typeof_specifier_helper(struct token *token, struct symbol *sym, struct decl_state *ctx, bool qual)
 {
 
 	if (!match_op(token, '(')) {
@@ -1065,7 +1073,7 @@ static struct token *typeof_specifier(struct token *token, struct symbol *sym, s
 		ctx->ctype.base_type = sym->ctype.base_type;
 		apply_ctype(token->pos, &ctx->ctype, &sym->ctype);
 	} else {
-		struct symbol *typeof_sym = alloc_symbol(token->pos, SYM_TYPEOF);
+		struct symbol *typeof_sym = alloc_symbol(token->pos, qual? SYM_TYPEOF : SYM_TYPEOF_UNQUAL);
 		token = parse_expression(token->next, &typeof_sym->initializer);
 
 		typeof_sym->endpos = token->pos;
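Review bot: The `qual` flag only reaches the `else` (expression) branch. The branch above it copies `sym->ctype` into `ctx->ctype` through `apply_ctype()` without looking at `qual`; if that is the type-name form, as it appears to be, `typeof_unqual(const int)` would keep its `const`. Assuming `sym` there is a temporary, masking before the copy would cover it: `if (!qual) sym->ctype.modifiers &= ~MOD_QUALIFIER;`. The ternary is also missing a space (`qual ? SYM_TYPEOF : SYM_TYPEOF_UNQUAL`), and the shared `expect(token, ')', "after typeof")` at the end of the helper will name `typeof` in diagnostics for the unqual keyword too. The helper's body starts and ends outside this hunk.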
@@ -1078,6 +1086,16 @@ static struct token *typeof_specifier(struct token *token, struct symbol *sym, s
 	return expect(token, ')', "after typeof");
 }
 
+static struct token *typeof_specifier(struct token *token, struct symbol *sym, struct decl_state *ctx)
+{
+	return typeof_specifier_helper(token, sym, ctx, true);
+}
+
+static struct token *typeof_unqual_specifier(struct token *token, struct symbol *sym, struct decl_state *ctx)
+{
+	return typeof_specifier_helper(token, sym, ctx, false);
+}
+
 static struct token *autotype_specifier(struct token *token, struct symbol *sym, struct decl_state *ctx)
 {
 	ctx->ctype.base_type = &autotype_ctype;
diff --git a/show-parse.c b/show-parse.c
index e2fc18bb4b3d..ceb6b3cb6f82 100644
--- a/show-parse.c
+++ b/show-parse.c
@@ -59,6 +59,7 @@ static void do_debug_symbol(struct symbol *sym, int indent)
 		[SYM_UNION] = "unin",
 		[SYM_ENUM] = "enum",
 		[SYM_TYPEOF] = "tpof",
+		[SYM_TYPEOF_UNQUAL] = "tpof_unqual",
 		[SYM_BITFIELD] = "bitf",
 		[SYM_LABEL] = "labl",
 		[SYM_RESTRICT] = "rstr",
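Review bot: Every other tag visible in this table is four characters ("unin", "enum", "tpof", "bitf", "labl", "rstr"), so `"tpof_unqual"` breaks the pattern and may misalign the debug dump if the output relies on fixed-width tags. A four-character tag such as `[SYM_TYPEOF_UNQUAL] = "tpuq",` would stay consistent. The table and the function that prints it extend beyond the hunk, so the width assumption should be checked against the format string there.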
diff --git a/symbol.c b/symbol.c
index 91352a3a447b..7060acb666d9 100644
--- a/symbol.c
+++ b/symbol.c
@@ -541,7 +541,7 @@ static struct symbol *examine_pointer_type(struct symbol *sym)
 	return sym;
 }
 
-static struct symbol *examine_typeof(struct symbol *sym)
+static struct symbol *examine_typeof_helper(struct symbol *sym, bool qual)
 {
 	struct symbol *base = evaluate_expression(sym->initializer);
 	unsigned long mod = 0;
@@ -550,6 +550,8 @@ static struct symbol *examine_typeof(struct symbol *sym)
 		base = &bad_ctype;
 	if (base->type == SYM_NODE) {
 		mod |= base->ctype.modifiers & MOD_TYPEOF;
+		if (!qual)
+			mod &= ~MOD_QUALIFIER;
 		base = base->ctype.base_type;
 	}
 	if (base->type == SYM_BITFIELD)
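Review bot: The new `mod &= ~MOD_QUALIFIER;` strips only the bits in that mask, and only from the modifiers copied out of a `SYM_NODE` operand. The cover letter's motivation for `__typeof_unqual__()` is dropping a named address space, and this hunk does not show whether address-space or noderef information reaches the result by another route. The patch adds no validation case; one that applies `typeof_unqual` to a `const volatile` object and to an object with an `address_space` attribute would pin down what is stripped. A one-line comment at the mask would also help, e.g. `/* typeof_unqual: drop const/volatile/restrict from the operand's type */`, adjusted to match what MOD_QUALIFIER actually contains. The function continues outside the hunk.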
@@ -560,6 +562,16 @@ static struct symbol *examine_typeof(struct symbol *sym)
 	return examine_node_type(sym);
 }
 
+static struct symbol *examine_typeof(struct symbol *sym)
+{
+	return examine_typeof_helper(sym, true);
+}
+
+static struct symbol *examine_typeof_unqual(struct symbol *sym)
+{
+	return examine_typeof_helper(sym, false);
+}
+
 /*
  * Fill in type size and alignment information for
  * regular SYM_TYPE things.
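Review bot: The `bool qual` parameter and the two one-line wrappers look avoidable. examine_symbol_type() dispatches on the symbol type in the next hunk, so the symbol presumably still carries SYM_TYPEOF or SYM_TYPEOF_UNQUAL when the helper is entered. A single examine_typeof() could then start with `bool unqual = sym->type == SYM_TYPEOF_UNQUAL;` and serve both case labels. If the helper is kept, a comment above it stating the flag's meaning would help, e.g. `/* qual: true keeps the operand's qualifiers (typeof), false drops them (typeof_unqual) */`, because `helper(sym, false)` is hard to read at the call site.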
@@ -595,6 +607,8 @@ struct symbol *examine_symbol_type(struct symbol * sym)
 		return sym;
 	case SYM_TYPEOF:
 		return examine_typeof(sym);
+	case SYM_TYPEOF_UNQUAL:
+		return examine_typeof_unqual(sym);
 	case SYM_PREPROCESSOR:
 		sparse_error(sym->pos, "ctype on preprocessor command? (%s)", show_ident(sym->ident));
 		return NULL;
@@ -628,6 +642,7 @@ const char* get_type_name(enum type type)
 	[SYM_UNION] = "union",
 	[SYM_ENUM] = "enum",
 	[SYM_TYPEOF] = "typeof",
+	[SYM_TYPEOF_UNQUAL] = "typeof_unqual",
 	[SYM_BITFIELD] = "bitfield",
 	[SYM_LABEL] = "label",
 	[SYM_RESTRICT] = "restrict",
diff --git a/symbol.h b/symbol.h
index 88130c15d4bd..3552d4391621 100644
--- a/symbol.h
+++ b/symbol.h
@@ -65,6 +65,7 @@ enum type {
 	SYM_UNION,
 	SYM_ENUM,
 	SYM_TYPEOF,
+	SYM_TYPEOF_UNQUAL,
 	SYM_BITFIELD,
 	SYM_LABEL,
 	SYM_RESTRICT,