Message ID | 20180908142837.2819693-6-arnd@arndb.de |
---|---|
State | Superseded |
Headers | show |
Series | [01/11] compat_ioctl: remove keyboard ioctl translation | expand |
On Sat, Sep 08, 2018 at 04:28:12PM +0200, Arnd Bergmann wrote: > These are all handled by the random driver, so instead of listing > each ioctl, we can just use the same function to deal with both > native and compat commands. Umm... I don't think it's right - > .unlocked_ioctl = random_ioctl, > + .compat_ioctl = random_ioctl, ->compat_ioctl() gets called in error = f.file->f_op->compat_ioctl(f.file, cmd, arg); so you do *NOT* get compat_ptr() for those - they have to do it on their own. It's not hard to provide a proper compat_ioctl() instance for that one, but this is not it. What you need in drivers/char/random.c part of that one is something like diff --git a/drivers/char/random.c b/drivers/char/random.c index bf5f99fc36f1..1de75c784cf6 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1954,10 +1954,9 @@ static ssize_t random_write(struct file *file, const char __user *buffer, return (ssize_t)count; } -static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) +static long __random_ioctl(struct file *f, unsigned int cmd, int __user *p) { int size, ent_count; - int __user *p = (int __user *)arg; int retval; switch (cmd) { @@ -2011,6 +2010,18 @@ static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) } } +static long random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) +{ + return __random_ioctl(f, cmd, (int __user *)arg); +} + +#ifdef CONFIG_COMPAT +static long compat_random_ioctl(struct file *f, unsigned int cmd, unsigned long arg) +{ + return __random_ioctl(f, cmd, compat_ptr(arg)); +} +#endif + static int random_fasync(int fd, struct file *filp, int on) { return fasync_helper(fd, filp, on, &fasync); @@ -2021,6 +2032,9 @@ const struct file_operations random_fops = { .write = random_write, .poll = random_poll, .unlocked_ioctl = random_ioctl, +#ifdef CONFIG_COMPAT + .compat_ioctl = compat_random_ioctl, +#endif .fasync = random_fasync, .llseek = noop_llseek, };
On Sun, Sep 9, 2018 at 6:12 AM Al Viro <viro@zeniv.linux.org.uk> wrote: > > On Sat, Sep 08, 2018 at 04:28:12PM +0200, Arnd Bergmann wrote: > > These are all handled by the random driver, so instead of listing > > each ioctl, we can just use the same function to deal with both > > native and compat commands. > > Umm... I don't think it's right - > > > .unlocked_ioctl = random_ioctl, > > + .compat_ioctl = random_ioctl, > > > ->compat_ioctl() gets called in > error = f.file->f_op->compat_ioctl(f.file, cmd, arg); > so you do *NOT* get compat_ptr() for those - they have to do it on their > own. It's not hard to provide a proper compat_ioctl() instance for that > one, but this is not it. What you need in drivers/char/random.c part of > that one is something like Looping in some s390 folks. As you suggested in another reply, I had a look at what other drivers do the same thing and have only pointer arguments. I created a patch to move them all over to using a new helper function that adds the compat_ptr(), and arrived at drivers/android/binder.c | 2 +- drivers/crypto/qat/qat_common/adf_ctl_drv.c | 2 +- drivers/dma-buf/dma-buf.c | 4 +--- drivers/dma-buf/sw_sync.c | 2 +- drivers/dma-buf/sync_file.c | 2 +- drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 +- drivers/hid/hidraw.c | 4 +--- drivers/iio/industrialio-core.c | 2 +- drivers/infiniband/core/uverbs_main.c | 4 ++-- drivers/media/rc/lirc_dev.c | 4 +--- drivers/mfd/cros_ec_dev.c | 4 +--- drivers/misc/vmw_vmci/vmci_host.c | 2 +- drivers/nvdimm/bus.c | 4 ++-- drivers/nvme/host/core.c | 6 +++--- drivers/pci/switch/switchtec.c | 2 +- drivers/platform/x86/wmi.c | 2 +- drivers/rpmsg/rpmsg_char.c | 4 ++-- drivers/s390/char/sclp_ctl.c | 8 ++------ drivers/s390/char/vmcp.c | 2 ++---- drivers/s390/cio/chsc_sch.c | 8 ++------ drivers/sbus/char/display7seg.c | 2 +- drivers/sbus/char/envctrl.c | 4 +--- drivers/scsi/3w-xxxx.c | 4 +--- drivers/scsi/cxlflash/main.c | 2 +- drivers/scsi/esas2r/esas2r_main.c | 2 +- drivers/scsi/pmcraid.c | 4 +--- drivers/staging/android/ion/ion.c | 4 +--- drivers/staging/vme/devices/vme_user.c | 2 +- drivers/tee/tee_core.c | 2 +- drivers/usb/class/cdc-wdm.c | 2 +- drivers/usb/class/usbtmc.c | 4 +--- drivers/video/fbdev/ps3fb.c | 2 +- drivers/video/fbdev/sis/sis_main.c | 4 +--- drivers/virt/fsl_hypervisor.c | 2 +- fs/btrfs/super.c | 2 +- fs/ceph/dir.c | 2 +- fs/ceph/file.c | 2 +- fs/fuse/dev.c | 2 +- fs/notify/fanotify/fanotify_user.c | 2 +- fs/userfaultfd.c | 2 +- net/rfkill/core.c | 2 +- 41 files changed, 48 insertions(+), 76 deletions(-) Out of those, there are only a few that may get used on s390, in particular at most infiniband/uverbs, nvme, nvdimm, btrfs, ceph, fuse, fanotify and userfaultfd. [Note: there are three s390 drivers in the list, which use a different method: they check in_compat_syscall() from a shared handler to decide whether to do compat_ptr(). According to my memory from when I last worked on this, the compat_ptr() is mainly a safeguard for legacy binaries that got created with ancient C compilers (or compilers for something other than C) and might leave the high bit set in a pointer, but modern C compilers (gcc-3+) won't ever do that. You are probably right about /dev/random, which could be used in lots of weird code, but I wonder to what degree we need to worry about it for the rest. Arnd
On Tue, 11 Sep 2018 22:26:54 +0200 Arnd Bergmann <arnd@arndb.de> wrote: > On Sun, Sep 9, 2018 at 6:12 AM Al Viro <viro@zeniv.linux.org.uk> wrote: > > > > On Sat, Sep 08, 2018 at 04:28:12PM +0200, Arnd Bergmann wrote: > > > These are all handled by the random driver, so instead of listing > > > each ioctl, we can just use the same function to deal with both > > > native and compat commands. > > > > Umm... I don't think it's right - > > > > > .unlocked_ioctl = random_ioctl, > > > + .compat_ioctl = random_ioctl, > > > > > > ->compat_ioctl() gets called in > > error = f.file->f_op->compat_ioctl(f.file, cmd, arg); > > so you do *NOT* get compat_ptr() for those - they have to do it on their > > own. It's not hard to provide a proper compat_ioctl() instance for that > > one, but this is not it. What you need in drivers/char/random.c part of > > that one is something like > > Looping in some s390 folks. > > As you suggested in another reply, I had a look at what other drivers > do the same thing and have only pointer arguments. I created a > patch to move them all over to using a new helper function that > adds the compat_ptr(), and arrived at > > drivers/android/binder.c | 2 +- > drivers/crypto/qat/qat_common/adf_ctl_drv.c | 2 +- > drivers/dma-buf/dma-buf.c | 4 +--- > drivers/dma-buf/sw_sync.c | 2 +- > drivers/dma-buf/sync_file.c | 2 +- > drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 +- > drivers/hid/hidraw.c | 4 +--- > drivers/iio/industrialio-core.c | 2 +- > drivers/infiniband/core/uverbs_main.c | 4 ++-- > drivers/media/rc/lirc_dev.c | 4 +--- > drivers/mfd/cros_ec_dev.c | 4 +--- > drivers/misc/vmw_vmci/vmci_host.c | 2 +- > drivers/nvdimm/bus.c | 4 ++-- > drivers/nvme/host/core.c | 6 +++--- > drivers/pci/switch/switchtec.c | 2 +- > drivers/platform/x86/wmi.c | 2 +- > drivers/rpmsg/rpmsg_char.c | 4 ++-- > drivers/s390/char/sclp_ctl.c | 8 ++------ > drivers/s390/char/vmcp.c | 2 ++---- > drivers/s390/cio/chsc_sch.c | 8 ++------ > drivers/sbus/char/display7seg.c | 2 +- > drivers/sbus/char/envctrl.c | 4 +--- > drivers/scsi/3w-xxxx.c | 4 +--- > drivers/scsi/cxlflash/main.c | 2 +- > drivers/scsi/esas2r/esas2r_main.c | 2 +- > drivers/scsi/pmcraid.c | 4 +--- > drivers/staging/android/ion/ion.c | 4 +--- > drivers/staging/vme/devices/vme_user.c | 2 +- > drivers/tee/tee_core.c | 2 +- > drivers/usb/class/cdc-wdm.c | 2 +- > drivers/usb/class/usbtmc.c | 4 +--- > drivers/video/fbdev/ps3fb.c | 2 +- > drivers/video/fbdev/sis/sis_main.c | 4 +--- > drivers/virt/fsl_hypervisor.c | 2 +- > fs/btrfs/super.c | 2 +- > fs/ceph/dir.c | 2 +- > fs/ceph/file.c | 2 +- > fs/fuse/dev.c | 2 +- > fs/notify/fanotify/fanotify_user.c | 2 +- > fs/userfaultfd.c | 2 +- > net/rfkill/core.c | 2 +- > 41 files changed, 48 insertions(+), 76 deletions(-) > > Out of those, there are only a few that may get used on s390, > in particular at most infiniband/uverbs, nvme, nvdimm, > btrfs, ceph, fuse, fanotify and userfaultfd. > [Note: there are three s390 drivers in the list, which use > a different method: they check in_compat_syscall() from > a shared handler to decide whether to do compat_ptr(). Using in_compat_syscall() seems to be a good solution, no? > According to my memory from when I last worked on this, > the compat_ptr() is mainly a safeguard for legacy binaries > that got created with ancient C compilers (or compilers for > something other than C) and might leave the high bit set > in a pointer, but modern C compilers (gcc-3+) won't ever > do that. And compat_ptr clears the upper 32-bit of the register. If the register is loaded to e.g. "lr" or "l" there will be junk in the 4 upper bytes. > You are probably right about /dev/random, which could be > used in lots of weird code, but I wonder to what degree we > need to worry about it for the rest. -- blue skies, Martin. "Reality continues to ruin my life." - Calvin.
On Wed, Sep 12, 2018 at 7:29 AM Martin Schwidefsky <schwidefsky@de.ibm.com> wrote: > On Tue, 11 Sep 2018 22:26:54 +0200 Arnd Bergmann <arnd@arndb.de> wrote: > > On Sun, Sep 9, 2018 at 6:12 AM Al Viro <viro@zeniv.linux.org.uk> wrote: > > Out of those, there are only a few that may get used on s390, > > in particular at most infiniband/uverbs, nvme, nvdimm, > > btrfs, ceph, fuse, fanotify and userfaultfd. > > [Note: there are three s390 drivers in the list, which use > > a different method: they check in_compat_syscall() from > > a shared handler to decide whether to do compat_ptr(). > > Using in_compat_syscall() seems to be a good solution, no? It works fine for you, but wouldn't work on architecture-independent code, since 32-bit architectures generally don't provide a compat_ptr() implementation. This could of course be changed easily, but after this change it, your drivers work just as well with a couple few lines, and more consistent with other drivers: --- a/drivers/s390/char/sclp_ctl.c +++ b/drivers/s390/char/sclp_ctl.c @@ -93,12 +93,8 @@ static int sclp_ctl_ioctl_sccb(void __user *user_area) static long sclp_ctl_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) { - void __user *argp; + void __user *argp = (void __user *)arg; - if (is_compat_task()) - argp = compat_ptr(arg); - else - argp = (void __user *) arg; switch (cmd) { case SCLP_CTL_SCCB: return sclp_ctl_ioctl_sccb(argp); @@ -114,7 +110,7 @@ static const struct file_operations sclp_ctl_fops = { .owner = THIS_MODULE, .open = nonseekable_open, .unlocked_ioctl = sclp_ctl_ioctl, - .compat_ioctl = sclp_ctl_ioctl, + .compat_ioctl = generic_compat_ioctl_ptrarg, .llseek = no_llseek, }; This should probably be separate from the change to using compat_ptr() in all other drivers, and I could easily drop this change if you prefer, it is meant only as a cosmetic change. > > According to my memory from when I last worked on this, > > the compat_ptr() is mainly a safeguard for legacy binaries > > that got created with ancient C compilers (or compilers for > > something other than C) and might leave the high bit set > > in a pointer, but modern C compilers (gcc-3+) won't ever > > do that. > > And compat_ptr clears the upper 32-bit of the register. If > the register is loaded to e.g. "lr" or "l" there will be > junk in the 4 upper bytes. I don't think we hit that problem anywhere: in the ioctl argument we pass an 'unsigned long' that has already been zero-extended by the compat_sys_ioctl() wrapper, while any other usage would get extended by the compiler when casting from compat_uptr_t to a 64-bit type. This would be different if you had a function call with the wrong prototype, i.e. calling a function declared as taking an compat_uptr_t, but defining it as taking a void __user*. (I suppose that is undefined behavior). Unless I'm missing something, compat_ptr() should always just clear bit 31. What I'd like to confirm is whether you have encountered any code that actually passes a pointer with that bit set by a user application in the past 15 years. As Al said, it's probably best to just always apply the compat_ptr() conversion in each case that s390 needs it even for drivers that don't run on s390, but I'd also like to understand how much it matters in practice. (A separate question would be how long we expect to need 32 bit compat mode on arch/s390 at all, but for the moment I assume this is not up for debate at all). Arnd
On Wed, 12 Sep 2018 16:02:40 +0200 Arnd Bergmann <arnd@arndb.de> wrote: > On Wed, Sep 12, 2018 at 7:29 AM Martin Schwidefsky > <schwidefsky@de.ibm.com> wrote: > > On Tue, 11 Sep 2018 22:26:54 +0200 Arnd Bergmann <arnd@arndb.de> wrote: > > > On Sun, Sep 9, 2018 at 6:12 AM Al Viro <viro@zeniv.linux.org.uk> wrote: > > > > Out of those, there are only a few that may get used on s390, > > > in particular at most infiniband/uverbs, nvme, nvdimm, > > > btrfs, ceph, fuse, fanotify and userfaultfd. > > > [Note: there are three s390 drivers in the list, which use > > > a different method: they check in_compat_syscall() from > > > a shared handler to decide whether to do compat_ptr(). > > > > Using in_compat_syscall() seems to be a good solution, no? > > It works fine for you, but wouldn't work on architecture-independent > code, since 32-bit architectures generally don't provide > a compat_ptr() implementation. This could of course > be changed easily, but after this change it, your drivers > work just as well with a couple few lines, and more consistent > with other drivers: > > --- a/drivers/s390/char/sclp_ctl.c > +++ b/drivers/s390/char/sclp_ctl.c > @@ -93,12 +93,8 @@ static int sclp_ctl_ioctl_sccb(void __user *user_area) > static long sclp_ctl_ioctl(struct file *filp, unsigned int cmd, > unsigned long arg) > { > - void __user *argp; > + void __user *argp = (void __user *)arg; > > - if (is_compat_task()) > - argp = compat_ptr(arg); > - else > - argp = (void __user *) arg; > switch (cmd) { > case SCLP_CTL_SCCB: > return sclp_ctl_ioctl_sccb(argp); > @@ -114,7 +110,7 @@ static const struct file_operations sclp_ctl_fops = { > .owner = THIS_MODULE, > .open = nonseekable_open, > .unlocked_ioctl = sclp_ctl_ioctl, > - .compat_ioctl = sclp_ctl_ioctl, > + .compat_ioctl = generic_compat_ioctl_ptrarg, > .llseek = no_llseek, > }; > > This should probably be separate from the change to using compat_ptr() > in all other drivers, and I could easily drop this change if you prefer, > it is meant only as a cosmetic change. So generic_compat_ioctl_ptrarg will to the compat_ptr thing on the "unsigned int cmd" argument? Should work just fine. > > > According to my memory from when I last worked on this, > > > the compat_ptr() is mainly a safeguard for legacy binaries > > > that got created with ancient C compilers (or compilers for > > > something other than C) and might leave the high bit set > > > in a pointer, but modern C compilers (gcc-3+) won't ever > > > do that. > > > > And compat_ptr clears the upper 32-bit of the register. If > > the register is loaded to e.g. "lr" or "l" there will be > > junk in the 4 upper bytes. > > I don't think we hit that problem anywhere: in the ioctl > argument we pass an 'unsigned long' that has already > been zero-extended by the compat_sys_ioctl() wrapper, > while any other usage would get extended by the compiler > when casting from compat_uptr_t to a 64-bit type. > This would be different if you had a function call with the > wrong prototype, i.e. calling a function declared as taking > an compat_uptr_t, but defining it as taking a void __user*. > (I suppose that is undefined behavior). That is true. For the ioctls we have a compat "unsigned int" or "unsigned long" and the system call wrapper must have cleared the upper half already. There are a few places where we copy a data structure from user space, then read a 32-bit pointer from the structure. These get the compat_ptr treatment as well. All of those structure definitions should use compat_uptr_t though, the compiler has to do the zero extension at the time the 32-bit value is cast to a pointer. > Unless I'm missing something, compat_ptr() should > always just clear bit 31. What I'd like to confirm is whether > you have encountered any code that actually passes > a pointer with that bit set by a user application in the > past 15 years. As Al said, it's probably best to just always > apply the compat_ptr() conversion in each case that s390 > needs it even for drivers that don't run on s390, but I'd also > like to understand how much it matters in practice. > (A separate question would be how long we expect to need > 32 bit compat mode on arch/s390 at all, but for the moment > I assume this is not up for debate at all). I don't know if that is worth the risk, yes it should work if compat_ptr just removes bit 31 and leaves the other bits alone. But if you have to clear one bit, you can as well remove all the other bits as well. -- blue skies, Martin. "Reality continues to ruin my life." - Calvin.
On Thu, Sep 13, 2018 at 8:42 AM Martin Schwidefsky <schwidefsky@de.ibm.com> wrote: > > On Wed, 12 Sep 2018 16:02:40 +0200 > Arnd Bergmann <arnd@arndb.de> wrote: > > > On Wed, Sep 12, 2018 at 7:29 AM Martin Schwidefsky > > <schwidefsky@de.ibm.com> wrote: > > > On Tue, 11 Sep 2018 22:26:54 +0200 Arnd Bergmann <arnd@arndb.de> wrote: > > > > This should probably be separate from the change to using compat_ptr() > > in all other drivers, and I could easily drop this change if you prefer, > > it is meant only as a cosmetic change. > > So generic_compat_ioctl_ptrarg will to the compat_ptr thing on the > "unsigned int cmd" argument? Should work just fine. It will do it on the "unsigned long arg" argument, I assume that's what you meant. The "cmd" argument is correctly zero-extended by the COMPAT_SYSCALL_DEFINE() wrapper on architectures that need that (IIRC s390 is in that category). > > I don't think we hit that problem anywhere: in the ioctl > > argument we pass an 'unsigned long' that has already > > been zero-extended by the compat_sys_ioctl() wrapper, > > while any other usage would get extended by the compiler > > when casting from compat_uptr_t to a 64-bit type. > > This would be different if you had a function call with the > > wrong prototype, i.e. calling a function declared as taking > > an compat_uptr_t, but defining it as taking a void __user*. > > (I suppose that is undefined behavior). > > That is true. For the ioctls we have a compat "unsigned int" > or "unsigned long" and the system call wrapper must have cleared > the upper half already. There are a few places where we copy > a data structure from user space, then read a 32-bit pointer > from the structure. These get the compat_ptr treatment as well. > All of those structure definitions should use compat_uptr_t > though, the compiler has to do the zero extension at the time > the 32-bit value is cast to a pointer. There is actually one more case: A number of the newer interfaces that have ioctl structures with indirect pointers encoded as __u64, so the layout becomes and we don't normally need a conversion handler. An example of this would be the sys_rseq() system call that passes a relatively complex structure in place of a pointer: struct rseq { ... union { __u64 ptr64; #ifdef __LP64__ __u64 ptr; #else struct { #if (defined(__BYTE_ORDER) && (__BYTE_ORDER == __BIG_ENDIAN)) || defined(__BIG_ENDIAN) __u32 padding; /* Initialized to zero. */ __u32 ptr32; #else /* LITTLE */ __u32 ptr32; __u32 padding; /* Initialized to zero. */ #endif /* ENDIAN */ } ptr; #endif } rseq_cs; __u32 flags; }; We require user space to initialize the __padding field to zero and then use the ptr64 field in the kernel as a pointer: u64 ptr; u32 __user *usig; copy_from_user(&ptr, &t->rseq->rseq_cs.ptr64, sizeof(ptr)); urseq_cs = (struct rseq_cs __user *)(unsigned long)ptr; but we don't ever clear bit 31 here. A similar pattern is used in many device drivers (I could not find any that would apply to s390 though). In theory, 32 bit user space might pass a pointer with the high bit set in the ptr32 field, and that gets misinterpreted by the kernel (resulting in -EFAULT). It would be interesting to know whether there could be user space that gets compiled from portable source code with a normal C compiler but produces that high bit set, as opposed to someone intentially settting the bit just to trigger the bug. Arnd
diff --git a/drivers/char/random.c b/drivers/char/random.c index bf5f99fc36f1..103abf82444a 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -2021,6 +2021,7 @@ const struct file_operations random_fops = { .write = random_write, .poll = random_poll, .unlocked_ioctl = random_ioctl, + .compat_ioctl = random_ioctl, .fasync = random_fasync, .llseek = noop_llseek, }; diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c index b56a3842d61d..eb29188d1dbb 100644 --- a/fs/compat_ioctl.c +++ b/fs/compat_ioctl.c @@ -594,13 +594,6 @@ COMPATIBLE_IOCTL(WDIOC_SETTIMEOUT) COMPATIBLE_IOCTL(WDIOC_GETTIMEOUT) COMPATIBLE_IOCTL(WDIOC_SETPRETIMEOUT) COMPATIBLE_IOCTL(WDIOC_GETPRETIMEOUT) -/* Big R */ -COMPATIBLE_IOCTL(RNDGETENTCNT) -COMPATIBLE_IOCTL(RNDADDTOENTCNT) -COMPATIBLE_IOCTL(RNDGETPOOL) -COMPATIBLE_IOCTL(RNDADDENTROPY) -COMPATIBLE_IOCTL(RNDZAPENTCNT) -COMPATIBLE_IOCTL(RNDCLEARPOOL) /* Bluetooth */ COMPATIBLE_IOCTL(HCIDEVUP) COMPATIBLE_IOCTL(HCIDEVDOWN)
These are all handled by the random driver, so instead of listing each ioctl, we can just use the same function to deal with both native and compat commands. Signed-off-by: Arnd Bergmann <arnd@arndb.de> --- drivers/char/random.c | 1 + fs/compat_ioctl.c | 7 ------- 2 files changed, 1 insertion(+), 7 deletions(-) -- 2.18.0