Message-ID: <CA+55aFyW9N2tSb2bQvkthbVVyY6nt5yFeWQRLHp1zruBmb5ocw@mail.gmail.com>
Date: Thu, 6 Sep 2018 14:13:41 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Andrey Konovalov <andreyknvl@...gle.com>
Cc: Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will.deacon@....com>,
Mark Rutland <mark.rutland@....com>,
Robin Murphy <robin.murphy@....com>,
Al Viro <viro@...iv.linux.org.uk>,
Kees Cook <keescook@...omium.org>,
Kate Stewart <kstewart@...uxfoundation.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Ingo Molnar <mingo@...nel.org>,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
Shuah Khan <shuah@...nel.org>,
linux-arm-kernel <linux-arm-kernel@...ts.infradead.org>,
"open list:DOCUMENTATION" <linux-doc@...r.kernel.org>,
linux-mm <linux-mm@...ck.org>,
linux-arch <linux-arch@...r.kernel.org>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Dmitry Vyukov <dvyukov@...gle.com>,
Kostya Serebryany <kcc@...gle.com>, eugenis@...gle.com,
Lee.Smith@....com,
Ramana Radhakrishnan <Ramana.Radhakrishnan@....com>,
Jacob.Bramley@....com, Ruben.Ayrapetyan@....com,
cpandya@...eaurora.org
Subject: Re: [PATCH v6 11/11] arm64: annotate user pointers casts detected by sparse
On Thu, Aug 30, 2018 at 4:41 AM Andrey Konovalov <andreyknvl@...gle.com> wrote:
>
> This patch adds __force annotations for __user pointers casts detected by
> sparse with the -Wcast-from-as flag enabled (added in [1]).
No, several of these are wrong, and just silence a warning that shows a problem.

So for example:
> static inline compat_uptr_t ptr_to_compat(void __user *uptr)
> {
> - return (u32)(unsigned long)uptr;
> + return (u32)(__force unsigned long)uptr;
> }
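Review bot: In `ptr_to_compat()`, the `__force` sits on a pointer-to-integer cast, where dropping the `__user` address space is intended. A one-line comment saying so would keep this annotation from being read as a silenced warning.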
this actually looks correct.

But:
> --- a/arch/arm64/include/asm/uaccess.h
> +++ b/arch/arm64/include/asm/uaccess.h
> @@ -76,7 +76,7 @@ static inline unsigned long __range_ok(const void __user *addr, unsigned long si
> {
> unsigned long ret, limit = current_thread_info()->addr_limit;
>
> - __chk_user_ptr(addr);
> + __chk_user_ptr((void __force *)addr);
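Review bot: In `__range_ok()`, the cast `(void __force *)addr` strips the `__user` address space (and the `const`) from `addr` before it reaches `__chk_user_ptr()`, which defeats the one thing that call is there to verify. Keep `__chk_user_ptr(addr);` as it was and resolve the sparse warning where it originates rather than at this call.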
This looks actively wrong. The whole - and only - point of
"__chk_user_ptr()" is that it warns about a lack of a "__user *" type.

So the above makes no sense at all.

There are other similar "that makes no sense what-so-ever", like this one:
> - struct compat_group_req __user *gr32 = (void *)optval;
> + struct compat_group_req __user *gr32 = (__force void *)optval;
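Review bot: On the `gr32` initializer, `(__force void *)optval` still converts to a plain `void *` and then assigns that to a `__user` pointer, so `__force` only hides the address-space mismatch. Cast with `(void __user *)optval` instead, which keeps the annotation and needs no `__force`.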
no, the addition of __force is not the right thing, the problem is
that a __user pointer is cast to a non-user 'void *' only to be
assigned to another user type.

The fix should have been to use (void __user *) as the cast instead,
no __force needed.

In general, I think the patch shows all the signs of "mindlessly just
add casts", which is exactly the wrong thing to do to sparse warnings.

Linus