| Message ID | 20221102163252.49175-1-nathan@kernel.org |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp16295wru;
Wed, 2 Nov 2022 09:40:40 -0700 (PDT)
X-Google-Smtp-Source:
AMsMyM41QsDUUax14aVtUcAwNyFNr6OpawCzf2b4uq9/lfIoWafYaIDsGTUhCm61PlScRZ0JtuBk
X-Received: by 2002:a17:902:aa44:b0:186:7a6b:7bbd with SMTP id
c4-20020a170902aa4400b001867a6b7bbdmr26015463plr.78.1667407239800;
Wed, 02 Nov 2022 09:40:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1667407239; cv=none;
d=google.com; s=arc-20160816;
b=r1um7lMZPrkQBDMlqMZIYJTGEQ+NoNpPziV1aTyjyk3yNyikoSQ7zfndygbFDjsBeA
mAqHpApeebtw43a3uwlaQV3ZljLvLHdgCtGs2rW2hAwj5QPc7S6Pwl4zaxNY+rjCvx+L
Bv3UHy5D9Kz9k9aLgZyVox7SJ/G1b3SoOxcNPKocR3tS/UvNW8ne3I2mo76w8s56O8f3
tbRidt47ExS65sUKxg7LlTJfQ5VhmnFm6UOB48kQrJysTJmvyggMCclDHhvwYM2g4sGv
+3dPNRoZIg8JUVEOqxyRXtEAQ0UhlbxnVr7tUpl0z4pBya+yJXkCPzobOIYMdcE0sJK/
vLlg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=4ZhT+KdADqCdYCqodP2ce9CLKP+XZ8yjs4grfZ5s1Zw=;
b=qWn/XiGwFv8eLf/PrLvunYTB2WBzfFvqyvvCOxcyAbo62bnZYQiNXq2BM0qiGkLJy4
gBE9cPJ7CrQkzccUwuyR4yWQjsiwGuW+n9jwvG/R0l2aSBIEoYmL/BsLp8hbkKAENTB6
4ooOx4W6FJz/f02uWVAC79+2KUqwPCrGGGuEYtfa31SnaLktNeXSrKtaZgXOv7znnYPe
fOyVzXxxDP7O+04PWPlb/7M3U/a4zkl8b7oVFXn/xZfZYvJSImlaTsk+f/TPCWyFCI9l
VNi4HsfvfSUisg/OKtLzP2KbOTq0XKmCOy/OgvTBaS4wlaNdpn9kSTpXLEtvAXMG/vAh
HsIw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@kernel.org header.s=k20201202 header.b=OVWh4pJE;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
f6-20020a170902ce8600b00186ffe624e8si20810382plg.436.2022.11.02.09.40.14;
Wed, 02 Nov 2022 09:40:39 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@kernel.org header.s=k20201202 header.b=OVWh4pJE;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S231803AbiKBQiV (ORCPT <rfc822;yves.mi.zy@gmail.com> + 99 others);
Wed, 2 Nov 2022 12:38:21 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34038 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S231721AbiKBQh4 (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Wed, 2 Nov 2022 12:37:56 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org
[IPv6:2604:1380:4641:c500::1])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9F0C431DE1;
Wed, 2 Nov 2022 09:33:01 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by dfw.source.kernel.org (Postfix) with ESMTPS id EDA8761A56;
Wed, 2 Nov 2022 16:33:00 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6C573C433C1;
Wed, 2 Nov 2022 16:32:59 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
s=k20201202; t=1667406780;
bh=X6xqT5Q+gVJ0fSUPZGCRiXKotwL6OxS8B+0WmVkabE4=;
h=From:To:Cc:Subject:Date:From;
b=OVWh4pJER+b69tT/lzefyIZrWEZ5hg0SPIMfoJWLTsR9bJbMocFw4sqplf61P4ZTG
o0V14tacLjtPAz4u8ic5H5OYNRr6xxm9P20i1jPDXC+ksocQi2J3QBCWd4sDxKgBg0
VSJdSVkI3PdRgsbebmf06LtHYSYZp5+9xrZZv9Jzyp3gl9erOAQeAWCQmZlSBsqREX
/8nR88FXpSezKRBWnpTKSweTw9QSu8EbYBP2a8ECv/uS6eBr74jBY+kk0ttipIKWWH
QJU/7XSrni5lMQ0YbkB2WKjJqEEBbkX+xnETcMD/8JXHgKGEXUt0OhU0rYuTyMPWy5
308C7CV67PCgA==
From: Nathan Chancellor <nathan@kernel.org>
To: Alexandra Winter <wintera@linux.ibm.com>,
Wenjia Zhang <wenjia@linux.ibm.com>
Cc: Heiko Carstens <hca@linux.ibm.com>,
Vasily Gorbik <gor@linux.ibm.com>,
Alexander Gordeev <agordeev@linux.ibm.com>,
Christian Borntraeger <borntraeger@linux.ibm.com>,
Sven Schnelle <svens@linux.ibm.com>,
linux-s390@vger.kernel.org, netdev@vger.kernel.org,
Nick Desaulniers <ndesaulniers@google.com>,
Tom Rix <trix@redhat.com>, Kees Cook <keescook@chromium.org>,
Sami Tolvanen <samitolvanen@google.com>, llvm@lists.linux.dev,
linux-kernel@vger.kernel.org, patches@lists.linux.dev,
Nathan Chancellor <nathan@kernel.org>
Subject: [PATCH 1/3] s390/ctcm: Fix return type of ctc{mp,}m_tx()
Date: Wed, 2 Nov 2022 09:32:50 -0700
Message-Id: <20221102163252.49175-1-nathan@kernel.org>
X-Mailer: git-send-email 2.38.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-8.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1748403214258154140?=
X-GMAIL-MSGID: =?utf-8?q?1748403214258154140?=
|
| Series |
[1/3] s390/ctcm: Fix return type of ctc{mp,}m_tx()
|
|
Commit Message
Nathan Chancellor
Nov. 2, 2022, 4:32 p.m. UTC
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
proposed warning in clang aims to catch these at compile time, which
reveals:
drivers/s390/net/ctcm_main.c:1064:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
.ndo_start_xmit = ctcm_tx,
^~~~~~~
drivers/s390/net/ctcm_main.c:1072:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
.ndo_start_xmit = ctcmpc_tx,
^~~~~~~~~
->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
'netdev_tx_t', not 'int'. Adjust the return type of ctc{mp,}m_tx() to
match the prototype's to resolve the warning and potential CFI failure,
should s390 select ARCH_SUPPORTS_CFI_CLANG in the future.
Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
---
drivers/s390/net/ctcm_main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
base-commit: 9abf2313adc1ca1b6180c508c25f22f9395cc780
Comments
On Wed, Nov 02, 2022 at 09:32:50AM -0700, Nathan Chancellor wrote: > With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), > indirect call targets are validated against the expected function > pointer prototype to make sure the call target is valid to help mitigate > ROP attacks. If they are not identical, there is a failure at run time, > which manifests as either a kernel panic or thread getting killed. A > proposed warning in clang aims to catch these at compile time, which > reveals: > > drivers/s390/net/ctcm_main.c:1064:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] > .ndo_start_xmit = ctcm_tx, > ^~~~~~~ > drivers/s390/net/ctcm_main.c:1072:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] > .ndo_start_xmit = ctcmpc_tx, > ^~~~~~~~~ > > ->ndo_start_xmit() in 'struct net_device_ops' expects a return type of > 'netdev_tx_t', not 'int'. Adjust the return type of ctc{mp,}m_tx() to > match the prototype's to resolve the warning and potential CFI failure, > should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. > > Link: https://github.com/ClangBuiltLinux/linux/issues/1750 > Signed-off-by: Nathan Chancellor <nathan@kernel.org> Reviewed-by: Kees Cook <keescook@chromium.org>
Hi Nathan, On Wed, Nov 02, 2022 at 09:32:50AM -0700, Nathan Chancellor wrote: > should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. Yes, s390 should select that :) But, is there any switch or option I need to set when compiling clang, so it knows about the kcfi sanitizer? I get: clang-16: error: unsupported option '-fsanitize=kcfi' for target 's390x-ibm-linux' > clang --version clang version 16.0.0 (https://github.com/llvm/llvm-project.git e02110e2ab4dd71b276e887483f0e6e286d243ed)
Hi Heiko, On Wed, Nov 02, 2022 at 08:48:42PM +0100, Heiko Carstens wrote: > On Wed, Nov 02, 2022 at 09:32:50AM -0700, Nathan Chancellor wrote: > > should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. > > Yes, s390 should select that :) > > But, is there any switch or option I need to set when compiling clang, > so it knows about the kcfi sanitizer? > > I get: > clang-16: error: unsupported option '-fsanitize=kcfi' for target 's390x-ibm-linux' > > > clang --version > clang version 16.0.0 (https://github.com/llvm/llvm-project.git e02110e2ab4dd71b276e887483f0e6e286d243ed) No, kCFI is currently implemented in a target specific manner and Sami only added AArch64 and X86 support in the initial change: https://github.com/llvm/llvm-project/commit/cff5bef948c91e4919de8a5fb9765e0edc13f3de He does have a generic version in progress but I assume it would not be hard for one of your LLVM folks to add the kCFI operand bundle lowering to the SystemZ backend to get access to it sooner (and it may allow for a more optimized sequence of instructions if I understand correctly?): https://reviews.llvm.org/D135411 Cheers, Nathan
On Wed, Nov 02, 2022 at 08:48:42PM +0100, Heiko Carstens wrote: > On Wed, Nov 02, 2022 at 09:32:50AM -0700, Nathan Chancellor wrote: > > should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. > > Yes, s390 should select that :) > > But, is there any switch or option I need to set when compiling clang, > so it knows about the kcfi sanitizer? > > I get: > clang-16: error: unsupported option '-fsanitize=kcfi' for target 's390x-ibm-linux' > > > clang --version > clang version 16.0.0 (https://github.com/llvm/llvm-project.git e02110e2ab4dd71b276e887483f0e6e286d243ed) You'll need the "generic arch support": https://reviews.llvm.org/D135411 which is _almost_ landed. Testing would be welcome, for sure! Sami, do you have any notes on what common things were needed to get arm64 and x86_64 booting under kCFI? My only oh-so-helpful notes are "keep CFI away from early boot code". :P
On 02.11.22 20:09, Kees Cook wrote: > On Wed, Nov 02, 2022 at 09:32:50AM -0700, Nathan Chancellor wrote: >> With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), >> indirect call targets are validated against the expected function >> pointer prototype to make sure the call target is valid to help mitigate >> ROP attacks. If they are not identical, there is a failure at run time, >> which manifests as either a kernel panic or thread getting killed. A >> proposed warning in clang aims to catch these at compile time, which >> reveals: >> >> drivers/s390/net/ctcm_main.c:1064:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] >> .ndo_start_xmit = ctcm_tx, >> ^~~~~~~ >> drivers/s390/net/ctcm_main.c:1072:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] >> .ndo_start_xmit = ctcmpc_tx, >> ^~~~~~~~~ >> >> ->ndo_start_xmit() in 'struct net_device_ops' expects a return type of >> 'netdev_tx_t', not 'int'. Adjust the return type of ctc{mp,}m_tx() to >> match the prototype's to resolve the warning and potential CFI failure, >> should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. >> >> Link: https://github.com/ClangBuiltLinux/linux/issues/1750 >> Signed-off-by: Nathan Chancellor <nathan@kernel.org> > > Reviewed-by: Kees Cook <keescook@chromium.org> > Could you please also remove the corresponding comments: diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c index 37b551bd43bf..14200548704a 100644 --- a/drivers/s390/net/ctcm_main.c +++ b/drivers/s390/net/ctcm_main.c @@ -825,13 +825,6 @@ static int ctcmpc_transmit_skb(struct channel *ch, struct sk_buff *skb) /* * Start transmission of a packet. * Called from generic network device layer. - * - * skb Pointer to buffer containing the packet. - * dev Pointer to interface struct. - * - * returns 0 if packet consumed, !0 if packet rejected. - * Note: If we return !0, then the packet is free'd by - * the generic network layer. */ /* first merge version - leaving both functions separated */ static int ctcm_tx(struct sk_buff *skb, struct net_device *dev) Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
On Wed, Nov 2, 2022 at 1:01 PM Kees Cook <keescook@chromium.org> wrote: > > On Wed, Nov 02, 2022 at 08:48:42PM +0100, Heiko Carstens wrote: > > On Wed, Nov 02, 2022 at 09:32:50AM -0700, Nathan Chancellor wrote: > > > should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. > > > > Yes, s390 should select that :) > > > > But, is there any switch or option I need to set when compiling clang, > > so it knows about the kcfi sanitizer? > > > > I get: > > clang-16: error: unsupported option '-fsanitize=kcfi' for target 's390x-ibm-linux' > > > > > clang --version > > clang version 16.0.0 (https://github.com/llvm/llvm-project.git e02110e2ab4dd71b276e887483f0e6e286d243ed) > > You'll need the "generic arch support": https://reviews.llvm.org/D135411 > which is _almost_ landed. Testing would be welcome, for sure! > > Sami, do you have any notes on what common things were needed to get > arm64 and x86_64 booting under kCFI? My only oh-so-helpful notes are > "keep CFI away from early boot code". :P You don't need to keep CFI away from early boot code, but bringing this up in qemu+gdb initially is probably the best way forward. We also had plenty of type mismatches in syscall wrappers in the currently supported architectures, so that's another thing to watch out for once your kernel boots far enough to start init. Sami
diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c index 37b551bd43bf..4eea7d0285c1 100644 --- a/drivers/s390/net/ctcm_main.c +++ b/drivers/s390/net/ctcm_main.c @@ -834,7 +834,7 @@ static int ctcmpc_transmit_skb(struct channel *ch, struct sk_buff *skb) * the generic network layer. */ /* first merge version - leaving both functions separated */ -static int ctcm_tx(struct sk_buff *skb, struct net_device *dev) +static netdev_tx_t ctcm_tx(struct sk_buff *skb, struct net_device *dev) { struct ctcm_priv *priv = dev->ml_priv; @@ -877,7 +877,7 @@ static int ctcm_tx(struct sk_buff *skb, struct net_device *dev) } /* unmerged MPC variant of ctcm_tx */ -static int ctcmpc_tx(struct sk_buff *skb, struct net_device *dev) +static netdev_tx_t ctcmpc_tx(struct sk_buff *skb, struct net_device *dev) { int len = 0; struct ctcm_priv *priv = dev->ml_priv;