[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CA+55aFzYyWLiWb_O3KFZiJAZPzoopaa2cuj8ByWDi4ERjg0ZHw@mail.gmail.com>
Date: Thu, 15 Feb 2018 12:59:57 -0800
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: Rasmus Villemoes <linux@...musvillemoes.dk>
Cc: Thomas Gleixner <tglx@...utronix.de>,
Dan Williams <dan.j.williams@...el.com>,
Will Deacon <will.deacon@....com>,
Ingo Molnar <mingo@...nel.org>,
stable <stable@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] linux/nospec.h: allow index argument to have
const-qualified type
On Thu, Feb 15, 2018 at 11:52 AM, Rasmus Villemoes
<linux@...musvillemoes.dk> wrote:
>
> This way, we can allow index to have const-qualified type, which will in
> some cases avoid the need for introducing a local copy of index of
> non-const qualified type.
Ack.
That said, looking at this header file, I find a couple of of other issues..
(a) we should just remove the array_index_mask_nospec_check() thing.
(b) once fixed, there's no reason for that extra "_s" variable in
array_index_nospec()
That (a) thing causes horrible code generation, and is pointless and wrong.
The "wrong" part is because it wants about "index" being larger than
LONG_MAX, and that's really stupid and wrong, because by *definition*
we don't trust index and it came from user space. The whole point was
that array_index_nospec() would limit those things!
Yes, it's true that the compiler may optimize that warning away if the
type of 'index' is such that it cannot happen, but that doesn't make
the warning any more valid.
It is only the sign of *size* that can matter and be an issue.
HOWEVER, even then it's wrong, because if "size" is of a signed type,
the check in WARN_ONCE is pure garbage.
To make matters worse, that warning means that
array_index_mask_nospec_check() currently uses it's arguments twice.
It so happens that the only current use of that macro is ok with that,
because it's being extra careful, but it's *WRONG*. Macros that look
like functions should not use arguments twice.
So (a) is just wrong right now. It's better to just remove it.
A valid warning *might* be
WARN_ONCE((long)(size) < 0, "array_index_mask only works for sizes
that fit in a positive long");
but honestly, it's just not worth the code generation pain.
Linus
Powered by blists - more mailing lists