[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CABCJKueOu+MwgvTcEUY51tJ1YjNjS-3zHhAHP=1TQUC1wd_1VA@mail.gmail.com>
Date: Fri, 15 Sep 2023 12:05:50 -0700
From: Sami Tolvanen <samitolvanen@...gle.com>
To: David Gow <davidgow@...gle.com>
Cc: Nathan Chancellor <nathan@...nel.org>,
Kees Cook <keescook@...omium.org>,
Brendan Higgins <brendan.higgins@...ux.dev>,
Rae Moar <rmoar@...gle.com>, dlatypov@...gle.com,
Benjamin Berg <benjamin.berg@...el.com>,
Maxime Ripard <mripard@...nel.org>,
Richard Fitzgerald <rf@...nsource.cirrus.com>,
llvm@...ts.linux.dev, linux-kernel@...r.kernel.org,
kunit-dev@...glegroups.com, linux-kselftest@...r.kernel.org,
linux-hardening@...r.kernel.org,
Nick Desaulniers <ndesaulniers@...gle.com>,
Tom Rix <trix@...hat.com>
Subject: Re: [RFC PATCH] kunit: Add a macro to wrap a deferred action function
Hi David,
On Thu, Sep 14, 2023 at 10:01 PM David Gow <davidgow@...gle.com> wrote:
>
> KUnit's deferred action API accepts a void(*)(void *) function pointer
> which is called when the test is exited. However, we very frequently
> want to use existing functions which accept a single pointer, but which
> may not be of type void*. While this is probably dodgy enough to be on
> the wrong side of the C standard, it's been often used for similar
> callbacks, and gcc's -Wcast-function-type seems to ignore cases where
> the only difference is the type of the argument, assuming it's
> compatible (i.e., they're both pointers to data).
>
> However, clang 16 has introduced -Wcast-function-type-strict, which no
> longer permits any deviation in function pointer type. This seems to be
> because it'd break CFI, which validates the type of function calls.
>
> This rather ruins our attempts to cast functions to defer them, and
> leaves us with a few options:
> 1. Stick our fingers in our ears an ignore the warning. (It's worked so
> far, but probably isn't the right thing to do.)
> 2. Find some horrible way of casting which fools the compiler into
> letting us do the cast. (It'd still break CFI, though.)
> 3. Disable the warning, and CFI for this function. This isn't optimal,
> but may make sense for test-only code. However, I think we'd have to
> do this for every function called, not just the caller, so maybe it's
> not practical.
> 4. Manually write wrappers around any such functions. This is ugly (do
> we really want two copies of each function, one of which has no type
> info and just forwards to the other). It could get repetitive.
> 5. Generate these wrappers with a macro. That's what this patch does.
>
> I'm broadly okay with any of the options above, though whatever we go
> with will no doubt require some bikeshedding of details (should these
> wrappers be public, do we dedupe them, etc).
>
> Thoughts?
Using a macro to generate a wrapper is a reasonable approach IMO, and
we've used it before in the kernel to fix type mismatches in
indirectly called functions (v4l2-ioctl and cfg80211 come to mind at
least).
Sami
Powered by blists - more mailing lists