| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <gh8qndc296.fsf@gouders.net>
Date: Sat, 03 May 2025 14:22:45 +0200
From: Dirk Gouders <dirk@...ders.net>
To: David Laight <david.laight.linux@...il.com>
Cc: Ian Rogers <irogers@...gle.com>, Peter Zijlstra <peterz@...radead.org>,
Ingo Molnar <mingo@...hat.com>,
Arnaldo Carvalho de Melo
<acme@...nel.org>,
Namhyung Kim <namhyung@...nel.org>,
Mark Rutland
<mark.rutland@....com>,
Alexander Shishkin
<alexander.shishkin@...ux.intel.com>,
Jiri Olsa <jolsa@...nel.org>, Adrian Hunter <adrian.hunter@...el.com>,
Kan Liang
<kan.liang@...ux.intel.com>,
Yury Norov <yury.norov@...il.com>,
Rasmus
Villemoes <linux@...musvillemoes.dk>,
Thomas Gleixner
<tglx@...utronix.de>,
Darren Hart <dvhart@...radead.org>,
Davidlohr
Bueso <dave@...olabs.net>,
André Almeida
<andrealmeid@...lia.com>,
John
Garry <john.g.garry@...cle.com>, Will Deacon <will@...nel.org>,
James
Clark <james.clark@...aro.org>,
Mike Leach <mike.leach@...aro.org>, Leo
Yan <leo.yan@...ux.dev>,
Yicong Yang <yangyicong@...ilicon.com>,
Jonathan Cameron <jonathan.cameron@...wei.com>,
Nathan Chancellor
<nathan@...nel.org>,
Bill Wendling <morbo@...gle.com>,
Justin Stitt
<justinstitt@...gle.com>,
Josh Poimboeuf <jpoimboe@...nel.org>,
Al Viro
<viro@...iv.linux.org.uk>, Kyle Meyer <kyle.meyer@....com>,
Ben Gainey
<ben.gainey@....com>,
Athira Rajeev <atrajeev@...ux.vnet.ibm.com>,
Kajol
Jain <kjain@...ux.ibm.com>,
Aditya Gupta <adityag@...ux.ibm.com>,
Eder
Zulian <ezulian@...hat.com>,
Dapeng Mi <dapeng1.mi@...ux.intel.com>,
Kuan-Wei Chiu <visitorckw@...il.com>, He Zhe <zhe.he@...driver.com>,
Brian Geffon <bgeffon@...gle.com>,
Ravi Bangoria
<ravi.bangoria@....com>,
Howard Chu <howardchu95@...il.com>,
Charlie
Jenkins <charlie@...osinc.com>,
Colin Ian King <colin.i.king@...il.com>,
Dominique Martinet <asmadeus@...ewreck.org>,
Jann Horn
<jannh@...gle.com>, Masahiro Yamada <masahiroy@...nel.org>,
Arnd
Bergmann <arnd@...db.de>, Yang Jihong <yangjihong@...edance.com>,
Dmitry
Vyukov <dvyukov@...gle.com>, Andi Kleen <ak@...ux.intel.com>,
Graham
Woodward <graham.woodward@....com>,
Ilkka Koskinen
<ilkka@...amperecomputing.com>,
Anshuman Khandual
<anshuman.khandual@....com>,
Zhongqiu Han <quic_zhonhan@...cinc.com>, Hao Ge <gehao@...inos.cn>,
Tengda Wu <wutengda@...weicloud.com>,
Gabriele Monaco <gmonaco@...hat.com>,
Chun-Tse Shao <ctshao@...gle.com>, Casey Chen <cachen@...estorage.com>,
"Dr. David Alan Gilbert"
<linux@...blig.org>,
Li Huafei <lihuafei1@...wei.com>,
"Steinar H.
Gunderson" <sesse@...gle.com>,
Levi Yun <yeoreum.yun@....com>, Weilin
Wang <weilin.wang@...el.com>,
Thomas Falcon <thomas.falcon@...el.com>,
Thomas Richter <tmricht@...ux.ibm.com>,
Andrew Kreimer
<algonell@...il.com>,
Krzysztof Łopatowski
<krzysztof.m.lopatowski@...il.com>,
Christophe Leroy
<christophe.leroy@...roup.eu>,
Jean-Philippe Romain
<jean-philippe.romain@...s.st.com>,
Junhao He <hejunhao3@...wei.com>,
"Masami Hiramatsu (Google)" <mhiramat@...nel.org>,
Xu Yang
<xu.yang_2@....com>,
Steve Clevenger
<scclevenger@...amperecomputing.com>,
Zixian Cai <fzczx123@...il.com>,
Stephen Brennan <stephen.s.brennan@...cle.com>,
Yujie Liu
<yujie.liu@...el.com>, linux-kernel@...r.kernel.org,
linux-perf-users@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
llvm@...ts.linux.dev
Subject: Re: [PATCH v2 04/47] perf bench: Silence -Wshorten-64-to-32 warnings
David Laight <david.laight.linux@...il.com> writes:
> On Fri, 02 May 2025 16:12:17 +0200
> Dirk Gouders <dirk@...ders.net> wrote:
>
>> David Laight <david.laight.linux@...il.com> writes:
>>
>> > On Thu, 01 May 2025 01:11:16 +0200
>> > Dirk Gouders <dirk@...ders.net> wrote:
>> >
>> >> Ian Rogers <irogers@...gle.com> writes:
>> >>
>> >> > On Wed, Apr 30, 2025 at 3:19 PM Dirk Gouders <dirk@...ders.net> wrote:
>> >> >>
>> >> >> Ian Rogers <irogers@...gle.com> writes:
>> >> >>
>> >> >> > On Wed, Apr 30, 2025 at 1:23 PM Dirk Gouders <dirk@...ders.net> wrote:
>> >> >> >>
>> >> >> >> Hi Ian,
>> >> >> >>
>> >> >> >> considering so many eyes looking at this, I am probably wrong.
>> >> >> >>
>> >> >> >> So, this is only a "gauge reply" to see if it's worth I really read
>> >> >> >> through all the commits ;-)
>> >> >> >>
>> >> >> >> Ian Rogers <irogers@...gle.com> writes:
>> >> >> >>
>> >> >> >> [SNIP]
>> >> >> >>
>> >> >> >> > diff --git a/tools/perf/bench/sched-pipe.c b/tools/perf/bench/sched-pipe.c
>> >> >> >> > index 70139036d68f..b847213fd616 100644
>> >> >> >> > --- a/tools/perf/bench/sched-pipe.c
>> >> >> >> > +++ b/tools/perf/bench/sched-pipe.c
>> >> >> >> > @@ -102,7 +102,8 @@ static const char * const bench_sched_pipe_usage[] = {
>> >> >> >> > static int enter_cgroup(int nr)
>> >> >> >> > {
>> >> >> >> > char buf[32];
>> >> >> >> > - int fd, len, ret;
>> >> >> >> > + int fd;
>> >> >> >> > + ssize_t ret, len;
>> >> >> >> > int saved_errno;
>> >> >> >> > struct cgroup *cgrp;
>> >> >> >> > pid_t pid;
>> >> >> >> > @@ -118,7 +119,7 @@ static int enter_cgroup(int nr)
>> >> >> >> > cgrp = cgrps[nr];
>> >> >> >> >
>> >> >> >> > if (threaded)
>> >> >> >> > - pid = syscall(__NR_gettid);
>> >> >> >> > + pid = (pid_t)syscall(__NR_gettid);
>> >> >> >> > else
>> >> >> >> > pid = getpid();
>> >> >> >> >
>> >> >> >> > @@ -172,23 +173,25 @@ static void exit_cgroup(int nr)
>> >> >> >> >
>> >> >> >> > static inline int read_pipe(struct thread_data *td)
>> >> >> >> > {
>> >> >> >> > - int ret, m;
>> >> >> >> > + ssize_t ret;
>> >> >> >> > + int m;
>> >> >> >> > retry:
>> >> >> >> > if (nonblocking) {
>> >> >> >> > ret = epoll_wait(td->epoll_fd, &td->epoll_ev, 1, -1);
>> >> >> >>
>> >> >> >> The epoll_wait(), I know of, returns an int and not ssize_t.
>> >> >> >>
>> >> >> >> That shouldn't show up, because it doesn't cause real problems...
>> >> >> >
>> >> >> > So the function is read_pipe so it should probably return a ssize_t. I
>> >> >> > stopped short of that but made ret a ssize_t to silence the truncation
>> >> >> > warning on the read call. Assigning smaller to bigger is of course not
>> >> >> > an issue for epoll_wait.
>> >> >>
>> >> >> Oh yes, I missed that ret is also used for the result of read().
>> >> >>
>> >> >> Some lines down there is also a combination of
>> >> >>
>> >> >> ret = enter_cgroup() (which is int)
>> >> >>
>> >> >> and
>> >> >>
>> >> >> ret = write()
>> >> >>
>> >> >>
>> >> >> Just confusing but yes, because ret is also used for read() and write()
>> >> >> in those cases it should be ssize_t.
>> >> >>
>> >> >> I'm sorry for the noise.
>> >> >
>> >> > No worries, I'm appreciative of the eyes. I suspect we'll only pick up
>> >> > the first patches in this series to fix what is a bug on ARM. I think
>> >> > I'm responsible for too much noise here ;-)
>> >>
>> >> A final thought (in case this patch will also be picked):
>> >>
>> >> Why not, in case of read_pipe() and worker_thread() just cast
>> >> read() and write() to int? Both get counts of sizeof(int) and
>> >> it would clearly show: we know the result fits into an int.
>> >
>> > This is an obvious case of the entire insanity of these changes.
>>
>> You mean, because there is still the -1 case where the sign-lost can
>> happen?
>>
>> I guess your reply is in combination with your replies to another thread
>> to this subject. As far as I understood, Ian also has problems with
>> full understanding and I wonder if it helps to talk about a real
>> example. As far as I understood you say that code like this
>> (from tools/perf/bench/sched-pipe.c) is simply wrong:
>>
>> static inline int read_pipe(struct thread_data *td)
>> {
>> int ret, m;
>> retry:
>> if (nonblocking) {
>> ret = epoll_wait(td->epoll_fd, &td->epoll_ev, 1, -1);
>> if (ret < 0)
>> return ret;
>> }
>> ret = read(td->pipe_read, &m, sizeof(int));
>> if (nonblocking && ret < 0 && errno == EWOULDBLOCK)
>> goto retry;
>> return ret;
>> }
>>
>> And from your reply I understand that casting the read() explicitely to
>> int is insane. And now, I wonder what you would suggest -- honestly, I
>> am expecting to learn something, here.
First, thank you for elaborating on this. As I expected, I indeed learn
more than one thing.
> If you look through pretty much all 'posix' userspace code the return
> value from 'read' is assigned to an 'int' variable.
I looked at some read()s in util-linux and all those that I looked at
use ssize_t. Two reads, I found in bash use int. In mpich, both
versions are used... I didn't see a single cast, though ;-)
> If the compiler is going to complain that the return value doesn't fit
> into a 32bit int, it better have a pretty good idea the return value
> might exceed 2^^32.
> That requires knowledge of what 'read' does and analysis of the domain
> (not just type) of the length passed to read.
> Now if you add an (int) cast, you won't get an error (on 32bit) if
> the value is a pointer - and that is an error you always want.
You mean something like:
char *ptr = (int)read(fd, buf, sizeof(buf));
Here in my environment, I'd get an error:
error: assignment to ‘char *’ from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
(I have no 32bit system to test it but from my memory, I'd say I know
such error from times when 64bit wasn't available...)
> I'm pretty sure that it is also true the linux limits read (and write)
> to INT_MAX - so, for linux, the return value from read() always fits
> int 'int'.
Yes, didn't know that. From read(2):
------------------------------------------------------------------------
NOTES
On Linux, read() (and similar system calls) will transfer at most
0x7ffff000 (2,147,479,552) bytes, returning the number of bytes
actually transferred. (This is true on both 32-bit and 64-bit systems.)
------------------------------------------------------------------------
Oh well, I myself took `ssize_t read()' always so serious that I gave my
best to always try to match that type...
> The underlying problem is that if you start adding unnecessary casts for
> integer type conversions you end up with so many casts that it is far too
> easy for a 'broken' one to slip into the code.
OK, in the other thread, you also said that, in your opinion, (just
integer?) casts should be kept to an absolute minimum and I wonder, what
would be an example for such (mandatory) cases. Just the ones where the
compiler would complain (except for -Wshorten-64-to-32)?
> If you scan the kernel for min_t() there are plenty of very dubious ones.
> They've been added to 'fix' a compile time warning, but there are plenty
> that cast to u8, u16 or long (where there are u64 lurking).
> One of the u16 ones I found was a real bug and found/fixed separately
> from my scans of all the min_t().
Sorry for me still failing to fully understand: do your concerns then
mean you'd vote for not enabling -Wshorten-64-to-32 and live with the
perhaps rare cases of problems like the one in
https://lore.kernel.org/lkml/20250331172759.115604-1-leo.yan@arm.com/
or identify them by other means?
Best regards,
Dirk
Powered by blists - more mailing lists