lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <edb7ab60-f0e2-8fc4-ca73-9614bb547ab5@linaro.org>
Date:   Fri, 19 Mar 2021 07:38:26 -0500
From:   Alex Elder <elder@...aro.org>
To:     Leon Romanovsky <leon@...nel.org>
Cc:     davem@...emloft.net, kuba@...nel.org, bjorn.andersson@...aro.org,
        evgreen@...omium.org, cpratapa@...eaurora.org, elder@...nel.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net-next 3/4] net: ipa: introduce ipa_assert()

On 3/18/21 11:55 PM, Leon Romanovsky wrote:
> On Thu, Mar 18, 2021 at 11:29:22PM -0500, Alex Elder wrote:
>> Create a new macro ipa_assert() to verify that a condition is true.
>> This produces a build-time error if the condition can be evaluated
>> at build time; otherwise __ipa_assert_runtime() is called (described
>> below).
>>
>> Another macro, ipa_assert_always() verifies that an expression
>> yields true at runtime, and if it does not, reports an error
>> message.
>>
>> When IPA validation is enabled, __ipa_assert_runtime() becomes a
>> call to ipa_assert_always(), resulting in runtime verification of
>> the asserted condition.  Otherwise __ipa_assert_runtime() has no
>> effect, so such ipa_assert() calls are effectively ignored.
>>
>> IPA assertion errors will be reported using the IPA device if
>> possible.
>>
>> Signed-off-by: Alex Elder <elder@...aro.org>
>> ---
>>   drivers/net/ipa/ipa_assert.h | 50 ++++++++++++++++++++++++++++++++++++
>>   1 file changed, 50 insertions(+)
>>   create mode 100644 drivers/net/ipa/ipa_assert.h
>>
>> diff --git a/drivers/net/ipa/ipa_assert.h b/drivers/net/ipa/ipa_assert.h
>> new file mode 100644
>> index 0000000000000..7e5b9d487f69d
>> --- /dev/null
>> +++ b/drivers/net/ipa/ipa_assert.h
>> @@ -0,0 +1,50 @@
>> +/* SPDX-License-Identifier: GPL-2.0 */
>> +/*
>> + * Copyright (C) 2021 Linaro Ltd.
>> + */
>> +#ifndef _IPA_ASSERT_H_
>> +#define _IPA_ASSERT_H_
>> +
>> +#include <linux/compiler.h>
>> +#include <linux/printk.h>
>> +#include <linux/device.h>
>> +
>> +/* Verify the expression yields true, and fail at build time if possible */
>> +#define ipa_assert(dev, expr) \
>> +	do { \
>> +		if (__builtin_constant_p(expr)) \
>> +			compiletime_assert(expr, __ipa_failure_msg(expr)); \
>> +		else \
>> +			__ipa_assert_runtime(dev, expr); \
>> +	} while (0)
>> +
>> +/* Report an error if the given expression evaluates to false at runtime */
>> +#define ipa_assert_always(dev, expr) \
>> +	do { \
>> +		if (unlikely(!(expr))) { \
>> +			struct device *__dev = (dev); \
>> +			\
>> +			if (__dev) \
>> +				dev_err(__dev, __ipa_failure_msg(expr)); \
>> +			else  \
>> +				pr_err(__ipa_failure_msg(expr)); \
>> +		} \
>> +	} while (0)
> 
> It will be much better for everyone if you don't obfuscate existing
> kernel primitives and don't hide constant vs. dynamic expressions.

I don't agree with this characterization.

Yes, there is some complexity in this one source file, where
ipa_assert() is defined.  But as a result, callers are simple
one-line statements (similar to WARN_ON()).

Existing kernel primitives don't achieve these objectives:
- Don't check things at run time under normal conditions
- Do check things when validation is enabled
- If you can check it at compile time, check it regardless
If there is something that helps me do that, suggest it because
I will be glad to use it.

> So any random kernel developer will be able to change the code without
> investing too much time to understand this custom logic.

There should be almost no need to change the definition of
ipa_assert().  Even so, this custom logic is not all that
complicated in my view; it's broken into a few macros that
are each pretty simple.  It was actuallyl a little simpler
before I added some things to satisfy checkpatch.pl.

> And constant expressions are checked with BUILD_BUG_ON().

BUILD_BUG_ON() is great.  But it doesn't work for
non-constant expressions.

Suppose I try to simplify ipa_assert() as:

    #define ipa_assert(dev, expr) \
	do { \
	    BUILD_BUG_ON(expr); \
	    __ipa_runtime_assert(dev, expr); \
	} while (0)

I can't do that, because BUILD_BUG_ON() evaluates the
expression, so I can't safely do that again in the called
macro.

I explained how I wanted it to work earlier, but the main
reason for doing this is to communicate to the reader
that the asserted properties are guaranteed to be true.
It can be valuable for making things understandable.
You don't have to wonder, "what if the value passed
is out of range?"  It won't be, and the assertion tells
you that.

> If you still feel need to provide assertion like this, it should be done
> in general code.

I could do that but I'm afraid it's more than I intend
to take on, and am not aware of anyone else asking for
a feature like this.  Do you want it?

I honestly appreciate your input, but I don't agree with
it.  I can do without codifying informative assertions
but I'd really like to be able to test them.

					-Alex

> Thanks
> 
>> +
>> +/* Constant message used when an assertion fails */
>> +#define __ipa_failure_msg(expr)	"IPA assertion failed: " #expr "\n"
>> +
>> +#ifdef IPA_VALIDATION
>> +
>> +/* Only do runtime checks for "normal" assertions if validating the code */
>> +#define __ipa_assert_runtime(dev, expr)	ipa_assert_always(dev, expr)
>> +
>> +#else /* !IPA_VALIDATION */
>> +
>> +/* "Normal" assertions aren't checked when validation is disabled */
>> +#define __ipa_assert_runtime(dev, expr)	\
>> +	do { (void)(dev); (void)(expr); } while (0)
>> +
>> +#endif /* !IPA_VALIDATION */
>> +
>> +#endif /* _IPA_ASSERT_H_ */
>> -- 
>> 2.27.0
>>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ