| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 30 May 2023 22:09:24 +0100
From: "Russell King (Oracle)" <linux@...linux.org.uk>
To: Andrew Lunn <andrew@...n.ch>
Cc: Jakub Kicinski <kuba@...nel.org>,
Dan Carpenter <dan.carpenter@...aro.org>,
Oleksij Rempel <linux@...pel-privat.de>,
Heiner Kallweit <hkallweit1@...il.com>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>,
netdev@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: [PATCH net] net: phy: fix a signedness bug in genphy_loopback()
On Tue, May 30, 2023 at 10:04:52PM +0200, Andrew Lunn wrote:
> > > This is what I meant FWIW:
> > >
> > > diff --git a/include/linux/phy.h b/include/linux/phy.h
> > > index 7addde5d14c0..829bd57b8794 100644
> > > --- a/include/linux/phy.h
> > > +++ b/include/linux/phy.h
> > > @@ -1206,10 +1206,13 @@ static inline int phy_read(struct phy_device *phydev, u32 regnum)
> > > #define phy_read_poll_timeout(phydev, regnum, val, cond, sleep_us, \
> > > timeout_us, sleep_before_read) \
> > > ({ \
> > > - int __ret = read_poll_timeout(phy_read, val, val < 0 || (cond), \
> > > + int __ret, __val; \
> > > + \
> > > + __ret = read_poll_timeout(phy_read, __val, __val < 0 || (cond), \
> > > sleep_us, timeout_us, sleep_before_read, phydev, regnum); \
> > > - if (val < 0) \
> > > - __ret = val; \
> > > + val = __val;
>
> This results in the sign being discarded if val is unsigned. Yes, the
> test is remove, which i assume will stop Smatch complaining, but it is
> still broken.
I was going to ask you to explain that, but having thought about
this more, there's much bigger problems with the proposal.
First, if I'm understanding you correctly, your point doesn't seem
relevant, because if val is unsigned, we have an implicit cast from a
signed int to an unsigned int _at_ _some_ _point_. With the existing
code, that implicit cast is buried inside read_poll_timeout(), here
to be exact:
(val) = op(args);
because "op" will be one of the phy_read*() functions that returns an
"int", but "val" is unsigned - which means there's an implicit cast
here. Jakub's patch moves that cast after read_poll_timeout().
The elephant in the room has nothing to do with this, but everything
to do with "cond". "cond" is an expression to be evaluated inside the
loop, which must have access to the value read from the phy_read*()
function, and that value is referenced via whatever variable was
provided via "val". So changing "val" immediately breaks "cond".
Having thought about this, the best I can come up with is this, which
I think gives us everything we want without needing BUILD_BUG_ONs:
#define phy_read_poll_timeout(phydev, regnum, val, cond, sleep_us, \
timeout_us, sleep_before_read) \
({ \
int __ret, __val;
__ret = read_poll_timeout(__val = phy_read, val, __val < 0 || (cond), \
sleep_us, timeout_us, sleep_before_read, phydev, regnum); \
if (__val < 0) \
__ret = __val; \
if (__ret) \
phydev_err(phydev, "%s failed: %d\n", __func__, __ret); \
__ret; \
})
This looks rather horrid, but what it essentially does is:
(val) = op(args); \
if (cond) \
break; \
expands to:
(val) = __val = phy_read(args);
if (__val < 0 || (cond))
break;
As phy_read() returns an int, there is no cast or loss assigning it
to __val, since that is also an int. The conversion from int to
something else happens at the same point it always has.
Hmm?
--
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTP is here! 80Mbps down 10Mbps up. Decent connectivity at last!
Powered by blists - more mailing lists