Re: [PATCH] skbuff: Switch structure bounds to struct_group()

Re: [PATCH] skbuff: Switch structure bounds to struct_group()

[kernel test robot]

[-- Attachment #1: Type: text/plain, Size: 9571 bytes --]

CC: kbuild-all(a)lists.01.org
In-Reply-To: <20211118183615.1281978-1-keescook@chromium.org>
References: <20211118183615.1281978-1-keescook@chromium.org>
TO: Kees Cook <keescook@chromium.org>

Hi Kees,

I love your patch! Perhaps something to improve:

[auto build test WARNING on kees/for-next/pstore]
[also build test WARNING on net-next/master net/master linus/master v5.16-rc1 next-20211118]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Kees-Cook/skbuff-Switch-structure-bounds-to-struct_group/20211119-023639
base:   https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/pstore
:::::: branch date: 6 hours ago
:::::: commit date: 6 hours ago
config: x86_64-randconfig-s031-20211118 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce:
        # apt-get install sparse
        # sparse version: v0.6.4-dirty
        # https://github.com/0day-ci/linux/commit/fc83cc3a3fb04bbc702c6c59ab17f87a3a9d6946
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Kees-Cook/skbuff-Switch-structure-bounds-to-struct_group/20211119-023639
        git checkout fc83cc3a3fb04bbc702c6c59ab17f87a3a9d6946
        # save the attached .config to linux build tree
        make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' O=build_dir ARCH=x86_64 SHELL=/bin/bash net/x25/

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>


sparse warnings: (new ones prefixed by >>)
   net/x25/x25_timer.c: note: in included file (through include/net/net_namespace.h, include/linux/netdevice.h, include/net/sock.h):
>> include/linux/skbuff.h:820:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:822:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:846:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:848:1: sparse: sparse: directive in macro's argument list
--
   net/x25/sysctl_net_x25.c: note: in included file:
>> include/linux/skbuff.h:820:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:822:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:846:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:848:1: sparse: sparse: directive in macro's argument list
--
   net/x25/x25_subr.c: note: in included file:
>> include/linux/skbuff.h:820:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:822:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:846:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:848:1: sparse: sparse: directive in macro's argument list
--
   net/x25/x25_route.c: note: in included file (through include/linux/if_arp.h):
>> include/linux/skbuff.h:820:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:822:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:846:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:848:1: sparse: sparse: directive in macro's argument list
--
   net/x25/x25_dev.c: note: in included file (through include/net/net_namespace.h, include/linux/netdevice.h):
>> include/linux/skbuff.h:820:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:822:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:846:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:848:1: sparse: sparse: directive in macro's argument list
--
   net/x25/x25_forward.c: note: in included file (through include/linux/if_arp.h):
>> include/linux/skbuff.h:820:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:822:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:846:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:848:1: sparse: sparse: directive in macro's argument list
--
   net/x25/af_x25.c: note: in included file (through include/net/net_namespace.h, include/linux/netdevice.h):
>> include/linux/skbuff.h:820:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:822:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:846:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:848:1: sparse: sparse: directive in macro's argument list
--
   net/x25/x25_in.c: note: in included file:
>> include/linux/skbuff.h:820:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:822:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:846:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:848:1: sparse: sparse: directive in macro's argument list
--
   net/x25/x25_link.c: note: in included file (through include/net/net_namespace.h, include/linux/netdevice.h):
>> include/linux/skbuff.h:820:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:822:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:846:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:848:1: sparse: sparse: directive in macro's argument list
--
   net/x25/x25_out.c: note: in included file:
>> include/linux/skbuff.h:820:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:822:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:846:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:848:1: sparse: sparse: directive in macro's argument list
--
   net/x25/x25_facilities.c: note: in included file:
>> include/linux/skbuff.h:820:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:822:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:846:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:848:1: sparse: sparse: directive in macro's argument list
--
   net/x25/x25_proc.c: note: in included file (through include/net/net_namespace.h):
>> include/linux/skbuff.h:820:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:822:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:846:1: sparse: sparse: directive in macro's argument list
   include/linux/skbuff.h:848:1: sparse: sparse: directive in macro's argument list

vim +820 include/linux/skbuff.h

6a5bcd84e886a9a Ilias Apalodimas     2021-06-07  810  
fc83cc3a3fb04bb Kees Cook            2021-11-18  811  	/* Fields enclosed in headers group are copied
b1937227316417a Eric Dumazet         2014-09-28  812  	 * using a single memcpy() in __copy_skb_header()
b1937227316417a Eric Dumazet         2014-09-28  813  	 */
fc83cc3a3fb04bb Kees Cook            2021-11-18  814  	struct_group(headers,
4031ae6edb92f7e Alexander Duyck      2012-01-27  815  
233577a22089fac Hannes Frederic Sowa 2014-09-12  816  /* if you move pkt_type around you also must adapt those constants */
233577a22089fac Hannes Frederic Sowa 2014-09-12  817  #ifdef __BIG_ENDIAN_BITFIELD
233577a22089fac Hannes Frederic Sowa 2014-09-12  818  #define PKT_TYPE_MAX	(7 << 5)
233577a22089fac Hannes Frederic Sowa 2014-09-12  819  #else
233577a22089fac Hannes Frederic Sowa 2014-09-12 @820  #define PKT_TYPE_MAX	7
^1da177e4c3f415 Linus Torvalds       2005-04-16  821  #endif
233577a22089fac Hannes Frederic Sowa 2014-09-12  822  #define PKT_TYPE_OFFSET()	offsetof(struct sk_buff, __pkt_type_offset)
fe55f6d5c0cfec4 Vegard Nossum        2008-08-30  823  
d2f273f0a920525 Randy Dunlap         2020-02-15  824  	/* private: */
233577a22089fac Hannes Frederic Sowa 2014-09-12  825  	__u8			__pkt_type_offset[0];
d2f273f0a920525 Randy Dunlap         2020-02-15  826  	/* public: */
b1937227316417a Eric Dumazet         2014-09-28  827  	__u8			pkt_type:3;
b1937227316417a Eric Dumazet         2014-09-28  828  	__u8			ignore_df:1;
b1937227316417a Eric Dumazet         2014-09-28  829  	__u8			nf_trace:1;
b1937227316417a Eric Dumazet         2014-09-28  830  	__u8			ip_summed:2;
3853b5841c01a3f Tom Herbert          2010-11-21  831  	__u8			ooo_okay:1;
8b7008620b84527 Stefano Brivio       2018-07-11  832  
61b905da33ae25e Tom Herbert          2014-03-24  833  	__u8			l4_hash:1;
a3b18ddb9cc1056 Tom Herbert          2014-07-01  834  	__u8			sw_hash:1;
6e3e939f3b1bf85 Johannes Berg        2011-11-09  835  	__u8			wifi_acked_valid:1;
6e3e939f3b1bf85 Johannes Berg        2011-11-09  836  	__u8			wifi_acked:1;
3bdc0eba0b8b477 Ben Greear           2012-02-11  837  	__u8			no_fcs:1;
77cffe23c1f8883 Tom Herbert          2014-08-27  838  	/* Indicates the inner headers are valid in the skbuff. */
6a674e9c75b17e7 Joseph Gasparakis    2012-12-07  839  	__u8			encapsulation:1;
7e2b10c1e52ca37 Tom Herbert          2014-06-04  840  	__u8			encap_hdr_csum:1;
5d0c2b95bc57cf8 Tom Herbert          2014-06-10  841  	__u8			csum_valid:1;
8b7008620b84527 Stefano Brivio       2018-07-11  842  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 30273 bytes --]

[PATCH] skbuff: Switch structure bounds to struct_group()

[Kees Cook]

In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally writing across neighboring fields.

Replace the existing empty member position markers "headers_start" and
"headers_end" with a struct_group(). This will allow memcpy() and sizeof()
to more easily reason about sizes, and improve readability.

"pahole" shows no size nor member offset changes to struct sk_buff.
"objdump -d" shows no object code changes (outside of WARNs affected by
source line number changes).

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Jason A. Donenfeld <Jason@zx2c4.com> # drivers/net/wireguard/*
---
 drivers/net/wireguard/queueing.h |  4 +---
 include/linux/skbuff.h           | 10 +++-------
 net/core/skbuff.c                | 14 +++++---------
 3 files changed, 9 insertions(+), 19 deletions(-)

diff --git a/drivers/net/wireguard/queueing.h b/drivers/net/wireguard/queueing.h
index 4ef2944a68bc..52da5e963003 100644
--- a/drivers/net/wireguard/queueing.h
+++ b/drivers/net/wireguard/queueing.h
@@ -79,9 +79,7 @@ static inline void wg_reset_packet(struct sk_buff *skb, bool encapsulating)
 	u8 sw_hash = skb->sw_hash;
 	u32 hash = skb->hash;
 	skb_scrub_packet(skb, true);
-	memset(&skb->headers_start, 0,
-	       offsetof(struct sk_buff, headers_end) -
-		       offsetof(struct sk_buff, headers_start));
+	memset(&skb->headers, 0, sizeof(skb->headers));
 	if (encapsulating) {
 		skb->l4_hash = l4_hash;
 		skb->sw_hash = sw_hash;
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 686a666d073d..875adfd056b6 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -808,12 +808,10 @@ struct sk_buff {
 	__u8			active_extensions;
 #endif
 
-	/* fields enclosed in headers_start/headers_end are copied
+	/* Fields enclosed in headers group are copied
 	 * using a single memcpy() in __copy_skb_header()
 	 */
-	/* private: */
-	__u32			headers_start[0];
-	/* public: */
+	struct_group(headers,
 
 /* if you move pkt_type around you also must adapt those constants */
 #ifdef __BIG_ENDIAN_BITFIELD
@@ -932,9 +930,7 @@ struct sk_buff {
 	u64			kcov_handle;
 #endif
 
-	/* private: */
-	__u32			headers_end[0];
-	/* public: */
+	); /* end headers group */
 
 	/* These elements must be at the end, see alloc_skb() for details.  */
 	sk_buff_data_t		tail;
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index ba2f38246f07..3a42b2a3a571 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -992,12 +992,10 @@ void napi_consume_skb(struct sk_buff *skb, int budget)
 }
 EXPORT_SYMBOL(napi_consume_skb);
 
-/* Make sure a field is enclosed inside headers_start/headers_end section */
+/* Make sure a field is contained by headers group */
 #define CHECK_SKB_FIELD(field) \
-	BUILD_BUG_ON(offsetof(struct sk_buff, field) <		\
-		     offsetof(struct sk_buff, headers_start));	\
-	BUILD_BUG_ON(offsetof(struct sk_buff, field) >		\
-		     offsetof(struct sk_buff, headers_end));	\
+	BUILD_BUG_ON(offsetof(struct sk_buff, field) !=		\
+		     offsetof(struct sk_buff, headers.field));	\
 
 static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
 {
@@ -1009,14 +1007,12 @@ static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
 	__skb_ext_copy(new, old);
 	__nf_copy(new, old, false);
 
-	/* Note : this field could be in headers_start/headers_end section
+	/* Note : this field could be in the headers group.
 	 * It is not yet because we do not want to have a 16 bit hole
 	 */
 	new->queue_mapping = old->queue_mapping;
 
-	memcpy(&new->headers_start, &old->headers_start,
-	       offsetof(struct sk_buff, headers_end) -
-	       offsetof(struct sk_buff, headers_start));
+	memcpy(&new->headers, &old->headers, sizeof(new->headers));
 	CHECK_SKB_FIELD(protocol);
 	CHECK_SKB_FIELD(csum);
 	CHECK_SKB_FIELD(hash);
-- 
2.30.2

Re: [PATCH] skbuff: Switch structure bounds to struct_group()

[Jakub Kicinski]

On Thu, 18 Nov 2021 10:36:15 -0800 Kees Cook wrote:
> In preparation for FORTIFY_SOURCE performing compile-time and run-time
> field bounds checking for memcpy(), memmove(), and memset(), avoid
> intentionally writing across neighboring fields.
> 
> Replace the existing empty member position markers "headers_start" and
> "headers_end" with a struct_group(). This will allow memcpy() and sizeof()
> to more easily reason about sizes, and improve readability.
> 
> "pahole" shows no size nor member offset changes to struct sk_buff.
> "objdump -d" shows no object code changes (outside of WARNs affected by
> source line number changes).

This adds ~27k of these warnings to W=1 gcc builds:

include/linux/skbuff.h:851:1: warning: directive in macro's argument list

Re: [PATCH] skbuff: Switch structure bounds to struct_group()

[Kees Cook]

On Thu, Nov 18, 2021 at 11:13:55PM -0800, Jakub Kicinski wrote:
> On Thu, 18 Nov 2021 10:36:15 -0800 Kees Cook wrote:
> > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > field bounds checking for memcpy(), memmove(), and memset(), avoid
> > intentionally writing across neighboring fields.
> > 
> > Replace the existing empty member position markers "headers_start" and
> > "headers_end" with a struct_group(). This will allow memcpy() and sizeof()
> > to more easily reason about sizes, and improve readability.
> > 
> > "pahole" shows no size nor member offset changes to struct sk_buff.
> > "objdump -d" shows no object code changes (outside of WARNs affected by
> > source line number changes).
> 
> This adds ~27k of these warnings to W=1 gcc builds:
> 
> include/linux/skbuff.h:851:1: warning: directive in macro's argument list

Oh my, I see it[1]. I will get that fixed. This smells like a missing
header or something weird. I have a dim memory of fixing this warning
long ago when evolving this series.

Thanks!

-Kees

[1] https://patchwork.kernel.org/project/netdevbpf/patch/20211118183615.1281978-1-keescook@chromium.org/

-- 
Kees Cook

Re: [PATCH] skbuff: Switch structure bounds to struct_group()

[Kees Cook]

On Thu, Nov 18, 2021 at 11:13:55PM -0800, Jakub Kicinski wrote:
> On Thu, 18 Nov 2021 10:36:15 -0800 Kees Cook wrote:
> > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > field bounds checking for memcpy(), memmove(), and memset(), avoid
> > intentionally writing across neighboring fields.
> > 
> > Replace the existing empty member position markers "headers_start" and
> > "headers_end" with a struct_group(). This will allow memcpy() and sizeof()
> > to more easily reason about sizes, and improve readability.
> > 
> > "pahole" shows no size nor member offset changes to struct sk_buff.
> > "objdump -d" shows no object code changes (outside of WARNs affected by
> > source line number changes).
> 
> This adds ~27k of these warnings to W=1 gcc builds:
> 
> include/linux/skbuff.h:851:1: warning: directive in macro's argument list

Hrm, I can't reproduce this, using several GCC versions and net-next. What
compiler version[1] and base commit[2] were used here?

-Kees

[1] https://github.com/kuba-moo/nipa/pull/10
[2] https://github.com/kuba-moo/nipa/pull/11

-- 
Kees Cook

Re: [PATCH] skbuff: Switch structure bounds to struct_group()

[Jakub Kicinski]

On Fri, 19 Nov 2021 10:26:19 -0800 Kees Cook wrote:
> On Thu, Nov 18, 2021 at 11:13:55PM -0800, Jakub Kicinski wrote:
> > On Thu, 18 Nov 2021 10:36:15 -0800 Kees Cook wrote:  
> > > In preparation for FORTIFY_SOURCE performing compile-time and run-time
> > > field bounds checking for memcpy(), memmove(), and memset(), avoid
> > > intentionally writing across neighboring fields.
> > > 
> > > Replace the existing empty member position markers "headers_start" and
> > > "headers_end" with a struct_group(). This will allow memcpy() and sizeof()
> > > to more easily reason about sizes, and improve readability.
> > > 
> > > "pahole" shows no size nor member offset changes to struct sk_buff.
> > > "objdump -d" shows no object code changes (outside of WARNs affected by
> > > source line number changes).  
> > 
> > This adds ~27k of these warnings to W=1 gcc builds:
> > 
> > include/linux/skbuff.h:851:1: warning: directive in macro's argument list  
> 
> Hrm, I can't reproduce this, using several GCC versions and net-next. What
> compiler version[1] and base commit[2] were used here?

gcc version 11.2.1 20210728 (Red Hat 11.2.1-1) (GCC) 

HEAD was at: 3b1abcf12894 Merge tag 'regmap-no-bus-update-bits' of git://...

> [1] https://github.com/kuba-moo/nipa/pull/10
> [2] https://github.com/kuba-moo/nipa/pull/11

Thanks for these! Will pull in as soon as the bot finishes with what
it's chewing on right now.

Re: [PATCH] skbuff: Switch structure bounds to struct_group()

[Jakub Kicinski]

On Fri, 19 Nov 2021 10:41:44 -0800 Jakub Kicinski wrote:
> On Fri, 19 Nov 2021 10:26:19 -0800 Kees Cook wrote:
> > On Thu, Nov 18, 2021 at 11:13:55PM -0800, Jakub Kicinski wrote:  
> > > This adds ~27k of these warnings to W=1 gcc builds:
> > > 
> > > include/linux/skbuff.h:851:1: warning: directive in macro's argument list    
> > 
> > Hrm, I can't reproduce this, using several GCC versions and net-next. What
> > compiler version[1] and base commit[2] were used here?  
> 
> gcc version 11.2.1 20210728 (Red Hat 11.2.1-1) (GCC) 
> 
> HEAD was at: 3b1abcf12894 Merge tag 'regmap-no-bus-update-bits' of git://...

Ah, damn, I just realized, it's probably sparse! The build sets C=1.

Re: [PATCH] skbuff: Switch structure bounds to struct_group()

[Kees Cook]

On Fri, Nov 19, 2021 at 10:53:05AM -0800, Jakub Kicinski wrote:
> On Fri, 19 Nov 2021 10:41:44 -0800 Jakub Kicinski wrote:
> > On Fri, 19 Nov 2021 10:26:19 -0800 Kees Cook wrote:
> > > On Thu, Nov 18, 2021 at 11:13:55PM -0800, Jakub Kicinski wrote:  
> > > > This adds ~27k of these warnings to W=1 gcc builds:
> > > > 
> > > > include/linux/skbuff.h:851:1: warning: directive in macro's argument list    
> > > 
> > > Hrm, I can't reproduce this, using several GCC versions and net-next. What
> > > compiler version[1] and base commit[2] were used here?  
> > 
> > gcc version 11.2.1 20210728 (Red Hat 11.2.1-1) (GCC) 
> > 
> > HEAD was at: 3b1abcf12894 Merge tag 'regmap-no-bus-update-bits' of git://...
> 
> Ah, damn, I just realized, it's probably sparse! The build sets C=1.

*head desk* I looked right at the "C=1" (noting it was missing for the
clang build) and didn't put it together. Let me see what I need to do to
make sparse happy...

-- 
Kees Cook