From: Linus Torvalds <torvalds@linux-foundation.org>
To: Kees Cook <keescook@chromium.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
"Tobin C. Harding" <me@tobin.cc>,
Steven Rostedt <rostedt@goodmis.org>,
Jonathan Corbet <corbet@lwn.net>, Chris Mason <clm@fb.com>,
Josef Bacik <jbacik@fb.com>, David Sterba <dsterba@suse.com>,
"David S. Miller" <davem@davemloft.net>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Ingo Molnar <mingo@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@linutronix.de>,
Masahiro Yamada <yamada.masahiro@socionext.com>,
Borislav Petkov <bp@suse.de>,
Randy Dunlap <rdunlap@infradead.org>,
Ian Abbott <abbotti@mev.co.uk>,
Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>,
Petr Mladek <pmladek@suse.com>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Pantelis Antoniou <pantelis.antoniou@konsulko.com>,
linux-btrfs <linux-btrfs@vger.kernel.org>,
Network Development <netdev@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: [PATCH] kernel.h: Skip single-eval logic on literals in min()/max()
Date: Thu, 8 Mar 2018 17:35:15 -0800 [thread overview]
Message-ID: <CA+55aFxXb8JhpELWcFJnQMYy6sTyndwdNpCLFUznA9ML7-oL_Q@mail.gmail.com> (raw)
In-Reply-To: <CAGXu5j+JiYcsdaC4V9+SmUM2SKW1yRHr18d74G5SM_sSrQm=Nw@mail.gmail.com>
On Thu, Mar 8, 2018 at 4:45 PM, Kees Cook <keescook@chromium.org> wrote:
>
> Rasmus mentioned this too. What I said there was that I was shy to
> make that change, since we already can't mix that kind of thing with
> the existing min()/max() implementation. The existing min()/max() is
> already extremely strict, so there are no instances of this in the
> tree.
Yes, but I also didn't want to add any new cases in case people add
new min/max() users.
But:
> If I explicitly add one, I see this with or without the patch:
>
> In file included from drivers/misc/lkdtm.h:7:0,
> from drivers/misc/lkdtm_core.c:33:
> drivers/misc/lkdtm_core.c: In function ‘lkdtm_module_exit’:
> ./include/linux/kernel.h:809:16: warning: comparison of distinct
> pointer types lacks a cast
Oh, ok, in that case, just drop the __builtin_types_compatible_p()
entirely. It's not adding anything.
I was expecting the non-chosen expression in __builtin_choose_expr()
to not cause type warnings. I'm actually surprised it does. Type games
is why __builtin_choose_expr() tends to exist in the first place.
> So are you saying you _want_ the type enforcement weakened here, or
> that I should just not use __builtin_types_compatible_p()?
I don't want to weaken the type enforcement, and I _thought_ you had
done that __builtin_types_compatible_p() to keep it in place.
But if that's not why you did it, then why was it there at all? If the
type warning shows through even if it's in the other expression, then
just a
#define __min(t1, t2, x, y) \
__builtin_choose_expr( \
__builtin_constant_p(x) & \
__builtin_constant_p(y), \
(t1)(x) < (t2)(y) ? (t1)(x) : (t2)(y), \
__single_eval_min(t1, t2, \
...
would seem to be sufficient?
Because logically, the only thing that matters is that x and y don't
have any side effects and can be evaluated twice, and
"__builtin_constant_p()" is already a much stronger version of that.
Hmm? The __builtin_types_compatible_p() just doesn't seem to matter
for the only thing I thought it was there for.
Linus
next prev parent reply other threads:[~2018-03-09 1:35 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-08 21:40 [PATCH] kernel.h: Skip single-eval logic on literals in min()/max() Kees Cook
2018-03-08 21:59 ` Ian Campbell
2018-03-08 22:18 ` Andrew Morton
2018-03-08 22:49 ` Kees Cook
2018-03-08 23:48 ` Linus Torvalds
2018-03-09 0:45 ` Kees Cook
2018-03-09 1:35 ` Linus Torvalds [this message]
2018-03-09 1:46 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CA+55aFxXb8JhpELWcFJnQMYy6sTyndwdNpCLFUznA9ML7-oL_Q@mail.gmail.com \
--to=torvalds@linux-foundation.org \
--cc=abbotti@mev.co.uk \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=bp@suse.de \
--cc=clm@fb.com \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=dsterba@suse.com \
--cc=gustavo@embeddedor.com \
--cc=jbacik@fb.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@rasmusvillemoes.dk \
--cc=me@tobin.cc \
--cc=mingo@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pantelis.antoniou@konsulko.com \
--cc=peterz@infradead.org \
--cc=pmladek@suse.com \
--cc=rdunlap@infradead.org \
--cc=rostedt@goodmis.org \
--cc=sergey.senozhatsky.work@gmail.com \
--cc=tglx@linutronix.de \
--cc=yamada.masahiro@socionext.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).