public inbox for linux-doc@vger.kernel.org
 help / color / mirror / Atom feed
From: Kees Cook <kees@kernel.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Miguel Ojeda" <miguel.ojeda.sandonis@gmail.com>,
	"Peter Zijlstra" <peterz@infradead.org>,
	"Justin Stitt" <justinstitt@google.com>,
	"Miguel Ojeda" <ojeda@kernel.org>,
	"Nathan Chancellor" <nathan@kernel.org>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Andy Shevchenko" <andriy.shevchenko@linux.intel.com>,
	"Arnd Bergmann" <arnd@arndb.de>,
	"Mark Rutland" <mark.rutland@arm.com>,
	"Matthew Wilcox (Oracle)" <willy@infradead.org>,
	"Suren Baghdasaryan" <surenb@google.com>,
	"Thomas Gleixner" <tglx@kernel.org>,
	"Finn Thain" <fthain@linux-m68k.org>,
	"Geert Uytterhoeven" <geert+renesas@glider.be>,
	"Thomas Weißschuh" <thomas.weissschuh@linutronix.de>,
	llvm@lists.linux.dev, "Marco Elver" <elver@google.com>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Nicolas Schier" <nsc@kernel.org>,
	"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com,
	linux-hardening@vger.kernel.org, linux-doc@vger.kernel.org,
	linux-kbuild@vger.kernel.org
Subject: Re: [PATCH 5/5] types: Add standard __ob_trap and __ob_wrap scalar types
Date: Tue, 31 Mar 2026 11:59:23 -0700	[thread overview]
Message-ID: <202603311155.503B3DA5B@keescook> (raw)
In-Reply-To: <CAHk-=wgKB5f3MM40FGGUWUm_9eyESe2PAqCa6uZ=YTi0CdPwDg@mail.gmail.com>

On Tue, Mar 31, 2026 at 11:25:20AM -0700, Linus Torvalds wrote:
> If you want to use the overflow builtins (or our wrappers aorund
> them), you can't just do the math. You have to do crazy crap like
> 
>      int end;
>      if (check_add_overflow(start, len, &end))
>         ... handle overflow ...
>      do_something(start, end);
> 
> which obviously no sane person will do, when they can just write
> 
>    do_something(start, start+len);
> [...]
> So I think overflow handling should do the same. Instead of the bad
> "check_sub_overflow()" model we have now, we should have
> 
>      res = add_overflow(a,b,label);
> 
> and now you can use a trapping operation *without* having to break the
> normal flow of code, ie you can do
> 
>       do_something(start, add_overflow(start, len, overflow))
>       ...
>   overflow:
>       // Maybe needs to release locks, who knows
>       return -EINVAL;
> 
> notice?

The syntax problem (as made clear by many other people, and even you
here in the first half of this email) is that no one will use function
based math primitives. Everyone absolutely hates it. I would have gone
this route (as it is the design of the user-access code), but everyone
so violently rejected functional math that it seemed not even worth the
attempt.

> Wrapping does not need this kind of thing. Wrapping is literally a "I
> know I don't need to care", while trapping is a "I know I need to
> handle it".
> 
> It's just that handling the trapping should not need to be done right
> where the operation is done.

I agree completely. The trouble is how to build that into the existing
arithmetic statement syntax of C. This has been an unsolved problem for
50 years. :(

-- 
Kees Cook

  reply	other threads:[~2026-03-31 18:59 UTC|newest]

Thread overview: 49+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-31 16:37 [PATCH 0/5] Introduce Overflow Behavior Types Kees Cook
2026-03-31 16:37 ` [PATCH 1/5] refcount: Remove unused __signed_wrap function annotations Kees Cook
2026-03-31 16:37 ` [PATCH 2/5] hardening: Introduce Overflow Behavior Types support Kees Cook
2026-03-31 16:37 ` [PATCH 3/5] compiler_attributes: Add overflow_behavior macros __ob_trap and __ob_wrap Kees Cook
2026-03-31 17:01   ` Miguel Ojeda
2026-03-31 17:09     ` Miguel Ojeda
2026-03-31 17:09     ` Justin Stitt
2026-03-31 17:14       ` Miguel Ojeda
2026-03-31 17:17         ` Justin Stitt
2026-03-31 19:52       ` Kees Cook
2026-04-01  9:08         ` Peter Zijlstra
2026-04-01 20:21           ` Kees Cook
2026-04-01 20:30             ` Peter Zijlstra
2026-04-01 20:55               ` Kees Cook
2026-04-01 23:42               ` Justin Stitt
2026-04-02  9:13             ` David Laight
2026-03-31 17:16   ` Linus Torvalds
2026-03-31 17:18     ` Linus Torvalds
2026-04-01  7:19   ` Vincent Mailhol
2026-04-01  9:20     ` Peter Zijlstra
2026-04-01 19:43       ` Kees Cook
2026-04-01 19:42     ` Kees Cook
2026-03-31 16:37 ` [PATCH 4/5] lkdtm/bugs: Add basic Overflow Behavior Types test Kees Cook
2026-03-31 17:16   ` Justin Stitt
2026-03-31 16:37 ` [PATCH 5/5] types: Add standard __ob_trap and __ob_wrap scalar types Kees Cook
2026-03-31 17:10   ` Linus Torvalds
2026-03-31 17:47     ` Miguel Ojeda
2026-03-31 18:02       ` Linus Torvalds
2026-03-31 18:25         ` Linus Torvalds
2026-03-31 18:59           ` Kees Cook [this message]
2026-03-31 20:01             ` Linus Torvalds
2026-03-31 18:32         ` Kees Cook
2026-03-31 18:36           ` Linus Torvalds
2026-03-31 18:16       ` Kees Cook
2026-03-31 20:03     ` Kees Cook
2026-03-31 20:11       ` Linus Torvalds
2026-03-31 20:18         ` Linus Torvalds
2026-03-31 20:31         ` Kees Cook
2026-03-31 20:58           ` Linus Torvalds
2026-03-31 21:50             ` Justin Stitt
2026-03-31 23:49               ` Kees Cook
2026-03-31 23:50               ` Linus Torvalds
2026-04-01  8:31           ` Peter Zijlstra
2026-04-01 20:52             ` Kees Cook
2026-04-02  5:38               ` Peter Zijlstra
2026-04-01  8:57           ` Peter Zijlstra
2026-04-01 20:23             ` Kees Cook
2026-04-01  9:38           ` Peter Zijlstra
2026-04-01 21:41             ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202603311155.503B3DA5B@keescook \
    --to=kees@kernel.org \
    --cc=akpm@linux-foundation.org \
    --cc=andriy.shevchenko@linux.intel.com \
    --cc=arnd@arndb.de \
    --cc=corbet@lwn.net \
    --cc=elver@google.com \
    --cc=fthain@linux-m68k.org \
    --cc=geert+renesas@glider.be \
    --cc=gregkh@linuxfoundation.org \
    --cc=justinstitt@google.com \
    --cc=kasan-dev@googlegroups.com \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kbuild@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=llvm@lists.linux.dev \
    --cc=mark.rutland@arm.com \
    --cc=miguel.ojeda.sandonis@gmail.com \
    --cc=nathan@kernel.org \
    --cc=nsc@kernel.org \
    --cc=ojeda@kernel.org \
    --cc=peterz@infradead.org \
    --cc=surenb@google.com \
    --cc=tglx@kernel.org \
    --cc=thomas.weissschuh@linutronix.de \
    --cc=torvalds@linux-foundation.org \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox