[PATCH] kunit/fortify: Add back "volatile" for sizeof() constants

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH] kunit/fortify: Add back "volatile" for sizeof() constants
@ 2025-06-28 23:40 Kees Cook
  2025-07-01 12:35 ` Nathan Chancellor
  2025-07-01 13:41 ` Jann Horn
  0 siblings, 2 replies; 6+ messages in thread
From: Kees Cook @ 2025-06-28 23:40 UTC (permalink / raw)
  To: Jannik Glückert, Nathan Chancellor
  Cc: Kees Cook, linux-hardening, Nick Desaulniers, Bill Wendling,
	Justin Stitt, linux-kernel, llvm

It seems the Clang can see through OPTIMIZER_HIDE_VAR when the constant
is coming from sizeof. Adding "volatile" back to these variables solves
this false positive without reintroducing the issues that originally led
to switching to OPTIMIZER_HIDE_VAR in the first place[1].

Reported-by: Nathan Chancellor <nathan@kernel.org>
Closes: https://github.com/ClangBuiltLinux/linux/issues/2075 [1]
Cc: "Jannik Glückert" <jannik.glueckert@gmail.com>
Suggested-by: Nathan Chancellor <nathan@kernel.org>
Fixes: 6ee149f61bcc ("kunit/fortify: Replace "volatile" with OPTIMIZER_HIDE_VAR()")
Signed-off-by: Kees Cook <kees@kernel.org>
---
Cc: <linux-hardening@vger.kernel.org>
---
 lib/tests/fortify_kunit.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/tests/fortify_kunit.c b/lib/tests/fortify_kunit.c
index 29ffc62a71e3..fc9c76f026d6 100644
--- a/lib/tests/fortify_kunit.c
+++ b/lib/tests/fortify_kunit.c
@@ -1003,8 +1003,8 @@ static void fortify_test_memcmp(struct kunit *test)
 {
 	char one[] = "My mind is going ...";
 	char two[] = "My mind is going ... I can feel it.";
-	size_t one_len = sizeof(one) - 1;
-	size_t two_len = sizeof(two) - 1;
+	volatile size_t one_len = sizeof(one) - 1;
+	volatile size_t two_len = sizeof(two) - 1;
 
 	OPTIMIZER_HIDE_VAR(one_len);
 	OPTIMIZER_HIDE_VAR(two_len);
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH] kunit/fortify: Add back "volatile" for sizeof() constants
  2025-06-28 23:40 [PATCH] kunit/fortify: Add back "volatile" for sizeof() constants Kees Cook
@ 2025-07-01 12:35 ` Nathan Chancellor
  2025-07-01 13:41 ` Jann Horn
  1 sibling, 0 replies; 6+ messages in thread
From: Nathan Chancellor @ 2025-07-01 12:35 UTC (permalink / raw)
  To: Kees Cook
  Cc: Jannik Glückert, linux-hardening, Nick Desaulniers,
	Bill Wendling, Justin Stitt, linux-kernel, llvm

On Sat, Jun 28, 2025 at 04:40:38PM -0700, Kees Cook wrote:
> It seems the Clang can see through OPTIMIZER_HIDE_VAR when the constant
> is coming from sizeof. Adding "volatile" back to these variables solves
> this false positive without reintroducing the issues that originally led
> to switching to OPTIMIZER_HIDE_VAR in the first place[1].
> 
> Reported-by: Nathan Chancellor <nathan@kernel.org>
> Closes: https://github.com/ClangBuiltLinux/linux/issues/2075 [1]
> Cc: "Jannik Glückert" <jannik.glueckert@gmail.com>
> Suggested-by: Nathan Chancellor <nathan@kernel.org>
> Fixes: 6ee149f61bcc ("kunit/fortify: Replace "volatile" with OPTIMIZER_HIDE_VAR()")
> Signed-off-by: Kees Cook <kees@kernel.org>

Reviewed-by: Nathan Chancellor <nathan@kernel.org>

> ---
> Cc: <linux-hardening@vger.kernel.org>
> ---
>  lib/tests/fortify_kunit.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/lib/tests/fortify_kunit.c b/lib/tests/fortify_kunit.c
> index 29ffc62a71e3..fc9c76f026d6 100644
> --- a/lib/tests/fortify_kunit.c
> +++ b/lib/tests/fortify_kunit.c
> @@ -1003,8 +1003,8 @@ static void fortify_test_memcmp(struct kunit *test)
>  {
>  	char one[] = "My mind is going ...";
>  	char two[] = "My mind is going ... I can feel it.";
> -	size_t one_len = sizeof(one) - 1;
> -	size_t two_len = sizeof(two) - 1;
> +	volatile size_t one_len = sizeof(one) - 1;
> +	volatile size_t two_len = sizeof(two) - 1;
>  
>  	OPTIMIZER_HIDE_VAR(one_len);
>  	OPTIMIZER_HIDE_VAR(two_len);
> -- 
> 2.34.1
> 

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] kunit/fortify: Add back "volatile" for sizeof() constants
  2025-06-28 23:40 [PATCH] kunit/fortify: Add back "volatile" for sizeof() constants Kees Cook
  2025-07-01 12:35 ` Nathan Chancellor
@ 2025-07-01 13:41 ` Jann Horn
  2025-07-01 16:27   ` Kees Cook
  1 sibling, 1 reply; 6+ messages in thread
From: Jann Horn @ 2025-07-01 13:41 UTC (permalink / raw)
  To: Kees Cook
  Cc: Jannik Glückert, Nathan Chancellor, linux-hardening,
	Nick Desaulniers, Bill Wendling, Justin Stitt, linux-kernel, llvm

On Sun, Jun 29, 2025 at 1:40 AM Kees Cook <kees@kernel.org> wrote:
> It seems the Clang can see through OPTIMIZER_HIDE_VAR when the constant
> is coming from sizeof.

Wait, what? That sounds extremely implausible/broken to me.

https://godbolt.org/z/ndeP5chcb also suggests that clang does not
generally "see through OPTIMIZER_HIDE_VAR when the constant is coming
from sizeof".

Do you have a minimal reproducer of what you're talking about?

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] kunit/fortify: Add back "volatile" for sizeof() constants
  2025-07-01 13:41 ` Jann Horn
@ 2025-07-01 16:27   ` Kees Cook
  2025-07-01 17:38     ` Bill Wendling
  0 siblings, 1 reply; 6+ messages in thread
From: Kees Cook @ 2025-07-01 16:27 UTC (permalink / raw)
  To: Jann Horn
  Cc: Jannik Glückert, Nathan Chancellor, linux-hardening,
	Nick Desaulniers, Bill Wendling, Justin Stitt, linux-kernel, llvm

On Tue, Jul 01, 2025 at 03:41:35PM +0200, Jann Horn wrote:
> On Sun, Jun 29, 2025 at 1:40 AM Kees Cook <kees@kernel.org> wrote:
> > It seems the Clang can see through OPTIMIZER_HIDE_VAR when the constant
> > is coming from sizeof.
> 
> Wait, what? That sounds extremely implausible/broken to me.
> 
> https://godbolt.org/z/ndeP5chcb also suggests that clang does not
> generally "see through OPTIMIZER_HIDE_VAR when the constant is coming
> from sizeof".

I agree -- something is very unstable about this case, and it's been
very frustrating to pin down.

> Do you have a minimal reproducer of what you're talking about?

I have not had the time to minimize it, no.

-Kees

-- 
Kees Cook

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] kunit/fortify: Add back "volatile" for sizeof() constants
  2025-07-01 16:27   ` Kees Cook
@ 2025-07-01 17:38     ` Bill Wendling
  2025-07-02 21:12       ` Nathan Chancellor
  0 siblings, 1 reply; 6+ messages in thread
From: Bill Wendling @ 2025-07-01 17:38 UTC (permalink / raw)
  To: Kees Cook
  Cc: Jann Horn, Jannik Glückert, Nathan Chancellor,
	linux-hardening, Nick Desaulniers, Justin Stitt, linux-kernel,
	llvm

On Tue, Jul 1, 2025 at 9:27 AM Kees Cook <kees@kernel.org> wrote:
> On Tue, Jul 01, 2025 at 03:41:35PM +0200, Jann Horn wrote:
> > On Sun, Jun 29, 2025 at 1:40 AM Kees Cook <kees@kernel.org> wrote:
> > > It seems the Clang can see through OPTIMIZER_HIDE_VAR when the constant
> > > is coming from sizeof.
> >
> > Wait, what? That sounds extremely implausible/broken to me.
> >
Agreed. 'sizeof' should be calculated by the front-end.

> > https://godbolt.org/z/ndeP5chcb also suggests that clang does not
> > generally "see through OPTIMIZER_HIDE_VAR when the constant is coming
> > from sizeof".
>
> I agree -- something is very unstable about this case, and it's been
> very frustrating to pin down.
>
> > Do you have a minimal reproducer of what you're talking about?
>
> I have not had the time to minimize it, no.
>
OPTIMIZER_HIDE_VAR doesn't have a 'volatile' on it. Could that be it?

As a side note, the current definition:

  __asm__ ("" : "=r" (var) : "0" (var))

seems like

  __asm__ ("" : "+r" (var))

with extra steps.

-bw

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH] kunit/fortify: Add back "volatile" for sizeof() constants
  2025-07-01 17:38     ` Bill Wendling
@ 2025-07-02 21:12       ` Nathan Chancellor
  0 siblings, 0 replies; 6+ messages in thread
From: Nathan Chancellor @ 2025-07-02 21:12 UTC (permalink / raw)
  To: Bill Wendling
  Cc: Kees Cook, Jann Horn, Jannik Glückert, linux-hardening,
	Nick Desaulniers, Justin Stitt, linux-kernel, llvm

On Tue, Jul 01, 2025 at 10:38:36AM -0700, Bill Wendling wrote:
> On Tue, Jul 1, 2025 at 9:27 AM Kees Cook <kees@kernel.org> wrote:
> > I have not had the time to minimize it, no.

I can try to extract this into a minimal reproducer next week if nothing
major crops up over the long weekend.

> OPTIMIZER_HIDE_VAR doesn't have a 'volatile' on it. Could that be it?

I tested

diff --git a/include/linux/compiler.h b/include/linux/compiler.h
index 6f04a1d8c720..eab208a9a6f4 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -160,7 +160,7 @@ void ftrace_likely_update(struct ftrace_likely_data *f, int val,
 #ifndef OPTIMIZER_HIDE_VAR
 /* Make the optimizer believe the variable can be manipulated arbitrarily. */
 #define OPTIMIZER_HIDE_VAR(var)						\
-	__asm__ ("" : "=r" (var) : "0" (var))
+	__asm__ volatile("" : "=r" (var) : "0" (var))
 #endif
 
 #define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__)

but that did not resolve the error.

Cheers,
Nathan

^ permalink raw reply related	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2025-07-02 21:12 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-06-28 23:40 [PATCH] kunit/fortify: Add back "volatile" for sizeof() constants Kees Cook
2025-07-01 12:35 ` Nathan Chancellor
2025-07-01 13:41 ` Jann Horn
2025-07-01 16:27   ` Kees Cook
2025-07-01 17:38     ` Bill Wendling
2025-07-02 21:12       ` Nathan Chancellor

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).