From: Yury Norov <yury.norov@gmail.com>
To: Kees Cook <kees@kernel.org>
Cc: Nilay Shroff <nilay@linux.ibm.com>,
linux-kernel@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
briannorris@chromium.org, gustavoars@kernel.org,
nathan@kernel.org, steffen.klassert@secunet.com,
daniel.m.jordan@oracle.com, gjoyce@ibm.com,
linux-crypto@vger.kernel.org, linux@weissschuh.net
Subject: Re: [PATCHv3] gcc: disable '-Wstrignop-overread' universally for gcc-13+ and FORTIFY_SOURCE
Date: Thu, 12 Dec 2024 11:34:58 -0800 [thread overview]
Message-ID: <Z1s64indfQHyLJt-@yury-ThinkPad> (raw)
In-Reply-To: <202412121046.FD6F96C63@keescook>
On Thu, Dec 12, 2024 at 10:47:40AM -0800, Kees Cook wrote:
> On Thu, Dec 12, 2024 at 10:24:36AM -0800, Kees Cook wrote:
> > Or we could unconditionally put the OPTIMIZER_HIDE_VAR() inside
> > bitmap_copy() itself:
> >
> >
> > diff --git a/include/linux/bitmap.h b/include/linux/bitmap.h
> > index 262b6596eca5..5503ccabe05a 100644
> > --- a/include/linux/bitmap.h
> > +++ b/include/linux/bitmap.h
> > @@ -251,12 +251,14 @@ static __always_inline void bitmap_fill(unsigned long *dst, unsigned int nbits)
> > static __always_inline
> > void bitmap_copy(unsigned long *dst, const unsigned long *src, unsigned int nbits)
> > {
> > - unsigned int len = bitmap_size(nbits);
> > -
> > - if (small_const_nbits(nbits))
> > + if (small_const_nbits(nbits)) {
> > *dst = *src;
> > - else
> > + } else {
> > + unsigned int len = bitmap_size(nbits);
> > +
> > + OPTIMIZER_HIDE_VAR(len);
> > memcpy(dst, src, len);
> > + }
> > }
> >
> > /*
> >
> > I prefer any of these to doing the build-system disabling of the
> > warning.
>
> Actually, this should probably be done in the FORTIFY macro instead --
> it's what actually tripping the GCC warning since it is the code that is
> gleefully issuing a warning and then continuing with a overflowing copy
> anyway...
>
>
> diff --git a/include/linux/fortify-string.h b/include/linux/fortify-string.h
> index 0d99bf11d260..7203acfb9f17 100644
> --- a/include/linux/fortify-string.h
> +++ b/include/linux/fortify-string.h
> @@ -630,7 +630,13 @@ __FORTIFY_INLINE bool fortify_memcpy_chk(__kernel_size_t size,
> __fortify_size, \
> "field \"" #p "\" at " FILE_LINE, \
> __p_size_field); \
> - __underlying_##op(p, q, __fortify_size); \
> + if (__builtin_constant_p(__fortify_size)) { \
> + __underlying_##op(p, q, __fortify_size); \
> + } else { \
> + size_t ___fortify_size = __fortify_size; \
> + OPTIMIZER_HIDE_VAR(___fortify_size); \
> + __underlying_##op(p, q, ___fortify_size); \
> + } \
> })
I like this more than anything else. Bitmap API is an innocent victim,
and trashing it with unrelated warning suppressors is just bad. If GCC
will get more aggressive, we'll end up with the kernel all trashed with
this OPTIMIZER_HIDE_VAR() stuff.
I tried to formulate it when discussed __always_inline story, but now I
think I can do it clear. Bitmaps is an example of very basic coding. It's
not very complicated, but it's the 2nd most popular kernel API after
spinlocks.
People literally spent hundreds hours on every single line of core APIs.
I think all that people expect that the most reviewed system code in
the world will be somewhat a reference for compilers and other tools.
If compiler can't inline a pure wrapper with no additional
functionality at all, or if modpost can't understand that inline
function declared in header can't be a 'section mismatch', or
if CONFIG_FORTIFY complains about an overread that can never happen,
it's not a reason to pollute bitmaps, spinlocks, atomics or whatever
else, or even touch them. The tools should be fixed, not the code.
Acked-by: Yury Norov <yury.norov@gmail.com>
prev parent reply other threads:[~2024-12-12 19:35 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-08 16:12 [PATCHv3] gcc: disable '-Wstrignop-overread' universally for gcc-13+ and FORTIFY_SOURCE Nilay Shroff
2024-12-08 18:25 ` Yury Norov
2024-12-09 19:35 ` Nathan Chancellor
2024-12-10 8:28 ` Nilay Shroff
2024-12-10 16:14 ` Nathan Chancellor
2024-12-11 9:16 ` Nilay Shroff
2024-12-09 6:45 ` Greg Kroah-Hartman
2024-12-09 17:09 ` Nilay Shroff
2024-12-09 20:03 ` Nathan Chancellor
2024-12-09 20:43 ` Yury Norov
2024-12-09 22:24 ` Nathan Chancellor
2024-12-12 18:24 ` Kees Cook
2024-12-12 18:47 ` Kees Cook
2024-12-12 19:34 ` Yury Norov [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z1s64indfQHyLJt-@yury-ThinkPad \
--to=yury.norov@gmail.com \
--cc=briannorris@chromium.org \
--cc=daniel.m.jordan@oracle.com \
--cc=gjoyce@ibm.com \
--cc=gregkh@linuxfoundation.org \
--cc=gustavoars@kernel.org \
--cc=kees@kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@weissschuh.net \
--cc=nathan@kernel.org \
--cc=nilay@linux.ibm.com \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox