Re: [PATCH 1/1] s390/dasd: fix string length handling

Re: [PATCH 1/1] s390/dasd: fix string length handling

[Nick Desaulniers]

On Mon, Aug 28, 2023 at 05:31:42PM +0200, Heiko Carstens wrote:
> Building dasd_eckd.o with latest clang reveals this bug:
> 
>     CC      drivers/s390/block/dasd_eckd.o
>       drivers/s390/block/dasd_eckd.c:1082:3: warning: 'snprintf' will always be truncated;
>       specified size is 1, but format string expands to at least 11 [-Wfortify-source]
>        1082 |                 snprintf(print_uid, sizeof(*print_uid),
>             |                 ^
>       drivers/s390/block/dasd_eckd.c:1087:3: warning: 'snprintf' will always be truncated;
>       specified size is 1, but format string expands to at least 10 [-Wfortify-source]
>        1087 |                 snprintf(print_uid, sizeof(*print_uid),
>             |                 ^
> 
> Fix this by moving and using the existing UID_STRLEN for the arrays
> that are being written to. Also rename UID_STRLEN to DASD_UID_STRLEN
> to clarify its scope.
> 
> Fixes: 23596961b437 ("s390/dasd: split up dasd_eckd_read_conf")
> Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
> Signed-off-by: Heiko Carstens <hca@linux.ibm.com>

Thanks for the patch! Nathan just reported a bunch of these. I took a
look at these two and thought "yeah that's clearly a bug in the kernel
sources." Fix LGTM.

Reported-by: Nathan Chancellor <nathan@kernel.org>
Closes: https://github.com/ClangBuiltLinux/linux/issues/1923
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>

I also like David's idea of passing `char ident [DASD_UID_STRLEN]`, too,
but I don't feel strongly either way.

Re: [PATCH 1/1] s390/dasd: fix string length handling

[Nick Desaulniers]

On Mon, Aug 28, 2023 at 3:46 PM Nick Desaulniers
<ndesaulniers@google.com> wrote:
>
> On Mon, Aug 28, 2023 at 05:31:42PM +0200, Heiko Carstens wrote:
> > Building dasd_eckd.o with latest clang reveals this bug:
> >
> >     CC      drivers/s390/block/dasd_eckd.o
> >       drivers/s390/block/dasd_eckd.c:1082:3: warning: 'snprintf' will always be truncated;
> >       specified size is 1, but format string expands to at least 11 [-Wfortify-source]
> >        1082 |                 snprintf(print_uid, sizeof(*print_uid),
> >             |                 ^
> >       drivers/s390/block/dasd_eckd.c:1087:3: warning: 'snprintf' will always be truncated;
> >       specified size is 1, but format string expands to at least 10 [-Wfortify-source]
> >        1087 |                 snprintf(print_uid, sizeof(*print_uid),
> >             |                 ^
> >
> > Fix this by moving and using the existing UID_STRLEN for the arrays
> > that are being written to. Also rename UID_STRLEN to DASD_UID_STRLEN
> > to clarify its scope.
> >
> > Fixes: 23596961b437 ("s390/dasd: split up dasd_eckd_read_conf")
> > Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
> > Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
>
> Thanks for the patch! Nathan just reported a bunch of these. I took a
> look at these two and thought "yeah that's clearly a bug in the kernel
> sources." Fix LGTM.
>
> Reported-by: Nathan Chancellor <nathan@kernel.org>
> Closes: https://github.com/ClangBuiltLinux/linux/issues/1923
> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>

Meant to add:

Tested-by: Nick Desaulniers <ndesaulniers@google.com> # build

>
> I also like David's idea of passing `char ident [DASD_UID_STRLEN]`, too,
> but I don't feel strongly either way.



-- 
Thanks,
~Nick Desaulniers

Re: [PATCH 1/1] s390/dasd: fix string length handling

[Heiko Carstens]

On Mon, Aug 28, 2023 at 03:46:52PM -0700, Nick Desaulniers wrote:
> On Mon, Aug 28, 2023 at 05:31:42PM +0200, Heiko Carstens wrote:
> > Building dasd_eckd.o with latest clang reveals this bug:
> > 
> >     CC      drivers/s390/block/dasd_eckd.o
> >       drivers/s390/block/dasd_eckd.c:1082:3: warning: 'snprintf' will always be truncated;
> >       specified size is 1, but format string expands to at least 11 [-Wfortify-source]
> >        1082 |                 snprintf(print_uid, sizeof(*print_uid),
> >             |                 ^
> >       drivers/s390/block/dasd_eckd.c:1087:3: warning: 'snprintf' will always be truncated;
> >       specified size is 1, but format string expands to at least 10 [-Wfortify-source]
> >        1087 |                 snprintf(print_uid, sizeof(*print_uid),
> >             |                 ^
> > 
> > Fix this by moving and using the existing UID_STRLEN for the arrays
> > that are being written to. Also rename UID_STRLEN to DASD_UID_STRLEN
> > to clarify its scope.
> > 
> > Fixes: 23596961b437 ("s390/dasd: split up dasd_eckd_read_conf")
> > Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
> > Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
> 
> Thanks for the patch! Nathan just reported a bunch of these. I took a
> look at these two and thought "yeah that's clearly a bug in the kernel
> sources." Fix LGTM.
> 
> Reported-by: Nathan Chancellor <nathan@kernel.org>
> Closes: https://github.com/ClangBuiltLinux/linux/issues/1923
> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
> 
> I also like David's idea of passing `char ident [DASD_UID_STRLEN]`, too,
> but I don't feel strongly either way.

Well, this is supposed to be the "minimal" fix. I consider everything else
additional cleanup work, which can and should be done by Stefan and Jan who
maintain this device driver.

For example there is more or less identical code within dasd_devmap.c
(dasd_uid_show()), where it would make sense to de-deduplicate the
code. And then of course there is the already mentioned rather pointless
strlen() invocation; plus there are many other string operations / format
strings, which also should be addressed.
E.g. there are quite a couple of "%p" printk format specifiers which are
pointless, since pointer values get hashed since years - so a more or less
random value will be printed, etc.

However all of this is up to Stefan and Jan.

So I consider this current fix as good enough and final.

Re: [PATCH 1/1] s390/dasd: fix string length handling

[Nick Desaulniers]

On Tue, Aug 29, 2023 at 1:02 AM Heiko Carstens <hca@linux.ibm.com> wrote:
>
> On Mon, Aug 28, 2023 at 03:46:52PM -0700, Nick Desaulniers wrote:
> > On Mon, Aug 28, 2023 at 05:31:42PM +0200, Heiko Carstens wrote:
> > > Building dasd_eckd.o with latest clang reveals this bug:
> > >
> > >     CC      drivers/s390/block/dasd_eckd.o
> > >       drivers/s390/block/dasd_eckd.c:1082:3: warning: 'snprintf' will always be truncated;
> > >       specified size is 1, but format string expands to at least 11 [-Wfortify-source]
> > >        1082 |                 snprintf(print_uid, sizeof(*print_uid),
> > >             |                 ^
> > >       drivers/s390/block/dasd_eckd.c:1087:3: warning: 'snprintf' will always be truncated;
> > >       specified size is 1, but format string expands to at least 10 [-Wfortify-source]
> > >        1087 |                 snprintf(print_uid, sizeof(*print_uid),
> > >             |                 ^
> > >
> > > Fix this by moving and using the existing UID_STRLEN for the arrays
> > > that are being written to. Also rename UID_STRLEN to DASD_UID_STRLEN
> > > to clarify its scope.
> > >
> > > Fixes: 23596961b437 ("s390/dasd: split up dasd_eckd_read_conf")
> > > Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
> > > Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
> >
> > Thanks for the patch! Nathan just reported a bunch of these. I took a
> > look at these two and thought "yeah that's clearly a bug in the kernel
> > sources." Fix LGTM.
> >
> > Reported-by: Nathan Chancellor <nathan@kernel.org>
> > Closes: https://github.com/ClangBuiltLinux/linux/issues/1923
> > Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
> >
> > I also like David's idea of passing `char ident [DASD_UID_STRLEN]`, too,
> > but I don't feel strongly either way.
>
> Well, this is supposed to be the "minimal" fix. I consider everything else
> additional cleanup work, which can and should be done by Stefan and Jan who
> maintain this device driver.

Sure, like I said, I don't care either way.

>
> For example there is more or less identical code within dasd_devmap.c
> (dasd_uid_show()), where it would make sense to de-deduplicate the
> code. And then of course there is the already mentioned rather pointless
> strlen() invocation; plus there are many other string operations / format
> strings, which also should be addressed.
> E.g. there are quite a couple of "%p" printk format specifiers which are
> pointless, since pointer values get hashed since years - so a more or less
> random value will be printed, etc.

kptr_restrict can be disabled at runtime though, so it's not useless
to print pointer values (IMO).

>
> However all of this is up to Stefan and Jan.
>
> So I consider this current fix as good enough and final.

Thanks for the patch.

-- 
Thanks,
~Nick Desaulniers

Re: [PATCH 1/1] s390/dasd: fix string length handling

[Nick Desaulniers]

On Mon, Aug 28, 2023 at 05:18:37PM +0000, David Laight wrote:
> From: Heiko Carstens
> > Sent: 28 August 2023 16:32
> >  	if (strlen(uid.vduit) > 0)
> 
> Does the compiler know enough to optimise that brain-dead test?
> 

For the purposes of skipping diagnostics, no; clang performs semantic
analysis BEFORE optimization (which is handled by LLVM). As such, clang
will produce diagnostics on dead code.

Partly because LLVM isn't very ergonomic at emitting diagnostics from
the backend, partly because Clang code owner and developers don't want
clang to emit diagnostics dependent on optimization level.

I disagree with my compatriots, and you can read more thoughts here:
https://discourse.llvm.org/t/rfc-improving-clangs-middle-and-back-end-diagnostics/69261?u=nickdesaulniers

Re: [PATCH 1/1] s390/dasd: fix string length handling

[Heiko Carstens]

On Mon, Aug 28, 2023 at 03:51:00PM -0700, Nick Desaulniers wrote:
> On Mon, Aug 28, 2023 at 05:18:37PM +0000, David Laight wrote:
> > From: Heiko Carstens
> > > Sent: 28 August 2023 16:32
> > >  	if (strlen(uid.vduit) > 0)
> > 
> > Does the compiler know enough to optimise that brain-dead test?
> > 
> 
> For the purposes of skipping diagnostics, no; clang performs semantic
> analysis BEFORE optimization (which is handled by LLVM). As such, clang
> will produce diagnostics on dead code.
> 
> Partly because LLVM isn't very ergonomic at emitting diagnostics from
> the backend, partly because Clang code owner and developers don't want
> clang to emit diagnostics dependent on optimization level.
> 
> I disagree with my compatriots, and you can read more thoughts here:
> https://discourse.llvm.org/t/rfc-improving-clangs-middle-and-back-end-diagnostics/69261?u=nickdesaulniers

Maybe I misunderstand what you write above, however clang (latest+greatest)
does indeed optimize the strlen() away and generates code which only tests
if uid.vduit[0] is zero or not.

Unlike gcc, which does not optimize this away and which uses the strlen()
inline assembly provided via string.h...

RE: [PATCH 1/1] s390/dasd: fix string length handling

[David Laight]

From: Heiko Carstens
> Sent: 29 August 2023 08:49
> 
> On Mon, Aug 28, 2023 at 03:51:00PM -0700, Nick Desaulniers wrote:
> > On Mon, Aug 28, 2023 at 05:18:37PM +0000, David Laight wrote:
> > > From: Heiko Carstens
> > > > Sent: 28 August 2023 16:32
> > > >  	if (strlen(uid.vduit) > 0)
> > >
> > > Does the compiler know enough to optimise that brain-dead test?
> > >
> >
> > For the purposes of skipping diagnostics, no; clang performs semantic
> > analysis BEFORE optimization (which is handled by LLVM). As such, clang
> > will produce diagnostics on dead code.
> >
> > Partly because LLVM isn't very ergonomic at emitting diagnostics from
> > the backend, partly because Clang code owner and developers don't want
> > clang to emit diagnostics dependent on optimization level.
> >
> > I disagree with my compatriots, and you can read more thoughts here:
> > https://discourse.llvm.org/t/rfc-improving-clangs-middle-and-back-end-
> diagnostics/69261?u=nickdesaulniers
> 
> Maybe I misunderstand what you write above, however clang (latest+greatest)
> does indeed optimize the strlen() away and generates code which only tests
> if uid.vduit[0] is zero or not.
> 
> Unlike gcc, which does not optimize this away and which uses the strlen()
> inline assembly provided via string.h...

And, if -ffreestanding is set (as in some kernel builds), the compiler
can't assume what strlen() does.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Re: [PATCH 1/1] s390/dasd: fix string length handling

[Nick Desaulniers]

On Tue, Aug 29, 2023 at 1:32 AM David Laight <David.Laight@aculab.com> wrote:
>
> From: Heiko Carstens
> > Sent: 29 August 2023 08:49
> >
> > On Mon, Aug 28, 2023 at 03:51:00PM -0700, Nick Desaulniers wrote:
> > > On Mon, Aug 28, 2023 at 05:18:37PM +0000, David Laight wrote:
> > > > From: Heiko Carstens
> > > > > Sent: 28 August 2023 16:32
> > > > >         if (strlen(uid.vduit) > 0)
> > > >
> > > > Does the compiler know enough to optimise that brain-dead test?
> > > >
> > >
> > > For the purposes of skipping diagnostics, no; clang performs semantic
> > > analysis BEFORE optimization (which is handled by LLVM). As such, clang
> > > will produce diagnostics on dead code.
> > >
> > > Partly because LLVM isn't very ergonomic at emitting diagnostics from
> > > the backend, partly because Clang code owner and developers don't want
> > > clang to emit diagnostics dependent on optimization level.
> > >
> > > I disagree with my compatriots, and you can read more thoughts here:
> > > https://discourse.llvm.org/t/rfc-improving-clangs-middle-and-back-end-
> > diagnostics/69261?u=nickdesaulniers
> >
> > Maybe I misunderstand what you write above, however clang (latest+greatest)
> > does indeed optimize the strlen() away and generates code which only tests
> > if uid.vduit[0] is zero or not.
> >
> > Unlike gcc, which does not optimize this away and which uses the strlen()
> > inline assembly provided via string.h...
>
> And, if -ffreestanding is set (as in some kernel builds), the compiler
> can't assume what strlen() does.

Exactly.

But triple checking if -ffreestanding is being used in arch/s390/ I only see:

arch/s390/purgatory/Makefile
26:KBUILD_CFLAGS += -fno-zero-initialized-in-bss -fno-builtin -ffreestanding

arch/s390/Makefile
28:KBUILD_CFLAGS_DECOMPRESSOR += -ffreestanding

---
So I don't think -ffreestanding is at play here.
-- 
Thanks,
~Nick Desaulniers

Re: [PATCH 1/1] s390/dasd: fix string length handling

[Nick Desaulniers]

On Tue, Aug 29, 2023 at 12:49 AM Heiko Carstens <hca@linux.ibm.com> wrote:
>
> On Mon, Aug 28, 2023 at 03:51:00PM -0700, Nick Desaulniers wrote:
> > On Mon, Aug 28, 2023 at 05:18:37PM +0000, David Laight wrote:
> > > From: Heiko Carstens
> > > > Sent: 28 August 2023 16:32
> > > >   if (strlen(uid.vduit) > 0)
> > >
> > > Does the compiler know enough to optimise that brain-dead test?
> > >
> >
> > For the purposes of skipping diagnostics, no; clang performs semantic
> > analysis BEFORE optimization (which is handled by LLVM). As such, clang
> > will produce diagnostics on dead code.
> >
> > Partly because LLVM isn't very ergonomic at emitting diagnostics from
> > the backend, partly because Clang code owner and developers don't want
> > clang to emit diagnostics dependent on optimization level.
> >
> > I disagree with my compatriots, and you can read more thoughts here:
> > https://discourse.llvm.org/t/rfc-improving-clangs-middle-and-back-end-diagnostics/69261?u=nickdesaulniers
>
> Maybe I misunderstand what you write above, however clang (latest+greatest)
> does indeed optimize the strlen() away and generates code which only tests
> if uid.vduit[0] is zero or not.

Oh, yeah, sorry I was talking about something else. Nevermind my point.

>
> Unlike gcc, which does not optimize this away and which uses the strlen()
> inline assembly provided via string.h...

heh, I feel like I was just having a conversation yesterday with
someone about pessimizing compile-time calculations...

-- 
Thanks,
~Nick Desaulniers