All of lore.kernel.org
 help / color / mirror / Atom feed
From: Guenter Roeck <linux@roeck-us.net>
To: Ingo Molnar <mingo@kernel.org>, Jan Beulich <JBeulich@suse.com>
Cc: mingo@elte.hu, tglx@linutronix.de, hpa@zytor.com,
	arjan@linux.intel.com, linux-kernel@vger.kernel.org,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	Peter Zijlstra <a.p.zijlstra@chello.nl>
Subject: Re: [PATCH 1/2] x86: unify copy_from_user() size checking
Date: Sat, 26 Oct 2013 09:05:09 -0700	[thread overview]
Message-ID: <526BE835.2030608@roeck-us.net> (raw)
In-Reply-To: <20131026103109.GC14949@gmail.com>

On 10/26/2013 03:31 AM, Ingo Molnar wrote:
>
> * Jan Beulich <JBeulich@suse.com> wrote:
>
>> Commits 4a3127693001c61a21d1ce680db6340623f52e93 ("x86: Turn the
>> copy_from_user check into an (optional) compile time warning") and
>> 63312b6a6faae3f2e5577f2b001e3b504f10a2aa ("x86: Add a Kconfig option to
>> turn the copy_from_user warnings into errors") touched only the 32-bit
>> variant of copy_from_user(), whereas the original commit
>> 9f0cf4adb6aa0bfccf675c938124e68f7f06349d ("x86: Use
>> __builtin_object_size() to validate the buffer size for
>> copy_from_user()") also added the same code to the 64-bit one.
>>
>> Further the earlier conversion from an inline WARN() to the call to
>> copy_from_user_overflow() went a little too far: When the number of
>> bytes to be copied is not a constant (e.g. [looking at 3.11] in
>> drivers/net/tun.c:__tun_chr_ioctl() or
>> drivers/pci/pcie/aer/aer_inject.c:aer_inject_write()), the compiler
>> will always have to keep the funtion call, and hence there will always
>> be a warning. By using __builtin_constant_p() we can avoid this.
>>
>> And then this slightly extends the effect of
>> CONFIG_DEBUG_STRICT_USER_COPY_CHECKS in that apart from converting
>> warnings to errors in the constant size case, it retains the (possibly
>> wrong) warnings in the non-constant size case, such that if someone is
>> prepared to get a few false positives, (s)he'll be able to recover the
>> current behavior (except that these diagnostics now will never be
>> converted to errors).
>>
>> Since the 32-bit variant (intentionally) didn't call might_fault(), the
>> unification results in this being called twice now. Adding a suitable
>> #ifdef would be the alternative if that's a problem.
>
> Addressing that sanely would be nice.
>
>> I'd like to point out though that with __compiletime_object_size()
>> being restricted to gcc before 4.6, the whole construct is going to
>> become more and more pointless going forward. I would question
>> however that commit 2fb0815c9ee6b9ac50e15dd8360ec76d9fa46a2 ("gcc4:
>> disable __compiletime_object_size for GCC 4.6+") was really necessary,
>> and instead this should have been dealt with as is done here from the
>> beginning.
>
> Can we now revert 2fb0815c9ee6?
>

I sure don't mind if there is a different and better solution.

Guenter


  reply	other threads:[~2013-10-26 16:05 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-10-21  8:43 [PATCH 1/2] x86: unify copy_from_user() size checking Jan Beulich
2013-10-26 10:31 ` Ingo Molnar
2013-10-26 16:05   ` Guenter Roeck [this message]
2013-10-28  7:23   ` Jan Beulich
2013-10-28 10:55     ` Ingo Molnar
2013-10-29  9:43   ` Jan Beulich
2013-10-29  9:54     ` Ingo Molnar
2013-10-29 10:08       ` Jan Beulich
2013-10-29 10:12         ` Ingo Molnar
2013-11-25 16:15           ` [PATCH] x86: override __compiletime_object_size() Jan Beulich
2013-11-27 14:03             ` Ingo Molnar
2013-11-27 14:20               ` Jan Beulich
2013-11-27 14:36                 ` Ingo Molnar
2013-10-26 13:51 ` [tip:x86/asm] x86: Unify copy_from_user() size checking tip-bot for Jan Beulich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=526BE835.2030608@roeck-us.net \
    --to=linux@roeck-us.net \
    --cc=JBeulich@suse.com \
    --cc=a.p.zijlstra@chello.nl \
    --cc=akpm@linux-foundation.org \
    --cc=arjan@linux.intel.com \
    --cc=hpa@zytor.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mingo@elte.hu \
    --cc=mingo@kernel.org \
    --cc=tglx@linutronix.de \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.