Re: [PATCH] linux/nospec.h: allow index argument to have const-qualified type

From: Dan Williams <dan.j.williams@intel.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>,
	Thomas Gleixner <tglx@linutronix.de>,
	Will Deacon <will.deacon@arm.com>, Ingo Molnar <mingo@kernel.org>,
	stable <stable@vger.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] linux/nospec.h: allow index argument to have const-qualified type
Date: Thu, 15 Feb 2018 13:56:22 -0800	[thread overview]
Message-ID: <CAPcyv4hFn7jXLY43xTVPgzXVjECkpqhuj24mn5XXAyjiJq3Hyg@mail.gmail.com> (raw)
In-Reply-To: <CA+55aFzYyWLiWb_O3KFZiJAZPzoopaa2cuj8ByWDi4ERjg0ZHw@mail.gmail.com>

On Thu, Feb 15, 2018 at 12:59 PM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> On Thu, Feb 15, 2018 at 11:52 AM, Rasmus Villemoes
> <linux@rasmusvillemoes.dk> wrote:
>>
>> This way, we can allow index to have const-qualified type, which will in
>> some cases avoid the need for introducing a local copy of index of
>> non-const qualified type.
>
> Ack.
>
> That said, looking at this header file, I find a couple of of other issues..
>
>  (a) we should just remove the array_index_mask_nospec_check() thing.
>
>  (b) once fixed, there's no reason for that extra "_s" variable in
> array_index_nospec()
>
> That (a) thing causes horrible code generation, and is pointless and wrong.
>
> The "wrong" part is because it wants about "index" being larger than
> LONG_MAX, and that's really stupid and wrong, because by *definition*
> we don't trust index and it came from user space. The whole point was
> that array_index_nospec() would limit those things!
>
> Yes, it's true that the compiler may optimize that warning away if the
> type of 'index' is such that it cannot happen, but that doesn't make
> the warning any more valid.
>
> It is only the sign of *size* that can matter and be an issue.
> HOWEVER, even then it's wrong, because if "size" is of a signed type,
> the check in WARN_ONCE is pure garbage.
>
> To make matters worse, that warning means that
> array_index_mask_nospec_check() currently uses it's arguments twice.
> It so happens that the only current use of that macro is ok with that,
> because it's being extra careful, but it's *WRONG*. Macros that look
> like functions should not use arguments twice.

Yes, that piece is new and I should have noticed that breakage when I
reviewed that patch from Will.

>
> So (a) is just wrong right now. It's better to just remove it.
>
> A valid warning *might* be
>
>     WARN_ONCE((long)(size) < 0, "array_index_mask only works for sizes
> that fit in a positive long");
>
> but honestly, it's just not worth the code generation pain.

So I don't mind removing it, but I don't think it is garbage. It's
there purely as a notification to the odd kernel developer that wants
to pass "insane" index values, It compiles away in most cases because
all current users are sane and have indexes that are right sized. It
also used to be the case that it was only used when the arch did not
provide a custom array_index_mask_nospec(), but now that it is "on all
the time" I do think it is in the way.