Re: [PATCH] kbuild: Remove CONFIG_DEBUG_SECTION_MISMATCH

Re: [PATCH] kbuild: Remove CONFIG_DEBUG_SECTION_MISMATCH

[Nick Desaulniers]

Lore thread start for newly cc'ed ML readers:
https://lore.kernel.org/lkml/7fad83ecde03540e65677959034315f8fbb3755e.1649434832.git.jpoimboe@redhat.com/

On Fri, Apr 8, 2022 at 12:14 PM Peter Zijlstra <peterz@infradead.org> wrote:
>
> On Sat, Apr 09, 2022 at 03:29:21AM +0900, Masahiro Yamada wrote:
> > Is [2] caused by dead code that was not optimized out
> > due to the unusual inlining decisions by the compiler ?
>
> The complaint is due to SMAP validation; objtool will scream if there's
> a CALL in between STAC/CLAC. The thinking is that since they open a
> security window, we want tight code between them. We also very much
> don't want tracing and other funnies to happen there. As such, any CALL
> is dis-allowed.

Just indirect calls, which might be manipulated, or static calls, too?

>
> This weird option is having us upgrade quite a few 'inline' to
> '__always_inline'.

As is, the assumption that __init functions only call other __init
functions or __always_inline is a brittle house of cards that leads to
a "what color is your function" [0] scenario, and leads to code that
happens to not emit warnings for compiler X (or compiler X version Y).
There's also curious exceptions in modpost that look like memory leaks
to me.

We already have such toolchain portability issues for different
toolchains and different configs; warnings from section mismatches,
and objtool STAC/CLAC checks.  I feel that Josh's patch would sweep
more of those under the rug, so I'm not in favor of it, but could be
convinced otherwise.

TBH, I kind of think that we could use a C extension to permit
__attribute__((always_inline)) to additionally be a statement
attribute, rather than just a function attribute because of cases like
this; we need the flexibility to make one call site __always_inline
without necessarily forcing ALL callsites to be __always_inline'd.

void y (void);
void x (void) { __attribute__((always_inline)) y(); };

(This is already expressable in LLVM IR; not (yet) in C. I'm not sure
yet _why_ this was added to LLVM; whether a different language front
end can express this, if C can and I'm mistaken, or whether it's only
used for optimizations).

I think that would give developers maximal flexibility to defer as
much to the compiler's inlining decisions when they don't care, and
express precisely what they need when they do [care].

[0] https://journal.stuffwithstuff.com/2015/02/01/what-color-is-your-function/
-- 
Thanks,
~Nick Desaulniers

Re: [PATCH] kbuild: Remove CONFIG_DEBUG_SECTION_MISMATCH

[Nick Desaulniers]

On Fri, Apr 8, 2022 at 1:08 PM Nick Desaulniers <ndesaulniers@google.com> wrote:
>
> Lore thread start for newly cc'ed ML readers:
> https://lore.kernel.org/lkml/7fad83ecde03540e65677959034315f8fbb3755e.1649434832.git.jpoimboe@redhat.com/
>
> On Fri, Apr 8, 2022 at 12:14 PM Peter Zijlstra <peterz@infradead.org> wrote:
> >
> > This weird option is having us upgrade quite a few 'inline' to
> > '__always_inline'.
>
> As is, the assumption that __init functions only call other __init
> functions or __always_inline is a brittle house of cards that leads to
> a "what color is your function" [0] scenario, and leads to code that
> happens to not emit warnings for compiler X (or compiler X version Y).
> There's also curious exceptions in modpost that look like memory leaks
> to me.

These assumptions perhaps made more sense in a world prior to
commit 889b3c1245de ("compiler: remove CONFIG_OPTIMIZE_INLINING entirely")
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=889b3c1245de48ed0cacf7aebb25c489d3e4a3e9

(I view 889b3c1245de favorably; perhaps this whole thread is just
fallout from that change though.  It's also interesting to note that
CONFIG_OPTIMIZE_INLINING was enabled in the i386 and x86_64
defconfigs. That might color some folk's experience with the use of
`inline` in the kernel sources and whether "inline means
__attribute__((always_inline))").
-- 
Thanks,
~Nick Desaulniers

Re: [PATCH] kbuild: Remove CONFIG_DEBUG_SECTION_MISMATCH

[Peter Zijlstra]

On Fri, Apr 08, 2022 at 01:08:47PM -0700, Nick Desaulniers wrote:
> Lore thread start for newly cc'ed ML readers:
> https://lore.kernel.org/lkml/7fad83ecde03540e65677959034315f8fbb3755e.1649434832.git.jpoimboe@redhat.com/
> 
> On Fri, Apr 8, 2022 at 12:14 PM Peter Zijlstra <peterz@infradead.org> wrote:
> >
> > On Sat, Apr 09, 2022 at 03:29:21AM +0900, Masahiro Yamada wrote:
> > > Is [2] caused by dead code that was not optimized out
> > > due to the unusual inlining decisions by the compiler ?
> >
> > The complaint is due to SMAP validation; objtool will scream if there's
> > a CALL in between STAC/CLAC. The thinking is that since they open a
> > security window, we want tight code between them. We also very much
> > don't want tracing and other funnies to happen there. As such, any CALL
> > is dis-allowed.
> 
> Just indirect calls, which might be manipulated, or static calls, too?

Any CALL instruction is a no-no. Only 'simple' code is allowed between
STAC and CLAC.

> > This weird option is having us upgrade quite a few 'inline' to
> > '__always_inline'.
> 
> As is, the assumption that __init functions only call other __init
> functions or __always_inline is a brittle house of cards that leads to
> a "what color is your function" [0] scenario, and leads to code that
> happens to not emit warnings for compiler X (or compiler X version Y).
> There's also curious exceptions in modpost that look like memory leaks
> to me.
> 
> We already have such toolchain portability issues for different
> toolchains and different configs; warnings from section mismatches,
> and objtool STAC/CLAC checks.  I feel that Josh's patch would sweep
> more of those under the rug, so I'm not in favor of it, but could be
> convinced otherwise.
> 
> TBH, I kind of think that we could use a C extension to permit
> __attribute__((always_inline)) to additionally be a statement
> attribute, rather than just a function attribute because of cases like
> this; we need the flexibility to make one call site __always_inline
> without necessarily forcing ALL callsites to be __always_inline'd.
> 
> void y (void);
> void x (void) { __attribute__((always_inline)) y(); };
> 
> (This is already expressable in LLVM IR; not (yet) in C. I'm not sure
> yet _why_ this was added to LLVM; whether a different language front
> end can express this, if C can and I'm mistaken, or whether it's only
> used for optimizations).
> 
> I think that would give developers maximal flexibility to defer as
> much to the compiler's inlining decisions when they don't care, and
> express precisely what they need when they do [care].
> 
> [0] https://journal.stuffwithstuff.com/2015/02/01/what-color-is-your-function/

So in the case of that latest __always_inline patch, there was only a
single caller. New syntax would buy us absolutely nothing there.

If we're talking extentions, I'd much rather have function spaces. That
is, being able to tag functions *AND* function pointers with an address
space qualifier.

I want to be able to create a function pointer that can only be assigned
functions from the noinstr space for example. Ideally calling such a
functino pointer would only be possible from within that space.

Anyway, let me go read that blog you linked.

Re: [PATCH] kbuild: Remove CONFIG_DEBUG_SECTION_MISMATCH

[Peter Zijlstra]

On Fri, Apr 08, 2022 at 10:32:28PM +0200, Peter Zijlstra wrote:

> > > This weird option is having us upgrade quite a few 'inline' to
> > > '__always_inline'.
> > 
> > As is, the assumption that __init functions only call other __init
> > functions or __always_inline is a brittle house of cards that leads to
> > a "what color is your function" [0] scenario, and leads to code that
> > happens to not emit warnings for compiler X (or compiler X version Y).
> > There's also curious exceptions in modpost that look like memory leaks
> > to me.

So I don't see __always_inline that way (also I'm in the 'inline' should
be '__always_inline' camp).

To me inline is more like: 'instantiate that pattern *here*'. It's like
CPP macros, only less horrible. You get the code generated according to
the local rules (instrumentation yes/no, section, and whatever other
function attributes we have that affect code-gen).

So with inline we can get the same pattern instantiated a number of
different times, leading to different actual code, without having to
type the whole thing multiple times (which would be terrible for
maintenance) etc..

Combine __always_inline with constant propagation of inline function
'pointers' and you get do beautiful things ;-) /me runs