Re: GCC bug ? Re: [PATCH v2 10/10] powerpc/32s: Implement Kernel Userspace Access Protection

From: Christophe Leroy
Date: Wed Jan 22 2020 - 01:52:14 EST

Next message: light.hsieh: "[PATCH v8 2/6] pinctrl: mediatek: Supporting driving setting without mapping current to register value"
Previous message: Cyrill Gorcunov: "Re: [PATCH] x86/fpu: remove unused macros"
In reply to: Segher Boessenkool: "Re: GCC bug ? Re: [PATCH v2 10/10] powerpc/32s: Implement Kernel Userspace Access Protection"
Next in thread: Segher Boessenkool: "Re: GCC bug ? Re: [PATCH v2 10/10] powerpc/32s: Implement Kernel Userspace Access Protection"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Le 21/01/2020 Ã 20:55, Segher Boessenkool a ÃcritÂ:

On Tue, Jan 21, 2020 at 05:22:32PM +0000, Christophe Leroy wrote:

g1() should return 3, not 5.

What makes you say that?

What makes me say that is that NULL is obviously a constant pointer and I think we are all expecting gcc to see it as a constant during kernel build, ie at -O2

"A return of 0 does not indicate that the
value is _not_ a constant, but merely that GCC cannot prove it is a
constant with the specified value of the '-O' option."

(And the rules it uses for this are *not* the same as C "constant
expressions" or C "integer constant expression" or C "arithmetic
constant expression" or anything like that -- which should be already
obvious from that it changes with different -Ox).

You can use builtin_constant_p to have the compiler do something better
if the compiler feels like it, but not anything more. Often people
want stronger guarantees, but when they see how much less often it then
returns "true", they do not want that either.

in asm/book3s/64/kup-radix.h we have:

static inline void allow_user_access(void __user *to, const void __user *from,
unsigned long size)
{
// This is written so we can resolve to a single case at build time
if (__builtin_constant_p(to) && to == NULL)
set_kuap(AMR_KUAP_BLOCK_WRITE);
else if (__builtin_constant_p(from) && from == NULL)
set_kuap(AMR_KUAP_BLOCK_READ);
else
set_kuap(0);
}

and in asm/kup.h we have:

static inline void allow_read_from_user(const void __user *from, unsigned long size)
{
allow_user_access(NULL, from, size);
}

static inline void allow_write_to_user(void __user *to, unsigned long size)
{
allow_user_access(to, NULL, size);
}

If GCC doesn't see NULL as a constant, then the above doesn't work as expected.

What's surprising and frustrating is that if you remove the __builtin_constant_p() and only leave the NULL check, then GCC sees it as a constant and drops the other leg.

So if we remove the __builtin_constant_p(to) and leave only the (to == NULL), it will work as expected for allow_read_from_user(). But for the others where (to) is not a constant, the NULL test will remain together with the associated leg.

Christophe

Next message: light.hsieh: "[PATCH v8 2/6] pinctrl: mediatek: Supporting driving setting without mapping current to register value"
Previous message: Cyrill Gorcunov: "Re: [PATCH] x86/fpu: remove unused macros"
In reply to: Segher Boessenkool: "Re: GCC bug ? Re: [PATCH v2 10/10] powerpc/32s: Implement Kernel Userspace Access Protection"
Next in thread: Segher Boessenkool: "Re: GCC bug ? Re: [PATCH v2 10/10] powerpc/32s: Implement Kernel Userspace Access Protection"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]