Received: by 10.223.185.116 with SMTP id b49csp809544wrg;
        Fri, 16 Feb 2018 07:32:29 -0800 (PST)
X-Google-Smtp-Source: AH8x227jt9+VKyB63cfHrOQeSrcgaPgDc6XvuHO99yiRxPGJAMd5ZkAUq5xJ78Fe5jw1xYpcLYuh
X-Received: by 10.99.141.200 with SMTP id z191mr5397766pgd.418.1518795149762;
        Fri, 16 Feb 2018 07:32:29 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1518795149; cv=none;
        d=google.com; s=arc-20160816;
        b=isZ2vyyhlsetwHcYcOAylB9tqZCgXMvuMihCmqnSv/Jhhg+8kwV4H15NFBIhZmU7WQ
         Hj7T0pcGRii21zEmvn9bFFdYOpgQefSB3MBFLPu0ZFeVMyPoxrQh4HJkNCMaG7ie6TQN
         /R6sdJ0xMhioDXIQIUe9nBsEJFWZi89jrVVGBrJCF5bIC9Xe3w0sGC4DQHbTjLDiyX9I
         rFmlZH2xl7e0mJpUBLEC1tA8YEtsr3apbNSIFaXaCfPGgv+sdIkUCwCNu/5JMq3TsX66
         NUbRubGnqbT9BmV46wfO7G97AFHPY9dZEvadIhdaWDVLeXO23moV90YNdaWPKNcQxTTp
         Q66Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=wGPz4ZrCbrlN7vogzzSITwzcw1QdFbp902N+WSzp0xk=;
        b=d/XxuNQ6Y/RtRGpl9xtniCn6b25blpC/lpv9od3fw0Cpk7rfYNS5mAI4RQA+NIp5Jq
         7QZOjpkDXJKXykQK31JAHHp8vc1iGg5ir9wGXbj213klLhU44NoCt4rAeg1nFbcN+gcu
         8a9qkuJQAygsd0eJQPzIgbEWDBvZO5mRiVPjnFq/RSBvCLMILO09JqMqpEcczHgD/6H5
         Z1auO4MXVIa1OF5WY3vZrVodikuhbu8mPdYFLxI8GcxxKfhny62iEXQTVG4No1S94aaA
         Ofz3t/xwyKvbVA0+svxD5gUqf5MoOUWDVKvjRno/cxEfGt5D1WT3VROnMOBU25IyX18U
         +/Ug==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=sLiCkLya;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e68si743149pfa.94.2018.02.16.07.32.14;
        Fri, 16 Feb 2018 07:32:29 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@intel-com.20150623.gappssmtp.com header.s=20150623 header.b=sLiCkLya;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1164381AbeBOWIq (ORCPT <rfc822;jaysonjohndmello@gmail.com>
        + 99 others); Thu, 15 Feb 2018 17:08:46 -0500
Received: from mail-oi0-f65.google.com ([209.85.218.65]:32827 "EHLO
        mail-oi0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1162892AbeBOWIm (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 15 Feb 2018 17:08:42 -0500
Received: by mail-oi0-f65.google.com with SMTP id l124so991420oib.0
        for <linux-kernel@vger.kernel.org>; Thu, 15 Feb 2018 14:08:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=intel-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=wGPz4ZrCbrlN7vogzzSITwzcw1QdFbp902N+WSzp0xk=;
        b=sLiCkLyawbyz0rWztI0B1cAAqw5W48EJvnoGbMcIOLPU+8v6pjeInJ7Rx0c8BNqn8E
         W1Ckyxv3sxOIexsrzhopk02zx9y5yFYpuAIi176i1YtdIsmt2FLdhfHxi9LplKFusn3x
         Fn2bCGJXJI0uHU29afSIram2+hW35wTUMJ5F4IgvIl0p7bY8KYBkVKK+QAtnQcDh/l8C
         wk+Se91B1Efo1d73Yip0CSQGyqhyCa0DOED+6Fe28G/Rf57xmNPm4kvyXIJmseyKt4bl
         27ewSoz+NWLz+TKoj3WJG+FLQ7xBAK9Avqw3LIAz2hpyrkLEI2RyrOu1CZsLQT8iOZHV
         imIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=wGPz4ZrCbrlN7vogzzSITwzcw1QdFbp902N+WSzp0xk=;
        b=eQDCK6rYAOghPd/XkQFAHjppTLU0wq26UsLp7q+f6nwfdzPWoxMRZ13qbpsIRPLZjs
         pUKoym4ZpeCmS+RCumKAD0GQ+dFzKOcVdFk6WJVwYY4naBGO3zvLINtFRQ0A9u2iTIZc
         kCT5nGsuti3xJpSGIoc9WcmIw+0SaNMUV66c43g9EDAXInKO3dQWrAdq+3xrFXT7K6+Z
         Cu/A1QiHh1UyJSoRPiNp2nzlmU/DcDm3VoBXsGPplQ+x0gCPvRKu5iNVQYtNKeyV10eA
         9HttEfixfhs4x3M974BUXj0ISbSaj8aDGN/S9kxSsK7Yy1MIXv9cnyIVDiPHBsp2OtlZ
         J7Qg==
X-Gm-Message-State: APf1xPA+Q4dZDpz3Qw3nrA0rGLXoEtj/mtEwn9TU7AVWJHbHC/mdN7gi
        ASHGO6DirZrLOpnu09KlPfzAtIWwiKrHzxryjw9JQw==
X-Received: by 10.202.17.25 with SMTP id 25mr2721590oir.187.1518732521671;
 Thu, 15 Feb 2018 14:08:41 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.17.229 with HTTP; Thu, 15 Feb 2018 14:08:41 -0800 (PST)
In-Reply-To: <CA+55aFz7g4wuwgc7hNFfYf+OqgPax3-F=yz8Xar7iemTin=FEg@mail.gmail.com>
References: <CAPcyv4i-bULZp1WTUgUVtdEY5i_fTGkFWKBsVLDu6dsuxUwoug@mail.gmail.com>
 <20180215195209.15299-1-linux@rasmusvillemoes.dk> <CA+55aFzYyWLiWb_O3KFZiJAZPzoopaa2cuj8ByWDi4ERjg0ZHw@mail.gmail.com>
 <CAPcyv4hFn7jXLY43xTVPgzXVjECkpqhuj24mn5XXAyjiJq3Hyg@mail.gmail.com> <CA+55aFz7g4wuwgc7hNFfYf+OqgPax3-F=yz8Xar7iemTin=FEg@mail.gmail.com>
From:   Dan Williams <dan.j.williams@intel.com>
Date:   Thu, 15 Feb 2018 14:08:41 -0800
Message-ID: <CAPcyv4iDDBWD09b5Pm5=D8+EKZQpMfK4zs1dGfptf5Sf8sSdJA@mail.gmail.com>
Subject: Re: [PATCH] linux/nospec.h: allow index argument to have
 const-qualified type
To:     Linus Torvalds <torvalds@linux-foundation.org>
Cc:     Rasmus Villemoes <linux@rasmusvillemoes.dk>,
        Thomas Gleixner <tglx@linutronix.de>,
        Will Deacon <will.deacon@arm.com>,
        Ingo Molnar <mingo@kernel.org>,
        stable <stable@vger.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Feb 15, 2018 at 2:03 PM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> On Thu, Feb 15, 2018 at 1:56 PM, Dan Williams <dan.j.williams@intel.com> wrote:
>>
>> So I don't mind removing it, but I don't think it is garbage. It's
>> there purely as a notification to the odd kernel developer that wants
>> to pass "insane" index values,
>
> But the thing is, the "index" value isn't even kernel-supplied.
>
> Here's a test:  run a 32-bit kernel, and then do an ioctl() or
> something with a negative fd.
>
> What I think will happen is:
>
>  - the negative fd will be seen as a big 'unsigned int' here:
>
>         fcheck_files(struct files_struct *files, unsigned int fd)
>
> which then does
>
>                 fd = array_index_nospec(fd, fdt->max_fds);
>
> and that existing *STUPID* and *WRONG* WARN_ON() will trigger.
>
> Sure, you can't trigger it on 64-bit kernels because there the
> "unsigned int" will be small compared to LONG_MAX, but..
>
> It is simply is *wrong* to check the "index".  It really fundamentally
> is complete garbage.
>
> Because the whole - and ONLY - *point* of this is that you have an
> untrusted index. So checking it and giving a warning when it's out of
> range is pure garbage.
>
> Really. That warning must go away. Stop arguing for it, it's stupid and wrong.

True, I had been myopically focused on the 64-bit case.

> Checking _size_ is one thing, but honestly, that's questionable too.

Nah, I'm not going to argue for that.