Received: by 10.223.185.116 with SMTP id b49csp7230101wrg; Thu, 1 Mar 2018 01:59:35 -0800 (PST) X-Google-Smtp-Source: AG47ELs0hr00uZj1a6y6FoLo9e0Yw46BZlAKAiHG30cGfgXqJxu7mlGnaOhLNjBtGujooMefUQpF X-Received: by 10.99.171.70 with SMTP id k6mr1091580pgp.355.1519898375869; Thu, 01 Mar 2018 01:59:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519898375; cv=none; d=google.com; s=arc-20160816; b=g/EOZUxBr+QOSKyAGlvF+nK/qPwKM+xFYLl59yAOXKDo938Ob581idTvLzvk/oyyah MgifVC7F5x0RM/r+6TzZnZCyGx6TuZS0a8oeKSVhCdNYkh2ceXq20ezY78XtTEXY3mYf 0lfqaNOkxGNtjxsaVafbgRaGFQ+f2j90MtK2XGLdAFhFohDNPIyrPQ2An5mC5EBDoOg+ qAkyNCsHIpNm2rdUyXBs8qbPJpKTpc0hRLHB1KpWIuVx38RogXvtCgZdklPqESfxOrFo 8qYFFLZnK7UHbmZC5dws50/dnjKcBjcwSOtpQNPjce73HrATS9zt2zFsbYJpemP7jwKe /ikg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=zLnjBcFRZZde/xT4A5GUPWo7VmLHENlTmBUX52lnNKI=; b=hliZlSAo8+Bc17T6uWpi5KFBFz72yqs36wYlTXTEKyumsX9yvPPMpIEWYcp+R79ZPU HOsn+x8yeHw7AfvpoqNR+G77bE5DyR/XkFY02zlJsiqScV4Z7NJYDupAwtjJJerJWtAJ z6rxwCHAFve2yoiBJT8jlbN+8dGkoquPdbgLoVSj+heZtzLcj+4lBRlAeOu0DSII/nEO AGGMdWdQSguF70//+wYrtQTBynhJf94DMR1tyw2R7JbTZUYHOQbKFw/rbnAsKCHGQXwJ r8AXgvRAOdDU6y7Ji2MluwBR0fk47gf0u7P9T0daLwJGAgDd8mC2QwqcLBFqfz7Rjj37 5zng== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=dt5l1fY1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u17si2197257pgv.116.2018.03.01.01.59.20; Thu, 01 Mar 2018 01:59:35 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=dt5l1fY1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S967290AbeCAJ5y (ORCPT + 99 others); Thu, 1 Mar 2018 04:57:54 -0500 Received: from mail-qt0-f194.google.com ([209.85.216.194]:43915 "EHLO mail-qt0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S967141AbeCAJ5v (ORCPT ); Thu, 1 Mar 2018 04:57:51 -0500 Received: by mail-qt0-f194.google.com with SMTP id d26so6749113qtk.10 for ; Thu, 01 Mar 2018 01:57:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=zLnjBcFRZZde/xT4A5GUPWo7VmLHENlTmBUX52lnNKI=; b=dt5l1fY1oeHCMSsbfadycXwLu9D4WCMHbnOFjkmHGcpnPJdbF/3TGfB5MH9fX7A0FO f8zcTfES7zRA4quaGLoQS6C8L9u/LSdeh4dboHRtiooRi4hwHroRfjhyaiAsHtIBphyU z0cEZiDdfpRQr2D3Ep7yZDPJznbb0TE8nxEKMfA+Z2MO0thUNuswAMihdmE2UXXtSr3C yZY7a3NMZioTmXGM2+vHtUbCXoHes2LNHfIlMeDO8lHqd9XMVMdEnjuCygx4EorV2fxY iubPRC2rsKd3es3VIUvFdC2T5yixeqph1ksUKWS/cfSnBPk412VZjIl+mhNsgd99itf2 J4LA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=zLnjBcFRZZde/xT4A5GUPWo7VmLHENlTmBUX52lnNKI=; b=l+M9kis7QTIF9DCOEodC+f5OMG6MQ0rKMKFdSkMzn4S1SFe8ZkBDvCGZKW1uHVtR5+ Smp+TpcGhxiYJf9J51WA9sCauP6watQW693ShqZKCbj07WFaSpyIkTj1YfjvhVtLP4DA CwlOQMso9pA2NbeOTgTJZTFldu4W7WPHqm2gM4odlEP9OsNrkmxz2euqI1xVYi+J4mn6 c8Vuoqhxnl3lsu/rNvnppQcJEYx46imbqwBJ97kZglL9rrsUCYgwQI2iMS8QOihMgtBW rzAEc26IZuWLYxcHdwcjjHinE/JMMp6jGY33DXIOF1TuKCp4pW9enOrC59tRxWagSkun 5L6A== X-Gm-Message-State: AElRT7ESuUjz98LDqekIaE0rAIcoLVPPuojAY/OVbyPpE4Tyt2WUD808 2dQ4IBpKeWJzcEWBitvH+JqpNY/w/5dAhThnlEQ= X-Received: by 10.200.56.153 with SMTP id f25mr2058802qtc.9.1519898270365; Thu, 01 Mar 2018 01:57:50 -0800 (PST) MIME-Version: 1.0 Received: by 10.12.185.46 with HTTP; Thu, 1 Mar 2018 01:57:49 -0800 (PST) In-Reply-To: References: <20180217191035.gol4woxsgzpo4bfq@gmail.com> From: Arnd Bergmann Date: Thu, 1 Mar 2018 10:57:49 +0100 X-Google-Sender-Auth: 2tvNMmOClD8FrgcGmXAcA1BKzcY Message-ID: Subject: Re: [PATCH] Support the nonstring variable attribute (gcc >= 8) To: Miguel Ojeda Cc: David Rientjes , Ingo Molnar , Josh Poimboeuf , Kees Cook , Andrew Morton , Thomas Gleixner , Geert Uytterhoeven , Greg KH , "Lendacky, Thomas" , Will Deacon , linux-kernel , Willy Tarreau , Xiongfeng Wang , Martin Sebor Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Feb 19, 2018 at 1:01 AM, Miguel Ojeda wrote: > On Mon, Feb 19, 2018 at 12:20 AM, David Rientjes wrote: >> On Sat, 17 Feb 2018, Miguel Ojeda wrote: >> >>> From the GCC manual: >>> >>> The nonstring variable attribute specifies that an object or member >>> declaration with type array of char or pointer to char is intended to >>> store character arrays that do not necessarily contain a terminating NUL >>> character. This is useful in detecting uses of such arrays or pointers >>> with functions that expect NUL-terminated strings, and to avoid warnings >>> when such an array or pointer is used as an argument to a bounded string >>> manipulation function such as strncpy. >>> >>> https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html >>> >>> Some reports are already coming to the LKML regarding these >>> warnings. When they are false positives, we can use __nonstring to let >>> gcc know a NUL character is not required; like in this case: >>> >>> https://lkml.org/lkml/2018/1/16/135 >>> >>> Signed-off-by: Miguel Ojeda >>> Cc: Ingo Molnar >>> Cc: Josh Poimboeuf >>> Cc: Kees Cook >>> Cc: Andrew Morton >>> Cc: Geert Uytterhoeven >>> Cc: Will Deacon >>> Cc: Greg Kroah-Hartman >>> Cc: David Rientjes >> >> I would have expected to have seen __nonstring used somewhere as part of >> this patch. > > Do you mean to expand the commit message with an actual code example > instead of the links to the docs and the discussion about the report? > Otherwise, if you mean in the actual commit, I think in that case it > should be a patch series, not a single commit. > > In any case, the key point here is to agree on the short-term policy: > i.e. whether we want to disable the upcoming warning or try to take > advantage of it (which not *necessarily* implies using __nonstring, > there are other workarounds; though where applicable, __nonstring is > probably the right thing to use). What David was asking for is to have a couple of users of the __nonstring attribute in places for which it is the right solution. I would suggest making it a patch series, with patch 1/x introducing the attribute (i.e. your patch), and followed by additional patches that add the attribute to individual header files or drivers for which it is the right solution. When I looked at the warning, I found that we have around 120 file for which we warn. The majority of them are actually questionable uses of strncpy() that probably should have been strscpy(), but most of those do not actually cause undefined behavior. A smaller number like the example from ext4 are nonstrings (i.e. character arrays without nul-termination) that would benefit from the nonstring attribute. About half of those are actually arrays of u8/__u8/uint8_t/__uint8_t for which the currently implemented nonstring attribute is invalid, and it seems odd to convert those to 'char', e.g. struct ext4_super_block { __le32 s_first_error_time; /* first time an error happened */ __le32 s_first_error_ino; /* inode involved in first error */ __le64 s_first_error_block; /* block involved of first error */ - __u8 s_first_error_func[32]; /* function where the error happened */ + char s_first_error_func[32] __nonstring; /* function where the error happened */ __le32 s_first_error_line; /* line number where error happened */ __le32 s_last_error_time; /* most recent time of an error */ __le32 s_last_error_ino; /* inode involved in last error */ __le32 s_last_error_line; /* line number where error happened */ __le64 s_last_error_block; /* block involved of last error */ - __u8 s_last_error_func[32]; /* function where the error happened */ + char s_last_error_func[32] __nonstring; /* function where the error happened */ doesn't feel right. Maybe we can extend gcc to also accept the attribute on arrays of other 8-bit types. > [By the way, CC'ing Xiongfeng, Willy and Arnd, since they were > involved in the example report; sorry guys!]. Martin Sebor also asked me about this, he's the one that worked on the gcc code that introduced the warning. Sorry for not replying earlier. For a complete list of affected files, see https://pastebin.com/eWFQf58i this is what I come up with by doing randconfig builds, but I have not tried to submit additional patches here, since I'm sure that a lot of those are wrong -- they need a much closer inspection to decide which ones are actual bugs vs harmless warnings, and which ones should use strscpy()/strlcpy() vs a nonstring annotation or a rewrite of that function. Arnd