Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp4994247ybl;
        Sat, 21 Dec 2019 19:13:38 -0800 (PST)
X-Google-Smtp-Source: APXvYqwTkhOCF68tn279pKxvv2qWD3No/Xhk7R94BeirT+016mMukeZuIOh/+2wn9dwtFpLf6dIv
X-Received: by 2002:a05:6830:1e21:: with SMTP id t1mr4434024otr.194.1576984418377;
        Sat, 21 Dec 2019 19:13:38 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1576984418; cv=none;
        d=google.com; s=arc-20160816;
        b=Sh0aw2mwroGovM8qKYhkiZOTo8zP+2AoWvqzWxnJDARABdXDnAUfGg12tu1ADQ8IOK
         K/CVC7zftY8Szu9kpoB2+S69xdSzS6Qvep8O2v7N24MmMKZ4jZxttw/duOlFsKjJygyQ
         4LAadk9/IjLOdd+wO3436pGasbjnXpal0RhW6A1vcVEj8QXgeDzMlgt5GHg4e9FlzhV3
         Vrmpnh1OheyykWLRRb0fNCIl3Rjrvofg3AD3wt/D0ZavyLFg1coWSMYkD/gAgbTYNOau
         /xqyl8sxrbqAnDDWXc/doMrPFuwGq5MYPgRiNNBpH1JJtQQJhnVxoG/Kth15MXfKVAB/
         9htA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=FLxLMHWzhvsAyc7YSZ1UcqmlBwxpr3w938KiSSxaokg=;
        b=uAQG9DmiEjxs1oKAAFZLIh/7kzhh5xKFkUjd7cgfM43Re/ol2JpFDi/EJdDBgiHoZI
         Ny/2MeTs4yB/jmxUtv4AeckE8DaalZ5/bKIViu2qw75FGpWWQHN4rBvMnJO5n8xsInBE
         ACTioyhtm/0jX5GCSxzgySy4/8CQJZo1/fs+5Y5oBklRfF9O4eBHG8+kSh5Wpx6APX1N
         O2ua5I8irzGlRGHj0UROShGNejF7LqJNOTPw1iVCSbx+owUxlGiESfzTNcfrKEH4byrt
         f/mMzvIToAVsfXqDSK4eVrwtM577an0pyaMHaU2pZdxo+GHC+yx5zpNujSVx/WAF5eYk
         pRQw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b="J//ypFVJ";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c24si8066458otf.14.2019.12.21.19.13.13;
        Sat, 21 Dec 2019 19:13:38 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b="J//ypFVJ";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726549AbfLVDJT (ORCPT <rfc822;ahaning.tech@gmail.com>
        + 99 others); Sat, 21 Dec 2019 22:09:19 -0500
Received: from mail-ot1-f67.google.com ([209.85.210.67]:39797 "EHLO
        mail-ot1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726318AbfLVDJS (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 21 Dec 2019 22:09:18 -0500
Received: by mail-ot1-f67.google.com with SMTP id 77so17350691oty.6
        for <linux-kernel@vger.kernel.org>; Sat, 21 Dec 2019 19:09:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:in-reply-to:user-agent;
        bh=FLxLMHWzhvsAyc7YSZ1UcqmlBwxpr3w938KiSSxaokg=;
        b=J//ypFVJPHCHhD3mOZb7/3Ti3EJCW6jmrc3PIdLwqX4nQxX4Lmwah28XNfXUoXIl0O
         xDwdR/qYwLFvn3mcvv10Q55wtQnb3Ar07tzDUwFHRbOf4aFJQQvzdG95mw2TD/YQm/3G
         zk9Mnu8tU8jZoAqdk+huPCtjYQz6MEBaRZ55aK96mAbIP77k7ff30hAdpwtW/cxmKa45
         Qdhbm0Pgklj6g2XvVUxY3+SWJU5L733Za8z3iE+LnFfEt/5PBD9IXUtkAtKwkiPEwY+W
         nPTYpq+XviR4cUR0S/KRpKrcmRwhGXN5pdVITJJ3Fn3ryv0dwEVfbk3CNcODs6toZHsz
         OeFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=FLxLMHWzhvsAyc7YSZ1UcqmlBwxpr3w938KiSSxaokg=;
        b=OZs9HOA9EegqqUMV9vC+XhSGUwRiqZz6unBl2i/W+75WHZBKriwqNkd8P+ERR9sx8x
         s5qAAltgqMPl/0yaWGYr1pfQ/8odKQmz7NmbrD2VkDTyo8fBFKUaoYr4dWsN0MrUNo/T
         2EQkbty3IGzs3WbpJzENqbwaiIJ2gToZELhM8TbmMRHwl2aD9T88uk1R7xGNjN+8yhKD
         ygOGVZYMefuYCWloljlCVWueFC4S6n+ML4dR6rR/ClEUHeFhaExLdt5x2nR+QFwz4MRC
         JXonyWBVOw0iK1DLhLKU8PC1buuYBkB7zdg/b+NoJyjUVBEQBx+EA9DomA1RzhKMXZ3N
         SuyQ==
X-Gm-Message-State: APjAAAXDTNFpzilD+leCY39M2itbOjUpHcTKlZuaIquLyFVmc3Ow0CuD
        nx7UUcxYx/dj7yZqql0x5EfR7Sln
X-Received: by 2002:a05:6830:1cd3:: with SMTP id p19mr8523090otg.70.1576984157645;
        Sat, 21 Dec 2019 19:09:17 -0800 (PST)
Received: from ubuntu-m2-xlarge-x86 ([2604:1380:4111:8b00::1])
        by smtp.gmail.com with ESMTPSA id 47sm5494666otf.54.2019.12.21.19.09.16
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Sat, 21 Dec 2019 19:09:16 -0800 (PST)
Date:   Sat, 21 Dec 2019 20:09:15 -0700
From:   Nathan Chancellor <natechancellor@gmail.com>
To:     Nick Desaulniers <ndesaulniers@google.com>
Cc:     Chris Wilson <chris@chris-wilson.co.uk>,
        Jani Nikula <jani.nikula@linux.intel.com>,
        Joonas Lahtinen <joonas.lahtinen@linux.intel.com>,
        Rodrigo Vivi <rodrigo.vivi@intel.com>,
        intel-gfx@lists.freedesktop.org,
        dri-devel <dri-devel@lists.freedesktop.org>,
        LKML <linux-kernel@vger.kernel.org>,
        clang-built-linux <clang-built-linux@googlegroups.com>,
        Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH] drm/i915: Remove tautological compare in eb_relocate_vma
Message-ID: <20191222030915.GA27679@ubuntu-m2-xlarge-x86>
References: <20191123195321.41305-1-natechancellor@gmail.com>
 <157453950786.2524.16955749910067219709@skylake-alporthouse-com>
 <CAKwvOdniXqn3xt3-W0Pqi-X1nWjJ2vUVofjCm1O-UPXZ7_4rXw@mail.gmail.com>
 <157538056769.7230.15356495786856166580@skylake-alporthouse-com>
 <CAKwvOd=ov789Lixdq8QE+MVXeYyh=W_sODSuj++4T8uF-hpVMw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAKwvOd=ov789Lixdq8QE+MVXeYyh=W_sODSuj++4T8uF-hpVMw@mail.gmail.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Dec 03, 2019 at 10:45:22AM -0800, Nick Desaulniers wrote:
> On Tue, Dec 3, 2019 at 5:42 AM Chris Wilson <chris@chris-wilson.co.uk> wrote:
> >
> > Quoting Nick Desaulniers (2019-12-02 19:18:20)
> > > On Sat, Nov 23, 2019 at 12:05 PM Chris Wilson <chris@chris-wilson.co.uk> wrote:
> > > >
> > > > Quoting Nathan Chancellor (2019-11-23 19:53:22)
> > > > > -Wtautological-compare was recently added to -Wall in LLVM, which
> > > > > exposed an if statement in i915 that is always false:
> > > > >
> > > > > ../drivers/gpu/drm/i915/gem/i915_gem_execbuffer.c:1485:22: warning:
> > > > > result of comparison of constant 576460752303423487 with expression of
> > > > > type 'unsigned int' is always false
> > > > > [-Wtautological-constant-out-of-range-compare]
> > > > >         if (unlikely(remain > N_RELOC(ULONG_MAX)))
> > > > >             ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~
> > > > >
> > > > > Since remain is an unsigned int, it can never be larger than UINT_MAX,
> > > > > which is less than ULONG_MAX / sizeof(struct drm_i915_gem_relocation_entry).
> > > > > Remove this statement to fix the warning.
> > > >
> > > > The check should remain as we do want to document the overflow
> > > > calculation, and it should represent the types used -- it's much easier
> > >
> > > What do you mean "represent the types used?"  Are you concerned that
> > > the type of drm_i915_gem_exec_object2->relocation_count might change
> > > in the future?
> >
> > We may want to change the restriction, yes.
> >
> > > > to review a stub than trying to find a missing overflow check. If the
> > > > overflow cannot happen as the types are wide enough, no problem, the
> > > > compiler can remove the known false branch.
> > >
> > > What overflow are you trying to protect against here?
> >
> > These values are under user control, our validation steps should be
> > clear and easy to check. If we have the types wrong, if the checks are
> > wrong, we need to fix them. If the code is removed because it can be
> > evaluated by the compiler to be redundant, it is much harder for us to
> > verify that we have tried to validate user input.
> >
> > > > Tautology here has a purpose for conveying information to the reader.
> > >
> > > Well leaving a warning unaddressed is also not a solution.  Either
> > > replace it with a comment or turn off the warning for your subdir.
> >
> > My personal preference would be to use a bunch of central macros for the
> > various type/kmalloc overflows, and have the warnings suppressed there
> > since they are very much about documenting user input validation.
> > -Chris
> 
> Is kmalloc_array what you're looking for?  Looks like it has the
> `check_mul_overflow` call in it.

I don't think kmalloc_array is right because we are not validating an
allocation. I am not sure that any of these overflow macros are correct,
we would probably need something new but I am not sure.

Cheers,
Nathan