Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp3380826pxb; Mon, 17 Jan 2022 19:07:50 -0800 (PST) X-Google-Smtp-Source: ABdhPJxY8EZw8fLT991YqbyDvkinOprWvsYLgqP4wH0i4NDp90yJrf5fGUgimj49/75ebC0zjWSx X-Received: by 2002:a17:90a:1b49:: with SMTP id q67mr546773pjq.230.1642475269837; Mon, 17 Jan 2022 19:07:49 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642475269; cv=none; d=google.com; s=arc-20160816; b=pFO0EJxZS0N6CqzgED3O92XJZI2cvJwUm7IzxsquIWOCpgx/O6dDu0xhkYyFZTG2JN UZ/ubF5+7CMTn7sWDhwGTM4SGvFSJLB/j6/lnO4QKzCqEfLJAoin5ma07aPtf34x7RKf IzjgO8UzDBw9kzqJ3CKaLKlyXNNcaivYalKa0J1vjbv8BQh7zIbxA7JmfNKCYpNourZU Qhd9miVHogq8DBIjGlYs1v+/SIHIhMux5vLDUgjnEvj1GMXyFzjkZ2/HKx5PIRus0N04 lrkXhGyLt1ffyOzYJFcczitFThLmEhR9TbnmQnpVAeEAgKmuhjBCgjjd597brqZIkST3 HjoQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to :mime-version:user-agent:date:message-id:from:references:cc:to :subject; bh=oXIsGqtWuBZwQt34Mc0qnUxUqceYhgwq0Yz1lnrp/Ok=; b=hCl5LXHTS+mHXxHSJ0yPaC8MRaeBGJQOJeiIrJtUueM1e/BlZxxw9fwQyiZ/akcpcb 3AS8Udm+WhBun9EHnFZUg9IXVWN75+2lyjlkagRei50/ycwcyE3CwtoIn3qYHL+3+iPU qAmSDllqjTELh9LgqanbL2hB/Im0DAoS8++GRDAtKHK8MDZALF8PrQ7xs5wvqjU67Zuh e45wmO68Qw7HU1n47Ttf6es05Vp7lrE1E1gwHXQhQ82Y+C+uGMYJc1AQ94DvR9U6i3lH 1aPv27JqtUQQagMuphQPeNpG2Sb8bg6Ep7uxx15h4GiYFroNy8ZueevWu0HjCISjzISc B+fQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j13si1270044pjn.128.2022.01.17.19.07.37; Mon, 17 Jan 2022 19:07:49 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238891AbiARBgg (ORCPT + 99 others); Mon, 17 Jan 2022 20:36:36 -0500 Received: from szxga01-in.huawei.com ([45.249.212.187]:35849 "EHLO szxga01-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231266AbiARBgf (ORCPT ); Mon, 17 Jan 2022 20:36:35 -0500 Received: from dggpeml500023.china.huawei.com (unknown [172.30.72.57]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4JdBDh6bKwzccS2; Tue, 18 Jan 2022 09:35:48 +0800 (CST) Received: from [10.67.110.112] (10.67.110.112) by dggpeml500023.china.huawei.com (7.185.36.114) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.20; Tue, 18 Jan 2022 09:36:32 +0800 Subject: Re: [PATCH -next, v2] sched: Use struct_size() helper in task_numa_group() To: Kees Cook , Peter Zijlstra CC: Steven Rostedt , , , , , , , , , , , Linus Torvalds References: <20220110012354.144394-1-xiujianfeng@huawei.com> <20220110193158.31e1eaea@gandalf.local.home> <20220111101425.7c59de5b@rorschach.local.home> <202201141935.A3F2ED1CF@keescook> From: xiujianfeng Message-ID: <81169efd-66bc-8cb3-c61a-f3ac30f089da@huawei.com> Date: Tue, 18 Jan 2022 09:36:32 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.9.1 MIME-Version: 1.0 In-Reply-To: <202201141935.A3F2ED1CF@keescook> Content-Type: text/plain; charset="gbk"; format=flowed Content-Transfer-Encoding: 8bit X-Originating-IP: [10.67.110.112] X-ClientProxiedBy: dggems706-chm.china.huawei.com (10.3.19.183) To dggpeml500023.china.huawei.com (7.185.36.114) X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org ?? 2022/1/15 11:50, Kees Cook ะด??: > On Thu, Jan 13, 2022 at 10:18:57AM +0100, Peter Zijlstra wrote: >> On Tue, Jan 11, 2022 at 10:14:25AM -0500, Steven Rostedt wrote: >>> On Tue, 11 Jan 2022 12:30:42 +0100 >>> Peter Zijlstra wrote: >>> >>>>>>> if (unlikely(!deref_curr_numa_group(p))) { >>>>>>> - unsigned int size = sizeof(struct numa_group) + >>>>>>> - NR_NUMA_HINT_FAULT_STATS * >>>>>>> - nr_node_ids * sizeof(unsigned long); >>>>>>> + unsigned int size = struct_size(grp, faults, >>>>>>> + NR_NUMA_HINT_FAULT_STATS * nr_node_ids); >>>>>> Again, why?! The old code was perfectly readable, this, not so much. >>>>> Because it is unsafe, >>>> Unsafe how? Changelog doesn't mention anything, nor do you. In fact, >>>> Changelog says there is no functional change, which makes me hate the >>>> thing for obscuring something that was simple. >>> If for some reason faults changes in size, the original code must be >>> updated whereas the new code is robust enough to not need changing. > I think this alone is reason enough. :) > >> Then I would still much prefer something like: >> >> unsigned int size = sizeof(*grp) + >> NR_NUMA_HINT_FAULT_STATS * numa_node_ids * sizeof(gfp->faults); >> >> Which is still far more readable than some obscure macro. But again, the > I'm not sure it's _obscure_, but it is relatively new. It's even > documented. ;) > https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments > > That said, the original patch is incomplete: it should be using size_t > for "size". thanks, I will send a v3 patch with this change and more detailed commit message. >> It is a fairly useful and common pattern to have a small structure and >> an array in the same memory allocation. >> >> Think hash-tables, the structure contains the size of the table and some >> other things, like for example a seed for the hash function or a lock, >> and then the table itself as an array. > Right, the use of flexible arrays is very common in the kernel. So much > so that we've spent years fixing all the ancient "fake flexible arrays" > scattered around the kernel messing up all kinds of compile-time and > run-time flaw mitigations. Flexible array manipulations are notoriously > prone to mistakes (overflows in allocation, mismatched bounds storage > sizes, array index overflows, etc). These helpers (with more to come) > help remove some of the foot-guns that C would normally impart to them. > >> I can't, nor do I want to, remember all these stupid little macros. Esp. >> not for trivial things like this. > Well, the good news is that other folks will (and are) fixing them for > you. :) Even if you never make mistakes with flexible arrays, other > people do, and so we need to take on some improvements to the robustness > of the kernel source tree-wide. > > -Kees >