Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp666891iog;
        Mon, 13 Jun 2022 10:11:40 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxQNqbgXrjuZTdGIeoeCOdgbvZDLtnzg84s0BSQ+Pv+reCLZEU7zc3MqPT69qw53cheQQFm
X-Received: by 2002:a05:6a00:15c6:b0:51c:61bb:a62d with SMTP id o6-20020a056a0015c600b0051c61bba62dmr233317pfu.30.1655140300748;
        Mon, 13 Jun 2022 10:11:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1655140300; cv=none;
        d=google.com; s=arc-20160816;
        b=DdVzLpc7eoFDeB7y0kz4xoajP+ygMR9og+FwxreAIlxSn7UPpjb9dH8ufKnZjSyKIU
         76CYiWy6JCNYAYq6/vaV/HOOWQqoY+VXu0UW5jQtuma8BvgJirW5p1m/F+BqXgUgs8WV
         ZC8kco4MAnjYdIYW+XRxXj/bPYQs6CsIt3WOaCQ3Cfy0ggqWUlAdtck23aSlg2wbvQLV
         Sg5/omM+vxUMv+D54X+tTtsApiv1pf5ZHv4T9wzPwEV0F0GD+7F/JGFBi5yjz/OiUcdh
         PYaA3Kv5Ro291qlkcvmBNLeNi9kZoiDHYaTUcjDbk/TFosmYjBhB2bczHMTWKl4ABt34
         DXXQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-transfer-encoding
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:dkim-signature;
        bh=EgVDRPRugv4ujo5MlXy46Y2xsAkIKPNhty2/8oM5/Wg=;
        b=QY+QQP6px0icC2aeK+bkCzTex9W5dTlUUbno6lPGZKdqH1r8RUJbUR1m80+CGJLqYd
         N46KlDM2S5srucQNbygckrpIMVBP6REz3dFXWQCwgY2yNbxpfyfp70uTj2S5LtiPwxa+
         ZFK94YBWVx/vF9xDx6XEDnRM7Kwsgya6Njbt0wcHDEB3DRNmad28f2Rlx+vI9XKNV6mx
         ho1SlaDGbM/uy2DZFuKBXN8GSW/3boZVgDJGosf5XJPGfkF6NFOV+kyBimIpFghjz3+3
         ORyVhFjz2NWQjQOoLDVOs2nfYwL/enfzEFJoJGVDWOEBSHUGuWbKbGtV5ijuzBtxBJHK
         knIw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=KwqgjGM0;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id j192-20020a638bc9000000b0040535ebf0d0si6867870pge.687.2022.06.13.10.11.23;
        Mon, 13 Jun 2022 10:11:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20210112 header.b=KwqgjGM0;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236488AbiFMQyJ (ORCPT <rfc822;adjskylinux@gmail.com>
        + 99 others); Mon, 13 Jun 2022 12:54:09 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43852 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S242039AbiFMQxY (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 13 Jun 2022 12:53:24 -0400
Received: from mail-pj1-x102d.google.com (mail-pj1-x102d.google.com [IPv6:2607:f8b0:4864:20::102d])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 471571F4FDB
        for <linux-kernel@vger.kernel.org>; Mon, 13 Jun 2022 07:38:26 -0700 (PDT)
Received: by mail-pj1-x102d.google.com with SMTP id gd1so5826043pjb.2
        for <linux-kernel@vger.kernel.org>; Mon, 13 Jun 2022 07:38:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=date:from:to:cc:subject:message-id:references:mime-version
         :content-disposition:content-transfer-encoding:in-reply-to;
        bh=EgVDRPRugv4ujo5MlXy46Y2xsAkIKPNhty2/8oM5/Wg=;
        b=KwqgjGM0eBdCdkcc6qQNpnbNsPwCU6a14MiuQNhI/ngLn7bWw730F9pp1vXj0oUSeG
         GklcOhBQcFP/D3PB1eocetgio7EJTVh8pb5bpI22DnwoYKT0d0oL4bhwqU4yt+UCBjuT
         nukW77qWFdanU0gL6XpROUqvobtjGKkzfQsvYuP1B5bMhTVFvLblRX8ZOsNbvMK6GlRc
         PJzWZK0/ShNOWJwX+7xKAPEy8ZfSaKeIv5Eo3ftGGjqJARoLp9k259VT6PbtS6Y6Yf/y
         9TDpw0C3ugdLyqSRQv6JlH769XJ6SZU4NNvWKvGLwkR1YScWTqZLfieoGhteF7sNRXh0
         +cnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:date:from:to:cc:subject:message-id:references
         :mime-version:content-disposition:content-transfer-encoding
         :in-reply-to;
        bh=EgVDRPRugv4ujo5MlXy46Y2xsAkIKPNhty2/8oM5/Wg=;
        b=dyH5PPflFnscLuMum4n//GPLcl7/lJ9hQGgDWPblPjOKlw2XEZAWwnhFw/FOwhZjTL
         zsGgwXomSSqZR13iBQ1dMaFhZ/VNzlvWe3usBzHI0x6voHGgYRFh5sY2fk+mgfOrIK77
         8aJvHc8HNvh5DIxiNlv9dqwUK50PO5X/a5H83/2ZYalIH2MPqH8i720iHE2Vj+Ff4Y57
         F8j/05WOirGbrqJoRbyNBBVE5ypBroT/4+GIDWCrbhUnrBI5vZplbj3yZN5tHhqN2oWr
         81gi8SKYHWPEoW9I7tvcS26yIHvfha10Kj7KfSskWTojkUsGgRxSunVxW9cczm3hJLdd
         URHQ==
X-Gm-Message-State: AJIora8R8V6Pizr+Vc3IRwjg/DAh+9SzWkqtRIDkDs3cjHsVShoJoE4Q
        VWSSDv2NImrQ0ilFFb5RqUTgSw==
X-Received: by 2002:a17:902:f54e:b0:166:3b30:457c with SMTP id h14-20020a170902f54e00b001663b30457cmr126340plf.1.1655131105550;
        Mon, 13 Jun 2022 07:38:25 -0700 (PDT)
Received: from google.com (157.214.185.35.bc.googleusercontent.com. [35.185.214.157])
        by smtp.gmail.com with ESMTPSA id z9-20020a1709027e8900b0015e8d4eb208sm5233408pla.82.2022.06.13.07.38.24
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 13 Jun 2022 07:38:25 -0700 (PDT)
Date:   Mon, 13 Jun 2022 14:38:21 +0000
From:   Sean Christopherson <seanjc@google.com>
To:     Andrew Jones <drjones@redhat.com>
Cc:     Paolo Bonzini <pbonzini@redhat.com>, kvm@vger.kernel.org,
        Vitaly Kuznetsov <vkuznets@redhat.com>,
        David Matlack <dmatlack@google.com>,
        Ben Gardon <bgardon@google.com>,
        Oliver Upton <oupton@google.com>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 144/144] KVM: selftests: Sanity check input to
 ioctls() at build time
Message-ID: <YqdL3R/ep3b0XoCo@google.com>
References: <20220603004331.1523888-1-seanjc@google.com>
 <20220603004331.1523888-145-seanjc@google.com>
 <20220610184953.34yn2eq2mmm7cp4n@gator>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <20220610184953.34yn2eq2mmm7cp4n@gator>
X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
        ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,
        T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jun 10, 2022, Andrew Jones wrote:
> On Fri, Jun 03, 2022 at 12:43:31AM +0000, Sean Christopherson wrote:
> > Add a static assert to the KVM/VM/vCPU ioctl() helpers to verify that the
> > size of the argument provided matches the expected size of the IOCTL.
> > Because ioctl() ultimately takes a "void *", it's all too easy to pass in
> > garbage and not detect the error until runtime.  E.g. while working on a
> > CPUID rework, selftests happily compiled when vcpu_set_cpuid()
> > unintentionally passed the cpuid() function as the parameter to ioctl()
> > (a local "cpuid" parameter was removed, but its use was not replaced with
> > "vcpu->cpuid" as intended).
> > 
> > Tweak a variety of benign issues that aren't compatible with the sanity
> > check, e.g. passing a non-pointer for ioctls().
> > 
> > Note, static_assert() requires a string on older versions of GCC.  Feed
> > it an empty string to make the compiler happy.
> > 
> > Signed-off-by: Sean Christopherson <seanjc@google.com>
> > ---
> >  .../selftests/kvm/include/kvm_util_base.h     | 61 +++++++++++++------
> >  .../selftests/kvm/lib/aarch64/processor.c     |  2 +-
> >  tools/testing/selftests/kvm/lib/guest_modes.c |  2 +-
> >  tools/testing/selftests/kvm/lib/kvm_util.c    | 29 +--------
> >  tools/testing/selftests/kvm/s390x/resets.c    |  6 +-
> >  .../selftests/kvm/x86_64/mmio_warning_test.c  |  2 +-
> >  .../kvm/x86_64/pmu_event_filter_test.c        |  2 +-
> >  .../selftests/kvm/x86_64/xen_shinfo_test.c    |  6 +-
> >  8 files changed, 56 insertions(+), 54 deletions(-)
> > 
> > diff --git a/tools/testing/selftests/kvm/include/kvm_util_base.h b/tools/testing/selftests/kvm/include/kvm_util_base.h
> > index 04ddab322b6b..0eaf0c9b7612 100644
> > --- a/tools/testing/selftests/kvm/include/kvm_util_base.h
> > +++ b/tools/testing/selftests/kvm/include/kvm_util_base.h
> > @@ -180,29 +180,56 @@ static inline bool kvm_has_cap(long cap)
> >  #define __KVM_IOCTL_ERROR(_name, _ret)	__KVM_SYSCALL_ERROR(_name, _ret)
> >  #define KVM_IOCTL_ERROR(_ioctl, _ret) __KVM_IOCTL_ERROR(#_ioctl, _ret)
> >  
> > -#define __kvm_ioctl(kvm_fd, cmd, arg) \
> > -	ioctl(kvm_fd, cmd, arg)
> > +#define kvm_do_ioctl(fd, cmd, arg)						\
> > +({										\
> > +	static_assert(!_IOC_SIZE(cmd) || sizeof(*arg) == _IOC_SIZE(cmd), "");	\
> > +	ioctl(fd, cmd, arg);							\
> > +})
> >  
> > -static inline void _kvm_ioctl(int kvm_fd, unsigned long cmd, const char *name,
> > -			      void *arg)
> > -{
> > -	int ret = __kvm_ioctl(kvm_fd, cmd, arg);
> > +#define __kvm_ioctl(kvm_fd, cmd, arg)						\
> > +	kvm_do_ioctl(kvm_fd, cmd, arg)
> >  
> > -	TEST_ASSERT(!ret, __KVM_IOCTL_ERROR(name, ret));
> > -}
> > +
> 
> While we've gained the static asserts we've also lost the type checking
> that the inline functions provided. Is there anyway we can bring them back
> with more macro tricks?

Gah, I overthought this.  It doesn't even require macros, just a dummy helper.
I wasn't trying to use static_assert() to enforce the type check, which is how I
ended up with the sizeof() ugliness (not the one above).  But it's far easier to
let the compiler do the checking.

I'll send a small fixup series to address this and your other feedback.

static __always_inline void static_assert_is_vm(struct kvm_vm *vm) { }

#define __vm_ioctl(vm, cmd, arg)				\
({								\
	static_assert_is_vm(vm);				\
	kvm_do_ioctl((vm)->fd, cmd, arg);			\
})

static __always_inline void static_assert_is_vcpu(struct kvm_vcpu *vcpu) { }

#define __vcpu_ioctl(vcpu, cmd, arg)				\
({								\
	static_assert_is_vcpu(vcpu);				\
	kvm_do_ioctl((vcpu)->fd, cmd, arg);			\
})


In file included from include/kvm_util.h:10,
                 from lib/x86_64/processor.c:9:
lib/x86_64/processor.c: In function ‘_vcpu_set_msr’:
lib/x86_64/processor.c:831:33: error: passing argument 1 of ‘static_assert_is_vcpu’ from incompatible pointer type [-Werror=incompatible-pointer-types]
  831 |         return __vcpu_ioctl(vcpu->vm, KVM_SET_MSRS, &buffer.header);
      |                             ~~~~^~~~
      |                                 |
      |                                 struct kvm_vm *
include/kvm_util_base.h:232:31: note: in definition of macro ‘__vcpu_ioctl’
  232 |         static_assert_is_vcpu(vcpu);                            \
      |                               ^~~~
include/kvm_util_base.h:225:68: note: expected ‘struct kvm_vcpu *’ but argument is of type ‘struct kvm_vm *’
  225 | static __always_inline void static_assert_is_vcpu(struct kvm_vcpu *vcpu)
      |                                                   ~~~~~~~~~~~~~~~~~^~~~
cc1: all warnings being treated as errors