Received: by 2002:a05:7412:d008:b0:f9:6acb:47ec with SMTP id bd8csp135066rdb; Tue, 19 Dec 2023 11:30:14 -0800 (PST) X-Google-Smtp-Source: AGHT+IEFV8YMud2cHkMVOJIyeNmK/tYdqAWYyH+S5el5CI4jNoz4Z+4F/4G8WnpjD8DccY5oajNo X-Received: by 2002:a05:6871:4581:b0:203:eafb:db30 with SMTP id nl1-20020a056871458100b00203eafbdb30mr2172610oab.103.1703014214104; Tue, 19 Dec 2023 11:30:14 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1703014214; cv=none; d=google.com; s=arc-20160816; b=gwYh108M4LOm8wXCfzbR+RRLemfuC9MdLn5uQPm1J8eNABSTQv8NKkVZfDK68xKsVl fDv0ZyPK27w7xEzOUQ4JQM2myXz81W+baTH064PAlgls5V5GYdIeHlM2Ugty8E0VzCzp zm0S+W3t9NXZNd4IMgfR4Sfe1nyevAgvz2yX5vuKBzZjxm6B1RdAzOsI68cQp1YCJePM 6jDa/04A3pqwEPnem2aEeTZ4vEVQnwT0Zundmkj6bk1YOtQL6w/8roUVKFeHS+L3l5jc DyGprrScttlwW2WGGdXNJ93dnhCr5Oz+XSm4CL9sgZOQIkLQPcjD0Tr6THJtmsL9LepP cQ7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:date:dkim-signature; bh=qH/h/WKOsBaKnhovf2CB2EPuNEDicb3PEBUE019eTMs=; fh=rEWCRfO8u2QogDyks0PxiFc2+D5KIXzWG0guIzT6ohE=; b=Mjo4vC3+l1KBMTjoe8aLYouTipv+QNIFqEPu2jSLdVJUYJ608ABa+u99+KZHUUqXCr DojM/9Z4R28bbTDaV21VIM/t8eH7OEqbitMLVfsy/PMLggEHevG57PMrdSpYuSKdFp8O DIo6uRN3k7GCHhH5o5c/qeoQFcqnlU1K+UlKjzArA5d1YB//mzQyKhea8SaNz0bMPySA YcC28C8yVLneuOzW2dfn0zXFazlJJOi/4eg842r/xohiGtQhWGYV6/ORsL0hqiAqHLLv FrPKIonRBs9OsruXboamd8rxTKDJMA1JLwOcInTuY8jOZJdeXHSYgNFWUjobl4MSB8NO RBfA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@weissschuh.net header.s=mail header.b=hASqtFp8; spf=pass (google.com: domain of linux-kernel+bounces-5870-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-5870-linux.lists.archive=gmail.com@vger.kernel.org" Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id x14-20020a05620a14ae00b00773e4b0d065si26078250qkj.532.2023.12.19.11.30.13 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 19 Dec 2023 11:30:14 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-5870-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@weissschuh.net header.s=mail header.b=hASqtFp8; spf=pass (google.com: domain of linux-kernel+bounces-5870-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-5870-linux.lists.archive=gmail.com@vger.kernel.org" Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id C33201C24E5A for ; Tue, 19 Dec 2023 19:30:13 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 561993985A; Tue, 19 Dec 2023 19:30:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=weissschuh.net header.i=@weissschuh.net header.b="hASqtFp8" X-Original-To: linux-kernel@vger.kernel.org Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2CEE639AC0; Tue, 19 Dec 2023 19:29:58 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=weissschuh.net Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=weissschuh.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=weissschuh.net; s=mail; t=1703014190; bh=GMFosoqH618A0escG3KIeky1Bglzu9iNu3oJdI75r2c=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=hASqtFp8t11cv7FEJdQUJ9GxREwItyc99qkE4NvBl5NoggRb0wDTMY60eN8hn4LNd Hny29ryLOertfQrxFYW+0RZTky3PESA471v0LguQi8ddRcFuZ8BLut0FkPqxGTRU/4 QNqIiynuflzz2mjSZu2gyKOFTH79xuPyRZR/t7DQ= Date: Tue, 19 Dec 2023 20:29:50 +0100 From: Thomas =?utf-8?Q?Wei=C3=9Fschuh?= To: Luis Chamberlain , Julia Lawall Cc: Joel Granados , Dan Carpenter , Kees Cook , "Gustavo A. R. Silva" , Iurii Zaikin , Greg Kroah-Hartman , linux-hardening@vger.kernel.org, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org Subject: Re: [PATCH v2 00/18] sysctl: constify sysctl ctl_tables Message-ID: References: <20231204-const-sysctl-v2-0-7a5060b11447@weissschuh.net> <20231207104357.kndqvzkhxqkwkkjo@localhost> <20231208095926.aavsjrtqbb5rygmb@localhost> <8509a36b-ac23-4fcd-b797-f8915662d5e1@t-8ch.de> <20231212090930.y4omk62wenxgo5by@localhost> <20231217120201.z4gr3ksjd4ai2nlk@localhost> <908dc370-7cf6-4b2b-b7c9-066779bc48eb@t-8ch.de> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: Hi Luis and Julia, (Julia, there is a question and context for you inline, marked with your name) On 2023-12-18 13:21:49-0800, Luis Chamberlain wrote: > So we can split this up concentually in two: > > * constificaiton of the table handlers > * constification of the table struct itself > > On Sun, Dec 17, 2023 at 11:10:15PM +0100, Thomas Weißschuh wrote: > > The handlers can already be made const as shown in this series, > > The series did already produce issues with some builds, and so > Julia's point is confirmed that the series only proves hanlders > which you did build and for which 0-day has coverage for. > > The challenge here was to see if we could draw up a test case > that would prove this without build tests, and what occurred to > me was coccinelle or smatch. I used the following coccinelle script to find more handlers that I missed before: virtual patch virtual context virtual report @@ identifier func; identifier ctl; identifier write; identifier buffer; identifier lenp; identifier ppos; type loff_t; @@ int func( - struct ctl_table *ctl, + const struct ctl_table *ctl, int write, void *buffer, size_t *lenp, loff_t *ppos) { ... } It did not find any additional occurrences while it was able to match the existing changes. After that I manually reviewed all handlers that they are not modifying their table argument, which they don't. Should we do more? For Julia: Maybe you could advise on how to use coccinelle to find where a const function argument or one of its members are modified directly or passed to some other function as non-const arguments. See the coccinelle patch above. Is this possible? > > > If that is indeed what you are proposing, you might not even need the > > > un-register step as all the mutability that I have seen occurs before > > > the register. So maybe instead of re-registering it, you can so a copy > > > (of the changed ctl_table) to a const pointer and then pass that along > > > to the register function. > > > > Tables that are modified, but *not* through the handler, would crop > > during the constification of the table structs. > > Which should be a second step. > > Instead of "croping up" at build time again, I wonder if we can do > better with coccinelle / smatch. As for smatch: Doesn't smatch itself run as part of a normal build [0]? So it would have the same visibility issues as the compiler itself. > Joel, and yes, what you described is what I was suggesting, that is to > avoid having to add a non-const handler a first step, instead we modify > those callers which do require to modify the table by first a > deregistration and later a registration. In fact to make this even > easier a new call would be nice so to aslo be able to git grep when > this is done in the kernel. > > But if what you suggest is true that there are no registrations which > later modify the table, we don't need that. It is the uncertainty that > we might have that this is a true statment that I wanted to challenge > to see if we could do better. Can we avoid this being a stupid > regression later by doing code analysis with coccinelle / smatch? > > The template of the above endeavor seems useful not only to this use > case but to any place in the kernel where this previously has been done > before, and hence my suggestion that this seems like a sensible thing > to think over to see if we could generalize. I'd like to split the series and submit the part up until and including the constification of arguments first and on its own. It keeps the subsystem maintainers out of the discussion of the core sysctl changes. I'll submit the core sysctl changes after I figure out proper responses to all review comments and we can do this in parallel to the tree-wide preparation. What do you think Luis and Joel? [0] https://repo.or.cz/smatch.git/blob/HEAD:/smatch_scripts/test_kernel.sh