Re: [PATCH 12/20] maccess: remove strncpy_from_unsafe

From: Linus Torvalds
Date: Tue May 19 2020 - 12:26:20 EST


On Tue, May 19, 2020 at 6:45 AM Christoph Hellwig <hch@xxxxxx> wrote:
>
> + if (IS_ENABLED(CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE) &&
> + compat && (unsigned long)unsafe_ptr < TASK_SIZE)
> + ret = strncpy_from_user_nofault(dst, user_ptr, size);
> + else
> + ret = strncpy_from_kernel_nofault(dst, unsafe_ptr, size);

These conditionals are completely illegible.

That's true in the next patch too.

Stop using "IS_ENABLED(config)" to make very complex conditionals.

A clear #ifdef is much better if the alternative is a conditional that
is completely impossible to actually understand and needs multiple
lines to read.

If you made this a simple helper (called "bpf_strncpy_from_unsafe()"
with that "compat" flag, perhaps?), it would be much more legible as

/*
* Big comment goes here about the compat behavior and
* non-overlapping address spaces and ambiguous pointers.
*/
static long bpf_strncpy_from_legacy(void *dest, const void
*unsafe_ptr, long size, bool legacy)
{
#ifdef CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
if (legacy && addr < TASK_SIZE)
return strncpy_from_user_nofault(dst, (const void __user
*) unsafe_ptr, size);
#endif

return strncpy_from_kernel_nofault(dst, unsafe_ptr, size);
}

and then you'd just use

if (bpf_strncpy_from_unsafe(dst, unsafe_ptr, size, compat) < 0)
memset(dst, 0, size);

and avoid any complicated conditionals, goto's, and make the code much
easier to understand thanks to having a big comment about the legacy
case.

In fact, separately I'd probably want that "compat" naming to be
scrapped entirely in that file.

"compat" generally means something very specific and completely
different in the kernel: it's the "I'm a 32-bit binary on a 64-bit
kernel" compatibility case.

Here, it's literally "BPF legacy behavior", not that kind of "compat" thing.

But that renaming is separate, although I'd start the ball rolling
with that "bpf_strncpy_from_legacy()" helper.

Linus