Re: [PATCH 12/20] maccess: remove strncpy_from_unsafe
From: Linus Torvalds
Date: Tue May 19 2020 - 12:26:20 EST
On Tue, May 19, 2020 at 6:45 AM Christoph Hellwig <hch@xxxxxx> wrote:
>
> + if (IS_ENABLED(CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE) &&
> + compat && (unsigned long)unsafe_ptr < TASK_SIZE)
> + ret = strncpy_from_user_nofault(dst, user_ptr, size);
> + else
> + ret = strncpy_from_kernel_nofault(dst, unsafe_ptr, size);
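Review bot: the user-space branch passes `user_ptr` while the kernel branch passes `unsafe_ptr`, and the cast that derives `user_ptr` from `unsafe_ptr` is not in this hunk, so a reader cannot see that both branches probe the same address; either cast inline, `strncpy_from_user_nofault(dst, (const void __user *)unsafe_ptr, size)`, or move the whole `IS_ENABLED(...) && compat && (unsigned long)unsafe_ptr < TASK_SIZE` test into a small named helper so the pointer disambiguation is visible in one place. The `TASK_SIZE` comparison only classifies an ambiguous pointer correctly where user and kernel ranges do not overlap, which is why it is gated on CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE; folding that compile-time gate and two runtime conditions into one expression is what makes the intent hard to audit.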
These conditionals are completely illegible.
That's true in the next patch too.
Stop using "IS_ENABLED(config)" to make very complex conditionals.
A clear #ifdef is much better if the alternative is a conditional that
is completely impossible to actually understand and needs multiple
lines to read.
If you made this a simple helper (called "bpf_strncpy_from_unsafe()"
with that "compat" flag, perhaps?), it would be much more legible as
	/*
	 * Big comment goes here about the compat behavior and
	 * non-overlapping address spaces and ambiguous pointers.
	 */
	static long bpf_strncpy_from_legacy(void *dst, const void *unsafe_ptr,
					    long size, bool legacy)
	{
	#ifdef CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
		/*
		 * Legacy callers hand us an ambiguous pointer; only where the
		 * address spaces don't overlap can a user-range address be
		 * safely treated as a user pointer.
		 */
		if (legacy && (unsigned long)unsafe_ptr < TASK_SIZE)
			return strncpy_from_user_nofault(dst,
					(const void __user *)unsafe_ptr, size);
	#endif
		return strncpy_from_kernel_nofault(dst, unsafe_ptr, size);
	}
and then you'd just use
	if (bpf_strncpy_from_legacy(dst, unsafe_ptr, size, compat) < 0)
		memset(dst, 0, size);
and avoid any complicated conditionals, goto's, and make the code much
easier to understand thanks to having a big comment about the legacy
case.
In fact, separately I'd probably want that "compat" naming to be
scrapped entirely in that file.
"compat" generally means something very specific and completely
different in the kernel: it's the "I'm a 32-bit binary on a 64-bit
kernel" compatibility case.
Here, it's literally "BPF legacy behavior", not that kind of "compat" thing.
But that renaming is separate, although I'd start the ball rolling
with that "bpf_strncpy_from_legacy()" helper.
Linus