From patchwork Mon Sep 14 16:09:58 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nick Desaulniers X-Patchwork-Id: 303478 Delivered-To: patch@linaro.org Received: by 2002:a92:5ad1:0:0:0:0:0 with SMTP id b78csp1759604ilg; Mon, 14 Sep 2020 09:10:27 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyXSPkOgAKGUtdnrsdvGiH71H2cLgKqBQTOykClErFP+xRyfW0dltc6c0MiOE+wT6d8DZ8j X-Received: by 2002:a05:6402:6c9:: with SMTP id n9mr18019574edy.297.1600099827445; Mon, 14 Sep 2020 09:10:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600099827; cv=none; d=google.com; s=arc-20160816; b=rW2S8DGkT7/d/MmcpVqDeih1BWN5NmFPM+HwmEx0zMiBsr1MyfqvS+kvucURHUPyIj +dywWu9gVUlUkwQ8Y83HfKgfRtm9KkbCQmWrcfwjuQzGqj+Ealb79FpKiCLMj8/DOEta mSMfNaMa19NVzESjBwLm/xtrMcCBZPRpl/4rSKt07rBrRNnkb/PkmHB/92qLD20hJbrd OL25DJNx6R6lZjg9weTL3Rc6HHytJw/Hq6Wojc9WZLrxOin/ZvQXT3/feg3E3eRT2gc7 yibaVUdYWhouHk5+x38Uq9UKYBmWEuOaU8yjau4hdoBWEb4TxjDZtYNq0byER2wX3RGC O89w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:from:subject:mime-version :message-id:date:dkim-signature; bh=C2H9/eVSssk9N9c19TNJ2NvJt1R7mxUsxPzXQi2K3kk=; b=hi7Z8LbEbwRkbzykBAPqrMBl9hBEifvNK4MpXeUNQPmDM5ldY6sdtXE5aINezUDZ0i fDitkw5z5y3Z4r5FAriBAJtlUtdvCuWXud3qcG2ydcX4AtmvRSnci1AmMsNKxxbELHfl yIt0qDh7B2yWlE7M5dzNwnKhvMCIRf4fSqkd1OFmcSVTGHnsMHA1FLgMfxqu21Nal4jp thjm86aPjBlFYTnE3bi1J7UrEjCAtuzrjLVorxAJNzG3qk/Jz3zwcubKatc8Qe5PhG5G 8kfUeVsm2MUbc/dG2mcem5yMdCAhevSVo2EYu++ac5MCEItRZkk3C0rztSf6qgdl/sAv pzCg== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=fDeporrs; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l21si3499148ejq.222.2020.09.14.09.10.26; Mon, 14 Sep 2020 09:10:27 -0700 (PDT) Received-SPF: pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=fail header.i=@google.com header.s=20161025 header.b=fDeporrs; spf=pass (google.com: domain of stable-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org; dmarc=fail (p=REJECT sp=REJECT dis=QUARANTINE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726476AbgINQKW (ORCPT + 15 others); Mon, 14 Sep 2020 12:10:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53644 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726424AbgINQKM (ORCPT ); Mon, 14 Sep 2020 12:10:12 -0400 Received: from mail-yb1-xb49.google.com (mail-yb1-xb49.google.com [IPv6:2607:f8b0:4864:20::b49]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2D768C061788 for ; Mon, 14 Sep 2020 09:10:12 -0700 (PDT) Received: by mail-yb1-xb49.google.com with SMTP id 125so248297ybg.12 for ; Mon, 14 Sep 2020 09:10:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=sender:date:message-id:mime-version:subject:from:to:cc; bh=C2H9/eVSssk9N9c19TNJ2NvJt1R7mxUsxPzXQi2K3kk=; b=fDeporrsJV/dWDridcsDYkD9WhhQkww1EXqMrmF2B+RkyEVSOGhQaNCxuIJMlEjRrx g8yfIrEKwcaPWD45Cpmg/l2Ubu31x/5g9qomcMGC96Uz6Y3nNgJLfc+f9/zNobLxS5xV ks/jS5e+LzBvu8WZ6zb/8FzufYgbNJIfEy/qWYpB4a77W972KfC2n+6Ti/WcpxSbF/I+ vyeqiimeIgc5PPnZRXKKYMp1q8UKtOjRi3RnX7GOTeX7czYvGgVahPR/IhJ8Z2ROoj1W qTgvO1xxTV2J/uQkiGlvyoG3z714GWisc9F5JAkhdNcsBatzCc118wMvfwKOSlQPhWgB vptQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:date:message-id:mime-version:subject:from :to:cc; bh=C2H9/eVSssk9N9c19TNJ2NvJt1R7mxUsxPzXQi2K3kk=; b=JmqttLOhf8co7lKxqdgNB35Ob/04s+angyWYsTUGwS2AVePHO2N1+x/zHzf8Fh4fyG esDK2juOBHPP+EAof9E3rMVaazBahE8xbLP/TW136oWcbTL4JT1OeW/zHI373eEvKGjv NPrv8FeHccanWwXO4RcLeSt5hYpuPnhL1pfBzUhiu1xfFvUhMkXqNg3v8XLf+OroPbC6 EtRA36ex/0/Dert5aU2Ljecy2pqVlmEoZNbhmzXQ9K+N/7cDNYSnjkDBq1pOCEPxXwmX 2XbSnW/SXxOIQbNvZGBu1j0lbtlXYhWTIQCLuiL+MQn1Qys2MpKYu/gaVIfHD5Wn5QlS LIRQ== X-Gm-Message-State: AOAM532WtpHkI+NfVEGP2BaleQBdWqRZHcfR9VU0JqcBfPfICCxamEB5 Y1VUD9lfiUbFPqdKRKGXDX6Hs9ooq/2mrPr+HZA= X-Received: from ndesaulniers1.mtv.corp.google.com ([2620:15c:211:202:f693:9fff:fef4:4d25]) (user=ndesaulniers job=sendgmr) by 2002:a5b:f03:: with SMTP id x3mr8451188ybr.137.1600099811376; Mon, 14 Sep 2020 09:10:11 -0700 (PDT) Date: Mon, 14 Sep 2020 09:09:58 -0700 Message-Id: <20200914160958.889694-1-ndesaulniers@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.28.0.618.gf4bc123cb7-goog Subject: [PATCH v4] lib/string.c: implement stpcpy From: Nick Desaulniers To: Andrew Morton Cc: Kees Cook , Arvind Sankar , Masahiro Yamada , linux-kernel@vger.kernel.org, clang-built-linux@googlegroups.com, Nick Desaulniers , Sami Tolvanen , Andy Lavr , Joe Perches , Rasmus Villemoes , Nathan Chancellor , stable@vger.kernel.org Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org LLVM implemented a recent "libcall optimization" that lowers calls to `sprintf(dest, "%s", str)` where the return value is used to `stpcpy(dest, str) - dest`. This generally avoids the machinery involved in parsing format strings. `stpcpy` is just like `strcpy` except it returns the pointer to the new tail of `dest`. This optimization was introduced into clang-12. Implement this so that we don't observe linkage failures due to missing symbol definitions for `stpcpy`. Similar to last year's fire drill with: commit 5f074f3e192f ("lib/string.c: implement a basic bcmp") The kernel is somewhere between a "freestanding" environment (no full libc) and "hosted" environment (many symbols from libc exist with the same type, function signature, and semantics). As H. Peter Anvin notes, there's not really a great way to inform the compiler that you're targeting a freestanding environment but would like to opt-in to some libcall optimizations (see pr/47280 below), rather than opt-out. Arvind notes, -fno-builtin-* behaves slightly differently between GCC and Clang, and Clang is missing many __builtin_* definitions, which I consider a bug in Clang and am working on fixing. Masahiro summarizes the subtle distinction between compilers justly: To prevent transformation from foo() into bar(), there are two ways in Clang to do that; -fno-builtin-foo, and -fno-builtin-bar. There is only one in GCC; -fno-buitin-foo. (Any difference in that behavior in Clang is likely a bug from a missing __builtin_* definition.) Masahiro also notes: We want to disable optimization from foo() to bar(), but we may still benefit from the optimization from foo() into something else. If GCC implements the same transform, we would run into a problem because it is not -fno-builtin-bar, but -fno-builtin-foo that disables that optimization. In this regard, -fno-builtin-foo would be more future-proof than -fno-built-bar, but -fno-builtin-foo is still potentially overkill. We may want to prevent calls from foo() being optimized into calls to bar(), but we still may want other optimization on calls to foo(). It seems that compilers today don't quite provide the fine grain control over which libcall optimizations pseudo-freestanding environments would prefer. Finally, Kees notes that this interface is unsafe, so we should not encourage its use. As such, I've removed the declaration from any header, but it still needs to be exported to avoid linkage errors in modules. Reported-by: Sami Tolvanen Suggested-by: Andy Lavr Suggested-by: Arvind Sankar Suggested-by: Joe Perches Suggested-by: Kees Cook Suggested-by: Masahiro Yamada Suggested-by: Rasmus Villemoes Signed-off-by: Nick Desaulniers Tested-by: Nathan Chancellor Reviewed-by: Kees Cook Cc: stable@vger.kernel.org Link: https://bugs.llvm.org/show_bug.cgi?id=47162 Link: https://bugs.llvm.org/show_bug.cgi?id=47280 Link: https://github.com/ClangBuiltLinux/linux/issues/1126 Link: https://man7.org/linux/man-pages/man3/stpcpy.3.html Link: https://pubs.opengroup.org/onlinepubs/9699919799/functions/stpcpy.html Link: https://reviews.llvm.org/D85963 --- Changes V4: * Roll up Kees' comment fixup from https://lore.kernel.org/lkml/202009060302.4574D8D0E0@keescook/#t. * Keep Nathan's tested by tag. * Add Kees' reviewed by tag from https://lore.kernel.org/lkml/202009031446.3865FE82B@keescook/. Changes V3: * Drop Sami's Tested by tag; newer patch. * Add EXPORT_SYMBOL as per Andy. * Rewrite commit message, rewrote part of what Masahiro said to be generic in terms of foo() and bar(). * Prefer %NUL-terminated to NULL terminated. NUL is the ASCII character '\0', as per Arvind and Rasmus. Changes V2: * Added Sami's Tested by; though the patch changed implementation, the missing symbol at link time was the problem Sami was observing. * Fix __restrict -> __restrict__ typo as per Joe. * Drop note about restrict from commit message as per Arvind. * Fix NULL -> NUL as per Arvind; NUL is ASCII '\0'. TIL * Fix off by one error as per Arvind; I had another off by one error in my test program that was masking this. lib/string.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) -- 2.28.0.618.gf4bc123cb7-goog diff --git a/lib/string.c b/lib/string.c index 6012c385fb31..b6b8847218b5 100644 --- a/lib/string.c +++ b/lib/string.c @@ -272,6 +272,30 @@ ssize_t strscpy_pad(char *dest, const char *src, size_t count) } EXPORT_SYMBOL(strscpy_pad); +/** + * stpcpy - copy a string from src to dest returning a pointer to the new end + * of dest, including src's %NUL-terminator. May overrun dest. + * @dest: pointer to end of string being copied into. Must be large enough + * to receive copy. + * @src: pointer to the beginning of string being copied from. Must not overlap + * dest. + * + * stpcpy differs from strcpy in a key way: the return value is a pointer + * to the new %NUL-terminating character in @dest. (For strcpy, the return + * value is a pointer to the start of @dest. This interface is considered + * unsafe as it doesn't perform bounds checking of the inputs. As such it's + * not recommended for usage. Instead, its definition is provided in case + * the compiler lowers other libcalls to stpcpy. + */ +char *stpcpy(char *__restrict__ dest, const char *__restrict__ src); +char *stpcpy(char *__restrict__ dest, const char *__restrict__ src) +{ + while ((*dest++ = *src++) != '\0') + /* nothing */; + return --dest; +} +EXPORT_SYMBOL(stpcpy); + #ifndef __HAVE_ARCH_STRCAT /** * strcat - Append one %NUL-terminated string to another