Since user is u64, it is best to have a predictable return value for all
possible values of user. So maybe:
static u64 user2rate_bytes(u64 user)
{
u64 r;
r = user ? U32_MAX / (u32) min(user, U32_MAX) : U32_MAX;
r = (r - 1) << XT_HASHLIMIT_BYTE_SHIFT;
return r;
}
-----Original Message-----
From: Vishwanath Pai [mailto:v...@akamai.com]
Sent: Thursday, September 07, 2017 4:17 PM
To: Linus Torvalds <torva...@linux-foundation.org>
Cc: Ingo Molnar <mi...@kernel.org>; Lubashev, Igor <iluba...@akamai.com>; Hunt,
Joshua <joh...@akamai.com>; Pablo Neira Ayuso <pa...@netfilter.org>; Borislav
Petkov <b...@alien8.de>; Andy Lutomirski <l...@kernel.org>; the arch/x86
maintainers <x...@kernel.org>; Linux Kernel Mailing List
<linux-kernel@vger.kernel.org>; Brian Gerst <brge...@gmail.com>; Andrew Cooper
<andrew.coop...@citrix.com>; Juergen Gross <jgr...@suse.com>; Boris Ostrovsky
<boris.ostrov...@oracle.com>; Kees Cook <keesc...@chromium.org>; Andrew Morton
<a...@linux-foundation.org>; David S. Miller <da...@davemloft.net>; Arnd
Bergmann <a...@arndb.de>
Subject: Re: xt_hashlimig build error (was Re: [RFC 01/17] x86/asm/64: Remove
the restore_c_regs_and_iret label)
On 09/07/2017 02:43 PM, Linus Torvalds wrote:
> Note: that patch has *exactly* the issue I was talking about above.
>
> Doing that
>
> if (user > 0xFFFFFFFFULL)
> return 0;
>
> is different from the old code, which used to result in a zero in the
> divide, and then
>
> r = (r - 1) << 4;
>
> would cause it to return a large value.
>
> So the patch in question doesn't just fix the build error, it
> completely changes the semantics of the function too.
>
> I *think* the new behavior is likely what you want, but these kinds of
> things should be _described_.
>
> Also, even with the patch, we have garbage:
>
> 0xFFFFFFFFULL / (u32)user
>
> why is that sub-expression pointlessly doing a 64-bit divide with a
> 32-bit number? The compiler is hopefully smart enough to point things
> out, but that "ULL" really is _wrong_ there, and could cause a stupid
> compiler to still do a 64-bit divide (although hopefully the simpler
> version that is 64/32).
>
> So please clarify both the correct behavior _and_ the actual typing of
> the divide, ok?
>
> Linus
The value of 'user' is sent from userspace, which is the return value of this
function:
static uint64_t bytes_to_cost(uint32_t bytes) {
uint32_t r = bytes >> XT_HASHLIMIT_BYTE_SHIFT;
return UINT32_MAX / (r+1);
}
What user2rate_bytes() is trying to do is the opposite of above. The size of
'user' is 64bit for a different reason altogether, but in this case it is
guaranteed to be always < U32_MAX. And hence using 64bit divide is completely
pointless (which I now realize).
Writing U32INT_MAX as 0xFFFFFFFFULL was a mistake on my part. I could have
avoided all of this by using built-in constants instead of trying to define
them myself. I will rewrite the function as below and send out another patch:
static u64 user2rate_bytes(u64 user)
{
u64 r;
r = user ? U32_MAX / (u32) user : U32_MAX;
r = (r - 1) << XT_HASHLIMIT_BYTE_SHIFT;
return r;
}
-Vishwanath
