[PATCH] earlycpio: constify find_cpio_data()'s "data" parameter

Jan Beulich posted 1 patch 3 weeks, 2 days ago
Failed in applying to current master
[PATCH] earlycpio: constify find_cpio_data()'s "data" parameter
Posted by Jan Beulich 3 weeks, 2 days ago
As with 9cbf61445cda ("xen/earlycpio: Drop nextoff parameter"): While
this is imported from Linux, the parameter not being pointer-to-const is
dubious in the first place and we're not plausibly going to gain a write
through it.

Signed-off-by: Jan Beulich <jbeulich@suse.com>

--- a/xen/common/earlycpio.c
+++ b/xen/common/earlycpio.c
@@ -64,7 +64,8 @@ enum cpio_fields {
  *              the match returned an empty filename string.
  */
 
-struct cpio_data __init find_cpio_data(const char *path, void *data, size_t len)
+struct cpio_data __init find_cpio_data(
+	const char *path, const void *data, size_t len)
 {
 	const size_t cpio_header_len = 8*C_NFIELDS - 2;
 	struct cpio_data cd = { NULL, 0, "" };
--- a/xen/include/xen/earlycpio.h
+++ b/xen/include/xen/earlycpio.h
@@ -9,6 +9,6 @@ struct cpio_data {
 	char name[MAX_CPIO_FILE_NAME];
 };
 
-struct cpio_data find_cpio_data(const char *path, void *data, size_t len);
+struct cpio_data find_cpio_data(const char *path, const void *data, size_t len);
 
 #endif /* _EARLYCPIO_H */
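Review bot: the prototype now accepts a `const void *` buffer, but the `data` member of the `struct cpio_data` whose tail is shown in this hunk is not changed, so a caller that passes a read-only buffer still receives a writable pointer into it via `.data`. If the microcode users cannot yet take a `const void *` member, the commit message should say so and name the follow-up change; otherwise the member should be constified in this hunk so header and implementation agree.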
Re: [PATCH] earlycpio: constify find_cpio_data()'s "data" parameter
Posted by Andrew Cooper 3 weeks, 2 days ago
On 28/10/2024 4:03 pm, Jan Beulich wrote:
> As with 9cbf61445cda ("xen/earlycpio: Drop nextoff parameter"): While
> this is imported from Linux, the parameter not being pointer-to-const is
> dubious in the first place and we're not plausibly going to gain a write
> through it.
>
> Signed-off-by: Jan Beulich <jbeulich@suse.com>

You haven't tried compiling this, have you?

There's a reason why the only user is non-const and staying that way.

~Andrew
Re: [PATCH] earlycpio: constify find_cpio_data()'s "data" parameter
Posted by Jan Beulich 3 weeks, 2 days ago
On 28.10.2024 17:07, Andrew Cooper wrote:
> On 28/10/2024 4:03 pm, Jan Beulich wrote:
>> As with 9cbf61445cda ("xen/earlycpio: Drop nextoff parameter"): While
>> this is imported from Linux, the parameter not being pointer-to-const is
>> dubious in the first place and we're not plausibly going to gain a write
>> through it.
>>
>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> 
> You haven't tried compiling this, have you?

Of course I have. Is there any subtlety with compiler versions? Or what
else am I missing?

Jan
Re: [PATCH] earlycpio: constify find_cpio_data()'s "data" parameter
Posted by Andrew Cooper 3 weeks, 2 days ago
On 28/10/2024 4:12 pm, Jan Beulich wrote:
> On 28.10.2024 17:07, Andrew Cooper wrote:
>> On 28/10/2024 4:03 pm, Jan Beulich wrote:
>>> As with 9cbf61445cda ("xen/earlycpio: Drop nextoff parameter"): While
>>> this is imported from Linux, the parameter not being pointer-to-const is
>>> dubious in the first place and we're not plausibly going to gain a write
>>> through it.
>>>
>>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>> You haven't tried compiling this, have you?
> Of course I have. Is there any subtlety with compiler versions? Or what
> else am I missing?

struct cpio_data's copy of this field is non-const (which you keep on
noting that new compilers will object to), and you can't change that
without breaking the build in microcode.

Nothing of this form can be taken until the constness is consistent in
microcode, after which yes it can mostly become const.

~Andrew
Re: [PATCH] earlycpio: constify find_cpio_data()'s "data" parameter
Posted by Jan Beulich 3 weeks, 2 days ago
On 28.10.2024 17:18, Andrew Cooper wrote:
> On 28/10/2024 4:12 pm, Jan Beulich wrote:
>> On 28.10.2024 17:07, Andrew Cooper wrote:
>>> On 28/10/2024 4:03 pm, Jan Beulich wrote:
>>>> As with 9cbf61445cda ("xen/earlycpio: Drop nextoff parameter"): While
>>>> this is imported from Linux, the parameter not being pointer-to-const is
>>>> dubious in the first place and we're not plausibly going to gain a write
>>>> through it.
>>>>
>>>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>>> You haven't tried compiling this, have you?
>> Of course I have. Is there any subtlety with compiler versions? Or what
>> else am I missing?
> 
> struct cpio_data's copy of this field is non-const (which you keep on
> noting that new compilers will object to),

New compilers? I'm afraid I'm missing context. With gcc14 the patch builds
fine. I didn't try _older_ ones (but I see no reason why they might object;
see below).

> and you can't change that
> without breaking the build in microcode.

I don't need to change that, "thanks" to

			cd.data = (void *)dptr;

casting away const-ness. That is - compilers ought to be fine with the
change; Misra won't like it.

> Nothing of this form can be taken until the constness is consistent in
> microcode, after which yes it can mostly become const.

We can move there in steps, can't we?

Jan
Re: [PATCH] earlycpio: constify find_cpio_data()'s "data" parameter
Posted by Andrew Cooper 3 weeks, 2 days ago
On 28/10/2024 4:25 pm, Jan Beulich wrote:
> On 28.10.2024 17:18, Andrew Cooper wrote:
>> On 28/10/2024 4:12 pm, Jan Beulich wrote:
>>> On 28.10.2024 17:07, Andrew Cooper wrote:
>>>> On 28/10/2024 4:03 pm, Jan Beulich wrote:
>>>>> As with 9cbf61445cda ("xen/earlycpio: Drop nextoff parameter"): While
>>>>> this is imported from Linux, the parameter not being pointer-to-const is
>>>>> dubious in the first place and we're not plausibly going to gain a write
>>>>> through it.
>>>>>
>>>>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>>>> You haven't tried compiling this, have you?
>>> Of course I have. Is there any subtlety with compiler versions? Or what
>>> else am I missing?
>> struct cpio_data's copy of this field is non-const (which you keep on
>> noting that new compilers will object to),
> New compilers? I'm afraid I'm missing context. With gcc14 the patch builds
> fine. I didn't try _older_ ones (but I see no reason why they might object;
> see below).
>
>> and you can't change that
>> without breaking the build in microcode.
> I don't need to change that, "thanks" to
>
> 			cd.data = (void *)dptr;
>
> casting away const-ness. That is - compilers ought to be fine with the
> change; Misra won't like it.

You have literally complained about patches of mine on the grounds of
"GCC is about to start caring about casting away const on a void pointer".

So which is it.

>
>> Nothing of this form can be taken until the constness is consistent in
>> microcode, after which yes it can mostly become const.
> We can move there in steps, can't we?

Or you can stop trying to insist that I rebase around an
incorrect/incomplete patch, just for the sake of the const of one void
pointer, which can still be laundered by this function.

Especially when you could wait the ~day it will take to get an
otherwise-good series in, and then change cpio and get all of the const
problems in one go.

~Andrew
Re: [PATCH] earlycpio: constify find_cpio_data()'s "data" parameter
Posted by Jan Beulich 3 weeks, 2 days ago
On 28.10.2024 17:45, Andrew Cooper wrote:
> On 28/10/2024 4:25 pm, Jan Beulich wrote:
>> On 28.10.2024 17:18, Andrew Cooper wrote:
>>> On 28/10/2024 4:12 pm, Jan Beulich wrote:
>>>> On 28.10.2024 17:07, Andrew Cooper wrote:
>>>>> On 28/10/2024 4:03 pm, Jan Beulich wrote:
>>>>>> As with 9cbf61445cda ("xen/earlycpio: Drop nextoff parameter"): While
>>>>>> this is imported from Linux, the parameter not being pointer-to-const is
>>>>>> dubious in the first place and we're not plausibly going to gain a write
>>>>>> through it.
>>>>>>
>>>>>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
>>>>> You haven't tried compiling this, have you?
>>>> Of course I have. Is there any subtlety with compiler versions? Or what
>>>> else am I missing?
>>> struct cpio_data's copy of this field is non-const (which you keep on
>>> noting that new compilers will object to),
>> New compilers? I'm afraid I'm missing context. With gcc14 the patch builds
>> fine. I didn't try _older_ ones (but I see no reason why they might object;
>> see below).
>>
>>> and you can't change that
>>> without breaking the build in microcode.
>> I don't need to change that, "thanks" to
>>
>> 			cd.data = (void *)dptr;
>>
>> casting away const-ness. That is - compilers ought to be fine with the
>> change; Misra won't like it.
> 
> You have literally complained about patches of mine on the grounds of
> "GCC is about to start caring about casting away const on a void pointer".

I still don't remember what context this was in, I'm sorry.

> So which is it.

I'm not adding any such casts; the (potentially problematic) cast is
there already. I therefore still don't see what's wrong with the patch.

>>> Nothing of this form can be taken until the constness is consistent in
>>> microcode, after which yes it can mostly become const.
>> We can move there in steps, can't we?
> 
> Or you can stop trying to insist that I rebase around an
> incorrect/incomplete patch, just for the sake of the const of one void
> pointer, which can still be laundered by this function.

Okay, I won't insist; take my ack as an unconditional one. I still consider
it a bad precedent though that we'd set, when elsewhere we ask for const-
correctness wherever possible.

> Especially when you could wait the ~day it will take to get an
> otherwise-good series in, and then change cpio and get all of the const
> problems in one go.

If that turns out to be true, all will indeed be fine in the end. Question
is whether we really want to diverge earlycpio.c by more than minimal
changes.

Jan
Re: [PATCH] earlycpio: constify find_cpio_data()'s "data" parameter
Posted by Frediano Ziglio 3 weeks, 2 days ago
On Mon, Oct 28, 2024 at 4:51 PM Jan Beulich <jbeulich@suse.com> wrote:
>
> On 28.10.2024 17:45, Andrew Cooper wrote:
> > On 28/10/2024 4:25 pm, Jan Beulich wrote:
> >> On 28.10.2024 17:18, Andrew Cooper wrote:
> >>> On 28/10/2024 4:12 pm, Jan Beulich wrote:
> >>>> On 28.10.2024 17:07, Andrew Cooper wrote:
> >>>>> On 28/10/2024 4:03 pm, Jan Beulich wrote:
> >>>>>> As with 9cbf61445cda ("xen/earlycpio: Drop nextoff parameter"): While
> >>>>>> this is imported from Linux, the parameter not being pointer-to-const is
> >>>>>> dubious in the first place and we're not plausibly going to gain a write
> >>>>>> through it.
> >>>>>>
> >>>>>> Signed-off-by: Jan Beulich <jbeulich@suse.com>
> >>>>> You haven't tried compiling this, have you?
> >>>> Of course I have. Is there any subtlety with compiler versions? Or what
> >>>> else am I missing?
> >>> struct cpio_data's copy of this field is non-const (which you keep on
> >>> noting that new compilers will object to),
> >> New compilers? I'm afraid I'm missing context. With gcc14 the patch builds
> >> fine. I didn't try _older_ ones (but I see no reason why they might object;
> >> see below).
> >>
> >>> and you can't change that
> >>> without breaking the build in microcode.
> >> I don't need to change that, "thanks" to
> >>
> >>                      cd.data = (void *)dptr;
> >>
> >> casting away const-ness. That is - compilers ought to be fine with the
> >> change; Misra won't like it.
> >
> > You have literally complained about patches of mine on the grounds of
> > "GCC is about to start caring about casting away const on a void pointer".
>
> I still don't remember what context this was in, I'm sorry.
>
> > So which is it.
>
> I'm not adding any such casts; the (potentially problematic) cast is
> there already. I therefore still don't see what's wrong with the patch.
>

You usually don't want some const data to be silently transformed to
non-const data. In this case "find_cpio_data" is getting a non-const
pointer "data" and returning it in "cpio_data.data". As
"cpio_data.data" is non-const, by the previously stated rule the
initial data (that is, the "data" pointer) should not be const.

Internally you change from non-const to const with the assignment to
"p" and then "dptr". However, the "find_cpio_data" function has
knowledge of the original non-const pointer, so it uses that knowledge for the
non-const conversion done by "cd.data = (void *)dptr". That makes that
conversion less "silent".

> >>> Nothing of this form can be taken until the constness is consistent in
> >>> microcode, after which yes it can mostly become const.
> >> We can move there in steps, can't we?
> >
> > Or you can stop trying to insist that I rebase around an
> > incorrect/incomplete patch, just for the sake of the const of one void
> > pointer, which can still be laundered by this function.
>
> Okay, I won't insist; take my ack as unconditional one. I still consider
> it a bad precedent though that we'd set, when elsewhere we ask for const-
> correctness wherever possible.
>
> > Especially when you could wait the ~day it will take to get an
> > otherwise-good series in, and then change cpio and get all of the const
> > problems in one go.
>
> If that turns out to be true, all will indeed be fine in the end. Question
> is whether we really want to diverge earlycpio.c by more than minimal
> changes.
>
> Jan
>

Frediano
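A const-correct version of the lookup the thread argues about, added here as an example that is not Xen's or Linux's earlycpio code: it parses the "newc" header layout (the 110-byte header that the patched `cpio_header_len = 8*C_NFIELDS - 2` refers to) with both the `data` parameter and the `struct cpio_data` member declared `const void *`, so the result can be stored without any `(void *)` cast. The sample archive, the `MAX_CPIO_FILE_NAME` value and the simplified prefix-match semantics are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_CPIO_FILE_NAME 64
#define C_NFIELDS 14   /* "070701" magic (6 chars) plus 13 eight-digit hex fields */

struct cpio_data {     /* assumed const-correct layout: the returned view is read-only too */
    const void *data;
    size_t size;
    char name[MAX_CPIO_FILE_NAME];
};

static unsigned long hex8(const char *p)   /* parse one 8-digit ASCII hex header field */
{
    char t[9] = "";
    memcpy(t, p, 8);
    return strtoul(t, NULL, 16);
}

/* Return the first regular file whose name starts with path; cd.name holds the remainder. */
struct cpio_data find_cpio_data(const char *path, const void *data, size_t len)
{
    const size_t hlen = 8 * C_NFIELDS - 2;   /* 110-byte header, as in the patched source */
    const size_t plen = strlen(path);
    struct cpio_data cd = { NULL, 0, "" };
    const char *p = data;                    /* const is never cast away in this version */
    size_t off = 0;

    while (off + hlen <= len && !memcmp(p + off, "070701", 6)) {
        const char *h = p + off + 6, *name = p + off + hlen;
        size_t mode = hex8(h + 8), fsize = hex8(h + 48), nsize = hex8(h + 88); /* c_mode, c_filesize, c_namesize */
        size_t dstart = (off + hlen + nsize + 3) & ~(size_t)3;     /* payload is 4-byte aligned */
        if (off + hlen + nsize > len || dstart + fsize > len || !nsize || name[nsize - 1])
            break;                           /* truncated entry or name without its NUL */
        if (nsize == 11 && !memcmp(name, "TRAILER!!!", 11))
            break;
        if ((mode & 0170000) == 0100000 && nsize > plen && !memcmp(name, path, plen)) {
            cd.data = p + dstart;
            cd.size = fsize;
            strncpy(cd.name, name + plen, sizeof(cd.name) - 1);
            break;
        }
        off = (dstart + fsize + 3) & ~(size_t)3;
    }
    return cd;
}

#define Z "00000000"   /* an all-zero header field of the constructed sample below */
const char archive[] = /* constructed: regular file "hello" (mode 0100644) holding "xen!", then the trailer */
    "070701" Z "000081A4" Z Z "00000001" Z "00000004" Z Z Z Z "00000006" Z "hello\0" "xen!"
    "070701" Z Z Z Z "00000001" Z Z Z Z Z Z "0000000B" Z "TRAILER!!!\0" "\0\0\0";
```

Pass `sizeof(archive) - 1` as the length so the string literal's own terminating NUL is not counted as archive content.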