On Fri, Jan 19, 2018 at 10:18 AM, Linus Torvalds <torva...@linux-foundation.org> wrote: > On Fri, Jan 19, 2018 at 2:20 AM, Jann Horn <ja...@google.com> wrote: >>> + \ >>> + __u._ptr = _arr + (_i & _mask); \ >>> + __u._bit &= _mask; \ >> >> AFAICS, if `idx` is out of bounds, you first zero out the index >> (`_i & _mask`) and then immediately afterwards zero out >> the whole pointer (`_u._bit &= _mask`). >> Is there a reason for the `_i & _mask`, and if so, can you >> add a comment explaining that? > > I think that's just leftovers from my original (untested) thing that > also did the access itself. So that __u._bit masking wasn't masking > the pointer, it was masking the value that was *read* from the > pointer, so that you could know that an invalid access returned > 0/NULL, not just the first value in the array.
Yes, the index masking can be dropped since we're returning a sanitized array element pointer now.
