| Message ID | 20220926191109.1803094-1-keescook@chromium.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v2] overflow: Introduce overflows_type() and castable_to_type() | expand |
+ Arnd On Mon, Sep 26, 2022 at 12:11 PM Kees Cook <keescook@chromium.org> wrote: > --- > v2: > - fix comment typo > - wrap clang pragma to avoid GCC warnings > - style nit cleanups > - rename __castable_to_type() to castable_to_type() > - remove prior overflows_type() definition > v1: https://lore.kernel.org/lkml/20220926003743.409911-1-keescook@chromium.org > diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c > index f385ca652b74..fffc3f86181d 100644 > --- a/lib/overflow_kunit.c > +++ b/lib/overflow_kunit.c > @@ -16,6 +16,11 @@ > #include <linux/types.h> > #include <linux/vmalloc.h> > > +/* We're expecting to do a lot of "always true" or "always false" tests. */ > +#ifdef CONFIG_CC_IS_CLANG > +#pragma clang diagnostic ignored "-Wtautological-constant-out-of-range-compare" > +#endif Any chance we can reuse parts of __diag_ignore or __diag_clang from include/linux/compiler_types.h or include/linux/compiler-clang.h respectively? Those are needed for pragmas within preprocessor macros, which we don't have here, but I suspect they may be more concise to use here. > +#define TEST_SAME_TYPE(t1, t2, same) do { \ > + typeof(t1) __t1h = type_max(t1); \ > + typeof(t1) __t1l = type_min(t1); \ > + typeof(t2) __t2h = type_max(t2); \ > + typeof(t2) __t2l = type_min(t2); \ Can we use __auto_type here rather than typeof(macro expansion)?
On Mon, Sep 26, 2022 at 01:17:18PM -0700, Nick Desaulniers wrote: > + Arnd > > On Mon, Sep 26, 2022 at 12:11 PM Kees Cook <keescook@chromium.org> wrote: > > --- > > v2: > > - fix comment typo > > - wrap clang pragma to avoid GCC warnings > > - style nit cleanups > > - rename __castable_to_type() to castable_to_type() > > - remove prior overflows_type() definition > > v1: https://lore.kernel.org/lkml/20220926003743.409911-1-keescook@chromium.org > > diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c > > index f385ca652b74..fffc3f86181d 100644 > > --- a/lib/overflow_kunit.c > > +++ b/lib/overflow_kunit.c > > @@ -16,6 +16,11 @@ > > #include <linux/types.h> > > #include <linux/vmalloc.h> > > > > +/* We're expecting to do a lot of "always true" or "always false" tests. */ > > +#ifdef CONFIG_CC_IS_CLANG > > +#pragma clang diagnostic ignored "-Wtautological-constant-out-of-range-compare" > > +#endif > > Any chance we can reuse parts of __diag_ignore or __diag_clang from > include/linux/compiler_types.h or include/linux/compiler-clang.h > respectively? Hm, I'm not sure how those are supposed to be used. Those defines don't seem to be used externally? > Those are needed for pragmas within preprocessor macros, which we > don't have here, but I suspect they may be more concise to use here. Yeah, I was surprised when I had to wrap it in #ifdef given "clang" is part of the string. > > > +#define TEST_SAME_TYPE(t1, t2, same) do { \ > > + typeof(t1) __t1h = type_max(t1); \ > > + typeof(t1) __t1l = type_min(t1); \ > > + typeof(t2) __t2h = type_max(t2); \ > > + typeof(t2) __t2l = type_min(t2); \ > > Can we use __auto_type here rather than typeof(macro expansion)? I'd rather it stay explicit -- otherwise we start to wander into "oops, we got lucky" territory for what should be a really distinct test case.
On Mon, Sep 26, 2022, at 11:07 PM, Kees Cook wrote: > On Mon, Sep 26, 2022 at 01:17:18PM -0700, Nick Desaulniers wrote: >> + Arnd >> >> On Mon, Sep 26, 2022 at 12:11 PM Kees Cook <keescook@chromium.org> wrote: >> > --- >> > v2: >> > - fix comment typo >> > - wrap clang pragma to avoid GCC warnings >> > - style nit cleanups >> > - rename __castable_to_type() to castable_to_type() >> > - remove prior overflows_type() definition >> > v1: https://lore.kernel.org/lkml/20220926003743.409911-1-keescook@chromium.org >> > diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c >> > index f385ca652b74..fffc3f86181d 100644 >> > --- a/lib/overflow_kunit.c >> > +++ b/lib/overflow_kunit.c >> > @@ -16,6 +16,11 @@ >> > #include <linux/types.h> >> > #include <linux/vmalloc.h> >> > >> > +/* We're expecting to do a lot of "always true" or "always false" tests. */ >> > +#ifdef CONFIG_CC_IS_CLANG >> > +#pragma clang diagnostic ignored "-Wtautological-constant-out-of-range-compare" >> > +#endif >> >> Any chance we can reuse parts of __diag_ignore or __diag_clang from >> include/linux/compiler_types.h or include/linux/compiler-clang.h >> respectively? > > Hm, I'm not sure how those are supposed to be used. Those defines don't > seem to be used externally? We use them in a couple of places. When I originally introduced them, the idea was to add more infrastructure around these to replace the various -Wno-... flags in local makefiles with more targetted annotations, and then have a way to control the warning levels (W=1 W=2 E=1 etc) per directory and per file, but I never completed the work to add the interesting bits. >> Those are needed for pragmas within preprocessor macros, which we >> don't have here, but I suspect they may be more concise to use here. > > Yeah, I was surprised when I had to wrap it in #ifdef given "clang" is > part of the string. > >> >> > +#define TEST_SAME_TYPE(t1, t2, same) do { \ >> > + typeof(t1) __t1h = type_max(t1); \ >> > + typeof(t1) __t1l = type_min(t1); \ >> > + typeof(t2) __t2h = type_max(t2); \ >> > + typeof(t2) __t2l = type_min(t2); \ >> >> Can we use __auto_type here rather than typeof(macro expansion)? > > I'd rather it stay explicit -- otherwise we start to wander into "oops, > we got lucky" territory for what should be a really distinct test case. The idea of __auto_type is to avoid the more deeply nested macros. If the preprocessed file turns into an absolute mess, adding a temporary variable may help. Not sure if that applies here. Arnd
Hi Kees, Thanks for update it to v2. I'm leaving a comment because the patches this patch depends on aren't part of one of the series. If this patch alone is forwarded to the intel-gfx mailing, it will report a build issue. If this patch is only for review, please ignore my comments. In order to remove overflows_type() from the i915 gpu driver and add the updated overflows_type() to overflows.h, the following two patches must be applied first because of dependencies. "overflow: Allow mixed type arguments" [1][2] "overflow: Introduce check_assign() and check_assign_user_ptr()" [2] https://www.spinics.net/lists/kernel/msg4495457.html [1] https://patchwork.freedesktop.org/patch/504792/?series=109063&rev=1 [2] https://patchwork.freedesktop.org/patch/504791/?series=109063&rev=1 [3] br, G.G On 9/26/22 10:11 PM, Kees Cook wrote: > Implement a robust overflows_type() macro to test if a variable or > constant value would overflow another variable or type. This can be > used as a constant expression for static_assert() (which requires a > constant expression[1][2]) when used on constant values. This must be > constructed manually, since __builtin_add_overflow() does not produce > a constant expression[3]. > > Additionally adds castable_to_type(), similar to __same_type(), but for > checking if a constant value would overflow if cast to a given type. > > Add unit tests for overflows_type(), __same_type(), and castable_to_type() > to the existing KUnit "overflow" test. > > [1] https://en.cppreference.com/w/c/language/_Static_assert > [2] C11 standard (ISO/IEC 9899:2011): 6.7.10 Static assertions > [3] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html > 6.56 Built-in Functions to Perform Arithmetic with Overflow Checking > Built-in Function: bool __builtin_add_overflow (type1 a, type2 b, > > Cc: Luc Van Oostenryck <luc.vanoostenryck@gmail.com> > Cc: Nathan Chancellor <nathan@kernel.org> > Cc: Nick Desaulniers <ndesaulniers@google.com> > Cc: Tom Rix <trix@redhat.com> > Cc: Daniel Latypov <dlatypov@google.com> > Cc: Vitor Massaru Iha <vitor@massaru.org> > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org> > Cc: linux-hardening@vger.kernel.org > Cc: llvm@lists.linux.dev > Co-developed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com> > Signed-off-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com> > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > v2: > - fix comment typo > - wrap clang pragma to avoid GCC warnings > - style nit cleanups > - rename __castable_to_type() to castable_to_type() > - remove prior overflows_type() definition > v1: https://lore.kernel.org/lkml/20220926003743.409911-1-keescook@chromium.org > --- > drivers/gpu/drm/i915/i915_utils.h | 4 - > include/linux/compiler.h | 1 + > include/linux/overflow.h | 48 ++++ > lib/overflow_kunit.c | 388 +++++++++++++++++++++++++++++- > 4 files changed, 436 insertions(+), 5 deletions(-) > > diff --git a/drivers/gpu/drm/i915/i915_utils.h b/drivers/gpu/drm/i915/i915_utils.h > index c10d68cdc3ca..d14b7faee054 100644 > --- a/drivers/gpu/drm/i915/i915_utils.h > +++ b/drivers/gpu/drm/i915/i915_utils.h > @@ -111,10 +111,6 @@ bool i915_error_injected(void); > #define range_overflows_end_t(type, start, size, max) \ > range_overflows_end((type)(start), (type)(size), (type)(max)) > > -/* Note we don't consider signbits :| */ > -#define overflows_type(x, T) \ > - (sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T)) > - > #define ptr_mask_bits(ptr, n) ({ \ > unsigned long __v = (unsigned long)(ptr); \ > (typeof(ptr))(__v & -BIT(n)); \ > diff --git a/include/linux/compiler.h b/include/linux/compiler.h > index 7713d7bcdaea..c631107e93b1 100644 > --- a/include/linux/compiler.h > +++ b/include/linux/compiler.h > @@ -244,6 +244,7 @@ static inline void *offset_to_ptr(const int *off) > * bool and also pointer types. > */ > #define is_signed_type(type) (((type)(-1)) < (__force type)1) > +#define is_unsigned_type(type) (!is_signed_type(type)) > > /* > * This is needed in functions which generate the stack canary, see > diff --git a/include/linux/overflow.h b/include/linux/overflow.h > index 19dfdd74835e..58eb34aa2af9 100644 > --- a/include/linux/overflow.h > +++ b/include/linux/overflow.h > @@ -127,6 +127,54 @@ static inline bool __must_check __must_check_overflow(bool overflow) > (*_d >> _to_shift) != _a); \ > })) > > +#define __overflows_type_constexpr(x, T) ( \ > + is_unsigned_type(typeof(x)) ? \ > + (x) > type_max(typeof(T)) ? 1 : 0 \ > + : is_unsigned_type(typeof(T)) ? \ > + (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \ > + : (x) < type_min(typeof(T)) || \ > + (x) > type_max(typeof(T)) ? 1 : 0) > + > +#define __overflows_type(x, T) ({ \ > + typeof(T) v = 0; \ > + check_add_overflow((x), v, &v); \ > +}) > + > +/** > + * overflows_type - helper for checking the overflows between value, variables, > + * or data type > + * > + * @n: source constant value or variable to be checked > + * @T: destination variable or data type proposed to store @x > + * > + * Compares the @x expression for whether or not it can safely fit in > + * the storage of the type in @T. @x and @T can have different types. > + * If @x is a constant expression, this will also resolve to a constant > + * expression. > + * > + * Returns: true if overflow can occur, false otherwise. > + */ > +#define overflows_type(n, T) \ > + __builtin_choose_expr(__is_constexpr(n), \ > + __overflows_type_constexpr(n, T), \ > + __overflows_type(n, T)) > + > +/** > + * castable_to_type - like __same_type(), but also allows for casted literals > + * > + * @n: variable or constant value > + * @T: variable or data type > + * > + * Unlike the __same_type() macro, this allows a constant value as the > + * first argument. If this value would not overflow into an assignment > + * of the second argument's type, it returns true. Otherwise, this falls > + * back to __same_type(). > + */ > +#define castable_to_type(n, T) \ > + __builtin_choose_expr(__is_constexpr(n), \ > + !__overflows_type_constexpr(n, T), \ > + __same_type(n, T)) > + > /** > * size_mul() - Calculate size_t multiplication with saturation at SIZE_MAX > * > diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c > index f385ca652b74..fffc3f86181d 100644 > --- a/lib/overflow_kunit.c > +++ b/lib/overflow_kunit.c > @@ -16,6 +16,11 @@ > #include <linux/types.h> > #include <linux/vmalloc.h> > > +/* We're expecting to do a lot of "always true" or "always false" tests. */ > +#ifdef CONFIG_CC_IS_CLANG > +#pragma clang diagnostic ignored "-Wtautological-constant-out-of-range-compare" > +#endif > + > #define DEFINE_TEST_ARRAY_TYPED(t1, t2, t) \ > static const struct test_ ## t1 ## _ ## t2 ## __ ## t { \ > t1 a; \ > @@ -246,7 +251,7 @@ DEFINE_TEST_ARRAY(s64) = { > > #define DEFINE_TEST_FUNC_TYPED(n, t, fmt) \ > static void do_test_ ## n(struct kunit *test, const struct test_ ## n *p) \ > -{ \ > +{ \ > check_one_op(t, fmt, add, "+", p->a, p->b, p->sum, p->s_of); \ > check_one_op(t, fmt, add, "+", p->b, p->a, p->sum, p->s_of); \ > check_one_op(t, fmt, sub, "-", p->a, p->b, p->diff, p->d_of); \ > @@ -708,6 +713,384 @@ static void overflow_size_helpers_test(struct kunit *test) > #undef check_one_size_helper > } > > +static void overflows_type_test(struct kunit *test) > +{ > + int count = 0; > + unsigned int var; > + > +#define __TEST_OVERFLOWS_TYPE(func, arg1, arg2, of) do { \ > + bool __of = func(arg1, arg2); \ > + KUNIT_EXPECT_EQ_MSG(test, __of, of, \ > + "expected " #func "(" #arg1 ", " #arg2 " to%s overflow\n",\ > + of ? "" : " not"); \ > + count++; \ > +} while (0) > + > +/* Args are: first type, second type, value, overflow expected */ > +#define TEST_OVERFLOWS_TYPE(__t1, __t2, v, of) do { \ > + __t1 t1 = (v); \ > + __t2 t2; \ > + __TEST_OVERFLOWS_TYPE(__overflows_type, t1, t2, of); \ > + __TEST_OVERFLOWS_TYPE(__overflows_type, t1, __t2, of); \ > + __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, t2, of); \ > + __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, __t2, of);\ > +} while (0) > + > + TEST_OVERFLOWS_TYPE(u8, u8, U8_MAX, false); > + TEST_OVERFLOWS_TYPE(u8, u16, U8_MAX, false); > + TEST_OVERFLOWS_TYPE(u8, s8, U8_MAX, true); > + TEST_OVERFLOWS_TYPE(u8, s8, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(u8, s8, (u8)S8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u8, s16, U8_MAX, false); > + TEST_OVERFLOWS_TYPE(s8, u8, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(s8, u8, -1, true); > + TEST_OVERFLOWS_TYPE(s8, u8, S8_MIN, true); > + TEST_OVERFLOWS_TYPE(s8, u16, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(s8, u16, -1, true); > + TEST_OVERFLOWS_TYPE(s8, u16, S8_MIN, true); > + TEST_OVERFLOWS_TYPE(s8, u32, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(s8, u32, -1, true); > + TEST_OVERFLOWS_TYPE(s8, u32, S8_MIN, true); > +#if BITS_PER_LONG == 64 > + TEST_OVERFLOWS_TYPE(s8, u64, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(s8, u64, -1, true); > + TEST_OVERFLOWS_TYPE(s8, u64, S8_MIN, true); > +#endif > + TEST_OVERFLOWS_TYPE(s8, s8, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(s8, s8, S8_MIN, false); > + TEST_OVERFLOWS_TYPE(s8, s16, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(s8, s16, S8_MIN, false); > + TEST_OVERFLOWS_TYPE(u16, u8, U8_MAX, false); > + TEST_OVERFLOWS_TYPE(u16, u8, (u16)U8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u16, u8, U16_MAX, true); > + TEST_OVERFLOWS_TYPE(u16, s8, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(u16, s8, (u16)S8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u16, s8, U16_MAX, true); > + TEST_OVERFLOWS_TYPE(u16, s16, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(u16, s16, (u16)S16_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u16, s16, U16_MAX, true); > + TEST_OVERFLOWS_TYPE(u16, u32, U16_MAX, false); > + TEST_OVERFLOWS_TYPE(u16, s32, U16_MAX, false); > + TEST_OVERFLOWS_TYPE(s16, u8, U8_MAX, false); > + TEST_OVERFLOWS_TYPE(s16, u8, (s16)U8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s16, u8, -1, true); > + TEST_OVERFLOWS_TYPE(s16, u8, S16_MIN, true); > + TEST_OVERFLOWS_TYPE(s16, u16, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(s16, u16, -1, true); > + TEST_OVERFLOWS_TYPE(s16, u16, S16_MIN, true); > + TEST_OVERFLOWS_TYPE(s16, u32, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(s16, u32, -1, true); > + TEST_OVERFLOWS_TYPE(s16, u32, S16_MIN, true); > +#if BITS_PER_LONG == 64 > + TEST_OVERFLOWS_TYPE(s16, u64, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(s16, u64, -1, true); > + TEST_OVERFLOWS_TYPE(s16, u64, S16_MIN, true); > +#endif > + TEST_OVERFLOWS_TYPE(s16, s8, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(s16, s8, S8_MIN, false); > + TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MIN - 1, true); > + TEST_OVERFLOWS_TYPE(s16, s8, S16_MAX, true); > + TEST_OVERFLOWS_TYPE(s16, s8, S16_MIN, true); > + TEST_OVERFLOWS_TYPE(s16, s16, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(s16, s16, S16_MIN, false); > + TEST_OVERFLOWS_TYPE(s16, s32, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(s16, s32, S16_MIN, false); > + TEST_OVERFLOWS_TYPE(u32, u8, U8_MAX, false); > + TEST_OVERFLOWS_TYPE(u32, u8, (u32)U8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u32, u8, U32_MAX, true); > + TEST_OVERFLOWS_TYPE(u32, s8, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(u32, s8, (u32)S8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u32, s8, U32_MAX, true); > + TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX, false); > + TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u32, u16, U32_MAX, true); > + TEST_OVERFLOWS_TYPE(u32, s16, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(u32, s16, (u32)S16_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u32, s16, U32_MAX, true); > + TEST_OVERFLOWS_TYPE(u32, u32, U32_MAX, false); > + TEST_OVERFLOWS_TYPE(u32, s32, S32_MAX, false); > + TEST_OVERFLOWS_TYPE(u32, s32, U32_MAX, true); > + TEST_OVERFLOWS_TYPE(u32, s32, (u32)S32_MAX + 1, true); > +#if BITS_PER_LONG == 64 > + TEST_OVERFLOWS_TYPE(u32, u64, U32_MAX, false); > + TEST_OVERFLOWS_TYPE(u32, s64, U32_MAX, false); > +#endif > + TEST_OVERFLOWS_TYPE(s32, u8, U8_MAX, false); > + TEST_OVERFLOWS_TYPE(s32, u8, (s32)U8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true); > + TEST_OVERFLOWS_TYPE(s32, u8, -1, true); > + TEST_OVERFLOWS_TYPE(s32, u8, S32_MIN, true); > + TEST_OVERFLOWS_TYPE(s32, u16, U16_MAX, false); > + TEST_OVERFLOWS_TYPE(s32, u16, (s32)U16_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true); > + TEST_OVERFLOWS_TYPE(s32, u16, -1, true); > + TEST_OVERFLOWS_TYPE(s32, u16, S32_MIN, true); > + TEST_OVERFLOWS_TYPE(s32, u32, S32_MAX, false); > + TEST_OVERFLOWS_TYPE(s32, u32, -1, true); > + TEST_OVERFLOWS_TYPE(s32, u32, S32_MIN, true); > +#if BITS_PER_LONG == 64 > + TEST_OVERFLOWS_TYPE(s32, u64, S32_MAX, false); > + TEST_OVERFLOWS_TYPE(s32, u64, -1, true); > + TEST_OVERFLOWS_TYPE(s32, u64, S32_MIN, true); > +#endif > + TEST_OVERFLOWS_TYPE(s32, s8, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(s32, s8, S8_MIN, false); > + TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MIN - 1, true); > + TEST_OVERFLOWS_TYPE(s32, s8, S32_MAX, true); > + TEST_OVERFLOWS_TYPE(s32, s8, S32_MIN, true); > + TEST_OVERFLOWS_TYPE(s32, s16, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(s32, s16, S16_MIN, false); > + TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MIN - 1, true); > + TEST_OVERFLOWS_TYPE(s32, s16, S32_MAX, true); > + TEST_OVERFLOWS_TYPE(s32, s16, S32_MIN, true); > + TEST_OVERFLOWS_TYPE(s32, s32, S32_MAX, false); > + TEST_OVERFLOWS_TYPE(s32, s32, S32_MIN, false); > +#if BITS_PER_LONG == 64 > + TEST_OVERFLOWS_TYPE(s32, s64, S32_MAX, false); > + TEST_OVERFLOWS_TYPE(s32, s64, S32_MIN, false); > + TEST_OVERFLOWS_TYPE(u64, u8, U64_MAX, true); > + TEST_OVERFLOWS_TYPE(u64, u8, U8_MAX, false); > + TEST_OVERFLOWS_TYPE(u64, u8, (u64)U8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u64, u16, U64_MAX, true); > + TEST_OVERFLOWS_TYPE(u64, u16, U16_MAX, false); > + TEST_OVERFLOWS_TYPE(u64, u16, (u64)U16_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u64, u32, U64_MAX, true); > + TEST_OVERFLOWS_TYPE(u64, u32, U32_MAX, false); > + TEST_OVERFLOWS_TYPE(u64, u32, (u64)U32_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u64, u64, U64_MAX, false); > + TEST_OVERFLOWS_TYPE(u64, s8, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(u64, s8, (u64)S8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u64, s8, U64_MAX, true); > + TEST_OVERFLOWS_TYPE(u64, s16, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(u64, s16, (u64)S16_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u64, s16, U64_MAX, true); > + TEST_OVERFLOWS_TYPE(u64, s32, S32_MAX, false); > + TEST_OVERFLOWS_TYPE(u64, s32, (u64)S32_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u64, s32, U64_MAX, true); > + TEST_OVERFLOWS_TYPE(u64, s64, S64_MAX, false); > + TEST_OVERFLOWS_TYPE(u64, s64, U64_MAX, true); > + TEST_OVERFLOWS_TYPE(u64, s64, (u64)S64_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s64, u8, S64_MAX, true); > + TEST_OVERFLOWS_TYPE(s64, u8, S64_MIN, true); > + TEST_OVERFLOWS_TYPE(s64, u8, -1, true); > + TEST_OVERFLOWS_TYPE(s64, u8, U8_MAX, false); > + TEST_OVERFLOWS_TYPE(s64, u8, (s64)U8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s64, u16, S64_MAX, true); > + TEST_OVERFLOWS_TYPE(s64, u16, S64_MIN, true); > + TEST_OVERFLOWS_TYPE(s64, u16, -1, true); > + TEST_OVERFLOWS_TYPE(s64, u16, U16_MAX, false); > + TEST_OVERFLOWS_TYPE(s64, u16, (s64)U16_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s64, u32, S64_MAX, true); > + TEST_OVERFLOWS_TYPE(s64, u32, S64_MIN, true); > + TEST_OVERFLOWS_TYPE(s64, u32, -1, true); > + TEST_OVERFLOWS_TYPE(s64, u32, U32_MAX, false); > + TEST_OVERFLOWS_TYPE(s64, u32, (s64)U32_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s64, u64, S64_MAX, false); > + TEST_OVERFLOWS_TYPE(s64, u64, S64_MIN, true); > + TEST_OVERFLOWS_TYPE(s64, u64, -1, true); > + TEST_OVERFLOWS_TYPE(s64, s8, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(s64, s8, S8_MIN, false); > + TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MIN - 1, true); > + TEST_OVERFLOWS_TYPE(s64, s8, S64_MAX, true); > + TEST_OVERFLOWS_TYPE(s64, s16, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(s64, s16, S16_MIN, false); > + TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MIN - 1, true); > + TEST_OVERFLOWS_TYPE(s64, s16, S64_MAX, true); > + TEST_OVERFLOWS_TYPE(s64, s32, S32_MAX, false); > + TEST_OVERFLOWS_TYPE(s64, s32, S32_MIN, false); > + TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MIN - 1, true); > + TEST_OVERFLOWS_TYPE(s64, s32, S64_MAX, true); > + TEST_OVERFLOWS_TYPE(s64, s64, S64_MAX, false); > + TEST_OVERFLOWS_TYPE(s64, s64, S64_MIN, false); > +#endif > + > + /* Check for macro side-effects. */ > + var = INT_MAX - 1; > + __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false); > + __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false); > + __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, true); > + var = INT_MAX - 1; > + __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false); > + __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false); > + __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, true); > + > + kunit_info(test, "%d overflows_type() tests finished\n", count); > +#undef TEST_OVERFLOWS_TYPE > +#undef __TEST_OVERFLOWS_TYPE > +} > + > +static void same_type_test(struct kunit *test) > +{ > + int count = 0; > + int var; > + > +#define TEST_SAME_TYPE(t1, t2, same) do { \ > + typeof(t1) __t1h = type_max(t1); \ > + typeof(t1) __t1l = type_min(t1); \ > + typeof(t2) __t2h = type_max(t2); \ > + typeof(t2) __t2l = type_min(t2); \ > + KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1h)); \ > + KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1l)); \ > + KUNIT_EXPECT_EQ(test, true, __same_type(__t1h, t1)); \ > + KUNIT_EXPECT_EQ(test, true, __same_type(__t1l, t1)); \ > + KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2h)); \ > + KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2l)); \ > + KUNIT_EXPECT_EQ(test, true, __same_type(__t2h, t2)); \ > + KUNIT_EXPECT_EQ(test, true, __same_type(__t2l, t2)); \ > + KUNIT_EXPECT_EQ(test, same, __same_type(t1, t2)); \ > + KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1h)); \ > + KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1l)); \ > + KUNIT_EXPECT_EQ(test, same, __same_type(__t1h, t2)); \ > + KUNIT_EXPECT_EQ(test, same, __same_type(__t1l, t2)); \ > + KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2h)); \ > + KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2l)); \ > + KUNIT_EXPECT_EQ(test, same, __same_type(__t2h, t1)); \ > + KUNIT_EXPECT_EQ(test, same, __same_type(__t2l, t1)); \ > +} while (0) > + > +#if BITS_PER_LONG == 64 > +# define TEST_SAME_TYPE64(base, t, m) TEST_SAME_TYPE(base, t, m) > +#else > +# define TEST_SAME_TYPE64(base, t, m) do { } while (0) > +#endif > + > +#define TEST_TYPE_SETS(base, mu8, mu16, mu32, ms8, ms16, ms32, mu64, ms64) \ > +do { \ > + TEST_SAME_TYPE(base, u8, mu8); \ > + TEST_SAME_TYPE(base, u16, mu16); \ > + TEST_SAME_TYPE(base, u32, mu32); \ > + TEST_SAME_TYPE(base, s8, ms8); \ > + TEST_SAME_TYPE(base, s16, ms16); \ > + TEST_SAME_TYPE(base, s32, ms32); \ > + TEST_SAME_TYPE64(base, u64, mu64); \ > + TEST_SAME_TYPE64(base, s64, ms64); \ > +} while (0) > + > + TEST_TYPE_SETS(u8, true, false, false, false, false, false, false, false); > + TEST_TYPE_SETS(u16, false, true, false, false, false, false, false, false); > + TEST_TYPE_SETS(u32, false, false, true, false, false, false, false, false); > + TEST_TYPE_SETS(s8, false, false, false, true, false, false, false, false); > + TEST_TYPE_SETS(s16, false, false, false, false, true, false, false, false); > + TEST_TYPE_SETS(s32, false, false, false, false, false, true, false, false); > +#if BITS_PER_LONG == 64 > + TEST_TYPE_SETS(u64, false, false, false, false, false, false, true, false); > + TEST_TYPE_SETS(s64, false, false, false, false, false, false, false, true); > +#endif > + > + /* Check for macro side-effects. */ > + var = 4; > + KUNIT_EXPECT_EQ(test, var, 4); > + KUNIT_EXPECT_TRUE(test, __same_type(var++, int)); > + KUNIT_EXPECT_EQ(test, var, 4); > + KUNIT_EXPECT_TRUE(test, __same_type(int, var++)); > + KUNIT_EXPECT_EQ(test, var, 4); > + KUNIT_EXPECT_TRUE(test, __same_type(var++, var++)); > + KUNIT_EXPECT_EQ(test, var, 4); > + > + kunit_info(test, "%d __same_type() tests finished\n", count); > + > +#undef TEST_TYPE_SETS > +#undef TEST_SAME_TYPE64 > +#undef TEST_SAME_TYPE > +} > + > +static void castable_to_type_test(struct kunit *test) > +{ > + int count = 0; > + > +#define TEST_CASTABLE_TO_TYPE(arg1, arg2, pass) do { \ > + bool __pass = castable_to_type(arg1, arg2); \ > + KUNIT_EXPECT_EQ_MSG(test, __pass, pass, \ > + "expected castable_to_type(" #arg1 ", " #arg2 ") to%s pass\n",\ > + pass ? "" : " not"); \ > + count++; \ > +} while (0) > + > + TEST_CASTABLE_TO_TYPE(16, u8, true); > + TEST_CASTABLE_TO_TYPE(16, u16, true); > + TEST_CASTABLE_TO_TYPE(16, u32, true); > + TEST_CASTABLE_TO_TYPE(16, s8, true); > + TEST_CASTABLE_TO_TYPE(16, s16, true); > + TEST_CASTABLE_TO_TYPE(16, s32, true); > + TEST_CASTABLE_TO_TYPE(-16, s8, true); > + TEST_CASTABLE_TO_TYPE(-16, s16, true); > + TEST_CASTABLE_TO_TYPE(-16, s32, true); > +#if BITS_PER_LONG == 64 > + TEST_CASTABLE_TO_TYPE(16, u64, true); > + TEST_CASTABLE_TO_TYPE(-16, s64, true); > +#endif > + > +#define TEST_CASTABLE_TO_TYPE_VAR(width) do { \ > + u ## width u ## width ## var = 0; \ > + s ## width s ## width ## var = 0; \ > + \ > + /* Constant expressions that fit types. */ \ > + TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width, true); \ > + TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width, true); \ > + TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width ## var, true); \ > + TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width ## var, true); \ > + TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width, true); \ > + TEST_CASTABLE_TO_TYPE(type_min(s ## width), s ## width, true); \ > + TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width ## var, true); \ > + TEST_CASTABLE_TO_TYPE(type_min(u ## width), s ## width ## var, true); \ > + /* Constant expressions that do not fit types. */ \ > + TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width, false); \ > + TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width ## var, false); \ > + TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width, false); \ > + TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width ## var, false); \ > + /* Non-constant expression with mismatched type. */ \ > + TEST_CASTABLE_TO_TYPE(s ## width ## var, u ## width, false); \ > + TEST_CASTABLE_TO_TYPE(u ## width ## var, s ## width, false); \ > +} while (0) > + > +#define TEST_CASTABLE_TO_TYPE_RANGE(width) do { \ > + unsigned long big = U ## width ## _MAX; \ > + signed long small = S ## width ## _MIN; \ > + u ## width u ## width ## var = 0; \ > + s ## width s ## width ## var = 0; \ > + \ > + /* Constant expression in range. */ \ > + TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width, true); \ > + TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width ## var, true); \ > + TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width, true); \ > + TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width ## var, true); \ > + /* Constant expression out of range. */ \ > + TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width, false); \ > + TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width ## var, false); \ > + TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width, false); \ > + TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width ## var, false); \ > + /* Non-constant expression with mismatched type. */ \ > + TEST_CASTABLE_TO_TYPE(big, u ## width, false); \ > + TEST_CASTABLE_TO_TYPE(big, u ## width ## var, false); \ > + TEST_CASTABLE_TO_TYPE(small, s ## width, false); \ > + TEST_CASTABLE_TO_TYPE(small, s ## width ## var, false); \ > +} while (0) > + > + TEST_CASTABLE_TO_TYPE_VAR(8); > + TEST_CASTABLE_TO_TYPE_VAR(16); > + TEST_CASTABLE_TO_TYPE_VAR(32); > +#if BITS_PER_LONG == 64 > + TEST_CASTABLE_TO_TYPE_VAR(64); > +#endif > + > + TEST_CASTABLE_TO_TYPE_RANGE(8); > + TEST_CASTABLE_TO_TYPE_RANGE(16); > +#if BITS_PER_LONG == 64 > + TEST_CASTABLE_TO_TYPE_RANGE(32); > +#endif > + kunit_info(test, "%d castable_to_type() tests finished\n", count); > + > +#undef TEST_CASTABLE_TO_TYPE_RANGE > +#undef TEST_CASTABLE_TO_TYPE_VAR > +#undef TEST_CASTABLE_TO_TYPE > +} > + > static struct kunit_case overflow_test_cases[] = { > KUNIT_CASE(u8_u8__u8_overflow_test), > KUNIT_CASE(s8_s8__s8_overflow_test), > @@ -730,6 +1113,9 @@ static struct kunit_case overflow_test_cases[] = { > KUNIT_CASE(shift_nonsense_test), > KUNIT_CASE(overflow_allocation_test), > KUNIT_CASE(overflow_size_helpers_test), > + KUNIT_CASE(overflows_type_test), > + KUNIT_CASE(same_type_test), > + KUNIT_CASE(castable_to_type_test), > {} > }; >
Hi Kees,
I love your patch! Yet something to improve:
[auto build test ERROR on kees/for-next/hardening]
[also build test ERROR on next-20220927]
[cannot apply to drm-tip/drm-tip drm-intel/for-linux-next drm-misc/drm-misc-next linus/master v6.0-rc7]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Kees-Cook/overflow-Introduce-overflows_type-and-castable_to_type/20220927-094847
base: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/hardening
config: x86_64-rhel-8.3-func
compiler: gcc-11 (Debian 11.3.0-5) 11.3.0
reproduce (this is a W=1 build):
# https://github.com/intel-lab-lkp/linux/commit/ffc9129a19eb65b2d20780558b0c1af24d66434a
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Kees-Cook/overflow-Introduce-overflows_type-and-castable_to_type/20220927-094847
git checkout ffc9129a19eb65b2d20780558b0c1af24d66434a
# save the config file
mkdir build_dir && cp config build_dir/.config
make W=1 O=build_dir ARCH=x86_64 SHELL=/bin/bash drivers/gpu/drm/i915/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
In file included from drivers/gpu/drm/i915/i915_utils.h:29,
from drivers/gpu/drm/i915/i915_user_extensions.c:14:
drivers/gpu/drm/i915/i915_user_extensions.c: In function 'i915_user_extensions':
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'long unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| long unsigned int
include/linux/overflow.h:34:27: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:132:23: note: in expansion of macro 'type_max'
132 | (x) > type_max(typeof(T)) ? 1 : 0 \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'long unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| long unsigned int
include/linux/overflow.h:34:53: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:132:23: note: in expansion of macro 'type_max'
132 | (x) > type_max(typeof(T)) ? 1 : 0 \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'long unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| long unsigned int
include/linux/overflow.h:34:27: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:134:34: note: in expansion of macro 'type_max'
134 | (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'long unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| long unsigned int
include/linux/overflow.h:34:53: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:134:34: note: in expansion of macro 'type_max'
134 | (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'long unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| long unsigned int
include/linux/overflow.h:34:27: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:35:30: note: in expansion of macro 'type_max'
35 | #define type_min(T) ((T)((T)-type_max(T)-(T)1))
| ^~~~~~~~
include/linux/overflow.h:135:25: note: in expansion of macro 'type_min'
135 | : (x) < type_min(typeof(T)) || \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'long unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| long unsigned int
include/linux/overflow.h:34:53: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:35:30: note: in expansion of macro 'type_max'
35 | #define type_min(T) ((T)((T)-type_max(T)-(T)1))
| ^~~~~~~~
include/linux/overflow.h:135:25: note: in expansion of macro 'type_min'
135 | : (x) < type_min(typeof(T)) || \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'long unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| long unsigned int
include/linux/overflow.h:34:27: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:136:25: note: in expansion of macro 'type_max'
136 | (x) > type_max(typeof(T)) ? 1 : 0)
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'long unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| long unsigned int
include/linux/overflow.h:34:53: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:136:25: note: in expansion of macro 'type_max'
136 | (x) > type_max(typeof(T)) ? 1 : 0)
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> drivers/gpu/drm/i915/i915_user_extensions.c:54:21: error: argument 2 in call to function '__builtin_add_overflow' does not have integral type
vim +33 include/linux/overflow.h
f0907827a8a915 Rasmus Villemoes 2018-05-08 8
f0907827a8a915 Rasmus Villemoes 2018-05-08 9 /*
4eb6bd55cfb22f Nick Desaulniers 2021-09-10 10 * We need to compute the minimum and maximum values representable in a given
4eb6bd55cfb22f Nick Desaulniers 2021-09-10 11 * type. These macros may also be useful elsewhere. It would seem more obvious
4eb6bd55cfb22f Nick Desaulniers 2021-09-10 12 * to do something like:
f0907827a8a915 Rasmus Villemoes 2018-05-08 13 *
f0907827a8a915 Rasmus Villemoes 2018-05-08 14 * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0)
f0907827a8a915 Rasmus Villemoes 2018-05-08 15 * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0)
f0907827a8a915 Rasmus Villemoes 2018-05-08 16 *
f0907827a8a915 Rasmus Villemoes 2018-05-08 17 * Unfortunately, the middle expressions, strictly speaking, have
f0907827a8a915 Rasmus Villemoes 2018-05-08 18 * undefined behaviour, and at least some versions of gcc warn about
f0907827a8a915 Rasmus Villemoes 2018-05-08 19 * the type_max expression (but not if -fsanitize=undefined is in
f0907827a8a915 Rasmus Villemoes 2018-05-08 20 * effect; in that case, the warning is deferred to runtime...).
f0907827a8a915 Rasmus Villemoes 2018-05-08 21 *
f0907827a8a915 Rasmus Villemoes 2018-05-08 22 * The slightly excessive casting in type_min is to make sure the
f0907827a8a915 Rasmus Villemoes 2018-05-08 23 * macros also produce sensible values for the exotic type _Bool. [The
f0907827a8a915 Rasmus Villemoes 2018-05-08 24 * overflow checkers only almost work for _Bool, but that's
f0907827a8a915 Rasmus Villemoes 2018-05-08 25 * a-feature-not-a-bug, since people shouldn't be doing arithmetic on
f0907827a8a915 Rasmus Villemoes 2018-05-08 26 * _Bools. Besides, the gcc builtins don't allow _Bool* as third
f0907827a8a915 Rasmus Villemoes 2018-05-08 27 * argument.]
f0907827a8a915 Rasmus Villemoes 2018-05-08 28 *
f0907827a8a915 Rasmus Villemoes 2018-05-08 29 * Idea stolen from
f0907827a8a915 Rasmus Villemoes 2018-05-08 30 * https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html -
f0907827a8a915 Rasmus Villemoes 2018-05-08 31 * credit to Christian Biere.
f0907827a8a915 Rasmus Villemoes 2018-05-08 32 */
f0907827a8a915 Rasmus Villemoes 2018-05-08 @33 #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
f0907827a8a915 Rasmus Villemoes 2018-05-08 34 #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
f0907827a8a915 Rasmus Villemoes 2018-05-08 35 #define type_min(T) ((T)((T)-type_max(T)-(T)1))
f0907827a8a915 Rasmus Villemoes 2018-05-08 36
Hi Kees, To check the intel-gfx ci results and test results from other mailing lists, I have rebased this patch and included it in this series [1]. [1] https://patchwork.freedesktop.org/series/109169/ G.G On 9/26/22 10:11 PM, Kees Cook wrote: > Implement a robust overflows_type() macro to test if a variable or > constant value would overflow another variable or type. This can be > used as a constant expression for static_assert() (which requires a > constant expression[1][2]) when used on constant values. This must be > constructed manually, since __builtin_add_overflow() does not produce > a constant expression[3]. > > Additionally adds castable_to_type(), similar to __same_type(), but for > checking if a constant value would overflow if cast to a given type. > > Add unit tests for overflows_type(), __same_type(), and castable_to_type() > to the existing KUnit "overflow" test. > > [1] https://en.cppreference.com/w/c/language/_Static_assert > [2] C11 standard (ISO/IEC 9899:2011): 6.7.10 Static assertions > [3] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html > 6.56 Built-in Functions to Perform Arithmetic with Overflow Checking > Built-in Function: bool __builtin_add_overflow (type1 a, type2 b, > > Cc: Luc Van Oostenryck <luc.vanoostenryck@gmail.com> > Cc: Nathan Chancellor <nathan@kernel.org> > Cc: Nick Desaulniers <ndesaulniers@google.com> > Cc: Tom Rix <trix@redhat.com> > Cc: Daniel Latypov <dlatypov@google.com> > Cc: Vitor Massaru Iha <vitor@massaru.org> > Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org> > Cc: linux-hardening@vger.kernel.org > Cc: llvm@lists.linux.dev > Co-developed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com> > Signed-off-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com> > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > v2: > - fix comment typo > - wrap clang pragma to avoid GCC warnings > - style nit cleanups > - rename __castable_to_type() to castable_to_type() > - remove prior overflows_type() definition > v1: https://lore.kernel.org/lkml/20220926003743.409911-1-keescook@chromium.org > --- > drivers/gpu/drm/i915/i915_utils.h | 4 - > include/linux/compiler.h | 1 + > include/linux/overflow.h | 48 ++++ > lib/overflow_kunit.c | 388 +++++++++++++++++++++++++++++- > 4 files changed, 436 insertions(+), 5 deletions(-) > > diff --git a/drivers/gpu/drm/i915/i915_utils.h b/drivers/gpu/drm/i915/i915_utils.h > index c10d68cdc3ca..d14b7faee054 100644 > --- a/drivers/gpu/drm/i915/i915_utils.h > +++ b/drivers/gpu/drm/i915/i915_utils.h > @@ -111,10 +111,6 @@ bool i915_error_injected(void); > #define range_overflows_end_t(type, start, size, max) \ > range_overflows_end((type)(start), (type)(size), (type)(max)) > > -/* Note we don't consider signbits :| */ > -#define overflows_type(x, T) \ > - (sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T)) > - > #define ptr_mask_bits(ptr, n) ({ \ > unsigned long __v = (unsigned long)(ptr); \ > (typeof(ptr))(__v & -BIT(n)); \ > diff --git a/include/linux/compiler.h b/include/linux/compiler.h > index 7713d7bcdaea..c631107e93b1 100644 > --- a/include/linux/compiler.h > +++ b/include/linux/compiler.h > @@ -244,6 +244,7 @@ static inline void *offset_to_ptr(const int *off) > * bool and also pointer types. > */ > #define is_signed_type(type) (((type)(-1)) < (__force type)1) > +#define is_unsigned_type(type) (!is_signed_type(type)) > > /* > * This is needed in functions which generate the stack canary, see > diff --git a/include/linux/overflow.h b/include/linux/overflow.h > index 19dfdd74835e..58eb34aa2af9 100644 > --- a/include/linux/overflow.h > +++ b/include/linux/overflow.h > @@ -127,6 +127,54 @@ static inline bool __must_check __must_check_overflow(bool overflow) > (*_d >> _to_shift) != _a); \ > })) > > +#define __overflows_type_constexpr(x, T) ( \ > + is_unsigned_type(typeof(x)) ? \ > + (x) > type_max(typeof(T)) ? 1 : 0 \ > + : is_unsigned_type(typeof(T)) ? \ > + (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \ > + : (x) < type_min(typeof(T)) || \ > + (x) > type_max(typeof(T)) ? 1 : 0) > + > +#define __overflows_type(x, T) ({ \ > + typeof(T) v = 0; \ > + check_add_overflow((x), v, &v); \ > +}) > + > +/** > + * overflows_type - helper for checking the overflows between value, variables, > + * or data type > + * > + * @n: source constant value or variable to be checked > + * @T: destination variable or data type proposed to store @x > + * > + * Compares the @x expression for whether or not it can safely fit in > + * the storage of the type in @T. @x and @T can have different types. > + * If @x is a constant expression, this will also resolve to a constant > + * expression. > + * > + * Returns: true if overflow can occur, false otherwise. > + */ > +#define overflows_type(n, T) \ > + __builtin_choose_expr(__is_constexpr(n), \ > + __overflows_type_constexpr(n, T), \ > + __overflows_type(n, T)) > + > +/** > + * castable_to_type - like __same_type(), but also allows for casted literals > + * > + * @n: variable or constant value > + * @T: variable or data type > + * > + * Unlike the __same_type() macro, this allows a constant value as the > + * first argument. If this value would not overflow into an assignment > + * of the second argument's type, it returns true. Otherwise, this falls > + * back to __same_type(). > + */ > +#define castable_to_type(n, T) \ > + __builtin_choose_expr(__is_constexpr(n), \ > + !__overflows_type_constexpr(n, T), \ > + __same_type(n, T)) > + > /** > * size_mul() - Calculate size_t multiplication with saturation at SIZE_MAX > * > diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c > index f385ca652b74..fffc3f86181d 100644 > --- a/lib/overflow_kunit.c > +++ b/lib/overflow_kunit.c > @@ -16,6 +16,11 @@ > #include <linux/types.h> > #include <linux/vmalloc.h> > > +/* We're expecting to do a lot of "always true" or "always false" tests. */ > +#ifdef CONFIG_CC_IS_CLANG > +#pragma clang diagnostic ignored "-Wtautological-constant-out-of-range-compare" > +#endif > + > #define DEFINE_TEST_ARRAY_TYPED(t1, t2, t) \ > static const struct test_ ## t1 ## _ ## t2 ## __ ## t { \ > t1 a; \ > @@ -246,7 +251,7 @@ DEFINE_TEST_ARRAY(s64) = { > > #define DEFINE_TEST_FUNC_TYPED(n, t, fmt) \ > static void do_test_ ## n(struct kunit *test, const struct test_ ## n *p) \ > -{ \ > +{ \ > check_one_op(t, fmt, add, "+", p->a, p->b, p->sum, p->s_of); \ > check_one_op(t, fmt, add, "+", p->b, p->a, p->sum, p->s_of); \ > check_one_op(t, fmt, sub, "-", p->a, p->b, p->diff, p->d_of); \ > @@ -708,6 +713,384 @@ static void overflow_size_helpers_test(struct kunit *test) > #undef check_one_size_helper > } > > +static void overflows_type_test(struct kunit *test) > +{ > + int count = 0; > + unsigned int var; > + > +#define __TEST_OVERFLOWS_TYPE(func, arg1, arg2, of) do { \ > + bool __of = func(arg1, arg2); \ > + KUNIT_EXPECT_EQ_MSG(test, __of, of, \ > + "expected " #func "(" #arg1 ", " #arg2 " to%s overflow\n",\ > + of ? "" : " not"); \ > + count++; \ > +} while (0) > + > +/* Args are: first type, second type, value, overflow expected */ > +#define TEST_OVERFLOWS_TYPE(__t1, __t2, v, of) do { \ > + __t1 t1 = (v); \ > + __t2 t2; \ > + __TEST_OVERFLOWS_TYPE(__overflows_type, t1, t2, of); \ > + __TEST_OVERFLOWS_TYPE(__overflows_type, t1, __t2, of); \ > + __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, t2, of); \ > + __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, __t2, of);\ > +} while (0) > + > + TEST_OVERFLOWS_TYPE(u8, u8, U8_MAX, false); > + TEST_OVERFLOWS_TYPE(u8, u16, U8_MAX, false); > + TEST_OVERFLOWS_TYPE(u8, s8, U8_MAX, true); > + TEST_OVERFLOWS_TYPE(u8, s8, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(u8, s8, (u8)S8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u8, s16, U8_MAX, false); > + TEST_OVERFLOWS_TYPE(s8, u8, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(s8, u8, -1, true); > + TEST_OVERFLOWS_TYPE(s8, u8, S8_MIN, true); > + TEST_OVERFLOWS_TYPE(s8, u16, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(s8, u16, -1, true); > + TEST_OVERFLOWS_TYPE(s8, u16, S8_MIN, true); > + TEST_OVERFLOWS_TYPE(s8, u32, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(s8, u32, -1, true); > + TEST_OVERFLOWS_TYPE(s8, u32, S8_MIN, true); > +#if BITS_PER_LONG == 64 > + TEST_OVERFLOWS_TYPE(s8, u64, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(s8, u64, -1, true); > + TEST_OVERFLOWS_TYPE(s8, u64, S8_MIN, true); > +#endif > + TEST_OVERFLOWS_TYPE(s8, s8, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(s8, s8, S8_MIN, false); > + TEST_OVERFLOWS_TYPE(s8, s16, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(s8, s16, S8_MIN, false); > + TEST_OVERFLOWS_TYPE(u16, u8, U8_MAX, false); > + TEST_OVERFLOWS_TYPE(u16, u8, (u16)U8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u16, u8, U16_MAX, true); > + TEST_OVERFLOWS_TYPE(u16, s8, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(u16, s8, (u16)S8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u16, s8, U16_MAX, true); > + TEST_OVERFLOWS_TYPE(u16, s16, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(u16, s16, (u16)S16_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u16, s16, U16_MAX, true); > + TEST_OVERFLOWS_TYPE(u16, u32, U16_MAX, false); > + TEST_OVERFLOWS_TYPE(u16, s32, U16_MAX, false); > + TEST_OVERFLOWS_TYPE(s16, u8, U8_MAX, false); > + TEST_OVERFLOWS_TYPE(s16, u8, (s16)U8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s16, u8, -1, true); > + TEST_OVERFLOWS_TYPE(s16, u8, S16_MIN, true); > + TEST_OVERFLOWS_TYPE(s16, u16, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(s16, u16, -1, true); > + TEST_OVERFLOWS_TYPE(s16, u16, S16_MIN, true); > + TEST_OVERFLOWS_TYPE(s16, u32, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(s16, u32, -1, true); > + TEST_OVERFLOWS_TYPE(s16, u32, S16_MIN, true); > +#if BITS_PER_LONG == 64 > + TEST_OVERFLOWS_TYPE(s16, u64, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(s16, u64, -1, true); > + TEST_OVERFLOWS_TYPE(s16, u64, S16_MIN, true); > +#endif > + TEST_OVERFLOWS_TYPE(s16, s8, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(s16, s8, S8_MIN, false); > + TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MIN - 1, true); > + TEST_OVERFLOWS_TYPE(s16, s8, S16_MAX, true); > + TEST_OVERFLOWS_TYPE(s16, s8, S16_MIN, true); > + TEST_OVERFLOWS_TYPE(s16, s16, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(s16, s16, S16_MIN, false); > + TEST_OVERFLOWS_TYPE(s16, s32, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(s16, s32, S16_MIN, false); > + TEST_OVERFLOWS_TYPE(u32, u8, U8_MAX, false); > + TEST_OVERFLOWS_TYPE(u32, u8, (u32)U8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u32, u8, U32_MAX, true); > + TEST_OVERFLOWS_TYPE(u32, s8, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(u32, s8, (u32)S8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u32, s8, U32_MAX, true); > + TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX, false); > + TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u32, u16, U32_MAX, true); > + TEST_OVERFLOWS_TYPE(u32, s16, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(u32, s16, (u32)S16_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u32, s16, U32_MAX, true); > + TEST_OVERFLOWS_TYPE(u32, u32, U32_MAX, false); > + TEST_OVERFLOWS_TYPE(u32, s32, S32_MAX, false); > + TEST_OVERFLOWS_TYPE(u32, s32, U32_MAX, true); > + TEST_OVERFLOWS_TYPE(u32, s32, (u32)S32_MAX + 1, true); > +#if BITS_PER_LONG == 64 > + TEST_OVERFLOWS_TYPE(u32, u64, U32_MAX, false); > + TEST_OVERFLOWS_TYPE(u32, s64, U32_MAX, false); > +#endif > + TEST_OVERFLOWS_TYPE(s32, u8, U8_MAX, false); > + TEST_OVERFLOWS_TYPE(s32, u8, (s32)U8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true); > + TEST_OVERFLOWS_TYPE(s32, u8, -1, true); > + TEST_OVERFLOWS_TYPE(s32, u8, S32_MIN, true); > + TEST_OVERFLOWS_TYPE(s32, u16, U16_MAX, false); > + TEST_OVERFLOWS_TYPE(s32, u16, (s32)U16_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true); > + TEST_OVERFLOWS_TYPE(s32, u16, -1, true); > + TEST_OVERFLOWS_TYPE(s32, u16, S32_MIN, true); > + TEST_OVERFLOWS_TYPE(s32, u32, S32_MAX, false); > + TEST_OVERFLOWS_TYPE(s32, u32, -1, true); > + TEST_OVERFLOWS_TYPE(s32, u32, S32_MIN, true); > +#if BITS_PER_LONG == 64 > + TEST_OVERFLOWS_TYPE(s32, u64, S32_MAX, false); > + TEST_OVERFLOWS_TYPE(s32, u64, -1, true); > + TEST_OVERFLOWS_TYPE(s32, u64, S32_MIN, true); > +#endif > + TEST_OVERFLOWS_TYPE(s32, s8, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(s32, s8, S8_MIN, false); > + TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MIN - 1, true); > + TEST_OVERFLOWS_TYPE(s32, s8, S32_MAX, true); > + TEST_OVERFLOWS_TYPE(s32, s8, S32_MIN, true); > + TEST_OVERFLOWS_TYPE(s32, s16, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(s32, s16, S16_MIN, false); > + TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MIN - 1, true); > + TEST_OVERFLOWS_TYPE(s32, s16, S32_MAX, true); > + TEST_OVERFLOWS_TYPE(s32, s16, S32_MIN, true); > + TEST_OVERFLOWS_TYPE(s32, s32, S32_MAX, false); > + TEST_OVERFLOWS_TYPE(s32, s32, S32_MIN, false); > +#if BITS_PER_LONG == 64 > + TEST_OVERFLOWS_TYPE(s32, s64, S32_MAX, false); > + TEST_OVERFLOWS_TYPE(s32, s64, S32_MIN, false); > + TEST_OVERFLOWS_TYPE(u64, u8, U64_MAX, true); > + TEST_OVERFLOWS_TYPE(u64, u8, U8_MAX, false); > + TEST_OVERFLOWS_TYPE(u64, u8, (u64)U8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u64, u16, U64_MAX, true); > + TEST_OVERFLOWS_TYPE(u64, u16, U16_MAX, false); > + TEST_OVERFLOWS_TYPE(u64, u16, (u64)U16_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u64, u32, U64_MAX, true); > + TEST_OVERFLOWS_TYPE(u64, u32, U32_MAX, false); > + TEST_OVERFLOWS_TYPE(u64, u32, (u64)U32_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u64, u64, U64_MAX, false); > + TEST_OVERFLOWS_TYPE(u64, s8, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(u64, s8, (u64)S8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u64, s8, U64_MAX, true); > + TEST_OVERFLOWS_TYPE(u64, s16, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(u64, s16, (u64)S16_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u64, s16, U64_MAX, true); > + TEST_OVERFLOWS_TYPE(u64, s32, S32_MAX, false); > + TEST_OVERFLOWS_TYPE(u64, s32, (u64)S32_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(u64, s32, U64_MAX, true); > + TEST_OVERFLOWS_TYPE(u64, s64, S64_MAX, false); > + TEST_OVERFLOWS_TYPE(u64, s64, U64_MAX, true); > + TEST_OVERFLOWS_TYPE(u64, s64, (u64)S64_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s64, u8, S64_MAX, true); > + TEST_OVERFLOWS_TYPE(s64, u8, S64_MIN, true); > + TEST_OVERFLOWS_TYPE(s64, u8, -1, true); > + TEST_OVERFLOWS_TYPE(s64, u8, U8_MAX, false); > + TEST_OVERFLOWS_TYPE(s64, u8, (s64)U8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s64, u16, S64_MAX, true); > + TEST_OVERFLOWS_TYPE(s64, u16, S64_MIN, true); > + TEST_OVERFLOWS_TYPE(s64, u16, -1, true); > + TEST_OVERFLOWS_TYPE(s64, u16, U16_MAX, false); > + TEST_OVERFLOWS_TYPE(s64, u16, (s64)U16_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s64, u32, S64_MAX, true); > + TEST_OVERFLOWS_TYPE(s64, u32, S64_MIN, true); > + TEST_OVERFLOWS_TYPE(s64, u32, -1, true); > + TEST_OVERFLOWS_TYPE(s64, u32, U32_MAX, false); > + TEST_OVERFLOWS_TYPE(s64, u32, (s64)U32_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s64, u64, S64_MAX, false); > + TEST_OVERFLOWS_TYPE(s64, u64, S64_MIN, true); > + TEST_OVERFLOWS_TYPE(s64, u64, -1, true); > + TEST_OVERFLOWS_TYPE(s64, s8, S8_MAX, false); > + TEST_OVERFLOWS_TYPE(s64, s8, S8_MIN, false); > + TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MIN - 1, true); > + TEST_OVERFLOWS_TYPE(s64, s8, S64_MAX, true); > + TEST_OVERFLOWS_TYPE(s64, s16, S16_MAX, false); > + TEST_OVERFLOWS_TYPE(s64, s16, S16_MIN, false); > + TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MIN - 1, true); > + TEST_OVERFLOWS_TYPE(s64, s16, S64_MAX, true); > + TEST_OVERFLOWS_TYPE(s64, s32, S32_MAX, false); > + TEST_OVERFLOWS_TYPE(s64, s32, S32_MIN, false); > + TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MAX + 1, true); > + TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MIN - 1, true); > + TEST_OVERFLOWS_TYPE(s64, s32, S64_MAX, true); > + TEST_OVERFLOWS_TYPE(s64, s64, S64_MAX, false); > + TEST_OVERFLOWS_TYPE(s64, s64, S64_MIN, false); > +#endif > + > + /* Check for macro side-effects. */ > + var = INT_MAX - 1; > + __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false); > + __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false); > + __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, true); > + var = INT_MAX - 1; > + __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false); > + __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false); > + __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, true); > + > + kunit_info(test, "%d overflows_type() tests finished\n", count); > +#undef TEST_OVERFLOWS_TYPE > +#undef __TEST_OVERFLOWS_TYPE > +} > + > +static void same_type_test(struct kunit *test) > +{ > + int count = 0; > + int var; > + > +#define TEST_SAME_TYPE(t1, t2, same) do { \ > + typeof(t1) __t1h = type_max(t1); \ > + typeof(t1) __t1l = type_min(t1); \ > + typeof(t2) __t2h = type_max(t2); \ > + typeof(t2) __t2l = type_min(t2); \ > + KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1h)); \ > + KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1l)); \ > + KUNIT_EXPECT_EQ(test, true, __same_type(__t1h, t1)); \ > + KUNIT_EXPECT_EQ(test, true, __same_type(__t1l, t1)); \ > + KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2h)); \ > + KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2l)); \ > + KUNIT_EXPECT_EQ(test, true, __same_type(__t2h, t2)); \ > + KUNIT_EXPECT_EQ(test, true, __same_type(__t2l, t2)); \ > + KUNIT_EXPECT_EQ(test, same, __same_type(t1, t2)); \ > + KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1h)); \ > + KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1l)); \ > + KUNIT_EXPECT_EQ(test, same, __same_type(__t1h, t2)); \ > + KUNIT_EXPECT_EQ(test, same, __same_type(__t1l, t2)); \ > + KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2h)); \ > + KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2l)); \ > + KUNIT_EXPECT_EQ(test, same, __same_type(__t2h, t1)); \ > + KUNIT_EXPECT_EQ(test, same, __same_type(__t2l, t1)); \ > +} while (0) > + > +#if BITS_PER_LONG == 64 > +# define TEST_SAME_TYPE64(base, t, m) TEST_SAME_TYPE(base, t, m) > +#else > +# define TEST_SAME_TYPE64(base, t, m) do { } while (0) > +#endif > + > +#define TEST_TYPE_SETS(base, mu8, mu16, mu32, ms8, ms16, ms32, mu64, ms64) \ > +do { \ > + TEST_SAME_TYPE(base, u8, mu8); \ > + TEST_SAME_TYPE(base, u16, mu16); \ > + TEST_SAME_TYPE(base, u32, mu32); \ > + TEST_SAME_TYPE(base, s8, ms8); \ > + TEST_SAME_TYPE(base, s16, ms16); \ > + TEST_SAME_TYPE(base, s32, ms32); \ > + TEST_SAME_TYPE64(base, u64, mu64); \ > + TEST_SAME_TYPE64(base, s64, ms64); \ > +} while (0) > + > + TEST_TYPE_SETS(u8, true, false, false, false, false, false, false, false); > + TEST_TYPE_SETS(u16, false, true, false, false, false, false, false, false); > + TEST_TYPE_SETS(u32, false, false, true, false, false, false, false, false); > + TEST_TYPE_SETS(s8, false, false, false, true, false, false, false, false); > + TEST_TYPE_SETS(s16, false, false, false, false, true, false, false, false); > + TEST_TYPE_SETS(s32, false, false, false, false, false, true, false, false); > +#if BITS_PER_LONG == 64 > + TEST_TYPE_SETS(u64, false, false, false, false, false, false, true, false); > + TEST_TYPE_SETS(s64, false, false, false, false, false, false, false, true); > +#endif > + > + /* Check for macro side-effects. */ > + var = 4; > + KUNIT_EXPECT_EQ(test, var, 4); > + KUNIT_EXPECT_TRUE(test, __same_type(var++, int)); > + KUNIT_EXPECT_EQ(test, var, 4); > + KUNIT_EXPECT_TRUE(test, __same_type(int, var++)); > + KUNIT_EXPECT_EQ(test, var, 4); > + KUNIT_EXPECT_TRUE(test, __same_type(var++, var++)); > + KUNIT_EXPECT_EQ(test, var, 4); > + > + kunit_info(test, "%d __same_type() tests finished\n", count); > + > +#undef TEST_TYPE_SETS > +#undef TEST_SAME_TYPE64 > +#undef TEST_SAME_TYPE > +} > + > +static void castable_to_type_test(struct kunit *test) > +{ > + int count = 0; > + > +#define TEST_CASTABLE_TO_TYPE(arg1, arg2, pass) do { \ > + bool __pass = castable_to_type(arg1, arg2); \ > + KUNIT_EXPECT_EQ_MSG(test, __pass, pass, \ > + "expected castable_to_type(" #arg1 ", " #arg2 ") to%s pass\n",\ > + pass ? "" : " not"); \ > + count++; \ > +} while (0) > + > + TEST_CASTABLE_TO_TYPE(16, u8, true); > + TEST_CASTABLE_TO_TYPE(16, u16, true); > + TEST_CASTABLE_TO_TYPE(16, u32, true); > + TEST_CASTABLE_TO_TYPE(16, s8, true); > + TEST_CASTABLE_TO_TYPE(16, s16, true); > + TEST_CASTABLE_TO_TYPE(16, s32, true); > + TEST_CASTABLE_TO_TYPE(-16, s8, true); > + TEST_CASTABLE_TO_TYPE(-16, s16, true); > + TEST_CASTABLE_TO_TYPE(-16, s32, true); > +#if BITS_PER_LONG == 64 > + TEST_CASTABLE_TO_TYPE(16, u64, true); > + TEST_CASTABLE_TO_TYPE(-16, s64, true); > +#endif > + > +#define TEST_CASTABLE_TO_TYPE_VAR(width) do { \ > + u ## width u ## width ## var = 0; \ > + s ## width s ## width ## var = 0; \ > + \ > + /* Constant expressions that fit types. */ \ > + TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width, true); \ > + TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width, true); \ > + TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width ## var, true); \ > + TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width ## var, true); \ > + TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width, true); \ > + TEST_CASTABLE_TO_TYPE(type_min(s ## width), s ## width, true); \ > + TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width ## var, true); \ > + TEST_CASTABLE_TO_TYPE(type_min(u ## width), s ## width ## var, true); \ > + /* Constant expressions that do not fit types. */ \ > + TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width, false); \ > + TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width ## var, false); \ > + TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width, false); \ > + TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width ## var, false); \ > + /* Non-constant expression with mismatched type. */ \ > + TEST_CASTABLE_TO_TYPE(s ## width ## var, u ## width, false); \ > + TEST_CASTABLE_TO_TYPE(u ## width ## var, s ## width, false); \ > +} while (0) > + > +#define TEST_CASTABLE_TO_TYPE_RANGE(width) do { \ > + unsigned long big = U ## width ## _MAX; \ > + signed long small = S ## width ## _MIN; \ > + u ## width u ## width ## var = 0; \ > + s ## width s ## width ## var = 0; \ > + \ > + /* Constant expression in range. */ \ > + TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width, true); \ > + TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width ## var, true); \ > + TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width, true); \ > + TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width ## var, true); \ > + /* Constant expression out of range. */ \ > + TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width, false); \ > + TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width ## var, false); \ > + TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width, false); \ > + TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width ## var, false); \ > + /* Non-constant expression with mismatched type. */ \ > + TEST_CASTABLE_TO_TYPE(big, u ## width, false); \ > + TEST_CASTABLE_TO_TYPE(big, u ## width ## var, false); \ > + TEST_CASTABLE_TO_TYPE(small, s ## width, false); \ > + TEST_CASTABLE_TO_TYPE(small, s ## width ## var, false); \ > +} while (0) > + > + TEST_CASTABLE_TO_TYPE_VAR(8); > + TEST_CASTABLE_TO_TYPE_VAR(16); > + TEST_CASTABLE_TO_TYPE_VAR(32); > +#if BITS_PER_LONG == 64 > + TEST_CASTABLE_TO_TYPE_VAR(64); > +#endif > + > + TEST_CASTABLE_TO_TYPE_RANGE(8); > + TEST_CASTABLE_TO_TYPE_RANGE(16); > +#if BITS_PER_LONG == 64 > + TEST_CASTABLE_TO_TYPE_RANGE(32); > +#endif > + kunit_info(test, "%d castable_to_type() tests finished\n", count); > + > +#undef TEST_CASTABLE_TO_TYPE_RANGE > +#undef TEST_CASTABLE_TO_TYPE_VAR > +#undef TEST_CASTABLE_TO_TYPE > +} > + > static struct kunit_case overflow_test_cases[] = { > KUNIT_CASE(u8_u8__u8_overflow_test), > KUNIT_CASE(s8_s8__s8_overflow_test), > @@ -730,6 +1113,9 @@ static struct kunit_case overflow_test_cases[] = { > KUNIT_CASE(shift_nonsense_test), > KUNIT_CASE(overflow_allocation_test), > KUNIT_CASE(overflow_size_helpers_test), > + KUNIT_CASE(overflows_type_test), > + KUNIT_CASE(same_type_test), > + KUNIT_CASE(castable_to_type_test), > {} > }; >
Hi Kees,
I love your patch! Yet something to improve:
[auto build test ERROR on kees/for-next/hardening]
[also build test ERROR on next-20220928]
[cannot apply to drm-tip/drm-tip drm-intel/for-linux-next drm-misc/drm-misc-next linus/master v6.0-rc7]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Kees-Cook/overflow-Introduce-overflows_type-and-castable_to_type/20220927-094847
base: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/hardening
config: i386-defconfig
compiler: gcc-11 (Debian 11.3.0-5) 11.3.0
reproduce (this is a W=1 build):
# https://github.com/intel-lab-lkp/linux/commit/ffc9129a19eb65b2d20780558b0c1af24d66434a
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Kees-Cook/overflow-Introduce-overflows_type-and-castable_to_type/20220927-094847
git checkout ffc9129a19eb65b2d20780558b0c1af24d66434a
# save the config file
mkdir build_dir && cp config build_dir/.config
make W=1 O=build_dir ARCH=i386 SHELL=/bin/bash
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
In file included from drivers/gpu/drm/i915/i915_utils.h:29,
from drivers/gpu/drm/i915/i915_user_extensions.c:14:
drivers/gpu/drm/i915/i915_user_extensions.c: In function 'i915_user_extensions':
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| unsigned int
include/linux/overflow.h:34:27: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:132:23: note: in expansion of macro 'type_max'
132 | (x) > type_max(typeof(T)) ? 1 : 0 \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| unsigned int
include/linux/overflow.h:34:53: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:132:23: note: in expansion of macro 'type_max'
132 | (x) > type_max(typeof(T)) ? 1 : 0 \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| unsigned int
include/linux/overflow.h:34:27: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:134:34: note: in expansion of macro 'type_max'
134 | (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| unsigned int
include/linux/overflow.h:34:53: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:134:34: note: in expansion of macro 'type_max'
134 | (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| unsigned int
include/linux/overflow.h:34:27: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:35:30: note: in expansion of macro 'type_max'
35 | #define type_min(T) ((T)((T)-type_max(T)-(T)1))
| ^~~~~~~~
include/linux/overflow.h:135:25: note: in expansion of macro 'type_min'
135 | : (x) < type_min(typeof(T)) || \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| unsigned int
include/linux/overflow.h:34:53: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:35:30: note: in expansion of macro 'type_max'
35 | #define type_min(T) ((T)((T)-type_max(T)-(T)1))
| ^~~~~~~~
include/linux/overflow.h:135:25: note: in expansion of macro 'type_min'
135 | : (x) < type_min(typeof(T)) || \
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| unsigned int
include/linux/overflow.h:34:27: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:136:25: note: in expansion of macro 'type_max'
136 | (x) > type_max(typeof(T)) ? 1 : 0)
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
>> include/linux/overflow.h:33:40: error: invalid operands to binary << (have 'struct i915_user_extension *' and 'unsigned int')
33 | #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
| ^~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| |
| unsigned int
include/linux/overflow.h:34:53: note: in expansion of macro '__type_half_max'
34 | #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
| ^~~~~~~~~~~~~~~
include/linux/overflow.h:136:25: note: in expansion of macro 'type_max'
136 | (x) > type_max(typeof(T)) ? 1 : 0)
| ^~~~~~~~
include/linux/overflow.h:159:31: note: in expansion of macro '__overflows_type_constexpr'
159 | __overflows_type_constexpr(n, T), \
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: note: in expansion of macro 'overflows_type'
54 | overflows_type(next, ext))
| ^~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:21: error: argument 2 in call to function '__builtin_add_overflow' does not have integral type
vim +33 include/linux/overflow.h
f0907827a8a915 Rasmus Villemoes 2018-05-08 8
f0907827a8a915 Rasmus Villemoes 2018-05-08 9 /*
4eb6bd55cfb22f Nick Desaulniers 2021-09-10 10 * We need to compute the minimum and maximum values representable in a given
4eb6bd55cfb22f Nick Desaulniers 2021-09-10 11 * type. These macros may also be useful elsewhere. It would seem more obvious
4eb6bd55cfb22f Nick Desaulniers 2021-09-10 12 * to do something like:
f0907827a8a915 Rasmus Villemoes 2018-05-08 13 *
f0907827a8a915 Rasmus Villemoes 2018-05-08 14 * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0)
f0907827a8a915 Rasmus Villemoes 2018-05-08 15 * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0)
f0907827a8a915 Rasmus Villemoes 2018-05-08 16 *
f0907827a8a915 Rasmus Villemoes 2018-05-08 17 * Unfortunately, the middle expressions, strictly speaking, have
f0907827a8a915 Rasmus Villemoes 2018-05-08 18 * undefined behaviour, and at least some versions of gcc warn about
f0907827a8a915 Rasmus Villemoes 2018-05-08 19 * the type_max expression (but not if -fsanitize=undefined is in
f0907827a8a915 Rasmus Villemoes 2018-05-08 20 * effect; in that case, the warning is deferred to runtime...).
f0907827a8a915 Rasmus Villemoes 2018-05-08 21 *
f0907827a8a915 Rasmus Villemoes 2018-05-08 22 * The slightly excessive casting in type_min is to make sure the
f0907827a8a915 Rasmus Villemoes 2018-05-08 23 * macros also produce sensible values for the exotic type _Bool. [The
f0907827a8a915 Rasmus Villemoes 2018-05-08 24 * overflow checkers only almost work for _Bool, but that's
f0907827a8a915 Rasmus Villemoes 2018-05-08 25 * a-feature-not-a-bug, since people shouldn't be doing arithmetic on
f0907827a8a915 Rasmus Villemoes 2018-05-08 26 * _Bools. Besides, the gcc builtins don't allow _Bool* as third
f0907827a8a915 Rasmus Villemoes 2018-05-08 27 * argument.]
f0907827a8a915 Rasmus Villemoes 2018-05-08 28 *
f0907827a8a915 Rasmus Villemoes 2018-05-08 29 * Idea stolen from
f0907827a8a915 Rasmus Villemoes 2018-05-08 30 * https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html -
f0907827a8a915 Rasmus Villemoes 2018-05-08 31 * credit to Christian Biere.
f0907827a8a915 Rasmus Villemoes 2018-05-08 32 */
f0907827a8a915 Rasmus Villemoes 2018-05-08 @33 #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
f0907827a8a915 Rasmus Villemoes 2018-05-08 34 #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
f0907827a8a915 Rasmus Villemoes 2018-05-08 35 #define type_min(T) ((T)((T)-type_max(T)-(T)1))
f0907827a8a915 Rasmus Villemoes 2018-05-08 36
Hi Kees,
I love your patch! Perhaps something to improve:
[auto build test WARNING on kees/for-next/hardening]
[also build test WARNING on next-20220928]
[cannot apply to drm-tip/drm-tip drm-intel/for-linux-next drm-misc/drm-misc-next linus/master v6.0-rc7]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]
url: https://github.com/intel-lab-lkp/linux/commits/Kees-Cook/overflow-Introduce-overflows_type-and-castable_to_type/20220927-094847
base: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git for-next/hardening
config: i386-randconfig-a013
compiler: clang version 14.0.6 (https://github.com/llvm/llvm-project f28c006a5895fc0e329fe15fead81e37457cb1d1)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/ffc9129a19eb65b2d20780558b0c1af24d66434a
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Kees-Cook/overflow-Introduce-overflows_type-and-castable_to_type/20220927-094847
git checkout ffc9129a19eb65b2d20780558b0c1af24d66434a
# save the config file
mkdir build_dir && cp config build_dir/.config
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=i386 SHELL=/bin/bash drivers/gpu/drm/i915/
If you fix the issue, kindly add following tag where applicable
| Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: invalid operands to binary expression ('typeof (ext)' (aka 'struct i915_user_extension *') and 'unsigned int')
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:132:9: note: expanded from macro '__overflows_type_constexpr'
(x) > type_max(typeof(T)) ? 1 : 0 \
^~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:34:27: note: expanded from macro 'type_max'
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
^~~~~~~~~~~~~~~~~~
include/linux/overflow.h:33:40: note: expanded from macro '__type_half_max'
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: invalid operands to binary expression ('typeof (ext)' (aka 'struct i915_user_extension *') and 'unsigned int')
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:132:9: note: expanded from macro '__overflows_type_constexpr'
(x) > type_max(typeof(T)) ? 1 : 0 \
^~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:34:53: note: expanded from macro 'type_max'
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
^~~~~~~~~~~~~~~~~~
include/linux/overflow.h:33:40: note: expanded from macro '__type_half_max'
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> drivers/gpu/drm/i915/i915_user_extensions.c:54:7: warning: ordered comparison between pointer and integer ('u64' (aka 'unsigned long long') and 'typeof (ext)' (aka 'struct i915_user_extension *'))
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:132:7: note: expanded from macro '__overflows_type_constexpr'
(x) > type_max(typeof(T)) ? 1 : 0 \
~~~ ^ ~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: invalid operands to binary expression ('typeof (ext)' (aka 'struct i915_user_extension *') and 'unsigned int')
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:134:20: note: expanded from macro '__overflows_type_constexpr'
(x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
^~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:34:27: note: expanded from macro 'type_max'
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
^~~~~~~~~~~~~~~~~~
include/linux/overflow.h:33:40: note: expanded from macro '__type_half_max'
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: invalid operands to binary expression ('typeof (ext)' (aka 'struct i915_user_extension *') and 'unsigned int')
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:134:20: note: expanded from macro '__overflows_type_constexpr'
(x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
^~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:34:53: note: expanded from macro 'type_max'
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
^~~~~~~~~~~~~~~~~~
include/linux/overflow.h:33:40: note: expanded from macro '__type_half_max'
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> drivers/gpu/drm/i915/i915_user_extensions.c:54:7: warning: ordered comparison between pointer and integer ('u64' (aka 'unsigned long long') and 'typeof (ext)' (aka 'struct i915_user_extension *'))
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:134:18: note: expanded from macro '__overflows_type_constexpr'
(x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \
~~~ ^ ~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: invalid operands to binary expression ('typeof (ext)' (aka 'struct i915_user_extension *') and 'unsigned int')
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:135:11: note: expanded from macro '__overflows_type_constexpr'
: (x) < type_min(typeof(T)) || \
^~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:35:30: note: expanded from macro 'type_min'
#define type_min(T) ((T)((T)-type_max(T)-(T)1))
^~~~~~~~~~~
include/linux/overflow.h:34:27: note: expanded from macro 'type_max'
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
^~~~~~~~~~~~~~~~~~
include/linux/overflow.h:33:40: note: expanded from macro '__type_half_max'
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: invalid operands to binary expression ('typeof (ext)' (aka 'struct i915_user_extension *') and 'unsigned int')
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:135:11: note: expanded from macro '__overflows_type_constexpr'
: (x) < type_min(typeof(T)) || \
^~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:35:30: note: expanded from macro 'type_min'
#define type_min(T) ((T)((T)-type_max(T)-(T)1))
^~~~~~~~~~~
include/linux/overflow.h:34:53: note: expanded from macro 'type_max'
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
^~~~~~~~~~~~~~~~~~
include/linux/overflow.h:33:40: note: expanded from macro '__type_half_max'
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: invalid argument type 'typeof (ext)' (aka 'struct i915_user_extension *') to unary expression
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:135:11: note: expanded from macro '__overflows_type_constexpr'
: (x) < type_min(typeof(T)) || \
^~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:35:29: note: expanded from macro 'type_min'
#define type_min(T) ((T)((T)-type_max(T)-(T)1))
^~~~~~~~~~~~
>> drivers/gpu/drm/i915/i915_user_extensions.c:54:7: warning: ordered comparison between pointer and integer ('u64' (aka 'unsigned long long') and 'typeof (ext)' (aka 'struct i915_user_extension *'))
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:135:9: note: expanded from macro '__overflows_type_constexpr'
: (x) < type_min(typeof(T)) || \
~~~ ^ ~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: invalid operands to binary expression ('typeof (ext)' (aka 'struct i915_user_extension *') and 'unsigned int')
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:136:11: note: expanded from macro '__overflows_type_constexpr'
(x) > type_max(typeof(T)) ? 1 : 0)
^~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:34:27: note: expanded from macro 'type_max'
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
^~~~~~~~~~~~~~~~~~
include/linux/overflow.h:33:40: note: expanded from macro '__type_half_max'
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: invalid operands to binary expression ('typeof (ext)' (aka 'struct i915_user_extension *') and 'unsigned int')
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:136:11: note: expanded from macro '__overflows_type_constexpr'
(x) > type_max(typeof(T)) ? 1 : 0)
^~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:34:53: note: expanded from macro 'type_max'
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
^~~~~~~~~~~~~~~~~~
include/linux/overflow.h:33:40: note: expanded from macro '__type_half_max'
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> drivers/gpu/drm/i915/i915_user_extensions.c:54:7: warning: ordered comparison between pointer and integer ('u64' (aka 'unsigned long long') and 'typeof (ext)' (aka 'struct i915_user_extension *'))
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:159:10: note: expanded from macro 'overflows_type'
__overflows_type_constexpr(n, T), \
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:136:9: note: expanded from macro '__overflows_type_constexpr'
(x) > type_max(typeof(T)) ? 1 : 0)
~~~ ^ ~~~~~~~~~~~~~~~~~~~
drivers/gpu/drm/i915/i915_user_extensions.c:54:7: error: operand argument to overflow builtin must be an integer ('typeof (ext)' (aka 'struct i915_user_extension *') invalid)
overflows_type(next, ext))
^~~~~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:160:10: note: expanded from macro 'overflows_type'
__overflows_type(n, T))
^~~~~~~~~~~~~~~~~~~~~~
include/linux/overflow.h:140:26: note: expanded from macro '__overflows_type'
check_add_overflow((x), v, &v); \
^
include/linux/overflow.h:67:50: note: expanded from macro 'check_add_overflow'
__must_check_overflow(__builtin_add_overflow(a, b, d))
^
4 warnings and 10 errors generated.
vim +54 drivers/gpu/drm/i915/i915_user_extensions.c
9d1305ef80b95d Chris Wilson 2019-03-22 15
9d1305ef80b95d Chris Wilson 2019-03-22 16 int i915_user_extensions(struct i915_user_extension __user *ext,
9d1305ef80b95d Chris Wilson 2019-03-22 17 const i915_user_extension_fn *tbl,
9d1305ef80b95d Chris Wilson 2019-03-22 18 unsigned int count,
9d1305ef80b95d Chris Wilson 2019-03-22 19 void *data)
9d1305ef80b95d Chris Wilson 2019-03-22 20 {
9d1305ef80b95d Chris Wilson 2019-03-22 21 unsigned int stackdepth = 512;
9d1305ef80b95d Chris Wilson 2019-03-22 22
9d1305ef80b95d Chris Wilson 2019-03-22 23 while (ext) {
9d1305ef80b95d Chris Wilson 2019-03-22 24 int i, err;
9d1305ef80b95d Chris Wilson 2019-03-22 25 u32 name;
9d1305ef80b95d Chris Wilson 2019-03-22 26 u64 next;
9d1305ef80b95d Chris Wilson 2019-03-22 27
9d1305ef80b95d Chris Wilson 2019-03-22 28 if (!stackdepth--) /* recursion vs useful flexibility */
9d1305ef80b95d Chris Wilson 2019-03-22 29 return -E2BIG;
9d1305ef80b95d Chris Wilson 2019-03-22 30
9d1305ef80b95d Chris Wilson 2019-03-22 31 err = check_user_mbz(&ext->flags);
9d1305ef80b95d Chris Wilson 2019-03-22 32 if (err)
9d1305ef80b95d Chris Wilson 2019-03-22 33 return err;
9d1305ef80b95d Chris Wilson 2019-03-22 34
9d1305ef80b95d Chris Wilson 2019-03-22 35 for (i = 0; i < ARRAY_SIZE(ext->rsvd); i++) {
9d1305ef80b95d Chris Wilson 2019-03-22 36 err = check_user_mbz(&ext->rsvd[i]);
9d1305ef80b95d Chris Wilson 2019-03-22 37 if (err)
9d1305ef80b95d Chris Wilson 2019-03-22 38 return err;
9d1305ef80b95d Chris Wilson 2019-03-22 39 }
9d1305ef80b95d Chris Wilson 2019-03-22 40
9d1305ef80b95d Chris Wilson 2019-03-22 41 if (get_user(name, &ext->name))
9d1305ef80b95d Chris Wilson 2019-03-22 42 return -EFAULT;
9d1305ef80b95d Chris Wilson 2019-03-22 43
9d1305ef80b95d Chris Wilson 2019-03-22 44 err = -EINVAL;
9d1305ef80b95d Chris Wilson 2019-03-22 45 if (name < count) {
9d1305ef80b95d Chris Wilson 2019-03-22 46 name = array_index_nospec(name, count);
9d1305ef80b95d Chris Wilson 2019-03-22 47 if (tbl[name])
9d1305ef80b95d Chris Wilson 2019-03-22 48 err = tbl[name](ext, data);
9d1305ef80b95d Chris Wilson 2019-03-22 49 }
9d1305ef80b95d Chris Wilson 2019-03-22 50 if (err)
9d1305ef80b95d Chris Wilson 2019-03-22 51 return err;
9d1305ef80b95d Chris Wilson 2019-03-22 52
9d1305ef80b95d Chris Wilson 2019-03-22 53 if (get_user(next, &ext->next_extension) ||
9d1305ef80b95d Chris Wilson 2019-03-22 @54 overflows_type(next, ext))
diff --git a/drivers/gpu/drm/i915/i915_utils.h b/drivers/gpu/drm/i915/i915_utils.h index c10d68cdc3ca..d14b7faee054 100644 --- a/drivers/gpu/drm/i915/i915_utils.h +++ b/drivers/gpu/drm/i915/i915_utils.h @@ -111,10 +111,6 @@ bool i915_error_injected(void); #define range_overflows_end_t(type, start, size, max) \ range_overflows_end((type)(start), (type)(size), (type)(max)) -/* Note we don't consider signbits :| */ -#define overflows_type(x, T) \ - (sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T)) - #define ptr_mask_bits(ptr, n) ({ \ unsigned long __v = (unsigned long)(ptr); \ (typeof(ptr))(__v & -BIT(n)); \ diff --git a/include/linux/compiler.h b/include/linux/compiler.h index 7713d7bcdaea..c631107e93b1 100644 --- a/include/linux/compiler.h +++ b/include/linux/compiler.h @@ -244,6 +244,7 @@ static inline void *offset_to_ptr(const int *off) * bool and also pointer types. */ #define is_signed_type(type) (((type)(-1)) < (__force type)1) +#define is_unsigned_type(type) (!is_signed_type(type)) /* * This is needed in functions which generate the stack canary, see diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 19dfdd74835e..58eb34aa2af9 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h @@ -127,6 +127,54 @@ static inline bool __must_check __must_check_overflow(bool overflow) (*_d >> _to_shift) != _a); \ })) +#define __overflows_type_constexpr(x, T) ( \ + is_unsigned_type(typeof(x)) ? \ + (x) > type_max(typeof(T)) ? 1 : 0 \ + : is_unsigned_type(typeof(T)) ? \ + (x) < 0 || (x) > type_max(typeof(T)) ? 1 : 0 \ + : (x) < type_min(typeof(T)) || \ + (x) > type_max(typeof(T)) ? 1 : 0) + +#define __overflows_type(x, T) ({ \ + typeof(T) v = 0; \ + check_add_overflow((x), v, &v); \ +}) + +/** + * overflows_type - helper for checking the overflows between value, variables, + * or data type + * + * @n: source constant value or variable to be checked + * @T: destination variable or data type proposed to store @x + * + * Compares the @x expression for whether or not it can safely fit in + * the storage of the type in @T. @x and @T can have different types. + * If @x is a constant expression, this will also resolve to a constant + * expression. + * + * Returns: true if overflow can occur, false otherwise. + */ +#define overflows_type(n, T) \ + __builtin_choose_expr(__is_constexpr(n), \ + __overflows_type_constexpr(n, T), \ + __overflows_type(n, T)) + +/** + * castable_to_type - like __same_type(), but also allows for casted literals + * + * @n: variable or constant value + * @T: variable or data type + * + * Unlike the __same_type() macro, this allows a constant value as the + * first argument. If this value would not overflow into an assignment + * of the second argument's type, it returns true. Otherwise, this falls + * back to __same_type(). + */ +#define castable_to_type(n, T) \ + __builtin_choose_expr(__is_constexpr(n), \ + !__overflows_type_constexpr(n, T), \ + __same_type(n, T)) + /** * size_mul() - Calculate size_t multiplication with saturation at SIZE_MAX * diff --git a/lib/overflow_kunit.c b/lib/overflow_kunit.c index f385ca652b74..fffc3f86181d 100644 --- a/lib/overflow_kunit.c +++ b/lib/overflow_kunit.c @@ -16,6 +16,11 @@ #include <linux/types.h> #include <linux/vmalloc.h> +/* We're expecting to do a lot of "always true" or "always false" tests. */ +#ifdef CONFIG_CC_IS_CLANG +#pragma clang diagnostic ignored "-Wtautological-constant-out-of-range-compare" +#endif + #define DEFINE_TEST_ARRAY_TYPED(t1, t2, t) \ static const struct test_ ## t1 ## _ ## t2 ## __ ## t { \ t1 a; \ @@ -246,7 +251,7 @@ DEFINE_TEST_ARRAY(s64) = { #define DEFINE_TEST_FUNC_TYPED(n, t, fmt) \ static void do_test_ ## n(struct kunit *test, const struct test_ ## n *p) \ -{ \ +{ \ check_one_op(t, fmt, add, "+", p->a, p->b, p->sum, p->s_of); \ check_one_op(t, fmt, add, "+", p->b, p->a, p->sum, p->s_of); \ check_one_op(t, fmt, sub, "-", p->a, p->b, p->diff, p->d_of); \ @@ -708,6 +713,384 @@ static void overflow_size_helpers_test(struct kunit *test) #undef check_one_size_helper } +static void overflows_type_test(struct kunit *test) +{ + int count = 0; + unsigned int var; + +#define __TEST_OVERFLOWS_TYPE(func, arg1, arg2, of) do { \ + bool __of = func(arg1, arg2); \ + KUNIT_EXPECT_EQ_MSG(test, __of, of, \ + "expected " #func "(" #arg1 ", " #arg2 " to%s overflow\n",\ + of ? "" : " not"); \ + count++; \ +} while (0) + +/* Args are: first type, second type, value, overflow expected */ +#define TEST_OVERFLOWS_TYPE(__t1, __t2, v, of) do { \ + __t1 t1 = (v); \ + __t2 t2; \ + __TEST_OVERFLOWS_TYPE(__overflows_type, t1, t2, of); \ + __TEST_OVERFLOWS_TYPE(__overflows_type, t1, __t2, of); \ + __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, t2, of); \ + __TEST_OVERFLOWS_TYPE(__overflows_type_constexpr, t1, __t2, of);\ +} while (0) + + TEST_OVERFLOWS_TYPE(u8, u8, U8_MAX, false); + TEST_OVERFLOWS_TYPE(u8, u16, U8_MAX, false); + TEST_OVERFLOWS_TYPE(u8, s8, U8_MAX, true); + TEST_OVERFLOWS_TYPE(u8, s8, S8_MAX, false); + TEST_OVERFLOWS_TYPE(u8, s8, (u8)S8_MAX + 1, true); + TEST_OVERFLOWS_TYPE(u8, s16, U8_MAX, false); + TEST_OVERFLOWS_TYPE(s8, u8, S8_MAX, false); + TEST_OVERFLOWS_TYPE(s8, u8, -1, true); + TEST_OVERFLOWS_TYPE(s8, u8, S8_MIN, true); + TEST_OVERFLOWS_TYPE(s8, u16, S8_MAX, false); + TEST_OVERFLOWS_TYPE(s8, u16, -1, true); + TEST_OVERFLOWS_TYPE(s8, u16, S8_MIN, true); + TEST_OVERFLOWS_TYPE(s8, u32, S8_MAX, false); + TEST_OVERFLOWS_TYPE(s8, u32, -1, true); + TEST_OVERFLOWS_TYPE(s8, u32, S8_MIN, true); +#if BITS_PER_LONG == 64 + TEST_OVERFLOWS_TYPE(s8, u64, S8_MAX, false); + TEST_OVERFLOWS_TYPE(s8, u64, -1, true); + TEST_OVERFLOWS_TYPE(s8, u64, S8_MIN, true); +#endif + TEST_OVERFLOWS_TYPE(s8, s8, S8_MAX, false); + TEST_OVERFLOWS_TYPE(s8, s8, S8_MIN, false); + TEST_OVERFLOWS_TYPE(s8, s16, S8_MAX, false); + TEST_OVERFLOWS_TYPE(s8, s16, S8_MIN, false); + TEST_OVERFLOWS_TYPE(u16, u8, U8_MAX, false); + TEST_OVERFLOWS_TYPE(u16, u8, (u16)U8_MAX + 1, true); + TEST_OVERFLOWS_TYPE(u16, u8, U16_MAX, true); + TEST_OVERFLOWS_TYPE(u16, s8, S8_MAX, false); + TEST_OVERFLOWS_TYPE(u16, s8, (u16)S8_MAX + 1, true); + TEST_OVERFLOWS_TYPE(u16, s8, U16_MAX, true); + TEST_OVERFLOWS_TYPE(u16, s16, S16_MAX, false); + TEST_OVERFLOWS_TYPE(u16, s16, (u16)S16_MAX + 1, true); + TEST_OVERFLOWS_TYPE(u16, s16, U16_MAX, true); + TEST_OVERFLOWS_TYPE(u16, u32, U16_MAX, false); + TEST_OVERFLOWS_TYPE(u16, s32, U16_MAX, false); + TEST_OVERFLOWS_TYPE(s16, u8, U8_MAX, false); + TEST_OVERFLOWS_TYPE(s16, u8, (s16)U8_MAX + 1, true); + TEST_OVERFLOWS_TYPE(s16, u8, -1, true); + TEST_OVERFLOWS_TYPE(s16, u8, S16_MIN, true); + TEST_OVERFLOWS_TYPE(s16, u16, S16_MAX, false); + TEST_OVERFLOWS_TYPE(s16, u16, -1, true); + TEST_OVERFLOWS_TYPE(s16, u16, S16_MIN, true); + TEST_OVERFLOWS_TYPE(s16, u32, S16_MAX, false); + TEST_OVERFLOWS_TYPE(s16, u32, -1, true); + TEST_OVERFLOWS_TYPE(s16, u32, S16_MIN, true); +#if BITS_PER_LONG == 64 + TEST_OVERFLOWS_TYPE(s16, u64, S16_MAX, false); + TEST_OVERFLOWS_TYPE(s16, u64, -1, true); + TEST_OVERFLOWS_TYPE(s16, u64, S16_MIN, true); +#endif + TEST_OVERFLOWS_TYPE(s16, s8, S8_MAX, false); + TEST_OVERFLOWS_TYPE(s16, s8, S8_MIN, false); + TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MAX + 1, true); + TEST_OVERFLOWS_TYPE(s16, s8, (s16)S8_MIN - 1, true); + TEST_OVERFLOWS_TYPE(s16, s8, S16_MAX, true); + TEST_OVERFLOWS_TYPE(s16, s8, S16_MIN, true); + TEST_OVERFLOWS_TYPE(s16, s16, S16_MAX, false); + TEST_OVERFLOWS_TYPE(s16, s16, S16_MIN, false); + TEST_OVERFLOWS_TYPE(s16, s32, S16_MAX, false); + TEST_OVERFLOWS_TYPE(s16, s32, S16_MIN, false); + TEST_OVERFLOWS_TYPE(u32, u8, U8_MAX, false); + TEST_OVERFLOWS_TYPE(u32, u8, (u32)U8_MAX + 1, true); + TEST_OVERFLOWS_TYPE(u32, u8, U32_MAX, true); + TEST_OVERFLOWS_TYPE(u32, s8, S8_MAX, false); + TEST_OVERFLOWS_TYPE(u32, s8, (u32)S8_MAX + 1, true); + TEST_OVERFLOWS_TYPE(u32, s8, U32_MAX, true); + TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX, false); + TEST_OVERFLOWS_TYPE(u32, u16, U16_MAX + 1, true); + TEST_OVERFLOWS_TYPE(u32, u16, U32_MAX, true); + TEST_OVERFLOWS_TYPE(u32, s16, S16_MAX, false); + TEST_OVERFLOWS_TYPE(u32, s16, (u32)S16_MAX + 1, true); + TEST_OVERFLOWS_TYPE(u32, s16, U32_MAX, true); + TEST_OVERFLOWS_TYPE(u32, u32, U32_MAX, false); + TEST_OVERFLOWS_TYPE(u32, s32, S32_MAX, false); + TEST_OVERFLOWS_TYPE(u32, s32, U32_MAX, true); + TEST_OVERFLOWS_TYPE(u32, s32, (u32)S32_MAX + 1, true); +#if BITS_PER_LONG == 64 + TEST_OVERFLOWS_TYPE(u32, u64, U32_MAX, false); + TEST_OVERFLOWS_TYPE(u32, s64, U32_MAX, false); +#endif + TEST_OVERFLOWS_TYPE(s32, u8, U8_MAX, false); + TEST_OVERFLOWS_TYPE(s32, u8, (s32)U8_MAX + 1, true); + TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true); + TEST_OVERFLOWS_TYPE(s32, u8, -1, true); + TEST_OVERFLOWS_TYPE(s32, u8, S32_MIN, true); + TEST_OVERFLOWS_TYPE(s32, u16, U16_MAX, false); + TEST_OVERFLOWS_TYPE(s32, u16, (s32)U16_MAX + 1, true); + TEST_OVERFLOWS_TYPE(s32, u16, S32_MAX, true); + TEST_OVERFLOWS_TYPE(s32, u16, -1, true); + TEST_OVERFLOWS_TYPE(s32, u16, S32_MIN, true); + TEST_OVERFLOWS_TYPE(s32, u32, S32_MAX, false); + TEST_OVERFLOWS_TYPE(s32, u32, -1, true); + TEST_OVERFLOWS_TYPE(s32, u32, S32_MIN, true); +#if BITS_PER_LONG == 64 + TEST_OVERFLOWS_TYPE(s32, u64, S32_MAX, false); + TEST_OVERFLOWS_TYPE(s32, u64, -1, true); + TEST_OVERFLOWS_TYPE(s32, u64, S32_MIN, true); +#endif + TEST_OVERFLOWS_TYPE(s32, s8, S8_MAX, false); + TEST_OVERFLOWS_TYPE(s32, s8, S8_MIN, false); + TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MAX + 1, true); + TEST_OVERFLOWS_TYPE(s32, s8, (s32)S8_MIN - 1, true); + TEST_OVERFLOWS_TYPE(s32, s8, S32_MAX, true); + TEST_OVERFLOWS_TYPE(s32, s8, S32_MIN, true); + TEST_OVERFLOWS_TYPE(s32, s16, S16_MAX, false); + TEST_OVERFLOWS_TYPE(s32, s16, S16_MIN, false); + TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MAX + 1, true); + TEST_OVERFLOWS_TYPE(s32, s16, (s32)S16_MIN - 1, true); + TEST_OVERFLOWS_TYPE(s32, s16, S32_MAX, true); + TEST_OVERFLOWS_TYPE(s32, s16, S32_MIN, true); + TEST_OVERFLOWS_TYPE(s32, s32, S32_MAX, false); + TEST_OVERFLOWS_TYPE(s32, s32, S32_MIN, false); +#if BITS_PER_LONG == 64 + TEST_OVERFLOWS_TYPE(s32, s64, S32_MAX, false); + TEST_OVERFLOWS_TYPE(s32, s64, S32_MIN, false); + TEST_OVERFLOWS_TYPE(u64, u8, U64_MAX, true); + TEST_OVERFLOWS_TYPE(u64, u8, U8_MAX, false); + TEST_OVERFLOWS_TYPE(u64, u8, (u64)U8_MAX + 1, true); + TEST_OVERFLOWS_TYPE(u64, u16, U64_MAX, true); + TEST_OVERFLOWS_TYPE(u64, u16, U16_MAX, false); + TEST_OVERFLOWS_TYPE(u64, u16, (u64)U16_MAX + 1, true); + TEST_OVERFLOWS_TYPE(u64, u32, U64_MAX, true); + TEST_OVERFLOWS_TYPE(u64, u32, U32_MAX, false); + TEST_OVERFLOWS_TYPE(u64, u32, (u64)U32_MAX + 1, true); + TEST_OVERFLOWS_TYPE(u64, u64, U64_MAX, false); + TEST_OVERFLOWS_TYPE(u64, s8, S8_MAX, false); + TEST_OVERFLOWS_TYPE(u64, s8, (u64)S8_MAX + 1, true); + TEST_OVERFLOWS_TYPE(u64, s8, U64_MAX, true); + TEST_OVERFLOWS_TYPE(u64, s16, S16_MAX, false); + TEST_OVERFLOWS_TYPE(u64, s16, (u64)S16_MAX + 1, true); + TEST_OVERFLOWS_TYPE(u64, s16, U64_MAX, true); + TEST_OVERFLOWS_TYPE(u64, s32, S32_MAX, false); + TEST_OVERFLOWS_TYPE(u64, s32, (u64)S32_MAX + 1, true); + TEST_OVERFLOWS_TYPE(u64, s32, U64_MAX, true); + TEST_OVERFLOWS_TYPE(u64, s64, S64_MAX, false); + TEST_OVERFLOWS_TYPE(u64, s64, U64_MAX, true); + TEST_OVERFLOWS_TYPE(u64, s64, (u64)S64_MAX + 1, true); + TEST_OVERFLOWS_TYPE(s64, u8, S64_MAX, true); + TEST_OVERFLOWS_TYPE(s64, u8, S64_MIN, true); + TEST_OVERFLOWS_TYPE(s64, u8, -1, true); + TEST_OVERFLOWS_TYPE(s64, u8, U8_MAX, false); + TEST_OVERFLOWS_TYPE(s64, u8, (s64)U8_MAX + 1, true); + TEST_OVERFLOWS_TYPE(s64, u16, S64_MAX, true); + TEST_OVERFLOWS_TYPE(s64, u16, S64_MIN, true); + TEST_OVERFLOWS_TYPE(s64, u16, -1, true); + TEST_OVERFLOWS_TYPE(s64, u16, U16_MAX, false); + TEST_OVERFLOWS_TYPE(s64, u16, (s64)U16_MAX + 1, true); + TEST_OVERFLOWS_TYPE(s64, u32, S64_MAX, true); + TEST_OVERFLOWS_TYPE(s64, u32, S64_MIN, true); + TEST_OVERFLOWS_TYPE(s64, u32, -1, true); + TEST_OVERFLOWS_TYPE(s64, u32, U32_MAX, false); + TEST_OVERFLOWS_TYPE(s64, u32, (s64)U32_MAX + 1, true); + TEST_OVERFLOWS_TYPE(s64, u64, S64_MAX, false); + TEST_OVERFLOWS_TYPE(s64, u64, S64_MIN, true); + TEST_OVERFLOWS_TYPE(s64, u64, -1, true); + TEST_OVERFLOWS_TYPE(s64, s8, S8_MAX, false); + TEST_OVERFLOWS_TYPE(s64, s8, S8_MIN, false); + TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MAX + 1, true); + TEST_OVERFLOWS_TYPE(s64, s8, (s64)S8_MIN - 1, true); + TEST_OVERFLOWS_TYPE(s64, s8, S64_MAX, true); + TEST_OVERFLOWS_TYPE(s64, s16, S16_MAX, false); + TEST_OVERFLOWS_TYPE(s64, s16, S16_MIN, false); + TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MAX + 1, true); + TEST_OVERFLOWS_TYPE(s64, s16, (s64)S16_MIN - 1, true); + TEST_OVERFLOWS_TYPE(s64, s16, S64_MAX, true); + TEST_OVERFLOWS_TYPE(s64, s32, S32_MAX, false); + TEST_OVERFLOWS_TYPE(s64, s32, S32_MIN, false); + TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MAX + 1, true); + TEST_OVERFLOWS_TYPE(s64, s32, (s64)S32_MIN - 1, true); + TEST_OVERFLOWS_TYPE(s64, s32, S64_MAX, true); + TEST_OVERFLOWS_TYPE(s64, s64, S64_MAX, false); + TEST_OVERFLOWS_TYPE(s64, s64, S64_MIN, false); +#endif + + /* Check for macro side-effects. */ + var = INT_MAX - 1; + __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false); + __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, false); + __TEST_OVERFLOWS_TYPE(__overflows_type, var++, int, true); + var = INT_MAX - 1; + __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false); + __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, false); + __TEST_OVERFLOWS_TYPE(overflows_type, var++, int, true); + + kunit_info(test, "%d overflows_type() tests finished\n", count); +#undef TEST_OVERFLOWS_TYPE +#undef __TEST_OVERFLOWS_TYPE +} + +static void same_type_test(struct kunit *test) +{ + int count = 0; + int var; + +#define TEST_SAME_TYPE(t1, t2, same) do { \ + typeof(t1) __t1h = type_max(t1); \ + typeof(t1) __t1l = type_min(t1); \ + typeof(t2) __t2h = type_max(t2); \ + typeof(t2) __t2l = type_min(t2); \ + KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1h)); \ + KUNIT_EXPECT_EQ(test, true, __same_type(t1, __t1l)); \ + KUNIT_EXPECT_EQ(test, true, __same_type(__t1h, t1)); \ + KUNIT_EXPECT_EQ(test, true, __same_type(__t1l, t1)); \ + KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2h)); \ + KUNIT_EXPECT_EQ(test, true, __same_type(t2, __t2l)); \ + KUNIT_EXPECT_EQ(test, true, __same_type(__t2h, t2)); \ + KUNIT_EXPECT_EQ(test, true, __same_type(__t2l, t2)); \ + KUNIT_EXPECT_EQ(test, same, __same_type(t1, t2)); \ + KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1h)); \ + KUNIT_EXPECT_EQ(test, same, __same_type(t2, __t1l)); \ + KUNIT_EXPECT_EQ(test, same, __same_type(__t1h, t2)); \ + KUNIT_EXPECT_EQ(test, same, __same_type(__t1l, t2)); \ + KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2h)); \ + KUNIT_EXPECT_EQ(test, same, __same_type(t1, __t2l)); \ + KUNIT_EXPECT_EQ(test, same, __same_type(__t2h, t1)); \ + KUNIT_EXPECT_EQ(test, same, __same_type(__t2l, t1)); \ +} while (0) + +#if BITS_PER_LONG == 64 +# define TEST_SAME_TYPE64(base, t, m) TEST_SAME_TYPE(base, t, m) +#else +# define TEST_SAME_TYPE64(base, t, m) do { } while (0) +#endif + +#define TEST_TYPE_SETS(base, mu8, mu16, mu32, ms8, ms16, ms32, mu64, ms64) \ +do { \ + TEST_SAME_TYPE(base, u8, mu8); \ + TEST_SAME_TYPE(base, u16, mu16); \ + TEST_SAME_TYPE(base, u32, mu32); \ + TEST_SAME_TYPE(base, s8, ms8); \ + TEST_SAME_TYPE(base, s16, ms16); \ + TEST_SAME_TYPE(base, s32, ms32); \ + TEST_SAME_TYPE64(base, u64, mu64); \ + TEST_SAME_TYPE64(base, s64, ms64); \ +} while (0) + + TEST_TYPE_SETS(u8, true, false, false, false, false, false, false, false); + TEST_TYPE_SETS(u16, false, true, false, false, false, false, false, false); + TEST_TYPE_SETS(u32, false, false, true, false, false, false, false, false); + TEST_TYPE_SETS(s8, false, false, false, true, false, false, false, false); + TEST_TYPE_SETS(s16, false, false, false, false, true, false, false, false); + TEST_TYPE_SETS(s32, false, false, false, false, false, true, false, false); +#if BITS_PER_LONG == 64 + TEST_TYPE_SETS(u64, false, false, false, false, false, false, true, false); + TEST_TYPE_SETS(s64, false, false, false, false, false, false, false, true); +#endif + + /* Check for macro side-effects. */ + var = 4; + KUNIT_EXPECT_EQ(test, var, 4); + KUNIT_EXPECT_TRUE(test, __same_type(var++, int)); + KUNIT_EXPECT_EQ(test, var, 4); + KUNIT_EXPECT_TRUE(test, __same_type(int, var++)); + KUNIT_EXPECT_EQ(test, var, 4); + KUNIT_EXPECT_TRUE(test, __same_type(var++, var++)); + KUNIT_EXPECT_EQ(test, var, 4); + + kunit_info(test, "%d __same_type() tests finished\n", count); + +#undef TEST_TYPE_SETS +#undef TEST_SAME_TYPE64 +#undef TEST_SAME_TYPE +} + +static void castable_to_type_test(struct kunit *test) +{ + int count = 0; + +#define TEST_CASTABLE_TO_TYPE(arg1, arg2, pass) do { \ + bool __pass = castable_to_type(arg1, arg2); \ + KUNIT_EXPECT_EQ_MSG(test, __pass, pass, \ + "expected castable_to_type(" #arg1 ", " #arg2 ") to%s pass\n",\ + pass ? "" : " not"); \ + count++; \ +} while (0) + + TEST_CASTABLE_TO_TYPE(16, u8, true); + TEST_CASTABLE_TO_TYPE(16, u16, true); + TEST_CASTABLE_TO_TYPE(16, u32, true); + TEST_CASTABLE_TO_TYPE(16, s8, true); + TEST_CASTABLE_TO_TYPE(16, s16, true); + TEST_CASTABLE_TO_TYPE(16, s32, true); + TEST_CASTABLE_TO_TYPE(-16, s8, true); + TEST_CASTABLE_TO_TYPE(-16, s16, true); + TEST_CASTABLE_TO_TYPE(-16, s32, true); +#if BITS_PER_LONG == 64 + TEST_CASTABLE_TO_TYPE(16, u64, true); + TEST_CASTABLE_TO_TYPE(-16, s64, true); +#endif + +#define TEST_CASTABLE_TO_TYPE_VAR(width) do { \ + u ## width u ## width ## var = 0; \ + s ## width s ## width ## var = 0; \ + \ + /* Constant expressions that fit types. */ \ + TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width, true); \ + TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width, true); \ + TEST_CASTABLE_TO_TYPE(type_max(u ## width), u ## width ## var, true); \ + TEST_CASTABLE_TO_TYPE(type_min(u ## width), u ## width ## var, true); \ + TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width, true); \ + TEST_CASTABLE_TO_TYPE(type_min(s ## width), s ## width, true); \ + TEST_CASTABLE_TO_TYPE(type_max(s ## width), s ## width ## var, true); \ + TEST_CASTABLE_TO_TYPE(type_min(u ## width), s ## width ## var, true); \ + /* Constant expressions that do not fit types. */ \ + TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width, false); \ + TEST_CASTABLE_TO_TYPE(type_max(u ## width), s ## width ## var, false); \ + TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width, false); \ + TEST_CASTABLE_TO_TYPE(type_min(s ## width), u ## width ## var, false); \ + /* Non-constant expression with mismatched type. */ \ + TEST_CASTABLE_TO_TYPE(s ## width ## var, u ## width, false); \ + TEST_CASTABLE_TO_TYPE(u ## width ## var, s ## width, false); \ +} while (0) + +#define TEST_CASTABLE_TO_TYPE_RANGE(width) do { \ + unsigned long big = U ## width ## _MAX; \ + signed long small = S ## width ## _MIN; \ + u ## width u ## width ## var = 0; \ + s ## width s ## width ## var = 0; \ + \ + /* Constant expression in range. */ \ + TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width, true); \ + TEST_CASTABLE_TO_TYPE(U ## width ## _MAX, u ## width ## var, true); \ + TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width, true); \ + TEST_CASTABLE_TO_TYPE(S ## width ## _MIN, s ## width ## var, true); \ + /* Constant expression out of range. */ \ + TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width, false); \ + TEST_CASTABLE_TO_TYPE((unsigned long)U ## width ## _MAX + 1, u ## width ## var, false); \ + TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width, false); \ + TEST_CASTABLE_TO_TYPE((signed long)S ## width ## _MIN - 1, s ## width ## var, false); \ + /* Non-constant expression with mismatched type. */ \ + TEST_CASTABLE_TO_TYPE(big, u ## width, false); \ + TEST_CASTABLE_TO_TYPE(big, u ## width ## var, false); \ + TEST_CASTABLE_TO_TYPE(small, s ## width, false); \ + TEST_CASTABLE_TO_TYPE(small, s ## width ## var, false); \ +} while (0) + + TEST_CASTABLE_TO_TYPE_VAR(8); + TEST_CASTABLE_TO_TYPE_VAR(16); + TEST_CASTABLE_TO_TYPE_VAR(32); +#if BITS_PER_LONG == 64 + TEST_CASTABLE_TO_TYPE_VAR(64); +#endif + + TEST_CASTABLE_TO_TYPE_RANGE(8); + TEST_CASTABLE_TO_TYPE_RANGE(16); +#if BITS_PER_LONG == 64 + TEST_CASTABLE_TO_TYPE_RANGE(32); +#endif + kunit_info(test, "%d castable_to_type() tests finished\n", count); + +#undef TEST_CASTABLE_TO_TYPE_RANGE +#undef TEST_CASTABLE_TO_TYPE_VAR +#undef TEST_CASTABLE_TO_TYPE +} + static struct kunit_case overflow_test_cases[] = { KUNIT_CASE(u8_u8__u8_overflow_test), KUNIT_CASE(s8_s8__s8_overflow_test), @@ -730,6 +1113,9 @@ static struct kunit_case overflow_test_cases[] = { KUNIT_CASE(shift_nonsense_test), KUNIT_CASE(overflow_allocation_test), KUNIT_CASE(overflow_size_helpers_test), + KUNIT_CASE(overflows_type_test), + KUNIT_CASE(same_type_test), + KUNIT_CASE(castable_to_type_test), {} };
Implement a robust overflows_type() macro to test if a variable or constant value would overflow another variable or type. This can be used as a constant expression for static_assert() (which requires a constant expression[1][2]) when used on constant values. This must be constructed manually, since __builtin_add_overflow() does not produce a constant expression[3]. Additionally adds castable_to_type(), similar to __same_type(), but for checking if a constant value would overflow if cast to a given type. Add unit tests for overflows_type(), __same_type(), and castable_to_type() to the existing KUnit "overflow" test. [1] https://en.cppreference.com/w/c/language/_Static_assert [2] C11 standard (ISO/IEC 9899:2011): 6.7.10 Static assertions [3] https://gcc.gnu.org/onlinedocs/gcc/Integer-Overflow-Builtins.html 6.56 Built-in Functions to Perform Arithmetic with Overflow Checking Built-in Function: bool __builtin_add_overflow (type1 a, type2 b, Cc: Luc Van Oostenryck <luc.vanoostenryck@gmail.com> Cc: Nathan Chancellor <nathan@kernel.org> Cc: Nick Desaulniers <ndesaulniers@google.com> Cc: Tom Rix <trix@redhat.com> Cc: Daniel Latypov <dlatypov@google.com> Cc: Vitor Massaru Iha <vitor@massaru.org> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org> Cc: linux-hardening@vger.kernel.org Cc: llvm@lists.linux.dev Co-developed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com> Signed-off-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com> Signed-off-by: Kees Cook <keescook@chromium.org> --- v2: - fix comment typo - wrap clang pragma to avoid GCC warnings - style nit cleanups - rename __castable_to_type() to castable_to_type() - remove prior overflows_type() definition v1: https://lore.kernel.org/lkml/20220926003743.409911-1-keescook@chromium.org --- drivers/gpu/drm/i915/i915_utils.h | 4 - include/linux/compiler.h | 1 + include/linux/overflow.h | 48 ++++ lib/overflow_kunit.c | 388 +++++++++++++++++++++++++++++- 4 files changed, 436 insertions(+), 5 deletions(-)