
[v2,1/7] drm: Move and add a few utility macros into drm util header

Message ID 20220705122455.3866745-2-gwan-gyeong.mun@intel.com (mailing list archive)
State New, archived
Series Fixes integer overflow or integer truncation issues in page lookups, ttm place configuration and scatterlist creation | expand

Commit Message

Gwan-gyeong Mun July 5, 2022, 12:24 p.m. UTC
It moves overflows_type utility macro into drm util header from i915_utils
header. The overflows_type can be used to catch the truncation between data
types. And it adds safe_conversion() macro which performs a type conversion
(cast) of a source value into a new variable, checking that the
destination is large enough to hold the source value.
And it adds exact_type and exactly_pgoff_t macro to catch type mis-match
while compiling.

Signed-off-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Cc: Matthew Auld <matthew.auld@intel.com>
Cc: Nirmoy Das <nirmoy.das@intel.com>
Cc: Jani Nikula <jani.nikula@intel.com>
---
 drivers/gpu/drm/i915/i915_utils.h |  5 +--
 include/drm/drm_util.h            | 54 +++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 4 deletions(-)

Comments

Mauro Carvalho Chehab July 5, 2022, 2:23 p.m. UTC | #1
On Tue,  5 Jul 2022 15:24:49 +0300
Gwan-gyeong Mun <gwan-gyeong.mun@intel.com> wrote:

> It moves overflows_type utility macro into drm util header from i915_utils
> header. The overflows_type can be used to catch the truncation between data
> types. And it adds safe_conversion() macro which performs a type conversion
> (cast) of an source value into a new variable, checking that the
> destination is large enough to hold the source value.
> And it adds exact_type and exactly_pgoff_t macro to catch type mis-match
> while compiling.
> 
> Signed-off-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> Cc: Matthew Auld <matthew.auld@intel.com>
> Cc: Nirmoy Das <nirmoy.das@intel.com>
> Cc: Jani Nikula <jani.nikula@intel.com>
> ---
>  drivers/gpu/drm/i915/i915_utils.h |  5 +--
>  include/drm/drm_util.h            | 54 +++++++++++++++++++++++++++++++
>  2 files changed, 55 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/gpu/drm/i915/i915_utils.h b/drivers/gpu/drm/i915/i915_utils.h
> index c10d68cdc3ca..345e5b2dc1cd 100644
> --- a/drivers/gpu/drm/i915/i915_utils.h
> +++ b/drivers/gpu/drm/i915/i915_utils.h
> @@ -32,6 +32,7 @@
>  #include <linux/types.h>
>  #include <linux/workqueue.h>
>  #include <linux/sched/clock.h>
> +#include <drm/drm_util.h>
>  
>  #ifdef CONFIG_X86
>  #include <asm/hypervisor.h>
> @@ -111,10 +112,6 @@ bool i915_error_injected(void);
>  #define range_overflows_end_t(type, start, size, max) \
>  	range_overflows_end((type)(start), (type)(size), (type)(max))
>  
> -/* Note we don't consider signbits :| */
> -#define overflows_type(x, T) \
> -	(sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
> -
>  #define ptr_mask_bits(ptr, n) ({					\
>  	unsigned long __v = (unsigned long)(ptr);			\
>  	(typeof(ptr))(__v & -BIT(n));					\
> diff --git a/include/drm/drm_util.h b/include/drm/drm_util.h
> index 79952d8c4bba..c56230e39e37 100644
> --- a/include/drm/drm_util.h
> +++ b/include/drm/drm_util.h
> @@ -62,6 +62,60 @@
>   */
>  #define for_each_if(condition) if (!(condition)) {} else
>  
> +/**
> + * overflows_type - helper for checking the truncation between data types
> + * @x: Source for overflow type comparison
> + * @T: Destination for overflow type comparison
> + *
> + * It compares the values and size of each data type between the first and
> + * second argument to check whether truncation can occur when assigning the
> + * first argument to the variable of the second argument.
> + * It does't consider signbits.
> + *
> + * Returns:
> + * True if truncation can occur, false otherwise.
> + */
> +#define overflows_type(x, T) \
> +	(sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))

As pointed on its description, this macro only works if both types
are either signed or unsigned. However, the macro itself doesn't check
it.

It is probably worth adding something there to ensure that both types are
either signed or unsigned. I would add this ancillary macro, probably in
a generic kernel header, as it can be useful outside drm:

	#define sign_matches(x, y) \
	        (!((typeof(x))-1 >= 0) ^ ((typeof(y))-1 >= 0))

And then include use it at overflows_type:

	BUILD_BUG_ON(!sign_matches(x, T))

> +
> +/**
> + * exact_type - break compile if source type and destination value's type are
> + * not the same
> + * @T: Source type
> + * @n: Destination value
> + *
> + * It is a helper macro for a poor man's -Wconversion: only allow variables of
> + * an exact type. It determines whether the source type and destination value's
> + * type are the same while compiling, and it breaks compile if two types are
> + * not the same
> + */
> +#define exact_type(T, n) \
> +	BUILD_BUG_ON(!__builtin_constant_p(n) && !__builtin_types_compatible_p(T, typeof(n)))
> +
> +/**
> + * exactly_pgoff_t - helper to check if the type of a value is pgoff_t
> + * @n: value to compare pgoff_t type
> + *
> + * It breaks compile if the argument value's type is not pgoff_t type.
> + */
> +#define exactly_pgoff_t(n) exact_type(pgoff_t, n)
> +
> +/*
> + * safe_conversion - perform a type conversion (cast) of an source value into
> + * a new variable, checking that the destination is large enough to hold the
> + * source value.
> + * @ptr: Destination pointer address
> + * @value: Source value
> + *
> + * Returns:
> + * If the value would overflow the destination, it returns false.
> + */
> +#define safe_conversion(ptr, value) ({ \
> +	typeof(value) __v = (value); \
> +	typeof(ptr) __ptr = (ptr); \
> +	overflows_type(__v, *__ptr) ? 0 : (*__ptr = (typeof(*__ptr))__v), 1; \
> +})
> +
>  /**
>   * drm_can_sleep - returns true if currently okay to sleep
>   *
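Review bot: safe_conversion() at the end of the hunk always evaluates to 1, because the comma operator binds looser than `?:`: `overflows_type(__v, *__ptr) ? 0 : (*__ptr = (typeof(*__ptr))__v), 1` is parsed as `(cond ? 0 : assignment), 1`, so the 0 on the overflow path is discarded and a caller that rejects a value on a false return will instead accept it with the store silently skipped. The assignment and the 1 have to be grouped on the non-overflow branch: `overflows_type(__v, *__ptr) ? 0 : ((*__ptr = (typeof(*__ptr))__v), 1); \`. Separately, the comment above safe_conversion opens with `/*` rather than `/**`, so unlike overflows_type, exact_type and exactly_pgoff_t just before it, it is not picked up as kernel-doc. The same hunk is quoted again in the replies below and the point applies to each copy.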
Gwan-gyeong Mun July 6, 2022, 3:04 p.m. UTC | #2
On 7/5/22 5:23 PM, Mauro Carvalho Chehab wrote:
> On Tue,  5 Jul 2022 15:24:49 +0300
> Gwan-gyeong Mun <gwan-gyeong.mun@intel.com> wrote:
> 
>> It moves overflows_type utility macro into drm util header from i915_utils
>> header. The overflows_type can be used to catch the truncation between data
>> types. And it adds safe_conversion() macro which performs a type conversion
>> (cast) of an source value into a new variable, checking that the
>> destination is large enough to hold the source value.
>> And it adds exact_type and exactly_pgoff_t macro to catch type mis-match
>> while compiling.
>>
>> Signed-off-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
>> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
>> Cc: Matthew Auld <matthew.auld@intel.com>
>> Cc: Nirmoy Das <nirmoy.das@intel.com>
>> Cc: Jani Nikula <jani.nikula@intel.com>
>> ---
>>   drivers/gpu/drm/i915/i915_utils.h |  5 +--
>>   include/drm/drm_util.h            | 54 +++++++++++++++++++++++++++++++
>>   2 files changed, 55 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/gpu/drm/i915/i915_utils.h b/drivers/gpu/drm/i915/i915_utils.h
>> index c10d68cdc3ca..345e5b2dc1cd 100644
>> --- a/drivers/gpu/drm/i915/i915_utils.h
>> +++ b/drivers/gpu/drm/i915/i915_utils.h
>> @@ -32,6 +32,7 @@
>>   #include <linux/types.h>
>>   #include <linux/workqueue.h>
>>   #include <linux/sched/clock.h>
>> +#include <drm/drm_util.h>
>>   
>>   #ifdef CONFIG_X86
>>   #include <asm/hypervisor.h>
>> @@ -111,10 +112,6 @@ bool i915_error_injected(void);
>>   #define range_overflows_end_t(type, start, size, max) \
>>   	range_overflows_end((type)(start), (type)(size), (type)(max))
>>   
>> -/* Note we don't consider signbits :| */
>> -#define overflows_type(x, T) \
>> -	(sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
>> -
>>   #define ptr_mask_bits(ptr, n) ({					\
>>   	unsigned long __v = (unsigned long)(ptr);			\
>>   	(typeof(ptr))(__v & -BIT(n));					\
>> diff --git a/include/drm/drm_util.h b/include/drm/drm_util.h
>> index 79952d8c4bba..c56230e39e37 100644
>> --- a/include/drm/drm_util.h
>> +++ b/include/drm/drm_util.h
>> @@ -62,6 +62,60 @@
>>    */
>>   #define for_each_if(condition) if (!(condition)) {} else
>>   
>> +/**
>> + * overflows_type - helper for checking the truncation between data types
>> + * @x: Source for overflow type comparison
>> + * @T: Destination for overflow type comparison
>> + *
>> + * It compares the values and size of each data type between the first and
>> + * second argument to check whether truncation can occur when assigning the
>> + * first argument to the variable of the second argument.
>> + * It does't consider signbits.
>> + *
>> + * Returns:
>> + * True if truncation can occur, false otherwise.
>> + */
>> +#define overflows_type(x, T) \
>> +	(sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
> 
> As pointed on its description, this macro only works if both types
> are either signed or unsigned. However, the macro itself doesn't check
> it.
> 
> It probably worth adding something there to ensure that both types are
> either signed or unsigned. I would add this ancillary macro probably on
> on a generic kernel header - as this can be useful outside drm:
> 
> 	#define sign_matches(x, y) \
> 	        (!((typeof(x))-1 >= 0) ^ ((typeof(y))-1 >= 0))
> 
> And then include use it at overflows_type:
> 
> 	BUILD_BUG_ON(!sign_matches(x, T))
> 
Hi Mauro, thanks for checking it.

What you commented here (sign_matches macro) is to check whether the 
sign bits of two types are the same,  but the purpose of the 
overflows_type() macro checks overflows while assigning a variable with 
a large data size (BITS_PER_TYPE is large) to a variable with a small 
data size (BITS_PER_TYPE is small).

we can check the additional sign bit by adding sign_matches() to the 
overflows_type() macro, but in the current scenario, it is used only 
when the sign bit is the same.
Should the macro be extended even for cases where the sign bit is 
different in the current state? (If yes, I'll update it in v3)

In addition, the place where this macro is currently used is only in the 
i915 driver, so it has been moved to the header of the drm subsystem.
IMHO, moving the macro location so that it can be used by multiple 
subsystems of linux would be a good idea when there is a use case for 
this macro. What do you think?

G.G.
>> +
>> +/**
>> + * exact_type - break compile if source type and destination value's type are
>> + * not the same
>> + * @T: Source type
>> + * @n: Destination value
>> + *
>> + * It is a helper macro for a poor man's -Wconversion: only allow variables of
>> + * an exact type. It determines whether the source type and destination value's
>> + * type are the same while compiling, and it breaks compile if two types are
>> + * not the same
>> + */
>> +#define exact_type(T, n) \
>> +	BUILD_BUG_ON(!__builtin_constant_p(n) && !__builtin_types_compatible_p(T, typeof(n)))
>> +
>> +/**
>> + * exactly_pgoff_t - helper to check if the type of a value is pgoff_t
>> + * @n: value to compare pgoff_t type
>> + *
>> + * It breaks compile if the argument value's type is not pgoff_t type.
>> + */
>> +#define exactly_pgoff_t(n) exact_type(pgoff_t, n)
>> +
>> +/*
>> + * safe_conversion - perform a type conversion (cast) of an source value into
>> + * a new variable, checking that the destination is large enough to hold the
>> + * source value.
>> + * @ptr: Destination pointer address
>> + * @value: Source value
>> + *
>> + * Returns:
>> + * If the value would overflow the destination, it returns false.
>> + */
>> +#define safe_conversion(ptr, value) ({ \
>> +	typeof(value) __v = (value); \
>> +	typeof(ptr) __ptr = (ptr); \
>> +	overflows_type(__v, *__ptr) ? 0 : (*__ptr = (typeof(*__ptr))__v), 1; \
>> +})
>> +
>>   /**
>>    * drm_can_sleep - returns true if currently okay to sleep
>>    *
Mauro Carvalho Chehab July 6, 2022, 5:05 p.m. UTC | #3
On Wed, 6 Jul 2022 18:04:20 +0300
Gwan-gyeong Mun <gwan-gyeong.mun@intel.com> wrote:

> On 7/5/22 5:23 PM, Mauro Carvalho Chehab wrote:
> > On Tue,  5 Jul 2022 15:24:49 +0300
> > Gwan-gyeong Mun <gwan-gyeong.mun@intel.com> wrote:
> >   
> >> It moves overflows_type utility macro into drm util header from i915_utils
> >> header. The overflows_type can be used to catch the truncation between data
> >> types. And it adds safe_conversion() macro which performs a type conversion
> >> (cast) of an source value into a new variable, checking that the
> >> destination is large enough to hold the source value.
> >> And it adds exact_type and exactly_pgoff_t macro to catch type mis-match
> >> while compiling.
> >>
> >> Signed-off-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
> >> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
> >> Cc: Matthew Auld <matthew.auld@intel.com>
> >> Cc: Nirmoy Das <nirmoy.das@intel.com>
> >> Cc: Jani Nikula <jani.nikula@intel.com>
> >> ---
> >>   drivers/gpu/drm/i915/i915_utils.h |  5 +--
> >>   include/drm/drm_util.h            | 54 +++++++++++++++++++++++++++++++
> >>   2 files changed, 55 insertions(+), 4 deletions(-)
> >>
> >> diff --git a/drivers/gpu/drm/i915/i915_utils.h b/drivers/gpu/drm/i915/i915_utils.h
> >> index c10d68cdc3ca..345e5b2dc1cd 100644
> >> --- a/drivers/gpu/drm/i915/i915_utils.h
> >> +++ b/drivers/gpu/drm/i915/i915_utils.h
> >> @@ -32,6 +32,7 @@
> >>   #include <linux/types.h>
> >>   #include <linux/workqueue.h>
> >>   #include <linux/sched/clock.h>
> >> +#include <drm/drm_util.h>
> >>   
> >>   #ifdef CONFIG_X86
> >>   #include <asm/hypervisor.h>
> >> @@ -111,10 +112,6 @@ bool i915_error_injected(void);
> >>   #define range_overflows_end_t(type, start, size, max) \
> >>   	range_overflows_end((type)(start), (type)(size), (type)(max))
> >>   
> >> -/* Note we don't consider signbits :| */
> >> -#define overflows_type(x, T) \
> >> -	(sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
> >> -
> >>   #define ptr_mask_bits(ptr, n) ({					\
> >>   	unsigned long __v = (unsigned long)(ptr);			\
> >>   	(typeof(ptr))(__v & -BIT(n));					\
> >> diff --git a/include/drm/drm_util.h b/include/drm/drm_util.h
> >> index 79952d8c4bba..c56230e39e37 100644
> >> --- a/include/drm/drm_util.h
> >> +++ b/include/drm/drm_util.h
> >> @@ -62,6 +62,60 @@
> >>    */
> >>   #define for_each_if(condition) if (!(condition)) {} else
> >>   
> >> +/**
> >> + * overflows_type - helper for checking the truncation between data types
> >> + * @x: Source for overflow type comparison
> >> + * @T: Destination for overflow type comparison
> >> + *
> >> + * It compares the values and size of each data type between the first and
> >> + * second argument to check whether truncation can occur when assigning the
> >> + * first argument to the variable of the second argument.
> >> + * It does't consider signbits.
> >> + *
> >> + * Returns:
> >> + * True if truncation can occur, false otherwise.
> >> + */
> >> +#define overflows_type(x, T) \
> >> +	(sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T)) 
> > 
> > As pointed on its description, this macro only works if both types
> > are either signed or unsigned. However, the macro itself doesn't check
> > it.
> > 
> > It probably worth adding something there to ensure that both types are
> > either signed or unsigned. I would add this ancillary macro probably on
> > on a generic kernel header - as this can be useful outside drm:
> > 
> > 	#define sign_matches(x, y) \
> > 	        (!((typeof(x))-1 >= 0) ^ ((typeof(y))-1 >= 0))
> > 
> > And then include use it at overflows_type:
> > 
> > 	BUILD_BUG_ON(!sign_matches(x, T))
> >   
> Hi Mauro, thanks for checking it.
> 
> What you commented here (sign_matches macro) is to check whether the 
> sign bits of two types are the same,  but the purpose of the 
> overflows_type() macro checks overflows while assigning a variable with 
> a large data size (BITS_PER_TYPE is large) to a variable with a small 
> data size (BITS_PER_TYPE is small).

True, but the problem is that such macro just assumes that either both
are signed or unsigned without actually checking it.

Basically, if one tries to store, for instance, an s32 value in a u64 var,
the value won't be stored correctly, due to an underflow. As the whole
idea of this macro is precisely to detect whether the "container" variable
is big enough to properly represent the value, it sounds incomplete
not to handle the integer sign.

Btw, after reviewing all patches, using BUILD_BUG_ON() is not needed
here, as such macro (or similar) is already used at the callers code.

So, I would just return false if the signals are incompatible, e. g. 
if the type of the source value is signed and the type of the 
destination value is unsigned.

So:

#define overflows_type(x, T) \
	(!signal_matches(x,T) || (sizeof(x) > sizeof(T)))

Should do the trick[1]. 

[1] using BITS_PER_TYPE() macro is not really needed, as this is
    defined as:

	#define BITS_PER_BYTE              8
	#define BITS_PER_TYPE(type)      (sizeof(type) * BITS_PER_BYTE)

    So, checking if sizeof(x) > sizeof(T) is enough. Btw, the check
    there seems to be inverted, making the macro to always return zero!

Yet, strictly speaking, it is possible to store an unsigned value on a 
signed type, if the signed type is bigger than the size of unsigned
(so, a s64 int can store u32, but a s32 can't store u32).

Adding a check that would consider this should be like:

	#define is_type_unsigned(x) ((typeof(x))-1 >= 0) 
	#define is_type_signed(x) (!is_type_unsigned(x)) 
	#define overflows_type(x, T)							 \
	(										 \
		(is_type_signed(x) && is_type_unsigned(T)) ||				 \
		(is_type_unsigned(x) && is_type_signed(T) && (sizeof(x) == sizeof(T))) ||\
		(sizeof(x) > sizeof(T))							 \
	) 	

This should be generic enough to be used anywhere.

> we can check the additional sign bit by adding sign_matches() to the 
> overflows_type() macro, but in the current scenario, it is used only 
> when the sign bit is the same.

Yeah, but "current scenarios" can easily be extended to something
else, quickly going sideways specially on a subsystem-wide macro. 
Also, getting this right is particularly tricky when comparing typedef
integers. So, I would be more comfortable if the logic will also
check the signal at the destination variable.

> Should the macro be extended even for cases where the sign bit is 
> different in the current state? (If yes, I'll updated it as v3)
> 
> In addition, the place where this macro is currently used is only in the 
> i915 driver, so it has been moved to the header of the drm subsystem.
> IMHO, moving the macro location so that it can be used by multiple 
> subsystems of linux would be a good idea when there is a use case for 
> this macro. What do you think?

Good point. Yeah, it can stay there while not needed outside drm.

Btw, in order to get it right, I suggest double-checking in userspace
how each macros are evaluated, like using the code below.

It helps to check if the logic is doing what's expected or not.

----

#include <stdio.h>
#include <stdint.h>

// Kernel definitions from bits.h and bitops.h
#define BITS_PER_BYTE              8
#define BITS_PER_TYPE(type)      (sizeof(type) * BITS_PER_BYTE)

#define sign_matches(x, y) \
	(!((typeof(x))-1 >= 0) ^ ((typeof(y))-1 >= 0))

#define is_type_unsigned(x) ((typeof(x))-1 >= 0)
#define is_type_signed(x) (!is_type_unsigned(x))

#define overflows_type(x, T)								 \
	(										 \
		(is_type_signed(x) && is_type_unsigned(T)) ||				 \
		(is_type_unsigned(x) && is_type_signed(T) && (sizeof(x) == sizeof(T))) ||\
		(sizeof(x) > sizeof(T))							 \
	) ? "OVERFLOW" : "don't overflow"

int main(void)
{
	uint32_t	u32_1 = 0, u32_2 = 0;
	int32_t		s32_1 = 0, s32_2 = 0;
	uint64_t	u64_1 = 0, u64_2 = 0;
	int64_t		s64_1 = 0, s64_2 = 0;

	printf("u32 stored into u32: %s\n", overflows_type(u32_1, u32_2));
	printf("u64 stored into u32: %s\n", overflows_type(u64_1, u32_2));
	printf("s32 stored into u32: %s\n", overflows_type(s32_1, u32_2));
	printf("s64 stored into u32: %s\n", overflows_type(s64_1, u32_2));

	printf("u32 stored into s32: %s\n", overflows_type(u32_1, s32_2));
	printf("u64 stored into s32: %s\n", overflows_type(u64_1, s32_2));
	printf("s32 stored into s32: %s\n", overflows_type(s32_1, s32_2));
	printf("s64 stored into s32: %s\n", overflows_type(s64_1, s32_2));

	printf("u32 stored into u64: %s\n", overflows_type(u32_1, u64_2));
	printf("u64 stored into u64: %s\n", overflows_type(u64_1, u64_2));
	printf("s32 stored into u64: %s\n", overflows_type(s32_1, u64_2));
	printf("s64 stored into u64: %s\n", overflows_type(s64_1, u64_2));

	printf("u32 stored into s64: %s\n", overflows_type(u32_1, s64_2));
	printf("u64 stored into s64: %s\n", overflows_type(u64_1, s64_2));
	printf("s32 stored into u64: %s\n", overflows_type(s32_1, u64_2));
	printf("s64 stored into u64: %s\n", overflows_type(s64_1, u64_2));

	// Shutup warnings
	s64_1 = u32_1 + u32_2 + s64_2 + s32_1 + s32_2 + u64_1 + u64_2;

	return 0;
}
Gwan-gyeong Mun July 12, 2022, 10:50 a.m. UTC | #4
On 7/6/22 8:05 PM, Mauro Carvalho Chehab wrote:
> On Wed, 6 Jul 2022 18:04:20 +0300
> Gwan-gyeong Mun <gwan-gyeong.mun@intel.com> wrote:
> 
>> On 7/5/22 5:23 PM, Mauro Carvalho Chehab wrote:
>>> On Tue,  5 Jul 2022 15:24:49 +0300
>>> Gwan-gyeong Mun <gwan-gyeong.mun@intel.com> wrote:
>>>    
>>>> It moves overflows_type utility macro into drm util header from i915_utils
>>>> header. The overflows_type can be used to catch the truncation between data
>>>> types. And it adds safe_conversion() macro which performs a type conversion
>>>> (cast) of an source value into a new variable, checking that the
>>>> destination is large enough to hold the source value.
>>>> And it adds exact_type and exactly_pgoff_t macro to catch type mis-match
>>>> while compiling.
>>>>
>>>> Signed-off-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
>>>> Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
>>>> Cc: Matthew Auld <matthew.auld@intel.com>
>>>> Cc: Nirmoy Das <nirmoy.das@intel.com>
>>>> Cc: Jani Nikula <jani.nikula@intel.com>
>>>> ---
>>>>    drivers/gpu/drm/i915/i915_utils.h |  5 +--
>>>>    include/drm/drm_util.h            | 54 +++++++++++++++++++++++++++++++
>>>>    2 files changed, 55 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/drivers/gpu/drm/i915/i915_utils.h b/drivers/gpu/drm/i915/i915_utils.h
>>>> index c10d68cdc3ca..345e5b2dc1cd 100644
>>>> --- a/drivers/gpu/drm/i915/i915_utils.h
>>>> +++ b/drivers/gpu/drm/i915/i915_utils.h
>>>> @@ -32,6 +32,7 @@
>>>>    #include <linux/types.h>
>>>>    #include <linux/workqueue.h>
>>>>    #include <linux/sched/clock.h>
>>>> +#include <drm/drm_util.h>
>>>>    
>>>>    #ifdef CONFIG_X86
>>>>    #include <asm/hypervisor.h>
>>>> @@ -111,10 +112,6 @@ bool i915_error_injected(void);
>>>>    #define range_overflows_end_t(type, start, size, max) \
>>>>    	range_overflows_end((type)(start), (type)(size), (type)(max))
>>>>    
>>>> -/* Note we don't consider signbits :| */
>>>> -#define overflows_type(x, T) \
>>>> -	(sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
>>>> -
>>>>    #define ptr_mask_bits(ptr, n) ({					\
>>>>    	unsigned long __v = (unsigned long)(ptr);			\
>>>>    	(typeof(ptr))(__v & -BIT(n));					\
>>>> diff --git a/include/drm/drm_util.h b/include/drm/drm_util.h
>>>> index 79952d8c4bba..c56230e39e37 100644
>>>> --- a/include/drm/drm_util.h
>>>> +++ b/include/drm/drm_util.h
>>>> @@ -62,6 +62,60 @@
>>>>     */
>>>>    #define for_each_if(condition) if (!(condition)) {} else
>>>>    
>>>> +/**
>>>> + * overflows_type - helper for checking the truncation between data types
>>>> + * @x: Source for overflow type comparison
>>>> + * @T: Destination for overflow type comparison
>>>> + *
>>>> + * It compares the values and size of each data type between the first and
>>>> + * second argument to check whether truncation can occur when assigning the
>>>> + * first argument to the variable of the second argument.
>>>> + * It does't consider signbits.
>>>> + *
>>>> + * Returns:
>>>> + * True if truncation can occur, false otherwise.
>>>> + */
>>>> +#define overflows_type(x, T) \
>>>> +	(sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
>>>
>>> As pointed on its description, this macro only works if both types
>>> are either signed or unsigned. However, the macro itself doesn't check
>>> it.
>>>
>>> It probably worth adding something there to ensure that both types are
>>> either signed or unsigned. I would add this ancillary macro probably on
>>> on a generic kernel header - as this can be useful outside drm:
>>>
>>> 	#define sign_matches(x, y) \
>>> 	        (!((typeof(x))-1 >= 0) ^ ((typeof(y))-1 >= 0))
>>>
>>> And then include use it at overflows_type:
>>>
>>> 	BUILD_BUG_ON(!sign_matches(x, T))
>>>    
>> Hi Mauro, thanks for checking it.
>>
>> What you commented here (sign_matches macro) is to check whether the
>> sign bits of two types are the same,  but the purpose of the
>> overflows_type() macro checks overflows while assigning a variable with
>> a large data size (BITS_PER_TYPE is large) to a variable with a small
>> data size (BITS_PER_TYPE is small).
> 
> True, but the problem is that such macro just assumes that either both
> are signed or unsigned without actually checking it.
> 
> Basically, if one tries to store for instance a s32 value on an u64 var,
> the value won't be stored correctly, due to an underflow. As the hole
> idea of this macro is to exactly detect if the "container" variable
> is big enough to properly represent the measure, it sounds incomplete
> to not handle the integer signal.
> 
> Btw, after reviewing all patches, using BUILD_BUG_ON() is not needed
> here, as such macro (or similar) is already used at the callers code.
> 
> So, I would just return false if the signals are incompatible, e. g.
> if the type of the source value is signed and the type of the
> destination value is unsigned.
> 
> So:
> 
> #define overflows_type(x, T) \
> 	(!signal_matches(x,T) || (sizeof(x) > sizeof(T)))
> 
> Should do the trick[1].
> 
> [1] using BITS_PER_TYPE() macro is not really needed, as this is
>      defined as:
> 
> 	#define BITS_PER_BYTE              8
> 	#define BITS_PER_TYPE(type)      (sizeof(type) * BITS_PER_BYTE)
> 
>      So, checking if sizeof(x) > sizeof(T) is enough. Btw, the check
>      there seems to be inverted, making the macro to always return zero!
> 
> Yet, strictly speaking, it is possible to store an unsigned value on a
> signed type, if the signed type is bigger than the size of unsigned
> (so, a s64 int can store u32, but a s32 can't store u32).
> 
> Adding a check that would consider this should be like:
> 
> 	#define is_type_unsigned(x) ((typeof(x))-1 >= 0)
> 	#define is_type_signed(x) (!is_type_unsigned(x))
> 	#define overflows_type(x, T)							 \
> 	(										 \
> 		(is_type_signed(x) && is_type_unsigned(T)) ||				 \
> 		(is_type_unsigned(x) && is_type_signed(T) && (sizeof(x) == sizeof(T))) ||\
> 		(sizeof(x) > sizeof(T))							 \
> 	) 	
> 
> This should be generic enough to be used anywhere.
> 
>> we can check the additional sign bit by adding sign_matches() to the
>> overflows_type() macro, but in the current scenario, it is used only
>> when the sign bit is the same.
> 
> Yeah, but "current scenarios" can easily be extended to something
> else, quickly going sideways specially on a subsystem-wide macro.
> Also, getting this right is particularly tricky when comparing typedef
> integers. So, I would be more comfortable if the logic will also
> check the signal at the destination variable.
> 
>> Should the macro be extended even for cases where the sign bit is
>> different in the current state? (If yes, I'll updated it as v3)
>>
>> In addition, the place where this macro is currently used is only in the
>> i915 driver, so it has been moved to the header of the drm subsystem.
>> IMHO, moving the macro location so that it can be used by multiple
>> subsystems of linux would be a good idea when there is a use case for
>> this macro. What do you think?
> 
> Good point. Yeah, it can stay there while not needed outside drm.
> 
> Btw, in order to get it right, I suggest double-checking in userspace
> how each macros are evaluated, like using the code below.
> 
> It helps to check if the logic is doing what's expected or not.
> 
Thanks for sharing your nice comments and ideas.
The currently used overflows_type() macro is required to check not
only for overflow based on the size of the container, but also for the
overflow that may occur when an actual value is assigned.
In relation to this, I wrote a macro based on the logic below and tested 
all scenarios that can be used in c code.

#define BITS_PER_BYTE           8
#define BITS_PER_TYPE(type)	(sizeof(type) * BITS_PER_BYTE)

#define is_type_unsigned(x) ((typeof(x))-1 >= 0)

bool overflows = false;
if (is_type_unsigned(x)) {
   if (is_type_unsigned(T)) { // x: unsigned, T: unsigned
     if (sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
       overflows = true;
   } else { // x: unsigned, T: signed
     if (sizeof(x) >= sizeof(T) && (x) >> BITS_PER_TYPE(T) - 1)
       overflows = true;
   }
} else {
   if (is_type_unsigned(T)) {  // x: signed, T: unsigned
     if ((x) < 0)  // sign bit is negative, negative value
       overflows = true;
     else { // sign bit is positive, positive value
       if (sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
         overflows = true;
     }
   } else {  // x: signed, T: signed
     if (sizeof(x) > sizeof(T)) {
       if ((x) < 0) { // sign bit is negative, negative value
         if (((x) * -1) >> BITS_PER_TYPE(T)) {
             /* Since signed numbers treat negative numbers as
                2's complement, convert them to positive numbers,
                perform bitshift operations, and perform overflow checking.
             */
           overflows = true;
         }
       }
       else { // positive value.
         if ((x) >> BITS_PER_TYPE(T))
           overflows = true;
       }
     }
   }
}


Here is the code that was actually tested:
The patch applied with is_type_unsigned() / oveflows_type() used in the 
code below will be sent back as a new version.

#include <stdio.h>
#include <limits.h>
#include <assert.h>

#define BITS_PER_BYTE           8
#define BITS_PER_TYPE(type)	(sizeof(type) * BITS_PER_BYTE)

#define is_type_unsigned(x) ((typeof(x))-1 >= (typeof(x))0)

#define overflows_type(x, T) \
	(is_type_unsigned(x) ? \
		is_type_unsigned(T) ? \
			(sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T)) ? 1 : 0 \
			: (sizeof(x) >= sizeof(T) && (x) >> (BITS_PER_TYPE(T) - 1)) ? 1 : 0 \
	: is_type_unsigned(T) ? \
		((x) < 0) ? 1 : (sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T)) ? 1 
: 0 \
		: (sizeof(x) > sizeof(T)) ? \
			((x) < 0) ? (((x) * -1) >> BITS_PER_TYPE(T)) ? 1 : 0\
				: ((x) >> BITS_PER_TYPE(T)) ? 1 : 0 \
			: 0)

typedef char s8;
typedef unsigned char u8;
typedef short s16;
typedef unsigned short u16;
typedef int s32;
typedef unsigned int u32;
typedef long long s64;
typedef unsigned long long u64;

int main(void) {
	/* test variable, test type */
	/* 1.  overflows_type(x, T) x: unsigned, T: unsigned */
	{
		u32 x = UINT_MAX;
		u16 T;
		/* expected overflow */
		assert(overflows_type(x, T));
		assert(overflows_type(x, u16));

		x = USHRT_MAX;
		/* expected not overflow */
		assert(!overflows_type(x, T));
		assert(!overflows_type(x, u16));
	}
	{
		u64 x = ULLONG_MAX;
		u8 T;
		/* expected overflow */
		assert(overflows_type(x, T));
		assert(overflows_type(x, u8));

		x = UCHAR_MAX;
		/* expected not overflow */
		assert(!overflows_type(x, T));
		assert(!overflows_type(x, u8));
	}
	{
		u8 x = UCHAR_MAX;
		u64 T;
		/* expected not overflow */
		assert(!overflows_type(x, T));
		assert(!overflows_type(x, u64));
	}

	/* 2.  overflows_type(x, T) x: unsigned, T: signed */
	{
		u32 x = UINT_MAX;
		s16 T;
		/* expected overflow */
		assert(overflows_type(x, T));
		assert(overflows_type(x, s16));

		x = SHRT_MAX;
		/* expected not overflow */
		assert(!overflows_type(x, T));
		assert(!overflows_type(x, s16));

		x = SHRT_MAX + 1;
		/* expected overflow */
		assert(overflows_type(x, T));
		assert(overflows_type(x, s16));
	}
	{
		u64 x = ULLONG_MAX;
		s8 T;
		/* expected overflow */
		assert(overflows_type(x, T));
		assert(overflows_type(x, s8));

		x = SCHAR_MAX;
		/* expected not overflow */
		assert(!overflows_type(x, T));
		assert(!overflows_type(x, s8));
	}
	{
		u8 x = UCHAR_MAX;
		s32 T;
		/* expected not overflow */
		assert(!overflows_type(x, T));
		assert(!overflows_type(x, s32));
	}

	/* 3.  overflows_type(x, T) x: signed, T: unsigned */
	{
		s32 x = INT_MAX;
		u16 T;
		/* expected overflow */
		assert(overflows_type(x, T));
		assert(overflows_type(x, u16));

		x = INT_MIN;
		/* expected underflow */
		assert(overflows_type(x, T));
		assert(overflows_type(x, u16));

		x = USHRT_MAX;
		/* expected not overflow */
		assert(!overflows_type(x, T));
		assert(!overflows_type(x, u16));
	}
	{
		s16 x = SHRT_MAX;
		u32 T;
		/* expected not overflow */
		assert(!overflows_type(x, T));
		assert(!overflows_type(x, u32));

		x = SHRT_MIN;
		/* expected underflow */
		assert(overflows_type(x, T));
		assert(overflows_type(x, u32));
	}
	{
		s32 x = INT_MAX;
		u32 T;
		/* expected not overflow */
		assert(!overflows_type(x, T));
		assert(!overflows_type(x, u32));

		x = INT_MIN;
		/* expected underflow */
		assert(overflows_type(x, T));
		assert(overflows_type(x, u32));
	}

	/* 4.  overflows_type(x, T) x: signed, T: signed */
	{
		s32 x = INT_MAX;
		s16 T;
		/* expected overflow */
		assert(overflows_type(x, T));
		assert(overflows_type(x, s16));

		x = INT_MIN;
		/* expected overflow */
		assert(overflows_type(x, T));
		assert(overflows_type(x, s16));


		x = SHRT_MAX;
		/* expected not overflow */
		assert(!overflows_type(x, T));
		assert(!overflows_type(x, s16));

		x = SHRT_MIN;
		/* expected not underflow */
		assert(!overflows_type(x, T));
		assert(!overflows_type(x, s16));
	}
	{
		s16 x = SHRT_MAX;
		s32 T;
		/* expected not overflow */
		assert(!overflows_type(x, T));
		assert(!overflows_type(x, s32));

		x = SHRT_MIN;
		/* expected not underflow */
		assert(!overflows_type(x, T));
		assert(!overflows_type(x, s32));
	}
	{
		s64 x = LLONG_MAX;
		s64 T;
		/* expected not overflow */
		assert(!overflows_type(x, T));
		assert(!overflows_type(x, s64));

		x = LLONG_MIN;
		/* expected not underflow */
		assert(!overflows_type(x, T));
		assert(!overflows_type(x, s64));
	}

	{
		u64 x = 123456;
		int *T;
		/* expected not overflow */
		assert(!overflows_type(x, T));
		assert(!overflows_type(x, int *));
	}
	return 0;
}



> ----
> 
> #include <stdio.h>
> #include <stdint.h>
> 
> // Kernel definitions from bits.h and bitops.h
> #define BITS_PER_BYTE              8
> #define BITS_PER_TYPE(type)      (sizeof(type) * BITS_PER_BYTE)
> 
> #define sign_matches(x, y) \
> 	(!((typeof(x))-1 >= 0) ^ ((typeof(y))-1 >= 0))
> 
> #define is_type_unsigned(x) ((typeof(x))-1 >= 0)
> #define is_type_signed(x) (!is_type_unsigned(x))
> 
> #define overflows_type(x, T)								 \
> 	(										 \
> 		(is_type_signed(x) && is_type_unsigned(T)) ||				 \
> 		(is_type_unsigned(x) && is_type_signed(T) && (sizeof(x) == sizeof(T))) ||\
> 		(sizeof(x) > sizeof(T))							 \
> 	) ? "OVERFLOW" : "don't overflow"
> 
> int main(void)
> {
> 	uint32_t	u32_1 = 0, u32_2 = 0;
> 	int32_t		s32_1 = 0, s32_2 = 0;
> 	uint64_t	u64_1 = 0, u64_2 = 0;
> 	int64_t		s64_1 = 0, s64_2 = 0;
> 
> 	printf("u32 stored into u32: %s\n", overflows_type(u32_1, u32_2));
> 	printf("u64 stored into u32: %s\n", overflows_type(u64_1, u32_2));
> 	printf("s32 stored into u32: %s\n", overflows_type(s32_1, u32_2));
> 	printf("s64 stored into u32: %s\n", overflows_type(s64_1, u32_2));
> 
> 	printf("u32 stored into s32: %s\n", overflows_type(u32_1, s32_2));
> 	printf("u64 stored into s32: %s\n", overflows_type(u64_1, s32_2));
> 	printf("s32 stored into s32: %s\n", overflows_type(s32_1, s32_2));
> 	printf("s64 stored into s32: %s\n", overflows_type(s64_1, s32_2));
> 
> 	printf("u32 stored into u64: %s\n", overflows_type(u32_1, u64_2));
> 	printf("u64 stored into u64: %s\n", overflows_type(u64_1, u64_2));
> 	printf("s32 stored into u64: %s\n", overflows_type(s32_1, u64_2));
> 	printf("s64 stored into u64: %s\n", overflows_type(s64_1, u64_2));
> 
> 	printf("u32 stored into s64: %s\n", overflows_type(u32_1, s64_2));
> 	printf("u64 stored into s64: %s\n", overflows_type(u64_1, s64_2));
> 	printf("s32 stored into u64: %s\n", overflows_type(s32_1, u64_2));
> 	printf("s64 stored into u64: %s\n", overflows_type(s64_1, u64_2));
> 
> 	// Shutup warnings
> 	s64_1 = u32_1 + u32_2 + s64_2 + s32_1 + s32_2 + u64_1 + u64_2;
> 
> 	return 0;
> }
>

diff --git a/drivers/gpu/drm/i915/i915_utils.h b/drivers/gpu/drm/i915/i915_utils.h
index c10d68cdc3ca..345e5b2dc1cd 100644
--- a/drivers/gpu/drm/i915/i915_utils.h
+++ b/drivers/gpu/drm/i915/i915_utils.h
@@ -32,6 +32,7 @@ 
 #include <linux/types.h>
 #include <linux/workqueue.h>
 #include <linux/sched/clock.h>
+#include <drm/drm_util.h>
 
 #ifdef CONFIG_X86
 #include <asm/hypervisor.h>
@@ -111,10 +112,6 @@  bool i915_error_injected(void);
 #define range_overflows_end_t(type, start, size, max) \
 	range_overflows_end((type)(start), (type)(size), (type)(max))
 
-/* Note we don't consider signbits :| */
-#define overflows_type(x, T) \
-	(sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
-
 #define ptr_mask_bits(ptr, n) ({					\
 	unsigned long __v = (unsigned long)(ptr);			\
 	(typeof(ptr))(__v & -BIT(n));					\
diff --git a/include/drm/drm_util.h b/include/drm/drm_util.h
index 79952d8c4bba..c56230e39e37 100644
--- a/include/drm/drm_util.h
+++ b/include/drm/drm_util.h
@@ -62,6 +62,60 @@ 
  */
 #define for_each_if(condition) if (!(condition)) {} else
 
+/**
+ * overflows_type - helper for checking the truncation between data types
+ * @x: Source for overflow type comparison
+ * @T: Destination for overflow type comparison
+ *
+ * It compares the values and size of each data type between the first and
+ * second argument to check whether truncation can occur when assigning the
+ * first argument to the variable of the second argument.
+ * It does't consider signbits.
+ *
+ * Returns:
+ * True if truncation can occur, false otherwise.
+ */
+#define overflows_type(x, T) \
+	(sizeof(x) > sizeof(T) && (x) >> BITS_PER_TYPE(T))
+
+/**
+ * exact_type - break compile if source type and destination value's type are
+ * not the same
+ * @T: Source type
+ * @n: Destination value
+ *
+ * It is a helper macro for a poor man's -Wconversion: only allow variables of
+ * an exact type. It determines whether the source type and destination value's
+ * type are the same while compiling, and it breaks compile if two types are
+ * not the same
+ */
+#define exact_type(T, n) \
+	BUILD_BUG_ON(!__builtin_constant_p(n) && !__builtin_types_compatible_p(T, typeof(n)))
+
+/**
+ * exactly_pgoff_t - helper to check if the type of a value is pgoff_t
+ * @n: value to compare pgoff_t type
+ *
+ * It breaks compile if the argument value's type is not pgoff_t type.
+ */
+#define exactly_pgoff_t(n) exact_type(pgoff_t, n)
+
+/*
+ * safe_conversion - perform a type conversion (cast) of an source value into
+ * a new variable, checking that the destination is large enough to hold the
+ * source value.
+ * @ptr: Destination pointer address
+ * @value: Source value
+ *
+ * Returns:
+ * If the value would overflow the destination, it returns false.
+ */
+#define safe_conversion(ptr, value) ({ \
+	typeof(value) __v = (value); \
+	typeof(ptr) __ptr = (ptr); \
+	overflows_type(__v, *__ptr) ? 0 : (*__ptr = (typeof(*__ptr))__v), 1; \
+})
+
 /**
  * drm_can_sleep - returns true if currently okay to sleep
  *
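Review bot: In the `safe_conversion` body the comma operator binds looser than `?:`, so `overflows_type(__v, *__ptr) ? 0 : (*__ptr = (typeof(*__ptr))__v), 1;` parses as `(cond ? 0 : assignment), 1` and the statement expression always evaluates to 1, even when the value would be truncated and no store is made; a caller that relies on a false return to reject an oversized value instead gets a success indication and continues with an unwritten destination. Parenthesize the success arm so the ternary yields the result: `overflows_type(__v, *__ptr) ? 0 : ((*__ptr = (typeof(*__ptr))__v), 1); \`. Two documentation nits in the same hunk: the `overflows_type` kernel-doc line `It does't consider signbits.` should read `It doesn't consider sign bits.`, and `safe_conversion`'s comment opens with `/*` rather than `/**`, so unlike its neighbours it will not be picked up as kernel-doc.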