From patchwork Sun Mar 10 02:05:06 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ian Rogers X-Patchwork-Id: 13587989 Received: from mail-yw1-f202.google.com (mail-yw1-f202.google.com [209.85.128.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 60FC238FAD for ; Sun, 10 Mar 2024 02:06:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1710036363; cv=none; b=qrZoYyTKoyxCwHPVKraqowcq4rn7lb6IPOh9+8rKJKXoeDo9TP+GUzwHWy8A/HgpMImGe+dtGUCL/0gThSM2cPKNc+ZN7VJYslFGJT8motijd5qSs5AcW2henefBvExNjqS2N+8SR3DLXSQPce/BDNI25lgyj8XRJefqA4u1hgM= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1710036363; c=relaxed/simple; bh=5SZh2mNEl5n+h2lF7KiTxzvDIwYjug3hRJqLAmoNhNQ=; h=Date:In-Reply-To:Message-Id:Mime-Version:References:Subject:From: To:Content-Type; b=EMvDNGZ4/kye+swt0HLbsAZqvZo60Lau9E5JiuCoVCuviRu9kpXFvXKJR5kfTaevGfBE5ICZzl/Uf1t3c2fMg6xkxvbFxwAUDOPr23IOYP7MND9+KAJ3XZb2Twf/XuKmF7w8mV6ei36MOuM41xXlUXERJomyWsHjG8NItYLZkCY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--irogers.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=Di6pDk6N; arc=none smtp.client-ip=209.85.128.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--irogers.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="Di6pDk6N" Received: by mail-yw1-f202.google.com with SMTP id 00721157ae682-60832a48684so51576057b3.1 for ; Sat, 09 Mar 2024 18:06:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1710036359; x=1710641159; darn=vger.kernel.org; h=to:from:subject:references:mime-version:message-id:in-reply-to:date :from:to:cc:subject:date:message-id:reply-to; bh=Hl1/umpZGVsczLzrKS1GZCeAFysDY04buU8ZoM+JBKw=; b=Di6pDk6NePavMF2yALztmcFiJt+x7tbKH41g7V7tmKXpI1KI8Xp6mAzitCxmfo9DcO 6raBeb+eQk7G9fIGxVMs/sYQblO2BRyfy90v+WkYhzFg1GGiizQv742FDU8EK+ZFwRwU vfGTaQ7N0pXROHAxr6tk9DokTsKmKfe1AQ8N86r+BqVYtjAC2Gtzli84MJerVNK2z188 EBaQWSa+L2Dp9j/wtYynGlH/igpaNvLsz7UviGOx9PDXXU3IblAnGvrUmlr7IYjXhR9O P91Fwx4+QnSkrZeNQIXzDa/cwZaDOYB/XdM/pdVfwu8y36kr+LbfT0iQGnEcKivrpxaw odaQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710036359; x=1710641159; h=to:from:subject:references:mime-version:message-id:in-reply-to:date :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Hl1/umpZGVsczLzrKS1GZCeAFysDY04buU8ZoM+JBKw=; b=fZVAp3nvcsohemBn8Y5Bb2VfQJKbHEvPR/Rbb826m6XLt1JHS639GM7pQqalPodg5R cq1GOIjzuyS8idltQSSETC8f/HiuA90TUW4V+mBlntrjFd+nEeYEuv0ObragDthF0whQ LxVMFE/QlcIo38zYv1o4M5UjGmWhW8JBqBQBLq8zH5rE3o/NmixRj4KIXtSq3nhwbYen V/0i+aVecFksDyGtpLyOjclEufyS2vVxc6dFjPovtqJkZolIW95ylTC0sNJOY1J2OUxm 577C1IovqX+tWL8p9qwa9rhXYnmFNMGF4vguq9KjnKaueMJYz6tmB/cfFneGjsHOMwLX V/Tw== X-Forwarded-Encrypted: i=1; AJvYcCVq4SdFPzESF5rVK1yuqQ4vsTKVxl5KLtrysn8knKD42uymeAF9pQZNigXNpmstlFz7LQwwihMIhUIrdcQo8QdHTvZ0 X-Gm-Message-State: AOJu0YzSD/Sg8d1HsdLc+r1y8y+kAUv7QaO9dKW0TRQ3EX4M3fv4nYja a9wJGNQLJItWitYvEqMNgSdK/FgbijDqW5hY/LDNOI+c8NnLiR1tXh1SBC1aQz2Ap/T1miubYUA 6F3XFvA== X-Google-Smtp-Source: AGHT+IFPbWB3/192KGdZtIg9F9X7CoqlPRJZXE+414zWtjFld4XzM0pldNt12CDgHpD/F24xaEQHAI0MEqre X-Received: from irogers.svl.corp.google.com ([2620:15c:2a3:200:a63d:1b65:e810:3ad3]) (user=irogers job=sendgmr) by 2002:a05:6902:1820:b0:dc2:5456:d9ac with SMTP id cf32-20020a056902182000b00dc25456d9acmr147760ybb.5.1710036359574; Sat, 09 Mar 2024 18:05:59 -0800 (PST) Date: Sat, 9 Mar 2024 18:05:06 -0800 In-Reply-To: <20240310020509.647319-1-irogers@google.com> Message-Id: <20240310020509.647319-12-irogers@google.com> Precedence: bulk X-Mailing-List: kvm@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20240310020509.647319-1-irogers@google.com> X-Mailer: git-send-email 2.44.0.278.ge034bb2e1d-goog Subject: [PATCH v1 11/13] tools headers: Sync linux/overflow.h From: Ian Rogers To: Arnd Bergmann , Andrii Nakryiko , Alexei Starovoitov , Daniel Borkmann , Martin KaFai Lau , Song Liu , Yonghong Song , John Fastabend , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , Peter Zijlstra , Ingo Molnar , Arnaldo Carvalho de Melo , Namhyung Kim , Mark Rutland , Alexander Shishkin , Ian Rogers , Adrian Hunter , Paolo Bonzini , Shuah Khan , Kees Cook , "Gustavo A. R. Silva" , Nathan Chancellor , Nick Desaulniers , Bill Wendling , Justin Stitt , Andrew Morton , Liam Howlett , Miguel Ojeda , Will Deacon , Mark Brown , David Laight , "Michael S. Tsirkin" , Shunsuke Mie , Yafang Shao , Kui-Feng Lee , James Clark , Nick Forrington , Leo Yan , German Gomez , Rob Herring , John Garry , Sean Christopherson , Anup Patel , Fuad Tabba , Andrew Jones , Chao Peng , Haibo Xu , Peter Xu , Vishal Annapurve , linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, bpf@vger.kernel.org, linux-perf-users@vger.kernel.org, kvm@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-hardening@vger.kernel.org, llvm@lists.linux.dev Bring in the changes: 26dd68d293fd overflow: add DEFINE_FLEX() for on-stack allocs d67790ddf021 overflow: Add struct_size_t() helper 4b21d25bf519 overflow: Introduce overflows_type() and castable_to_type() 31970608a6d3 overflow: Fix kern-doc markup for functions d219d2a9a92e overflow: Allow mixed type arguments 92d23c6e9415 overflow, tracing: Define the is_signed_type() macro once 230f6fa2c1db overflow: Provide constant expression struct_size e1be43d9b5d0 overflow: Implement size_t saturating arithmetic helpers Add file to check-headers.sh, so there is a warning if the tools version of the file drifts from the kernel's version. Signed-off-by: Ian Rogers --- tools/include/linux/overflow.h | 331 ++++++++++++++++++++++++++------- tools/perf/check-headers.sh | 1 + 2 files changed, 268 insertions(+), 64 deletions(-) diff --git a/tools/include/linux/overflow.h b/tools/include/linux/overflow.h index dcb0c1bf6866..7b5cf4a5cd19 100644 --- a/tools/include/linux/overflow.h +++ b/tools/include/linux/overflow.h @@ -3,6 +3,8 @@ #define __LINUX_OVERFLOW_H #include +#include +#include /* * We need to compute the minimum and maximum values representable in a given @@ -28,117 +30,318 @@ * https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html - * credit to Christian Biere. */ -#define is_signed_type(type) (((type)(-1)) < (type)1) #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type))) #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T))) #define type_min(T) ((T)((T)-type_max(T)-(T)1)) /* - * For simplicity and code hygiene, the fallback code below insists on - * a, b and *d having the same type (similar to the min() and max() - * macros), whereas gcc's type-generic overflow checkers accept - * different types. Hence we don't just make check_add_overflow an - * alias for __builtin_add_overflow, but add type checks similar to - * below. - */ -#define check_add_overflow(a, b, d) ({ \ - typeof(a) __a = (a); \ - typeof(b) __b = (b); \ - typeof(d) __d = (d); \ - (void) (&__a == &__b); \ - (void) (&__a == __d); \ - __builtin_add_overflow(__a, __b, __d); \ -}) + * Avoids triggering -Wtype-limits compilation warning, + * while using unsigned data types to check a < 0. + */ +#define is_non_negative(a) ((a) > 0 || (a) == 0) +#define is_negative(a) (!(is_non_negative(a))) -#define check_sub_overflow(a, b, d) ({ \ - typeof(a) __a = (a); \ - typeof(b) __b = (b); \ - typeof(d) __d = (d); \ - (void) (&__a == &__b); \ - (void) (&__a == __d); \ - __builtin_sub_overflow(__a, __b, __d); \ -}) +/* + * Allows for effectively applying __must_check to a macro so we can have + * both the type-agnostic benefits of the macros while also being able to + * enforce that the return value is, in fact, checked. + */ +static inline bool __must_check __must_check_overflow(bool overflow) +{ + return unlikely(overflow); +} + +/** + * check_add_overflow() - Calculate addition with overflow checking + * @a: first addend + * @b: second addend + * @d: pointer to store sum + * + * Returns 0 on success. + * + * *@d holds the results of the attempted addition, but is not considered + * "safe for use" on a non-zero return value, which indicates that the + * sum has overflowed or been truncated. + */ +#define check_add_overflow(a, b, d) \ + __must_check_overflow(__builtin_add_overflow(a, b, d)) + +/** + * check_sub_overflow() - Calculate subtraction with overflow checking + * @a: minuend; value to subtract from + * @b: subtrahend; value to subtract from @a + * @d: pointer to store difference + * + * Returns 0 on success. + * + * *@d holds the results of the attempted subtraction, but is not considered + * "safe for use" on a non-zero return value, which indicates that the + * difference has underflowed or been truncated. + */ +#define check_sub_overflow(a, b, d) \ + __must_check_overflow(__builtin_sub_overflow(a, b, d)) + +/** + * check_mul_overflow() - Calculate multiplication with overflow checking + * @a: first factor + * @b: second factor + * @d: pointer to store product + * + * Returns 0 on success. + * + * *@d holds the results of the attempted multiplication, but is not + * considered "safe for use" on a non-zero return value, which indicates + * that the product has overflowed or been truncated. + */ +#define check_mul_overflow(a, b, d) \ + __must_check_overflow(__builtin_mul_overflow(a, b, d)) + +/** + * check_shl_overflow() - Calculate a left-shifted value and check overflow + * @a: Value to be shifted + * @s: How many bits left to shift + * @d: Pointer to where to store the result + * + * Computes *@d = (@a << @s) + * + * Returns true if '*@d' cannot hold the result or when '@a << @s' doesn't + * make sense. Example conditions: + * + * - '@a << @s' causes bits to be lost when stored in *@d. + * - '@s' is garbage (e.g. negative) or so large that the result of + * '@a << @s' is guaranteed to be 0. + * - '@a' is negative. + * - '@a << @s' sets the sign bit, if any, in '*@d'. + * + * '*@d' will hold the results of the attempted shift, but is not + * considered "safe for use" if true is returned. + */ +#define check_shl_overflow(a, s, d) __must_check_overflow(({ \ + typeof(a) _a = a; \ + typeof(s) _s = s; \ + typeof(d) _d = d; \ + u64 _a_full = _a; \ + unsigned int _to_shift = \ + is_non_negative(_s) && _s < 8 * sizeof(*d) ? _s : 0; \ + *_d = (_a_full << _to_shift); \ + (_to_shift != _s || is_negative(*_d) || is_negative(_a) || \ + (*_d >> _to_shift) != _a); \ +})) -#define check_mul_overflow(a, b, d) ({ \ - typeof(a) __a = (a); \ - typeof(b) __b = (b); \ - typeof(d) __d = (d); \ - (void) (&__a == &__b); \ - (void) (&__a == __d); \ - __builtin_mul_overflow(__a, __b, __d); \ +#define __overflows_type_constexpr(x, T) ( \ + is_unsigned_type(typeof(x)) ? \ + (x) > type_max(typeof(T)) : \ + is_unsigned_type(typeof(T)) ? \ + (x) < 0 || (x) > type_max(typeof(T)) : \ + (x) < type_min(typeof(T)) || (x) > type_max(typeof(T))) + +#define __overflows_type(x, T) ({ \ + typeof(T) v = 0; \ + check_add_overflow((x), v, &v); \ }) /** - * array_size() - Calculate size of 2-dimensional array. + * overflows_type - helper for checking the overflows between value, variables, + * or data type * - * @a: dimension one - * @b: dimension two + * @n: source constant value or variable to be checked + * @T: destination variable or data type proposed to store @x * - * Calculates size of 2-dimensional array: @a * @b. + * Compares the @x expression for whether or not it can safely fit in + * the storage of the type in @T. @x and @T can have different types. + * If @x is a constant expression, this will also resolve to a constant + * expression. * - * Returns: number of bytes needed to represent the array or SIZE_MAX on - * overflow. + * Returns: true if overflow can occur, false otherwise. + */ +#define overflows_type(n, T) \ + __builtin_choose_expr(__is_constexpr(n), \ + __overflows_type_constexpr(n, T), \ + __overflows_type(n, T)) + +/** + * castable_to_type - like __same_type(), but also allows for casted literals + * + * @n: variable or constant value + * @T: variable or data type + * + * Unlike the __same_type() macro, this allows a constant value as the + * first argument. If this value would not overflow into an assignment + * of the second argument's type, it returns true. Otherwise, this falls + * back to __same_type(). */ -static inline __must_check size_t array_size(size_t a, size_t b) +#define castable_to_type(n, T) \ + __builtin_choose_expr(__is_constexpr(n), \ + !__overflows_type_constexpr(n, T), \ + __same_type(n, T)) + +/** + * size_mul() - Calculate size_t multiplication with saturation at SIZE_MAX + * @factor1: first factor + * @factor2: second factor + * + * Returns: calculate @factor1 * @factor2, both promoted to size_t, + * with any overflow causing the return value to be SIZE_MAX. The + * lvalue must be size_t to avoid implicit type conversion. + */ +static inline size_t __must_check size_mul(size_t factor1, size_t factor2) { size_t bytes; - if (check_mul_overflow(a, b, &bytes)) + if (check_mul_overflow(factor1, factor2, &bytes)) return SIZE_MAX; return bytes; } /** - * array3_size() - Calculate size of 3-dimensional array. + * size_add() - Calculate size_t addition with saturation at SIZE_MAX + * @addend1: first addend + * @addend2: second addend * - * @a: dimension one - * @b: dimension two - * @c: dimension three - * - * Calculates size of 3-dimensional array: @a * @b * @c. - * - * Returns: number of bytes needed to represent the array or SIZE_MAX on - * overflow. + * Returns: calculate @addend1 + @addend2, both promoted to size_t, + * with any overflow causing the return value to be SIZE_MAX. The + * lvalue must be size_t to avoid implicit type conversion. */ -static inline __must_check size_t array3_size(size_t a, size_t b, size_t c) +static inline size_t __must_check size_add(size_t addend1, size_t addend2) { size_t bytes; - if (check_mul_overflow(a, b, &bytes)) - return SIZE_MAX; - if (check_mul_overflow(bytes, c, &bytes)) + if (check_add_overflow(addend1, addend2, &bytes)) return SIZE_MAX; return bytes; } -static inline __must_check size_t __ab_c_size(size_t n, size_t size, size_t c) +/** + * size_sub() - Calculate size_t subtraction with saturation at SIZE_MAX + * @minuend: value to subtract from + * @subtrahend: value to subtract from @minuend + * + * Returns: calculate @minuend - @subtrahend, both promoted to size_t, + * with any overflow causing the return value to be SIZE_MAX. For + * composition with the size_add() and size_mul() helpers, neither + * argument may be SIZE_MAX (or the result with be forced to SIZE_MAX). + * The lvalue must be size_t to avoid implicit type conversion. + */ +static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend) { size_t bytes; - if (check_mul_overflow(n, size, &bytes)) - return SIZE_MAX; - if (check_add_overflow(bytes, c, &bytes)) + if (minuend == SIZE_MAX || subtrahend == SIZE_MAX || + check_sub_overflow(minuend, subtrahend, &bytes)) return SIZE_MAX; return bytes; } /** - * struct_size() - Calculate size of structure with trailing array. + * array_size() - Calculate size of 2-dimensional array. + * @a: dimension one + * @b: dimension two + * + * Calculates size of 2-dimensional array: @a * @b. + * + * Returns: number of bytes needed to represent the array or SIZE_MAX on + * overflow. + */ +#define array_size(a, b) size_mul(a, b) + +/** + * array3_size() - Calculate size of 3-dimensional array. + * @a: dimension one + * @b: dimension two + * @c: dimension three + * + * Calculates size of 3-dimensional array: @a * @b * @c. + * + * Returns: number of bytes needed to represent the array or SIZE_MAX on + * overflow. + */ +#define array3_size(a, b, c) size_mul(size_mul(a, b), c) + +/** + * flex_array_size() - Calculate size of a flexible array member + * within an enclosing structure. * @p: Pointer to the structure. + * @member: Name of the flexible array member. + * @count: Number of elements in the array. + * + * Calculates size of a flexible array of @count number of @member + * elements, at the end of structure @p. + * + * Return: number of bytes needed or SIZE_MAX on overflow. + */ +#define flex_array_size(p, member, count) \ + __builtin_choose_expr(__is_constexpr(count), \ + (count) * sizeof(*(p)->member) + __must_be_array((p)->member), \ + size_mul(count, sizeof(*(p)->member) + __must_be_array((p)->member))) + +/** + * struct_size() - Calculate size of structure with trailing flexible array. + * @p: Pointer to the structure. + * @member: Name of the array member. + * @count: Number of elements in the array. + * + * Calculates size of memory needed for structure of @p followed by an + * array of @count number of @member elements. + * + * Return: number of bytes needed or SIZE_MAX on overflow. + */ +#define struct_size(p, member, count) \ + __builtin_choose_expr(__is_constexpr(count), \ + sizeof(*(p)) + flex_array_size(p, member, count), \ + size_add(sizeof(*(p)), flex_array_size(p, member, count))) + +/** + * struct_size_t() - Calculate size of structure with trailing flexible array + * @type: structure type name. * @member: Name of the array member. - * @n: Number of elements in the array. + * @count: Number of elements in the array. * - * Calculates size of memory needed for structure @p followed by an - * array of @n @member elements. + * Calculates size of memory needed for structure @type followed by an + * array of @count number of @member elements. Prefer using struct_size() + * when possible instead, to keep calculations associated with a specific + * instance variable of type @type. * * Return: number of bytes needed or SIZE_MAX on overflow. */ -#define struct_size(p, member, n) \ - __ab_c_size(n, \ - sizeof(*(p)->member) + __must_be_array((p)->member),\ - sizeof(*(p))) +#define struct_size_t(type, member, count) \ + struct_size((type *)NULL, member, count) + +/** + * _DEFINE_FLEX() - helper macro for DEFINE_FLEX() family. + * Enables caller macro to pass (different) initializer. + * + * @type: structure type name, including "struct" keyword. + * @name: Name for a variable to define. + * @member: Name of the array member. + * @count: Number of elements in the array; must be compile-time const. + * @initializer: initializer expression (could be empty for no init). + */ +#define _DEFINE_FLEX(type, name, member, count, initializer) \ + _Static_assert(__builtin_constant_p(count), \ + "onstack flex array members require compile-time const count"); \ + union { \ + u8 bytes[struct_size_t(type, member, count)]; \ + type obj; \ + } name##_u initializer; \ + type *name = (type *)&name##_u + +/** + * DEFINE_FLEX() - Define an on-stack instance of structure with a trailing + * flexible array member. + * + * @type: structure type name, including "struct" keyword. + * @name: Name for a variable to define. + * @member: Name of the array member. + * @count: Number of elements in the array; must be compile-time const. + * + * Define a zeroed, on-stack, instance of @type structure with a trailing + * flexible array member. + * Use __struct_size(@name) to get compile-time size of it afterwards. + */ +#define DEFINE_FLEX(type, name, member, count) \ + _DEFINE_FLEX(type, name, member, count, = {}) #endif /* __LINUX_OVERFLOW_H */ diff --git a/tools/perf/check-headers.sh b/tools/perf/check-headers.sh index 64dbf199dff9..272a37d8e1c4 100755 --- a/tools/perf/check-headers.sh +++ b/tools/perf/check-headers.sh @@ -35,6 +35,7 @@ FILES=( "include/vdso/const.h" "include/linux/hash.h" "include/linux/list-sort.h" + "include/linux/overflow.h" "include/uapi/linux/hw_breakpoint.h" "arch/x86/include/asm/disabled-features.h" "arch/x86/include/asm/required-features.h"