lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CADEbmW0BZbJQbaycqq+vfisEJyGd57uzEgFEckusGLJSLvmYDA@mail.gmail.com>
Date: Tue, 21 May 2024 16:44:33 +0200
From: Michal Schmidt <mschmidt@...hat.com>
To: Alex Elder <elder@...aro.org>
Cc: Yury Norov <yury.norov@...il.com>, Rasmus Villemoes <linux@...musvillemoes.dk>, 
	linux-kernel@...r.kernel.org, Jakub Kicinski <kuba@...nel.org>, 
	"David S. Miller" <davem@...emloft.net>
Subject: Re: [PATCH] bitfield.h: add FIELD_MAX_CONST

On Tue, May 21, 2024 at 2:33 PM Alex Elder <elder@...aro.org> wrote:
> On 5/20/24 2:29 PM, Yury Norov wrote:
> > + Alex Elder <elder@...aro.org>, Jakub Kicinski <kuba@...nel.org> and
> > David S. Miller <davem@...emloft.net>
>
> Thanks for adding me to this.
>
> My bottom line response is that I don't understand exactly
> what problem this is solving (but I trust it solves a
> problem for you).  It *seems* like the existing macro(s)
> should work for you, and if they don't, you might not be
> using it (them) correctly.  And... if a fix is needed, it
> should be made to the existing macro if possible.

Yury, Jakub, Alex,
thanks for your reviews so far.

All of you want to avoid adding another macro. I agree and I will be back
with v2.

To clarify where exactly I ran into the current limitations of FIELD_MAX:
I am reworking drivers/net/ethernet/intel/ice/ice_gnss.c:ice_gnss_read().
There, I will be changing "buf" to a small on-stack array:
  char buf[ICE_MAX_I2C_DATA_SIZE];
where ICE_MAX_I2C_DATA_SIZE is defined using FIELD_MAX.

There are a few more issues. I extracted them into this test case that
I would like to make compilable:
=======================================================
#define TEST_REG_1 GENMASK(3,0)
#define TEST_MAX_1 FIELD_MAX(TEST_REG_1)

#define TEST_REG_2 GENMASK(BITS_PER_LONG - 1, BITS_PER_LONG - 2)
#define TEST_MAX_2 FIELD_MAX(TEST_REG_2)

/* Using FIELD_MAX inside a static_assert yields:
 *   error: braced-group within expression allowed only inside a function
 */
static_assert(TEST_MAX_1 == 15);

/* Even after the above is solved, using a mask that has the highest bit set
 * will expose another issue:
 *   error: bit-field ‘<anonymous>’ width not an integer constant
 * This one *might* be a gcc bug triggered by -fsanitize=shift.
 * It does not appear with clang.
 * Defining __bf_shf as __builtin_ctzll(x) instead of __builtin_ffsll(x)-1 can
 * work around it, apparently.
 */
static_assert(TEST_MAX_2 == 3);

int test_field_max_array(void);
int test_field_max_array(void)
{
        /* Using FIELD_MAX for sizing a local array yields:
         *   error: ISO C90 forbids variable length array ‘buf’ [-Werror=vla]
         */
        char buf[TEST_MAX_1];

        /* This line compiles OK in the current implementation and must keep
         * working.
         */
        WARN_ON(TEST_MAX_2 > 3);

        return sizeof(buf);
}
=======================================================


> > On Wed, May 15, 2024 at 07:27:31PM +0200, Michal Schmidt wrote:
> >> FIELD_MAX_CONST is like FIELD_MAX, but it can be used where statement
> >> expressions are forbidden. For example, using FIELD_MAX in a
> >> static_assert gives:
> >>    error: braced-group within expression allowed only inside a function
>
> So you want to use FIELD_MAX() in the outer scope in a file,
> not within a function?  And the way it's currently defined
> doesn't permit that?

Right. Although, I don't *really* need to use it in outer scope.
It would be just nice to have. I just need the next thing:

> >> It can be used also in array declarations, where using FIELD_MAX would
> >> trigger a warning :
> >>    warning: ISO C90 forbids variable length array ‘buf’ [-Wvla]
>
> Are you passing a constant to FIELD_MAX() when computing the
> array size?  If so, I don't understand this warning.

Yes, the array is an automatic variable and its size is calculated with
FIELD_MAX from a constant GENMASK. Indeed, the warning is surprising.

> >> (It's a bit surprising, because despite the warning, gcc calculated
> >> the array size correctly at compile time.)
> >>
> >> A simplified example of what I actually want to use in a driver:
> >>    #define DATA_SIZE_M GENMASK(3, 0)
> >>    #define MAX_DATA_SIZE FIELD_MAX_CONST(DATA_SIZE_M)
>
> FIELD_MAX() returns the maximum representable value, not the
> number of possible values.
>
> >>    static void f(void) {
> >>      char buf[MAX_DATA_SIZE];
> >>      /* ... */
> >>    }
> >>
> >> In the implementation, reuse the existing compile-time checks from
> >> FIELD_PREP_CONST.
> >>
> >> Signed-off-by: Michal Schmidt <mschmidt@...hat.com>
> >
> > Hi Michal,
> >
> > So... FIELD_MAX() already requires the _mask to be a const value.
> > Now you add a FIELD_MAX_CONST(), which makes it more confusing.
>
> Yes, it's not clear when you would use one rather than the other.
> I think a better fix is to fix the existing FIELD_MAX() (and
> field_max(), defined later in that file).
>
> > It looks like your new _CONST() macro would work anywhere where the
> > existing FIELD_MAX() works. At least for me, if I apply your patch
> > and do:
> >
> >          #define FIELD_MAX FIELD_MAX_CONST
> >
> > The implementation of the 'const' version looks the same as the
> > 'variable' one, except for that sanity checking business.
> >
> > I think the right path to go would be making the __BF_FIELD_CHECK()
> > a structure initializers friendly by using the BUILD_BUG_ON_ZERO(),
> > just like you did with the __BF_FIELD_CHECK_CONST(), so that the
> > FIELD_MAX() would work in all cases.
>
> I haven't investigated this much further, but yes, I agree that
> you should fix what's there to work the way you like if possible,
> while preserving all guarantees provided before.
>
> Still, I'll provide some comments on the patch below.
>
> > Thanks,
> > Yury
> >
> >> ---
> >>   include/linux/bitfield.h | 34 +++++++++++++++++++++++++++-------
> >>   1 file changed, 27 insertions(+), 7 deletions(-)
> >>
> >> diff --git a/include/linux/bitfield.h b/include/linux/bitfield.h
> >> index 63928f173223..50bbab317319 100644
> >> --- a/include/linux/bitfield.h
> >> +++ b/include/linux/bitfield.h
> >> @@ -76,6 +76,16 @@
> >>                                            (1ULL << __bf_shf(_mask))); \
> >>      })
> >>
> >> +#define __BF_FIELD_CHECK_CONST(_mask, _val)                         \
> >> +    (                                                               \
> >> +            /* mask must be non-zero */                             \
> >> +            BUILD_BUG_ON_ZERO((_mask) == 0) +                       \
>
> This ^^^ implements the opposite of what the comment says.  Use:
>                 BUILD_BUG_ON_ZERO(_mask);

No, I think you're misunderstanding what BUILD_BUG_ON_ZERO does.
It does not mean "BUG if the argument is zero".
It means "BUG if the argument is true. Otherwise, the value is 0."

> Also, why are you adding?  The way this macro is defined, it
> really should return Boolean, but you're returning an integer
> sum.
>
> >> +            /* check if value fits */                               \
> >> +            BUILD_BUG_ON_ZERO(~((_mask) >> __bf_shf(_mask)) & (_val)) + \
> >> +            /* check if mask is contiguous */                       \
> >> +            __BF_CHECK_POW2((_mask) + (1ULL << __bf_shf(_mask)))    \
>
> I don't really see why __BUILD_BUG_ON_NOT_POWER_OF_2() isn't used
> here (and in FIELD_PREP_CONST() for that matter--other than line
> length).
>
> Each of the above checks can stand alone, and if they all pass,
> you can simply return true (or return the result of the last
> check, but I really think they should be treated as void type).

Note that I did not come up with the addition pattern. I just moved it
from FIELD_PREP_CONST. Its purpose is to avoid using a statement expression,
because that has certains limitations on where it can be used.

> >> +    )
> >> +
> >>   /**
> >>    * FIELD_MAX() - produce the maximum value representable by a field
> >>    * @_mask: shifted mask defining the field's length and position
> >> @@ -89,6 +99,22 @@
> >>              (typeof(_mask))((_mask) >> __bf_shf(_mask));            \
> >>      })
> >>
> >> +/**
> >> + * FIELD_MAX_CONST() - produce the maximum value representable by a field
> >> + * @_mask: shifted mask defining the field's length and position
> >> + *
> >> + * FIELD_MAX_CONST() returns the maximum value that can be held in
> >> + * the field specified by @_mask.
>
> I don't think this part of the description adds much; it
> basically restates what the one-liner does.

Right.
Anyway, v2 won't add the new macro.

Thanks!
Michal

>                                         -Alex
>
> >> + *
> >> + * Unlike FIELD_MAX(), it can be used where statement expressions can't.
> >> + * Error checking is less comfortable for this version.
> >> + */
> >> +#define FIELD_MAX_CONST(_mask)                                              \
> >> +    (                                                               \
> >> +            __BF_FIELD_CHECK_CONST(_mask, 0ULL) +                   \
> >> +            (typeof(_mask))((_mask) >> __bf_shf(_mask))             \
> >> +    )
> >> +
> >>   /**
> >>    * FIELD_FIT() - check if value fits in the field
> >>    * @_mask: shifted mask defining the field's length and position
> >> @@ -132,13 +158,7 @@
> >>    */
> >>   #define FIELD_PREP_CONST(_mask, _val)                                      \
> >>      (                                                               \
> >> -            /* mask must be non-zero */                             \
> >> -            BUILD_BUG_ON_ZERO((_mask) == 0) +                       \
> >> -            /* check if value fits */                               \
> >> -            BUILD_BUG_ON_ZERO(~((_mask) >> __bf_shf(_mask)) & (_val)) + \
> >> -            /* check if mask is contiguous */                       \
> >> -            __BF_CHECK_POW2((_mask) + (1ULL << __bf_shf(_mask))) +  \
> >> -            /* and create the value */                              \
> >> +            __BF_FIELD_CHECK_CONST(_mask, _val) +                   \
> >>              (((typeof(_mask))(_val) << __bf_shf(_mask)) & (_mask))  \
> >>      )
> >>
> >> --
> >> 2.44.0
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ