lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250919101727.16152-20-farbere@amazon.com>
Date: Fri, 19 Sep 2025 10:17:19 +0000
From: Eliav Farber <farbere@...zon.com>
To: <linux@...linux.org.uk>, <jdike@...toit.com>, <richard@....at>,
	<anton.ivanov@...bridgegreys.com>, <dave.hansen@...ux.intel.com>,
	<luto@...nel.org>, <peterz@...radead.org>, <tglx@...utronix.de>,
	<mingo@...hat.com>, <bp@...en8.de>, <x86@...nel.org>, <hpa@...or.com>,
	<tony.luck@...el.com>, <qiuxu.zhuo@...el.com>, <mchehab@...nel.org>,
	<james.morse@....com>, <rric@...nel.org>, <harry.wentland@....com>,
	<sunpeng.li@....com>, <alexander.deucher@....com>,
	<christian.koenig@....com>, <airlied@...ux.ie>, <daniel@...ll.ch>,
	<evan.quan@....com>, <james.qian.wang@....com>, <liviu.dudau@....com>,
	<mihail.atanassov@....com>, <brian.starkey@....com>,
	<maarten.lankhorst@...ux.intel.com>, <mripard@...nel.org>,
	<tzimmermann@...e.de>, <robdclark@...il.com>, <sean@...rly.run>,
	<jdelvare@...e.com>, <linux@...ck-us.net>, <fery@...ress.com>,
	<dmitry.torokhov@...il.com>, <agk@...hat.com>, <snitzer@...hat.com>,
	<dm-devel@...hat.com>, <rajur@...lsio.com>, <davem@...emloft.net>,
	<kuba@...nel.org>, <peppe.cavallaro@...com>, <alexandre.torgue@...com>,
	<joabreu@...opsys.com>, <mcoquelin.stm32@...il.com>, <malattia@...ux.it>,
	<hdegoede@...hat.com>, <mgross@...ux.intel.com>, <intel-linux-scu@...el.com>,
	<artur.paszkiewicz@...el.com>, <jejb@...ux.ibm.com>,
	<martin.petersen@...cle.com>, <sakari.ailus@...ux.intel.com>,
	<gregkh@...uxfoundation.org>, <clm@...com>, <josef@...icpanda.com>,
	<dsterba@...e.com>, <jack@...e.com>, <tytso@....edu>,
	<adilger.kernel@...ger.ca>, <dushistov@...l.ru>,
	<luc.vanoostenryck@...il.com>, <rostedt@...dmis.org>, <pmladek@...e.com>,
	<sergey.senozhatsky@...il.com>, <andriy.shevchenko@...ux.intel.com>,
	<linux@...musvillemoes.dk>, <minchan@...nel.org>, <ngupta@...are.org>,
	<akpm@...ux-foundation.org>, <kuznet@....inr.ac.ru>,
	<yoshfuji@...ux-ipv6.org>, <pablo@...filter.org>, <kadlec@...filter.org>,
	<fw@...len.de>, <jmaloy@...hat.com>, <ying.xue@...driver.com>,
	<willy@...radead.org>, <farbere@...zon.com>, <sashal@...nel.org>,
	<ruanjinjie@...wei.com>, <David.Laight@...LAB.COM>,
	<herve.codina@...tlin.com>, <Jason@...c4.com>, <bvanassche@....org>,
	<keescook@...omium.org>, <linux-arm-kernel@...ts.infradead.org>,
	<linux-kernel@...r.kernel.org>, <linux-um@...ts.infradead.org>,
	<linux-edac@...r.kernel.org>, <amd-gfx@...ts.freedesktop.org>,
	<dri-devel@...ts.freedesktop.org>, <linux-arm-msm@...r.kernel.org>,
	<freedreno@...ts.freedesktop.org>, <linux-hwmon@...r.kernel.org>,
	<linux-input@...r.kernel.org>, <linux-media@...r.kernel.org>,
	<netdev@...r.kernel.org>, <linux-stm32@...md-mailman.stormreply.com>,
	<platform-driver-x86@...r.kernel.org>, <linux-scsi@...r.kernel.org>,
	<linux-staging@...ts.linux.dev>, <linux-btrfs@...r.kernel.org>,
	<linux-ext4@...r.kernel.org>, <linux-sparse@...r.kernel.org>,
	<linux-mm@...ck.org>, <netfilter-devel@...r.kernel.org>,
	<coreteam@...filter.org>, <tipc-discussion@...ts.sourceforge.net>,
	<stable@...r.kernel.org>
CC: <jonnyc@...zon.com>, Linus Torvalds <torvalds@...ux-foundation.org>, "Arnd
 Bergmann" <arnd@...nel.org>, David Laight <David.Laight@...lab.com>, "Lorenzo
 Stoakes" <lorenzo.stoakes@...cle.com>
Subject: [PATCH 19/27 5.10.y] minmax: improve macro expansion and type checking

From: Linus Torvalds <torvalds@...ux-foundation.org>

[ Upstream commit 22f5468731491e53356ba7c028f0fdea20b18e2c ]

This clarifies the rules for min()/max()/clamp() type checking and makes
them a much more efficient macro expansion.

In particular, we now look at the type and range of the inputs to see
whether they work together, generating a mask of acceptable comparisons,
and then just verifying that the inputs have a shared case:

 - an expression with a signed type can be used for
    (1) signed comparisons
    (2) unsigned comparisons if it is statically known to have a
        non-negative value

 - an expression with an unsigned type can be used for
    (3) unsigned comparison
    (4) signed comparisons if the type is smaller than 'int' and thus
        the C integer promotion rules will make it signed anyway

Here rule (1) and (3) are obvious, and rule (2) is important in order to
allow obvious trivial constants to be used together with unsigned
values.

Rule (4) is not necessarily a good idea, but matches what we used to do,
and we have extant cases of this situation in the kernel.  Notably with
bcachefs having an expression like

	min(bch2_bucket_sectors_dirty(a), ca->mi.bucket_size)

where bch2_bucket_sectors_dirty() returns an 's64', and
'ca->mi.bucket_size' is of type 'u16'.

Technically that bcachefs comparison is clearly sensible on a C type
level, because the 'u16' will go through the normal C integer promotion,
and become 'int', and then we're comparing two signed values and
everything looks sane.

However, it's not entirely clear that a 'min(s64,u16)' operation makes a
lot of conceptual sense, and it's possible that we will remove rule (4).
After all, the _reason_ we have these complicated type checks is exactly
that the C type promotion rules are not very intuitive.

But at least for now the rule is in place for backwards compatibility.

Also note that rule (2) existed before, but is hugely relaxed by this
commit.  It used to be true only for the simplest compile-time
non-negative integer constants.  The new macro model will allow cases
where the compiler can trivially see that an expression is non-negative
even if it isn't necessarily a constant.

For example, the amdgpu driver does

	min_t(size_t, sizeof(fru_info->serial), pia[addr] & 0x3F));

because our old 'min()' macro would see that 'pia[addr] & 0x3F' is of
type 'int' and clearly not a C constant expression, so doing a 'min()'
with a 'size_t' is a signedness violation.

Our new 'min()' macro still sees that 'pia[addr] & 0x3F' is of type
'int', but is smart enough to also see that it is clearly non-negative,
and thus would allow that case without any complaints.

Cc: Arnd Bergmann <arnd@...nel.org>
Cc: David Laight <David.Laight@...lab.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes@...cle.com>
Signed-off-by: Linus Torvalds <torvalds@...ux-foundation.org>
Signed-off-by: Eliav Farber <farbere@...zon.com>
---
 include/linux/compiler.h |  9 +++++
 include/linux/minmax.h   | 74 ++++++++++++++++++++++++++++++++--------
 2 files changed, 68 insertions(+), 15 deletions(-)

diff --git a/include/linux/compiler.h b/include/linux/compiler.h
index 004a030d5ad2..28b21e372751 100644
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -251,6 +251,15 @@ static inline void *offset_to_ptr(const int *off)
  */
 #define is_signed_type(type) (((type)(-1)) < (__force type)1)
 
+/*
+ * Useful shorthand for "is this condition known at compile-time?"
+ *
+ * Note that the condition may involve non-constant values,
+ * but the compiler may know enough about the details of the
+ * values to determine that the condition is statically true.
+ */
+#define statically_true(x) (__builtin_constant_p(x) && (x))
+
 /*
  * This is needed in functions which generate the stack canary, see
  * arch/x86/kernel/smpboot.c::start_secondary() for an example.
diff --git a/include/linux/minmax.h b/include/linux/minmax.h
index e3e4353df983..41da6f85a407 100644
--- a/include/linux/minmax.h
+++ b/include/linux/minmax.h
@@ -26,19 +26,63 @@
 #define __typecheck(x, y) \
 	(!!(sizeof((typeof(x) *)1 == (typeof(y) *)1)))
 
-/* is_signed_type() isn't a constexpr for pointer types */
-#define __is_signed(x) 								\
-	__builtin_choose_expr(__is_constexpr(is_signed_type(typeof(x))),	\
-		is_signed_type(typeof(x)), 0)
+/*
+ * __sign_use for integer expressions:
+ *   bit #0 set if ok for unsigned comparisons
+ *   bit #1 set if ok for signed comparisons
+ *
+ * In particular, statically non-negative signed integer
+ * expressions are ok for both.
+ *
+ * NOTE! Unsigned types smaller than 'int' are implicitly
+ * converted to 'int' in expressions, and are accepted for
+ * signed conversions for now. This is debatable.
+ *
+ * Note that 'x' is the original expression, and 'ux' is
+ * the unique variable that contains the value.
+ *
+ * We use 'ux' for pure type checking, and 'x' for when
+ * we need to look at the value (but without evaluating
+ * it for side effects! Careful to only ever evaluate it
+ * with sizeof() or __builtin_constant_p() etc).
+ *
+ * Pointers end up being checked by the normal C type
+ * rules at the actual comparison, and these expressions
+ * only need to be careful to not cause warnings for
+ * pointer use.
+ */
+#define __signed_type_use(x,ux) (2+__is_nonneg(x,ux))
+#define __unsigned_type_use(x,ux) (1+2*(sizeof(ux)<4))
+#define __sign_use(x,ux) (is_signed_type(typeof(ux))? \
+	__signed_type_use(x,ux):__unsigned_type_use(x,ux))
+
+/*
+ * To avoid warnings about casting pointers to integers
+ * of different sizes, we need that special sign type.
+ *
+ * On 64-bit we can just always use 'long', since any
+ * integer or pointer type can just be cast to that.
+ *
+ * This does not work for 128-bit signed integers since
+ * the cast would truncate them, but we do not use s128
+ * types in the kernel (we do use 'u128', but they will
+ * be handled by the !is_signed_type() case).
+ *
+ * NOTE! The cast is there only to avoid any warnings
+ * from when values that aren't signed integer types.
+ */
+#ifdef CONFIG_64BIT
+  #define __signed_type(ux) long
+#else
+  #define __signed_type(ux) typeof(__builtin_choose_expr(sizeof(ux)>4,1LL,1L))
+#endif
+#define __is_nonneg(x,ux) statically_true((__signed_type(ux))(x)>=0)
 
-/* True for a non-negative signed int constant */
-#define __is_noneg_int(x)	\
-	(__builtin_choose_expr(__is_constexpr(x) && __is_signed(x), x, -1) >= 0)
+#define __types_ok(x,y,ux,uy) \
+	(__sign_use(x,ux) & __sign_use(y,uy))
 
-#define __types_ok(x, y, ux, uy) 				\
-	(__is_signed(ux) == __is_signed(uy) ||			\
-	 __is_signed((ux) + 0) == __is_signed((uy) + 0) ||	\
-	 __is_noneg_int(x) || __is_noneg_int(y))
+#define __types_ok3(x,y,z,ux,uy,uz) \
+	(__sign_use(x,ux) & __sign_use(y,uy) & __sign_use(z,uz))
 
 #define __cmp_op_min <
 #define __cmp_op_max >
@@ -53,8 +97,8 @@
 
 #define __careful_cmp_once(op, x, y, ux, uy) ({		\
 	__auto_type ux = (x); __auto_type uy = (y);	\
-	static_assert(__types_ok(x, y, ux, uy),		\
-		#op "(" #x ", " #y ") signedness error, fix types or consider u" #op "() before " #op "_t()"); \
+	BUILD_BUG_ON_MSG(!__types_ok(x,y,ux,uy),	\
+		#op"("#x", "#y") signedness error");	\
 	__cmp(op, ux, uy); })
 
 #define __careful_cmp(op, x, y) \
@@ -70,8 +114,8 @@
 	static_assert(__builtin_choose_expr(__is_constexpr((lo) > (hi)), 	\
 			(lo) <= (hi), true),					\
 		"clamp() low limit " #lo " greater than high limit " #hi);	\
-	static_assert(__types_ok(uval, lo, uval, ulo), "clamp() 'lo' signedness error");	\
-	static_assert(__types_ok(uval, hi, uval, uhi), "clamp() 'hi' signedness error");	\
+	BUILD_BUG_ON_MSG(!__types_ok3(val,lo,hi,uval,ulo,uhi),			\
+		"clamp("#val", "#lo", "#hi") signedness error");		\
 	__clamp(uval, ulo, uhi); })
 
 #define __careful_clamp(val, lo, hi) \
-- 
2.47.3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ