| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aPj9Tu75OFenm7U0@yury>
Date: Wed, 22 Oct 2025 11:50:46 -0400
From: Yury Norov <yury.norov@...il.com>
To: Geert Uytterhoeven <geert@...ux-m68k.org>
Cc: Michael Turquette <mturquette@...libre.com>,
Stephen Boyd <sboyd@...nel.org>,
Nicolas Ferre <nicolas.ferre@...rochip.com>,
Alexandre Belloni <alexandre.belloni@...tlin.com>,
Claudiu Beznea <claudiu.beznea@...on.dev>,
Giovanni Cabiddu <giovanni.cabiddu@...el.com>,
Herbert Xu <herbert@...dor.apana.org.au>,
David Miller <davem@...emloft.net>,
Linus Walleij <linus.walleij@...aro.org>,
Bartosz Golaszewski <brgl@...ev.pl>, Joel Stanley <joel@....id.au>,
Andrew Jeffery <andrew@...econstruct.com.au>,
Crt Mori <cmo@...exis.com>, Jonathan Cameron <jic23@...nel.org>,
Lars-Peter Clausen <lars@...afoo.de>,
Jacky Huang <ychuang3@...oton.com>,
Shan-Chun Hung <schung@...oton.com>,
Rasmus Villemoes <linux@...musvillemoes.dk>,
Jaroslav Kysela <perex@...ex.cz>, Takashi Iwai <tiwai@...e.com>,
Johannes Berg <johannes@...solutions.net>,
Jakub Kicinski <kuba@...nel.org>, Alex Elder <elder@...e.org>,
David Laight <david.laight.linux@...il.com>,
Vincent Mailhol <mailhol.vincent@...adoo.fr>,
Jason Baron <jbaron@...mai.com>, Borislav Petkov <bp@...en8.de>,
Tony Luck <tony.luck@...el.com>,
Michael Hennerich <Michael.Hennerich@...log.com>,
Kim Seer Paller <kimseer.paller@...log.com>,
David Lechner <dlechner@...libre.com>,
Nuno Sá <nuno.sa@...log.com>,
Andy Shevchenko <andy@...nel.org>,
Richard Genoud <richard.genoud@...tlin.com>,
Cosmin Tanislav <demonsingur@...il.com>,
Biju Das <biju.das.jz@...renesas.com>,
Jianping Shen <Jianping.Shen@...bosch.com>,
linux-clk@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
linux-renesas-soc@...r.kernel.org, linux-crypto@...r.kernel.org,
linux-edac@...r.kernel.org, qat-linux@...el.com,
linux-gpio@...r.kernel.org, linux-aspeed@...ts.ozlabs.org,
linux-iio@...r.kernel.org, linux-sound@...r.kernel.org,
linux-kernel@...r.kernel.org,
Jonathan Cameron <Jonathan.Cameron@...wei.com>
Subject: Re: [PATCH v4 2/4] bitfield: Add non-constant field_{prep,get}()
helpers
On Wed, Oct 22, 2025 at 12:01:37PM +0200, Geert Uytterhoeven wrote:
> Hi Yury,
>
> On Wed, 22 Oct 2025 at 06:20, Yury Norov <yury.norov@...il.com> wrote:
> > On Mon, Oct 20, 2025 at 03:00:24PM +0200, Geert Uytterhoeven wrote:
> > > On Fri, 17 Oct 2025 at 20:51, Yury Norov <yury.norov@...il.com> wrote:
> > > > On Fri, Oct 17, 2025 at 12:54:10PM +0200, Geert Uytterhoeven wrote:
> > > > > The existing FIELD_{GET,PREP}() macros are limited to compile-time
> > > > > constants. However, it is very common to prepare or extract bitfield
> > > > > elements where the bitfield mask is not a compile-time constant.
> > > > >
> > > > > To avoid this limitation, the AT91 clock driver and several other
> > > > > drivers already have their own non-const field_{prep,get}() macros.
> > > > > Make them available for general use by consolidating them in
> > > > > <linux/bitfield.h>, and improve them slightly:
> > > > > 1. Avoid evaluating macro parameters more than once,
> > > > > 2. Replace "ffs() - 1" by "__ffs()",
> > > > > 3. Support 64-bit use on 32-bit architectures.
> > > > >
> > > > > This is deliberately not merged into the existing FIELD_{GET,PREP}()
> > > > > macros, as people expressed the desire to keep stricter variants for
> > > > > increased safety, or for performance critical paths.
> > > > >
> > > > > Signed-off-by: Geert Uytterhoeven <geert+renesas@...der.be>
> > > > > Acked-by: Alexandre Belloni <alexandre.belloni@...tlin.com>
> > > > > Acked-by: Jonathan Cameron <Jonathan.Cameron@...wei.com>
> > > > > Acked-by: Crt Mori <cmo@...exis.com>
> > > > > ---
> > > > > v4:
> > > > > - Add Acked-by,
> > > > > - Rebase on top of commit 7c68005a46108ffa ("crypto: qat - relocate
> > > > > power management debugfs helper APIs") in v6.17-rc1,
> > > > > - Convert more recently introduced upstream copies:
> > > > > - drivers/edac/ie31200_edac.c
> > > > > - drivers/iio/dac/ad3530r.c
> > > >
> > > > Can you split out the part that actually introduces the new API?
> > >
> > > Unfortunately not, as that would cause build warnings/failures due
> > > to conflicting redefinitions.
> > > That is a reason why I want to apply this patch ASAP: new copies show
> > > up all the time.
> >
> > In a preparation patch, for each driver:
> >
> > +#ifndef field_prep
> > #define field_prep() ...
> > +#endif
> >
> > Or simply
> >
> > +#undef field_prep
> > #define field_prep() ...
> >
> > Then add the generic field_prep() in a separate patch. Then you can drop
> > ifdefery in the drivers.
> >
> > Yeah, more patches, but the result is cleaner.
>
> And we need 3 kernel releases, as the addition of the macros to
> the header file now has a hard dependency on adding the #undefs?
> Unless I still apply all of them to an immutable branch, but then what
> is the point?
Not sure what do you mean. You can do it in a single series, and you
don't need and should not split the series across releases. Consider
my recent cpumask_next_wrap() rework as an example:
https://lore.kernel.org/all/20250128164646.4009-1-yury.norov@gmail.com/
1. #1-4 switch kernel users to alternative functions;
2. #5 deprecates cpumask_next_wrap(), making sure it's a pure renaming,
i.e. no-op.
3. #6 introduces the new nice implementation. It's the core-only patch,
no drivers are touched.
4. #7-12 switch the rest of codebase from old version to new.
5. #13 drops deprecated old function.
This is the most common scheme. In you case you can cut the corners.
The goals here are:
- keep core patches free of non-core code;
- switch drivers to the new functionality one-by-one in sake of
bisectability.
> > > > > --- a/include/linux/bitfield.h
> > > > > +++ b/include/linux/bitfield.h
> > > > > @@ -220,4 +220,40 @@ __MAKE_OP(64)
> > > > > #undef __MAKE_OP
> > > > > #undef ____MAKE_OP
> > > > >
> > > > > +/**
> > > > > + * field_prep() - prepare a bitfield element
> > > > > + * @mask: shifted mask defining the field's length and position
> > > > > + * @val: value to put in the field
> > > > > + *
> > > > > + * field_prep() masks and shifts up the value. The result should be
> > > > > + * combined with other fields of the bitfield using logical OR.
> > > > > + * Unlike FIELD_PREP(), @mask is not limited to a compile-time constant.
> > > > > + */
> > > > > +#define field_prep(mask, val) \
> > > > > + ({ \
> > > > > + __auto_type __mask = (mask); \
> > > > > + typeof(mask) __val = (val); \
> > > > > + unsigned int __shift = sizeof(mask) <= 4 ? \
> > > > > + __ffs(__mask) : __ffs64(__mask); \
> > > > > + (__val << __shift) & __mask; \
> > > >
> > > > __ffs(0) is undef. The corresponding comment in
> > > > include/asm-generic/bitops/__ffs.h explicitly says: "code should check
> > > > against 0 first".
> > >
> > > An all zeroes mask is a bug in the code that calls field_{get,prep}().
> >
> > It's a bug in FIELD_GET() - for sure. Because it's enforced in
> > __BF_FIELD_CHECK(). field_get() doesn't enforce it, doesn't even
> > mention that in the comment.
> >
> > I'm not fully convinced that empty runtime mask should be a bug.
>
> Getting (and using) data from nowhere is a bug.
> Storing data where there is no space to store is also a bug.
>
> I will add a comment.
>
> > Consider memcpy(dst, src, 0). This is a no-op, but not a bug as
> > soon as the pointers are valid. If you _think_ it's a bug - please
> > enforce it.
>
> memcpy() with a fixed size of zero is probably a bug.
> memcpy() with a variable size is usually used to copy "as much as is
> needed", so zero is usually not a bug.
5 lines above you say: "Getting (and using) data from nowhere is a bug".
Now you're saying: "so zero is usually not a bug". So, is it a bug or
not?
Consider this example:
unsigned a = field_get(mask, get_user(ptr));
Conceptually it's the same as per-bit copy_from_user().
The copy_from_user
1. allows size == 0;
2. does not dereference pointers in that case, i.e. doesn't call
get_user().
Can we make sure that field_get() provides the same guarantees?
> > > > I think mask = 0 is a sign of error here. Can you add a code catching
> > > > it at compile time, and maybe at runtime too? Something like:
> > > >
> > > > #define __field_prep(mask, val)
> > > > ({
> > > > unsigned __shift = sizeof(mask) <= 4 ? __ffs(mask) : __ffs64(mask);
> > > > (val << __shift) & mask;
> > > > })
> > > >
> > > > #define field_prep(mask, val)
> > > > ({
> > > > unsigned int __shift;
> > > > __auto_type __mask = (mask), __ret = 0;
> > > > typeof(mask) __val = (val);
> > > >
> > > > BUILD_BUG_ON_ZERO(const_true(mask == 0));
> > >
> > > Futile, as code with a constant mask should use FIELD_PREP() instead.
> >
> > It's a weak argument. Sometimes compiler is smart enough to realize
> > that something is a constant, while people won't. Sometimes code gets
> > refactored. Sometimes people build complex expressions that should
> > work both in run-time and compile time cases. Sometimes variables are
> > compile- or run-time depending on config (nr_cpu_ids is an example).
> >
> > The field_prep() must handle const case just as good as capitalized
> > version does.
>
> OK, I will add the (build-time) check.
If mask is compile-time, you can wire field_prep() to FIELD_PREP(), so
it will do the work for you.
Thanks,
Yury
Powered by blists - more mailing lists