lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1ed83fd2-575b-4b22-9a01-b3a2110af78f@kernel.org>
Date: Wed, 21 Jan 2026 19:43:07 +0100
From: Vincent Mailhol <mailhol@...nel.org>
To: david.laight.linux@...il.com
Cc: Nathan Chancellor <nathan@...nel.org>,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
 Thomas Gleixner <tglx@...utronix.de>, Peter Zijlstra <peterz@...radead.org>,
 Ingo Molnar <mingo@...nel.org>,
 Mathieu Desnoyers <mathieu.desnoyers@...icios.com>,
 Arnd Bergmann <arnd@...db.de>, linux-arch@...r.kernel.org,
 linux-kernel@...r.kernel.org, Yury Norov <yury.norov@...il.com>,
 Lucas De Marchi <lucas.demarchi@...el.com>,
 Jani Nikula <jani.nikula@...el.com>,
 Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
 Kees Cook <keescook@...omium.org>, Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH next 11/14] bit: Strengthen compile-time tests in
 GENMASK() and BIT()

On 21/01/2026 at 15:57, david.laight.linux@...il.com wrote:
> From: David Laight <david.laight.linux@...il.com>
> 
> The current checks in GENMASK/BIT (eg reversed high/low) only work
> for 'integer constant expressions' not 'compile-time constants'.
> This is true for const_true() and -Wshift-count-overflow/negative.
> While compile-time constants may be unusual, they can happen through
> function inlining.

Did those new checks actually found any real problem in the code? This
adds a lot of complexity so I am not sure whether this is a winning
trade-off.

> This isn't too bad with gcc, but if clang detects a negative/over-large
> shift it treats it as 'undefined behaviour' and silently discards all
> code that would use the result, so:
> int f(u32 x) {int n = 32; return x >> n; }
> generates a function that just contains a 'return' instruction.
> If 'n' was a variable that happened to be 32, most modern cpu mask
> the count - so would return 'x', some might return 0.

But then, you only solve that shift problem for GENMASK() and
BIT(). Any other usage of the left/right shifts are not diagnosed
unless your check get copy pasted all over the place.

I think that such a check belongs to a static analyzer. Speaking of
which:

	$ cat test.c
	typedef unsigned int u32;
	static int f(u32 x) {int n = 32; return x >> n; }

	$ sparse test.c
	test.c:2:46: warning: shift too big (32) for type unsigned int$ cat test.c

So here, I would rather keep relying on sparse rather that introducing
the W=c logic and all that macro complexity.


Yours sincerely,
Vincent Mailhol

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ