From: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
Florian Weimer <fweimer@redhat.com>,
Kees Cook <keescook@chromium.org>,
Andrew Morton <akpm@linux-foundation.org>,
Josh Poimboeuf <jpoimboe@redhat.com>,
Rasmus Villemoes <linux@rasmusvillemoes.dk>,
Randy Dunlap <rdunlap@infradead.org>,
Ingo Molnar <mingo@kernel.org>,
David Laight <David.Laight@aculab.com>,
Ian Abbott <abbotti@mev.co.uk>,
linux-input <linux-input@vger.kernel.org>,
linux-btrfs <linux-btrfs@vger.kernel.org>,
Network Development <netdev@vger.kernel.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Kernel Hardening <kernel-hardening@lists.openwall.com>
Subject: Re: [PATCH v5 0/2] Remove false-positive VLAs when using max()
Date: Sat, 17 Mar 2018 02:49:27 +0100 [thread overview]
Message-ID: <CANiq72kNgO7indoEsVqZX8GuM9TyyiuVaS1OgFzvTVMX=5P-XA@mail.gmail.com> (raw)
In-Reply-To: <CA+55aFxLpdfyfTqhkHQoedQuqTcLRw3bYOgyz1s0eRW6cBmFTA@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1815 bytes --]
On Fri, Mar 16, 2018 at 9:14 PM, Linus Torvalds
<torvalds@linux-foundation.org> wrote:
> On Fri, Mar 16, 2018 at 1:03 PM, Miguel Ojeda
> <miguel.ojeda.sandonis@gmail.com> wrote:
>>>
>>> Kees - is there some online "gcc-4.4 checker" somewhere? This does
>>> seem to work with my gcc. I actually tested some of those files you
>>> pointed at now.
>>
>> I use this one:
>>
>> https://godbolt.org/
>
> Well, my *test* code works on that one and -Wvla -Werror.
>
> It does not work with gcc-4.1.x, but works with gcc-4.4.x.
>
> I can't seem to see the errors any way, I wonder if
> __builtin_choose_expr() simply didn't exist back then.
>
> Odd that you can't view warnings/errors with it.
>
> But it's possible that it fails on more complex stuff in the kernel.
>
> I've done a "allmodconfig" build with that patch, and the only issue
> it found was that (real) type issue in tpm_tis_core.h.
Just tested your max() with a Python script I wrote yesterday to try a
lot of combinations for this thing. Your version gives some warnings
in some cases, like:
warning: signed and unsigned type in conditional expression [-Wsign-compare]
#define __cmp(a,b,op) ((a)op(b)?(a):(b))
warning: comparison between signed and unsigned integer expressions
[-Wsign-compare]
#define const_max(a,b) __careful_cmp(a,b,>)
warning: comparison of distinct pointer types lacks a cast
(!!(sizeof((typeof(a)*)1==(typeof(b)*)1)))
But it fails on something like (with warnings):
int a[const_max(-30, 60u)];
Sorry... :-(
Has anyone taken a look at the last one I sent? Patch attached with
the draft changes on the kernel. It compiles fine the cases Kees
cleaned up in the other patch, but also works without a explicit type,
for mixed types, and for both positive and negative values.
Cheers,
Miguel
[-- Attachment #2: patch.diff --]
[-- Type: text/x-patch, Size: 2260 bytes --]
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index 3fd291503576..f83658a4f15d 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -819,6 +819,49 @@ static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { }
__UNIQUE_ID(max1_), __UNIQUE_ID(max2_), \
x, y)
+size_t __error_not_const_arg(void) \
+__compiletime_error("const_max() used with non-compile-time constant arg");
+size_t __error_too_big(void) \
+__compiletime_error("const_max() used with an arg too big");
+
+#define INTMAXT_MAX LLONG_MAX
+typedef int64_t intmax_t;
+
+#define const_cmp(x, y, op) \
+ __builtin_choose_expr( \
+ !__builtin_constant_p(x) || !__builtin_constant_p(y), \
+ __error_not_const_arg(), \
+ __builtin_choose_expr( \
+ (x) > INTMAXT_MAX || (y) > INTMAXT_MAX, \
+ __error_too_big(), \
+ __builtin_choose_expr( \
+ (intmax_t)(x) op (intmax_t)(y), \
+ (x), \
+ (y) \
+ ) \
+ ) \
+ )
+
+/**
+ * const_min - returns minimum of two compile-time constant values
+ * @x: first compile-time constant value
+ * @y: second compile-time constant value
+ *
+ * The result has the type of the winner of the comparison. Works for any
+ * value up to LLONG_MAX.
+ */
+#define const_min(x, y) const_cmp((x), (y), <=)
+
+/**
+ * const_max - returns maximum of two compile-time constant values
+ * @x: first compile-time constant value
+ * @y: second compile-time constant value
+ *
+ * The result has the type of the winner of the comparison. Works for any
+ * value up to LLONG_MAX.
+ */
+#define const_max(x, y) const_cmp((x), (y), >=)
+
/**
* min3 - return minimum of three values
* @x: first value
next prev parent reply other threads:[~2018-03-17 1:49 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-16 4:25 [PATCH v5 0/2] Remove false-positive VLAs when using max() Kees Cook
2018-03-16 4:25 ` [PATCH v5 1/2] kernel.h: Introduce const_max_t() for VLA removal Kees Cook
2018-03-16 4:25 ` [PATCH v5 2/2] Remove false-positive VLAs when using max() Kees Cook
2018-03-19 10:45 ` Andrey Ryabinin
2018-03-16 11:47 ` [PATCH v5 0/2] " Florian Weimer
2018-03-16 17:29 ` Linus Torvalds
2018-03-16 17:32 ` Florian Weimer
2018-03-16 17:44 ` David Laight
2018-03-16 20:25 ` Linus Torvalds
2018-03-16 17:55 ` Al Viro
2018-03-16 18:14 ` Al Viro
2018-03-16 19:27 ` Linus Torvalds
2018-03-16 20:03 ` Miguel Ojeda
2018-03-16 20:14 ` Linus Torvalds
2018-03-16 20:19 ` Linus Torvalds
2018-03-17 0:48 ` Miguel Ojeda
2018-03-17 1:49 ` Miguel Ojeda [this message]
2018-03-16 20:12 ` Al Viro
2018-03-16 20:15 ` Linus Torvalds
2018-03-16 20:18 ` Al Viro
2018-03-17 7:27 ` Kees Cook
2018-03-17 18:52 ` Linus Torvalds
2018-03-17 20:07 ` Kees Cook
2018-03-17 22:55 ` Josh Poimboeuf
2018-03-20 23:23 ` Linus Torvalds
2018-03-20 23:26 ` Linus Torvalds
2018-03-21 0:05 ` Al Viro
2018-03-22 15:01 ` Kees Cook
2018-03-22 15:13 ` David Laight
2018-03-22 17:04 ` Linus Torvalds
2018-03-18 21:13 ` Rasmus Villemoes
2018-03-18 21:33 ` Linus Torvalds
2018-03-18 22:59 ` Rasmus Villemoes
2018-03-18 23:36 ` Linus Torvalds
2018-03-19 9:43 ` David Laight
2018-03-19 23:29 ` Linus Torvalds
2018-03-20 3:10 ` Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CANiq72kNgO7indoEsVqZX8GuM9TyyiuVaS1OgFzvTVMX=5P-XA@mail.gmail.com' \
--to=miguel.ojeda.sandonis@gmail.com \
--cc=David.Laight@aculab.com \
--cc=abbotti@mev.co.uk \
--cc=akpm@linux-foundation.org \
--cc=fweimer@redhat.com \
--cc=jpoimboe@redhat.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@rasmusvillemoes.dk \
--cc=mingo@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=rdunlap@infradead.org \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.