tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

compiler.h: drop fallback overflow checkers

Once upgrading the minimum supported version of GCC to 5.1, we can drop
the fallback code for !COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW.

This is effectively a revert of commit f0907827a8a9 ("compiler.h: enable
builtin overflow checkers and add fallback code")

Link: https://github.com/ClangBuiltLinux/linux/issues/1438#issuecomment-916745801
Suggested-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Nick Desaulniers and committed by
Linus Torvalds 4eb6bd55 76ae8474

+6 -293
-13
include/linux/compiler-clang.h
··· 62 62 #define __no_sanitize_coverage 63 63 #endif 64 64 65 - /* 66 - * Not all versions of clang implement the type-generic versions 67 - * of the builtin overflow checkers. Fortunately, clang implements 68 - * __has_builtin allowing us to avoid awkward version 69 - * checks. Unfortunately, we don't know which version of gcc clang 70 - * pretends to be, so the macro may or may not be defined. 71 - */ 72 - #if __has_builtin(__builtin_mul_overflow) && \ 73 - __has_builtin(__builtin_add_overflow) && \ 74 - __has_builtin(__builtin_sub_overflow) 75 - #define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1 76 - #endif 77 - 78 65 #if __has_feature(shadow_call_stack) 79 66 # define __noscs __attribute__((__no_sanitize__("shadow-call-stack"))) 80 67 #endif
-4
include/linux/compiler-gcc.h
··· 128 128 #define __no_sanitize_coverage 129 129 #endif 130 130 131 - #if GCC_VERSION >= 50100 132 - #define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1 133 - #endif 134 - 135 131 /* 136 132 * Turn individual warnings and errors on and off locally, depending 137 133 * on version.
+3 -135
include/linux/overflow.h
··· 6 6 #include <linux/limits.h> 7 7 8 8 /* 9 - * In the fallback code below, we need to compute the minimum and 10 - * maximum values representable in a given type. These macros may also 11 - * be useful elsewhere, so we provide them outside the 12 - * COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW block. 13 - * 14 - * It would seem more obvious to do something like 9 + * We need to compute the minimum and maximum values representable in a given 10 + * type. These macros may also be useful elsewhere. It would seem more obvious 11 + * to do something like: 15 12 * 16 13 * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0) 17 14 * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0) ··· 51 54 return unlikely(overflow); 52 55 } 53 56 54 - #ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 55 57 /* 56 58 * For simplicity and code hygiene, the fallback code below insists on 57 59 * a, b and *d having the same type (similar to the min() and max() ··· 85 89 (void) (&__a == __d); \ 86 90 __builtin_mul_overflow(__a, __b, __d); \ 87 91 })) 88 - 89 - #else 90 - 91 - 92 - /* Checking for unsigned overflow is relatively easy without causing UB. */ 93 - #define __unsigned_add_overflow(a, b, d) ({ \ 94 - typeof(a) __a = (a); \ 95 - typeof(b) __b = (b); \ 96 - typeof(d) __d = (d); \ 97 - (void) (&__a == &__b); \ 98 - (void) (&__a == __d); \ 99 - *__d = __a + __b; \ 100 - *__d < __a; \ 101 - }) 102 - #define __unsigned_sub_overflow(a, b, d) ({ \ 103 - typeof(a) __a = (a); \ 104 - typeof(b) __b = (b); \ 105 - typeof(d) __d = (d); \ 106 - (void) (&__a == &__b); \ 107 - (void) (&__a == __d); \ 108 - *__d = __a - __b; \ 109 - __a < __b; \ 110 - }) 111 - /* 112 - * If one of a or b is a compile-time constant, this avoids a division. 113 - */ 114 - #define __unsigned_mul_overflow(a, b, d) ({ \ 115 - typeof(a) __a = (a); \ 116 - typeof(b) __b = (b); \ 117 - typeof(d) __d = (d); \ 118 - (void) (&__a == &__b); \ 119 - (void) (&__a == __d); \ 120 - *__d = __a * __b; \ 121 - __builtin_constant_p(__b) ? \ 122 - __b > 0 && __a > type_max(typeof(__a)) / __b : \ 123 - __a > 0 && __b > type_max(typeof(__b)) / __a; \ 124 - }) 125 - 126 - /* 127 - * For signed types, detecting overflow is much harder, especially if 128 - * we want to avoid UB. But the interface of these macros is such that 129 - * we must provide a result in *d, and in fact we must produce the 130 - * result promised by gcc's builtins, which is simply the possibly 131 - * wrapped-around value. Fortunately, we can just formally do the 132 - * operations in the widest relevant unsigned type (u64) and then 133 - * truncate the result - gcc is smart enough to generate the same code 134 - * with and without the (u64) casts. 135 - */ 136 - 137 - /* 138 - * Adding two signed integers can overflow only if they have the same 139 - * sign, and overflow has happened iff the result has the opposite 140 - * sign. 141 - */ 142 - #define __signed_add_overflow(a, b, d) ({ \ 143 - typeof(a) __a = (a); \ 144 - typeof(b) __b = (b); \ 145 - typeof(d) __d = (d); \ 146 - (void) (&__a == &__b); \ 147 - (void) (&__a == __d); \ 148 - *__d = (u64)__a + (u64)__b; \ 149 - (((~(__a ^ __b)) & (*__d ^ __a)) \ 150 - & type_min(typeof(__a))) != 0; \ 151 - }) 152 - 153 - /* 154 - * Subtraction is similar, except that overflow can now happen only 155 - * when the signs are opposite. In this case, overflow has happened if 156 - * the result has the opposite sign of a. 157 - */ 158 - #define __signed_sub_overflow(a, b, d) ({ \ 159 - typeof(a) __a = (a); \ 160 - typeof(b) __b = (b); \ 161 - typeof(d) __d = (d); \ 162 - (void) (&__a == &__b); \ 163 - (void) (&__a == __d); \ 164 - *__d = (u64)__a - (u64)__b; \ 165 - ((((__a ^ __b)) & (*__d ^ __a)) \ 166 - & type_min(typeof(__a))) != 0; \ 167 - }) 168 - 169 - /* 170 - * Signed multiplication is rather hard. gcc always follows C99, so 171 - * division is truncated towards 0. This means that we can write the 172 - * overflow check like this: 173 - * 174 - * (a > 0 && (b > MAX/a || b < MIN/a)) || 175 - * (a < -1 && (b > MIN/a || b < MAX/a) || 176 - * (a == -1 && b == MIN) 177 - * 178 - * The redundant casts of -1 are to silence an annoying -Wtype-limits 179 - * (included in -Wextra) warning: When the type is u8 or u16, the 180 - * __b_c_e in check_mul_overflow obviously selects 181 - * __unsigned_mul_overflow, but unfortunately gcc still parses this 182 - * code and warns about the limited range of __b. 183 - */ 184 - 185 - #define __signed_mul_overflow(a, b, d) ({ \ 186 - typeof(a) __a = (a); \ 187 - typeof(b) __b = (b); \ 188 - typeof(d) __d = (d); \ 189 - typeof(a) __tmax = type_max(typeof(a)); \ 190 - typeof(a) __tmin = type_min(typeof(a)); \ 191 - (void) (&__a == &__b); \ 192 - (void) (&__a == __d); \ 193 - *__d = (u64)__a * (u64)__b; \ 194 - (__b > 0 && (__a > __tmax/__b || __a < __tmin/__b)) || \ 195 - (__b < (typeof(__b))-1 && (__a > __tmin/__b || __a < __tmax/__b)) || \ 196 - (__b == (typeof(__b))-1 && __a == __tmin); \ 197 - }) 198 - 199 - 200 - #define check_add_overflow(a, b, d) __must_check_overflow( \ 201 - __builtin_choose_expr(is_signed_type(typeof(a)), \ 202 - __signed_add_overflow(a, b, d), \ 203 - __unsigned_add_overflow(a, b, d))) 204 - 205 - #define check_sub_overflow(a, b, d) __must_check_overflow( \ 206 - __builtin_choose_expr(is_signed_type(typeof(a)), \ 207 - __signed_sub_overflow(a, b, d), \ 208 - __unsigned_sub_overflow(a, b, d))) 209 - 210 - #define check_mul_overflow(a, b, d) __must_check_overflow( \ 211 - __builtin_choose_expr(is_signed_type(typeof(a)), \ 212 - __signed_mul_overflow(a, b, d), \ 213 - __unsigned_mul_overflow(a, b, d))) 214 - 215 - #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */ 216 92 217 93 /** check_shl_overflow() - Calculate a left-shifted value and check overflow 218 94 *
-4
tools/include/linux/compiler-gcc.h
··· 38 38 #endif 39 39 #define __printf(a, b) __attribute__((format(printf, a, b))) 40 40 #define __scanf(a, b) __attribute__((format(scanf, a, b))) 41 - 42 - #if GCC_VERSION >= 50100 43 - #define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1 44 - #endif
+3 -137
tools/include/linux/overflow.h
··· 5 5 #include <linux/compiler.h> 6 6 7 7 /* 8 - * In the fallback code below, we need to compute the minimum and 9 - * maximum values representable in a given type. These macros may also 10 - * be useful elsewhere, so we provide them outside the 11 - * COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW block. 12 - * 13 - * It would seem more obvious to do something like 8 + * We need to compute the minimum and maximum values representable in a given 9 + * type. These macros may also be useful elsewhere. It would seem more obvious 10 + * to do something like: 14 11 * 15 12 * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0) 16 13 * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0) ··· 33 36 #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T))) 34 37 #define type_min(T) ((T)((T)-type_max(T)-(T)1)) 35 38 36 - 37 - #ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 38 39 /* 39 40 * For simplicity and code hygiene, the fallback code below insists on 40 41 * a, b and *d having the same type (similar to the min() and max() ··· 67 72 (void) (&__a == __d); \ 68 73 __builtin_mul_overflow(__a, __b, __d); \ 69 74 }) 70 - 71 - #else 72 - 73 - 74 - /* Checking for unsigned overflow is relatively easy without causing UB. */ 75 - #define __unsigned_add_overflow(a, b, d) ({ \ 76 - typeof(a) __a = (a); \ 77 - typeof(b) __b = (b); \ 78 - typeof(d) __d = (d); \ 79 - (void) (&__a == &__b); \ 80 - (void) (&__a == __d); \ 81 - *__d = __a + __b; \ 82 - *__d < __a; \ 83 - }) 84 - #define __unsigned_sub_overflow(a, b, d) ({ \ 85 - typeof(a) __a = (a); \ 86 - typeof(b) __b = (b); \ 87 - typeof(d) __d = (d); \ 88 - (void) (&__a == &__b); \ 89 - (void) (&__a == __d); \ 90 - *__d = __a - __b; \ 91 - __a < __b; \ 92 - }) 93 - /* 94 - * If one of a or b is a compile-time constant, this avoids a division. 95 - */ 96 - #define __unsigned_mul_overflow(a, b, d) ({ \ 97 - typeof(a) __a = (a); \ 98 - typeof(b) __b = (b); \ 99 - typeof(d) __d = (d); \ 100 - (void) (&__a == &__b); \ 101 - (void) (&__a == __d); \ 102 - *__d = __a * __b; \ 103 - __builtin_constant_p(__b) ? \ 104 - __b > 0 && __a > type_max(typeof(__a)) / __b : \ 105 - __a > 0 && __b > type_max(typeof(__b)) / __a; \ 106 - }) 107 - 108 - /* 109 - * For signed types, detecting overflow is much harder, especially if 110 - * we want to avoid UB. But the interface of these macros is such that 111 - * we must provide a result in *d, and in fact we must produce the 112 - * result promised by gcc's builtins, which is simply the possibly 113 - * wrapped-around value. Fortunately, we can just formally do the 114 - * operations in the widest relevant unsigned type (u64) and then 115 - * truncate the result - gcc is smart enough to generate the same code 116 - * with and without the (u64) casts. 117 - */ 118 - 119 - /* 120 - * Adding two signed integers can overflow only if they have the same 121 - * sign, and overflow has happened iff the result has the opposite 122 - * sign. 123 - */ 124 - #define __signed_add_overflow(a, b, d) ({ \ 125 - typeof(a) __a = (a); \ 126 - typeof(b) __b = (b); \ 127 - typeof(d) __d = (d); \ 128 - (void) (&__a == &__b); \ 129 - (void) (&__a == __d); \ 130 - *__d = (u64)__a + (u64)__b; \ 131 - (((~(__a ^ __b)) & (*__d ^ __a)) \ 132 - & type_min(typeof(__a))) != 0; \ 133 - }) 134 - 135 - /* 136 - * Subtraction is similar, except that overflow can now happen only 137 - * when the signs are opposite. In this case, overflow has happened if 138 - * the result has the opposite sign of a. 139 - */ 140 - #define __signed_sub_overflow(a, b, d) ({ \ 141 - typeof(a) __a = (a); \ 142 - typeof(b) __b = (b); \ 143 - typeof(d) __d = (d); \ 144 - (void) (&__a == &__b); \ 145 - (void) (&__a == __d); \ 146 - *__d = (u64)__a - (u64)__b; \ 147 - ((((__a ^ __b)) & (*__d ^ __a)) \ 148 - & type_min(typeof(__a))) != 0; \ 149 - }) 150 - 151 - /* 152 - * Signed multiplication is rather hard. gcc always follows C99, so 153 - * division is truncated towards 0. This means that we can write the 154 - * overflow check like this: 155 - * 156 - * (a > 0 && (b > MAX/a || b < MIN/a)) || 157 - * (a < -1 && (b > MIN/a || b < MAX/a) || 158 - * (a == -1 && b == MIN) 159 - * 160 - * The redundant casts of -1 are to silence an annoying -Wtype-limits 161 - * (included in -Wextra) warning: When the type is u8 or u16, the 162 - * __b_c_e in check_mul_overflow obviously selects 163 - * __unsigned_mul_overflow, but unfortunately gcc still parses this 164 - * code and warns about the limited range of __b. 165 - */ 166 - 167 - #define __signed_mul_overflow(a, b, d) ({ \ 168 - typeof(a) __a = (a); \ 169 - typeof(b) __b = (b); \ 170 - typeof(d) __d = (d); \ 171 - typeof(a) __tmax = type_max(typeof(a)); \ 172 - typeof(a) __tmin = type_min(typeof(a)); \ 173 - (void) (&__a == &__b); \ 174 - (void) (&__a == __d); \ 175 - *__d = (u64)__a * (u64)__b; \ 176 - (__b > 0 && (__a > __tmax/__b || __a < __tmin/__b)) || \ 177 - (__b < (typeof(__b))-1 && (__a > __tmin/__b || __a < __tmax/__b)) || \ 178 - (__b == (typeof(__b))-1 && __a == __tmin); \ 179 - }) 180 - 181 - 182 - #define check_add_overflow(a, b, d) \ 183 - __builtin_choose_expr(is_signed_type(typeof(a)), \ 184 - __signed_add_overflow(a, b, d), \ 185 - __unsigned_add_overflow(a, b, d)) 186 - 187 - #define check_sub_overflow(a, b, d) \ 188 - __builtin_choose_expr(is_signed_type(typeof(a)), \ 189 - __signed_sub_overflow(a, b, d), \ 190 - __unsigned_sub_overflow(a, b, d)) 191 - 192 - #define check_mul_overflow(a, b, d) \ 193 - __builtin_choose_expr(is_signed_type(typeof(a)), \ 194 - __signed_mul_overflow(a, b, d), \ 195 - __unsigned_mul_overflow(a, b, d)) 196 - 197 - 198 - #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */ 199 75 200 76 /** 201 77 * array_size() - Calculate size of 2-dimensional array.