--- /dev/null
+From 9b80e4c4ddaca3501177ed41e49d0928ba2122a8 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 12 Aug 2020 14:47:03 -0700
+Subject: overflow: Add __must_check attribute to check_*() helpers
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 9b80e4c4ddaca3501177ed41e49d0928ba2122a8 upstream.
+
+Since the destination variable of the check_*_overflow() helpers will
+contain a wrapped value on failure, it would be best to make sure callers
+really did check the return result of the helper. Adjust the macros to use
+a bool-wrapping static inline that is marked with __must_check. This means
+the macros can continue to have their type-agnostic behavior while gaining
+the function attribute (that cannot be applied directly to macros).
+
+Suggested-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Link: https://lore.kernel.org/lkml/202008151007.EF679DF@keescook/
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/overflow.h | 39 ++++++++++++++++++++++++---------------
+ 1 file changed, 24 insertions(+), 15 deletions(-)
+
+--- a/include/linux/overflow.h
++++ b/include/linux/overflow.h
+@@ -44,6 +44,16 @@
+ #define is_non_negative(a) ((a) > 0 || (a) == 0)
+ #define is_negative(a) (!(is_non_negative(a)))
+
++/*
++ * Allows for effectively applying __must_check to a macro so we can have
++ * both the type-agnostic benefits of the macros while also being able to
++ * enforce that the return value is, in fact, checked.
++ */
++static inline bool __must_check __must_check_overflow(bool overflow)
++{
++ return unlikely(overflow);
++}
++
+ #ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
+ /*
+ * For simplicity and code hygiene, the fallback code below insists on
+@@ -53,32 +63,32 @@
+ * alias for __builtin_add_overflow, but add type checks similar to
+ * below.
+ */
+-#define check_add_overflow(a, b, d) ({ \
++#define check_add_overflow(a, b, d) __must_check_overflow(({ \
+ typeof(a) __a = (a); \
+ typeof(b) __b = (b); \
+ typeof(d) __d = (d); \
+ (void) (&__a == &__b); \
+ (void) (&__a == __d); \
+ __builtin_add_overflow(__a, __b, __d); \
+-})
++}))
+
+-#define check_sub_overflow(a, b, d) ({ \
++#define check_sub_overflow(a, b, d) __must_check_overflow(({ \
+ typeof(a) __a = (a); \
+ typeof(b) __b = (b); \
+ typeof(d) __d = (d); \
+ (void) (&__a == &__b); \
+ (void) (&__a == __d); \
+ __builtin_sub_overflow(__a, __b, __d); \
+-})
++}))
+
+-#define check_mul_overflow(a, b, d) ({ \
++#define check_mul_overflow(a, b, d) __must_check_overflow(({ \
+ typeof(a) __a = (a); \
+ typeof(b) __b = (b); \
+ typeof(d) __d = (d); \
+ (void) (&__a == &__b); \
+ (void) (&__a == __d); \
+ __builtin_mul_overflow(__a, __b, __d); \
+-})
++}))
+
+ #else
+
+@@ -191,21 +201,20 @@
+ })
+
+
+-#define check_add_overflow(a, b, d) \
++#define check_add_overflow(a, b, d) __must_check_overflow( \
+ __builtin_choose_expr(is_signed_type(typeof(a)), \
+ __signed_add_overflow(a, b, d), \
+- __unsigned_add_overflow(a, b, d))
++ __unsigned_add_overflow(a, b, d)))
+
+-#define check_sub_overflow(a, b, d) \
++#define check_sub_overflow(a, b, d) __must_check_overflow( \
+ __builtin_choose_expr(is_signed_type(typeof(a)), \
+ __signed_sub_overflow(a, b, d), \
+- __unsigned_sub_overflow(a, b, d))
++ __unsigned_sub_overflow(a, b, d)))
+
+-#define check_mul_overflow(a, b, d) \
++#define check_mul_overflow(a, b, d) __must_check_overflow( \
+ __builtin_choose_expr(is_signed_type(typeof(a)), \
+ __signed_mul_overflow(a, b, d), \
+- __unsigned_mul_overflow(a, b, d))
+-
++ __unsigned_mul_overflow(a, b, d)))
+
+ #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
+
+@@ -228,7 +237,7 @@
+ * '*d' will hold the results of the attempted shift, but is not
+ * considered "safe for use" if false is returned.
+ */
+-#define check_shl_overflow(a, s, d) ({ \
++#define check_shl_overflow(a, s, d) __must_check_overflow(({ \
+ typeof(a) _a = a; \
+ typeof(s) _s = s; \
+ typeof(d) _d = d; \
+@@ -238,7 +247,7 @@
+ *_d = (_a_full << _to_shift); \
+ (_to_shift != _s || is_negative(*_d) || is_negative(_a) || \
+ (*_d >> _to_shift) != _a); \
+-})
++}))
+
+ /**
+ * size_mul() - Calculate size_t multiplication with saturation at SIZE_MAX
--- /dev/null
+From d219d2a9a92e39aa92799efe8f2aa21259b6dd82 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 29 Aug 2022 13:37:17 -0700
+Subject: overflow: Allow mixed type arguments
+
+From: Kees Cook <keescook@chromium.org>
+
+commit d219d2a9a92e39aa92799efe8f2aa21259b6dd82 upstream.
+
+When the check_[op]_overflow() helpers were introduced, all arguments
+were required to be the same type to make the fallback macros simpler.
+However, now that the fallback macros have been removed[1], it is fine
+to allow mixed types, which makes using the helpers much more useful,
+as they can be used to test for type-based overflows (e.g. adding two
+large ints but storing into a u8), as would be handy in the drm core[2].
+
+Remove the restriction, and add additional self-tests that exercise
+some of the mixed-type overflow cases, and double-check for accidental
+macro side-effects.
+
+[1] https://git.kernel.org/linus/4eb6bd55cfb22ffc20652732340c4962f3ac9a91
+[2] https://lore.kernel.org/lkml/20220824084514.2261614-2-gwan-gyeong.mun@intel.com
+
+Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
+Cc: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
+Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Cc: linux-hardening@vger.kernel.org
+Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com>
+Reviewed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
+Tested-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+[florian: Drop changes to lib/test_overflow.c]
+Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/overflow.h | 72 ++++++++++++++++++++++++++---------------------
+ 1 file changed, 41 insertions(+), 31 deletions(-)
+
+--- a/include/linux/overflow.h
++++ b/include/linux/overflow.h
+@@ -55,40 +55,50 @@ static inline bool __must_check __must_c
+ }
+
+ #ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
+-/*
+- * For simplicity and code hygiene, the fallback code below insists on
+- * a, b and *d having the same type (similar to the min() and max()
+- * macros), whereas gcc's type-generic overflow checkers accept
+- * different types. Hence we don't just make check_add_overflow an
+- * alias for __builtin_add_overflow, but add type checks similar to
+- * below.
++/** check_add_overflow() - Calculate addition with overflow checking
++ *
++ * @a: first addend
++ * @b: second addend
++ * @d: pointer to store sum
++ *
++ * Returns 0 on success.
++ *
++ * *@d holds the results of the attempted addition, but is not considered
++ * "safe for use" on a non-zero return value, which indicates that the
++ * sum has overflowed or been truncated.
+ */
+-#define check_add_overflow(a, b, d) __must_check_overflow(({ \
+- typeof(a) __a = (a); \
+- typeof(b) __b = (b); \
+- typeof(d) __d = (d); \
+- (void) (&__a == &__b); \
+- (void) (&__a == __d); \
+- __builtin_add_overflow(__a, __b, __d); \
+-}))
++#define check_add_overflow(a, b, d) \
++ __must_check_overflow(__builtin_add_overflow(a, b, d))
+
+-#define check_sub_overflow(a, b, d) __must_check_overflow(({ \
+- typeof(a) __a = (a); \
+- typeof(b) __b = (b); \
+- typeof(d) __d = (d); \
+- (void) (&__a == &__b); \
+- (void) (&__a == __d); \
+- __builtin_sub_overflow(__a, __b, __d); \
+-}))
++/** check_sub_overflow() - Calculate subtraction with overflow checking
++ *
++ * @a: minuend; value to subtract from
++ * @b: subtrahend; value to subtract from @a
++ * @d: pointer to store difference
++ *
++ * Returns 0 on success.
++ *
++ * *@d holds the results of the attempted subtraction, but is not considered
++ * "safe for use" on a non-zero return value, which indicates that the
++ * difference has underflowed or been truncated.
++ */
++#define check_sub_overflow(a, b, d) \
++ __must_check_overflow(__builtin_sub_overflow(a, b, d))
+
+-#define check_mul_overflow(a, b, d) __must_check_overflow(({ \
+- typeof(a) __a = (a); \
+- typeof(b) __b = (b); \
+- typeof(d) __d = (d); \
+- (void) (&__a == &__b); \
+- (void) (&__a == __d); \
+- __builtin_mul_overflow(__a, __b, __d); \
+-}))
++/** check_mul_overflow() - Calculate multiplication with overflow checking
++ *
++ * @a: first factor
++ * @b: second factor
++ * @d: pointer to store product
++ *
++ * Returns 0 on success.
++ *
++ * *@d holds the results of the attempted multiplication, but is not
++ * considered "safe for use" on a non-zero return value, which indicates
++ * that the product has overflowed or been truncated.
++ */
++#define check_mul_overflow(a, b, d) \
++ __must_check_overflow(__builtin_mul_overflow(a, b, d))
+
+ #else
+
--- /dev/null
+From 4578be130a6470d85ff05b13b75a00e6224eeeeb Mon Sep 17 00:00:00 2001
+From: Keith Busch <kbusch@kernel.org>
+Date: Thu, 1 Apr 2021 09:06:29 -0700
+Subject: overflow: Correct check_shl_overflow() comment
+
+From: Keith Busch <kbusch@kernel.org>
+
+commit 4578be130a6470d85ff05b13b75a00e6224eeeeb upstream.
+
+A 'false' return means the value was safely set, so the comment should
+say 'true' for when it is not considered safe.
+
+Cc: Jason Gunthorpe <jgg@ziepe.ca>
+Signed-off-by: Keith Busch <kbusch@kernel.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Fixes: 0c66847793d1 ("overflow.h: Add arithmetic shift helper")
+Link: https://lore.kernel.org/r/20210401160629.1941787-1-kbusch@kernel.org
+Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/overflow.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/overflow.h
++++ b/include/linux/overflow.h
+@@ -235,7 +235,7 @@ static inline bool __must_check __must_c
+ * - 'a << s' sets the sign bit, if any, in '*d'.
+ *
+ * '*d' will hold the results of the attempted shift, but is not
+- * considered "safe for use" if false is returned.
++ * considered "safe for use" if true is returned.
+ */
+ #define check_shl_overflow(a, s, d) __must_check_overflow(({ \
+ typeof(a) _a = a; \
perf-cs-etm-add-missing-variable-in-cs_etm__process_queues.patch
udf-fix-use-of-check_add_overflow-with-mixed-type-arguments.patch
+overflow-add-__must_check-attribute-to-check_-helpers.patch
+overflow-correct-check_shl_overflow-comment.patch
+overflow-allow-mixed-type-arguments.patch
afs-fix-directory-format-encoding-struct.patch
nbd-don-t-allow-reconnect-after-disconnect.patch
partitions-ldm-remove-the-initial-kernel-doc-notatio.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
