From nobody Mon Feb 9 00:53:52 2026 Received: from relay.smtp-ext.broadcom.com (relay.smtp-ext.broadcom.com [192.19.144.205]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C470C219E98; Fri, 7 Mar 2025 13:10:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=192.19.144.205 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741353004; cv=none; b=E2uHlbcJwS6JWY+LbNCBWMyBxCm/2tS1OV/yfcwdL8LQtWyzAllw4S2jx4+J0mSG6e9TYAwIjBveBCULzLb/xI2LmmsisokGFiNbH1a7FpoGvKCitBoNcGksc660Qg8+89i8+l04TwziywT83Wvw+FaaCmJLU/D/NqUgqtbisTY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1741353004; c=relaxed/simple; bh=F0XXb4iUPu1XvvOAobCBy9leql9n9yFjBaF8VWM6p3U=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=boiC93c+IE44UAIui5bFq3kMaarzlBytugrNo2K4bvqGhi4ETuY6DsmK/Fz5Hjo4ADEI3MTf5Q8xuxA4y6wXrqlDXNn2CFcFp0E++XXFEocoWP8yru3o2Lc1R9KEMbXVX7YeLWRXi+uFQeRX37AuiF1s2qah4ExnQgjOmgENl6Q= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=broadcom.com; spf=fail smtp.mailfrom=broadcom.com; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b=OlWzZZ71; arc=none smtp.client-ip=192.19.144.205 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=broadcom.com Authentication-Results: smtp.subspace.kernel.org; spf=fail smtp.mailfrom=broadcom.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=broadcom.com header.i=@broadcom.com header.b="OlWzZZ71" Received: from mail-acc-it-01.broadcom.com (mail-acc-it-01.acc.broadcom.net [10.35.36.83]) by relay.smtp-ext.broadcom.com (Postfix) with ESMTP id B339AC0042EB; Fri, 7 Mar 2025 05:09:56 -0800 (PST) DKIM-Filter: OpenDKIM Filter v2.11.0 relay.smtp-ext.broadcom.com B339AC0042EB DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=broadcom.com; s=dkimrelay; t=1741352996; bh=F0XXb4iUPu1XvvOAobCBy9leql9n9yFjBaF8VWM6p3U=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=OlWzZZ71Ll8PI/nRS7cLu2lAeHjRZr2vjwiH4KV1yJJfxUzCptrWFw1SzWyYc+Xi5 i4dDwWbIZhsqEM8R3acDwcKpNtG1iI4+Komw0KSf9xVcTTA6DnaXp42maFDi3jXrTz GXbPKyk4XTbh4000WwHwUJUCzBF4UEzNWb9PdM+c= Received: from stbirv-lnx-1.igp.broadcom.net (stbirv-lnx-1.igp.broadcom.net [10.67.48.32]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mail-acc-it-01.broadcom.com (Postfix) with ESMTPSA id 12B0C4003021; Fri, 7 Mar 2025 08:09:56 -0500 (EST) From: Florian Fainelli To: linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org, Kees Cook , Rasmus Villemoes , Florian Fainelli , Greg Kroah-Hartman , Keith Busch , "Gustavo A. R. Silva" Subject: [PATCH stable v5.4 v2 1/3] overflow: Add __must_check attribute to check_*() helpers Date: Fri, 7 Mar 2025 05:09:51 -0800 Message-Id: <20250307130953.3427986-2-florian.fainelli@broadcom.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20250307130953.3427986-1-florian.fainelli@broadcom.com> References: <20250307130953.3427986-1-florian.fainelli@broadcom.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Kees Cook commit 9b80e4c4ddaca3501177ed41e49d0928ba2122a8 upstream Since the destination variable of the check_*_overflow() helpers will contain a wrapped value on failure, it would be best to make sure callers really did check the return result of the helper. Adjust the macros to use a bool-wrapping static inline that is marked with __must_check. This means the macros can continue to have their type-agnostic behavior while gaining the function attribute (that cannot be applied directly to macros). Suggested-by: Rasmus Villemoes Link: https://lore.kernel.org/lkml/202008151007.EF679DF@keescook/ Signed-off-by: Kees Cook Signed-off-by: Florian Fainelli --- include/linux/overflow.h | 39 ++++++++++++++++++++++++--------------- 1 file changed, 24 insertions(+), 15 deletions(-) diff --git a/include/linux/overflow.h b/include/linux/overflow.h index 63e7c77ba942..35af574d006f 100644 --- a/include/linux/overflow.h +++ b/include/linux/overflow.h @@ -44,6 +44,16 @@ #define is_non_negative(a) ((a) > 0 || (a) =3D=3D 0) #define is_negative(a) (!(is_non_negative(a))) =20 +/* + * Allows for effectively applying __must_check to a macro so we can have + * both the type-agnostic benefits of the macros while also being able to + * enforce that the return value is, in fact, checked. + */ +static inline bool __must_check __must_check_overflow(bool overflow) +{ + return unlikely(overflow); +} + #ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW /* * For simplicity and code hygiene, the fallback code below insists on @@ -53,32 +63,32 @@ * alias for __builtin_add_overflow, but add type checks similar to * below. */ -#define check_add_overflow(a, b, d) ({ \ +#define check_add_overflow(a, b, d) __must_check_overflow(({ \ typeof(a) __a =3D (a); \ typeof(b) __b =3D (b); \ typeof(d) __d =3D (d); \ (void) (&__a =3D=3D &__b); \ (void) (&__a =3D=3D __d); \ __builtin_add_overflow(__a, __b, __d); \ -}) +})) =20 -#define check_sub_overflow(a, b, d) ({ \ +#define check_sub_overflow(a, b, d) __must_check_overflow(({ \ typeof(a) __a =3D (a); \ typeof(b) __b =3D (b); \ typeof(d) __d =3D (d); \ (void) (&__a =3D=3D &__b); \ (void) (&__a =3D=3D __d); \ __builtin_sub_overflow(__a, __b, __d); \ -}) +})) =20 -#define check_mul_overflow(a, b, d) ({ \ +#define check_mul_overflow(a, b, d) __must_check_overflow(({ \ typeof(a) __a =3D (a); \ typeof(b) __b =3D (b); \ typeof(d) __d =3D (d); \ (void) (&__a =3D=3D &__b); \ (void) (&__a =3D=3D __d); \ __builtin_mul_overflow(__a, __b, __d); \ -}) +})) =20 #else =20 @@ -191,21 +201,20 @@ }) =20 =20 -#define check_add_overflow(a, b, d) \ +#define check_add_overflow(a, b, d) __must_check_overflow( \ __builtin_choose_expr(is_signed_type(typeof(a)), \ __signed_add_overflow(a, b, d), \ - __unsigned_add_overflow(a, b, d)) + __unsigned_add_overflow(a, b, d))) =20 -#define check_sub_overflow(a, b, d) \ +#define check_sub_overflow(a, b, d) __must_check_overflow( \ __builtin_choose_expr(is_signed_type(typeof(a)), \ __signed_sub_overflow(a, b, d), \ - __unsigned_sub_overflow(a, b, d)) + __unsigned_sub_overflow(a, b, d))) =20 -#define check_mul_overflow(a, b, d) \ +#define check_mul_overflow(a, b, d) __must_check_overflow( \ __builtin_choose_expr(is_signed_type(typeof(a)), \ __signed_mul_overflow(a, b, d), \ - __unsigned_mul_overflow(a, b, d)) - + __unsigned_mul_overflow(a, b, d))) =20 #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */ =20 @@ -228,7 +237,7 @@ * '*d' will hold the results of the attempted shift, but is not * considered "safe for use" if false is returned. */ -#define check_shl_overflow(a, s, d) ({ \ +#define check_shl_overflow(a, s, d) __must_check_overflow(({ \ typeof(a) _a =3D a; \ typeof(s) _s =3D s; \ typeof(d) _d =3D d; \ @@ -238,7 +247,7 @@ *_d =3D (_a_full << _to_shift); \ (_to_shift !=3D _s || is_negative(*_d) || is_negative(_a) || \ (*_d >> _to_shift) !=3D _a); \ -}) +})) =20 /** * size_mul() - Calculate size_t multiplication with saturation at SIZE_MAX --=20 2.34.1