From: David Laight <david.laight.linux@gmail.com>
min_t() and max_t() are normally used to change the signedness
of a positive value to avoid a signed-v-unsigned compare warning.
However they are used here to convert an unsigned 64bit pattern
to a signed to a 32/64bit signed number.
To avoid any confusion use plain min()/max() and explicitely cast
the u64 expression to the correct signed value.
Use a simple max() for the max_pkt_offset calulation and delete the
comment about why the cast to u32 is safe.
Signed-off-by: David Laight <david.laight.linux@gmail.com>
---
kernel/bpf/verifier.c | 29 +++++++++++------------------
1 file changed, 11 insertions(+), 18 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index ff40e5e65c43..22fa9769fbdb 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2319,12 +2319,12 @@ static void __update_reg32_bounds(struct bpf_reg_state *reg)
struct tnum var32_off = tnum_subreg(reg->var_off);
/* min signed is max(sign bit) | min(other bits) */
- reg->s32_min_value = max_t(s32, reg->s32_min_value,
- var32_off.value | (var32_off.mask & S32_MIN));
+ reg->s32_min_value = max(reg->s32_min_value,
+ (s32)(var32_off.value | (var32_off.mask & S32_MIN)));
/* max signed is min(sign bit) | max(other bits) */
- reg->s32_max_value = min_t(s32, reg->s32_max_value,
- var32_off.value | (var32_off.mask & S32_MAX));
- reg->u32_min_value = max_t(u32, reg->u32_min_value, (u32)var32_off.value);
+ reg->s32_max_value = min(reg->s32_max_value,
+ (s32)(var32_off.value | (var32_off.mask & S32_MAX)));
+ reg->u32_min_value = max(reg->u32_min_value, (u32)var32_off.value);
reg->u32_max_value = min(reg->u32_max_value,
(u32)(var32_off.value | var32_off.mask));
}
@@ -2332,11 +2332,11 @@ static void __update_reg32_bounds(struct bpf_reg_state *reg)
static void __update_reg64_bounds(struct bpf_reg_state *reg)
{
/* min signed is max(sign bit) | min(other bits) */
- reg->smin_value = max_t(s64, reg->smin_value,
- reg->var_off.value | (reg->var_off.mask & S64_MIN));
+ reg->smin_value = max(reg->smin_value,
+ (s64)(reg->var_off.value | (reg->var_off.mask & S64_MIN)));
/* max signed is min(sign bit) | max(other bits) */
- reg->smax_value = min_t(s64, reg->smax_value,
- reg->var_off.value | (reg->var_off.mask & S64_MAX));
+ reg->smax_value = min(reg->smax_value,
+ (s64)(reg->var_off.value | (reg->var_off.mask & S64_MAX)));
reg->umin_value = max(reg->umin_value, reg->var_off.value);
reg->umax_value = min(reg->umax_value,
reg->var_off.value | reg->var_off.mask);
@@ -6128,15 +6128,8 @@ static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off,
return err;
}
- /* __check_mem_access has made sure "off + size - 1" is within u16.
- * reg->umax_value can't be bigger than MAX_PACKET_OFF which is 0xffff,
- * otherwise find_good_pkt_pointers would have refused to set range info
- * that __check_mem_access would have rejected this pkt access.
- * Therefore, "off + reg->umax_value + size - 1" won't overflow u32.
- */
- env->prog->aux->max_pkt_offset =
- max_t(u32, env->prog->aux->max_pkt_offset,
- off + reg->umax_value + size - 1);
+ env->prog->aux->max_pkt_offset = max(env->prog->aux->max_pkt_offset,
+ off + reg->umax_value + size - 1);
return err;
}
--
2.39.5On Wed, Nov 19, 2025 at 2:42 PM <david.laight.linux@gmail.com> wrote: > > From: David Laight <david.laight.linux@gmail.com> > > min_t() and max_t() are normally used to change the signedness > of a positive value to avoid a signed-v-unsigned compare warning. > > However they are used here to convert an unsigned 64bit pattern > to a signed to a 32/64bit signed number. > To avoid any confusion use plain min()/max() and explicitely cast > the u64 expression to the correct signed value. > > Use a simple max() for the max_pkt_offset calulation and delete the > comment about why the cast to u32 is safe. > > Signed-off-by: David Laight <david.laight.linux@gmail.com> > --- > kernel/bpf/verifier.c | 29 +++++++++++------------------ > 1 file changed, 11 insertions(+), 18 deletions(-) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index ff40e5e65c43..22fa9769fbdb 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -2319,12 +2319,12 @@ static void __update_reg32_bounds(struct bpf_reg_state *reg) > struct tnum var32_off = tnum_subreg(reg->var_off); > > /* min signed is max(sign bit) | min(other bits) */ > - reg->s32_min_value = max_t(s32, reg->s32_min_value, > - var32_off.value | (var32_off.mask & S32_MIN)); > + reg->s32_min_value = max(reg->s32_min_value, > + (s32)(var32_off.value | (var32_off.mask & S32_MIN))); > /* max signed is min(sign bit) | max(other bits) */ > - reg->s32_max_value = min_t(s32, reg->s32_max_value, > - var32_off.value | (var32_off.mask & S32_MAX)); > - reg->u32_min_value = max_t(u32, reg->u32_min_value, (u32)var32_off.value); > + reg->s32_max_value = min(reg->s32_max_value, > + (s32)(var32_off.value | (var32_off.mask & S32_MAX))); Nack. This is plain ugly for no good reason. Leave the code as-is. pw-bot: cr
On Fri, 21 Nov 2025 13:40:36 -0800 Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote: > On Wed, Nov 19, 2025 at 2:42 PM <david.laight.linux@gmail.com> wrote: > > > > From: David Laight <david.laight.linux@gmail.com> > > > > min_t() and max_t() are normally used to change the signedness > > of a positive value to avoid a signed-v-unsigned compare warning. > > > > However they are used here to convert an unsigned 64bit pattern > > to a signed to a 32/64bit signed number. > > To avoid any confusion use plain min()/max() and explicitely cast > > the u64 expression to the correct signed value. > > > > Use a simple max() for the max_pkt_offset calulation and delete the > > comment about why the cast to u32 is safe. > > > > Signed-off-by: David Laight <david.laight.linux@gmail.com> > > --- > > kernel/bpf/verifier.c | 29 +++++++++++------------------ > > 1 file changed, 11 insertions(+), 18 deletions(-) > > > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > > index ff40e5e65c43..22fa9769fbdb 100644 > > --- a/kernel/bpf/verifier.c > > +++ b/kernel/bpf/verifier.c > > @@ -2319,12 +2319,12 @@ static void __update_reg32_bounds(struct bpf_reg_state *reg) > > struct tnum var32_off = tnum_subreg(reg->var_off); > > > > /* min signed is max(sign bit) | min(other bits) */ > > - reg->s32_min_value = max_t(s32, reg->s32_min_value, > > - var32_off.value | (var32_off.mask & S32_MIN)); > > + reg->s32_min_value = max(reg->s32_min_value, > > + (s32)(var32_off.value | (var32_off.mask & S32_MIN))); > > /* max signed is min(sign bit) | max(other bits) */ > > - reg->s32_max_value = min_t(s32, reg->s32_max_value, > > - var32_off.value | (var32_off.mask & S32_MAX)); > > - reg->u32_min_value = max_t(u32, reg->u32_min_value, (u32)var32_off.value); > > + reg->s32_max_value = min(reg->s32_max_value, > > + (s32)(var32_off.value | (var32_off.mask & S32_MAX))); > > Nack. > This is plain ugly for no good reason. > Leave the code as-is. It is really horrid before. From what i remember var32_off.value (and .mask) are both u64. The pattern actually patches that used a few lines down the file. I've been trying to build allmodconfig with the size test added to min_t() and max_t(). The number of real (or potentially real) bugs I've found is stunning. The only fix is to nuke min_t() and max_t() to they can't be used. The basic problem is the people have used the type of the target not that of the largest parameter. The might be ok for ulong v uint (on 64bit), but there are plenty of places where u16 and u8 are used - a lot are pretty much buggy. Perhaps the worst ones I've found are with clamp_t(), this is from 2/44: - (raw_inode)->xtime = cpu_to_le32(clamp_t(int32_t, (ts).tv_sec, S32_MIN, S32_MAX)); \ + (raw_inode)->xtime = cpu_to_le32(clamp((ts).tv_sec, S32_MIN, S32_MAX)); \ If also found clamp_t(u8, xxx, 0, 255). There are just so many broken examples. David > > pw-bot: cr
On Fri, Nov 21, 2025 at 2:21 PM David Laight <david.laight.linux@gmail.com> wrote: > > On Fri, 21 Nov 2025 13:40:36 -0800 > Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote: > > > On Wed, Nov 19, 2025 at 2:42 PM <david.laight.linux@gmail.com> wrote: > > > > > > From: David Laight <david.laight.linux@gmail.com> > > > > > > min_t() and max_t() are normally used to change the signedness > > > of a positive value to avoid a signed-v-unsigned compare warning. > > > > > > However they are used here to convert an unsigned 64bit pattern > > > to a signed to a 32/64bit signed number. > > > To avoid any confusion use plain min()/max() and explicitely cast > > > the u64 expression to the correct signed value. > > > > > > Use a simple max() for the max_pkt_offset calulation and delete the > > > comment about why the cast to u32 is safe. > > > > > > Signed-off-by: David Laight <david.laight.linux@gmail.com> > > > --- > > > kernel/bpf/verifier.c | 29 +++++++++++------------------ > > > 1 file changed, 11 insertions(+), 18 deletions(-) > > > > > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > > > index ff40e5e65c43..22fa9769fbdb 100644 > > > --- a/kernel/bpf/verifier.c > > > +++ b/kernel/bpf/verifier.c > > > @@ -2319,12 +2319,12 @@ static void __update_reg32_bounds(struct bpf_reg_state *reg) > > > struct tnum var32_off = tnum_subreg(reg->var_off); > > > > > > /* min signed is max(sign bit) | min(other bits) */ > > > - reg->s32_min_value = max_t(s32, reg->s32_min_value, > > > - var32_off.value | (var32_off.mask & S32_MIN)); > > > + reg->s32_min_value = max(reg->s32_min_value, > > > + (s32)(var32_off.value | (var32_off.mask & S32_MIN))); > > > /* max signed is min(sign bit) | max(other bits) */ > > > - reg->s32_max_value = min_t(s32, reg->s32_max_value, > > > - var32_off.value | (var32_off.mask & S32_MAX)); > > > - reg->u32_min_value = max_t(u32, reg->u32_min_value, (u32)var32_off.value); > > > + reg->s32_max_value = min(reg->s32_max_value, > > > + (s32)(var32_off.value | (var32_off.mask & S32_MAX))); > > > > Nack. > > This is plain ugly for no good reason. > > Leave the code as-is. > > It is really horrid before. > From what i remember var32_off.value (and .mask) are both u64. > The pattern actually patches that used a few lines down the file. > > I've been trying to build allmodconfig with the size test added to min_t() > and max_t(). > The number of real (or potentially real) bugs I've found is stunning. > The only fix is to nuke min_t() and max_t() to they can't be used. No. min_t() is going to stay. It's not broken and this crusade against it is inappropriate. > The basic problem is the people have used the type of the target not that > of the largest parameter. > The might be ok for ulong v uint (on 64bit), but there are plenty of places > where u16 and u8 are used - a lot are pretty much buggy. > > Perhaps the worst ones I've found are with clamp_t(), > this is from 2/44: > - (raw_inode)->xtime = cpu_to_le32(clamp_t(int32_t, (ts).tv_sec, S32_MIN, S32_MAX)); \ > + (raw_inode)->xtime = cpu_to_le32(clamp((ts).tv_sec, S32_MIN, S32_MAX)); \ > If also found clamp_t(u8, xxx, 0, 255). > > There are just so many broken examples. clamp_t(u8, xxx, 0, 255) is not wrong. It's silly, but it's doing the right thing and one can argue and explicit clamp values serve as a documentation. clamp_t(int32_t, (ts).tv_sec, S32_MIN, S32_MAX)) is indeed incorrect, but it's a bug in the implementation of __clamp_once(). Fix it, instead of spamming people with "_t" removal.
On Sun, 23 Nov 2025 08:39:51 -0800 Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote: > On Fri, Nov 21, 2025 at 2:21 PM David Laight > <david.laight.linux@gmail.com> wrote: > > > > On Fri, 21 Nov 2025 13:40:36 -0800 > > Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote: > > > > > On Wed, Nov 19, 2025 at 2:42 PM <david.laight.linux@gmail.com> wrote: > > > > > > > > From: David Laight <david.laight.linux@gmail.com> > > > > > > > > min_t() and max_t() are normally used to change the signedness > > > > of a positive value to avoid a signed-v-unsigned compare warning. > > > > > > > > However they are used here to convert an unsigned 64bit pattern > > > > to a signed to a 32/64bit signed number. > > > > To avoid any confusion use plain min()/max() and explicitely cast > > > > the u64 expression to the correct signed value. > > > > > > > > Use a simple max() for the max_pkt_offset calulation and delete the > > > > comment about why the cast to u32 is safe. > > > > > > > > Signed-off-by: David Laight <david.laight.linux@gmail.com> > > > > --- > > > > kernel/bpf/verifier.c | 29 +++++++++++------------------ > > > > 1 file changed, 11 insertions(+), 18 deletions(-) > > > > > > > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > > > > index ff40e5e65c43..22fa9769fbdb 100644 > > > > --- a/kernel/bpf/verifier.c > > > > +++ b/kernel/bpf/verifier.c > > > > @@ -2319,12 +2319,12 @@ static void __update_reg32_bounds(struct bpf_reg_state *reg) > > > > struct tnum var32_off = tnum_subreg(reg->var_off); > > > > > > > > /* min signed is max(sign bit) | min(other bits) */ > > > > - reg->s32_min_value = max_t(s32, reg->s32_min_value, > > > > - var32_off.value | (var32_off.mask & S32_MIN)); > > > > + reg->s32_min_value = max(reg->s32_min_value, > > > > + (s32)(var32_off.value | (var32_off.mask & S32_MIN))); > > > > /* max signed is min(sign bit) | max(other bits) */ > > > > - reg->s32_max_value = min_t(s32, reg->s32_max_value, > > > > - var32_off.value | (var32_off.mask & S32_MAX)); > > > > - reg->u32_min_value = max_t(u32, reg->u32_min_value, (u32)var32_off.value); > > > > + reg->s32_max_value = min(reg->s32_max_value, > > > > + (s32)(var32_off.value | (var32_off.mask & S32_MAX))); > > > > > > Nack. > > > This is plain ugly for no good reason. > > > Leave the code as-is. > > > > It is really horrid before. > > From what i remember var32_off.value (and .mask) are both u64. > > The pattern actually patches that used a few lines down the file. > > > > I've been trying to build allmodconfig with the size test added to min_t() > > and max_t(). > > The number of real (or potentially real) bugs I've found is stunning. > > The only fix is to nuke min_t() and max_t() to they can't be used. > > No. min_t() is going to stay. It's not broken and > this crusade against it is inappropriate. I bet to differ... > > The basic problem is the people have used the type of the target not that > > of the largest parameter. > > The might be ok for ulong v uint (on 64bit), but there are plenty of places > > where u16 and u8 are used - a lot are pretty much buggy. > > > > Perhaps the worst ones I've found are with clamp_t(), > > this is from 2/44: > > - (raw_inode)->xtime = cpu_to_le32(clamp_t(int32_t, (ts).tv_sec, S32_MIN, S32_MAX)); \ > > + (raw_inode)->xtime = cpu_to_le32(clamp((ts).tv_sec, S32_MIN, S32_MAX)); \ > > If also found clamp_t(u8, xxx, 0, 255). > > > > There are just so many broken examples. > > clamp_t(u8, xxx, 0, 255) is not wrong. It's silly, but > it's doing the right thing and one can argue and explicit > clamp values serve as a documentation. Not when you look at some of the code that uses it. The clear intention is to saturate a large value - which isn't what it does. > clamp_t(int32_t, (ts).tv_sec, S32_MIN, S32_MAX)) is indeed incorrect, > but it's a bug in the implementation of __clamp_once(). > Fix it, instead of spamming people with "_t" removal. It is too late by the time you get to clamp_once(). The 'type' for all the xxx_t() functions is an input cast, not the type for the result. clamp_t(type, v, lo, hi) has always been clamp((type)v, (type)lo, type(hi)). From a code correctness point of view you pretty much never want those casts. I've already fixed clamp() so it doesn't complain about comparing s64 against s32. The next stage is to change pretty much all the xxx_t() to plain xxx(). If you've got some spare time try issuing read calls with a 4GB buffer to all the subsystems you can find - and see how many loop for ever. (I think you can do that with readv() and a single buffer.) The issue there is that a lot use min_t(u32, max_frag_size, xfer_size) to split operations - and xfer_size is size_t (so I'm pretty sure there are ways to get 4GB in there). David
On Sun, Nov 23, 2025 at 10:07 AM David Laight <david.laight.linux@gmail.com> wrote: > > On Sun, 23 Nov 2025 08:39:51 -0800 > Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote: > > > On Fri, Nov 21, 2025 at 2:21 PM David Laight > > <david.laight.linux@gmail.com> wrote: > > > > > > On Fri, 21 Nov 2025 13:40:36 -0800 > > > Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote: > > > > > > > On Wed, Nov 19, 2025 at 2:42 PM <david.laight.linux@gmail.com> wrote: > > > > > > > > > > From: David Laight <david.laight.linux@gmail.com> > > > > > > > > > > min_t() and max_t() are normally used to change the signedness > > > > > of a positive value to avoid a signed-v-unsigned compare warning. > > > > > > > > > > However they are used here to convert an unsigned 64bit pattern > > > > > to a signed to a 32/64bit signed number. > > > > > To avoid any confusion use plain min()/max() and explicitely cast > > > > > the u64 expression to the correct signed value. > > > > > > > > > > Use a simple max() for the max_pkt_offset calulation and delete the > > > > > comment about why the cast to u32 is safe. > > > > > > > > > > Signed-off-by: David Laight <david.laight.linux@gmail.com> > > > > > --- > > > > > kernel/bpf/verifier.c | 29 +++++++++++------------------ > > > > > 1 file changed, 11 insertions(+), 18 deletions(-) > > > > > > > > > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > > > > > index ff40e5e65c43..22fa9769fbdb 100644 > > > > > --- a/kernel/bpf/verifier.c > > > > > +++ b/kernel/bpf/verifier.c > > > > > @@ -2319,12 +2319,12 @@ static void __update_reg32_bounds(struct bpf_reg_state *reg) > > > > > struct tnum var32_off = tnum_subreg(reg->var_off); > > > > > > > > > > /* min signed is max(sign bit) | min(other bits) */ > > > > > - reg->s32_min_value = max_t(s32, reg->s32_min_value, > > > > > - var32_off.value | (var32_off.mask & S32_MIN)); > > > > > + reg->s32_min_value = max(reg->s32_min_value, > > > > > + (s32)(var32_off.value | (var32_off.mask & S32_MIN))); > > > > > /* max signed is min(sign bit) | max(other bits) */ > > > > > - reg->s32_max_value = min_t(s32, reg->s32_max_value, > > > > > - var32_off.value | (var32_off.mask & S32_MAX)); > > > > > - reg->u32_min_value = max_t(u32, reg->u32_min_value, (u32)var32_off.value); > > > > > + reg->s32_max_value = min(reg->s32_max_value, > > > > > + (s32)(var32_off.value | (var32_off.mask & S32_MAX))); > > > > > > > > Nack. > > > > This is plain ugly for no good reason. > > > > Leave the code as-is. > > > > > > It is really horrid before. > > > From what i remember var32_off.value (and .mask) are both u64. > > > The pattern actually patches that used a few lines down the file. > > > > > > I've been trying to build allmodconfig with the size test added to min_t() > > > and max_t(). > > > The number of real (or potentially real) bugs I've found is stunning. > > > The only fix is to nuke min_t() and max_t() to they can't be used. > > > > No. min_t() is going to stay. It's not broken and > > this crusade against it is inappropriate. > > I bet to differ... > > > > The basic problem is the people have used the type of the target not that > > > of the largest parameter. > > > The might be ok for ulong v uint (on 64bit), but there are plenty of places > > > where u16 and u8 are used - a lot are pretty much buggy. > > > > > > Perhaps the worst ones I've found are with clamp_t(), > > > this is from 2/44: > > > - (raw_inode)->xtime = cpu_to_le32(clamp_t(int32_t, (ts).tv_sec, S32_MIN, S32_MAX)); \ > > > + (raw_inode)->xtime = cpu_to_le32(clamp((ts).tv_sec, S32_MIN, S32_MAX)); \ > > > If also found clamp_t(u8, xxx, 0, 255). > > > > > > There are just so many broken examples. > > > > clamp_t(u8, xxx, 0, 255) is not wrong. It's silly, but > > it's doing the right thing and one can argue and explicit > > clamp values serve as a documentation. > > Not when you look at some of the code that uses it. > The clear intention is to saturate a large value - which isn't what it does. > > > clamp_t(int32_t, (ts).tv_sec, S32_MIN, S32_MAX)) is indeed incorrect, > > but it's a bug in the implementation of __clamp_once(). > > Fix it, instead of spamming people with "_t" removal. > > It is too late by the time you get to clamp_once(). > The 'type' for all the xxx_t() functions is an input cast, not the type > for the result. > clamp_t(type, v, lo, hi) has always been clamp((type)v, (type)lo, type(hi)). > From a code correctness point of view you pretty much never want those casts. Historical behavior doesn't justify a footgun. You definitely can make clampt_t() to behave like clamp_val() plus the final cast. Also note: git grep -w clamp_val|wc -l 818 git grep -w clamp_t|wc -l 494 a safer macro is already used more often. > I've already fixed clamp() so it doesn't complain about comparing s64 against s32. > The next stage is to change pretty much all the xxx_t() to plain xxx(). Nack to that. Fix the problem. Not the symptom.
On Sun, 23 Nov 2025 11:20:03 -0800 Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote: > On Sun, Nov 23, 2025 at 10:07 AM David Laight > <david.laight.linux@gmail.com> wrote: > > > > On Sun, 23 Nov 2025 08:39:51 -0800 > > Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote: > > > > > On Fri, Nov 21, 2025 at 2:21 PM David Laight > > > <david.laight.linux@gmail.com> wrote: > > > > > > > > On Fri, 21 Nov 2025 13:40:36 -0800 > > > > Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote: > > > > > > > > > On Wed, Nov 19, 2025 at 2:42 PM <david.laight.linux@gmail.com> wrote: > > > > > > > > > > > > From: David Laight <david.laight.linux@gmail.com> > > > > > > > > > > > > min_t() and max_t() are normally used to change the signedness > > > > > > of a positive value to avoid a signed-v-unsigned compare warning. > > > > > > > > > > > > However they are used here to convert an unsigned 64bit pattern > > > > > > to a signed to a 32/64bit signed number. > > > > > > To avoid any confusion use plain min()/max() and explicitely cast > > > > > > the u64 expression to the correct signed value. > > > > > > > > > > > > Use a simple max() for the max_pkt_offset calulation and delete the > > > > > > comment about why the cast to u32 is safe. > > > > > > > > > > > > Signed-off-by: David Laight <david.laight.linux@gmail.com> > > > > > > --- > > > > > > kernel/bpf/verifier.c | 29 +++++++++++------------------ > > > > > > 1 file changed, 11 insertions(+), 18 deletions(-) > > > > > > > > > > > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > > > > > > index ff40e5e65c43..22fa9769fbdb 100644 > > > > > > --- a/kernel/bpf/verifier.c > > > > > > +++ b/kernel/bpf/verifier.c > > > > > > @@ -2319,12 +2319,12 @@ static void __update_reg32_bounds(struct bpf_reg_state *reg) > > > > > > struct tnum var32_off = tnum_subreg(reg->var_off); > > > > > > > > > > > > /* min signed is max(sign bit) | min(other bits) */ > > > > > > - reg->s32_min_value = max_t(s32, reg->s32_min_value, > > > > > > - var32_off.value | (var32_off.mask & S32_MIN)); > > > > > > + reg->s32_min_value = max(reg->s32_min_value, > > > > > > + (s32)(var32_off.value | (var32_off.mask & S32_MIN))); > > > > > > /* max signed is min(sign bit) | max(other bits) */ > > > > > > - reg->s32_max_value = min_t(s32, reg->s32_max_value, > > > > > > - var32_off.value | (var32_off.mask & S32_MAX)); > > > > > > - reg->u32_min_value = max_t(u32, reg->u32_min_value, (u32)var32_off.value); > > > > > > + reg->s32_max_value = min(reg->s32_max_value, > > > > > > + (s32)(var32_off.value | (var32_off.mask & S32_MAX))); > > > > > > > > > > Nack. > > > > > This is plain ugly for no good reason. > > > > > Leave the code as-is. > > > > > > > > It is really horrid before. > > > > From what i remember var32_off.value (and .mask) are both u64. > > > > The pattern actually patches that used a few lines down the file. > > > > > > > > I've been trying to build allmodconfig with the size test added to min_t() > > > > and max_t(). > > > > The number of real (or potentially real) bugs I've found is stunning. > > > > The only fix is to nuke min_t() and max_t() to they can't be used. > > > > > > No. min_t() is going to stay. It's not broken and > > > this crusade against it is inappropriate. > > > > I bet to differ... > > > > > > The basic problem is the people have used the type of the target not that > > > > of the largest parameter. > > > > The might be ok for ulong v uint (on 64bit), but there are plenty of places > > > > where u16 and u8 are used - a lot are pretty much buggy. > > > > > > > > Perhaps the worst ones I've found are with clamp_t(), > > > > this is from 2/44: > > > > - (raw_inode)->xtime = cpu_to_le32(clamp_t(int32_t, (ts).tv_sec, S32_MIN, S32_MAX)); \ > > > > + (raw_inode)->xtime = cpu_to_le32(clamp((ts).tv_sec, S32_MIN, S32_MAX)); \ > > > > If also found clamp_t(u8, xxx, 0, 255). > > > > > > > > There are just so many broken examples. > > > > > > clamp_t(u8, xxx, 0, 255) is not wrong. It's silly, but > > > it's doing the right thing and one can argue and explicit > > > clamp values serve as a documentation. > > > > Not when you look at some of the code that uses it. > > The clear intention is to saturate a large value - which isn't what it does. > > > > > clamp_t(int32_t, (ts).tv_sec, S32_MIN, S32_MAX)) is indeed incorrect, > > > but it's a bug in the implementation of __clamp_once(). > > > Fix it, instead of spamming people with "_t" removal. > > > > It is too late by the time you get to clamp_once(). > > The 'type' for all the xxx_t() functions is an input cast, not the type > > for the result. > > clamp_t(type, v, lo, hi) has always been clamp((type)v, (type)lo, type(hi)). > > From a code correctness point of view you pretty much never want those casts. > > Historical behavior doesn't justify a footgun. > You definitely can make clampt_t() to behave like clamp_val() plus > the final cast. clamp_val() is actually the worst of the lot. > Also note: > git grep -w clamp_val|wc -l > 818 > git grep -w clamp_t|wc -l > 494 > > a safer macro is already used more often. clamp_val() is worse than clamp_t() ... Nope... The problem is that clamp() requires all three parameters have the same type. Coders are lazy and want to write clamp(variable, 1, 10). This was fine if 'variable' had type 'int', but if it was 'unsigned int' you had to write clamp(variable, 1u, 10u), worse if it is 'u8' you to either cast both constants clamp(variable, (u8)1, (u8)10) or the variable clamp((int)variable, 1, 10). It the types/values aren't immediately obvious then any of those casts can discard high bits. A lot of the clamp_val() are actually for u8 structure members. One thing to remember about C is it doesn't have any maths operators for u8, the values are always promoted to 'int' before anything happens. So if you write (foo->u8_member > 4 ? foo->u8_member : 4) the comparison is done as an integer one. Add some casts ((u8)f->m > (u8)x ? (u8)f->m : (u8)x) then the values are all masked to 8 bits, promoted to 32 and then compared. Even the ?: operator promotes its arguments and has a result type of 'int'. Consider clamp_val(f->u8_m, LO, HI); If HI is 255 it is fine, make HI 256 (perhaps it is sizeof() and something got changed) and you suddenly have clamp(f->u8_m, LO, 0). It is all just so fragile. Maybe you are trying to find the 'chunk size' for a transfer of some kind. If the transfer size is 'small' it might be in a 'u32', you want to limit it to the size of the hardware's PCIe window - so do: copy_size = min(transfer_size, hardware_window_size); But the hardware_window_size is a size_t (so 64bit). The old min() would complain about the type mismatch, since the hardware_window_size might actually be 4GB (that is true) casting to u32 is broken - you have to use the larger type. But it might be the other way around, transfer_size is u64 and hardware_window_size is u32, you still have to cast to u64 - but this time it is the size of the other parameter. The trouble is people have a habit of using the type they want for the result, u32 in both the above and wrong twice. But it was only the type check in min() that caused a problem. Without the casts the compiler generates the right code, the only problem is when a signed variable might contain a negative value that gets promoted to a large negative value. The current implementations of min/max/clamp only generate an error if they can't prove that negative values won't be promoted to large unsigned values. This is all fine provided the variable/expressions have the correct type for the value they contain - and they usually do. But for this bpf code the type of 'var32_off.value | (var32_off.mask & S32_MIN)' is actually u64, it really does need an explicit cast to s32. David > > > I've already fixed clamp() so it doesn't complain about comparing s64 against s32. > > The next stage is to change pretty much all the xxx_t() to plain xxx(). > > Nack to that. Fix the problem. Not the symptom.
© 2016 - 2025 Red Hat, Inc.