The patch titled
Subject: kernel.h: introduce const_max() for VLA removal
has been added to the -mm tree. Its filename is
kernelh-introduce-const_max-for-vla-removal.patch
This patch should soon appear at
http://ozlabs.org/~akpm/mmots/broken-out/kernelh-introduce-const_max-for-vla-removal.patch
and later at
http://ozlabs.org/~akpm/mmotm/broken-out/kernelh-introduce-const_max-for-vla-removal.patch
Before you just go and hit "reply", please:
a) Consider who else should be cc'ed
b) Prefer to cc a suitable mailing list as well
c) Ideally: find the original patch on the mailing list and do a
reply-to-all to that, adding suitable additional cc's
*** Remember to use Documentation/process/submit-checklist.rst when testing your code ***
The -mm tree is included into linux-next and is updated
there every 3-4 working days
------------------------------------------------------
From: Kees Cook <keescook@xxxxxxxxxxxx>
Subject: kernel.h: introduce const_max() for VLA removal
In the effort to remove all VLAs from the kernel[1], it is desirable to
build with -Wvla. However, this warning is overly pessimistic, in that it
is only happy with stack array sizes that are declared as constant
expressions, and not constant values. One case of this is the evaluation
of the max() macro which, due to its construction, ends up converting
constant expression arguments into a constant value result. Attempts to
adjust the behavior of max() ran afoul of version-dependent compiler
behavior[2].
To work around this and still gain -Wvla coverage, this patch introduces a
new macro, const_max(), for use in these cases of stack array size
declaration, where the constant expressions are retained. Since this
means losing the double-evaluation protections of the max() macro, this
macro is designed to explicitly fail if used on non-constant arguments.
Older compilers will fail with the unhelpful message:
error: first argument to `__builtin_choose_expr' not a constant
Newer compilers will fail with a hopefully more helpful message:
error: call to `__error_not_const_arg' declared with attribute error: const_max() used with non-compile-time constant arg
To gain the ability to compare differing types, the arguments are
explicitly cast to size_t. Without this, some compiler versions will fail
when comparing different enum types or similar constant expression cases.
With the casting, it's possible to do things like:
int foo[const_max(6, sizeof(something))];
[1] https://lkml.org/lkml/2018/3/7/621
[2] https://lkml.org/lkml/2018/3/10/170
Link: http://lkml.kernel.org/r/1521143266-31350-2-git-send-email-keescook@xxxxxxxxxxxx
Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
Cc: Josh Poimboeuf <jpoimboe@xxxxxxxxxx>
Cc: Rasmus Villemoes <linux@xxxxxxxxxxxxxxxxxx>
Cc: Randy Dunlap <rdunlap@xxxxxxxxxxxxx>
Cc: Miguel Ojeda <miguel.ojeda.sandonis@xxxxxxxxx>
Cc: Ingo Molnar <mingo@xxxxxxxxxx>
Cc: David Laight <David.Laight@xxxxxxxxxx>
Cc: Ian Abbott <abbotti@xxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---
include/linux/kernel.h | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff -puN include/linux/kernel.h~kernelh-introduce-const_max-for-vla-removal include/linux/kernel.h
--- a/include/linux/kernel.h~kernelh-introduce-const_max-for-vla-removal
+++ a/include/linux/kernel.h
@@ -823,6 +823,25 @@ static inline void ftrace_dump(enum ftra
x, y)
/**
+ * const_max - return maximum of two positive compile-time constant values
+ * @x: first compile-time constant value
+ * @y: second compile-time constant value
+ *
+ * This has no type checking nor multi-evaluation defenses, and must
+ * only ever be used with positive compile-time constant values (for
+ * example when calculating a stack array size).
+ */
+size_t __error_not_const_arg(void) \
+__compiletime_error("const_max() used with non-compile-time constant arg");
+#define const_max(x, y) \
+ __builtin_choose_expr(__builtin_constant_p(x) && \
+ __builtin_constant_p(y), \
+ (size_t)(x) > (size_t)(y) ? \
+ (size_t)(x) : \
+ (size_t)(y), \
+ __error_not_const_arg())
+
+/**
* min3 - return minimum of three values
* @x: first value
* @y: second value
_
Patches currently in -mm which might be from keescook@xxxxxxxxxxxx are
taint-convert-to-indexed-initialization.patch
taint-consolidate-documentation.patch
taint-add-taint-for-randstruct.patch
kernelh-introduce-const_max-for-vla-removal.patch
remove-false-positive-vlas-when-using-max.patch
test_bitmap-do-not-accidentally-use-stack-vla.patch
fork-unconditionally-clear-stack-on-fork.patch
exec-pass-stack-rlimit-into-mm-layout-functions.patch
exec-introduce-finalize_exec-before-start_thread.patch
exec-pin-stack-limit-during-exec.patch
--
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
