On Wed, Apr 15, 2020 at 07:44:09AM -0400, Sasha Levin wrote:
> From: Rikard Falkeborn <rikard.falkeborn@xxxxxxxxx>
>
> [ Upstream commit 295bcca84916cb5079140a89fccb472bb8d1f6e2 ]
>
> GENMASK() and GENMASK_ULL() are supposed to be called with the high bit as
> the first argument and the low bit as the second argument. Mixing them
> will return a mask with zero bits set.
>
> Recent commits show getting this wrong is not uncommon, see e.g. commit
> aa4c0c9091b0 ("net: stmmac: Fix misuses of GENMASK macro") and commit
> 9bdd7bb3a844 ("clocksource/drivers/npcm: Fix misuse of GENMASK macro").
>
> To prevent such mistakes from appearing again, add compile time sanity
> checking to the arguments of GENMASK() and GENMASK_ULL(). If both
> arguments are known at compile time, and the low bit is higher than the
> high bit, break the build to detect the mistake immediately.
>
> Since GENMASK() is used in declarations, BUILD_BUG_ON_ZERO() must be used
> instead of BUILD_BUG_ON().
>
> __builtin_constant_p does not evaluate is argument, it only checks if it
> is a constant or not at compile time, and __builtin_choose_expr does not
> evaluate the expression that is not chosen. Therefore, GENMASK(x++, 0)
> does only evaluate x++ once.
>
> Commit 95b980d62d52 ("linux/bits.h: make BIT(), GENMASK(), and friends
> available in assembly") made the macros in linux/bits.h available in
> assembly. Since BUILD_BUG_OR_ZERO() is not asm compatible, disable the
> checks if the file is included in an asm file.
>
> Due to bugs in GCC versions before 4.9 [0], disable the check if building
> with a too old GCC compiler.
>
> [0]: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=19449
>
> Signed-off-by: Rikard Falkeborn <rikard.falkeborn@xxxxxxxxx>
> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> Reviewed-by: Masahiro Yamada <yamada.masahiro@xxxxxxxxxxxxx>
> Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: Borislav Petkov <bp@xxxxxxxxx>
> Cc: Geert Uytterhoeven <geert@xxxxxxxxxxxxxx>
> Cc: Haren Myneni <haren@xxxxxxxxxx>
> Cc: Joe Perches <joe@xxxxxxxxxxx>
> Cc: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
> Cc: lkml <linux-kernel@xxxxxxxxxxxxxxx>
> Cc: Ingo Molnar <mingo@xxxxxxxxxx>
> Cc: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
> Link: http://lkml.kernel.org/r/20200308193954.2372399-1-rikard.falkeborn@xxxxxxxxx
> Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
> ---
> include/linux/bits.h | 22 ++++++++++++++++++++--
> 1 file changed, 20 insertions(+), 2 deletions(-)
>
> diff --git a/include/linux/bits.h b/include/linux/bits.h
> index 669d69441a625..f108302a3121c 100644
> --- a/include/linux/bits.h
> +++ b/include/linux/bits.h
> @@ -18,12 +18,30 @@
> * position @h. For example
> * GENMASK_ULL(39, 21) gives us the 64bit vector 0x000000ffffe00000.
> */
> -#define GENMASK(h, l) \
> +#if !defined(__ASSEMBLY__) && \
> + (!defined(CONFIG_CC_IS_GCC) || CONFIG_GCC_VERSION >= 49000)
> +#include <linux/build_bug.h>
> +#define GENMASK_INPUT_CHECK(h, l) \
> + (BUILD_BUG_ON_ZERO(__builtin_choose_expr( \
> + __builtin_constant_p((l) > (h)), (l) > (h), 0)))
> +#else
> +/*
> + * BUILD_BUG_ON_ZERO is not available in h files included from asm files,
> + * disable the input check if that is the case.
> + */
> +#define GENMASK_INPUT_CHECK(h, l) 0
> +#endif
> +
> +#define __GENMASK(h, l) \
> (((~UL(0)) - (UL(1) << (l)) + 1) & \
> (~UL(0) >> (BITS_PER_LONG - 1 - (h))))
> +#define GENMASK(h, l) \
> + (GENMASK_INPUT_CHECK(h, l) + __GENMASK(h, l))
>
> -#define GENMASK_ULL(h, l) \
> +#define __GENMASK_ULL(h, l) \
> (((~ULL(0)) - (ULL(1) << (l)) + 1) & \
> (~ULL(0) >> (BITS_PER_LONG_LONG - 1 - (h))))
> +#define GENMASK_ULL(h, l) \
> + (GENMASK_INPUT_CHECK(h, l) + __GENMASK_ULL(h, l))
>
> #endif /* __LINUX_BITS_H */
> --
> 2.20.1
>
This does not really fix anything, it's compile time prevention, so I
don't know how appropriate this is for stable (it was also picked for
5.5 and 5.6, but I'm just replying here now, I can ping the other
selections if necessary if the patch should be dropped)?
Also, for 5.4, it does somewhat depend on commit 8788994376d8
("linux/build_bug.h: change type to int"). Without it, there may be a
subtle integer promotion issue if sizeof(size_t) > sizeof(unsigned long)
(I don't *think* such platform exists, but I don't have a warm a fuzzy
feeling about it).
Rikard
