From: SeongJae Park <sj@kernel.org>
To: stable@vger.kernel.org, gregkh@linuxfoundation.org
Cc: David Laight <David.Laight@ACULAB.COM>,
linux-kernel@vger.kernel.org,
David Laight <david.laight@aculab.com>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Christoph Hellwig <hch@infradead.org>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Matthew Wilcox <willy@infradead.org>,
Andrew Morton <akpm@linux-foundation.org>,
SeongJae Park <sj@kernel.org>
Subject: [PATCH 6.1.y 4/7] minmax: allow min()/max()/clamp() if the arguments have the same signedness.
Date: Tue, 16 Jul 2024 10:52:02 -0700 [thread overview]
Message-ID: <20240716175205.51280-5-sj@kernel.org> (raw)
In-Reply-To: <20240716175205.51280-1-sj@kernel.org>
From: David Laight <David.Laight@ACULAB.COM>
commit d03eba99f5bf7cbc6e2fdde3b6fa36954ad58e09 upstream.
The type-check in min()/max() is there to stop unexpected results if a
negative value gets converted to a large unsigned value. However it also
rejects 'unsigned int' v 'unsigned long' compares which are common and
never problematc.
Replace the 'same type' check with a 'same signedness' check.
The new test isn't itself a compile time error, so use static_assert() to
report the error and give a meaningful error message.
Due to the way builtin_choose_expr() works detecting the error in the
'non-constant' side (where static_assert() can be used) also detects
errors when the arguments are constant.
Link: https://lkml.kernel.org/r/fe7e6c542e094bfca655abcd323c1c98@AcuMS.aculab.com
Signed-off-by: David Laight <david.laight@aculab.com>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit d03eba99f5bf7cbc6e2fdde3b6fa36954ad58e09)
Signed-off-by: SeongJae Park <sj@kernel.org>
---
include/linux/minmax.h | 60 ++++++++++++++++++++++--------------------
1 file changed, 32 insertions(+), 28 deletions(-)
diff --git a/include/linux/minmax.h b/include/linux/minmax.h
index e8e9642809e0..501fab582d68 100644
--- a/include/linux/minmax.h
+++ b/include/linux/minmax.h
@@ -11,9 +11,8 @@
*
* - avoid multiple evaluations of the arguments (so side-effects like
* "x++" happen only once) when non-constant.
- * - perform strict type-checking (to generate warnings instead of
- * nasty runtime surprises). See the "unnecessary" pointer comparison
- * in __typecheck().
+ * - perform signed v unsigned type-checking (to generate compile
+ * errors instead of nasty runtime surprises).
* - retain result as a constant expressions when called with only
* constant expressions (to avoid tripping VLA warnings in stack
* allocation usage).
@@ -21,23 +20,30 @@
#define __typecheck(x, y) \
(!!(sizeof((typeof(x) *)1 == (typeof(y) *)1)))
-#define __no_side_effects(x, y) \
- (__is_constexpr(x) && __is_constexpr(y))
+/* is_signed_type() isn't a constexpr for pointer types */
+#define __is_signed(x) \
+ __builtin_choose_expr(__is_constexpr(is_signed_type(typeof(x))), \
+ is_signed_type(typeof(x)), 0)
-#define __safe_cmp(x, y) \
- (__typecheck(x, y) && __no_side_effects(x, y))
+#define __types_ok(x, y) \
+ (__is_signed(x) == __is_signed(y))
-#define __cmp(x, y, op) ((x) op (y) ? (x) : (y))
+#define __cmp_op_min <
+#define __cmp_op_max >
-#define __cmp_once(x, y, unique_x, unique_y, op) ({ \
+#define __cmp(op, x, y) ((x) __cmp_op_##op (y) ? (x) : (y))
+
+#define __cmp_once(op, x, y, unique_x, unique_y) ({ \
typeof(x) unique_x = (x); \
typeof(y) unique_y = (y); \
- __cmp(unique_x, unique_y, op); })
+ static_assert(__types_ok(x, y), \
+ #op "(" #x ", " #y ") signedness error, fix types or consider u" #op "() before " #op "_t()"); \
+ __cmp(op, unique_x, unique_y); })
-#define __careful_cmp(x, y, op) \
- __builtin_choose_expr(__safe_cmp(x, y), \
- __cmp(x, y, op), \
- __cmp_once(x, y, __UNIQUE_ID(__x), __UNIQUE_ID(__y), op))
+#define __careful_cmp(op, x, y) \
+ __builtin_choose_expr(__is_constexpr((x) - (y)), \
+ __cmp(op, x, y), \
+ __cmp_once(op, x, y, __UNIQUE_ID(__x), __UNIQUE_ID(__y)))
#define __clamp(val, lo, hi) \
((val) >= (hi) ? (hi) : ((val) <= (lo) ? (lo) : (val)))
@@ -46,17 +52,15 @@
typeof(val) unique_val = (val); \
typeof(lo) unique_lo = (lo); \
typeof(hi) unique_hi = (hi); \
+ static_assert(__builtin_choose_expr(__is_constexpr((lo) > (hi)), \
+ (lo) <= (hi), true), \
+ "clamp() low limit " #lo " greater than high limit " #hi); \
+ static_assert(__types_ok(val, lo), "clamp() 'lo' signedness error"); \
+ static_assert(__types_ok(val, hi), "clamp() 'hi' signedness error"); \
__clamp(unique_val, unique_lo, unique_hi); })
-#define __clamp_input_check(lo, hi) \
- (BUILD_BUG_ON_ZERO(__builtin_choose_expr( \
- __is_constexpr((lo) > (hi)), (lo) > (hi), false)))
-
#define __careful_clamp(val, lo, hi) ({ \
- __clamp_input_check(lo, hi) + \
- __builtin_choose_expr(__typecheck(val, lo) && __typecheck(val, hi) && \
- __typecheck(hi, lo) && __is_constexpr(val) && \
- __is_constexpr(lo) && __is_constexpr(hi), \
+ __builtin_choose_expr(__is_constexpr((val) - (lo) + (hi)), \
__clamp(val, lo, hi), \
__clamp_once(val, lo, hi, __UNIQUE_ID(__val), \
__UNIQUE_ID(__lo), __UNIQUE_ID(__hi))); })
@@ -66,14 +70,14 @@
* @x: first value
* @y: second value
*/
-#define min(x, y) __careful_cmp(x, y, <)
+#define min(x, y) __careful_cmp(min, x, y)
/**
* max - return maximum of two values of the same or compatible types
* @x: first value
* @y: second value
*/
-#define max(x, y) __careful_cmp(x, y, >)
+#define max(x, y) __careful_cmp(max, x, y)
/**
* umin - return minimum of two non-negative values
@@ -82,7 +86,7 @@
* @y: second value
*/
#define umin(x, y) \
- __careful_cmp((x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull, <)
+ __careful_cmp(min, (x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull)
/**
* umax - return maximum of two non-negative values
@@ -90,7 +94,7 @@
* @y: second value
*/
#define umax(x, y) \
- __careful_cmp((x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull, >)
+ __careful_cmp(max, (x) + 0u + 0ul + 0ull, (y) + 0u + 0ul + 0ull)
/**
* min3 - return minimum of three values
@@ -142,7 +146,7 @@
* @x: first value
* @y: second value
*/
-#define min_t(type, x, y) __careful_cmp((type)(x), (type)(y), <)
+#define min_t(type, x, y) __careful_cmp(min, (type)(x), (type)(y))
/**
* max_t - return maximum of two values, using the specified type
@@ -150,7 +154,7 @@
* @x: first value
* @y: second value
*/
-#define max_t(type, x, y) __careful_cmp((type)(x), (type)(y), >)
+#define max_t(type, x, y) __careful_cmp(max, (type)(x), (type)(y))
/**
* clamp_t - return a value clamped to a given range using a given type
--
2.39.2
next prev parent reply other threads:[~2024-07-16 17:52 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-16 17:51 [PATCH 6.1.y 0/7] Backport patches for DAMON merge regions fix SeongJae Park
2024-07-16 17:51 ` [PATCH 6.1.y 1/7] minmax: sanity check constant bounds when clamping SeongJae Park
2024-07-16 17:52 ` [PATCH 6.1.y 2/7] minmax: clamp more efficiently by avoiding extra comparison SeongJae Park
2024-07-16 17:52 ` [PATCH 6.1.y 3/7] minmax: fix header inclusions SeongJae Park
2024-07-16 17:52 ` SeongJae Park [this message]
2024-07-16 17:52 ` [PATCH 6.1.y 5/7] minmax: allow comparisons of 'int' against 'unsigned char/short' SeongJae Park
2024-07-16 17:52 ` [PATCH 6.1.y 6/7] minmax: relax check to allow comparison between unsigned arguments and signed constants SeongJae Park
2024-07-16 17:52 ` [PATCH 6.1.y 7/7] mm/damon/core: merge regions aggressively when max_nr_regions is unmet SeongJae Park
2024-07-23 12:09 ` Patch "mm/damon/core: merge regions aggressively when max_nr_regions is unmet" has been added to the 6.1-stable tree gregkh
2024-07-16 18:23 ` [PATCH 6.1.y 0/7] Backport patches for DAMON merge regions fix Greg KH
2024-07-23 12:10 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240716175205.51280-5-sj@kernel.org \
--to=sj@kernel.org \
--cc=David.Laight@ACULAB.COM \
--cc=Jason@zx2c4.com \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=gregkh@linuxfoundation.org \
--cc=hch@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.