Re: [PATCH] PCI: Test for bit underflow in pcie_set_readrq()

[Kees Cook <kees@kernel.org>]

On Mon, Sep 08, 2025 at 03:53:49PM -0500, Bjorn Helgaas wrote:
> On Thu, Sep 04, 2025 at 10:28:41PM -0700, Kees Cook wrote:
> > After commit cbc654d18d37 ("bitops: Add __attribute_const__ to generic
> > ffs()-family implementations"), which allows GCC's value range tracker
> > to see past ffs(), GCC 8 on ARM thinks that it might be possible that
> > "ffs(rq) - 8" used here:
> > 
> > 	v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, ffs(rq) - 8);
> > 
> > could wrap below 0, leading to a very large value, which would be out of
> > range for the FIELD_PREP() usage:
> > 
> > drivers/pci/pci.c: In function 'pcie_set_readrq':
> > include/linux/compiler_types.h:572:38: error: call to '__compiletime_assert_471' declared with attribute error: FIELD_PREP: value too large for the field
> > ...
> > drivers/pci/pci.c:5896:6: note: in expansion of macro 'FIELD_PREP'
> >   v = FIELD_PREP(PCI_EXP_DEVCTL_READRQ, ffs(rq) - 8);
> >       ^~~~~~~~~~
> > 
> > If the result of the ffs() is bounds checked before being used in
> > FIELD_PREP(), the value tracker seems happy again. :)
> > 
> > Fixes: cbc654d18d37 ("bitops: Add __attribute_const__ to generic ffs()-family implementations")
> 
> What's your plan for merging cbc654d18d37?  I suppose it's intended
> for v6.18?  If it will appear in v6.17, let me know so I can merge
> this for it as well.

I had it planned for v6.18.

> Maybe this should go in v6.17 regardless, to avoid a warning
> regression between this patch and cbc654d18d37?

Sure, or I could take it as part of the ffs series?

-Kees

-- 
Kees Cook