From: Kees Cook <kees@kernel.org>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Vincent Mailhol <mailhol@kernel.org>,
Justin Stitt <justinstitt@google.com>,
Marco Elver <elver@google.com>,
Andrey Konovalov <andreyknvl@gmail.com>,
Andrey Ryabinin <ryabinin.a.a@gmail.com>,
Jonathan Corbet <corbet@lwn.net>,
Shuah Khan <skhan@linuxfoundation.org>,
Miguel Ojeda <ojeda@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
kasan-dev@googlegroups.com, linux-doc@vger.kernel.org,
llvm@lists.linux.dev,
Linus Torvalds <torvalds@linux-foundation.org>,
Nicolas Schier <nsc@kernel.org>, Arnd Bergmann <arnd@arndb.de>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org,
linux-kbuild@vger.kernel.org
Subject: Re: [PATCH 3/5] compiler_attributes: Add overflow_behavior macros __ob_trap and __ob_wrap
Date: Wed, 1 Apr 2026 12:43:58 -0700 [thread overview]
Message-ID: <202604011242.3E8F635CD@keescook> (raw)
In-Reply-To: <20260401092027.GW3738786@noisy.programming.kicks-ass.net>
On Wed, Apr 01, 2026 at 11:20:27AM +0200, Peter Zijlstra wrote:
> On Wed, Apr 01, 2026 at 09:19:51AM +0200, Vincent Mailhol wrote:
> > Le 31/03/2026 à 18:37, Kees Cook a écrit :
>
> > > + - Saturate (explicitly hold the maximum or minimum representable value)
> >
> > I just wanted to ask how much consideration was put into this last
> > "saturate" option.
> >
> > When speaking of "safe" as in "functional safety" this seems a good
> > option to me. The best option is of course proper handling, but as
> > discussed, we are speaking of the scenario in which the code is already
> > buggy and which is the fallout option doing the least damage.
> >
> > What I have in mind is a new __ob_saturate type qualifier. Something like:
> >
> > void foo(int num)
> > {
> > int __ob_saturate saturate_var = num;
> >
> > saturate_var += 42;
> > }
> >
> > would just print a warning and continue execution, thus solving the
> > trapping issue. The above code would generate something equivalent to that:
> >
> > void foo(int num)
> > {
> > int __ob_saturate saturate_var = num;
> >
> > if (check_add_overflow(saturate_var, increment,
> > &saturate_var) {
> > WARN(true, "saturation occurred");
> > saturate_var = type_max(saturate_var);
> > }
>
> So I would like to second this option as being interesting.
>
> But while pondering it, I did want to note that all of the options, with
> the exception of __ob_wrap (which is effectively what we have today for
> *everything*), will be 'interesting' to compose with _Atomic, another
> one of these qualifiers.
>
> Now, in the kernel we don't use _Atomic, so strictly speaking I don't
> care ;-) But here goes...
>
> Something like _Atomic int __ob_wrap, is trivial and good.
>
> _Atomic int __ob_trap is either doable or impossible depending on how
> you define the result to be on 'trap'. Specifically, the semantics
> proposed where it keeps the old value makes it impossible.
>
> And _Atomic int __ob_saturate is equally 'challenging', since the
> fundamental thing of 'reset to min/max on under/over-flow' is rather
> a non-atomic kind of thing. Look at the trouble we went through with
> refcount_t to sort of make this work.
Yeah, this is mainly why we didn't spend time working on an
__ob_saturate implementation: the primary place we want it in Linux is
already solved with all the refcount_t work. That said, if the behavior
could be replicated using a future __ob_saturate, that would be very
nice. :)
--
Kees Cook
next prev parent reply other threads:[~2026-04-01 19:43 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-31 16:37 [PATCH 0/5] Introduce Overflow Behavior Types Kees Cook
2026-03-31 16:37 ` [PATCH 1/5] refcount: Remove unused __signed_wrap function annotations Kees Cook
2026-03-31 16:37 ` [PATCH 2/5] hardening: Introduce Overflow Behavior Types support Kees Cook
2026-03-31 16:37 ` [PATCH 3/5] compiler_attributes: Add overflow_behavior macros __ob_trap and __ob_wrap Kees Cook
2026-03-31 17:01 ` Miguel Ojeda
2026-03-31 17:09 ` Miguel Ojeda
2026-03-31 17:09 ` Justin Stitt
2026-03-31 17:14 ` Miguel Ojeda
2026-03-31 17:17 ` Justin Stitt
2026-03-31 19:52 ` Kees Cook
2026-04-01 9:08 ` Peter Zijlstra
2026-04-01 20:21 ` Kees Cook
2026-04-01 20:30 ` Peter Zijlstra
2026-04-01 20:55 ` Kees Cook
2026-04-01 23:42 ` Justin Stitt
2026-04-02 9:13 ` David Laight
2026-03-31 17:16 ` Linus Torvalds
2026-03-31 17:18 ` Linus Torvalds
2026-04-01 7:19 ` Vincent Mailhol
2026-04-01 9:20 ` Peter Zijlstra
2026-04-01 19:43 ` Kees Cook [this message]
2026-04-01 19:42 ` Kees Cook
2026-03-31 16:37 ` [PATCH 4/5] lkdtm/bugs: Add basic Overflow Behavior Types test Kees Cook
2026-03-31 17:16 ` Justin Stitt
2026-03-31 16:37 ` [PATCH 5/5] types: Add standard __ob_trap and __ob_wrap scalar types Kees Cook
2026-03-31 17:10 ` Linus Torvalds
2026-03-31 17:47 ` Miguel Ojeda
2026-03-31 18:02 ` Linus Torvalds
2026-03-31 18:25 ` Linus Torvalds
2026-03-31 18:59 ` Kees Cook
2026-03-31 20:01 ` Linus Torvalds
2026-03-31 18:32 ` Kees Cook
2026-03-31 18:36 ` Linus Torvalds
2026-03-31 18:16 ` Kees Cook
2026-03-31 20:03 ` Kees Cook
2026-03-31 20:11 ` Linus Torvalds
2026-03-31 20:18 ` Linus Torvalds
2026-03-31 20:31 ` Kees Cook
2026-03-31 20:58 ` Linus Torvalds
2026-03-31 21:50 ` Justin Stitt
2026-03-31 23:49 ` Kees Cook
2026-03-31 23:50 ` Linus Torvalds
2026-04-01 8:31 ` Peter Zijlstra
2026-04-01 20:52 ` Kees Cook
2026-04-02 5:38 ` Peter Zijlstra
2026-04-01 8:57 ` Peter Zijlstra
2026-04-01 20:23 ` Kees Cook
2026-04-01 9:38 ` Peter Zijlstra
2026-04-01 21:41 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202604011242.3E8F635CD@keescook \
--to=kees@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=andreyknvl@gmail.com \
--cc=arnd@arndb.de \
--cc=corbet@lwn.net \
--cc=elver@google.com \
--cc=gregkh@linuxfoundation.org \
--cc=justinstitt@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=mailhol@kernel.org \
--cc=nathan@kernel.org \
--cc=nsc@kernel.org \
--cc=ojeda@kernel.org \
--cc=peterz@infradead.org \
--cc=ryabinin.a.a@gmail.com \
--cc=skhan@linuxfoundation.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox