* [PATCH stable v5.4 v2 0/3] Missing overflow changes
@ 2025-03-07 13:09 Florian Fainelli
  2025-03-07 13:09 ` [PATCH stable v5.4 v2 1/3] overflow: Add __must_check attribute to check_*() helpers Florian Fainelli
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Florian Fainelli @ 2025-03-07 13:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: stable, Florian Fainelli, Kees Cook, Greg Kroah-Hartman,
	Keith Busch, Gustavo A. R. Silva

This patch series backports the minimum set of changes in order to fix
this warning that popped up with >= 5.4.284 stable kernels:

In file included from ./include/linux/mm.h:29,
                 from ./include/linux/pagemap.h:8,
                 from ./include/linux/buffer_head.h:14,
                 from fs/udf/udfdecl.h:12,
                 from fs/udf/super.c:41:
fs/udf/super.c: In function 'udf_fill_partdesc_info':
./include/linux/overflow.h:70:15: warning: comparison of distinct pointer types lacks a cast
  (void) (&__a == &__b);   \
               ^~
fs/udf/super.c:1162:7: note: in expansion of macro 'check_add_overflow'
   if (check_add_overflow(map->s_partition_len,
       ^~~~~~~~~~~~~~~~~~

Changes in v2:
- added missing upstream commit ID to the last patch in the series

Kees Cook (2):
  overflow: Add __must_check attribute to check_*() helpers
  overflow: Allow mixed type arguments

Keith Busch (1):
  overflow: Correct check_shl_overflow() comment

 include/linux/overflow.h | 101 +++++++++++++++++++++++----------------
 1 file changed, 60 insertions(+), 41 deletions(-)

-- 
2.34.1



* [PATCH stable v5.4 v2 1/3] overflow: Add __must_check attribute to check_*() helpers
  2025-03-07 13:09 [PATCH stable v5.4 v2 0/3] Missing overflow changes Florian Fainelli
@ 2025-03-07 13:09 ` Florian Fainelli
  2025-03-10  2:14   ` Sasha Levin
  2025-03-07 13:09 ` [PATCH stable v5.4 v2 2/3] overflow: Correct check_shl_overflow() comment Florian Fainelli
  2025-03-07 13:09 ` [PATCH stable v5.4 v2 3/3] overflow: Allow mixed type arguments Florian Fainelli
  2 siblings, 1 reply; 7+ messages in thread
From: Florian Fainelli @ 2025-03-07 13:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: stable, Kees Cook, Rasmus Villemoes, Florian Fainelli,
	Greg Kroah-Hartman, Keith Busch, Gustavo A. R. Silva

From: Kees Cook <keescook@chromium.org>

commit 9b80e4c4ddaca3501177ed41e49d0928ba2122a8 upstream

Since the destination variable of the check_*_overflow() helpers will
contain a wrapped value on failure, it would be best to make sure callers
really did check the return result of the helper. Adjust the macros to use
a bool-wrapping static inline that is marked with __must_check. This means
the macros can continue to have their type-agnostic behavior while gaining
the function attribute (that cannot be applied directly to macros).

Suggested-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Link: https://lore.kernel.org/lkml/202008151007.EF679DF@keescook/
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
---
 include/linux/overflow.h | 39 ++++++++++++++++++++++++---------------
 1 file changed, 24 insertions(+), 15 deletions(-)

diff --git a/include/linux/overflow.h b/include/linux/overflow.h
index 63e7c77ba942..35af574d006f 100644
--- a/include/linux/overflow.h
+++ b/include/linux/overflow.h
@@ -44,6 +44,16 @@
 #define is_non_negative(a) ((a) > 0 || (a) == 0)
 #define is_negative(a) (!(is_non_negative(a)))
 
+/*
+ * Allows for effectively applying __must_check to a macro so we can have
+ * both the type-agnostic benefits of the macros while also being able to
+ * enforce that the return value is, in fact, checked.
+ */
+static inline bool __must_check __must_check_overflow(bool overflow)
+{
+	return unlikely(overflow);
+}
+
 #ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
 /*
  * For simplicity and code hygiene, the fallback code below insists on
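Review bot: The comment on `__must_check_overflow()` says the return value is "in fact, checked", but the only enforcement is a compile-time warning from `__must_check`. On v5.4 that attribute is, as far as I recall, empty unless CONFIG_ENABLE_MUST_CHECK is set, which is worth confirming for this branch. I would add a line to the comment such as `* Enforcement is a compiler warning and depends on how __must_check is defined for the build.` Existing 5.4.y callers that discard the result of a check_*_overflow() macro will start to warn where the attribute is active, so a wide build (for example allmodconfig) before queuing is worthwhile. The header continues outside this hunk.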
@@ -53,32 +63,32 @@
  * alias for __builtin_add_overflow, but add type checks similar to
  * below.
  */
-#define check_add_overflow(a, b, d) ({		\
+#define check_add_overflow(a, b, d) __must_check_overflow(({	\
 	typeof(a) __a = (a);			\
 	typeof(b) __b = (b);			\
 	typeof(d) __d = (d);			\
 	(void) (&__a == &__b);			\
 	(void) (&__a == __d);			\
 	__builtin_add_overflow(__a, __b, __d);	\
-})
+}))
 
-#define check_sub_overflow(a, b, d) ({		\
+#define check_sub_overflow(a, b, d) __must_check_overflow(({	\
 	typeof(a) __a = (a);			\
 	typeof(b) __b = (b);			\
 	typeof(d) __d = (d);			\
 	(void) (&__a == &__b);			\
 	(void) (&__a == __d);			\
 	__builtin_sub_overflow(__a, __b, __d);	\
-})
+}))
 
-#define check_mul_overflow(a, b, d) ({		\
+#define check_mul_overflow(a, b, d) __must_check_overflow(({	\
 	typeof(a) __a = (a);			\
 	typeof(b) __b = (b);			\
 	typeof(d) __d = (d);			\
 	(void) (&__a == &__b);			\
 	(void) (&__a == __d);			\
 	__builtin_mul_overflow(__a, __b, __d);	\
-})
+}))
 
 #else
 
@@ -191,21 +201,20 @@
 })
 
 
-#define check_add_overflow(a, b, d)					\
+#define check_add_overflow(a, b, d)	__must_check_overflow(		\
 	__builtin_choose_expr(is_signed_type(typeof(a)),		\
 			__signed_add_overflow(a, b, d),			\
-			__unsigned_add_overflow(a, b, d))
+			__unsigned_add_overflow(a, b, d)))
 
-#define check_sub_overflow(a, b, d)					\
+#define check_sub_overflow(a, b, d)	__must_check_overflow(		\
 	__builtin_choose_expr(is_signed_type(typeof(a)),		\
 			__signed_sub_overflow(a, b, d),			\
-			__unsigned_sub_overflow(a, b, d))
+			__unsigned_sub_overflow(a, b, d)))
 
-#define check_mul_overflow(a, b, d)					\
+#define check_mul_overflow(a, b, d)	__must_check_overflow(		\
 	__builtin_choose_expr(is_signed_type(typeof(a)),		\
 			__signed_mul_overflow(a, b, d),			\
-			__unsigned_mul_overflow(a, b, d))
-
+			__unsigned_mul_overflow(a, b, d)))
 
 #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
 
@@ -228,7 +237,7 @@
  * '*d' will hold the results of the attempted shift, but is not
  * considered "safe for use" if false is returned.
  */
-#define check_shl_overflow(a, s, d) ({					\
+#define check_shl_overflow(a, s, d) __must_check_overflow(({		\
 	typeof(a) _a = a;						\
 	typeof(s) _s = s;						\
 	typeof(d) _d = d;						\
@@ -238,7 +247,7 @@
 	*_d = (_a_full << _to_shift);					\
 	(_to_shift != _s || is_negative(*_d) || is_negative(_a) ||	\
 	(*_d >> _to_shift) != _a);					\
-})
+}))
 
 /**
  * size_mul() - Calculate size_t multiplication with saturation at SIZE_MAX
-- 
2.34.1



* [PATCH stable v5.4 v2 2/3] overflow: Correct check_shl_overflow() comment
  2025-03-07 13:09 [PATCH stable v5.4 v2 0/3] Missing overflow changes Florian Fainelli
  2025-03-07 13:09 ` [PATCH stable v5.4 v2 1/3] overflow: Add __must_check attribute to check_*() helpers Florian Fainelli
@ 2025-03-07 13:09 ` Florian Fainelli
  2025-03-10  2:14   ` Sasha Levin
  2025-03-07 13:09 ` [PATCH stable v5.4 v2 3/3] overflow: Allow mixed type arguments Florian Fainelli
  2 siblings, 1 reply; 7+ messages in thread
From: Florian Fainelli @ 2025-03-07 13:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: stable, Keith Busch, Jason Gunthorpe, Kees Cook, Florian Fainelli,
	Greg Kroah-Hartman, Gustavo A. R. Silva

From: Keith Busch <kbusch@kernel.org>

commit 4578be130a6470d85ff05b13b75a00e6224eeeeb upstream

A 'false' return means the value was safely set, so the comment should
say 'true' for when it is not considered safe.

Cc: Jason Gunthorpe <jgg@ziepe.ca>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Fixes: 0c66847793d1 ("overflow.h: Add arithmetic shift helper")
Link: https://lore.kernel.org/r/20210401160629.1941787-1-kbusch@kernel.org
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
---
 include/linux/overflow.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/overflow.h b/include/linux/overflow.h
index 35af574d006f..d1dd039fe1c3 100644
--- a/include/linux/overflow.h
+++ b/include/linux/overflow.h
@@ -235,7 +235,7 @@ static inline bool __must_check __must_check_overflow(bool overflow)
  * - 'a << s' sets the sign bit, if any, in '*d'.
  *
  * '*d' will hold the results of the attempted shift, but is not
- * considered "safe for use" if false is returned.
+ * considered "safe for use" if true is returned.
  */
 #define check_shl_overflow(a, s, d) __must_check_overflow(({		\
 	typeof(a) _a = a;						\
-- 
2.34.1



* [PATCH stable v5.4 v2 3/3] overflow: Allow mixed type arguments
  2025-03-07 13:09 [PATCH stable v5.4 v2 0/3] Missing overflow changes Florian Fainelli
  2025-03-07 13:09 ` [PATCH stable v5.4 v2 1/3] overflow: Add __must_check attribute to check_*() helpers Florian Fainelli
  2025-03-07 13:09 ` [PATCH stable v5.4 v2 2/3] overflow: Correct check_shl_overflow() comment Florian Fainelli
@ 2025-03-07 13:09 ` Florian Fainelli
  2025-03-10  2:14   ` Sasha Levin
  2 siblings, 1 reply; 7+ messages in thread
From: Florian Fainelli @ 2025-03-07 13:09 UTC (permalink / raw)
  To: linux-kernel
  Cc: stable, Kees Cook, Rasmus Villemoes, Gwan-gyeong Mun,
	Gustavo A. R. Silva, Nick Desaulniers, linux-hardening,
	Andrzej Hajda, Florian Fainelli, Greg Kroah-Hartman, Keith Busch

From: Kees Cook <keescook@chromium.org>

commit d219d2a9a92e39aa92799efe8f2aa21259b6dd82 upstream

When the check_[op]_overflow() helpers were introduced, all arguments
were required to be the same type to make the fallback macros simpler.
However, now that the fallback macros have been removed[1], it is fine
to allow mixed types, which makes using the helpers much more useful,
as they can be used to test for type-based overflows (e.g. adding two
large ints but storing into a u8), as would be handy in the drm core[2].

Remove the restriction, and add additional self-tests that exercise
some of the mixed-type overflow cases, and double-check for accidental
macro side-effects.

[1] https://git.kernel.org/linus/4eb6bd55cfb22ffc20652732340c4962f3ac9a91
[2] https://lore.kernel.org/lkml/20220824084514.2261614-2-gwan-gyeong.mun@intel.com

Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: linux-hardening@vger.kernel.org
Reviewed-by: Andrzej Hajda <andrzej.hajda@intel.com>
Reviewed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
Tested-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
[florian: Drop changes to lib/test_overflow.c]
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
---
 include/linux/overflow.h | 72 +++++++++++++++++++++++-----------------
 1 file changed, 41 insertions(+), 31 deletions(-)

diff --git a/include/linux/overflow.h b/include/linux/overflow.h
index d1dd039fe1c3..54788a3cdcf5 100644
--- a/include/linux/overflow.h
+++ b/include/linux/overflow.h
@@ -55,40 +55,50 @@ static inline bool __must_check __must_check_overflow(bool overflow)
 }
 
 #ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
-/*
- * For simplicity and code hygiene, the fallback code below insists on
- * a, b and *d having the same type (similar to the min() and max()
- * macros), whereas gcc's type-generic overflow checkers accept
- * different types. Hence we don't just make check_add_overflow an
- * alias for __builtin_add_overflow, but add type checks similar to
- * below.
+/** check_add_overflow() - Calculate addition with overflow checking
+ *
+ * @a: first addend
+ * @b: second addend
+ * @d: pointer to store sum
+ *
+ * Returns 0 on success.
+ *
+ * *@d holds the results of the attempted addition, but is not considered
+ * "safe for use" on a non-zero return value, which indicates that the
+ * sum has overflowed or been truncated.
  */
-#define check_add_overflow(a, b, d) __must_check_overflow(({	\
-	typeof(a) __a = (a);			\
-	typeof(b) __b = (b);			\
-	typeof(d) __d = (d);			\
-	(void) (&__a == &__b);			\
-	(void) (&__a == __d);			\
-	__builtin_add_overflow(__a, __b, __d);	\
-}))
+#define check_add_overflow(a, b, d)	\
+	__must_check_overflow(__builtin_add_overflow(a, b, d))
 
-#define check_sub_overflow(a, b, d) __must_check_overflow(({	\
-	typeof(a) __a = (a);			\
-	typeof(b) __b = (b);			\
-	typeof(d) __d = (d);			\
-	(void) (&__a == &__b);			\
-	(void) (&__a == __d);			\
-	__builtin_sub_overflow(__a, __b, __d);	\
-}))
+/** check_sub_overflow() - Calculate subtraction with overflow checking
+ *
+ * @a: minuend; value to subtract from
+ * @b: subtrahend; value to subtract from @a
+ * @d: pointer to store difference
+ *
+ * Returns 0 on success.
+ *
+ * *@d holds the results of the attempted subtraction, but is not considered
+ * "safe for use" on a non-zero return value, which indicates that the
+ * difference has underflowed or been truncated.
+ */
+#define check_sub_overflow(a, b, d)	\
+	__must_check_overflow(__builtin_sub_overflow(a, b, d))
 
-#define check_mul_overflow(a, b, d) __must_check_overflow(({	\
-	typeof(a) __a = (a);			\
-	typeof(b) __b = (b);			\
-	typeof(d) __d = (d);			\
-	(void) (&__a == &__b);			\
-	(void) (&__a == __d);			\
-	__builtin_mul_overflow(__a, __b, __d);	\
-}))
+/** check_mul_overflow() - Calculate multiplication with overflow checking
+ *
+ * @a: first factor
+ * @b: second factor
+ * @d: pointer to store product
+ *
+ * Returns 0 on success.
+ *
+ * *@d holds the results of the attempted multiplication, but is not
+ * considered "safe for use" on a non-zero return value, which indicates
+ * that the product has overflowed or been truncated.
+ */
+#define check_mul_overflow(a, b, d)	\
+	__must_check_overflow(__builtin_mul_overflow(a, b, d))
 
 #else
 
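Review bot: The `#else` fallback that closes this hunk is left untouched, so on v5.4 only compilers that define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW get the mixed-type semantics. The upstream message justifies the relaxation with "the fallback macros have been removed", yet patch 1/3 of this series still modifies the `__builtin_choose_expr(is_signed_type(typeof(a)), ...)` fallback definitions, which pick the signed or unsigned helper from `a` alone and, per the comment deleted here, expect a, b and *d to share a type. A mixed-type caller such as the fs/udf one in the cover letter would presumably still warn on such a compiler, and truncation into a narrower `*d` may go unreported there. I would record that in the backport note, e.g. `[florian: fallback macros still exist in 5.4; mixed types only supported with the generic builtins]`. Because the lib/test_overflow.c changes were dropped, the mixed-type cases also have no self-test coverage on this branch.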
-- 
2.34.1



* Re: [PATCH stable v5.4 v2 2/3] overflow: Correct check_shl_overflow() comment
  2025-03-07 13:09 ` [PATCH stable v5.4 v2 2/3] overflow: Correct check_shl_overflow() comment Florian Fainelli
@ 2025-03-10  2:14   ` Sasha Levin
  0 siblings, 0 replies; 7+ messages in thread
From: Sasha Levin @ 2025-03-10  2:14 UTC (permalink / raw)
  To: stable; +Cc: Florian Fainelli, Sasha Levin

[ Sasha's backport helper bot ]

Hi,

✅ All tests passed successfully. No issues detected.
No action required from the submitter.

The upstream commit SHA1 provided is correct: 4578be130a6470d85ff05b13b75a00e6224eeeeb

WARNING: Author mismatch between patch and upstream commit:
Backport author: Florian Fainelli<florian.fainelli@broadcom.com>
Commit author: Keith Busch<kbusch@kernel.org>

Status in newer kernel trees:
6.13.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (exact SHA1)

Note: The patch differs from the upstream commit:
---
1:  4578be130a647 ! 1:  a99708e5c1aad overflow: Correct check_shl_overflow() comment
    @@ Metadata
      ## Commit message ##
         overflow: Correct check_shl_overflow() comment
     
    +    commit 4578be130a6470d85ff05b13b75a00e6224eeeeb upstream
    +
         A 'false' return means the value was safely set, so the comment should
         say 'true' for when it is not considered safe.
     
    @@ Commit message
         Signed-off-by: Kees Cook <keescook@chromium.org>
         Fixes: 0c66847793d1 ("overflow.h: Add arithmetic shift helper")
         Link: https://lore.kernel.org/r/20210401160629.1941787-1-kbusch@kernel.org
    +    Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
     
      ## include/linux/overflow.h ##
     @@ include/linux/overflow.h: static inline bool __must_check __must_check_overflow(bool overflow)
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.4.y        |  Success    |  Success   |


* Re: [PATCH stable v5.4 v2 3/3] overflow: Allow mixed type arguments
  2025-03-07 13:09 ` [PATCH stable v5.4 v2 3/3] overflow: Allow mixed type arguments Florian Fainelli
@ 2025-03-10  2:14   ` Sasha Levin
  0 siblings, 0 replies; 7+ messages in thread
From: Sasha Levin @ 2025-03-10  2:14 UTC (permalink / raw)
  To: stable; +Cc: Florian Fainelli, Sasha Levin

[ Sasha's backport helper bot ]

Hi,

✅ All tests passed successfully. No issues detected.
No action required from the submitter.

The upstream commit SHA1 provided is correct: d219d2a9a92e39aa92799efe8f2aa21259b6dd82

WARNING: Author mismatch between patch and upstream commit:
Backport author: Florian Fainelli<florian.fainelli@broadcom.com>
Commit author: Kees Cook<keescook@chromium.org>

Status in newer kernel trees:
6.13.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (exact SHA1)

Note: The patch differs from the upstream commit:
---
1:  d219d2a9a92e3 ! 1:  060e28cfd618f overflow: Allow mixed type arguments
    @@ Metadata
      ## Commit message ##
         overflow: Allow mixed type arguments
     
    +    commit d219d2a9a92e39aa92799efe8f2aa21259b6dd82 upstream
    +
         When the check_[op]_overflow() helpers were introduced, all arguments
         were required to be the same type to make the fallback macros simpler.
         However, now that the fallback macros have been removed[1], it is fine
    @@ Commit message
         Reviewed-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
         Tested-by: Gwan-gyeong Mun <gwan-gyeong.mun@intel.com>
         Signed-off-by: Kees Cook <keescook@chromium.org>
    +    [florian: Drop changes to lib/test_overflow.c]
    +    Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
     
      ## include/linux/overflow.h ##
     @@ include/linux/overflow.h: static inline bool __must_check __must_check_overflow(bool overflow)
    - 	return unlikely(overflow);
      }
      
    + #ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
     -/*
     - * For simplicity and code hygiene, the fallback code below insists on
     - * a, b and *d having the same type (similar to the min() and max()
    @@ include/linux/overflow.h: static inline bool __must_check __must_check_overflow(
     +#define check_mul_overflow(a, b, d)	\
     +	__must_check_overflow(__builtin_mul_overflow(a, b, d))
      
    - /** check_shl_overflow() - Calculate a left-shifted value and check overflow
    -  *
    -
    - ## lib/overflow_kunit.c ##
    -@@
    - #include <linux/types.h>
    - #include <linux/vmalloc.h>
    - 
    --#define DEFINE_TEST_ARRAY(t)			\
    --	static const struct test_ ## t {	\
    --		t a, b;				\
    --		t sum, diff, prod;		\
    --		bool s_of, d_of, p_of;		\
    --	} t ## _tests[]
    -+#define DEFINE_TEST_ARRAY_TYPED(t1, t2, t)			\
    -+	static const struct test_ ## t1 ## _ ## t2 ## __ ## t {	\
    -+		t1 a;						\
    -+		t2 b;						\
    -+		t sum, diff, prod;				\
    -+		bool s_of, d_of, p_of;				\
    -+	} t1 ## _ ## t2 ## __ ## t ## _tests[]
    -+
    -+#define DEFINE_TEST_ARRAY(t)	DEFINE_TEST_ARRAY_TYPED(t, t, t)
    - 
    - DEFINE_TEST_ARRAY(u8) = {
    - 	{0, 0, 0, 0, 0, false, false, false},
    -@@ lib/overflow_kunit.c: DEFINE_TEST_ARRAY(s64) = {
    - };
    - #endif
    - 
    --#define check_one_op(t, fmt, op, sym, a, b, r, of) do {		\
    --	t _r;							\
    --	bool _of;						\
    --								\
    --	_of = check_ ## op ## _overflow(a, b, &_r);		\
    --	KUNIT_EXPECT_EQ_MSG(test, _of, of,			\
    -+#define check_one_op(t, fmt, op, sym, a, b, r, of) do {			\
    -+	int _a_orig = a, _a_bump = a + 1;				\
    -+	int _b_orig = b, _b_bump = b + 1;				\
    -+	bool _of;							\
    -+	t _r;								\
    -+									\
    -+	_of = check_ ## op ## _overflow(a, b, &_r);			\
    -+	KUNIT_EXPECT_EQ_MSG(test, _of, of,				\
    - 		"expected "fmt" "sym" "fmt" to%s overflow (type %s)\n",	\
    --		a, b, of ? "" : " not", #t);			\
    --	KUNIT_EXPECT_EQ_MSG(test, _r, r,			\
    -+		a, b, of ? "" : " not", #t);				\
    -+	KUNIT_EXPECT_EQ_MSG(test, _r, r,				\
    - 		"expected "fmt" "sym" "fmt" == "fmt", got "fmt" (type %s)\n", \
    --		a, b, r, _r, #t);				\
    -+		a, b, r, _r, #t);					\
    -+	/* Check for internal macro side-effects. */			\
    -+	_of = check_ ## op ## _overflow(_a_orig++, _b_orig++, &_r);	\
    -+	KUNIT_EXPECT_EQ_MSG(test, _a_orig, _a_bump, "Unexpected " #op " macro side-effect!\n"); \
    -+	KUNIT_EXPECT_EQ_MSG(test, _b_orig, _b_bump, "Unexpected " #op " macro side-effect!\n"); \
    - } while (0)
    - 
    --#define DEFINE_TEST_FUNC(t, fmt)					\
    --static void do_test_ ## t(struct kunit *test, const struct test_ ## t *p) \
    -+#define DEFINE_TEST_FUNC_TYPED(n, t, fmt)				\
    -+static void do_test_ ## n(struct kunit *test, const struct test_ ## n *p) \
    - {							   		\
    - 	check_one_op(t, fmt, add, "+", p->a, p->b, p->sum, p->s_of);	\
    - 	check_one_op(t, fmt, add, "+", p->b, p->a, p->sum, p->s_of);	\
    -@@ lib/overflow_kunit.c: static void do_test_ ## t(struct kunit *test, const struct test_ ## t *p) \
    - 	check_one_op(t, fmt, mul, "*", p->b, p->a, p->prod, p->p_of);	\
    - }									\
    - 									\
    --static void t ## _overflow_test(struct kunit *test) {			\
    -+static void n ## _overflow_test(struct kunit *test) {			\
    - 	unsigned i;							\
    - 									\
    --	for (i = 0; i < ARRAY_SIZE(t ## _tests); ++i)			\
    --		do_test_ ## t(test, &t ## _tests[i]);			\
    -+	for (i = 0; i < ARRAY_SIZE(n ## _tests); ++i)			\
    -+		do_test_ ## n(test, &n ## _tests[i]);			\
    - 	kunit_info(test, "%zu %s arithmetic tests finished\n",		\
    --		ARRAY_SIZE(t ## _tests), #t);				\
    -+		ARRAY_SIZE(n ## _tests), #n);				\
    - }
    - 
    -+#define DEFINE_TEST_FUNC(t, fmt)					\
    -+	DEFINE_TEST_FUNC_TYPED(t ## _ ## t ## __ ## t, t, fmt)
    -+
    - DEFINE_TEST_FUNC(u8, "%d");
    - DEFINE_TEST_FUNC(s8, "%d");
    - DEFINE_TEST_FUNC(u16, "%d");
    -@@ lib/overflow_kunit.c: DEFINE_TEST_FUNC(u64, "%llu");
    - DEFINE_TEST_FUNC(s64, "%lld");
    - #endif
    - 
    -+DEFINE_TEST_ARRAY_TYPED(u32, u32, u8) = {
    -+	{0, 0, 0, 0, 0, false, false, false},
    -+	{U8_MAX, 2, 1, U8_MAX - 2, U8_MAX - 1, true, false, true},
    -+	{U8_MAX + 1, 0, 0, 0, 0, true, true, false},
    -+};
    -+DEFINE_TEST_FUNC_TYPED(u32_u32__u8, u8, "%d");
    -+
    -+DEFINE_TEST_ARRAY_TYPED(u32, u32, int) = {
    -+	{0, 0, 0, 0, 0, false, false, false},
    -+	{U32_MAX, 0, -1, -1, 0, true, true, false},
    -+};
    -+DEFINE_TEST_FUNC_TYPED(u32_u32__int, int, "%d");
    -+
    -+DEFINE_TEST_ARRAY_TYPED(u8, u8, int) = {
    -+	{0, 0, 0, 0, 0, false, false, false},
    -+	{U8_MAX, U8_MAX, 2 * U8_MAX, 0, U8_MAX * U8_MAX, false, false, false},
    -+	{1, 2, 3, -1, 2, false, false, false},
    -+};
    -+DEFINE_TEST_FUNC_TYPED(u8_u8__int, int, "%d");
    -+
    -+DEFINE_TEST_ARRAY_TYPED(int, int, u8) = {
    -+	{0, 0, 0, 0, 0, false, false, false},
    -+	{1, 2, 3, U8_MAX, 2, false, true, false},
    -+	{-1, 0, U8_MAX, U8_MAX, 0, true, true, false},
    -+};
    -+DEFINE_TEST_FUNC_TYPED(int_int__u8, u8, "%d");
    -+
    - static void overflow_shift_test(struct kunit *test)
    - {
    - 	int count = 0;
    -@@ lib/overflow_kunit.c: static void overflow_size_helpers_test(struct kunit *test)
    - }
    + #else
      
    - static struct kunit_case overflow_test_cases[] = {
    --	KUNIT_CASE(u8_overflow_test),
    --	KUNIT_CASE(s8_overflow_test),
    --	KUNIT_CASE(u16_overflow_test),
    --	KUNIT_CASE(s16_overflow_test),
    --	KUNIT_CASE(u32_overflow_test),
    --	KUNIT_CASE(s32_overflow_test),
    -+	KUNIT_CASE(u8_u8__u8_overflow_test),
    -+	KUNIT_CASE(s8_s8__s8_overflow_test),
    -+	KUNIT_CASE(u16_u16__u16_overflow_test),
    -+	KUNIT_CASE(s16_s16__s16_overflow_test),
    -+	KUNIT_CASE(u32_u32__u32_overflow_test),
    -+	KUNIT_CASE(s32_s32__s32_overflow_test),
    - /* Clang 13 and earlier generate unwanted libcalls on 32-bit. */
    - #if BITS_PER_LONG == 64
    --	KUNIT_CASE(u64_overflow_test),
    --	KUNIT_CASE(s64_overflow_test),
    -+	KUNIT_CASE(u64_u64__u64_overflow_test),
    -+	KUNIT_CASE(s64_s64__s64_overflow_test),
    - #endif
    -+	KUNIT_CASE(u32_u32__u8_overflow_test),
    -+	KUNIT_CASE(u32_u32__int_overflow_test),
    -+	KUNIT_CASE(u8_u8__int_overflow_test),
    -+	KUNIT_CASE(int_int__u8_overflow_test),
    - 	KUNIT_CASE(overflow_shift_test),
    - 	KUNIT_CASE(overflow_allocation_test),
    - 	KUNIT_CASE(overflow_size_helpers_test),
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.4.y        |  Success    |  Success   |


* Re: [PATCH stable v5.4 v2 1/3] overflow: Add __must_check attribute to check_*() helpers
  2025-03-07 13:09 ` [PATCH stable v5.4 v2 1/3] overflow: Add __must_check attribute to check_*() helpers Florian Fainelli
@ 2025-03-10  2:14   ` Sasha Levin
  0 siblings, 0 replies; 7+ messages in thread
From: Sasha Levin @ 2025-03-10  2:14 UTC (permalink / raw)
  To: stable; +Cc: Florian Fainelli, Sasha Levin

[ Sasha's backport helper bot ]

Hi,

✅ All tests passed successfully. No issues detected.
No action required from the submitter.

The upstream commit SHA1 provided is correct: 9b80e4c4ddaca3501177ed41e49d0928ba2122a8

WARNING: Author mismatch between patch and upstream commit:
Backport author: Florian Fainelli<florian.fainelli@broadcom.com>
Commit author: Kees Cook<keescook@chromium.org>

Status in newer kernel trees:
6.13.y | Present (exact SHA1)
6.12.y | Present (exact SHA1)
6.6.y | Present (exact SHA1)
6.1.y | Present (exact SHA1)

Note: The patch differs from the upstream commit:
---
1:  9b80e4c4ddaca ! 1:  0aad002281c33 overflow: Add __must_check attribute to check_*() helpers
    @@ Metadata
      ## Commit message ##
         overflow: Add __must_check attribute to check_*() helpers
     
    +    commit 9b80e4c4ddaca3501177ed41e49d0928ba2122a8 upstream
    +
         Since the destination variable of the check_*_overflow() helpers will
         contain a wrapped value on failure, it would be best to make sure callers
         really did check the return result of the helper. Adjust the macros to use
    @@ Commit message
         Suggested-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
         Link: https://lore.kernel.org/lkml/202008151007.EF679DF@keescook/
         Signed-off-by: Kees Cook <keescook@chromium.org>
    +    Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
     
      ## include/linux/overflow.h ##
     @@
    @@ include/linux/overflow.h
     +}))
      
      /**
    -  * array_size() - Calculate size of 2-dimensional array.
    +  * size_mul() - Calculate size_t multiplication with saturation at SIZE_MAX
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.4.y        |  Success    |  Success   |
