1*bbecb9d1SAndroid Build Coastguard Worker /* SPDX-License-Identifier: GPL-2.0 OR MIT */
2*bbecb9d1SAndroid Build Coastguard Worker #ifndef __LINUX_OVERFLOW_H
3*bbecb9d1SAndroid Build Coastguard Worker #define __LINUX_OVERFLOW_H
4*bbecb9d1SAndroid Build Coastguard Worker
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
7*bbecb9d1SAndroid Build Coastguard Worker
/*
 * Branch-prediction hints (GCC/Clang builtins).  The double negation folds
 * any scalar into 0/1 before __builtin_expect() compares it.
 */
#define likely(x) __builtin_expect(!!(x), 1)
#define unlikely(x) __builtin_expect(!!(x), 0)

/* Marks a function whose return value the caller must not silently drop. */
#define __must_check __attribute__((__warn_unused_result__))
12*bbecb9d1SAndroid Build Coastguard Worker
/*
 * We need to compute the minimum and maximum values representable in a given
 * type. These macros may also be useful elsewhere. It would seem more obvious
 * to do something like:
 *
 * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0)
 * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0)
 *
 * Unfortunately, the middle expressions, strictly speaking, have
 * undefined behaviour, and at least some versions of gcc warn about
 * the type_max expression (but not if -fsanitize=undefined is in
 * effect; in that case, the warning is deferred to runtime...).
 *
 * The slightly excessive casting in type_min is to make sure the
 * macros also produce sensible values for the exotic type _Bool. [The
 * overflow checkers only almost work for _Bool, but that's
 * a-feature-not-a-bug, since people shouldn't be doing arithmetic on
 * _Bools. Besides, the gcc builtins don't allow _Bool* as third
 * argument.]
 *
 * Idea stolen from
 * https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html -
 * credit to Christian Biere.
 */
/* True for signed integer types; false for unsigned ones and for _Bool
 * ((_Bool)(-1) is 1, which is not below (_Bool)1). */
#define is_signed_type(type) (((type)(-1)) < (type)1)
/* Half of (type_max + 1): 2^(bits-1) for unsigned types, 2^(bits-2) for
 * signed ones, so the shift never reaches the sign bit. */
#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
/* (half - 1) + half == 2*half - 1; ordered this way so that no
 * intermediate value exceeds the type's range. */
#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
/* -max - 1 for signed types; for unsigned types the modular negation
 * makes this evaluate to 0. */
#define type_min(T) ((T)((T)-type_max(T)-(T)1))
41*bbecb9d1SAndroid Build Coastguard Worker
/*
 * Avoids triggering -Wtype-limits compilation warning,
 * while using unsigned data types to check a < 0.
 */
/* Same predicate as !((a) < 0), spelled so that an unsigned @a does not
 * trip the "comparison is always true/false" warning.  @a may be
 * evaluated twice, so pass only side-effect-free expressions. */
#define is_non_negative(a) ((a) > 0 || (a) == 0)
/* Negation of is_non_negative(); inherits its double evaluation of @a. */
#define is_negative(a) (!(is_non_negative(a)))
48*bbecb9d1SAndroid Build Coastguard Worker
/*
 * __must_check cannot be attached to a macro, so the check_*_overflow()
 * macros funnel their boolean result through this tiny inline function:
 * the macros stay type-generic while the compiler still warns when a
 * caller ignores the overflow flag.
 *
 * @overflow: the flag produced by a __builtin_*_overflow() call
 * Returns: @overflow unchanged, annotated as the unexpected branch.
 */
static inline bool __must_check __must_check_overflow(bool overflow)
{
	/* Same expansion as unlikely(): an overflow is the cold path. */
	return __builtin_expect(!!overflow, 0);
}
58*bbecb9d1SAndroid Build Coastguard Worker
/*
 * For simplicity and code hygiene, the fallback code below insists on
 * a, b and *d having the same type (similar to the min() and max()
 * macros), whereas gcc's type-generic overflow checkers accept
 * different types. Hence we don't just make check_add_overflow an
 * alias for __builtin_add_overflow, but add type checks similar to
 * below.
 */
/*
 * check_add_overflow() - compute *@d = @a + @b and report overflow.
 *
 * @a, @b: operands; both must have the same type
 * @d: pointer to the result, which must be an object of that same type
 *
 * Returns true when the exact sum does not fit in *@d.  The builtin still
 * stores the wrapped value in *@d, so the result must not be used when
 * true is returned.  The two (void) pointer comparisons are evaluated for
 * their types only: comparing the addresses of two objects of different
 * types, or a pointer of the wrong pointee type, is what makes the
 * compiler diagnose a mismatch.
 */
#define check_add_overflow(a, b, d) __must_check_overflow(({ \
	typeof(a) __a = (a); \
	typeof(b) __b = (b); \
	typeof(d) __d = (d); \
	(void) (&__a == &__b); \
	(void) (&__a == __d); \
	__builtin_add_overflow(__a, __b, __d); \
}))
75*bbecb9d1SAndroid Build Coastguard Worker
/*
 * check_sub_overflow() - compute *@d = @a - @b and report overflow.
 *
 * @a, @b: operands; both must have the same type
 * @d: pointer to the result, which must be an object of that same type
 *
 * Returns true when the exact difference does not fit in *@d (for an
 * unsigned type: when @b > @a).  The wrapped value is still stored in *@d
 * and must not be used when true is returned.  The (void) pointer
 * comparisons exist only so the compiler diagnoses mismatched types.
 */
#define check_sub_overflow(a, b, d) __must_check_overflow(({ \
	typeof(a) __a = (a); \
	typeof(b) __b = (b); \
	typeof(d) __d = (d); \
	(void) (&__a == &__b); \
	(void) (&__a == __d); \
	__builtin_sub_overflow(__a, __b, __d); \
}))
84*bbecb9d1SAndroid Build Coastguard Worker
/*
 * check_mul_overflow() - compute *@d = @a * @b and report overflow.
 *
 * @a, @b: operands; both must have the same type
 * @d: pointer to the result, which must be an object of that same type
 *
 * Returns true when the exact product does not fit in *@d.  The wrapped
 * value is still stored in *@d and must not be used when true is
 * returned.  The (void) pointer comparisons exist only so the compiler
 * diagnoses mismatched types.
 */
#define check_mul_overflow(a, b, d) __must_check_overflow(({ \
	typeof(a) __a = (a); \
	typeof(b) __b = (b); \
	typeof(d) __d = (d); \
	(void) (&__a == &__b); \
	(void) (&__a == __d); \
	__builtin_mul_overflow(__a, __b, __d); \
}))
93*bbecb9d1SAndroid Build Coastguard Worker
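/** check_shl_overflow() - Calculate a left-shifted value and check overflow
 *
 * @a: Value to be shifted
 * @s: How many bits left to shift
 * @d: Pointer to where to store the result
 *
 * Computes *@d = (@a << @s)
 *
 * Returns true if '*d' cannot hold the result or when 'a << s' doesn't
 * make sense. Example conditions:
 * - 'a << s' causes bits to be lost when stored in *d.
 * - 's' is garbage (e.g. negative) or so large that the result of
 *   'a << s' is guaranteed to be 0.
 * - 'a' is negative.
 * - 'a << s' sets the sign bit, if any, in '*d'.
 *
 * '*d' will hold the results of the attempted shift, but is not
 * considered "safe for use" if true is returned.
 *
 * Note: @a, @s and @d may each be evaluated more than once via the
 * is_non_negative()/is_negative() helpers, so pass side-effect-free
 * expressions only.
 */
#define check_shl_overflow(a, s, d) __must_check_overflow(({ \
	typeof(a) _a = (a); \
	typeof(s) _s = (s); \
	typeof(d) _d = (d); \
	/* Widen to an unsigned 64-bit value: the shift is then well-defined */ \
	/* for narrow and signed inputs, and any bits it drops are caught by */ \
	/* the shift-back comparison below.  uint64_t comes from <stdint.h>; */ \
	/* the kernel spelling u64 is not defined in this header. */ \
	uint64_t _a_full = _a; \
	/* A negative or too-large shift count is clamped to 0 here and */ \
	/* reported through the "_to_shift != _s" term of the result. */ \
	unsigned int _to_shift = \
		is_non_negative(_s) && _s < 8 * sizeof(*d) ? _s : 0; \
	*_d = (_a_full << _to_shift); \
	(_to_shift != _s || is_negative(*_d) || is_negative(_a) || \
		(*_d >> _to_shift) != _a); \
}))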
124*bbecb9d1SAndroid Build Coastguard Worker
/**
 * size_mul() - Multiply two size_t values, saturating at SIZE_MAX
 *
 * @factor1: first factor
 * @factor2: second factor
 *
 * Returns: @factor1 * @factor2, or SIZE_MAX when the product does not
 * fit in a size_t.  Saturating instead of wrapping means a buffer sized
 * with the result is never silently too small; a request for SIZE_MAX
 * bytes is expected to be refused by the allocator instead.  Assign the
 * result to a size_t lvalue so that no narrowing conversion can
 * reintroduce a wrap.
 */
static inline size_t __must_check size_mul(size_t factor1, size_t factor2)
{
	size_t product;
	bool overflowed = check_mul_overflow(factor1, factor2, &product);

	return overflowed ? SIZE_MAX : product;
}
144*bbecb9d1SAndroid Build Coastguard Worker
/**
 * size_add() - Add two size_t values, saturating at SIZE_MAX
 *
 * @addend1: first addend
 * @addend2: second addend
 *
 * Returns: @addend1 + @addend2, or SIZE_MAX when the sum does not fit in
 * a size_t.  Saturating instead of wrapping means a buffer sized with the
 * result is never silently too small; a request for SIZE_MAX bytes is
 * expected to be refused by the allocator instead.  Assign the result to
 * a size_t lvalue so that no narrowing conversion can reintroduce a wrap.
 */
static inline size_t __must_check size_add(size_t addend1, size_t addend2)
{
	size_t sum;
	bool overflowed = check_add_overflow(addend1, addend2, &sum);

	return overflowed ? SIZE_MAX : sum;
}
164*bbecb9d1SAndroid Build Coastguard Worker
/**
 * size_sub() - Subtract two size_t values, saturating at SIZE_MAX
 *
 * @minuend: value to subtract from
 * @subtrahend: value subtracted from @minuend
 *
 * Returns: @minuend - @subtrahend, or SIZE_MAX when the difference would
 * be negative (@subtrahend > @minuend).  Because SIZE_MAX is the
 * saturation value of size_add() and size_mul(), an operand that already
 * equals SIZE_MAX is treated as an overflowed intermediate and SIZE_MAX is
 * returned, so the helpers compose without losing the overflow
 * indication.  Assign the result to a size_t lvalue to avoid an implicit
 * conversion.
 */
static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend)
{
	size_t difference;

	/* Propagate a saturated operand rather than subtracting from it. */
	if (minuend == SIZE_MAX || subtrahend == SIZE_MAX)
		return SIZE_MAX;

	if (check_sub_overflow(minuend, subtrahend, &difference))
		return SIZE_MAX;

	return difference;
}
187*bbecb9d1SAndroid Build Coastguard Worker
/**
 * array_size() - Calculate size of 2-dimensional array.
 *
 * @a: dimension one
 * @b: dimension two
 *
 * Calculates size of 2-dimensional array: @a * @b.
 *
 * Returns: number of bytes needed to represent the array or SIZE_MAX on
 * overflow.
 */
/* Plain alias for size_mul(): the product saturates to SIZE_MAX. */
#define array_size(a, b) size_mul(a, b)
200*bbecb9d1SAndroid Build Coastguard Worker
/**
 * array3_size() - Calculate size of 3-dimensional array.
 *
 * @a: dimension one
 * @b: dimension two
 * @c: dimension three
 *
 * Calculates size of 3-dimensional array: @a * @b * @c.
 *
 * Returns: number of bytes needed to represent the array or SIZE_MAX on
 * overflow.
 */
/* Two chained size_mul() calls.  Once the inner product has saturated to
 * SIZE_MAX, multiplying by any @c >= 1 yields SIZE_MAX again, so the
 * overflow indication survives; @c == 0 gives 0, which is the true product. */
#define array3_size(a, b, c) size_mul(size_mul(a, b), c)
214*bbecb9d1SAndroid Build Coastguard Worker
/**
 * flex_array_size() - Calculate size of a flexible array member
 *                     within an enclosing structure.
 *
 * @p: Pointer to the structure.
 * @member: Name of the flexible array member.
 * @count: Number of elements in the array.
 *
 * Calculates size of a flexible array of @count number of @member
 * elements, at the end of structure @p.
 *
 * Return: number of bytes needed or SIZE_MAX on overflow.
 */
/* Depends on two helpers that this header does not define and the
 * including code must provide: __is_constexpr(), which selects the plain
 * compile-time multiplication when @count is a constant, and
 * __must_be_array(), expected to evaluate to 0 for a real array and to
 * fail the build otherwise (kernel semantics; confirm the local
 * definition).  Only the non-constant branch goes through size_mul() and
 * therefore saturates to SIZE_MAX on overflow. */
#define flex_array_size(p, member, count) \
	__builtin_choose_expr(__is_constexpr(count), \
		(count) * sizeof(*(p)->member) + __must_be_array((p)->member), \
		size_mul(count, sizeof(*(p)->member) + __must_be_array((p)->member)))
232*bbecb9d1SAndroid Build Coastguard Worker
/**
 * struct_size() - Calculate size of structure with trailing flexible array.
 *
 * @p: Pointer to the structure.
 * @member: Name of the array member.
 * @count: Number of elements in the array.
 *
 * Calculates size of memory needed for structure @p followed by an
 * array of @count number of @member elements.
 *
 * Return: number of bytes needed or SIZE_MAX on overflow.
 */
/* Like flex_array_size(), this needs __is_constexpr() from the including
 * code; it is not defined in this header.  With a constant @count the
 * header and array sizes are added as plain compile-time arithmetic;
 * otherwise size_add() is used so the total saturates to SIZE_MAX and a
 * saturated flex_array_size() result is carried through unchanged. */
#define struct_size(p, member, count) \
	__builtin_choose_expr(__is_constexpr(count), \
		sizeof(*(p)) + flex_array_size(p, member, count), \
		size_add(sizeof(*(p)), flex_array_size(p, member, count)))
249*bbecb9d1SAndroid Build Coastguard Worker
250*bbecb9d1SAndroid Build Coastguard Worker #endif /* __LINUX_OVERFLOW_H */