Re: [for-linus][PATCH 01/10] tracing: Suppress sparse warnings triggered by is_signed_type()

From: Kees Cook
Date: Thu Aug 25 2022 - 14:18:46 EST


On Thu, Aug 25, 2022 at 10:39:02AM -0700, Bart Van Assche wrote:
> On 8/24/22 17:40, Linus Torvalds wrote:
> > Actually, thinking about it, that was simple enough.
> >
> > -#define is_signed_type(type) (((type)(-1)) < (type)1)
> > +#define is_signed_type(type) (((type)(-1)) < (__force type)1)
> >
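
Review bot: the `+` line force-casts only the `1` and leaves `(type)(-1)` as a plain cast, and nothing beside the macro records why. A short comment above the definition saying that only the `1` needs `__force` for bitwise types would stop a later cleanup from making the two sides symmetric again.
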
> > should work.
> >
> > It looks a bit odd, because we only force one side.
> >
> > But we only need to force one side, because the '-1' doesn't have any
> > issues with bitwise types, the same way 0 doesn't.
> >
> > So only '1' needs to be force-cast to avoid a warning about casting an
> > integer to a bitwise type.
> >
> > And since that -1 counts as an unrestricted value after a cast, now
> > the ordered comparison doesn't warn either.
> >
> > Now, admittedly I think sparse should also allow a forced cast of an
> > unrestricted value to be unrestricted, so I think I should do this
> >
> > static int restricted_value(struct expression *v, struct symbol *type)
> > {
> > - if (v->type == EXPR_CAST)
> > + if (v->type == EXPR_CAST || v->type = EXPR_FORCE_CAST)
> > v = v->cast_expression;
> >
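
Review bot: in the added condition, `v->type = EXPR_FORCE_CAST` uses `=` where the first operand uses `==`. Because `||` binds tighter than `=`, the left side of that assignment is not an lvalue and the line does not compile as written; it should read `v->type == EXPR_FORCE_CAST`.
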
> > in sparse, but even without that the above "is_signed_type()" macro
> > should make sparse happy (with that current tree of mine).
> >
> > And since we don't now need to cast 0, gcc won't complain about that
> > NULL pointer comparison.
> >
> > Does that solve things for you?
>
> Yes, thank you! No sparse warnings are triggered by the is_signed_type()
> macro and the gcc warning about ordered comparison of a pointer with the
> null pointer is gone.
>
> The patch I came up with is available below. If nobody picks it up from
> this email I will try to find an appropriate kernel maintainer to send
> this kernel patch to.
>
> Thanks,
>
> Bart.
>
>
> From: Bart Van Assche <bvanassche@xxxxxxx>
> Date: Tue, 23 Aug 2022 12:59:25 -0700
> Subject: [PATCH] tracing: Define the is_signed_type() macro once
>
> There are two definitions of the is_signed_type() macro: one in
> <linux/overflow.h> and a second definition in <linux/trace_events.h>.
>
> As suggested by Linus Torvalds, move the definition of the
> is_signed_type() macro into the <linux/compiler.h> header file. Change
> the definition of the is_signed_type() macro to make sure that it does
> not trigger any sparse warnings with future versions of sparse for
> bitwise types. See also:
> https://lore.kernel.org/all/CAHk-=whjH6p+qzwUdx5SOVVHjS3WvzJQr6mDUwhEyTf6pJWzaQ@xxxxxxxxxxxxxx/
> https://lore.kernel.org/all/CAHk-=wjQGnVfb4jehFR0XyZikdQvCZouE96xR_nnf5kqaM5qqQ@xxxxxxxxxxxxxx/
>
> Cc: Rasmus Villemoes <linux@xxxxxxxxxxxxxxxxxx>
> Cc: Steven Rostedt <rostedt@xxxxxxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Signed-off-by: Bart Van Assche <bvanassche@xxxxxxx>

Looks good to me; thanks!

Acked-by: Kees Cook <keescook@xxxxxxxxxxxx>

--
Kees Cook
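
An added example, not part of this thread or of the kernel source: the macro as quoted above, built outside sparse (where `__force` and `__bitwise` expand to nothing) and used to record signedness in a constructed field table. `sample_le32`, `struct field_desc`, `FIELD`, `sample_fields` and `field_is_signed` are hypothetical names chosen for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Kernel-style annotations: only sparse defines __CHECKER__ and sees them. */
#ifdef __CHECKER__
# define __bitwise __attribute__((bitwise))
# define __force   __attribute__((force))
#else
# define __bitwise
# define __force
#endif

/* Definition quoted in the thread: only the 1 is force-cast. */
#define is_signed_type(type) (((type)(-1)) < (__force type)1)

/* Constructed stand-in for a bitwise (endian-annotated) type. */
typedef unsigned int __bitwise sample_le32;

/* Hypothetical field descriptor: name, size and signedness of each field. */
struct field_desc {
    const char *name;
    unsigned int size;
    int is_signed;
};

/* The macro is an integer constant expression, so it works in initializers. */
#define FIELD(type, fname) { #fname, sizeof(type), is_signed_type(type) }

static const struct field_desc sample_fields[] = {
    FIELD(int, pid),
    FIELD(unsigned long, addr),
    FIELD(signed char, prio),
    FIELD(sample_le32, wire_len),   /* bitwise type: no cast of 0 involved */
    FIELD(long long, delta),
};

/* Returns 1 for signed, 0 for unsigned, -1 when the field is unknown. */
int field_is_signed(const char *name)
{
    size_t n = sizeof(sample_fields) / sizeof(sample_fields[0]);
    for (size_t i = 0; i < n; i++)
        if (strcmp(sample_fields[i].name, name) == 0)
            return sample_fields[i].is_signed;
    return -1;
}

int main(void)
{
    size_t n = sizeof(sample_fields) / sizeof(sample_fields[0]);
    for (size_t i = 0; i < n; i++)
        printf("%-9s size=%u signed=%d\n", sample_fields[i].name,
               sample_fields[i].size, sample_fields[i].is_signed);
    return 0;
}
```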