85caa95b9f
The CHECK_DATA_CORRUPTION() macro was designed to have callers do something meaningful/protective on failure. However, using "return false" in the macro too strictly limits the design patterns of callers. Instead, let callers handle the logic test directly, but make sure that the result IS checked by forcing __must_check (which appears to not be able to be used directly on macro expressions). Link: http://lkml.kernel.org/r/20170206204547.GA125312@beast Signed-off-by: Kees Cook <keescook@chromium.org> Suggested-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
144 lines
4.5 KiB
C
144 lines
4.5 KiB
C
#ifndef _LINUX_BUG_H
|
|
#define _LINUX_BUG_H
|
|
|
|
#include <asm/bug.h>
|
|
#include <linux/compiler.h>
|
|
|
|
enum bug_trap_type {
|
|
BUG_TRAP_TYPE_NONE = 0,
|
|
BUG_TRAP_TYPE_WARN = 1,
|
|
BUG_TRAP_TYPE_BUG = 2,
|
|
};
|
|
|
|
struct pt_regs;
|
|
|
|
#ifdef __CHECKER__
|
|
#define __BUILD_BUG_ON_NOT_POWER_OF_2(n) (0)
|
|
#define BUILD_BUG_ON_NOT_POWER_OF_2(n) (0)
|
|
#define BUILD_BUG_ON_ZERO(e) (0)
|
|
#define BUILD_BUG_ON_NULL(e) ((void*)0)
|
|
#define BUILD_BUG_ON_INVALID(e) (0)
|
|
#define BUILD_BUG_ON_MSG(cond, msg) (0)
|
|
#define BUILD_BUG_ON(condition) (0)
|
|
#define BUILD_BUG() (0)
|
|
#define MAYBE_BUILD_BUG_ON(cond) (0)
|
|
#else /* __CHECKER__ */
|
|
|
|
/* Force a compilation error if a constant expression is not a power of 2 */
|
|
#define __BUILD_BUG_ON_NOT_POWER_OF_2(n) \
|
|
BUILD_BUG_ON(((n) & ((n) - 1)) != 0)
|
|
#define BUILD_BUG_ON_NOT_POWER_OF_2(n) \
|
|
BUILD_BUG_ON((n) == 0 || (((n) & ((n) - 1)) != 0))
|
|
|
|
/* Force a compilation error if condition is true, but also produce a
|
|
result (of value 0 and type size_t), so the expression can be used
|
|
e.g. in a structure initializer (or where-ever else comma expressions
|
|
aren't permitted). */
|
|
#define BUILD_BUG_ON_ZERO(e) (sizeof(struct { int:-!!(e); }))
|
|
#define BUILD_BUG_ON_NULL(e) ((void *)sizeof(struct { int:-!!(e); }))
|
|
|
|
/*
|
|
* BUILD_BUG_ON_INVALID() permits the compiler to check the validity of the
|
|
* expression but avoids the generation of any code, even if that expression
|
|
* has side-effects.
|
|
*/
|
|
#define BUILD_BUG_ON_INVALID(e) ((void)(sizeof((__force long)(e))))
|
|
|
|
/**
|
|
* BUILD_BUG_ON_MSG - break compile if a condition is true & emit supplied
|
|
* error message.
|
|
* @condition: the condition which the compiler should know is false.
|
|
*
|
|
* See BUILD_BUG_ON for description.
|
|
*/
|
|
#define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
|
|
|
|
/**
|
|
* BUILD_BUG_ON - break compile if a condition is true.
|
|
* @condition: the condition which the compiler should know is false.
|
|
*
|
|
* If you have some code which relies on certain constants being equal, or
|
|
* some other compile-time-evaluated condition, you should use BUILD_BUG_ON to
|
|
* detect if someone changes it.
|
|
*
|
|
* The implementation uses gcc's reluctance to create a negative array, but gcc
|
|
* (as of 4.4) only emits that error for obvious cases (e.g. not arguments to
|
|
* inline functions). Luckily, in 4.3 they added the "error" function
|
|
* attribute just for this type of case. Thus, we use a negative sized array
|
|
* (should always create an error on gcc versions older than 4.4) and then call
|
|
* an undefined function with the error attribute (should always create an
|
|
* error on gcc 4.3 and later). If for some reason, neither creates a
|
|
* compile-time error, we'll still have a link-time error, which is harder to
|
|
* track down.
|
|
*/
|
|
#ifndef __OPTIMIZE__
|
|
#define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2*!!(condition)]))
|
|
#else
|
|
#define BUILD_BUG_ON(condition) \
|
|
BUILD_BUG_ON_MSG(condition, "BUILD_BUG_ON failed: " #condition)
|
|
#endif
|
|
|
|
/**
|
|
* BUILD_BUG - break compile if used.
|
|
*
|
|
* If you have some code that you expect the compiler to eliminate at
|
|
* build time, you should use BUILD_BUG to detect if it is
|
|
* unexpectedly used.
|
|
*/
|
|
#define BUILD_BUG() BUILD_BUG_ON_MSG(1, "BUILD_BUG failed")
|
|
|
|
#define MAYBE_BUILD_BUG_ON(cond) \
|
|
do { \
|
|
if (__builtin_constant_p((cond))) \
|
|
BUILD_BUG_ON(cond); \
|
|
else \
|
|
BUG_ON(cond); \
|
|
} while (0)
|
|
|
|
#endif /* __CHECKER__ */
|
|
|
|
#ifdef CONFIG_GENERIC_BUG
|
|
#include <asm-generic/bug.h>
|
|
|
|
static inline int is_warning_bug(const struct bug_entry *bug)
|
|
{
|
|
return bug->flags & BUGFLAG_WARNING;
|
|
}
|
|
|
|
const struct bug_entry *find_bug(unsigned long bugaddr);
|
|
|
|
enum bug_trap_type report_bug(unsigned long bug_addr, struct pt_regs *regs);
|
|
|
|
/* These are defined by the architecture */
|
|
int is_valid_bugaddr(unsigned long addr);
|
|
|
|
#else /* !CONFIG_GENERIC_BUG */
|
|
|
|
static inline enum bug_trap_type report_bug(unsigned long bug_addr,
|
|
struct pt_regs *regs)
|
|
{
|
|
return BUG_TRAP_TYPE_BUG;
|
|
}
|
|
|
|
#endif /* CONFIG_GENERIC_BUG */
|
|
|
|
/*
|
|
* Since detected data corruption should stop operation on the affected
|
|
* structures. Return value must be checked and sanely acted on by caller.
|
|
*/
|
|
static inline __must_check bool check_data_corruption(bool v) { return v; }
|
|
#define CHECK_DATA_CORRUPTION(condition, fmt, ...) \
|
|
check_data_corruption(({ \
|
|
bool corruption = unlikely(condition); \
|
|
if (corruption) { \
|
|
if (IS_ENABLED(CONFIG_BUG_ON_DATA_CORRUPTION)) { \
|
|
pr_err(fmt, ##__VA_ARGS__); \
|
|
BUG(); \
|
|
} else \
|
|
WARN(1, fmt, ##__VA_ARGS__); \
|
|
} \
|
|
corruption; \
|
|
}))
|
|
|
|
#endif /* _LINUX_BUG_H */
|