include/linux/overflow.h

0001 /* SPDX-License-Identifier: GPL-2.0 OR MIT */
0002 #ifndef __LINUX_OVERFLOW_H
0003 #define __LINUX_OVERFLOW_H
0004
0005 #include <linux/compiler.h>
0006
0007 /*
0008  * We need to compute the minimum and maximum values representable in a given
0009  * type. These macros may also be useful elsewhere. It would seem more obvious
0010  * to do something like:
0011  *
0012  * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0)
0013  * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0)
0014  *
0015  * Unfortunately, the middle expressions, strictly speaking, have
0016  * undefined behaviour, and at least some versions of gcc warn about
0017  * the type_max expression (but not if -fsanitize=undefined is in
0018  * effect; in that case, the warning is deferred to runtime...).
0019  *
0020  * The slightly excessive casting in type_min is to make sure the
0021  * macros also produce sensible values for the exotic type _Bool. [The
0022  * overflow checkers only almost work for _Bool, but that's
0023  * a-feature-not-a-bug, since people shouldn't be doing arithmetic on
0024  * _Bools. Besides, the gcc builtins don't allow _Bool* as third
0025  * argument.]
0026  *
0027  * Idea stolen from
0028  * https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html -
0029  * credit to Christian Biere.
0030  */
0031 #define is_signed_type(type)       (((type)(-1)) < (type)1)
0032 #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
0033 #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
0034 #define type_min(T) ((T)((T)-type_max(T)-(T)1))
0035
0036 /*
0037  * For simplicity and code hygiene, the fallback code below insists on
0038  * a, b and *d having the same type (similar to the min() and max()
0039  * macros), whereas gcc's type-generic overflow checkers accept
0040  * different types. Hence we don't just make check_add_overflow an
0041  * alias for __builtin_add_overflow, but add type checks similar to
0042  * below.
0043  */
0044 #define check_add_overflow(a, b, d) ({      \
0045     typeof(a) __a = (a);            \
0046     typeof(b) __b = (b);            \
0047     typeof(d) __d = (d);            \
0048     (void) (&__a == &__b);          \
0049     (void) (&__a == __d);           \
0050     __builtin_add_overflow(__a, __b, __d);  \
0051 })
0052
0053 #define check_sub_overflow(a, b, d) ({      \
0054     typeof(a) __a = (a);            \
0055     typeof(b) __b = (b);            \
0056     typeof(d) __d = (d);            \
0057     (void) (&__a == &__b);          \
0058     (void) (&__a == __d);           \
0059     __builtin_sub_overflow(__a, __b, __d);  \
0060 })
0061
0062 #define check_mul_overflow(a, b, d) ({      \
0063     typeof(a) __a = (a);            \
0064     typeof(b) __b = (b);            \
0065     typeof(d) __d = (d);            \
0066     (void) (&__a == &__b);          \
0067     (void) (&__a == __d);           \
0068     __builtin_mul_overflow(__a, __b, __d);  \
0069 })
0070
0071 /**
0072  * array_size() - Calculate size of 2-dimensional array.
0073  *
0074  * @a: dimension one
0075  * @b: dimension two
0076  *
0077  * Calculates size of 2-dimensional array: @a * @b.
0078  *
0079  * Returns: number of bytes needed to represent the array or SIZE_MAX on
0080  * overflow.
0081  */
0082 static inline __must_check size_t array_size(size_t a, size_t b)
0083 {
0084     size_t bytes;
0085
0086     if (check_mul_overflow(a, b, &bytes))
0087         return SIZE_MAX;
0088
0089     return bytes;
0090 }
0091
0092 /**
0093  * array3_size() - Calculate size of 3-dimensional array.
0094  *
0095  * @a: dimension one
0096  * @b: dimension two
0097  * @c: dimension three
0098  *
0099  * Calculates size of 3-dimensional array: @a * @b * @c.
0100  *
0101  * Returns: number of bytes needed to represent the array or SIZE_MAX on
0102  * overflow.
0103  */
0104 static inline __must_check size_t array3_size(size_t a, size_t b, size_t c)
0105 {
0106     size_t bytes;
0107
0108     if (check_mul_overflow(a, b, &bytes))
0109         return SIZE_MAX;
0110     if (check_mul_overflow(bytes, c, &bytes))
0111         return SIZE_MAX;
0112
0113     return bytes;
0114 }
0115
0116 static inline __must_check size_t __ab_c_size(size_t n, size_t size, size_t c)
0117 {
0118     size_t bytes;
0119
0120     if (check_mul_overflow(n, size, &bytes))
0121         return SIZE_MAX;
0122     if (check_add_overflow(bytes, c, &bytes))
0123         return SIZE_MAX;
0124
0125     return bytes;
0126 }
0127
0128 /**
0129  * struct_size() - Calculate size of structure with trailing array.
0130  * @p: Pointer to the structure.
0131  * @member: Name of the array member.
0132  * @n: Number of elements in the array.
0133  *
0134  * Calculates size of memory needed for structure @p followed by an
0135  * array of @n @member elements.
0136  *
0137  * Return: number of bytes needed or SIZE_MAX on overflow.
0138  */
0139 #define struct_size(p, member, n)                   \
0140     __ab_c_size(n,                          \
0141             sizeof(*(p)->member) + __must_be_array((p)->member),\
0142             sizeof(*(p)))
0143
0144 #endif /* __LINUX_OVERFLOW_H */