From: Kees Cook
To: Andrew Morton
Cc: Kees Cook, Linus Torvalds, Josh Poimboeuf, Rasmus Villemoes, Randy Dunlap, Miguel Ojeda, Ingo Molnar, David Laight, Ian Abbott, linux-input@vger.kernel.org, linux-btrfs@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com
Subject: [PATCH v5 0/2] Remove false-positive VLAs when using max()
Date: Thu, 15 Mar 2018 21:25:57 -0700
Message-Id: <1521174359-46392-1-git-send-email-keescook@chromium.org>

Patch 1 adds const_max_t(), patch 2 uses it in all the places max() was used for stack arrays.

Commit log from patch 1:

---snip---
kernel.h: Introduce const_max_t() for VLA removal

In the effort to remove all VLAs from the kernel[1], it is desirable to build with -Wvla. However, this warning is overly pessimistic, in that it is only happy with stack array sizes that are declared as constant expressions, and not constant values. One case of this is the evaluation of the max() macro which, due to its construction, ends up converting constant expression arguments into a constant value result.

Attempts to adjust the behavior of max() ran afoul of version-dependent compiler behavior[2]. To work around this and still gain -Wvla coverage, this patch introduces a new macro, const_max_t(), for use in these cases of stack array size declaration, where the constant expressions are retained. Since this means losing the double-evaluation protections of the max() macro, this macro is designed to explicitly fail if used on non-constant arguments.

Older compilers will fail with the unhelpful message:

    error: first argument to ‘__builtin_choose_expr’ not a constant

Newer compilers will fail with a hopefully more helpful message:

    error: call to ‘__error_non_const_arg’ declared with attribute error: const_max_t() used with non-constant expression

To gain the ability to compare differing types, the desired type must be explicitly declared, as with the existing max_t() macro. This is needed when comparing different enum types and to allow things like:

    int foo[const_max_t(size_t, 6, sizeof(something))];

[1] https://lkml.org/lkml/2018/3/7/621
[2] https://lkml.org/lkml/2018/3/10/170
---eol---

Hopefully this reads well as a summary from all the things that got tried. I've tested this on allmodconfig builds with gcc 4.4.4 and 6.3.0, with and without -Wvla.

-Kees

v5: explicit type argument
v4: forced size_t type
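
An added example, not part of the message above or of the patch it describes: a user-space sketch of the constant-value versus constant-expression distinction, building on the __builtin_choose_expr and error-attribute behaviour quoted in the commit log. The macro bodies, the names old_style_max, sketch_const_max_t and sketch_error_non_const_arg, and the two record types are assumptions made for illustration; the patch's own definition is not shown on this page.

```c
#include <stddef.h>

/* Constructed stand-ins for two record types sharing one scratch buffer. */
struct rec_small { unsigned char bytes[12]; };
struct rec_large { unsigned char bytes[20]; };

/* Simplified kernel-style max(): the statement expression protects against
 * double evaluation, but its result is a constant value, not a constant
 * expression, so gcc treats an array sized with it as a VLA. */
#define old_style_max(x, y) ({		\
	__typeof__(x) _a = (x);		\
	__typeof__(y) _b = (y);		\
	_a > _b ? _a : _b; })

/* Never defined: it is only referenced when an argument is non-constant. */
size_t sketch_error_non_const_arg(void)
	__attribute__((error("sketch_const_max_t() used with non-constant expression")));

/* Hypothetical sketch: the arguments stay constant expressions, and
 * anything that is not a compile-time constant breaks the build. */
#define sketch_const_max_t(type, x, y)					\
	__builtin_choose_expr(__builtin_constant_p(x) &&		\
			      __builtin_constant_p(y),			\
		(type)(x) > (type)(y) ? (type)(x) : (type)(y),		\
		sketch_error_non_const_arg())

size_t vla_scratch_size(void)
{
	/* Building with gcc -Wvla flags this declaration. */
	unsigned char scratch[old_style_max(sizeof(struct rec_small),
					    sizeof(struct rec_large))];
	return sizeof(scratch);	/* evaluated at run time for a VLA */
}

size_t fixed_scratch_size(void)
{
	unsigned char scratch[sketch_const_max_t(size_t,
						 sizeof(struct rec_small),
						 sizeof(struct rec_large))];
	/* Compiles only because sizeof of a non-VLA is a constant expression. */
	_Static_assert(sizeof(scratch) == 20, "scratch must be a fixed-size array");
	return sizeof(scratch);
}
```

Both functions reserve the same 20 bytes; only the second declaration passes a -Wvla build, and passing a runtime variable to sketch_const_max_t() stops the build instead of silently creating a VLA.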