^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 1) /* SPDX-License-Identifier: GPL-2.0 OR MIT */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 2) #ifndef __LINUX_OVERFLOW_H
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 3) #define __LINUX_OVERFLOW_H
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 4)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 5) #include <linux/compiler.h>
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 6)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 7) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 8) * In the fallback code below, we need to compute the minimum and
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 9) * maximum values representable in a given type. These macros may also
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10) * be useful elsewhere, so we provide them outside the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) * COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW block.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) * It would seem more obvious to do something like
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18) * Unfortunately, the middle expressions, strictly speaking, have
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) * undefined behaviour, and at least some versions of gcc warn about
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20) * the type_max expression (but not if -fsanitize=undefined is in
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21) * effect; in that case, the warning is deferred to runtime...).
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 22) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 23) * The slightly excessive casting in type_min is to make sure the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 24) * macros also produce sensible values for the exotic type _Bool. [The
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 25) * overflow checkers only almost work for _Bool, but that's
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26) * a-feature-not-a-bug, since people shouldn't be doing arithmetic on
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 27) * _Bools. Besides, the gcc builtins don't allow _Bool* as third
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 28) * argument.]
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 29) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 30) * Idea stolen from
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 31) * https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html -
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 32) * credit to Christian Biere.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 33) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 34) #define is_signed_type(type) (((type)(-1)) < (type)1)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 35) #define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 36) #define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 37) #define type_min(T) ((T)((T)-type_max(T)-(T)1))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 38)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 39)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 40) #ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 41) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 42) * For simplicity and code hygiene, the fallback code below insists on
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 43) * a, b and *d having the same type (similar to the min() and max()
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 44) * macros), whereas gcc's type-generic overflow checkers accept
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 45) * different types. Hence we don't just make check_add_overflow an
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 46) * alias for __builtin_add_overflow, but add type checks similar to
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 47) * below.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 48) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 49) #define check_add_overflow(a, b, d) ({ \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 50) typeof(a) __a = (a); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 51) typeof(b) __b = (b); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 52) typeof(d) __d = (d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 53) (void) (&__a == &__b); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 54) (void) (&__a == __d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 55) __builtin_add_overflow(__a, __b, __d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 56) })
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 57)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 58) #define check_sub_overflow(a, b, d) ({ \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 59) typeof(a) __a = (a); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 60) typeof(b) __b = (b); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 61) typeof(d) __d = (d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 62) (void) (&__a == &__b); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 63) (void) (&__a == __d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 64) __builtin_sub_overflow(__a, __b, __d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 65) })
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 66)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 67) #define check_mul_overflow(a, b, d) ({ \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68) typeof(a) __a = (a); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69) typeof(b) __b = (b); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 70) typeof(d) __d = (d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 71) (void) (&__a == &__b); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 72) (void) (&__a == __d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 73) __builtin_mul_overflow(__a, __b, __d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 74) })
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 75)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 76) #else
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 77)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 78)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 79) /* Checking for unsigned overflow is relatively easy without causing UB. */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 80) #define __unsigned_add_overflow(a, b, d) ({ \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 81) typeof(a) __a = (a); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 82) typeof(b) __b = (b); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 83) typeof(d) __d = (d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 84) (void) (&__a == &__b); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 85) (void) (&__a == __d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 86) *__d = __a + __b; \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 87) *__d < __a; \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 88) })
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 89) #define __unsigned_sub_overflow(a, b, d) ({ \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 90) typeof(a) __a = (a); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 91) typeof(b) __b = (b); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 92) typeof(d) __d = (d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 93) (void) (&__a == &__b); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 94) (void) (&__a == __d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 95) *__d = __a - __b; \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 96) __a < __b; \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 97) })
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 98) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 99) * If one of a or b is a compile-time constant, this avoids a division.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 100) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 101) #define __unsigned_mul_overflow(a, b, d) ({ \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 102) typeof(a) __a = (a); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 103) typeof(b) __b = (b); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 104) typeof(d) __d = (d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 105) (void) (&__a == &__b); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106) (void) (&__a == __d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 107) *__d = __a * __b; \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 108) __builtin_constant_p(__b) ? \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 109) __b > 0 && __a > type_max(typeof(__a)) / __b : \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 110) __a > 0 && __b > type_max(typeof(__b)) / __a; \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 111) })
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 112)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 113) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 114) * For signed types, detecting overflow is much harder, especially if
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 115) * we want to avoid UB. But the interface of these macros is such that
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 116) * we must provide a result in *d, and in fact we must produce the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 117) * result promised by gcc's builtins, which is simply the possibly
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 118) * wrapped-around value. Fortunately, we can just formally do the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 119) * operations in the widest relevant unsigned type (u64) and then
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 120) * truncate the result - gcc is smart enough to generate the same code
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 121) * with and without the (u64) casts.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 122) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 123)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 124) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 125) * Adding two signed integers can overflow only if they have the same
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 126) * sign, and overflow has happened iff the result has the opposite
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 127) * sign.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 128) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 129) #define __signed_add_overflow(a, b, d) ({ \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 130) typeof(a) __a = (a); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 131) typeof(b) __b = (b); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 132) typeof(d) __d = (d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133) (void) (&__a == &__b); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 134) (void) (&__a == __d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 135) *__d = (u64)__a + (u64)__b; \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 136) (((~(__a ^ __b)) & (*__d ^ __a)) \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 137) & type_min(typeof(__a))) != 0; \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 138) })
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 139)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 140) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 141) * Subtraction is similar, except that overflow can now happen only
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 142) * when the signs are opposite. In this case, overflow has happened if
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 143) * the result has the opposite sign of a.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 145) #define __signed_sub_overflow(a, b, d) ({ \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 146) typeof(a) __a = (a); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 147) typeof(b) __b = (b); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 148) typeof(d) __d = (d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 149) (void) (&__a == &__b); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 150) (void) (&__a == __d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 151) *__d = (u64)__a - (u64)__b; \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 152) ((((__a ^ __b)) & (*__d ^ __a)) \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 153) & type_min(typeof(__a))) != 0; \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 154) })
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 155)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 156) /*
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 157) * Signed multiplication is rather hard. gcc always follows C99, so
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 158) * division is truncated towards 0. This means that we can write the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 159) * overflow check like this:
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 160) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 161) * (a > 0 && (b > MAX/a || b < MIN/a)) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 162) * (a < -1 && (b > MIN/a || b < MAX/a) ||
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163) * (a == -1 && b == MIN)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 164) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 165) * The redundant casts of -1 are to silence an annoying -Wtype-limits
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 166) * (included in -Wextra) warning: When the type is u8 or u16, the
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 167) * __b_c_e in check_mul_overflow obviously selects
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 168) * __unsigned_mul_overflow, but unfortunately gcc still parses this
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 169) * code and warns about the limited range of __b.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 170) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 171)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 172) #define __signed_mul_overflow(a, b, d) ({ \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 173) typeof(a) __a = (a); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 174) typeof(b) __b = (b); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 175) typeof(d) __d = (d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 176) typeof(a) __tmax = type_max(typeof(a)); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 177) typeof(a) __tmin = type_min(typeof(a)); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 178) (void) (&__a == &__b); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179) (void) (&__a == __d); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180) *__d = (u64)__a * (u64)__b; \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 181) (__b > 0 && (__a > __tmax/__b || __a < __tmin/__b)) || \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 182) (__b < (typeof(__b))-1 && (__a > __tmin/__b || __a < __tmax/__b)) || \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 183) (__b == (typeof(__b))-1 && __a == __tmin); \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 184) })
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 185)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 186)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 187) #define check_add_overflow(a, b, d) \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 188) __builtin_choose_expr(is_signed_type(typeof(a)), \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 189) __signed_add_overflow(a, b, d), \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190) __unsigned_add_overflow(a, b, d))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 192) #define check_sub_overflow(a, b, d) \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 193) __builtin_choose_expr(is_signed_type(typeof(a)), \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 194) __signed_sub_overflow(a, b, d), \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 195) __unsigned_sub_overflow(a, b, d))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 196)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 197) #define check_mul_overflow(a, b, d) \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 198) __builtin_choose_expr(is_signed_type(typeof(a)), \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 199) __signed_mul_overflow(a, b, d), \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 200) __unsigned_mul_overflow(a, b, d))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 201)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 202)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 203) #endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 204)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 205) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 206) * array_size() - Calculate size of 2-dimensional array.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 207) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 208) * @a: dimension one
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 209) * @b: dimension two
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 210) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 211) * Calculates size of 2-dimensional array: @a * @b.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 212) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 213) * Returns: number of bytes needed to represent the array or SIZE_MAX on
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 214) * overflow.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 215) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 216) static inline __must_check size_t array_size(size_t a, size_t b)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 217) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 218) size_t bytes;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 219)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 220) if (check_mul_overflow(a, b, &bytes))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 221) return SIZE_MAX;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 222)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 223) return bytes;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 224) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 225)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 226) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 227) * array3_size() - Calculate size of 3-dimensional array.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 228) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 229) * @a: dimension one
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 230) * @b: dimension two
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 231) * @c: dimension three
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 232) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 233) * Calculates size of 3-dimensional array: @a * @b * @c.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 234) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 235) * Returns: number of bytes needed to represent the array or SIZE_MAX on
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 236) * overflow.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 237) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 238) static inline __must_check size_t array3_size(size_t a, size_t b, size_t c)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 239) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 240) size_t bytes;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 241)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 242) if (check_mul_overflow(a, b, &bytes))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 243) return SIZE_MAX;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 244) if (check_mul_overflow(bytes, c, &bytes))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 245) return SIZE_MAX;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 246)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 247) return bytes;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 248) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 249)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 250) static inline __must_check size_t __ab_c_size(size_t n, size_t size, size_t c)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 251) {
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 252) size_t bytes;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 253)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 254) if (check_mul_overflow(n, size, &bytes))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 255) return SIZE_MAX;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 256) if (check_add_overflow(bytes, c, &bytes))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 257) return SIZE_MAX;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 258)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 259) return bytes;
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 260) }
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 261)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 262) /**
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 263) * struct_size() - Calculate size of structure with trailing array.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 264) * @p: Pointer to the structure.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 265) * @member: Name of the array member.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 266) * @n: Number of elements in the array.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 267) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 268) * Calculates size of memory needed for structure @p followed by an
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 269) * array of @n @member elements.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 270) *
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 271) * Return: number of bytes needed or SIZE_MAX on overflow.
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 272) */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 273) #define struct_size(p, member, n) \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 274) __ab_c_size(n, \
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 275) sizeof(*(p)->member) + __must_be_array((p)->member),\
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 276) sizeof(*(p)))
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 277)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 278) #endif /* __LINUX_OVERFLOW_H */
Orange Pi5 kernel
Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards
3 Commits
0 Branches
0 Tags