Patch "minmax: improve macro expansion and type checking" has been added to the 5.15-stable tree
gregkh at linuxfoundation.org
gregkh at linuxfoundation.org
Fri Oct 17 01:16:15 PDT 2025
This is a note to let you know that I've just added the patch titled
minmax: improve macro expansion and type checking
to the 5.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
minmax-improve-macro-expansion-and-type-checking.patch
and it can be found in the queue-5.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.
>From prvs=36971892a=farbere at amazon.com Wed Oct 8 17:33:00 2025
From: Eliav Farber <farbere at amazon.com>
Date: Wed, 8 Oct 2025 15:29:36 +0000
Subject: minmax: improve macro expansion and type checking
To: <gregkh at linuxfoundation.org>, <jdike at addtoit.com>, <richard at nod.at>, <anton.ivanov at cambridgegreys.com>, <dave.hansen at linux.intel.com>, <luto at kernel.org>, <peterz at infradead.org>, <tglx at linutronix.de>, <mingo at redhat.com>, <bp at alien8.de>, <x86 at kernel.org>, <hpa at zytor.com>, <tony.luck at intel.com>, <qiuxu.zhuo at intel.com>, <james.morse at arm.com>, <rric at kernel.org>, <airlied at linux.ie>, <daniel at ffwll.ch>, <maarten.lankhorst at linux.intel.com>, <mripard at kernel.org>, <tzimmermann at suse.de>, <robdclark at gmail.com>, <sean at poorly.run>, <jdelvare at suse.com>, <linux at roeck-us.net>, <linus.walleij at linaro.org>, <dmitry.torokhov at gmail.com>, <maz at kernel.org>, <wens at csie.org>, <jernej.skrabec at gmail.com>, <agk at redhat.com>, <snitzer at redhat.com>, <dm-devel at redhat.com>, <davem at davemloft.net>, <kuba at kernel.org>, <mcoquelin.stm32 at gmail.com>, <krzysztof.kozlowski at canonical.com>, <malattia at linux.it>, <hdegoede at redhat.com>, <mgross at linux.intel.com>, <jejb at linux.ibm.com>, <martin.petersen at oracle.com>, <sakari.ailus at l
inux.intel.com>, <clm at fb.com>, <josef at toxicpanda.com>, <dsterba at suse.com>, <jack at suse.com>, <tytso at mit.edu>, <adilger.kernel at dilger.ca>, <dushistov at mail.ru>, <luc.vanoostenryck at gmail.com>, <rostedt at goodmis.org>, <pmladek at suse.com>, <senozhatsky at chromium.org>, <andriy.shevchenko at linux.intel.com>, <linux at rasmusvillemoes.dk>, <minchan at kernel.org>, <ngupta at vflare.org>, <akpm at linux-foundation.org>, <yoshfuji at linux-ipv6.org>, <dsahern at kernel.org>, <pablo at netfilter.org>, <kadlec at netfilter.org>, <fw at strlen.de>, <jmaloy at redhat.com>, <ying.xue at windriver.com>, <shuah at kernel.org>, <willy at infradead.org>, <farbere at amazon.com>, <sashal at kernel.org>, <quic_akhilpo at quicinc.com>, <ruanjinjie at huawei.com>, <David.Laight at ACULAB.COM>, <herve.codina at bootlin.com>, <linux-arm-kernel at lists.infradead.org>, <linux-kernel at vger.kernel.org>, <linux-um at lists.infradead.org>, <linux-edac at vger.kernel.org>, <amd-gfx at lists.freedesktop.org>, <dri-devel at lists.freedesktop.org>, <linux-arm-msm at vger.kernel.org>, <freedreno at l
ists.freedesktop.org>, <linux-hwmon at vger.kernel.org>, <linux-input at vger.kernel.org>, <linux-sunxi at lists.linux.dev>, <linux-media at vger.kernel.org>, <netdev at vger.kernel.org>, <linux-stm32 at st-md-mailman.stormreply.com>, <platform-driver-x86 at vger.kernel.org>, <linux-scsi at vger.kernel.org>, <linux-staging at lists.linux.dev>, <linux-btrfs at vger.kernel.org>, <linux-ext4 at vger.kernel.org>, <linux-sparse at vger.kernel.org>, <linux-mm at kvack.org>, <netfilter-devel at vger.kernel.org>, <coreteam at netfilter.org>, <tipc-discussion at lists.sourceforge.net>, <linux-kselftest at vger.kernel.org>, <stable at vger.kernel.org>
Cc: Linus Torvalds <torvalds at linux-foundation.org>, Arnd Bergmann <arnd at kernel.org>, David Laight <David.Laight at aculab.com>, Lorenzo Stoakes <lorenzo.stoakes at oracle.com>
Message-ID: <20251008152946.29285-12-farbere at amazon.com>
From: Linus Torvalds <torvalds at linux-foundation.org>
[ Upstream commit 22f5468731491e53356ba7c028f0fdea20b18e2c ]
This clarifies the rules for min()/max()/clamp() type checking and makes
them a much more efficient macro expansion.
In particular, we now look at the type and range of the inputs to see
whether they work together, generating a mask of acceptable comparisons,
and then just verifying that the inputs have a shared case:
- an expression with a signed type can be used for
(1) signed comparisons
(2) unsigned comparisons if it is statically known to have a
non-negative value
- an expression with an unsigned type can be used for
(3) unsigned comparison
(4) signed comparisons if the type is smaller than 'int' and thus
the C integer promotion rules will make it signed anyway
Here rule (1) and (3) are obvious, and rule (2) is important in order to
allow obvious trivial constants to be used together with unsigned
values.
Rule (4) is not necessarily a good idea, but matches what we used to do,
and we have extant cases of this situation in the kernel. Notably with
bcachefs having an expression like
min(bch2_bucket_sectors_dirty(a), ca->mi.bucket_size)
where bch2_bucket_sectors_dirty() returns an 's64', and
'ca->mi.bucket_size' is of type 'u16'.
Technically that bcachefs comparison is clearly sensible on a C type
level, because the 'u16' will go through the normal C integer promotion,
and become 'int', and then we're comparing two signed values and
everything looks sane.
However, it's not entirely clear that a 'min(s64,u16)' operation makes a
lot of conceptual sense, and it's possible that we will remove rule (4).
After all, the _reason_ we have these complicated type checks is exactly
that the C type promotion rules are not very intuitive.
But at least for now the rule is in place for backwards compatibility.
Also note that rule (2) existed before, but is hugely relaxed by this
commit. It used to be true only for the simplest compile-time
non-negative integer constants. The new macro model will allow cases
where the compiler can trivially see that an expression is non-negative
even if it isn't necessarily a constant.
For example, the amdgpu driver does
min_t(size_t, sizeof(fru_info->serial), pia[addr] & 0x3F));
because our old 'min()' macro would see that 'pia[addr] & 0x3F' is of
type 'int' and clearly not a C constant expression, so doing a 'min()'
with a 'size_t' is a signedness violation.
Our new 'min()' macro still sees that 'pia[addr] & 0x3F' is of type
'int', but is smart enough to also see that it is clearly non-negative,
and thus would allow that case without any complaints.
Cc: Arnd Bergmann <arnd at kernel.org>
Cc: David Laight <David.Laight at aculab.com>
Cc: Lorenzo Stoakes <lorenzo.stoakes at oracle.com>
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
Signed-off-by: Eliav Farber <farbere at amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
include/linux/compiler.h | 9 +++++
include/linux/minmax.h | 78 ++++++++++++++++++++++++++++++++++++-----------
2 files changed, 70 insertions(+), 17 deletions(-)
--- a/include/linux/compiler.h
+++ b/include/linux/compiler.h
@@ -259,6 +259,15 @@ static inline void *offset_to_ptr(const
#define is_signed_type(type) (((type)(-1)) < (__force type)1)
/*
+ * Useful shorthand for "is this condition known at compile-time?"
+ *
+ * Note that the condition may involve non-constant values,
+ * but the compiler may know enough about the details of the
+ * values to determine that the condition is statically true.
+ */
+#define statically_true(x) (__builtin_constant_p(x) && (x))
+
+/*
* This is needed in functions which generate the stack canary, see
* arch/x86/kernel/smpboot.c::start_secondary() for an example.
*/
--- a/include/linux/minmax.h
+++ b/include/linux/minmax.h
@@ -26,19 +26,63 @@
#define __typecheck(x, y) \
(!!(sizeof((typeof(x) *)1 == (typeof(y) *)1)))
-/* is_signed_type() isn't a constexpr for pointer types */
-#define __is_signed(x) \
- __builtin_choose_expr(__is_constexpr(is_signed_type(typeof(x))), \
- is_signed_type(typeof(x)), 0)
-
-/* True for a non-negative signed int constant */
-#define __is_noneg_int(x) \
- (__builtin_choose_expr(__is_constexpr(x) && __is_signed(x), x, -1) >= 0)
-
-#define __types_ok(x, y, ux, uy) \
- (__is_signed(ux) == __is_signed(uy) || \
- __is_signed((ux) + 0) == __is_signed((uy) + 0) || \
- __is_noneg_int(x) || __is_noneg_int(y))
+/*
+ * __sign_use for integer expressions:
+ * bit #0 set if ok for unsigned comparisons
+ * bit #1 set if ok for signed comparisons
+ *
+ * In particular, statically non-negative signed integer
+ * expressions are ok for both.
+ *
+ * NOTE! Unsigned types smaller than 'int' are implicitly
+ * converted to 'int' in expressions, and are accepted for
+ * signed conversions for now. This is debatable.
+ *
+ * Note that 'x' is the original expression, and 'ux' is
+ * the unique variable that contains the value.
+ *
+ * We use 'ux' for pure type checking, and 'x' for when
+ * we need to look at the value (but without evaluating
+ * it for side effects! Careful to only ever evaluate it
+ * with sizeof() or __builtin_constant_p() etc).
+ *
+ * Pointers end up being checked by the normal C type
+ * rules at the actual comparison, and these expressions
+ * only need to be careful to not cause warnings for
+ * pointer use.
+ */
+#define __signed_type_use(x,ux) (2+__is_nonneg(x,ux))
+#define __unsigned_type_use(x,ux) (1+2*(sizeof(ux)<4))
+#define __sign_use(x,ux) (is_signed_type(typeof(ux))? \
+ __signed_type_use(x,ux):__unsigned_type_use(x,ux))
+
+/*
+ * To avoid warnings about casting pointers to integers
+ * of different sizes, we need that special sign type.
+ *
+ * On 64-bit we can just always use 'long', since any
+ * integer or pointer type can just be cast to that.
+ *
+ * This does not work for 128-bit signed integers since
+ * the cast would truncate them, but we do not use s128
+ * types in the kernel (we do use 'u128', but they will
+ * be handled by the !is_signed_type() case).
+ *
+ * NOTE! The cast is there only to avoid any warnings
+ * from when values that aren't signed integer types.
+ */
+#ifdef CONFIG_64BIT
+ #define __signed_type(ux) long
+#else
+ #define __signed_type(ux) typeof(__builtin_choose_expr(sizeof(ux)>4,1LL,1L))
+#endif
+#define __is_nonneg(x,ux) statically_true((__signed_type(ux))(x)>=0)
+
+#define __types_ok(x,y,ux,uy) \
+ (__sign_use(x,ux) & __sign_use(y,uy))
+
+#define __types_ok3(x,y,z,ux,uy,uz) \
+ (__sign_use(x,ux) & __sign_use(y,uy) & __sign_use(z,uz))
#define __cmp_op_min <
#define __cmp_op_max >
@@ -53,8 +97,8 @@
#define __careful_cmp_once(op, x, y, ux, uy) ({ \
__auto_type ux = (x); __auto_type uy = (y); \
- static_assert(__types_ok(x, y, ux, uy), \
- #op "(" #x ", " #y ") signedness error, fix types or consider u" #op "() before " #op "_t()"); \
+ BUILD_BUG_ON_MSG(!__types_ok(x,y,ux,uy), \
+ #op"("#x", "#y") signedness error"); \
__cmp(op, ux, uy); })
#define __careful_cmp(op, x, y) \
@@ -70,8 +114,8 @@
static_assert(__builtin_choose_expr(__is_constexpr((lo) > (hi)), \
(lo) <= (hi), true), \
"clamp() low limit " #lo " greater than high limit " #hi); \
- static_assert(__types_ok(uval, lo, uval, ulo), "clamp() 'lo' signedness error"); \
- static_assert(__types_ok(uval, hi, uval, uhi), "clamp() 'hi' signedness error"); \
+ BUILD_BUG_ON_MSG(!__types_ok3(val,lo,hi,uval,ulo,uhi), \
+ "clamp("#val", "#lo", "#hi") signedness error"); \
__clamp(uval, ulo, uhi); })
#define __careful_clamp(val, lo, hi) \
Patches currently in stable-queue which might be from farbere at amazon.com are
queue-5.15/minmax-add-a-few-more-min_t-max_t-users.patch
queue-5.15/minmax-improve-macro-expansion-and-type-checking.patch
queue-5.15/minmax-fix-indentation-of-__cmp_once-and-__clamp_once.patch
queue-5.15/minmax.h-simplify-the-variants-of-clamp.patch
queue-5.15/minmax-add-in_range-macro.patch
queue-5.15/minmax.h-move-all-the-clamp-definitions-after-the-min-max-ones.patch
queue-5.15/minmax-don-t-use-max-in-situations-that-want-a-c-constant-expression.patch
queue-5.15/minmax.h-remove-some-defines-that-are-only-expanded-once.patch
queue-5.15/minmax.h-use-build_bug_on_msg-for-the-lo-hi-test-in-clamp.patch
queue-5.15/minmax-simplify-min-max-clamp-implementation.patch
queue-5.15/minmax-deduplicate-__unconst_integer_typeof.patch
queue-5.15/minmax-simplify-and-clarify-min_t-max_t-implementation.patch
queue-5.15/minmax.h-add-whitespace-around-operators-and-after-commas.patch
queue-5.15/minmax-avoid-overly-complicated-constant-expressions-in-vm-code.patch
queue-5.15/minmax-make-generic-min-and-max-macros-available-everywhere.patch
queue-5.15/minmax-fix-up-min3-and-max3-too.patch
queue-5.15/minmax.h-reduce-the-define-expansion-of-min-max-and-clamp.patch
queue-5.15/minmax-introduce-min-max-_array.patch
queue-5.15/minmax.h-update-some-comments.patch
More information about the linux-um
mailing list