asm-generic: avoid sparse {get,put}_unaligned warning

  Sparse will try to check casting of simple integer types which are marked
as __bitwise. This for example "disallows" simple casting of __be{16,32,64}
or __le{16,32,64} to other types. This is also true for pointers to
variables with this type.

But the new generic {get,put}_unaligned is doing that by (reinterpret)
casting the original pointer to a new (anonymous) struct pointer. This will
then create warnings like:

  net/batman-adv/distributed-arp-table.c:1461:19: warning: cast from restricted __be32 *
  net/batman-adv/distributed-arp-table.c:1510:23: warning: cast from restricted __be32 [usertype] *[assigned] magic
  net/batman-adv/distributed-arp-table.c:1588:24: warning: cast from restricted __be32 [usertype] *[assigned] yiaddr

The special attribute force must be used in such statements when the cast
is known to be safe to avoid these warnings.

Fixes: 803f4e1eab7a ("asm-generic: simplify asm/unaligned.h")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
---
 include/asm-generic/unaligned.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
  

On Sat, Jul 24, 2021 at 06:24:29PM +0200, Sven Eckelmann wrote:

> The special attribute force must be used in such statements when the cast
> is known to be safe to avoid these warnings.

	How about container_of(ptr, typeof(*__pptr), x) instead of a cast?
Would be easier to follow...
  

On Sat, Jul 24, 2021 at 7:01 PM Al Viro <viro@zeniv.linux.org.uk> wrote:
>
> On Sat, Jul 24, 2021 at 06:24:29PM +0200, Sven Eckelmann wrote:
>
> > The special attribute force must be used in such statements when the cast
> > is known to be safe to avoid these warnings.

I can see why this would warn, but I'm having trouble reproducing the
warning on linux-next.

>         How about container_of(ptr, typeof(*__pptr), x) instead of a cast?
> Would be easier to follow...

If both work equally well, I'd prefer Sven's patch since that only
expands 'type'
once, while container_of() expands it three more times. This may not make
much of a difference, but I've seen a number of cases where nested macros
can explode the preprocessed code size enough to slow down kernel compilation
over all, and it's quite possible to have get_unaligned()/put_unaligned in
the middle of that, with a complex expression passed into that.

      Arnd
  

On Monday, 26 July 2021 14:57:31 CEST Arnd Bergmann wrote:
> >
> > > The special attribute force must be used in such statements when the cast
> > > is known to be safe to avoid these warnings.
> 
> I can see why this would warn, but I'm having trouble reproducing the
> warning on linux-next.

I have sparse 0.6.3 on an Debian bullseye amd64 system. Sources are from 
linux-next next-20210723

    make allnoconfig
    cat >> .config << "EOF"
    CONFIG_NET=y
    CONFIG_INET=y
    CONFIG_BATMAN_ADV=y
    CONFIG_BATMAN_ADV_DAT=y
    EOF
    make olddefconfig
    make CHECK="sparse -Wbitwise-pointer" C=1

I should maybe have made this clearer in the last sentence of the first 
paragraph: "This is also true for pointers to variables with this type when
-Wbitwise-pointer is activated."

Kind regards,
	Sven
  

On Mon, Jul 26, 2021 at 5:04 PM Sven Eckelmann <sven@narfation.org> wrote:
>
> On Monday, 26 July 2021 14:57:31 CEST Arnd Bergmann wrote:
> > >
> > > > The special attribute force must be used in such statements when the cast
> > > > is known to be safe to avoid these warnings.
> >
> > I can see why this would warn, but I'm having trouble reproducing the
> > warning on linux-next.
>
> I have sparse 0.6.3 on an Debian bullseye amd64 system. Sources are from
> linux-next next-20210723
>
>     make allnoconfig
>     cat >> .config << "EOF"
>     CONFIG_NET=y
>     CONFIG_INET=y
>     CONFIG_BATMAN_ADV=y
>     CONFIG_BATMAN_ADV_DAT=y
>     EOF
>     make olddefconfig
>     make CHECK="sparse -Wbitwise-pointer" C=1
>
> I should maybe have made this clearer in the last sentence of the first
> paragraph: "This is also true for pointers to variables with this type when
> -Wbitwise-pointer is activated."

Ok, got it. I assumed this would be turned on by an 'allmodconfig' build.

> > If both work equally well, I'd prefer Sven's patch since that only
> > expands 'type' once, while container_of() expands it three more times

Not sure what I was thinking here, as it's not 'type' that gets expanded
here but 'ptr'. We could do Al's suggestion to avoid the __force without
multiple expansions, using

diff --git a/include/asm-generic/unaligned.h b/include/asm-generic/unaligned.h
index 1c4242416c9f..d138dc5fd8e3 100644
--- a/include/asm-generic/unaligned.h
+++ b/include/asm-generic/unaligned.h
@@ -10,17 +10,25 @@
 #include <asm/byteorder.h>

 #define __get_unaligned_t(type, ptr) ({
                 \
-       const struct { type x; } __packed *__pptr =
(typeof(__pptr))(ptr);      \
+       const struct { type x; } __packed *__pptr =
         \
+                               container_of(ptr, typeof(*__pptr), x);
         \
        __pptr->x;
         \
 })

 #define __put_unaligned_t(type, val, ptr) do {
         \
-       struct { type x; } __packed *__pptr = (typeof(__pptr))(ptr);
         \
+       struct { type x; } __packed *__pptr =
         \
+                               container_of(ptr, typeof(*__pptr), x);
         \
        __pptr->x = (val);
         \
 } while (0)

-#define get_unaligned(ptr)     __get_unaligned_t(typeof(*(ptr)), (ptr))
-#define put_unaligned(val, ptr) __put_unaligned_t(typeof(*(ptr)), (val), (ptr))
+#define get_unaligned(ptr)     ({
         \
+       __auto_type _ptr = (ptr);
         \
+       __get_unaligned_t(typeof(*(_ptr)), (_ptr));
         \
+})
+#define put_unaligned(val, ptr)        ({
                 \
+       __auto_type _ptr = (ptr);
         \
+       __put_unaligned_t(typeof(*(_ptr)), (val), (_ptr));
         \
+})

 static inline u16 get_unaligned_le16(const void *p)
 {

Not sure if this is any better.

        Arnd
  

From: Sven Eckelmann
> Sent: 24 July 2021 17:24
> 
> Sparse will try to check casting of simple integer types which are marked
> as __bitwise. This for example "disallows" simple casting of __be{16,32,64}
> or __le{16,32,64} to other types. This is also true for pointers to
> variables with this type.
> 
> But the new generic {get,put}_unaligned is doing that by (reinterpret)
> casting the original pointer to a new (anonymous) struct pointer. This will
> then create warnings like:
> 
>   net/batman-adv/distributed-arp-table.c:1461:19: warning: cast from restricted __be32 *
>   net/batman-adv/distributed-arp-table.c:1510:23: warning: cast from restricted __be32 [usertype]
> *[assigned] magic
>   net/batman-adv/distributed-arp-table.c:1588:24: warning: cast from restricted __be32 [usertype]
> *[assigned] yiaddr
> 
> The special attribute force must be used in such statements when the cast
> is known to be safe to avoid these warnings.

At least the __force is being added to an existing cast.

The real problems are when a (__force __le32)value cast is used
to silence sparse.
These should really be something like:
	__tell_sparce(__le32, value)
so that the whole thing can be removed by the preprocessor when
compiling the code.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)