sysmacros: Make P2ROUNDUP not trigger int overflow

The original P2ROUNDUP and P2ROUNDUP_TYPED macros contain -x which
triggers PaX's integer overflow detection for unsigned integers.
Replace the macros with an equivalent version that does not trigger
the overflow.

Axioms:
A. (-(x)) === (~((x) - 1)) === (~(x) + 1) under two's complement.
B. ~(x & y) === ((~(x)) | (~(y))) under De Morgan's law.
C. ~(~x) === x under the law of excluded middle.

Proof:
0. (-(-(x) & -(align))) original
1. (~(-(x) & -(align)) + 1) by A
2. (((~(-(x))) | (~(-(align)))) + 1) by B
3. (((~(~((x) - 1))) | (~(~((align) - 1)))) + 1) by A
4. (((((x) - 1)) | (((align) - 1))) + 1) by C
Q.E.D.

Signed-off-by: Jason Zaman <jason@perfinion.com>
Reviewed-by: Chris Dunlop <chris@onthe.net.au>
Reviewed-by: Richard Yao <ryao@gentoo.org>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes zfsonlinux/zfs#2505
Closes #488

diff --git a/include/sys/sysmacros.h b/include/sys/sysmacros.h
index 4dc7cd8585619a77d4405ab15724bb30769e3ce6..4a96e075ff3fc51c7f9b0b3bccf3f8a07c02ee5e 100644 (file)
--- a/include/sys/sysmacros.h
+++ b/include/sys/sysmacros.h
@@ -186,7 +186,7 @@ extern void spl_cleanup(void);
  */
 #define P2ALIGN(x, align)      ((x) & -(align))
 #define P2CROSS(x, y, align)   (((x) ^ (y)) > (align) - 1)
-#define P2ROUNDUP(x, align)    (-(-(x) & -(align)))
+#define P2ROUNDUP(x, align)    ((((x) - 1) | ((align) - 1)) + 1)
 #define P2PHASE(x, align)      ((x) & ((align) - 1))
 #define P2NPHASE(x, align)     (-(x) & ((align) - 1))
 #define ISP2(x)                        (((x) & ((x) - 1)) == 0)
@@ -213,7 +213,7 @@ extern void spl_cleanup(void);
 #define P2NPHASE_TYPED(x, align, type)  \
         (-(type)(x) & ((type)(align) - 1))
 #define P2ROUNDUP_TYPED(x, align, type) \
-        (-(-(type)(x) & -(type)(align)))
+        ((((type)(x) - 1) | ((type)(align) - 1)) + 1)
 #define P2END_TYPED(x, align, type)     \
         (-(~(type)(x) & -(type)(align)))
 #define P2PHASEUP_TYPED(x, align, phase, type)  \