On Thu, Jan 08, 2026 at 03:06:31PM +0100, Vlastimil Babka wrote:
> On 12/4/25 00:30, Kees Cook wrote:
> > As done for kmalloc_obj*(), introduce a type-aware allocator for flexible
> > arrays, which may also have "counted_by" annotations:
> >
> > ptr = kmalloc(struct_size(ptr, flex_member, count), gfp);
> >
> > becomes:
> >
> > ptr = kmalloc_flex(*ptr, flex_member, count, gfp);
> >
> > The internal use of __flex_counter() allows for automatically setting
> > the counter member of a struct's flexible array member when it has
> > been annotated with __counted_by(), avoiding any missed early size
> > initializations while __counted_by() annotations are added to the
> > kernel. Additionally, this also checks for "too large" allocations based
> > on the type size of the counter variable. For example:
> >
> > if (count > type_max(ptr->flex_counter))
> > 	fail...;
> > size = struct_size(ptr, flex_member, count);
> > ptr = kmalloc(size, gfp);
> > ptr->flex_counter = count;
> >
> > becomes (n.b. unchanged from earlier example):
> >
> > ptr = kmalloc_flex(*ptr, flex_member, count, gfp);
> > ptr->flex_count = count;
>
> ^ flex_counter ?
>
> But if it was "too large", ptr is NULL so this will oops?
I've changed this to:

...
based on the type size of the counter variable. For example:

	if (count > type_max(ptr->flex_counter))
		fail...;
	size = struct_size(ptr, flex_member, count);
	ptr = kmalloc(size, gfp);
	if (!ptr)
		fail...;
	ptr->flex_counter = count;

becomes (n.b. unchanged from earlier example):

	ptr = kmalloc_flex(*ptr, flex_member, count, gfp);
	if (!ptr)
		fail...;
	ptr->flex_counter = count;

May I add your Acked-by for this 4/5 patch?
--
Kees Cook
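A userspace model of the allocator contract discussed in this thread (reject a count that does not fit the counter member's type, guard the size computation, and set the counter on success), added here as an illustration; it is not the kernel's kmalloc_flex() code, and struct pkt, pkt_alloc(), flex_size() and type_max_unsigned() are names assumed for the example.

```c
/* Added example modelling the kmalloc_flex() contract in userspace.
 * Not kernel code: struct pkt, pkt_alloc(), flex_size() and
 * type_max_unsigned() are assumptions made for this illustration. */
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

typedef uint8_t u8;

/* A u8 counter can only describe up to 255 elements, so a larger count
 * must be rejected before allocating, as the commit message describes. */
struct pkt {
	u8 len;     /* counter member (kernel code would annotate data[] with __counted_by(len)) */
	u8 data[];  /* flexible array member */
};

/* Stand-in for the kernel's type_max(), valid for unsigned types only:
 * all bits set in the member's own type. */
#define type_max_unsigned(x) ((__typeof__(x))~(__typeof__(x))0)

/* struct_size()-style helper: base + elem * count, saturating to SIZE_MAX
 * on overflow so a wrapped size can never reach the allocator. */
size_t flex_size(size_t base, size_t elem, size_t count)
{
	size_t bytes;

	if (elem && count > SIZE_MAX / elem)
		return SIZE_MAX;
	bytes = elem * count;
	if (bytes > SIZE_MAX - base)
		return SIZE_MAX;
	return base + bytes;
}

/* Model of kmalloc_flex(*ptr, data, count, gfp) for struct pkt: returns NULL
 * when count exceeds the counter's type or the size saturates, otherwise a
 * zeroed object whose counter is already initialized. */
struct pkt *pkt_alloc(size_t count)
{
	size_t bytes;
	struct pkt *p;

	if (count > type_max_unsigned(((struct pkt *)0)->len))
		return NULL;                 /* "too large" for the counter type */
	bytes = flex_size(sizeof(*p), sizeof(p->data[0]), count);
	if (bytes == SIZE_MAX)
		return NULL;                 /* size computation overflowed */
	p = calloc(1, bytes);
	if (!p)
		return NULL;                 /* caller still checks for NULL */
	p->len = (u8)count;                  /* counter set by the allocator */
	return p;
}
```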