Re: [PATCH v4 12/18] x86/sgx: Add EPC OOM path to forcefully reclaim EPC
On Wed, 13 Sep 2023 10:34:28 -0500, Jarkko Sakkinen wrote: +++ b/arch/x86/kernel/cpu/sgx/encl.h @@ -39,6 +39,7 @@ enum sgx_encl_flags { SGX_ENCL_DEBUG = BIT(1), SGX_ENCL_CREATED= BIT(2), SGX_ENCL_INITIALIZED= BIT(3), + SGX_ENCL_OOM= BIT(4), Given how the constants are named before maybe SGX_ENCL_NO_MEMORY would be more obvious. Will do. Thanks Haitao
Re: [PATCH v4 15/18] x86/sgx: Prepare for multiple LRUs
On Wed, 13 Sep 2023 10:42:52 -0500, Jarkko Sakkinen wrote: On Wed Sep 13, 2023 at 7:06 AM EEST, Haitao Huang wrote: Add sgx_can_reclaim() wrapper and encapsulate direct references to the global LRU list in the reclaimer functions so that they can be called with an LRU list per EPC cgroup. Signed-off-by: Sean Christopherson Signed-off-by: Kristen Carlson Accardi Signed-off-by: Haitao Huang Cc: Sean Christopherson --- V4: - Re-organized this patch to include all changes related to encapsulation of the global LRU - Moved this patch to precede the EPC cgroup patch --- arch/x86/kernel/cpu/sgx/main.c | 41 +++--- 1 file changed, 28 insertions(+), 13 deletions(-) diff --git a/arch/x86/kernel/cpu/sgx/main.c b/arch/x86/kernel/cpu/sgx/main.c index ce316bd5e5bb..3d396fe5ec09 100644 --- a/arch/x86/kernel/cpu/sgx/main.c +++ b/arch/x86/kernel/cpu/sgx/main.c @@ -34,6 +34,16 @@ static DEFINE_XARRAY(sgx_epc_address_space); */ static struct sgx_epc_lru_lists sgx_global_lru; +static inline struct sgx_epc_lru_lists *sgx_lru_lists(struct sgx_epc_page *epc_page) +{ + return &sgx_global_lru; +} I'd simply export sgx_global_lru. The purpose of this patch to to hide sgx_global_lru so later we can have LRU per cgroup. I'll update the commit message to make it clear this is not just for sgx_can_reclaim +static inline bool sgx_can_reclaim(void) +{ + return !list_empty(&sgx_global_lru.reclaimable); +} Accessors for the object should be named so that this fact is reflected, e.g. sgx_global_lru_can_reclaim() in this case. I would just open code this to the call sites though. ditto Thanks Haitao
Re: [PATCH v4 01/18] cgroup/misc: Add per resource callbacks for CSS events
Hi Jarkko On Wed, 13 Sep 2023 04:39:06 -0500, Jarkko Sakkinen wrote: On Wed Sep 13, 2023 at 7:06 AM EEST, Haitao Huang wrote: From: Kristen Carlson Accardi Consumers of the misc cgroup controller might need to perform separate actions for Cgroups Subsystem State(CSS) events: cgroup alloc and free. nit: s/State(CSS)/State (CSS)/ "cgroup alloc" and "cgroup free" mean absolutely nothing. In addition, writes to the max value may also need separate action. Add What "the max value"? the ability to allow downstream users to setup callbacks for these operations, and call the corresponding per-resource-type callback when appropriate. Who are "the downstream users" and what sort of callbacks they setup? How about this? The misc cgroup controller (subsystem) currently does not perform resource type specific action for Cgroups Subsystem State (CSS) events: the 'css_alloc' event when a cgroup is created and the 'css_free' event when a cgroup is destroyed, or in event of user writing the max value to the misc.max file to set the consumption limit of a specific resource [admin-guide/cgroup-v2.rst, 5-9. Misc]. Define callbacks for those events and allow resource providers to register the callbacks per resource type as needed. This will be utilized later by the EPC misc cgroup support implemented in the SGX driver: - On cgroup alloc, allocate and initialize necessary structures for EPC reclaiming, e.g., LRU list, work queue, etc. - On cgroup free, cleanup and free those structures created in alloc. - On max write, trigger EPC reclaiming if the new limit is at or below current consumption. Thanks Haitao
[PATCH] x86/mm/dump_pagetables: Add SLAB_VIRTUAL knowledge
Add the markings for the SLAB_VIRTUAL area. Cc: Matteo Rizzo Cc: Jann Horn Cc: Dave Hansen Cc: Andy Lutomirski Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: x...@kernel.org Cc: "H. Peter Anvin" Signed-off-by: Kees Cook --- This is on top of the SLAB_VIRTUAL series: https://lore.kernel.org/all/20230915105933.495735-11-matteori...@google.com/ Feel free to collapse this into the x86 patch from the above series. FYI, as expected, the kernel page table entries get way longer with SLAB_VIRTUAL. :) Without SLAB_VIRTUAL: # wc -l /sys/kernel/debug/page_tables/kernel 1501 /sys/kernel/debug/page_tables/kernel With SLAB_VIRTUAL: # wc -l /sys/kernel/debug/page_tables/kernel 7549 /sys/kernel/debug/page_tables/kernel --- arch/x86/mm/dump_pagetables.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/arch/x86/mm/dump_pagetables.c b/arch/x86/mm/dump_pagetables.c index e1b599ecbbc2..b1fa68669e61 100644 --- a/arch/x86/mm/dump_pagetables.c +++ b/arch/x86/mm/dump_pagetables.c @@ -64,6 +64,9 @@ enum address_markers_idx { KASAN_SHADOW_END_NR, #endif CPU_ENTRY_AREA_NR, +#ifdef CONFIG_SLAB_VIRTUAL + SLAB_AREA_NR, +#endif #ifdef CONFIG_X86_ESPFIX64 ESPFIX_START_NR, #endif @@ -95,6 +98,9 @@ static struct addr_marker address_markers[] = { [LDT_NR]= { 0UL,"LDT remap" }, #endif [CPU_ENTRY_AREA_NR] = { CPU_ENTRY_AREA_BASE,"CPU entry Area" }, +#ifdef CONFIG_SLAB_VIRTUAL + [SLAB_AREA_NR] = { SLAB_BASE_ADDR, "Slab Area" }, +#endif #ifdef CONFIG_X86_ESPFIX64 [ESPFIX_START_NR] = { ESPFIX_BASE_ADDR, "ESPfix Area", 16 }, #endif -- 2.34.1
[PATCH 3/9] mm/damon/core: use nr_accesses_bp as a source of damos_before_apply tracepoint
damos_before_apply tracepoint is exposing access rate of DAMON regions using nr_accesses field of regions, which was actually used by DAMOS in the past. However, it has changed to use nr_accesses_bp instead. Update the tracepoint to expose the value that DAMOS is really using. Note that it doesn't expose the value as is in the basis point, but after converting it to the natural number by dividing it by 10,000. Therefore this change doesn't make user-visible behavioral differences. Signed-off-by: SeongJae Park --- include/trace/events/damon.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/trace/events/damon.h b/include/trace/events/damon.h index 19930bb7af9a..23200aabccac 100644 --- a/include/trace/events/damon.h +++ b/include/trace/events/damon.h @@ -36,7 +36,7 @@ TRACE_EVENT_CONDITION(damos_before_apply, __entry->target_idx = target_idx; __entry->start = r->ar.start; __entry->end = r->ar.end; - __entry->nr_accesses = r->nr_accesses; + __entry->nr_accesses = r->nr_accesses_bp / 1; __entry->age = r->age; __entry->nr_regions = nr_regions; ), -- 2.25.1
Re: [PATCH v4 01/18] cgroup/misc: Add per resource callbacks for CSS events
On Fri, 15 Sep 2023 12:58:11 -0500, Tejun Heo wrote: On Fri, Sep 15, 2023 at 07:55:45AM -1000, Tejun Heo wrote: On Tue, Sep 12, 2023 at 09:06:18PM -0700, Haitao Huang wrote: > @@ -37,6 +37,11 @@ struct misc_res { >u64 max; >atomic64_t usage; >atomic64_t events; > + > + /* per resource callback ops */ > + int (*misc_cg_alloc)(struct misc_cg *cg); > + void (*misc_cg_free)(struct misc_cg *cg); > + void (*misc_cg_max_write)(struct misc_cg *cg); A nit about naming. These are already in misc_res and cgroup_ and cgrp_ prefixes are a lot more common. So, maybe go for sth like cgrp_alloc? Ah, never mind about the prefix part. misc is using cg_ prefix widely already. Change them to plain alloc, free, max_write? As they are per resource type, not per cgroup. Also following no-prefix naming scheme like "open" for fops, vma_ops, etc. Thanks for your review. Haitao
Re: [PATCH][next] net: spider_net: Use size_add() in call to struct_size()
On 9/15/23 14:25, Gustavo A. R. Silva wrote: > If, for any reason, the open-coded arithmetic causes a wraparound, > the protection that `struct_size()` adds against potential integer > overflows is defeated. Fix this by hardening call to `struct_size()` > with `size_add()`. > > Fixes: 3f1071ec39f7 ("net: spider_net: Use struct_size() helper") > Signed-off-by: Gustavo A. R. Silva > --- > drivers/net/ethernet/toshiba/spider_net.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/ethernet/toshiba/spider_net.c > b/drivers/net/ethernet/toshiba/spider_net.c > index 50d7eacfec58..87e67121477c 100644 > --- a/drivers/net/ethernet/toshiba/spider_net.c > +++ b/drivers/net/ethernet/toshiba/spider_net.c > @@ -2332,7 +2332,7 @@ spider_net_alloc_card(void) > struct spider_net_card *card; > > netdev = alloc_etherdev(struct_size(card, darray, > - tx_descriptors + rx_descriptors)); > + size_add(tx_descriptors, > rx_descriptors))); > if (!netdev) > return NULL; > Looks good to me. Thanks for your fix-up. Signed-off-by: Geoff Levand
Re: [PATCH] tracing/timerlat: Hotplug support for the user-space interface
Hi Daniel, kernel test robot noticed the following build warnings: [auto build test WARNING on linus/master] [also build test WARNING on v6.6-rc1 next-20230915] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch#_base_tree_information] url: https://github.com/intel-lab-lkp/linux/commits/Daniel-Bristot-de-Oliveira/tracing-timerlat-Hotplug-support-for-the-user-space-interface/20230915-230157 base: linus/master patch link: https://lore.kernel.org/r/b619d9fd08a3bb47018cf40afa95783844a3c1fd.1694789910.git.bristot%40kernel.org patch subject: [PATCH] tracing/timerlat: Hotplug support for the user-space interface config: um-randconfig-002-20230916 (https://download.01.org/0day-ci/archive/20230916/202309160854.saw0rium-...@intel.com/config) compiler: gcc-12 (Debian 12.2.0-14) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20230916/202309160854.saw0rium-...@intel.com/reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot | Closes: https://lore.kernel.org/oe-kbuild-all/202309160854.saw0rium-...@intel.com/ All warnings (new ones prefixed by >>): >> kernel/trace/trace_osnoise.c:2125:13: warning: >> 'timerlat_rm_per_cpu_interface' defined but not used [-Wunused-function] 2125 | static void timerlat_rm_per_cpu_interface(long cpu) {}; | ^ >> kernel/trace/trace_osnoise.c:2124:12: warning: >> 'timerlat_add_per_cpu_interface' defined but not used [-Wunused-function] 2124 | static int timerlat_add_per_cpu_interface(long cpu) { return 0; }; |^~ vim +/timerlat_rm_per_cpu_interface +2125 kernel/trace/trace_osnoise.c 2112 2113 static void timerlat_rm_per_cpu_interface(long cpu) 2114 { 2115 struct dentry *cpu_dir = per_cpu_ptr(&osnoise_per_cpu_dir, cpu)->root; 2116 2117 if (cpu_dir) { 2118 tracefs_remove(cpu_dir); 2119 per_cpu_ptr(&osnoise_per_cpu_dir, cpu)->root = NULL; 2120 per_cpu_ptr(&osnoise_per_cpu_dir, cpu)->timerlat_fd = NULL; 2121 } 2122 } 2123 #else > 2124 static int timerlat_add_per_cpu_interface(long cpu) { return 0; }; > 2125 static void timerlat_rm_per_cpu_interface(long cpu) {}; 2126 #endif 2127 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki
Re: [PATCH] ocfs2: Annotate struct ocfs2_slot_info with __counted_by
On 9/15/23 14:15, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct ocfs2_slot_info. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Mark Fasheh Cc: Joel Becker Cc: Joseph Qi Cc: ocfs2-de...@lists.linux.dev Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- fs/ocfs2/slot_map.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ocfs2/slot_map.c b/fs/ocfs2/slot_map.c index da7718cef735..e544c704b583 100644 --- a/fs/ocfs2/slot_map.c +++ b/fs/ocfs2/slot_map.c @@ -37,7 +37,7 @@ struct ocfs2_slot_info { unsigned int si_blocks; struct buffer_head **si_bh; unsigned int si_num_slots; - struct ocfs2_slot si_slots[]; + struct ocfs2_slot si_slots[] __counted_by(si_num_slots); };
Re: [PATCH] afs: Annotate struct afs_permits with __counted_by
On 9/15/23 14:14, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct afs_permits. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: David Howells Cc: Marc Dionne Cc: linux-...@lists.infradead.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- fs/afs/internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/afs/internal.h b/fs/afs/internal.h index 07433a5349ca..469a717467a4 100644 --- a/fs/afs/internal.h +++ b/fs/afs/internal.h @@ -705,7 +705,7 @@ struct afs_permits { refcount_t usage; unsigned short nr_permits; /* Number of records */ boolinvalidated;/* Invalidated due to key change */ - struct afs_permit permits[]; /* List of permits sorted by key pointer */ + struct afs_permit permits[] __counted_by(nr_permits); /* List of permits sorted by key pointer */ }; /*
Re: [PATCH] ceph: Annotate struct ceph_osd_request with __counted_by
On 9/15/23 14:15, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct ceph_osd_request. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Ilya Dryomov Cc: Xiubo Li Cc: Jeff Layton Cc: ceph-de...@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- include/linux/ceph/osd_client.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/ceph/osd_client.h b/include/linux/ceph/osd_client.h index bf9823956758..b8610e9d2471 100644 --- a/include/linux/ceph/osd_client.h +++ b/include/linux/ceph/osd_client.h @@ -278,7 +278,7 @@ struct ceph_osd_request { int r_attempts; u32 r_map_dne_bound; - struct ceph_osd_req_op r_ops[]; + struct ceph_osd_req_op r_ops[] __counted_by(r_num_ops); }; struct ceph_request_redirect {
Re: [PATCH] ceph: Annotate struct ceph_monmap with __counted_by
On 9/15/23 14:15, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct ceph_monmap. Additionally, since the element count member must be set before accessing the annotated flexible array member, move its initialization earlier. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Ilya Dryomov Cc: Xiubo Li Cc: Jeff Layton Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: ceph-de...@vger.kernel.org Cc: net...@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- include/linux/ceph/mon_client.h | 2 +- net/ceph/mon_client.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/ceph/mon_client.h b/include/linux/ceph/mon_client.h index b658961156a0..7a9a40163c0f 100644 --- a/include/linux/ceph/mon_client.h +++ b/include/linux/ceph/mon_client.h @@ -19,7 +19,7 @@ struct ceph_monmap { struct ceph_fsid fsid; u32 epoch; u32 num_mon; - struct ceph_entity_inst mon_inst[]; + struct ceph_entity_inst mon_inst[] __counted_by(num_mon); }; struct ceph_mon_client; diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c index faabad6603db..f263f7e91a21 100644 --- a/net/ceph/mon_client.c +++ b/net/ceph/mon_client.c @@ -1136,6 +1136,7 @@ static int build_initial_monmap(struct ceph_mon_client *monc) GFP_KERNEL); if (!monc->monmap) return -ENOMEM; + monc->monmap->num_mon = num_mon; for (i = 0; i < num_mon; i++) { struct ceph_entity_inst *inst = &monc->monmap->mon_inst[i]; @@ -1147,7 +1148,6 @@ static int build_initial_monmap(struct ceph_mon_client *monc) inst->name.type = CEPH_ENTITY_TYPE_MON; inst->name.num = cpu_to_le64(i); } - monc->monmap->num_mon = num_mon; return 0; }
Re: [PATCH] NFS/flexfiles: Annotate struct nfs4_ff_layout_segment with __counted_by
On 9/15/23 14:14, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct nfs4_ff_layout_segment. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Trond Myklebust Cc: Anna Schumaker Cc: linux-...@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- fs/nfs/flexfilelayout/flexfilelayout.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/nfs/flexfilelayout/flexfilelayout.h b/fs/nfs/flexfilelayout/flexfilelayout.h index 354a031c69b1..f84b3fb0 100644 --- a/fs/nfs/flexfilelayout/flexfilelayout.h +++ b/fs/nfs/flexfilelayout/flexfilelayout.h @@ -99,7 +99,7 @@ struct nfs4_ff_layout_segment { u64 stripe_unit; u32 flags; u32 mirror_array_cnt; - struct nfs4_ff_layout_mirror*mirror_array[]; + struct nfs4_ff_layout_mirror*mirror_array[] __counted_by(mirror_array_cnt); }; struct nfs4_flexfile_layout {
Re: [PATCH] afs: Annotate struct afs_addr_list with __counted_by
On 9/15/23 14:14, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct afs_addr_list. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: David Howells Cc: Marc Dionne Cc: linux-...@lists.infradead.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- fs/afs/internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/afs/internal.h b/fs/afs/internal.h index da73b97e19a9..07433a5349ca 100644 --- a/fs/afs/internal.h +++ b/fs/afs/internal.h @@ -87,7 +87,7 @@ struct afs_addr_list { enum dns_lookup_status status:8; unsigned long failed; /* Mask of addrs that failed locally/ICMP */ unsigned long responded; /* Mask of addrs that responded */ - struct sockaddr_rxrpc addrs[]; + struct sockaddr_rxrpc addrs[] __counted_by(max_addrs); #define AFS_MAX_ADDRESSES ((unsigned int)(sizeof(unsigned long) * 8)) };
Re: [PATCH] aio: Annotate struct kioctx_table with __counted_by
On 9/15/23 14:14, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct kioctx_table. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Benjamin LaHaise Cc: Alexander Viro Cc: Christian Brauner Cc: linux-...@kvack.org Cc: linux-fsde...@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- fs/aio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/aio.c b/fs/aio.c index a4c2a6bac72c..f8589caef9c1 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -80,7 +80,7 @@ struct aio_ring { struct kioctx_table { struct rcu_head rcu; unsignednr; - struct kioctx __rcu *table[]; + struct kioctx __rcu *table[] __counted_by(nr); }; struct kioctx_cpu {
Re: [PATCH] udf: Annotate struct udf_bitmap with __counted_by
On 9/15/23 14:14, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct udf_bitmap. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Jan Kara Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- fs/udf/udf_sb.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/udf/udf_sb.h b/fs/udf/udf_sb.h index 9af6ff7f9747..f9a60bc1abcf 100644 --- a/fs/udf/udf_sb.h +++ b/fs/udf/udf_sb.h @@ -86,7 +86,7 @@ struct udf_virtual_data { struct udf_bitmap { __u32 s_extPosition; int s_nr_groups; - struct buffer_head *s_block_bitmap[]; + struct buffer_head *s_block_bitmap[] __counted_by(s_nr_groups); }; struct udf_part_map {
Re: [PATCH] mtd: rawnand: renesas: Annotate struct rnand_chip with __counted_by
On 9/15/23 14:12, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct rnand_chip. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: linux-...@lists.infradead.org Cc: linux-renesas-...@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/mtd/nand/raw/renesas-nand-controller.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/renesas-nand-controller.c b/drivers/mtd/nand/raw/renesas-nand-controller.c index 589021ea9eb2..c9a01feff8df 100644 --- a/drivers/mtd/nand/raw/renesas-nand-controller.c +++ b/drivers/mtd/nand/raw/renesas-nand-controller.c @@ -210,7 +210,7 @@ struct rnand_chip { u32 tim_gen_seq1; u32 tim_gen_seq2; u32 tim_gen_seq3; - struct rnand_chip_sel sels[]; + struct rnand_chip_sel sels[] __counted_by(nsels); }; struct rnandc {
Re: [PATCH] mtd: rawnand: sunxi: Annotate struct sunxi_nand_chip with __counted_by
On 9/15/23 14:13, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct sunxi_nand_chip. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: Chen-Yu Tsai Cc: Jernej Skrabec Cc: Samuel Holland Cc: Manuel Dipolt Cc: linux-...@lists.infradead.org Cc: linux-arm-ker...@lists.infradead.org Cc: linux-su...@lists.linux.dev Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/mtd/nand/raw/sunxi_nand.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/sunxi_nand.c b/drivers/mtd/nand/raw/sunxi_nand.c index 9abf38049d35..4ec17c8bce5a 100644 --- a/drivers/mtd/nand/raw/sunxi_nand.c +++ b/drivers/mtd/nand/raw/sunxi_nand.c @@ -197,7 +197,7 @@ struct sunxi_nand_chip { u32 timing_cfg; u32 timing_ctl; int nsels; - struct sunxi_nand_chip_sel sels[]; + struct sunxi_nand_chip_sel sels[] __counted_by(nsels); }; static inline struct sunxi_nand_chip *to_sunxi_nand(struct nand_chip *nand)
Re: [PATCH] mtd: rawnand: marvell: Annotate struct marvell_nand_chip with __counted_by
On 9/15/23 14:12, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct marvell_nand_chip. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: linux-...@lists.infradead.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/mtd/nand/raw/marvell_nand.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/marvell_nand.c b/drivers/mtd/nand/raw/marvell_nand.c index b841a81cb128..a46698744850 100644 --- a/drivers/mtd/nand/raw/marvell_nand.c +++ b/drivers/mtd/nand/raw/marvell_nand.c @@ -348,7 +348,7 @@ struct marvell_nand_chip { int addr_cyc; int selected_die; unsigned int nsels; - struct marvell_nand_chip_sel sels[]; + struct marvell_nand_chip_sel sels[] __counted_by(nsels); }; static inline struct marvell_nand_chip *to_marvell_nand(struct nand_chip *chip)
Re: [PATCH] mtd: rawnand: meson: Annotate struct meson_nfc_nand_chip with __counted_by
On 9/15/23 14:12, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct meson_nfc_nand_chip. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Liang Yang Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: Neil Armstrong Cc: Kevin Hilman Cc: Jerome Brunet Cc: Martin Blumenstingl Cc: linux-...@lists.infradead.org Cc: linux-arm-ker...@lists.infradead.org Cc: linux-amlo...@lists.infradead.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/mtd/nand/raw/meson_nand.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/meson_nand.c b/drivers/mtd/nand/raw/meson_nand.c index 25e3c1cb605e..378f28ce6a74 100644 --- a/drivers/mtd/nand/raw/meson_nand.c +++ b/drivers/mtd/nand/raw/meson_nand.c @@ -128,7 +128,7 @@ struct meson_nfc_nand_chip { u8 *data_buf; __le64 *info_buf; u32 nsels; - u8 sels[]; + u8 sels[] __counted_by(nsels); }; struct meson_nand_ecc {
Re: [PATCH] mtd: rawnand: ingenic: Annotate struct ingenic_nfc with __counted_by
On 9/15/23 14:12, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct ingenic_nfc. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Paul Cercueil Cc: Harvey Hunt Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: linux-m...@vger.kernel.org Cc: linux-...@lists.infradead.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/mtd/nand/raw/ingenic/ingenic_nand_drv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/ingenic/ingenic_nand_drv.c b/drivers/mtd/nand/raw/ingenic/ingenic_nand_drv.c index 6748226b8bd1..ce9ef4e65597 100644 --- a/drivers/mtd/nand/raw/ingenic/ingenic_nand_drv.c +++ b/drivers/mtd/nand/raw/ingenic/ingenic_nand_drv.c @@ -46,7 +46,7 @@ struct ingenic_nfc { struct nand_controller controller; unsigned int num_banks; struct list_head chips; - struct ingenic_nand_cs cs[]; + struct ingenic_nand_cs cs[] __counted_by(num_banks); }; struct ingenic_nand {
Re: [PATCH] mtd: rawnand: denali: Annotate struct denali_chip with __counted_by
On 9/15/23 14:12, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct denali_chip. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: linux-...@lists.infradead.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/mtd/nand/raw/denali.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/denali.h b/drivers/mtd/nand/raw/denali.h index ac46eb7956ce..5f2fab022fc5 100644 --- a/drivers/mtd/nand/raw/denali.h +++ b/drivers/mtd/nand/raw/denali.h @@ -328,7 +328,7 @@ struct denali_chip { struct nand_chip chip; struct list_head node; unsigned int nsels; - struct denali_chip_sel sels[]; + struct denali_chip_sel sels[] __counted_by(nsels); }; /**
Re: [PATCH] HID: uhid: refactor deprecated strncpy
On Fri, Sep 15, 2023 at 09:36:23AM +0200, David Rheinsberg wrote: > Hi > > On Fri, Sep 15, 2023, at 7:13 AM, Kees Cook wrote: > >> - /* @hid is zero-initialized, strncpy() is correct, strlcpy() not */ > >> - len = min(sizeof(hid->name), sizeof(ev->u.create2.name)) - 1; > >> - strncpy(hid->name, ev->u.create2.name, len); > >> - len = min(sizeof(hid->phys), sizeof(ev->u.create2.phys)) - 1; > >> - strncpy(hid->phys, ev->u.create2.phys, len); > >> - len = min(sizeof(hid->uniq), sizeof(ev->u.create2.uniq)) - 1; > >> - strncpy(hid->uniq, ev->u.create2.uniq, len); > > > > ev->u.create2 is: > > struct uhid_create2_req { > > __u8 name[128]; > > __u8 phys[64]; > > __u8 uniq[64]; > > ... > > > > hid is: > > struct hid_device { /* device report descriptor */ > > ... > > char name[128]; /* Device name */ > > char phys[64]; /* Device physical location */ > > char uniq[64]; /* Device unique identifier (serial #) */ > > > > So these "min" calls are redundant -- it wants to copy at most 1 less so > > it can be %NUL terminated. Which is what strscpy() already does. And > > source and dest are the same size, so we can't over-read source if it > > weren't terminated (since strscpy won't overread like strlcpy). > > I *really* think we should keep the `min` calls. The compiler > should already optimize them away, as both arguments are compile-time > constants. There is no inherent reason why source and target are equal in > size. Yes, it is unlikely to change, but I don't understand why we would > want to implicitly rely on it, rather than make the compiler verify it for > us. And `struct hid_device` is very much allowed to change in the future. > > As an alternative, you can use BUILD_BUG_ON() and verify both are equal in > length. If we can't depend on ev->u.create2.name/phys/uniq being %NUL-terminated, we've already done the "min" calculations, and we've already got the dest zeroed, then I suspect the thing to do is just use memcpy instead of strncpy (or strscpy). -- Kees Cook
Re: [PATCH] mtd: cfi: Annotate struct cfi_private with __counted_by
On 9/15/23 14:12, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct cfi_private. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: linux-...@lists.infradead.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- include/linux/mtd/cfi.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/mtd/cfi.h b/include/linux/mtd/cfi.h index d88bb56c18e2..947410faf9e2 100644 --- a/include/linux/mtd/cfi.h +++ b/include/linux/mtd/cfi.h @@ -287,7 +287,7 @@ struct cfi_private { unsigned long chipshift; /* Because they're of the same type */ const char *im_name; /* inter_module name for cmdset_setup */ unsigned long quirks; - struct flchip chips[]; /* per-chip data structure for each chip */ + struct flchip chips[] __counted_by(numchips); /* per-chip data structure for each chip */ }; uint32_t cfi_build_cmd_addr(uint32_t cmd_ofs,
Re: [PATCH] mtd: rawnand: atmel: Annotate struct atmel_nand with __counted_by
On 9/15/23 14:12, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct atmel_nand. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Tudor Ambarus Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: Nicolas Ferre Cc: Alexandre Belloni Cc: Claudiu Beznea Cc: linux-...@lists.infradead.org Cc: linux-arm-ker...@lists.infradead.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/mtd/nand/raw/atmel/nand-controller.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/atmel/nand-controller.c b/drivers/mtd/nand/raw/atmel/nand-controller.c index 3f494f7c7ecb..4cb478bbee4a 100644 --- a/drivers/mtd/nand/raw/atmel/nand-controller.c +++ b/drivers/mtd/nand/raw/atmel/nand-controller.c @@ -165,7 +165,7 @@ struct atmel_nand { struct atmel_pmecc_user *pmecc; struct gpio_desc *cdgpio; int numcs; - struct atmel_nand_cs cs[]; + struct atmel_nand_cs cs[] __counted_by(numcs); }; static inline struct atmel_nand *to_atmel_nand(struct nand_chip *chip)
Re: [PATCH] leds: qcom-lpg: Annotate struct lpg_led with __counted_by
On 9/15/23 14:11, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct lpg_led. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Pavel Machek Cc: Lee Jones Cc: Bjorn Andersson Cc: "Uwe Kleine-König" Cc: Douglas Anderson Cc: Anjelique Melendez Cc: linux-l...@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/leds/rgb/leds-qcom-lpg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/leds/rgb/leds-qcom-lpg.c b/drivers/leds/rgb/leds-qcom-lpg.c index df469aaa7e6e..7d93e02a030a 100644 --- a/drivers/leds/rgb/leds-qcom-lpg.c +++ b/drivers/leds/rgb/leds-qcom-lpg.c @@ -173,7 +173,7 @@ struct lpg_led { struct led_classdev_mc mcdev; unsigned int num_channels; - struct lpg_channel *channels[]; + struct lpg_channel *channels[] __counted_by(num_channels); }; /**
Re: [PATCH] leds: mt6370: Annotate struct mt6370_priv with __counted_by
On 9/15/23 14:10, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct mt6370_priv. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Pavel Machek Cc: Lee Jones Cc: Matthias Brugger Cc: AngeloGioacchino Del Regno Cc: Alice Chen Cc: Jacek Anaszewski Cc: ChiYuan Huang Cc: ChiaEn Wu Cc: kernel test robot Cc: linux-l...@vger.kernel.org Cc: linux-arm-ker...@lists.infradead.org Cc: linux-media...@lists.infradead.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/leds/flash/leds-mt6370-flash.c | 2 +- drivers/leds/rgb/leds-mt6370-rgb.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/leds/flash/leds-mt6370-flash.c b/drivers/leds/flash/leds-mt6370-flash.c index 931067c8a75f..912d9d622320 100644 --- a/drivers/leds/flash/leds-mt6370-flash.c +++ b/drivers/leds/flash/leds-mt6370-flash.c @@ -81,7 +81,7 @@ struct mt6370_priv { unsigned int fled_torch_used; unsigned int leds_active; unsigned int leds_count; - struct mt6370_led leds[]; + struct mt6370_led leds[] __counted_by(leds_count); }; static int mt6370_torch_brightness_set(struct led_classdev *lcdev, enum led_brightness level) diff --git a/drivers/leds/rgb/leds-mt6370-rgb.c b/drivers/leds/rgb/leds-mt6370-rgb.c index bb62431efe83..448d0da11848 100644 --- a/drivers/leds/rgb/leds-mt6370-rgb.c +++ b/drivers/leds/rgb/leds-mt6370-rgb.c @@ -153,7 +153,7 @@ struct mt6370_priv { const struct mt6370_pdata *pdata; unsigned int leds_count; unsigned int leds_active; - struct mt6370_led leds[]; + struct mt6370_led leds[] __counted_by(leds_count); }; static const struct reg_field common_reg_fields[F_MAX_FIELDS] = {
Re: [PATCH] mtd: Annotate struct lpddr_private with __counted_by
On 9/15/23 14:12, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct lpddr_private. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: linux-...@lists.infradead.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- include/linux/mtd/qinfo.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/mtd/qinfo.h b/include/linux/mtd/qinfo.h index 2e3f43788d48..0421f12156b5 100644 --- a/include/linux/mtd/qinfo.h +++ b/include/linux/mtd/qinfo.h @@ -24,7 +24,7 @@ struct lpddr_private { struct qinfo_chip *qinfo; int numchips; unsigned long chipshift; - struct flchip chips[]; + struct flchip chips[] __counted_by(numchips); }; /* qinfo_query_info structure contains request information for
Re: [PATCH] leds: mt6360: Annotate struct mt6360_priv with __counted_by
On 9/15/23 14:10, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct mt6360_priv. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Pavel Machek Cc: Lee Jones Cc: Matthias Brugger Cc: AngeloGioacchino Del Regno Cc: Gene Chen Cc: Jacek Anaszewski Cc: Andy Shevchenko Cc: linux-l...@vger.kernel.org Cc: linux-arm-ker...@lists.infradead.org Cc: linux-media...@lists.infradead.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/leds/flash/leds-mt6360.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/leds/flash/leds-mt6360.c b/drivers/leds/flash/leds-mt6360.c index 1af6c5898343..b70dc689b33f 100644 --- a/drivers/leds/flash/leds-mt6360.c +++ b/drivers/leds/flash/leds-mt6360.c @@ -91,7 +91,7 @@ struct mt6360_priv { unsigned int fled_torch_used; unsigned int leds_active; unsigned int leds_count; - struct mt6360_led leds[]; + struct mt6360_led leds[] __counted_by(leds_count); }; static int mt6360_mc_brightness_set(struct led_classdev *lcdev,
Re: [PATCH] leds: lm3697: Annotate struct lm3697 with __counted_by
On 9/15/23 14:10, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct lm3697. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Pavel Machek Cc: Lee Jones Cc: linux-l...@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/leds/leds-lm3697.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/leds/leds-lm3697.c b/drivers/leds/leds-lm3697.c index cfb8ac220db6..380d17a58fe9 100644 --- a/drivers/leds/leds-lm3697.c +++ b/drivers/leds/leds-lm3697.c @@ -89,7 +89,7 @@ struct lm3697 { int bank_cfg; int num_banks; - struct lm3697_led leds[]; + struct lm3697_led leds[] __counted_by(num_banks); }; static const struct reg_default lm3697_reg_defs[] = {
Re: [PATCH] leds: gpio: Annotate struct gpio_leds_priv with __counted_by
On 9/15/23 14:10, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct gpio_leds_priv. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Pavel Machek Cc: Lee Jones Cc: linux-l...@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/leds/leds-gpio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/leds/leds-gpio.c b/drivers/leds/leds-gpio.c index 7bfe40a6bfdd..a6597f0f3eb4 100644 --- a/drivers/leds/leds-gpio.c +++ b/drivers/leds/leds-gpio.c @@ -142,7 +142,7 @@ static int create_gpio_led(const struct gpio_led *template, struct gpio_leds_priv { int num_leds; - struct gpio_led_data leds[]; + struct gpio_led_data leds[] __counted_by(num_leds); }; static struct gpio_leds_priv *gpio_leds_create(struct platform_device *pdev)
Re: [PATCH] leds: cr0014114: Annotate struct cr0014114 with __counted_by
On 9/15/23 14:09, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct cr0014114. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Pavel Machek Cc: Lee Jones Cc: linux-l...@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/leds/leds-cr0014114.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/leds/leds-cr0014114.c b/drivers/leds/leds-cr0014114.c index b33bca397ea6..c9914fc51f20 100644 --- a/drivers/leds/leds-cr0014114.c +++ b/drivers/leds/leds-cr0014114.c @@ -56,7 +56,7 @@ struct cr0014114 { struct spi_device *spi; u8 *buf; unsigned long delay; - struct cr0014114_ledleds[]; + struct cr0014114_ledleds[] __counted_by(count); }; static void cr0014114_calc_crc(u8 *buf, const size_t len)
Re: [PATCH] leds: el15203000: Annotate struct el15203000 with __counted_by
On 9/15/23 14:09, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct el15203000. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Pavel Machek Cc: Lee Jones Cc: linux-l...@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/leds/leds-el15203000.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/leds/leds-el15203000.c b/drivers/leds/leds-el15203000.c index 7e7b617bcd56..d40194a3029f 100644 --- a/drivers/leds/leds-el15203000.c +++ b/drivers/leds/leds-el15203000.c @@ -80,7 +80,7 @@ struct el15203000 { struct spi_device *spi; unsigned long delay; size_t count; - struct el15203000_led leds[]; + struct el15203000_led leds[] __counted_by(count); }; #define to_el15203000_led(d) container_of(d, struct el15203000_led, ldev)
Re: [PATCH] leds: aw200xx: Annotate struct aw200xx with __counted_by
On 9/15/23 14:09, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct aw200xx. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Pavel Machek Cc: Lee Jones Cc: linux-l...@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/leds/leds-aw200xx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/leds/leds-aw200xx.c b/drivers/leds/leds-aw200xx.c index 691a743cc9b0..4d517cace3e7 100644 --- a/drivers/leds/leds-aw200xx.c +++ b/drivers/leds/leds-aw200xx.c @@ -112,7 +112,7 @@ struct aw200xx { struct mutex mutex; u32 num_leds; u32 display_rows; - struct aw200xx_led leds[]; + struct aw200xx_led leds[] __counted_by(num_leds); }; static ssize_t dim_show(struct device *dev, struct device_attribute *devattr,
Re: [PATCH] wifi: mt76: Annotate struct mt76_rx_tid with __counted_by
On 9/15/23 14:06, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct mt76_rx_tid. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Felix Fietkau Cc: Lorenzo Bianconi Cc: Ryder Lee Cc: Shayne Chen Cc: Sean Wang Cc: Kalle Valo Cc: Matthias Brugger Cc: AngeloGioacchino Del Regno Cc: linux-wirel...@vger.kernel.org Cc: linux-arm-ker...@lists.infradead.org Cc: linux-media...@lists.infradead.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/net/wireless/mediatek/mt76/mt76.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h index e8757865a3d0..03ef617b1527 100644 --- a/drivers/net/wireless/mediatek/mt76/mt76.h +++ b/drivers/net/wireless/mediatek/mt76/mt76.h @@ -376,7 +376,7 @@ struct mt76_rx_tid { u8 started:1, stopped:1, timer_pending:1; - struct sk_buff *reorder_buf[]; + struct sk_buff *reorder_buf[] __counted_by(size); }; #define MT_TX_CB_DMA_DONE BIT(0)
Re: [PATCH] wifi: wcn36xx: Annotate struct wcn36xx_hal_ind_msg with __counted_by
On 9/15/23 14:06, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct wcn36xx_hal_ind_msg. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Loic Poulain Cc: Kalle Valo Cc: wcn3...@lists.infradead.org Cc: linux-wirel...@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/net/wireless/ath/wcn36xx/smd.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/wcn36xx/smd.h b/drivers/net/wireless/ath/wcn36xx/smd.h index cf15cde2a364..2c1ed9e570bf 100644 --- a/drivers/net/wireless/ath/wcn36xx/smd.h +++ b/drivers/net/wireless/ath/wcn36xx/smd.h @@ -47,7 +47,7 @@ struct wcn36xx_fw_msg_status_rsp { struct wcn36xx_hal_ind_msg { struct list_head list; size_t msg_len; - u8 msg[]; + u8 msg[] __counted_by(msg_len); }; struct wcn36xx;
Re: [PATCH] wifi: ipw2x00: Annotate struct libipw_txb with __counted_by
On 9/15/23 14:06, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct libipw_txb. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Stanislav Yakovlev Cc: Kalle Valo Cc: linux-wirel...@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/net/wireless/intel/ipw2x00/libipw.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/ipw2x00/libipw.h b/drivers/net/wireless/intel/ipw2x00/libipw.h index bec7bc273748..9065ca5b0208 100644 --- a/drivers/net/wireless/intel/ipw2x00/libipw.h +++ b/drivers/net/wireless/intel/ipw2x00/libipw.h @@ -488,7 +488,7 @@ struct libipw_txb { u8 reserved; u16 frag_size; u16 payload_size; - struct sk_buff *fragments[]; + struct sk_buff *fragments[] __counted_by(nr_frags); }; /* SWEEP TABLE ENTRIES NUMBER */
Re: [PATCH] wifi: brcmfmac: firmware: Annotate struct brcmf_fw_request with __counted_by
On 9/15/23 14:05, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct brcmf_fw_request. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Arend van Spriel Cc: Franky Lin Cc: Hante Meuleman Cc: Kalle Valo Cc: Matthias Brugger Cc: Hector Martin Cc: "Alvin Šipraga" Cc: Hans de Goede Cc: linux-wirel...@vger.kernel.org Cc: brcm80211-dev-list@broadcom.com Cc: sha-cyfmac-dev-l...@infineon.com Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.h index 1266cbaee072..4002d326fd21 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.h +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.h @@ -69,7 +69,7 @@ struct brcmf_fw_request { u16 bus_nr; u32 n_items; const char *board_types[BRCMF_FW_MAX_BOARD_TYPES]; - struct brcmf_fw_item items[]; + struct brcmf_fw_item items[] __counted_by(n_items); }; struct brcmf_fw_name {
Re: [PATCH] md/md-linear: Annotate struct linear_conf with __counted_by
On 9/15/23 14:03, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct linear_conf. Additionally, since the element count member must be set before accessing the annotated flexible array member, move its initialization earlier. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Song Liu Cc: linux-r...@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/md/md-linear.c | 26 +- drivers/md/md-linear.h | 2 +- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/drivers/md/md-linear.c b/drivers/md/md-linear.c index 71ac99646827..ae2826e9645b 100644 --- a/drivers/md/md-linear.c +++ b/drivers/md/md-linear.c @@ -69,6 +69,19 @@ static struct linear_conf *linear_conf(struct mddev *mddev, int raid_disks) if (!conf) return NULL; + /* +* conf->raid_disks is copy of mddev->raid_disks. The reason to +* keep a copy of mddev->raid_disks in struct linear_conf is, +* mddev->raid_disks may not be consistent with pointers number of +* conf->disks[] when it is updated in linear_add() and used to +* iterate old conf->disks[] earray in linear_congested(). +* Here conf->raid_disks is always consitent with number of +* pointers in conf->disks[] array, and mddev->private is updated +* with rcu_assign_pointer() in linear_addr(), such race can be +* avoided. +*/ + conf->raid_disks = raid_disks; + cnt = 0; conf->array_sectors = 0; @@ -112,19 +125,6 @@ static struct linear_conf *linear_conf(struct mddev *mddev, int raid_disks) conf->disks[i-1].end_sector + conf->disks[i].rdev->sectors; - /* -* conf->raid_disks is copy of mddev->raid_disks. The reason to -* keep a copy of mddev->raid_disks in struct linear_conf is, -* mddev->raid_disks may not be consistent with pointers number of -* conf->disks[] when it is updated in linear_add() and used to -* iterate old conf->disks[] earray in linear_congested(). -* Here conf->raid_disks is always consitent with number of -* pointers in conf->disks[] array, and mddev->private is updated -* with rcu_assign_pointer() in linear_addr(), such race can be -* avoided. -*/ - conf->raid_disks = raid_disks; - return conf; out: diff --git a/drivers/md/md-linear.h b/drivers/md/md-linear.h index 24e97db50ebb..5587eeedb882 100644 --- a/drivers/md/md-linear.h +++ b/drivers/md/md-linear.h @@ -12,6 +12,6 @@ struct linear_conf struct rcu_head rcu; sector_tarray_sectors; int raid_disks; /* a copy of mddev->raid_disks */ - struct dev_info disks[]; + struct dev_info disks[] __counted_by(raid_disks); }; #endif
Re: [PATCH] usb: gadget: f_midi: Annotate struct f_midi with __counted_by
On 9/15/23 13:59, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct f_midi. Additionally, since the element count member must be set before accessing the annotated flexible array member, move its initialization earlier. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Greg Kroah-Hartman Cc: John Keeping Cc: Peter Chen Cc: Hulk Robot Cc: Allen Pais Cc: Will McVicker Cc: Davidlohr Bueso Cc: Zhang Qilong Cc: linux-...@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/usb/gadget/function/f_midi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c index 2d02f25f9597..033e347554db 100644 --- a/drivers/usb/gadget/function/f_midi.c +++ b/drivers/usb/gadget/function/f_midi.c @@ -99,7 +99,7 @@ struct f_midi { unsigned int in_last_port; unsigned char free_ref; - struct gmidi_in_port in_ports_array[/* in_ports */]; + struct gmidi_in_portin_ports_array[] __counted_by(in_ports); }; static inline struct f_midi *func_to_midi(struct usb_function *f) @@ -1349,6 +1349,7 @@ static struct usb_function *f_midi_alloc(struct usb_function_instance *fi) status = -ENOMEM; goto setup_fail; } + midi->in_ports = opts->in_ports; for (i = 0; i < opts->in_ports; i++) midi->in_ports_array[i].cable = i; @@ -1359,7 +1360,6 @@ static struct usb_function *f_midi_alloc(struct usb_function_instance *fi) status = -ENOMEM; goto midi_free; } - midi->in_ports = opts->in_ports; midi->out_ports = opts->out_ports; midi->index = opts->index; midi->buflen = opts->buflen;
Re: [PATCH] usb: gadget: f_fs: Annotate struct ffs_buffer with __counted_by
On 9/15/23 13:58, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct ffs_buffer. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Greg Kroah-Hartman Cc: John Keeping Cc: Udipto Goswami Cc: Linyu Yuan Cc: linux-...@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/usb/gadget/function/f_fs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 6e9ef35a43a7..af400d083777 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -202,7 +202,7 @@ struct ffs_epfile { struct ffs_buffer { size_t length; char *data; - char storage[]; + char storage[] __counted_by(length); }; /* ffs_io_data structure ***/
Re: [PATCH] wifi: brcmfmac: Annotate struct brcmf_gscan_config with __counted_by
On 9/15/23 14:05, Kees Cook wrote: Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct brcmf_gscan_config. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Arend van Spriel Cc: Franky Lin Cc: Hante Meuleman Cc: Kalle Valo Cc: "Gustavo A. R. Silva" Cc: Hector Martin Cc: Ryohei Kondo Cc: Hans de Goede Cc: linux-wirel...@vger.kernel.org Cc: brcm80211-dev-list@broadcom.com Cc: sha-cyfmac-dev-l...@infineon.com Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Thanks -- Gustavo --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h index bece26741d3a..6eef6bc430e2 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h @@ -1209,7 +1209,7 @@ struct brcmf_gscan_config { u8 count_of_channel_buckets; u8 retry_threshold; __le16 lost_ap_window; - struct brcmf_gscan_bucket_config bucket[]; + struct brcmf_gscan_bucket_config bucket[] __counted_by(count_of_channel_buckets); }; /**
[PATCH] ceph: Annotate struct ceph_osd_request with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct ceph_osd_request. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Ilya Dryomov Cc: Xiubo Li Cc: Jeff Layton Cc: ceph-de...@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/ceph/osd_client.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/ceph/osd_client.h b/include/linux/ceph/osd_client.h index bf9823956758..b8610e9d2471 100644 --- a/include/linux/ceph/osd_client.h +++ b/include/linux/ceph/osd_client.h @@ -278,7 +278,7 @@ struct ceph_osd_request { int r_attempts; u32 r_map_dne_bound; - struct ceph_osd_req_op r_ops[]; + struct ceph_osd_req_op r_ops[] __counted_by(r_num_ops); }; struct ceph_request_redirect { -- 2.34.1
[PATCH] afs: Annotate struct afs_permits with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct afs_permits. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: David Howells Cc: Marc Dionne Cc: linux-...@lists.infradead.org Signed-off-by: Kees Cook --- fs/afs/internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/afs/internal.h b/fs/afs/internal.h index 07433a5349ca..469a717467a4 100644 --- a/fs/afs/internal.h +++ b/fs/afs/internal.h @@ -705,7 +705,7 @@ struct afs_permits { refcount_t usage; unsigned short nr_permits; /* Number of records */ boolinvalidated;/* Invalidated due to key change */ - struct afs_permit permits[]; /* List of permits sorted by key pointer */ + struct afs_permit permits[] __counted_by(nr_permits); /* List of permits sorted by key pointer */ }; /* -- 2.34.1
[PATCH] ceph: Annotate struct ceph_monmap with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct ceph_monmap. Additionally, since the element count member must be set before accessing the annotated flexible array member, move its initialization earlier. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Ilya Dryomov Cc: Xiubo Li Cc: Jeff Layton Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: ceph-de...@vger.kernel.org Cc: net...@vger.kernel.org Signed-off-by: Kees Cook --- include/linux/ceph/mon_client.h | 2 +- net/ceph/mon_client.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/ceph/mon_client.h b/include/linux/ceph/mon_client.h index b658961156a0..7a9a40163c0f 100644 --- a/include/linux/ceph/mon_client.h +++ b/include/linux/ceph/mon_client.h @@ -19,7 +19,7 @@ struct ceph_monmap { struct ceph_fsid fsid; u32 epoch; u32 num_mon; - struct ceph_entity_inst mon_inst[]; + struct ceph_entity_inst mon_inst[] __counted_by(num_mon); }; struct ceph_mon_client; diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c index faabad6603db..f263f7e91a21 100644 --- a/net/ceph/mon_client.c +++ b/net/ceph/mon_client.c @@ -1136,6 +1136,7 @@ static int build_initial_monmap(struct ceph_mon_client *monc) GFP_KERNEL); if (!monc->monmap) return -ENOMEM; + monc->monmap->num_mon = num_mon; for (i = 0; i < num_mon; i++) { struct ceph_entity_inst *inst = &monc->monmap->mon_inst[i]; @@ -1147,7 +1148,6 @@ static int build_initial_monmap(struct ceph_mon_client *monc) inst->name.type = CEPH_ENTITY_TYPE_MON; inst->name.num = cpu_to_le64(i); } - monc->monmap->num_mon = num_mon; return 0; } -- 2.34.1
[PATCH] ocfs2: Annotate struct ocfs2_slot_info with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct ocfs2_slot_info. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Mark Fasheh Cc: Joel Becker Cc: Joseph Qi Cc: ocfs2-de...@lists.linux.dev Signed-off-by: Kees Cook --- fs/ocfs2/slot_map.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ocfs2/slot_map.c b/fs/ocfs2/slot_map.c index da7718cef735..e544c704b583 100644 --- a/fs/ocfs2/slot_map.c +++ b/fs/ocfs2/slot_map.c @@ -37,7 +37,7 @@ struct ocfs2_slot_info { unsigned int si_blocks; struct buffer_head **si_bh; unsigned int si_num_slots; - struct ocfs2_slot si_slots[]; + struct ocfs2_slot si_slots[] __counted_by(si_num_slots); }; -- 2.34.1
[PATCH] afs: Annotate struct afs_addr_list with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct afs_addr_list. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: David Howells Cc: Marc Dionne Cc: linux-...@lists.infradead.org Signed-off-by: Kees Cook --- fs/afs/internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/afs/internal.h b/fs/afs/internal.h index da73b97e19a9..07433a5349ca 100644 --- a/fs/afs/internal.h +++ b/fs/afs/internal.h @@ -87,7 +87,7 @@ struct afs_addr_list { enum dns_lookup_status status:8; unsigned long failed; /* Mask of addrs that failed locally/ICMP */ unsigned long responded; /* Mask of addrs that responded */ - struct sockaddr_rxrpc addrs[]; + struct sockaddr_rxrpc addrs[] __counted_by(max_addrs); #define AFS_MAX_ADDRESSES ((unsigned int)(sizeof(unsigned long) * 8)) }; -- 2.34.1
[PATCH] NFS/flexfiles: Annotate struct nfs4_ff_layout_segment with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct nfs4_ff_layout_segment. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Trond Myklebust Cc: Anna Schumaker Cc: linux-...@vger.kernel.org Signed-off-by: Kees Cook --- fs/nfs/flexfilelayout/flexfilelayout.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/nfs/flexfilelayout/flexfilelayout.h b/fs/nfs/flexfilelayout/flexfilelayout.h index 354a031c69b1..f84b3fb0 100644 --- a/fs/nfs/flexfilelayout/flexfilelayout.h +++ b/fs/nfs/flexfilelayout/flexfilelayout.h @@ -99,7 +99,7 @@ struct nfs4_ff_layout_segment { u64 stripe_unit; u32 flags; u32 mirror_array_cnt; - struct nfs4_ff_layout_mirror*mirror_array[]; + struct nfs4_ff_layout_mirror*mirror_array[] __counted_by(mirror_array_cnt); }; struct nfs4_flexfile_layout { -- 2.34.1
[PATCH] nfs41: Annotate struct nfs4_file_layout_dsaddr with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct nfs4_file_layout_dsaddr. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Trond Myklebust Cc: Anna Schumaker Cc: "Gustavo A. R. Silva" Cc: linux-...@vger.kernel.org Signed-off-by: Kees Cook --- fs/nfs/filelayout/filelayout.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/nfs/filelayout/filelayout.h b/fs/nfs/filelayout/filelayout.h index aed0748fd6ec..c7bb5da93307 100644 --- a/fs/nfs/filelayout/filelayout.h +++ b/fs/nfs/filelayout/filelayout.h @@ -51,7 +51,7 @@ struct nfs4_file_layout_dsaddr { u32 stripe_count; u8 *stripe_indices; u32 ds_num; - struct nfs4_pnfs_ds *ds_list[]; + struct nfs4_pnfs_ds *ds_list[] __counted_by(ds_num); }; struct nfs4_filelayout_segment { -- 2.34.1
[PATCH] aio: Annotate struct kioctx_table with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct kioctx_table. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Benjamin LaHaise Cc: Alexander Viro Cc: Christian Brauner Cc: linux-...@kvack.org Cc: linux-fsde...@vger.kernel.org Signed-off-by: Kees Cook --- fs/aio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/aio.c b/fs/aio.c index a4c2a6bac72c..f8589caef9c1 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -80,7 +80,7 @@ struct aio_ring { struct kioctx_table { struct rcu_head rcu; unsignednr; - struct kioctx __rcu *table[]; + struct kioctx __rcu *table[] __counted_by(nr); }; struct kioctx_cpu { -- 2.34.1
[PATCH] mtd: rawnand: ingenic: Annotate struct ingenic_nfc with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct ingenic_nfc. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Paul Cercueil Cc: Harvey Hunt Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: linux-m...@vger.kernel.org Cc: linux-...@lists.infradead.org Signed-off-by: Kees Cook --- drivers/mtd/nand/raw/ingenic/ingenic_nand_drv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/ingenic/ingenic_nand_drv.c b/drivers/mtd/nand/raw/ingenic/ingenic_nand_drv.c index 6748226b8bd1..ce9ef4e65597 100644 --- a/drivers/mtd/nand/raw/ingenic/ingenic_nand_drv.c +++ b/drivers/mtd/nand/raw/ingenic/ingenic_nand_drv.c @@ -46,7 +46,7 @@ struct ingenic_nfc { struct nand_controller controller; unsigned int num_banks; struct list_head chips; - struct ingenic_nand_cs cs[]; + struct ingenic_nand_cs cs[] __counted_by(num_banks); }; struct ingenic_nand { -- 2.34.1
[PATCH] udf: Annotate struct udf_bitmap with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct udf_bitmap. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Jan Kara Signed-off-by: Kees Cook --- fs/udf/udf_sb.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/udf/udf_sb.h b/fs/udf/udf_sb.h index 9af6ff7f9747..f9a60bc1abcf 100644 --- a/fs/udf/udf_sb.h +++ b/fs/udf/udf_sb.h @@ -86,7 +86,7 @@ struct udf_virtual_data { struct udf_bitmap { __u32 s_extPosition; int s_nr_groups; - struct buffer_head *s_block_bitmap[]; + struct buffer_head *s_block_bitmap[] __counted_by(s_nr_groups); }; struct udf_part_map { -- 2.34.1
[PATCH] mtd: rawnand: sunxi: Annotate struct sunxi_nand_chip with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct sunxi_nand_chip. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: Chen-Yu Tsai Cc: Jernej Skrabec Cc: Samuel Holland Cc: Manuel Dipolt Cc: linux-...@lists.infradead.org Cc: linux-arm-ker...@lists.infradead.org Cc: linux-su...@lists.linux.dev Signed-off-by: Kees Cook --- drivers/mtd/nand/raw/sunxi_nand.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/sunxi_nand.c b/drivers/mtd/nand/raw/sunxi_nand.c index 9abf38049d35..4ec17c8bce5a 100644 --- a/drivers/mtd/nand/raw/sunxi_nand.c +++ b/drivers/mtd/nand/raw/sunxi_nand.c @@ -197,7 +197,7 @@ struct sunxi_nand_chip { u32 timing_cfg; u32 timing_ctl; int nsels; - struct sunxi_nand_chip_sel sels[]; + struct sunxi_nand_chip_sel sels[] __counted_by(nsels); }; static inline struct sunxi_nand_chip *to_sunxi_nand(struct nand_chip *nand) -- 2.34.1
[PATCH] mtd: rawnand: marvell: Annotate struct marvell_nand_chip with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct marvell_nand_chip. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: linux-...@lists.infradead.org Signed-off-by: Kees Cook --- drivers/mtd/nand/raw/marvell_nand.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/marvell_nand.c b/drivers/mtd/nand/raw/marvell_nand.c index b841a81cb128..a46698744850 100644 --- a/drivers/mtd/nand/raw/marvell_nand.c +++ b/drivers/mtd/nand/raw/marvell_nand.c @@ -348,7 +348,7 @@ struct marvell_nand_chip { int addr_cyc; int selected_die; unsigned int nsels; - struct marvell_nand_chip_sel sels[]; + struct marvell_nand_chip_sel sels[] __counted_by(nsels); }; static inline struct marvell_nand_chip *to_marvell_nand(struct nand_chip *chip) -- 2.34.1
[PATCH] mtd: cfi: Annotate struct cfi_private with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct cfi_private. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: linux-...@lists.infradead.org Signed-off-by: Kees Cook --- include/linux/mtd/cfi.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/mtd/cfi.h b/include/linux/mtd/cfi.h index d88bb56c18e2..947410faf9e2 100644 --- a/include/linux/mtd/cfi.h +++ b/include/linux/mtd/cfi.h @@ -287,7 +287,7 @@ struct cfi_private { unsigned long chipshift; /* Because they're of the same type */ const char *im_name; /* inter_module name for cmdset_setup */ unsigned long quirks; - struct flchip chips[]; /* per-chip data structure for each chip */ + struct flchip chips[] __counted_by(numchips); /* per-chip data structure for each chip */ }; uint32_t cfi_build_cmd_addr(uint32_t cmd_ofs, -- 2.34.1
[PATCH] mtd: rawnand: meson: Annotate struct meson_nfc_nand_chip with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct meson_nfc_nand_chip. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Liang Yang Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: Neil Armstrong Cc: Kevin Hilman Cc: Jerome Brunet Cc: Martin Blumenstingl Cc: linux-...@lists.infradead.org Cc: linux-arm-ker...@lists.infradead.org Cc: linux-amlo...@lists.infradead.org Signed-off-by: Kees Cook --- drivers/mtd/nand/raw/meson_nand.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/meson_nand.c b/drivers/mtd/nand/raw/meson_nand.c index 25e3c1cb605e..378f28ce6a74 100644 --- a/drivers/mtd/nand/raw/meson_nand.c +++ b/drivers/mtd/nand/raw/meson_nand.c @@ -128,7 +128,7 @@ struct meson_nfc_nand_chip { u8 *data_buf; __le64 *info_buf; u32 nsels; - u8 sels[]; + u8 sels[] __counted_by(nsels); }; struct meson_nand_ecc { -- 2.34.1
[PATCH] mtd: rawnand: renesas: Annotate struct rnand_chip with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct rnand_chip. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: linux-...@lists.infradead.org Cc: linux-renesas-...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/mtd/nand/raw/renesas-nand-controller.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/renesas-nand-controller.c b/drivers/mtd/nand/raw/renesas-nand-controller.c index 589021ea9eb2..c9a01feff8df 100644 --- a/drivers/mtd/nand/raw/renesas-nand-controller.c +++ b/drivers/mtd/nand/raw/renesas-nand-controller.c @@ -210,7 +210,7 @@ struct rnand_chip { u32 tim_gen_seq1; u32 tim_gen_seq2; u32 tim_gen_seq3; - struct rnand_chip_sel sels[]; + struct rnand_chip_sel sels[] __counted_by(nsels); }; struct rnandc { -- 2.34.1
[PATCH] mtd: rawnand: atmel: Annotate struct atmel_nand with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct atmel_nand. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Tudor Ambarus Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: Nicolas Ferre Cc: Alexandre Belloni Cc: Claudiu Beznea Cc: linux-...@lists.infradead.org Cc: linux-arm-ker...@lists.infradead.org Signed-off-by: Kees Cook --- drivers/mtd/nand/raw/atmel/nand-controller.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/atmel/nand-controller.c b/drivers/mtd/nand/raw/atmel/nand-controller.c index 3f494f7c7ecb..4cb478bbee4a 100644 --- a/drivers/mtd/nand/raw/atmel/nand-controller.c +++ b/drivers/mtd/nand/raw/atmel/nand-controller.c @@ -165,7 +165,7 @@ struct atmel_nand { struct atmel_pmecc_user *pmecc; struct gpio_desc *cdgpio; int numcs; - struct atmel_nand_cs cs[]; + struct atmel_nand_cs cs[] __counted_by(numcs); }; static inline struct atmel_nand *to_atmel_nand(struct nand_chip *chip) -- 2.34.1
[PATCH] mtd: rawnand: denali: Annotate struct denali_chip with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct denali_chip. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: linux-...@lists.infradead.org Signed-off-by: Kees Cook --- drivers/mtd/nand/raw/denali.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/mtd/nand/raw/denali.h b/drivers/mtd/nand/raw/denali.h index ac46eb7956ce..5f2fab022fc5 100644 --- a/drivers/mtd/nand/raw/denali.h +++ b/drivers/mtd/nand/raw/denali.h @@ -328,7 +328,7 @@ struct denali_chip { struct nand_chip chip; struct list_head node; unsigned int nsels; - struct denali_chip_sel sels[]; + struct denali_chip_sel sels[] __counted_by(nsels); }; /** -- 2.34.1
[PATCH] mtd: Annotate struct lpddr_private with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct lpddr_private. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Miquel Raynal Cc: Richard Weinberger Cc: Vignesh Raghavendra Cc: linux-...@lists.infradead.org Signed-off-by: Kees Cook --- include/linux/mtd/qinfo.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/mtd/qinfo.h b/include/linux/mtd/qinfo.h index 2e3f43788d48..0421f12156b5 100644 --- a/include/linux/mtd/qinfo.h +++ b/include/linux/mtd/qinfo.h @@ -24,7 +24,7 @@ struct lpddr_private { struct qinfo_chip *qinfo; int numchips; unsigned long chipshift; - struct flchip chips[]; + struct flchip chips[] __counted_by(numchips); }; /* qinfo_query_info structure contains request information for -- 2.34.1
[PATCH] leds: qcom-lpg: Annotate struct lpg_led with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct lpg_led. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Pavel Machek Cc: Lee Jones Cc: Bjorn Andersson Cc: "Uwe Kleine-König" Cc: Douglas Anderson Cc: Anjelique Melendez Cc: linux-l...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/leds/rgb/leds-qcom-lpg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/leds/rgb/leds-qcom-lpg.c b/drivers/leds/rgb/leds-qcom-lpg.c index df469aaa7e6e..7d93e02a030a 100644 --- a/drivers/leds/rgb/leds-qcom-lpg.c +++ b/drivers/leds/rgb/leds-qcom-lpg.c @@ -173,7 +173,7 @@ struct lpg_led { struct led_classdev_mc mcdev; unsigned int num_channels; - struct lpg_channel *channels[]; + struct lpg_channel *channels[] __counted_by(num_channels); }; /** -- 2.34.1
[PATCH] leds: mt6370: Annotate struct mt6370_priv with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct mt6370_priv. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Pavel Machek Cc: Lee Jones Cc: Matthias Brugger Cc: AngeloGioacchino Del Regno Cc: Alice Chen Cc: Jacek Anaszewski Cc: ChiYuan Huang Cc: ChiaEn Wu Cc: kernel test robot Cc: linux-l...@vger.kernel.org Cc: linux-arm-ker...@lists.infradead.org Cc: linux-media...@lists.infradead.org Signed-off-by: Kees Cook --- drivers/leds/flash/leds-mt6370-flash.c | 2 +- drivers/leds/rgb/leds-mt6370-rgb.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/leds/flash/leds-mt6370-flash.c b/drivers/leds/flash/leds-mt6370-flash.c index 931067c8a75f..912d9d622320 100644 --- a/drivers/leds/flash/leds-mt6370-flash.c +++ b/drivers/leds/flash/leds-mt6370-flash.c @@ -81,7 +81,7 @@ struct mt6370_priv { unsigned int fled_torch_used; unsigned int leds_active; unsigned int leds_count; - struct mt6370_led leds[]; + struct mt6370_led leds[] __counted_by(leds_count); }; static int mt6370_torch_brightness_set(struct led_classdev *lcdev, enum led_brightness level) diff --git a/drivers/leds/rgb/leds-mt6370-rgb.c b/drivers/leds/rgb/leds-mt6370-rgb.c index bb62431efe83..448d0da11848 100644 --- a/drivers/leds/rgb/leds-mt6370-rgb.c +++ b/drivers/leds/rgb/leds-mt6370-rgb.c @@ -153,7 +153,7 @@ struct mt6370_priv { const struct mt6370_pdata *pdata; unsigned int leds_count; unsigned int leds_active; - struct mt6370_led leds[]; + struct mt6370_led leds[] __counted_by(leds_count); }; static const struct reg_field common_reg_fields[F_MAX_FIELDS] = { -- 2.34.1
[PATCH] leds: lm3697: Annotate struct lm3697 with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct lm3697. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Pavel Machek Cc: Lee Jones Cc: linux-l...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/leds/leds-lm3697.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/leds/leds-lm3697.c b/drivers/leds/leds-lm3697.c index cfb8ac220db6..380d17a58fe9 100644 --- a/drivers/leds/leds-lm3697.c +++ b/drivers/leds/leds-lm3697.c @@ -89,7 +89,7 @@ struct lm3697 { int bank_cfg; int num_banks; - struct lm3697_led leds[]; + struct lm3697_led leds[] __counted_by(num_banks); }; static const struct reg_default lm3697_reg_defs[] = { -- 2.34.1
[PATCH] leds: mt6360: Annotate struct mt6360_priv with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct mt6360_priv. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Pavel Machek Cc: Lee Jones Cc: Matthias Brugger Cc: AngeloGioacchino Del Regno Cc: Gene Chen Cc: Jacek Anaszewski Cc: Andy Shevchenko Cc: linux-l...@vger.kernel.org Cc: linux-arm-ker...@lists.infradead.org Cc: linux-media...@lists.infradead.org Signed-off-by: Kees Cook --- drivers/leds/flash/leds-mt6360.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/leds/flash/leds-mt6360.c b/drivers/leds/flash/leds-mt6360.c index 1af6c5898343..b70dc689b33f 100644 --- a/drivers/leds/flash/leds-mt6360.c +++ b/drivers/leds/flash/leds-mt6360.c @@ -91,7 +91,7 @@ struct mt6360_priv { unsigned int fled_torch_used; unsigned int leds_active; unsigned int leds_count; - struct mt6360_led leds[]; + struct mt6360_led leds[] __counted_by(leds_count); }; static int mt6360_mc_brightness_set(struct led_classdev *lcdev, -- 2.34.1
[PATCH] leds: gpio: Annotate struct gpio_leds_priv with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct gpio_leds_priv. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Pavel Machek Cc: Lee Jones Cc: linux-l...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/leds/leds-gpio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/leds/leds-gpio.c b/drivers/leds/leds-gpio.c index 7bfe40a6bfdd..a6597f0f3eb4 100644 --- a/drivers/leds/leds-gpio.c +++ b/drivers/leds/leds-gpio.c @@ -142,7 +142,7 @@ static int create_gpio_led(const struct gpio_led *template, struct gpio_leds_priv { int num_leds; - struct gpio_led_data leds[]; + struct gpio_led_data leds[] __counted_by(num_leds); }; static struct gpio_leds_priv *gpio_leds_create(struct platform_device *pdev) -- 2.34.1
[PATCH] leds: el15203000: Annotate struct el15203000 with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct el15203000. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Pavel Machek Cc: Lee Jones Cc: linux-l...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/leds/leds-el15203000.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/leds/leds-el15203000.c b/drivers/leds/leds-el15203000.c index 7e7b617bcd56..d40194a3029f 100644 --- a/drivers/leds/leds-el15203000.c +++ b/drivers/leds/leds-el15203000.c @@ -80,7 +80,7 @@ struct el15203000 { struct spi_device *spi; unsigned long delay; size_t count; - struct el15203000_led leds[]; + struct el15203000_led leds[] __counted_by(count); }; #define to_el15203000_led(d) container_of(d, struct el15203000_led, ldev) -- 2.34.1
[PATCH] leds: cr0014114: Annotate struct cr0014114 with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct cr0014114. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Pavel Machek Cc: Lee Jones Cc: linux-l...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/leds/leds-cr0014114.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/leds/leds-cr0014114.c b/drivers/leds/leds-cr0014114.c index b33bca397ea6..c9914fc51f20 100644 --- a/drivers/leds/leds-cr0014114.c +++ b/drivers/leds/leds-cr0014114.c @@ -56,7 +56,7 @@ struct cr0014114 { struct spi_device *spi; u8 *buf; unsigned long delay; - struct cr0014114_ledleds[]; + struct cr0014114_ledleds[] __counted_by(count); }; static void cr0014114_calc_crc(u8 *buf, const size_t len) -- 2.34.1
[PATCH] leds: aw200xx: Annotate struct aw200xx with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct aw200xx. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Pavel Machek Cc: Lee Jones Cc: linux-l...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/leds/leds-aw200xx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/leds/leds-aw200xx.c b/drivers/leds/leds-aw200xx.c index 691a743cc9b0..4d517cace3e7 100644 --- a/drivers/leds/leds-aw200xx.c +++ b/drivers/leds/leds-aw200xx.c @@ -112,7 +112,7 @@ struct aw200xx { struct mutex mutex; u32 num_leds; u32 display_rows; - struct aw200xx_led leds[]; + struct aw200xx_led leds[] __counted_by(num_leds); }; static ssize_t dim_show(struct device *dev, struct device_attribute *devattr, -- 2.34.1
Re: [PATCH 00/21] dmaengine: Annotate with __counted_by
Hi, Just a ping on the series... how do these look to you, Vinod? If you want I can carry them in my tree. Please let me know. Thanks! -Kees On Thu, Aug 17, 2023 at 04:58:37PM -0700, Kees Cook wrote: > Hi, > > This annotates several structures with the coming __counted_by attribute > for bounds checking of flexible arrays at run-time. For more details, see > commit dd06e72e68bc ("Compiler Attributes: Add __counted_by macro"). > > Thanks! > > -Kees > > Kees Cook (21): > dmaengine: apple-admac: Annotate struct admac_data with __counted_by > dmaengine: at_hdmac: Annotate struct at_desc with __counted_by > dmaengine: axi-dmac: Annotate struct axi_dmac_desc with __counted_by > dmaengine: fsl-edma: Annotate struct fsl_edma_desc with __counted_by > dmaengine: hisilicon: Annotate struct hisi_dma_dev with __counted_by > dmaengine: moxart-dma: Annotate struct moxart_desc with __counted_by > dmaengine: qcom: bam_dma: Annotate struct bam_async_desc with > __counted_by > dmaengine: sa11x0: Annotate struct sa11x0_dma_desc with __counted_by > dmaengine: sf-pdma: Annotate struct sf_pdma with __counted_by > dmaengine: sprd: Annotate struct sprd_dma_dev with __counted_by > dmaengine: st_fdma: Annotate struct st_fdma_desc with __counted_by > dmaengine: stm32-dma: Annotate struct stm32_dma_desc with __counted_by > dmaengine: stm32-mdma: Annotate struct stm32_mdma_desc with > __counted_by > dmaengine: stm32-mdma: Annotate struct stm32_mdma_device with > __counted_by > dmaengine: tegra: Annotate struct tegra_dma_desc with __counted_by > dmaengine: tegra210-adma: Annotate struct tegra_adma with __counted_by > dmaengine: ti: edma: Annotate struct edma_desc with __counted_by > dmaengine: ti: omap-dma: Annotate struct omap_desc with __counted_by > dmaengine: uniphier-xdmac: Annotate struct uniphier_xdmac_desc with > __counted_by > dmaengine: uniphier-xdmac: Annotate struct uniphier_xdmac_device with > __counted_by > dmaengine: usb-dmac: Annotate struct usb_dmac_desc with __counted_by > > drivers/dma/apple-admac.c | 2 +- > drivers/dma/at_hdmac.c | 2 +- > drivers/dma/dma-axi-dmac.c | 5 ++--- > drivers/dma/fsl-edma-common.h | 2 +- > drivers/dma/hisi_dma.c | 2 +- > drivers/dma/moxart-dma.c | 5 ++--- > drivers/dma/qcom/bam_dma.c | 2 +- > drivers/dma/sa11x0-dma.c | 6 +++--- > drivers/dma/sf-pdma/sf-pdma.h | 2 +- > drivers/dma/sh/usb-dmac.c | 2 +- > drivers/dma/sprd-dma.c | 2 +- > drivers/dma/st_fdma.h | 2 +- > drivers/dma/stm32-dma.c| 11 --- > drivers/dma/stm32-mdma.c | 9 - > drivers/dma/tegra186-gpc-dma.c | 2 +- > drivers/dma/tegra210-adma.c| 2 +- > drivers/dma/ti/edma.c | 2 +- > drivers/dma/ti/omap-dma.c | 5 ++--- > drivers/dma/uniphier-xdmac.c | 8 > 19 files changed, 33 insertions(+), 40 deletions(-) > > -- > 2.34.1 > -- Kees Cook
[PATCH] wifi: brcmfmac: Annotate struct brcmf_gscan_config with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct brcmf_gscan_config. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Arend van Spriel Cc: Franky Lin Cc: Hante Meuleman Cc: Kalle Valo Cc: "Gustavo A. R. Silva" Cc: Hector Martin Cc: Ryohei Kondo Cc: Hans de Goede Cc: linux-wirel...@vger.kernel.org Cc: brcm80211-dev-list@broadcom.com Cc: sha-cyfmac-dev-l...@infineon.com Signed-off-by: Kees Cook --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h index bece26741d3a..6eef6bc430e2 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h @@ -1209,7 +1209,7 @@ struct brcmf_gscan_config { u8 count_of_channel_buckets; u8 retry_threshold; __le16 lost_ap_window; - struct brcmf_gscan_bucket_config bucket[]; + struct brcmf_gscan_bucket_config bucket[] __counted_by(count_of_channel_buckets); }; /** -- 2.34.1
[PATCH] wifi: ipw2x00: Annotate struct libipw_txb with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct libipw_txb. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Stanislav Yakovlev Cc: Kalle Valo Cc: linux-wirel...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/net/wireless/intel/ipw2x00/libipw.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/ipw2x00/libipw.h b/drivers/net/wireless/intel/ipw2x00/libipw.h index bec7bc273748..9065ca5b0208 100644 --- a/drivers/net/wireless/intel/ipw2x00/libipw.h +++ b/drivers/net/wireless/intel/ipw2x00/libipw.h @@ -488,7 +488,7 @@ struct libipw_txb { u8 reserved; u16 frag_size; u16 payload_size; - struct sk_buff *fragments[]; + struct sk_buff *fragments[] __counted_by(nr_frags); }; /* SWEEP TABLE ENTRIES NUMBER */ -- 2.34.1
[PATCH] wifi: brcmfmac: firmware: Annotate struct brcmf_fw_request with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct brcmf_fw_request. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Arend van Spriel Cc: Franky Lin Cc: Hante Meuleman Cc: Kalle Valo Cc: Matthias Brugger Cc: Hector Martin Cc: "Alvin Šipraga" Cc: Hans de Goede Cc: linux-wirel...@vger.kernel.org Cc: brcm80211-dev-list@broadcom.com Cc: sha-cyfmac-dev-l...@infineon.com Signed-off-by: Kees Cook --- drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.h b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.h index 1266cbaee072..4002d326fd21 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.h +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.h @@ -69,7 +69,7 @@ struct brcmf_fw_request { u16 bus_nr; u32 n_items; const char *board_types[BRCMF_FW_MAX_BOARD_TYPES]; - struct brcmf_fw_item items[]; + struct brcmf_fw_item items[] __counted_by(n_items); }; struct brcmf_fw_name { -- 2.34.1
[PATCH] wifi: mt76: Annotate struct mt76_rx_tid with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct mt76_rx_tid. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Felix Fietkau Cc: Lorenzo Bianconi Cc: Ryder Lee Cc: Shayne Chen Cc: Sean Wang Cc: Kalle Valo Cc: Matthias Brugger Cc: AngeloGioacchino Del Regno Cc: linux-wirel...@vger.kernel.org Cc: linux-arm-ker...@lists.infradead.org Cc: linux-media...@lists.infradead.org Signed-off-by: Kees Cook --- drivers/net/wireless/mediatek/mt76/mt76.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h index e8757865a3d0..03ef617b1527 100644 --- a/drivers/net/wireless/mediatek/mt76/mt76.h +++ b/drivers/net/wireless/mediatek/mt76/mt76.h @@ -376,7 +376,7 @@ struct mt76_rx_tid { u8 started:1, stopped:1, timer_pending:1; - struct sk_buff *reorder_buf[]; + struct sk_buff *reorder_buf[] __counted_by(size); }; #define MT_TX_CB_DMA_DONE BIT(0) -- 2.34.1
[PATCH] wifi: wcn36xx: Annotate struct wcn36xx_hal_ind_msg with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct wcn36xx_hal_ind_msg. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Loic Poulain Cc: Kalle Valo Cc: wcn3...@lists.infradead.org Cc: linux-wirel...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/net/wireless/ath/wcn36xx/smd.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/wcn36xx/smd.h b/drivers/net/wireless/ath/wcn36xx/smd.h index cf15cde2a364..2c1ed9e570bf 100644 --- a/drivers/net/wireless/ath/wcn36xx/smd.h +++ b/drivers/net/wireless/ath/wcn36xx/smd.h @@ -47,7 +47,7 @@ struct wcn36xx_fw_msg_status_rsp { struct wcn36xx_hal_ind_msg { struct list_head list; size_t msg_len; - u8 msg[]; + u8 msg[] __counted_by(msg_len); }; struct wcn36xx; -- 2.34.1
[PATCH] md/md-linear: Annotate struct linear_conf with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct linear_conf. Additionally, since the element count member must be set before accessing the annotated flexible array member, move its initialization earlier. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Song Liu Cc: linux-r...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/md/md-linear.c | 26 +- drivers/md/md-linear.h | 2 +- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/drivers/md/md-linear.c b/drivers/md/md-linear.c index 71ac99646827..ae2826e9645b 100644 --- a/drivers/md/md-linear.c +++ b/drivers/md/md-linear.c @@ -69,6 +69,19 @@ static struct linear_conf *linear_conf(struct mddev *mddev, int raid_disks) if (!conf) return NULL; + /* +* conf->raid_disks is copy of mddev->raid_disks. The reason to +* keep a copy of mddev->raid_disks in struct linear_conf is, +* mddev->raid_disks may not be consistent with pointers number of +* conf->disks[] when it is updated in linear_add() and used to +* iterate old conf->disks[] earray in linear_congested(). +* Here conf->raid_disks is always consitent with number of +* pointers in conf->disks[] array, and mddev->private is updated +* with rcu_assign_pointer() in linear_addr(), such race can be +* avoided. +*/ + conf->raid_disks = raid_disks; + cnt = 0; conf->array_sectors = 0; @@ -112,19 +125,6 @@ static struct linear_conf *linear_conf(struct mddev *mddev, int raid_disks) conf->disks[i-1].end_sector + conf->disks[i].rdev->sectors; - /* -* conf->raid_disks is copy of mddev->raid_disks. The reason to -* keep a copy of mddev->raid_disks in struct linear_conf is, -* mddev->raid_disks may not be consistent with pointers number of -* conf->disks[] when it is updated in linear_add() and used to -* iterate old conf->disks[] earray in linear_congested(). -* Here conf->raid_disks is always consitent with number of -* pointers in conf->disks[] array, and mddev->private is updated -* with rcu_assign_pointer() in linear_addr(), such race can be -* avoided. -*/ - conf->raid_disks = raid_disks; - return conf; out: diff --git a/drivers/md/md-linear.h b/drivers/md/md-linear.h index 24e97db50ebb..5587eeedb882 100644 --- a/drivers/md/md-linear.h +++ b/drivers/md/md-linear.h @@ -12,6 +12,6 @@ struct linear_conf struct rcu_head rcu; sector_tarray_sectors; int raid_disks; /* a copy of mddev->raid_disks */ - struct dev_info disks[]; + struct dev_info disks[] __counted_by(raid_disks); }; #endif -- 2.34.1
[PATCH] usb: gadget: f_midi: Annotate struct f_midi with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct f_midi. Additionally, since the element count member must be set before accessing the annotated flexible array member, move its initialization earlier. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Greg Kroah-Hartman Cc: John Keeping Cc: Peter Chen Cc: Hulk Robot Cc: Allen Pais Cc: Will McVicker Cc: Davidlohr Bueso Cc: Zhang Qilong Cc: linux-...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/usb/gadget/function/f_midi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c index 2d02f25f9597..033e347554db 100644 --- a/drivers/usb/gadget/function/f_midi.c +++ b/drivers/usb/gadget/function/f_midi.c @@ -99,7 +99,7 @@ struct f_midi { unsigned int in_last_port; unsigned char free_ref; - struct gmidi_in_portin_ports_array[/* in_ports */]; + struct gmidi_in_portin_ports_array[] __counted_by(in_ports); }; static inline struct f_midi *func_to_midi(struct usb_function *f) @@ -1349,6 +1349,7 @@ static struct usb_function *f_midi_alloc(struct usb_function_instance *fi) status = -ENOMEM; goto setup_fail; } + midi->in_ports = opts->in_ports; for (i = 0; i < opts->in_ports; i++) midi->in_ports_array[i].cable = i; @@ -1359,7 +1360,6 @@ static struct usb_function *f_midi_alloc(struct usb_function_instance *fi) status = -ENOMEM; goto midi_free; } - midi->in_ports = opts->in_ports; midi->out_ports = opts->out_ports; midi->index = opts->index; midi->buflen = opts->buflen; -- 2.34.1
[PATCH] usb: gadget: f_fs: Annotate struct ffs_buffer with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct ffs_buffer. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Greg Kroah-Hartman Cc: John Keeping Cc: Udipto Goswami Cc: Linyu Yuan Cc: linux-...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/usb/gadget/function/f_fs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 6e9ef35a43a7..af400d083777 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -202,7 +202,7 @@ struct ffs_epfile { struct ffs_buffer { size_t length; char *data; - char storage[]; + char storage[] __counted_by(length); }; /* ffs_io_data structure ***/ -- 2.34.1
[PATCH] usb: Annotate struct urb_priv with __counted_by
Prepare for the coming implementation by GCC and Clang of the __counted_by attribute. Flexible array members annotated with __counted_by can have their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family functions). As found with Coccinelle[1], add __counted_by for struct urb_priv. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Alan Stern Cc: Greg Kroah-Hartman Cc: Mathias Nyman Cc: linux-...@vger.kernel.org Signed-off-by: Kees Cook --- drivers/usb/host/ohci.h | 2 +- drivers/usb/host/xhci.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/usb/host/ohci.h b/drivers/usb/host/ohci.h index aac6285b37f8..1aba22784e05 100644 --- a/drivers/usb/host/ohci.h +++ b/drivers/usb/host/ohci.h @@ -337,7 +337,7 @@ typedef struct urb_priv { u16 length; // # tds in this request u16 td_cnt; // tds already serviced struct list_headpending; - struct td *td[]; // all TDs in this request + struct td *td[] __counted_by(length); // all TDs in this request } urb_priv_t; diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h index 7e282b4522c0..2f21c3a8565c 100644 --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -1666,7 +1666,7 @@ struct xhci_scratchpad { struct urb_priv { int num_tds; int num_tds_done; - struct xhci_td td[]; + struct xhci_td td[] __counted_by(num_tds); }; /* -- 2.34.1
Re: [PATCH][next] net: spider_net: Use size_add() in call to struct_size()
On Fri, Sep 15, 2023 at 01:25:36PM -0600, Gustavo A. R. Silva wrote: > If, for any reason, the open-coded arithmetic causes a wraparound, > the protection that `struct_size()` adds against potential integer > overflows is defeated. Fix this by hardening call to `struct_size()` > with `size_add()`. > > Fixes: 3f1071ec39f7 ("net: spider_net: Use struct_size() helper") > Signed-off-by: Gustavo A. R. Silva Reviewed-by: Kees Cook -- Kees Cook
Re: [PATCH][next] tipc: Use size_add() in calls to struct_size()
On Fri, Sep 15, 2023 at 01:16:26PM -0600, Gustavo A. R. Silva wrote: > If, for any reason, the open-coded arithmetic causes a wraparound, > the protection that `struct_size()` adds against potential integer > overflows is defeated. Fix this by hardening call to `struct_size()` > with `size_add()`. > > Fixes: e034c6d23bc4 ("tipc: Use struct_size() helper") > Signed-off-by: Gustavo A. R. Silva Reviewed-by: Kees Cook -- Kees Cook
Re: [PATCH][next] usb: atm: Use size_add() in call to struct_size()
On Fri, Sep 15, 2023 at 01:20:14PM -0600, Gustavo A. R. Silva wrote: > If, for any reason, the open-coded arithmetic causes a wraparound, > the protection that `struct_size()` adds against potential integer > overflows is defeated. Fix this by hardening call to `struct_size()` > with `size_add()`. > > Fixes: b626871a7cda ("usb: atm: Use struct_size() helper") > Signed-off-by: Gustavo A. R. Silva Reviewed-by: Kees Cook -- Kees Cook
Re: [PATCH][next] tls: Use size_add() in call to struct_size()
On Fri, Sep 15, 2023 at 01:12:38PM -0600, Gustavo A. R. Silva wrote: > If, for any reason, the open-coded arithmetic causes a wraparound, > the protection that `struct_size()` adds against potential integer > overflows is defeated. Fix this by hardening call to `struct_size()` > with `size_add()`. > > Fixes: b89fec54fd61 ("tls: rx: wrap decrypt params in a struct") > Signed-off-by: Gustavo A. R. Silva Reviewed-by: Kees Cook -- Kees Cook
Re: [PATCH][next] mlxsw: Use size_mul() in call to struct_size()
On Fri, Sep 15, 2023 at 01:01:23PM -0600, Gustavo A. R. Silva wrote: > If, for any reason, the open-coded arithmetic causes a wraparound, the > protection that `struct_size()` adds against potential integer overflows > is defeated. Fix this by hardening call to `struct_size()` with `size_mul()`. > > Fixes: 2285ec872d9d ("mlxsw: spectrum_acl_bloom_filter: use struct_size() in > kzalloc()") > Signed-off-by: Gustavo A. R. Silva Reviewed-by: Kees Cook -- Kees Cook
[PATCH][next] net: spider_net: Use size_add() in call to struct_size()
If, for any reason, the open-coded arithmetic causes a wraparound, the protection that `struct_size()` adds against potential integer overflows is defeated. Fix this by hardening call to `struct_size()` with `size_add()`. Fixes: 3f1071ec39f7 ("net: spider_net: Use struct_size() helper") Signed-off-by: Gustavo A. R. Silva --- drivers/net/ethernet/toshiba/spider_net.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/toshiba/spider_net.c b/drivers/net/ethernet/toshiba/spider_net.c index 50d7eacfec58..87e67121477c 100644 --- a/drivers/net/ethernet/toshiba/spider_net.c +++ b/drivers/net/ethernet/toshiba/spider_net.c @@ -2332,7 +2332,7 @@ spider_net_alloc_card(void) struct spider_net_card *card; netdev = alloc_etherdev(struct_size(card, darray, - tx_descriptors + rx_descriptors)); + size_add(tx_descriptors, rx_descriptors))); if (!netdev) return NULL; -- 2.34.1
[PATCH][next] usb: atm: Use size_add() in call to struct_size()
If, for any reason, the open-coded arithmetic causes a wraparound, the protection that `struct_size()` adds against potential integer overflows is defeated. Fix this by hardening call to `struct_size()` with `size_add()`. Fixes: b626871a7cda ("usb: atm: Use struct_size() helper") Signed-off-by: Gustavo A. R. Silva --- drivers/usb/atm/usbatm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/usb/atm/usbatm.c b/drivers/usb/atm/usbatm.c index 1cdb8758ae01..2da6615fbb6f 100644 --- a/drivers/usb/atm/usbatm.c +++ b/drivers/usb/atm/usbatm.c @@ -1018,7 +1018,8 @@ int usbatm_usb_probe(struct usb_interface *intf, const struct usb_device_id *id, size_t size; /* instance init */ - size = struct_size(instance, urbs, num_rcv_urbs + num_snd_urbs); + size = struct_size(instance, urbs, + size_add(num_rcv_urbs, num_snd_urbs)); instance = kzalloc(size, GFP_KERNEL); if (!instance) return -ENOMEM; -- 2.34.1
[PATCH][next] tipc: Use size_add() in calls to struct_size()
If, for any reason, the open-coded arithmetic causes a wraparound, the protection that `struct_size()` adds against potential integer overflows is defeated. Fix this by hardening call to `struct_size()` with `size_add()`. Fixes: e034c6d23bc4 ("tipc: Use struct_size() helper") Signed-off-by: Gustavo A. R. Silva --- net/tipc/link.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/tipc/link.c b/net/tipc/link.c index e33b4f29f77c..d0143823658d 100644 --- a/net/tipc/link.c +++ b/net/tipc/link.c @@ -1446,7 +1446,7 @@ u16 tipc_get_gap_ack_blks(struct tipc_gap_ack_blks **ga, struct tipc_link *l, p = (struct tipc_gap_ack_blks *)msg_data(hdr); sz = ntohs(p->len); /* Sanity check */ - if (sz == struct_size(p, gacks, p->ugack_cnt + p->bgack_cnt)) { + if (sz == struct_size(p, gacks, size_add(p->ugack_cnt, p->bgack_cnt))) { /* Good, check if the desired type exists */ if ((uc && p->ugack_cnt) || (!uc && p->bgack_cnt)) goto ok; @@ -1533,7 +1533,7 @@ static u16 tipc_build_gap_ack_blks(struct tipc_link *l, struct tipc_msg *hdr) __tipc_build_gap_ack_blks(ga, l, ga->bgack_cnt) : 0; /* Total len */ - len = struct_size(ga, gacks, ga->bgack_cnt + ga->ugack_cnt); + len = struct_size(ga, gacks, size_add(ga->bgack_cnt, ga->ugack_cnt)); ga->len = htons(len); return len; } -- 2.34.1
Re: [PATCH][next] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
On Fri, Sep 15, 2023 at 01:09:11PM -0600, Gustavo A. R. Silva wrote: > If, for any reason, the open-coded arithmetic causes a wraparound, > the protection that `struct_size()` adds against potential integer > overflows is defeated. Fix this by hardening call to `struct_size()` > with `size_add()`. > > Fixes: f9efae954905 ("ASoC: SOF: ipc4-topology: Add support for base config > extension") > Signed-off-by: Gustavo A. R. Silva Reviewed-by: Kees Cook -- Kees Cook
Re: [PATCH v3 1/2] uapi: fix __DECLARE_FLEX_ARRAY for C++
On Tue, Sep 12, 2023 at 07:22:24PM +0300, Alexey Dobriyan wrote: > __DECLARE_FLEX_ARRAY(T, member) macro expands to > > struct { > struct {} __empty_member; > T member[]; > }; > > which is subtly wrong in C++ because sizeof(struct{}) is 1 not 0, > changing UAPI structures layouts. Looking at this again just now, what about using a 0-length array instead of an anonymous struct? https://godbolt.org/z/rGaxPWjef Then we don't need an #ifdef at all... struct { int __empty_member[0]; T member[]; }; -Kees -- Kees Cook
[PATCH][next] tls: Use size_add() in call to struct_size()
If, for any reason, the open-coded arithmetic causes a wraparound, the protection that `struct_size()` adds against potential integer overflows is defeated. Fix this by hardening call to `struct_size()` with `size_add()`. Fixes: b89fec54fd61 ("tls: rx: wrap decrypt params in a struct") Signed-off-by: Gustavo A. R. Silva --- net/tls/tls_sw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index d1fc295b83b5..270712b8d391 100644 --- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -1487,7 +1487,7 @@ static int tls_decrypt_sg(struct sock *sk, struct iov_iter *out_iov, */ aead_size = sizeof(*aead_req) + crypto_aead_reqsize(ctx->aead_recv); aead_size = ALIGN(aead_size, __alignof__(*dctx)); - mem = kmalloc(aead_size + struct_size(dctx, sg, n_sgin + n_sgout), + mem = kmalloc(aead_size + struct_size(dctx, sg, size_add(n_sgin, n_sgout)), sk->sk_allocation); if (!mem) { err = -ENOMEM; -- 2.34.1
[PATCH][next] ASoC: SOF: ipc4-topology: Use size_add() in call to struct_size()
If, for any reason, the open-coded arithmetic causes a wraparound, the protection that `struct_size()` adds against potential integer overflows is defeated. Fix this by hardening call to `struct_size()` with `size_add()`. Fixes: f9efae954905 ("ASoC: SOF: ipc4-topology: Add support for base config extension") Signed-off-by: Gustavo A. R. Silva --- sound/soc/sof/ipc4-topology.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sound/soc/sof/ipc4-topology.c b/sound/soc/sof/ipc4-topology.c index f2a30cd31378..2a19dd022aaf 100644 --- a/sound/soc/sof/ipc4-topology.c +++ b/sound/soc/sof/ipc4-topology.c @@ -895,7 +895,8 @@ static int sof_ipc4_widget_setup_comp_process(struct snd_sof_widget *swidget) if (process->init_config == SOF_IPC4_MODULE_INIT_CONFIG_TYPE_BASE_CFG_WITH_EXT) { struct sof_ipc4_base_module_cfg_ext *base_cfg_ext; u32 ext_size = struct_size(base_cfg_ext, pin_formats, - swidget->num_input_pins + swidget->num_output_pins); + size_add(swidget->num_input_pins, + swidget->num_output_pins)); base_cfg_ext = kzalloc(ext_size, GFP_KERNEL); if (!base_cfg_ext) { -- 2.34.1
[PATCH][next] mlxsw: Use size_mul() in call to struct_size()
If, for any reason, the open-coded arithmetic causes a wraparound, the protection that `struct_size()` adds against potential integer overflows is defeated. Fix this by hardening call to `struct_size()` with `size_mul()`. Fixes: 2285ec872d9d ("mlxsw: spectrum_acl_bloom_filter: use struct_size() in kzalloc()") Signed-off-by: Gustavo A. R. Silva --- drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_bloom_filter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_bloom_filter.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_bloom_filter.c index e2aced7ab454..95f63fcf4ba1 100644 --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_bloom_filter.c +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl_bloom_filter.c @@ -496,7 +496,7 @@ mlxsw_sp_acl_bf_init(struct mlxsw_sp *mlxsw_sp, unsigned int num_erp_banks) * is 2^ACL_MAX_BF_LOG */ bf_bank_size = 1 << MLXSW_CORE_RES_GET(mlxsw_sp->core, ACL_MAX_BF_LOG); - bf = kzalloc(struct_size(bf, refcnt, bf_bank_size * num_erp_banks), + bf = kzalloc(struct_size(bf, refcnt, size_mul(bf_bank_size, num_erp_banks)), GFP_KERNEL); if (!bf) return ERR_PTR(-ENOMEM); -- 2.34.1
Re: [PATCH][next] gve: Use size_add() in call to struct_size()
On Fri, Sep 15, 2023 at 12:17:49PM -0600, Gustavo A. R. Silva wrote: > If, for any reason, `tx_stats_num + rx_stats_num` wraps around, the > protection that struct_size() adds against potential integer overflows > is defeated. Fix this by hardening call to struct_size() with size_add(). > > Fixes: 691f4077d560 ("gve: Replace zero-length array with flexible-array > member") > Signed-off-by: Gustavo A. R. Silva Thanks, yes, this will maintain SIZE_MAX saturation if it happens. Reviewed-by: Kees Cook -- Kees Cook
Re: [PATCH v4 00/18] Add Cgroup support for SGX EPC memory
On Tue, Sep 12, 2023 at 09:06:17PM -0700, Haitao Huang wrote: > SGX EPC memory allocations are separate from normal RAM allocations, and > are managed solely by the SGX subsystem. The existing cgroup memory > controller cannot be used to limit or account for SGX EPC memory, which is > a desirable feature in some environments, e.g., support for pod level > control in a Kubernates cluster on a VM or baremetal host [1,2]. > > This patchset implements the support for sgx_epc memory within the misc > cgroup controller. The user can use the misc cgroup controller to set and > enforce a max limit on total EPC usage per cgroup. The implementation > reports current usage and events of reaching the limit per cgroup as well > as the total system capacity. Minor nit aside, it looks fine from cgroup side. Thanks. -- tejun
[PATCH][next] gve: Use size_add() in call to struct_size()
If, for any reason, `tx_stats_num + rx_stats_num` wraps around, the protection that struct_size() adds against potential integer overflows is defeated. Fix this by hardening call to struct_size() with size_add(). Fixes: 691f4077d560 ("gve: Replace zero-length array with flexible-array member") Signed-off-by: Gustavo A. R. Silva --- drivers/net/ethernet/google/gve/gve_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/google/gve/gve_main.c b/drivers/net/ethernet/google/gve/gve_main.c index 5704b5f57cd0..83b09dcfafc4 100644 --- a/drivers/net/ethernet/google/gve/gve_main.c +++ b/drivers/net/ethernet/google/gve/gve_main.c @@ -190,7 +190,7 @@ static int gve_alloc_stats_report(struct gve_priv *priv) rx_stats_num = (GVE_RX_STATS_REPORT_NUM + NIC_RX_STATS_REPORT_NUM) * priv->rx_cfg.num_queues; priv->stats_report_len = struct_size(priv->stats_report, stats, -tx_stats_num + rx_stats_num); +size_add(tx_stats_num, rx_stats_num)); priv->stats_report = dma_alloc_coherent(&priv->pdev->dev, priv->stats_report_len, &priv->stats_report_bus, GFP_KERNEL); -- 2.34.1
Re: [PATCH v2][next] RDMA/core: Use size_{add,mul}() in calls to struct_size()
On 9/14/23 21:29, Kees Cook wrote: On Mon, Sep 11, 2023 at 05:27:59PM -0600, Gustavo A. R. Silva wrote: Harden calls to struct_size() with size_add() and size_mul(). Specifically, make sure that open-coded arithmetic cannot cause an overflow/wraparound. (i.e. it will stay saturated at SIZE_MAX.) Yep; I have another patch where I explain this in similar terms. I'll send it, shortly. Fixes: 467f432a521a ("RDMA/core: Split port and device counter sysfs attributes") Fixes: a4676388e2e2 ("RDMA/core: Simplify how the gid_attrs sysfs is created") Signed-off-by: Gustavo A. R. Silva Reviewed-by: Kees Cook Thanks! -- Gustavo -Kees --- Changes in v2: - Update changelog text: remove the part about binary differences (it was added by mistake). drivers/infiniband/core/sysfs.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/infiniband/core/sysfs.c b/drivers/infiniband/core/sysfs.c index ee59d7391568..ec5efdc16660 100644 --- a/drivers/infiniband/core/sysfs.c +++ b/drivers/infiniband/core/sysfs.c @@ -903,7 +903,7 @@ alloc_hw_stats_device(struct ib_device *ibdev) * Two extra attribue elements here, one for the lifespan entry and * one to NULL terminate the list for the sysfs core code */ - data = kzalloc(struct_size(data, attrs, stats->num_counters + 1), + data = kzalloc(struct_size(data, attrs, size_add(stats->num_counters, 1)), GFP_KERNEL); if (!data) goto err_free_stats; @@ -1009,7 +1009,7 @@ alloc_hw_stats_port(struct ib_port *port, struct attribute_group *group) * Two extra attribue elements here, one for the lifespan entry and * one to NULL terminate the list for the sysfs core code */ - data = kzalloc(struct_size(data, attrs, stats->num_counters + 1), + data = kzalloc(struct_size(data, attrs, size_add(stats->num_counters, 1)), GFP_KERNEL); if (!data) goto err_free_stats; @@ -1140,7 +1140,7 @@ static int setup_gid_attrs(struct ib_port *port, int ret; gid_attr_group = kzalloc(struct_size(gid_attr_group, attrs_list, -attr->gid_tbl_len * 2), +size_mul(attr->gid_tbl_len, 2)), GFP_KERNEL); if (!gid_attr_group) return -ENOMEM; @@ -1205,8 +1205,8 @@ static struct ib_port *setup_port(struct ib_core_device *coredev, int port_num, int ret; p = kvzalloc(struct_size(p, attrs_list, - attr->gid_tbl_len + attr->pkey_tbl_len), - GFP_KERNEL); + size_add(attr->gid_tbl_len, attr->pkey_tbl_len)), +GFP_KERNEL); if (!p) return ERR_PTR(-ENOMEM); p->ibdev = device; -- 2.34.1
Re: [PATCH v4 01/18] cgroup/misc: Add per resource callbacks for CSS events
On Fri, Sep 15, 2023 at 07:55:45AM -1000, Tejun Heo wrote: > On Tue, Sep 12, 2023 at 09:06:18PM -0700, Haitao Huang wrote: > > @@ -37,6 +37,11 @@ struct misc_res { > > u64 max; > > atomic64_t usage; > > atomic64_t events; > > + > > + /* per resource callback ops */ > > + int (*misc_cg_alloc)(struct misc_cg *cg); > > + void (*misc_cg_free)(struct misc_cg *cg); > > + void (*misc_cg_max_write)(struct misc_cg *cg); > > A nit about naming. These are already in misc_res and cgroup_ and cgrp_ > prefixes are a lot more common. So, maybe go for sth like cgrp_alloc? Ah, never mind about the prefix part. misc is using cg_ prefix widely already. Thanks. -- tejun
Re: [PATCH v4 01/18] cgroup/misc: Add per resource callbacks for CSS events
On Tue, Sep 12, 2023 at 09:06:18PM -0700, Haitao Huang wrote: > @@ -37,6 +37,11 @@ struct misc_res { > u64 max; > atomic64_t usage; > atomic64_t events; > + > + /* per resource callback ops */ > + int (*misc_cg_alloc)(struct misc_cg *cg); > + void (*misc_cg_free)(struct misc_cg *cg); > + void (*misc_cg_max_write)(struct misc_cg *cg); A nit about naming. These are already in misc_res and cgroup_ and cgrp_ prefixes are a lot more common. So, maybe go for sth like cgrp_alloc? Thanks. -- tejun
Re: [PATCH] firmware: ti_sci: refactor deprecated strncpy
On Fri, Sep 15, 2023 at 07:40:38AM -0500, Nishanth Menon wrote: > On 21:03-20230914, Kees Cook wrote: > > On Wed, Sep 13, 2023 at 08:23:02PM +, Justin Stitt wrote: > > > `strncpy` is deprecated for use on NUL-terminated destination strings [1]. > > > > > > We should prefer more robust and less ambiguous string interfaces. > > > > > > A suitable replacement is `strscpy` [2] due to the fact that it guarantees > > > NUL-termination on the destination buffer. > > > > > > It does not seem like `ver->firmware_description` requires NUL-padding > > > (which is a behavior that strncpy provides) but if it does let's opt for > > > `strscpy_pad()`. > > > > > > Link: > > > https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings > > > [1] > > > Link: > > > https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html [2] > > > Link: https://github.com/KSPP/linux/issues/90 > > > Cc: linux-harden...@vger.kernel.org > > > Signed-off-by: Justin Stitt > > > > Looks right to me. > > > > Reviewed-by: Kees Cook > > Does this belong to stable as well? If so, please add appropriate stable > process. No need. This is a refactoring only. :) -- Kees Cook
Re: [PATCH v3] libnvdimm/of_pmem: Use devm_kstrdup instead of kstrdup and check its return value
Chen Ni wrote: > Use devm_kstrdup() instead of kstrdup() and check its return value to > avoid memory leak. > > Fixes: 49bddc73d15c ("libnvdimm/of_pmem: Provide a unique name for bus > provider") > Signed-off-by: Chen Ni Reviewed-by: Ira Weiny > --- > Changelog: > > v2 -> v3: > > 1. Use devm_kstrdup() instead of kstrdup() > > v1 -> v2: > > 1. Add a fixes tag. > 2. Update commit message. > --- > drivers/nvdimm/of_pmem.c | 8 +++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/drivers/nvdimm/of_pmem.c b/drivers/nvdimm/of_pmem.c > index 1b9f5b8a6167..5765674b36f2 100644 > --- a/drivers/nvdimm/of_pmem.c > +++ b/drivers/nvdimm/of_pmem.c > @@ -30,7 +30,13 @@ static int of_pmem_region_probe(struct platform_device > *pdev) > if (!priv) > return -ENOMEM; > > - priv->bus_desc.provider_name = kstrdup(pdev->name, GFP_KERNEL); > + priv->bus_desc.provider_name = devm_kstrdup(&pdev->dev, pdev->name, > + GFP_KERNEL); > + if (!priv->bus_desc.provider_name) { > + kfree(priv); > + return -ENOMEM; > + } > + > priv->bus_desc.module = THIS_MODULE; > priv->bus_desc.of_node = np; > > -- > 2.25.1 >
Re: [PATCH] printk: add cpu id information to printk() output
On Fri 2023-09-15 11:53:13, Greg KH wrote: > On Fri, Sep 15, 2023 at 04:46:02PM +0800, Enlin Mu wrote: > > John Ogness 于2023年9月15日周五 16:34写道: > > > > > > On 2023-09-15, Enlin Mu wrote: > > > > Sometimes we want to print cpu id of printk() messages to consoles > > > > > > > > diff --git a/include/linux/threads.h b/include/linux/threads.h > > > > index c34173e6c5f1..6700bd9a174f 100644 > > > > --- a/include/linux/threads.h > > > > +++ b/include/linux/threads.h > > > > @@ -34,6 +34,9 @@ > > > > #define PID_MAX_LIMIT (CONFIG_BASE_SMALL ? PAGE_SIZE * 8 : \ > > > > (sizeof(long) > 4 ? 4 * 1024 * 1024 : PID_MAX_DEFAULT)) > > > > > > > > +#define CPU_ID_SHIFT 23 > > > > +#define CPU_ID_MASK 0xff80 > > > > > > This only supports 256 CPUs. I think it doesn't make sense to try to > > > squish CPU and Task IDs into 32 bits. > > Yes, it is not good way, > > > > > > What about introducing a caller_id option to always only print the CPU > > > ID? Or do you really need Task _and_ CPU? > >Yes, I need it.Because I need to know which CPU is printing the > > log, so that I can identify the current system operation, such as load > > situation and CPU busy/idle status > > The cpu that is printing the log isn't the one that added the log > message, so I think you will have incorrect data here, right? We already store some metadata about the caller: * All fields are set by the printk code except for @seq, which is * set by the ringbuffer code. */ struct printk_info { u64 seq;/* sequence number */ u64 ts_nsec;/* timestamp in nanoseconds */ u16 text_len; /* length of text message */ u8 facility; /* syslog facility */ u8 flags:5;/* internal record flags */ u8 level:3;/* syslog level */ u32 caller_id; /* thread id or processor id */ struct dev_printk_info dev_info; }; The 32-bit caller ID is generated using: static inline u32 printk_caller_id(void) { return in_task() ? task_pid_nr(current) : 0x8000 + smp_processor_id(); } We could add more metadata and always store the CPU ID and something like: [CTXT][ Tpid][ Ccpu] for example [TASK][ T234][C4] [ IRQ][ T4567][ C17] [SIRQ][T5][C0] [ NMI][ T356][ C128] The biggest problem is that it would change the format of the ringbuffer so that it would require updating external tools, working with crashdump, especially crash but there are also alternative python extensions for gdb. See below POC of the kernel part. It is not even compile tested. The size of the buffers is updated by a guess. Comments are not updated, ... diff --git a/kernel/printk/internal.h b/kernel/printk/internal.h index 7d4979d5c3ce..e3e0a9fdc0cf 100644 --- a/kernel/printk/internal.h +++ b/kernel/printk/internal.h @@ -15,7 +15,7 @@ int devkmsg_sysctl_set_loglvl(struct ctl_table *table, int write, #ifdef CONFIG_PRINTK #ifdef CONFIG_PRINTK_CALLER -#define PRINTK_PREFIX_MAX 48 +#define PRINTK_PREFIX_MAX 64 #else #define PRINTK_PREFIX_MAX 32 #endif diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c index 7e0b4dd02398..bb393ccbd5e9 100644 --- a/kernel/printk/printk.c +++ b/kernel/printk/printk.c @@ -621,16 +621,20 @@ static void append_char(char **pp, char *e, char c) *(*pp)++ = c; } +char printk_caller_ctxt_txt[][] = { "TSK", "IRQ", "SIRQ", "NMI"' }; + static ssize_t info_print_ext_header(char *buf, size_t size, struct printk_info *info) { u64 ts_usec = info->ts_nsec; - char caller[20]; + char caller[40]; #ifdef CONFIG_PRINTK_CALLER - u32 id = info->caller_id; + struct printk_caller_info *ci = info->caller_info; - snprintf(caller, sizeof(caller), ",caller=%c%u", -id & 0x8000 ? 'C' : 'T', id & ~0x8000); + snprintf(caller, sizeof(caller), +",caller.ctxt=%s,caller.pid=%d,caller.cpu=%d", +printk_caller_ctxt_txt[ci->ctxt], +ci->pid,ci->cpu); #else caller[0] = '\0'; #endif @@ -996,11 +1000,16 @@ void log_buf_vmcoreinfo_setup(void) VMCOREINFO_OFFSET(prb_data_blk_lpos, begin); VMCOREINFO_OFFSET(prb_data_blk_lpos, next); + VMCOREINFO_STRUCT_SIZE(printk_caller_info); + VMCOREINFO_OFFSET(printk_caller_info, ctxt); + VMCOREINFO_OFFSET(printk_caller_info, cpu); + VMCOREINFO_OFFSET(printk_caller_info, pid); + VMCOREINFO_STRUCT_SIZE(printk_info); VMCOREINFO_OFFSET(printk_info, seq); VMCOREINFO_OFFSET(printk_info, ts_nsec); VMCOREINFO_OFFSET(printk_info, text_len); - VMCOREINFO_OFFSET(printk_info, caller_id); + VMCOREINFO_OFFSET(printk_info, caller_info); VMCOREINFO_OFFSET(printk_info, dev_info); VMCOREINFO_STRUCT_SIZE(dev_printk_info); @@ -,7 +1120,7 @@ static unsigned int __init a