Some structures contain flexible arrays at the end and the counter for
them, but the counter has explicit Endianness and thus __counted_by()
can't be used directly.
To increase test coverage for potential problems without breaking
anything, introduce __counted_by_{le,be}() defined depending on
platform's Endianness to either __counted_by() when applicable or noop
otherwise.
Maybe it would be a good idea to introduce such attributes on compiler
level if possible, but for now let's stop on what we have.
Acked-by: Kees Cook <[email protected]>
Signed-off-by: Alexander Lobakin <[email protected]>
---
Documentation/conf.py | 2 ++
scripts/kernel-doc | 1 +
include/linux/compiler_types.h | 11 +++++++++++
3 files changed, 14 insertions(+)
diff --git a/Documentation/conf.py b/Documentation/conf.py
index d148f3e8dd57..0c2205d536b3 100644
--- a/Documentation/conf.py
+++ b/Documentation/conf.py
@@ -75,6 +75,8 @@ if major >= 3:
"__rcu",
"__user",
"__force",
+ "__counted_by_le",
+ "__counted_by_be",
# include/linux/compiler_attributes.h:
"__alias",
diff --git a/scripts/kernel-doc b/scripts/kernel-doc
index 967f1abb0edb..1474e95dbe4f 100755
--- a/scripts/kernel-doc
+++ b/scripts/kernel-doc
@@ -1143,6 +1143,7 @@ sub dump_struct($$) {
$members =~ s/\s*$attribute/ /gi;
$members =~ s/\s*__aligned\s*\([^;]*\)/ /gos;
$members =~ s/\s*__counted_by\s*\([^;]*\)/ /gos;
+ $members =~ s/\s*__counted_by_(le|be)\s*\([^;]*\)/ /gos;
$members =~ s/\s*__packed\s*/ /gos;
$members =~ s/\s*CRYPTO_MINALIGN_ATTR/ /gos;
$members =~ s/\s*____cacheline_aligned_in_smp/ /gos;
diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
index 2abaa3a825a9..a29ba6ef1e27 100644
--- a/include/linux/compiler_types.h
+++ b/include/linux/compiler_types.h
@@ -282,6 +282,17 @@ struct ftrace_likely_data {
#define __no_sanitize_or_inline __always_inline
#endif
+/*
+ * Apply __counted_by() when the Endianness matches to increase test coverage.
+ */
+#ifdef __LITTLE_ENDIAN
+#define __counted_by_le(member) __counted_by(member)
+#define __counted_by_be(member)
+#else
+#define __counted_by_le(member)
+#define __counted_by_be(member) __counted_by(member)
+#endif
+
/* Do not trap wrapping arithmetic within an annotated function. */
#ifdef CONFIG_UBSAN_SIGNED_WRAP
# define __signed_wrap __attribute__((no_sanitize("signed-integer-overflow")))
--
2.44.0
On 3/26/24 10:41, Alexander Lobakin wrote:
> Some structures contain flexible arrays at the end and the counter for
> them, but the counter has explicit Endianness and thus __counted_by()
> can't be used directly.
>
> To increase test coverage for potential problems without breaking
> anything, introduce __counted_by_{le,be}() defined depending on
> platform's Endianness to either __counted_by() when applicable or noop
> otherwise.
> Maybe it would be a good idea to introduce such attributes on compiler
> level if possible, but for now let's stop on what we have.
>
> Acked-by: Kees Cook <[email protected]>
> Signed-off-by: Alexander Lobakin <[email protected]>
LGTM:
Acked-by: Gustavo A. R. Silva <[email protected]>
Thanks
--
Gustavo
> ---
> Documentation/conf.py | 2 ++
> scripts/kernel-doc | 1 +
> include/linux/compiler_types.h | 11 +++++++++++
> 3 files changed, 14 insertions(+)
>
> diff --git a/Documentation/conf.py b/Documentation/conf.py
> index d148f3e8dd57..0c2205d536b3 100644
> --- a/Documentation/conf.py
> +++ b/Documentation/conf.py
> @@ -75,6 +75,8 @@ if major >= 3:
> "__rcu",
> "__user",
> "__force",
> + "__counted_by_le",
> + "__counted_by_be",
>
> # include/linux/compiler_attributes.h:
> "__alias",
> diff --git a/scripts/kernel-doc b/scripts/kernel-doc
> index 967f1abb0edb..1474e95dbe4f 100755
> --- a/scripts/kernel-doc
> +++ b/scripts/kernel-doc
> @@ -1143,6 +1143,7 @@ sub dump_struct($$) {
> $members =~ s/\s*$attribute/ /gi;
> $members =~ s/\s*__aligned\s*\([^;]*\)/ /gos;
> $members =~ s/\s*__counted_by\s*\([^;]*\)/ /gos;
> + $members =~ s/\s*__counted_by_(le|be)\s*\([^;]*\)/ /gos;
> $members =~ s/\s*__packed\s*/ /gos;
> $members =~ s/\s*CRYPTO_MINALIGN_ATTR/ /gos;
> $members =~ s/\s*____cacheline_aligned_in_smp/ /gos;
> diff --git a/include/linux/compiler_types.h b/include/linux/compiler_types.h
> index 2abaa3a825a9..a29ba6ef1e27 100644
> --- a/include/linux/compiler_types.h
> +++ b/include/linux/compiler_types.h
> @@ -282,6 +282,17 @@ struct ftrace_likely_data {
> #define __no_sanitize_or_inline __always_inline
> #endif
>
> +/*
> + * Apply __counted_by() when the Endianness matches to increase test coverage.
> + */
> +#ifdef __LITTLE_ENDIAN
> +#define __counted_by_le(member) __counted_by(member)
> +#define __counted_by_be(member)
> +#else
> +#define __counted_by_le(member)
> +#define __counted_by_be(member) __counted_by(member)
> +#endif
> +
> /* Do not trap wrapping arithmetic within an annotated function. */
> #ifdef CONFIG_UBSAN_SIGNED_WRAP
> # define __signed_wrap __attribute__((no_sanitize("signed-integer-overflow")))