Mark the various refcount_t functions with __signed_wrap, as we depend
on the wrapping behavior to detect the overflow and perform saturation.
Silences warnings seen with the LKDTM REFCOUNT_* tests:
UBSAN: signed-integer-overflow in ../include/linux/refcount.h:189:11
2147483647 + 1 cannot be represented in type 'int'
Signed-off-by: Kees Cook <[email protected]>
---
Cc: Miguel Ojeda <[email protected]>
Cc: Will Deacon <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Boqun Feng <[email protected]>
Cc: Mark Rutland <[email protected]>
Cc: "Gustavo A. R. Silva" <[email protected]>
Cc: [email protected]
---
include/linux/refcount.h | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/include/linux/refcount.h b/include/linux/refcount.h
index 85c6df0d1bef..59b3b752394d 100644
--- a/include/linux/refcount.h
+++ b/include/linux/refcount.h
@@ -136,7 +136,8 @@ static inline unsigned int refcount_read(const refcount_t *r)
return atomic_read(&r->refs);
}
-static inline __must_check bool __refcount_add_not_zero(int i, refcount_t *r, int *oldp)
+static inline __must_check __signed_wrap
+bool __refcount_add_not_zero(int i, refcount_t *r, int *oldp)
{
int old = refcount_read(r);
@@ -177,7 +178,8 @@ static inline __must_check bool refcount_add_not_zero(int i, refcount_t *r)
return __refcount_add_not_zero(i, r, NULL);
}
-static inline void __refcount_add(int i, refcount_t *r, int *oldp)
+static inline __signed_wrap
+void __refcount_add(int i, refcount_t *r, int *oldp)
{
int old = atomic_fetch_add_relaxed(i, &r->refs);
@@ -256,7 +258,8 @@ static inline void refcount_inc(refcount_t *r)
__refcount_inc(r, NULL);
}
-static inline __must_check bool __refcount_sub_and_test(int i, refcount_t *r, int *oldp)
+static inline __must_check __signed_wrap
+bool __refcount_sub_and_test(int i, refcount_t *r, int *oldp)
{
int old = atomic_fetch_sub_release(i, &r->refs);
--
2.34.1
On Wed, Feb 21, 2024 at 6:16 AM Kees Cook <[email protected]> wrote:
>
> Mark the various refcount_t functions with __signed_wrap, as we depend
> on the wrapping behavior to detect the overflow and perform saturation.
> Silences warnings seen with the LKDTM REFCOUNT_* tests:
>
> UBSAN: signed-integer-overflow in ../include/linux/refcount.h:189:11
> 2147483647 + 1 cannot be represented in type 'int'
>
> Signed-off-by: Kees Cook <[email protected]>
Not sure why I am the "To:" (i.e. even if it is a change involving
only an addition of an attribute), but it looks good to me (UBSan is
triggering on the few `old + i`s caused by the calls from
`drivers/misc/lkdtm/refcount.c`, right?):
Reviewed-by: Miguel Ojeda <[email protected]>
As usual, thanks Kees for keeping up on getting the kernel (un)signed
UBSan-clean :)
Cheers,
Miguel