From: Kees Cook <kees@kernel.org>
To: Bill Wendling <morbo@google.com>
Cc: linux-kernel@vger.kernel.org,
	"Gustavo A. R. Silva" <gustavoars@kernel.org>,
	"Nathan Chancellor" <nathan@kernel.org>,
	"Nick Desaulniers" <nick.desaulniers+lkml@gmail.com>,
	"Justin Stitt" <justinstitt@google.com>,
	"Miguel Ojeda" <ojeda@kernel.org>,
	"Peter Zijlstra" <peterz@infradead.org>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Heiko Carstens" <hca@linux.ibm.com>,
	"Marc Herbert" <Marc.Herbert@linux.intel.com>,
	"Uros Bizjak" <ubizjak@gmail.com>, "Tejun Heo" <tj@kernel.org>,
	"Jeff Xu" <jeffxu@chromium.org>,
	"Michal Koutný" <mkoutny@suse.com>,
	"Shakeel Butt" <shakeel.butt@linux.dev>,
	"Thomas Weißschuh" <thomas.weissschuh@linutronix.de>,
	"John Stultz" <jstultz@google.com>,
	"Christian Brauner" <brauner@kernel.org>,
	"Randy Dunlap" <rdunlap@infradead.org>,
	"Brian Gerst" <brgerst@gmail.com>,
	"Masahiro Yamada" <masahiroy@kernel.org>,
	"Mike Rapoport" <rppt@kernel.org>,
	linux-mm@kvack.org, linux-hardening@vger.kernel.org,
	llvm@lists.linux.dev
Subject: Re: [PATCH 2/2] memblock: annotate struct memblock_type with __counted_by_ptr
Date: Fri, 21 Nov 2025 16:30:43 -0800
Message-ID: <202511211525.05CB7E1AEC@keescook>
In-Reply-To: <20251121193957.1655580-3-morbo@google.com>

On Fri, Nov 21, 2025 at 07:39:44PM +0000, Bill Wendling wrote:
> Add the '__counted_by_ptr' attribute to the 'regions' field of 'struct
> memblock_type'. The 'regions' field is an array of 'struct
> memblock_region' and its size is tracked by the 'max' field, which
> represents the total number of allocated regions.

As part of any counted_by annotation patch, there needs to be discussion
in the commit log about how it's been shown to be a safe annotation
to make. e.g. in this case, if all allocations of "regions" have a
corresponding "max" assignment, etc. If just "git grep" can't find them
all, using something like Coccinelle or CodeQL to search for struct
memblock_type::regions assignments can work.

Here's what I used in the past for flexible arrays, but it was slow
due to Coccinelle needing --recursive-includes to see the structs,
but should be adaptable for counted_by on pointers:

@flex_match@
identifier STRUCT, COUNTED, ARRAY;
type COUNTED_TYPE, ARRAY_TYPE;
attribute name __counted_by;
@@

        struct STRUCT {
                ...
                COUNTED_TYPE COUNTED;
                ...
                ARRAY_TYPE ARRAY[] __counted_by(COUNTED);
        };

@missed_counted_assignment@
identifier flex_match.STRUCT;
struct STRUCT *P;
identifier flex_match.COUNTED;
identifier flex_match.ARRAY;
identifier ALLOC =~ ".*alloc.*";
@@

        P = ALLOC(...);
        ... when != P->COUNTED
*       P->ARRAY


> This annotation allows the Kernel Address Sanitizer (KASAN) to detect
> out-of-bounds accesses to the 'regions' array.

I think you mean UBSan here (and CONFIG_FORTIFY_SOURCE)?

> ---
>  include/linux/memblock.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/include/linux/memblock.h b/include/linux/memblock.h
> index 221118b5a16e..ba7f7c999a45 100644
> --- a/include/linux/memblock.h
> +++ b/include/linux/memblock.h
> @@ -91,7 +91,7 @@ struct memblock_type {
>  	unsigned long cnt;
>  	unsigned long max;
>  	phys_addr_t total_size;
> -	struct memblock_region *regions;
> +	struct memblock_region *regions __counted_by_ptr(max);
>  	char *name;
>  };
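
Review bot: on the added `regions` line the bound is `max` while the struct also carries `cnt`, and the commit message gives no evidence that every store to `regions` is paired with a matching store to `max`. Please list the assignment sites in the commit log, or say how they were enumerated, and state the required ordering wherever both fields are updated, since a checked access between the two stores would use a mismatched bound. A short comment on the field noting that `max` is the allocated capacity, so indices from `cnt` up to `max` pass the check, would help readers who expect the bound to be the in-use count.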

For the handful of places I spot checked, yeah, it looks like a nice
annotation.

-Kees

-- 
Kees Cook
