On Fri, Sep 15, 2023 at 01:06:12PM -0700, Kees Cook wrote: > Prepare for the coming implementation by GCC and Clang of the __counted_by > attribute. Flexible array members annotated with __counted_by can have > their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS > (for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family > functions). > > As found with Coccinelle[1], add __counted_by for struct mt76_rx_tid. Friendly ping. Can this get picked up by the wifi tree, or should it go via something else? Thanks! -Kees > > [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci > > Cc: Felix Fietkau <nbd@xxxxxxxx> > Cc: Lorenzo Bianconi <lorenzo@xxxxxxxxxx> > Cc: Ryder Lee <ryder.lee@xxxxxxxxxxxx> > Cc: Shayne Chen <shayne.chen@xxxxxxxxxxxx> > Cc: Sean Wang <sean.wang@xxxxxxxxxxxx> > Cc: Kalle Valo <kvalo@xxxxxxxxxx> > Cc: Matthias Brugger <matthias.bgg@xxxxxxxxx> > Cc: AngeloGioacchino Del Regno <angelogioacchino.delregno@xxxxxxxxxxxxx> > Cc: linux-wireless@xxxxxxxxxxxxxxx > Cc: linux-arm-kernel@xxxxxxxxxxxxxxxxxxx > Cc: linux-mediatek@xxxxxxxxxxxxxxxxxxx > Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> > --- > drivers/net/wireless/mediatek/mt76/mt76.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h > index e8757865a3d0..03ef617b1527 100644 > --- a/drivers/net/wireless/mediatek/mt76/mt76.h > +++ b/drivers/net/wireless/mediatek/mt76/mt76.h > @@ -376,7 +376,7 @@ struct mt76_rx_tid { > > u8 started:1, stopped:1, timer_pending:1; > > - struct sk_buff *reorder_buf[]; > + struct sk_buff *reorder_buf[] __counted_by(size); > }; > > #define MT_TX_CB_DMA_DONE BIT(0) > -- > 2.34.1 > -- Kees Cook
