Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

media: v4l2-event: Annotate struct v4l2_subscribed_event with __counted_by

Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time via CONFIG_UBSAN_BOUNDS
(for array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).

As found with Coccinelle[1], add __counted_by for
struct v4l2_subscribed_event.
Additionally, since the element count member must be set before accessing
the annotated flexible array member, move its initialization earlier.

[1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci

Cc: lijian <lijian@yulong.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>

authored by Kees Cook and committed by Hans Verkuil
54b6b605 d4255578

+2 -2
+1 -1
drivers/media/v4l2-core/v4l2-event.c
··· 238 238 sev = kvzalloc(struct_size(sev, events, elems), GFP_KERNEL); 239 239 if (!sev) 240 240 return -ENOMEM; 241 + sev->elems = elems; 241 242 for (i = 0; i < elems; i++) 242 243 sev->events[i].sev = sev; 243 244 sev->type = sub->type; ··· 246 245 sev->flags = sub->flags; 247 246 sev->fh = fh; 248 247 sev->ops = ops; 249 - sev->elems = elems; 250 248 251 249 mutex_lock(&fh->subscribe_lock); 252 250
+1 -1
include/media/v4l2-event.h
··· 78 78 unsigned int elems; 79 79 unsigned int first; 80 80 unsigned int in_use; 81 - struct v4l2_kevent events[]; 81 + struct v4l2_kevent events[] __counted_by(elems); 82 82 }; 83 83 84 84 /**
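Review bot: In drivers/media/v4l2-core/v4l2-event.c, the added `sev->elems = elems;` at new line 241 is now separated from the other field assignments (`sev->type`, `sev->flags`, `sev->fh`, `sev->ops`) and nothing in the code says why. The position matters: the loop immediately after it writes `sev->events[i].sev`, and with `events[]` annotated `__counted_by(elems)` a bounds-checked build would still see the zero count left by kvzalloc() if the assignment came later. A one-line comment above it, stating that the count has to be set before the first access to `events[]`, would keep a later cleanup from regrouping it with the other initializers.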
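Review bot: In include/media/v4l2-event.h, the annotation `events[] __counted_by(elems)` makes `elems` the bound that run-time checks use, but the declaration `unsigned int elems;` at line 78 gives no hint that it now has this role. The kernel-doc entry for `elems` is not visible in this hunk; if it does not already say so, it should state that the field must equal the element count passed to struct_size() at allocation, must be assigned before `events[]` is touched, and must not be increased afterwards. That puts the ordering rule from the commit message where future users of the struct will read it.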