tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

wifi: rtw89: coex: add annotation __counted_by() to struct rtw89_btc_btf_set_mon_reg

Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time via CONFIG_UBSAN_BOUNDS (for
array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).

Use struct_size() and flex_array_size() helpers to calculate proper sizes
for allocation and memcpy().

Don't change logic at all, and result is identical as before.

Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20231011063725.25276-2-pkshih@realtek.com

authored by

Ping-Ke Shih and committed by
Kalle Valo 618071ae 07202dc1

+5 -6
+5 -6
drivers/net/wireless/realtek/rtw89/coex.c
··· 243 243 struct rtw89_btc_btf_set_mon_reg { 244 244 u8 fver; 245 245 u8 reg_num; 246 - u8 buf[]; 246 + struct rtw89_btc_fbtc_mreg regs[] __counted_by(reg_num); 247 247 } __packed; 248 248 249 249 enum btc_btf_set_cx_policy { ··· 1843 1843 const struct rtw89_chip_info *chip = rtwdev->chip; 1844 1844 const struct rtw89_btc_ver *ver = rtwdev->btc.ver; 1845 1845 struct rtw89_btc_btf_set_mon_reg *monreg = NULL; 1846 - u8 n, *ptr = NULL, ulen, cxmreg_max; 1846 + u8 n, ulen, cxmreg_max; 1847 1847 u16 sz = 0; 1848 1848 1849 1849 n = chip->mon_reg_num; ··· 1864 1864 return; 1865 1865 } 1866 1866 1867 - ulen = sizeof(struct rtw89_btc_fbtc_mreg); 1868 - sz = (ulen * n) + sizeof(*monreg); 1867 + ulen = sizeof(monreg->regs[0]); 1868 + sz = struct_size(monreg, regs, n); 1869 1869 monreg = kmalloc(sz, GFP_KERNEL); 1870 1870 if (!monreg) 1871 1871 return; 1872 1872 1873 1873 monreg->fver = ver->fcxmreg; 1874 1874 monreg->reg_num = n; 1875 - ptr = &monreg->buf[0]; 1876 - memcpy(ptr, chip->mon_reg, n * ulen); 1875 + memcpy(monreg->regs, chip->mon_reg, flex_array_size(monreg, regs, n)); 1877 1876 rtw89_debug(rtwdev, RTW89_DBG_BTC, 1878 1877 "[BTC], %s(): sz=%d ulen=%d n=%d\n", 1879 1878 __func__, sz, ulen, n);