| Message ID | 20240221051634.work.287-kees@kernel.org (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | 99db710f768e988e70f1164537bf533a017be24d |
| Headers | show |
| Series | refcount: Annotated intentional signed integer wrap-around | expand |
On Wed, Feb 21, 2024 at 6:16 AM Kees Cook <keescook@chromium.org> wrote: > > Mark the various refcount_t functions with __signed_wrap, as we depend > on the wrapping behavior to detect the overflow and perform saturation. > Silences warnings seen with the LKDTM REFCOUNT_* tests: > > UBSAN: signed-integer-overflow in ../include/linux/refcount.h:189:11 > 2147483647 + 1 cannot be represented in type 'int' > > Signed-off-by: Kees Cook <keescook@chromium.org> Not sure why I am the "To:" (i.e. even if it is a change involving only an addition of an attribute), but it looks good to me (UBSan is triggering on the few `old + i`s caused by the calls from `drivers/misc/lkdtm/refcount.c`, right?): Reviewed-by: Miguel Ojeda <ojeda@kernel.org> As usual, thanks Kees for keeping up on getting the kernel (un)signed UBSan-clean :) Cheers, Miguel
diff --git a/include/linux/refcount.h b/include/linux/refcount.h index 85c6df0d1bef..59b3b752394d 100644 --- a/include/linux/refcount.h +++ b/include/linux/refcount.h @@ -136,7 +136,8 @@ static inline unsigned int refcount_read(const refcount_t *r) return atomic_read(&r->refs); } -static inline __must_check bool __refcount_add_not_zero(int i, refcount_t *r, int *oldp) +static inline __must_check __signed_wrap +bool __refcount_add_not_zero(int i, refcount_t *r, int *oldp) { int old = refcount_read(r); @@ -177,7 +178,8 @@ static inline __must_check bool refcount_add_not_zero(int i, refcount_t *r) return __refcount_add_not_zero(i, r, NULL); } -static inline void __refcount_add(int i, refcount_t *r, int *oldp) +static inline __signed_wrap +void __refcount_add(int i, refcount_t *r, int *oldp) { int old = atomic_fetch_add_relaxed(i, &r->refs); @@ -256,7 +258,8 @@ static inline void refcount_inc(refcount_t *r) __refcount_inc(r, NULL); } -static inline __must_check bool __refcount_sub_and_test(int i, refcount_t *r, int *oldp) +static inline __must_check __signed_wrap +bool __refcount_sub_and_test(int i, refcount_t *r, int *oldp) { int old = atomic_fetch_sub_release(i, &r->refs);
Mark the various refcount_t functions with __signed_wrap, as we depend on the wrapping behavior to detect the overflow and perform saturation. Silences warnings seen with the LKDTM REFCOUNT_* tests: UBSAN: signed-integer-overflow in ../include/linux/refcount.h:189:11 2147483647 + 1 cannot be represented in type 'int' Signed-off-by: Kees Cook <keescook@chromium.org> --- Cc: Miguel Ojeda <ojeda@kernel.org> Cc: Will Deacon <will@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Boqun Feng <boqun.feng@gmail.com> Cc: Mark Rutland <mark.rutland@arm.com> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org> Cc: linux-hardening@vger.kernel.org --- include/linux/refcount.h | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)