wifi: rtw89: coex: add annotation __counted_by() to struct rtw89_btc_btf_set_mon_reg

Prepare for the coming implementation by GCC and Clang of the __counted_by
attribute. Flexible array members annotated with __counted_by can have
their accesses bounds-checked at run-time via CONFIG_UBSAN_BOUNDS (for
array indexing) and CONFIG_FORTIFY_SOURCE (for strcpy/memcpy-family
functions).

Use struct_size() and flex_array_size() helpers to calculate proper sizes
for allocation and memcpy().

Don't change logic at all, and result is identical as before.

Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20231011063725.25276-2-pkshih@realtek.com

diff --git a/drivers/net/wireless/realtek/rtw89/coex.c b/drivers/net/wireless/realtek/rtw89/coex.c
index 9f9da122f3f89f040a8a75b625166a50650598fd..207218cdf2c475dc0a0fec34ebafdea601967086 100644 (file)
--- a/drivers/net/wireless/realtek/rtw89/coex.c
+++ b/drivers/net/wireless/realtek/rtw89/coex.c
@@ -243,7 +243,7 @@ struct rtw89_btc_btf_set_slot_table {
 struct rtw89_btc_btf_set_mon_reg {
        u8 fver;
        u8 reg_num;
-       u8 buf[];
+       struct rtw89_btc_fbtc_mreg regs[] __counted_by(reg_num);
 } __packed;
 
 enum btc_btf_set_cx_policy {
@@ -1843,7 +1843,7 @@ static void btc_fw_set_monreg(struct rtw89_dev *rtwdev)
        const struct rtw89_chip_info *chip = rtwdev->chip;
        const struct rtw89_btc_ver *ver = rtwdev->btc.ver;
        struct rtw89_btc_btf_set_mon_reg *monreg = NULL;
-       u8 n, *ptr = NULL, ulen, cxmreg_max;
+       u8 n, ulen, cxmreg_max;
        u16 sz = 0;
 
        n = chip->mon_reg_num;
@@ -1864,16 +1864,15 @@ static void btc_fw_set_monreg(struct rtw89_dev *rtwdev)
                return;
        }
 
-       ulen = sizeof(struct rtw89_btc_fbtc_mreg);
-       sz = (ulen * n) + sizeof(*monreg);
+       ulen = sizeof(monreg->regs[0]);
+       sz = struct_size(monreg, regs, n);
        monreg = kmalloc(sz, GFP_KERNEL);
        if (!monreg)
                return;
 
        monreg->fver = ver->fcxmreg;
        monreg->reg_num = n;
-       ptr = &monreg->buf[0];
-       memcpy(ptr, chip->mon_reg, n * ulen);
+       memcpy(monreg->regs, chip->mon_reg, flex_array_size(monreg, regs, n));
        rtw89_debug(rtwdev, RTW89_DBG_BTC,
                    "[BTC], %s(): sz=%d ulen=%d n=%d\n",
                    __func__, sz, ulen, n);