tools: bpf: make use of reallocarray

reallocarray() is a safer variant of realloc which checks for multiplication overflow in case of array allocation. Since it's not available in Glibc < 2.26 import kernel's overflow.h and add a static inline implementation when needed. Use feature detection to probe for existence of reallocarray. Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Reviewed-by: Quentin Monnet <quentin.monnet@netronome.com> Reviewed-by: Jiong Wang <jiong.wang@netronome.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
author: Jakub Kicinski <jakub.kicinski@netronome.com> 2018-07-10 17:43:05 -0400
committer: Daniel Borkmann <daniel@iogearbox.net> 2018-07-11 16:13:34 -0400
commit: 531b014e7a2fedaeff0b19b2934d830cd4b35dc0 (patch)
tree: 0de8355e9d533b4f6f90c3b389f58c992e75bb14 /tools/include
parent: 8d13406c02f9c38f106416e1dbe0e68059b9f59a (diff)
3 files changed, 302 insertions, 0 deletions
diff --git a/tools/include/linux/compiler-gcc.h b/tools/include/linux/compiler-gcc.h
index 70fe61295733..0d35f18006a1 100644
--- a/tools/include/linux/compiler-gcc.h
+++ b/tools/include/linux/compiler-gcc.h
@@ -36,3 +36,7 @@
 #endif
 #define __printf(a, b)  __attribute__((format(printf, a, b)))
 #define __scanf(a, b)   __attribute__((format(scanf, a, b)))
+#if GCC_VERSION >= 50100
+#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1
+#endif
diff --git a/tools/include/linux/overflow.h b/tools/include/linux/overflow.h
new file mode 100644
index 000000000000..8712ff70995f
--- /dev/null
+++ b/tools/include/linux/overflow.h
@@ -0,0 +1,278 @@
+/* SPDX-License-Identifier: GPL-2.0 OR MIT */
+#ifndef __LINUX_OVERFLOW_H
+#define __LINUX_OVERFLOW_H
+#include <linux/compiler.h>
+/*
+ * In the fallback code below, we need to compute the minimum and
+ * maximum values representable in a given type. These macros may also
+ * be useful elsewhere, so we provide them outside the
+ * COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW block.
+ *
+ * It would seem more obvious to do something like
+ *
+ * #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0)
+ * #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0)
+ *
+ * Unfortunately, the middle expressions, strictly speaking, have
+ * undefined behaviour, and at least some versions of gcc warn about
+ * the type_max expression (but not if -fsanitize=undefined is in
+ * effect; in that case, the warning is deferred to runtime...).
+ *
+ * The slightly excessive casting in type_min is to make sure the
+ * macros also produce sensible values for the exotic type _Bool. [The
+ * overflow checkers only almost work for _Bool, but that's
+ * a-feature-not-a-bug, since people shouldn't be doing arithmetic on
+ * _Bools. Besides, the gcc builtins don't allow _Bool* as third
+ * argument.]
+ *
+ * Idea stolen from
+ * https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html -
+ * credit to Christian Biere.
+ */
+#define is_signed_type(type)       (((type)(-1)) < (type)1)
+#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
+#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
+#define type_min(T) ((T)((T)-type_max(T)-(T)1))
+#ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
+/*
+ * For simplicity and code hygiene, the fallback code below insists on
+ * a, b and *d having the same type (similar to the min() and max()
+ * macros), whereas gcc's type-generic overflow checkers accept
+ * different types. Hence we don't just make check_add_overflow an
+ * alias for __builtin_add_overflow, but add type checks similar to
+ * below.
+ */
+#define check_add_overflow(a, b, d) ({          \
+        typeof(a) __a = (a);                    \
+        typeof(b) __b = (b);                    \
+        typeof(d) __d = (d);                    \
+        (void) (&__a == &__b);                  \
+        (void) (&__a == __d);                   \
+        __builtin_add_overflow(__a, __b, __d);  \
+})
+#define check_sub_overflow(a, b, d) ({          \
+        typeof(a) __a = (a);                    \
+        typeof(b) __b = (b);                    \
+        typeof(d) __d = (d);                    \
+        (void) (&__a == &__b);                  \
+        (void) (&__a == __d);                   \
+        __builtin_sub_overflow(__a, __b, __d);  \
+})
+#define check_mul_overflow(a, b, d) ({          \
+        typeof(a) __a = (a);                    \
+        typeof(b) __b = (b);                    \
+        typeof(d) __d = (d);                    \
+        (void) (&__a == &__b);                  \
+        (void) (&__a == __d);                   \
+        __builtin_mul_overflow(__a, __b, __d);  \
+})
+#else
+/* Checking for unsigned overflow is relatively easy without causing UB. */
+#define __unsigned_add_overflow(a, b, d) ({     \
+        typeof(a) __a = (a);                    \
+        typeof(b) __b = (b);                    \
+        typeof(d) __d = (d);                    \
+        (void) (&__a == &__b);                  \
+        (void) (&__a == __d);                   \
+        *__d = __a + __b;                       \
+        *__d < __a;                             \
+})
+#define __unsigned_sub_overflow(a, b, d) ({     \
+        typeof(a) __a = (a);                    \
+        typeof(b) __b = (b);                    \
+        typeof(d) __d = (d);                    \
+        (void) (&__a == &__b);                  \
+        (void) (&__a == __d);                   \
+        *__d = __a - __b;                       \
+        __a < __b;                              \
+})
+/*
+ * If one of a or b is a compile-time constant, this avoids a division.
+ */
+#define __unsigned_mul_overflow(a, b, d) ({             \
+        typeof(a) __a = (a);                            \
+        typeof(b) __b = (b);                            \
+        typeof(d) __d = (d);                            \
+        (void) (&__a == &__b);                          \
+        (void) (&__a == __d);                           \
+        *__d = __a * __b;                               \
+        __builtin_constant_p(__b) ?                     \
+          __b > 0 && __a > type_max(typeof(__a)) / __b : \
+          __a > 0 && __b > type_max(typeof(__b)) / __a;  \
+})
+/*
+ * For signed types, detecting overflow is much harder, especially if
+ * we want to avoid UB. But the interface of these macros is such that
+ * we must provide a result in *d, and in fact we must produce the
+ * result promised by gcc's builtins, which is simply the possibly
+ * wrapped-around value. Fortunately, we can just formally do the
+ * operations in the widest relevant unsigned type (u64) and then
+ * truncate the result - gcc is smart enough to generate the same code
+ * with and without the (u64) casts.
+ */
+/*
+ * Adding two signed integers can overflow only if they have the same
+ * sign, and overflow has happened iff the result has the opposite
+ * sign.
+ */
+#define __signed_add_overflow(a, b, d) ({       \
+        typeof(a) __a = (a);                    \
+        typeof(b) __b = (b);                    \
+        typeof(d) __d = (d);                    \
+        (void) (&__a == &__b);                  \
+        (void) (&__a == __d);                   \
+        *__d = (u64)__a + (u64)__b;             \
+        (((~(__a ^ __b)) & (*__d ^ __a))        \
+                & type_min(typeof(__a))) != 0;  \
+})
+/*
+ * Subtraction is similar, except that overflow can now happen only
+ * when the signs are opposite. In this case, overflow has happened if
+ * the result has the opposite sign of a.
+ */
+#define __signed_sub_overflow(a, b, d) ({       \
+        typeof(a) __a = (a);                    \
+        typeof(b) __b = (b);                    \
+        typeof(d) __d = (d);                    \
+        (void) (&__a == &__b);                  \
+        (void) (&__a == __d);                   \
+        *__d = (u64)__a - (u64)__b;             \
+        ((((__a ^ __b)) & (*__d ^ __a))         \
+                & type_min(typeof(__a))) != 0;  \
+})
+/*
+ * Signed multiplication is rather hard. gcc always follows C99, so
+ * division is truncated towards 0. This means that we can write the
+ * overflow check like this:
+ *
+ * (a > 0 && (b > MAX/a || b < MIN/a)) ||
+ * (a < -1 && (b > MIN/a || b < MAX/a) ||
+ * (a == -1 && b == MIN)
+ *
+ * The redundant casts of -1 are to silence an annoying -Wtype-limits
+ * (included in -Wextra) warning: When the type is u8 or u16, the
+ * __b_c_e in check_mul_overflow obviously selects
+ * __unsigned_mul_overflow, but unfortunately gcc still parses this
+ * code and warns about the limited range of __b.
+ */
+#define __signed_mul_overflow(a, b, d) ({                               \
+        typeof(a) __a = (a);                                            \
+        typeof(b) __b = (b);                                            \
+        typeof(d) __d = (d);                                            \
+        typeof(a) __tmax = type_max(typeof(a));                         \
+        typeof(a) __tmin = type_min(typeof(a));                         \
+        (void) (&__a == &__b);                                          \
+        (void) (&__a == __d);                                           \
+        *__d = (u64)__a * (u64)__b;                                     \
+        (__b > 0   && (__a > __tmax/__b || __a < __tmin/__b)) ||        \
+        (__b < (typeof(__b))-1  && (__a > __tmin/__b || __a < __tmax/__b)) || \
+        (__b == (typeof(__b))-1 && __a == __tmin);                      \
+})
+#define check_add_overflow(a, b, d)                                     \
+        __builtin_choose_expr(is_signed_type(typeof(a)),                \
+                        __signed_add_overflow(a, b, d),                 \
+                        __unsigned_add_overflow(a, b, d))
+#define check_sub_overflow(a, b, d)                                     \
+        __builtin_choose_expr(is_signed_type(typeof(a)),                \
+                        __signed_sub_overflow(a, b, d),                 \
+                        __unsigned_sub_overflow(a, b, d))
+#define check_mul_overflow(a, b, d)                                     \
+        __builtin_choose_expr(is_signed_type(typeof(a)),                \
+                        __signed_mul_overflow(a, b, d),                 \
+                        __unsigned_mul_overflow(a, b, d))
+#endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
+/**
+ * array_size() - Calculate size of 2-dimensional array.
+ *
+ * @a: dimension one
+ * @b: dimension two
+ *
+ * Calculates size of 2-dimensional array: @a * @b.
+ *
+ * Returns: number of bytes needed to represent the array or SIZE_MAX on
+ * overflow.
+ */
+static inline __must_check size_t array_size(size_t a, size_t b)
+{
+        size_t bytes;
+        if (check_mul_overflow(a, b, &bytes))
+                return SIZE_MAX;
+        return bytes;
+}
+/**
+ * array3_size() - Calculate size of 3-dimensional array.
+ *
+ * @a: dimension one
+ * @b: dimension two
+ * @c: dimension three
+ *
+ * Calculates size of 3-dimensional array: @a * @b * @c.
+ *
+ * Returns: number of bytes needed to represent the array or SIZE_MAX on
+ * overflow.
+ */
+static inline __must_check size_t array3_size(size_t a, size_t b, size_t c)
+{
+        size_t bytes;
+        if (check_mul_overflow(a, b, &bytes))
+                return SIZE_MAX;
+        if (check_mul_overflow(bytes, c, &bytes))
+                return SIZE_MAX;
+        return bytes;
+}
+static inline __must_check size_t __ab_c_size(size_t n, size_t size, size_t c)
+{
+        size_t bytes;
+        if (check_mul_overflow(n, size, &bytes))
+                return SIZE_MAX;
+        if (check_add_overflow(bytes, c, &bytes))
+                return SIZE_MAX;
+        return bytes;
+}
+/**
+ * struct_size() - Calculate size of structure with trailing array.
+ * @p: Pointer to the structure.
+ * @member: Name of the array member.
+ * @n: Number of elements in the array.
+ *
+ * Calculates size of memory needed for structure @p followed by an
+ * array of @n @member elements.
+ *
+ * Return: number of bytes needed or SIZE_MAX on overflow.
+ */
+#define struct_size(p, member, n)                                       \
+        __ab_c_size(n,                                                  \
+                    sizeof(*(p)->member) + __must_be_array((p)->member),\
+                    sizeof(*(p)))
+#endif /* __LINUX_OVERFLOW_H */
diff --git a/tools/include/tools/libc_compat.h b/tools/include/tools/libc_compat.h
new file mode 100644
index 000000000000..664ced8cb1b0
--- /dev/null
+++ b/tools/include/tools/libc_compat.h
@@ -0,0 +1,20 @@
+// SPDX-License-Identifier: GPL-2.0+
+/* Copyright (C) 2018 Netronome Systems, Inc. */
+#ifndef __TOOLS_LIBC_COMPAT_H
+#define __TOOLS_LIBC_COMPAT_H
+#include <stdlib.h>
+#include <linux/overflow.h>
+#ifdef COMPAT_NEED_REALLOCARRAY
+static inline void *reallocarray(void *ptr, size_t nmemb, size_t size)
+{
+        size_t bytes;
+        if (unlikely(check_mul_overflow(nmemb, size, &bytes)))
+                return NULL;
+        return realloc(ptr, bytes);
+}
+#endif
+#endif
author	Jakub Kicinski <jakub.kicinski@netronome.com>	2018-07-10 17:43:05 -0400
committer	Daniel Borkmann <daniel@iogearbox.net>	2018-07-11 16:13:34 -0400
commit	531b014e7a2fedaeff0b19b2934d830cd4b35dc0 (patch)
tree	0de8355e9d533b4f6f90c3b389f58c992e75bb14 /tools/include
parent	8d13406c02f9c38f106416e1dbe0e68059b9f59a (diff)

diff --git a/tools/include/linux/compiler-gcc.h b/tools/include/linux/compiler-gcc.h index 70fe61295733..0d35f18006a1 100644 --- a/tools/include/linux/compiler-gcc.h +++ b/tools/include/linux/compiler-gcc.h
@@ -36,3 +36,7 @@
36	#endif	36	#endif
37	#define __printf(a, b) __attribute__((format(printf, a, b)))	37	#define __printf(a, b) __attribute__((format(printf, a, b)))
38	#define __scanf(a, b) __attribute__((format(scanf, a, b)))	38	#define __scanf(a, b) __attribute__((format(scanf, a, b)))
		39
		40	#if GCC_VERSION >= 50100
		41	#define COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW 1
		42	#endif


diff --git a/tools/include/linux/overflow.h b/tools/include/linux/overflow.h new file mode 100644 index 000000000000..8712ff70995f --- /dev/null +++ b/tools/include/linux/overflow.h
@@ -0,0 +1,278 @@
		1	/* SPDX-License-Identifier: GPL-2.0 OR MIT */
		2	#ifndef __LINUX_OVERFLOW_H
		3	#define __LINUX_OVERFLOW_H
		4
		5	#include <linux/compiler.h>
		6
		7	/*
		8	* In the fallback code below, we need to compute the minimum and
		9	* maximum values representable in a given type. These macros may also
		10	* be useful elsewhere, so we provide them outside the
		11	* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW block.
		12	*
		13	* It would seem more obvious to do something like
		14	*
		15	* #define type_min(T) (T)(is_signed_type(T) ? (T)1 << (8*sizeof(T)-1) : 0)
		16	* #define type_max(T) (T)(is_signed_type(T) ? ((T)1 << (8*sizeof(T)-1)) - 1 : ~(T)0)
		17	*
		18	* Unfortunately, the middle expressions, strictly speaking, have
		19	* undefined behaviour, and at least some versions of gcc warn about
		20	* the type_max expression (but not if -fsanitize=undefined is in
		21	* effect; in that case, the warning is deferred to runtime...).
		22	*
		23	* The slightly excessive casting in type_min is to make sure the
		24	* macros also produce sensible values for the exotic type _Bool. [The
		25	* overflow checkers only almost work for _Bool, but that's
		26	* a-feature-not-a-bug, since people shouldn't be doing arithmetic on
		27	* _Bools. Besides, the gcc builtins don't allow _Bool* as third
		28	* argument.]
		29	*
		30	* Idea stolen from
		31	* https://mail-index.netbsd.org/tech-misc/2007/02/05/0000.html -
		32	* credit to Christian Biere.
		33	*/
		34	#define is_signed_type(type) (((type)(-1)) < (type)1)
		35	#define __type_half_max(type) ((type)1 << (8*sizeof(type) - 1 - is_signed_type(type)))
		36	#define type_max(T) ((T)((__type_half_max(T) - 1) + __type_half_max(T)))
		37	#define type_min(T) ((T)((T)-type_max(T)-(T)1))
		38
		39
		40	#ifdef COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW
		41	/*
		42	* For simplicity and code hygiene, the fallback code below insists on
		43	* a, b and *d having the same type (similar to the min() and max()
		44	* macros), whereas gcc's type-generic overflow checkers accept
		45	* different types. Hence we don't just make check_add_overflow an
		46	* alias for __builtin_add_overflow, but add type checks similar to
		47	* below.
		48	*/
		49	#define check_add_overflow(a, b, d) ({ \
		50	typeof(a) __a = (a); \
		51	typeof(b) __b = (b); \
		52	typeof(d) __d = (d); \
		53	(void) (&__a == &__b); \
		54	(void) (&__a == __d); \
		55	__builtin_add_overflow(__a, __b, __d); \
		56	})
		57
		58	#define check_sub_overflow(a, b, d) ({ \
		59	typeof(a) __a = (a); \
		60	typeof(b) __b = (b); \
		61	typeof(d) __d = (d); \
		62	(void) (&__a == &__b); \
		63	(void) (&__a == __d); \
		64	__builtin_sub_overflow(__a, __b, __d); \
		65	})
		66
		67	#define check_mul_overflow(a, b, d) ({ \
		68	typeof(a) __a = (a); \
		69	typeof(b) __b = (b); \
		70	typeof(d) __d = (d); \
		71	(void) (&__a == &__b); \
		72	(void) (&__a == __d); \
		73	__builtin_mul_overflow(__a, __b, __d); \
		74	})
		75
		76	#else
		77
		78
		79	/* Checking for unsigned overflow is relatively easy without causing UB. */
		80	#define __unsigned_add_overflow(a, b, d) ({ \
		81	typeof(a) __a = (a); \
		82	typeof(b) __b = (b); \
		83	typeof(d) __d = (d); \
		84	(void) (&__a == &__b); \
		85	(void) (&__a == __d); \
		86	*__d = __a + __b; \
		87	*__d < __a; \
		88	})
		89	#define __unsigned_sub_overflow(a, b, d) ({ \
		90	typeof(a) __a = (a); \
		91	typeof(b) __b = (b); \
		92	typeof(d) __d = (d); \
		93	(void) (&__a == &__b); \
		94	(void) (&__a == __d); \
		95	*__d = __a - __b; \
		96	__a < __b; \
		97	})
		98	/*
		99	* If one of a or b is a compile-time constant, this avoids a division.
		100	*/
		101	#define __unsigned_mul_overflow(a, b, d) ({ \
		102	typeof(a) __a = (a); \
		103	typeof(b) __b = (b); \
		104	typeof(d) __d = (d); \
		105	(void) (&__a == &__b); \
		106	(void) (&__a == __d); \
		107	__d = __a __b; \
		108	__builtin_constant_p(__b) ? \
		109	__b > 0 && __a > type_max(typeof(__a)) / __b : \
		110	__a > 0 && __b > type_max(typeof(__b)) / __a; \
		111	})
		112
		113	/*
		114	* For signed types, detecting overflow is much harder, especially if
		115	* we want to avoid UB. But the interface of these macros is such that
		116	* we must provide a result in *d, and in fact we must produce the
		117	* result promised by gcc's builtins, which is simply the possibly
		118	* wrapped-around value. Fortunately, we can just formally do the
		119	* operations in the widest relevant unsigned type (u64) and then
		120	* truncate the result - gcc is smart enough to generate the same code
		121	* with and without the (u64) casts.
		122	*/
		123
		124	/*
		125	* Adding two signed integers can overflow only if they have the same
		126	* sign, and overflow has happened iff the result has the opposite
		127	* sign.
		128	*/
		129	#define __signed_add_overflow(a, b, d) ({ \
		130	typeof(a) __a = (a); \
		131	typeof(b) __b = (b); \
		132	typeof(d) __d = (d); \
		133	(void) (&__a == &__b); \
		134	(void) (&__a == __d); \
		135	*__d = (u64)__a + (u64)__b; \
		136	(((~(__a ^ __b)) & (*__d ^ __a)) \
		137	& type_min(typeof(__a))) != 0; \
		138	})
		139
		140	/*
		141	* Subtraction is similar, except that overflow can now happen only
		142	* when the signs are opposite. In this case, overflow has happened if
		143	* the result has the opposite sign of a.
		144	*/
		145	#define __signed_sub_overflow(a, b, d) ({ \
		146	typeof(a) __a = (a); \
		147	typeof(b) __b = (b); \
		148	typeof(d) __d = (d); \
		149	(void) (&__a == &__b); \
		150	(void) (&__a == __d); \
		151	*__d = (u64)__a - (u64)__b; \
		152	((((__a ^ __b)) & (*__d ^ __a)) \
		153	& type_min(typeof(__a))) != 0; \
		154	})
		155
		156	/*
		157	* Signed multiplication is rather hard. gcc always follows C99, so
		158	* division is truncated towards 0. This means that we can write the
		159	* overflow check like this:
		160	*
		161	* (a > 0 && (b > MAX/a \|\| b < MIN/a)) \|\|
		162	* (a < -1 && (b > MIN/a \|\| b < MAX/a) \|\|
		163	* (a == -1 && b == MIN)
		164	*
		165	* The redundant casts of -1 are to silence an annoying -Wtype-limits
		166	* (included in -Wextra) warning: When the type is u8 or u16, the
		167	* __b_c_e in check_mul_overflow obviously selects
		168	* __unsigned_mul_overflow, but unfortunately gcc still parses this
		169	* code and warns about the limited range of __b.
		170	*/
		171
		172	#define __signed_mul_overflow(a, b, d) ({ \
		173	typeof(a) __a = (a); \
		174	typeof(b) __b = (b); \
		175	typeof(d) __d = (d); \
		176	typeof(a) __tmax = type_max(typeof(a)); \
		177	typeof(a) __tmin = type_min(typeof(a)); \
		178	(void) (&__a == &__b); \
		179	(void) (&__a == __d); \
		180	__d = (u64)__a (u64)__b; \
		181	(__b > 0 && (__a > __tmax/__b \|\| __a < __tmin/__b)) \|\| \
		182	(__b < (typeof(__b))-1 && (__a > __tmin/__b \|\| __a < __tmax/__b)) \|\| \
		183	(__b == (typeof(__b))-1 && __a == __tmin); \
		184	})
		185
		186
		187	#define check_add_overflow(a, b, d) \
		188	__builtin_choose_expr(is_signed_type(typeof(a)), \
		189	__signed_add_overflow(a, b, d), \
		190	__unsigned_add_overflow(a, b, d))
		191
		192	#define check_sub_overflow(a, b, d) \
		193	__builtin_choose_expr(is_signed_type(typeof(a)), \
		194	__signed_sub_overflow(a, b, d), \
		195	__unsigned_sub_overflow(a, b, d))
		196
		197	#define check_mul_overflow(a, b, d) \
		198	__builtin_choose_expr(is_signed_type(typeof(a)), \
		199	__signed_mul_overflow(a, b, d), \
		200	__unsigned_mul_overflow(a, b, d))
		201
		202
		203	#endif /* COMPILER_HAS_GENERIC_BUILTIN_OVERFLOW */
		204
		205	/**
		206	* array_size() - Calculate size of 2-dimensional array.
		207	*
		208	* @a: dimension one
		209	* @b: dimension two
		210	*
		211	* Calculates size of 2-dimensional array: @a * @b.
		212	*
		213	* Returns: number of bytes needed to represent the array or SIZE_MAX on
		214	* overflow.
		215	*/
		216	static inline __must_check size_t array_size(size_t a, size_t b)
		217	{
		218	size_t bytes;
		219
		220	if (check_mul_overflow(a, b, &bytes))
		221	return SIZE_MAX;
		222
		223	return bytes;
		224	}
		225
		226	/**
		227	* array3_size() - Calculate size of 3-dimensional array.
		228	*
		229	* @a: dimension one
		230	* @b: dimension two
		231	* @c: dimension three
		232	*
		233	* Calculates size of 3-dimensional array: @a * @b * @c.
		234	*
		235	* Returns: number of bytes needed to represent the array or SIZE_MAX on
		236	* overflow.
		237	*/
		238	static inline __must_check size_t array3_size(size_t a, size_t b, size_t c)
		239	{
		240	size_t bytes;
		241
		242	if (check_mul_overflow(a, b, &bytes))
		243	return SIZE_MAX;
		244	if (check_mul_overflow(bytes, c, &bytes))
		245	return SIZE_MAX;
		246
		247	return bytes;
		248	}
		249
		250	static inline __must_check size_t __ab_c_size(size_t n, size_t size, size_t c)
		251	{
		252	size_t bytes;
		253
		254	if (check_mul_overflow(n, size, &bytes))
		255	return SIZE_MAX;
		256	if (check_add_overflow(bytes, c, &bytes))
		257	return SIZE_MAX;
		258
		259	return bytes;
		260	}
		261
		262	/**
		263	* struct_size() - Calculate size of structure with trailing array.
		264	* @p: Pointer to the structure.
		265	* @member: Name of the array member.
		266	* @n: Number of elements in the array.
		267	*
		268	* Calculates size of memory needed for structure @p followed by an
		269	* array of @n @member elements.
		270	*
		271	* Return: number of bytes needed or SIZE_MAX on overflow.
		272	*/
		273	#define struct_size(p, member, n) \
		274	__ab_c_size(n, \
		275	sizeof(*(p)->member) + __must_be_array((p)->member),\
		276	sizeof(*(p)))
		277
		278	#endif /* __LINUX_OVERFLOW_H */


diff --git a/tools/include/tools/libc_compat.h b/tools/include/tools/libc_compat.h new file mode 100644 index 000000000000..664ced8cb1b0 --- /dev/null +++ b/tools/include/tools/libc_compat.h
@@ -0,0 +1,20 @@
		1	// SPDX-License-Identifier: GPL-2.0+
		2	/* Copyright (C) 2018 Netronome Systems, Inc. */
		3
		4	#ifndef __TOOLS_LIBC_COMPAT_H
		5	#define __TOOLS_LIBC_COMPAT_H
		6
		7	#include <stdlib.h>
		8	#include <linux/overflow.h>
		9
		10	#ifdef COMPAT_NEED_REALLOCARRAY
		11	static inline void reallocarray(void ptr, size_t nmemb, size_t size)
		12	{
		13	size_t bytes;
		14
		15	if (unlikely(check_mul_overflow(nmemb, size, &bytes)))
		16	return NULL;
		17	return realloc(ptr, bytes);
		18	}
		19	#endif
		20	#endif