Some code relies on "negative" (i.e. too big) pointer values being returned by container_of() when its first argument is NULL. But doing so breaks the compiler's assumptions that pointer arithmetic never overflows.
container_of_safe() checks its arguments and returns NULL in the case the member offset within the container is greater than the pointer to the member, otherwise it returns the result of container_of(). Signed-off-by: Alexander Potapenko <[email protected]> --- Note that checkpatch.pl reports whitespace problems in this patch, but the diff is consistent with the rest of the file. --- include/linux/kernel.h | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/include/linux/kernel.h b/include/linux/kernel.h index d96a611..820b134 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -831,6 +831,21 @@ static inline void ftrace_dump(enum ftrace_dump_mode oops_dump_mode) { } const typeof( ((type *)0)->member ) *__mptr = (ptr); \ (type *)( (char *)__mptr - offsetof(type,member) );}) +/** + * container_of_safe - safe version of container_of + * @ptr: the pointer to the member. + * @type: the type of the container struct this is embedded in. + * @member: the name of the member within the struct. + * + * In the case the value of @ptr is smaller than the offset of @member within + * @type, return 0. + */ +#define container_of_safe(ptr, type, member) ({ \ + const typeof( ((type *)0)->member ) *__mptr = (ptr); \ + (size_t)__mptr >= offsetof(type,member) ? \ + (type *)( (char *)__mptr - offsetof(type,member) ) : (type *)0 ;}) + + /* Rebuild everything on CONFIG_FTRACE_MCOUNT_RECORD */ #ifdef CONFIG_FTRACE_MCOUNT_RECORD # define REBUILD_DUE_TO_FTRACE_MCOUNT_RECORD -- 2.8.0.rc3.226.g39d4020
