On Tue, Feb 24, 2026 at 10:26:36AM +0000, Lorenzo Stoakes wrote:
> Annnd now I typed that I realise that Linus fixed this up in mainline and I was
> working with a stale version of this file :))
>
> Anyway, I see that the comment isn't fixed up, so I think that's something we
> should patch, like:
>
>  * Returns: true if @COUNT can be represented in the @FAM's counter. When
>  * @FAM is not annotated with __counted_by(), always returns true.
>
> ->
>
>  * Returns: true if @COUNT cannot be represented in the @FAM's counter. When
>  * @FAM is not annotated with __counted_by(), always returns false.

Yeah, I'm working on fixing this up correctly. I think Linus is right that we
need to put the overflow checking entirely within the counter setting. That way
the checks will only happen for the cases where counted_by is actually in use.
I am, however, still pondering that the size check (as I _intended_ it, not as
it actually manifested), would catch negative sizes (i.e. negative can't be
represented in a size_t -- the default type when the counter type is unknown)
and refuse to allocate, though honestly the allocator would probably also
refuse to allocate them since they would be very very large when cast back to
size_t for the allocation itself.

-- 
Kees Cook
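The two cases discussed in this message, as an added user-space example that is not code from the thread or from the kernel: a count checked against a narrow counter type at the point the counter is set, and a negative count judged against size_t. `struct blob`, `cannot_represent()`, `blob_alloc()`, `size_check_rejects()` and `as_alloc_size()` are hypothetical names, and the check assumes the GCC/Clang `__builtin_add_overflow` builtin.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical structure: "len" plays the role of the array's counter. */
struct blob {
	uint8_t len;
	unsigned char data[];
};

/* True if count cannot be stored in an object of the given type.
 * The builtin adds in infinite precision and reports whether the
 * result fits in the destination, so the sign of count is honoured. */
#define cannot_represent(count, type) \
	__builtin_add_overflow((count), 0, &(type){ 0 })

/* Hypothetical allocator: the check belongs to setting the counter,
 * so it only exists because this structure has a counter at all. */
static struct blob *blob_alloc(long count)
{
	struct blob *b;

	/* Rejects both 300 (too large) and -1 (negative) for uint8_t. */
	if (cannot_represent(count, uint8_t))
		return NULL;
	b = calloc(1, sizeof(*b) + (size_t)count);
	if (b)
		b->len = (uint8_t)count;
	return b;
}

/* With no known counter type, judge the count against size_t. */
static bool size_check_rejects(long count)
{
	return cannot_represent(count, size_t);
}

/* The value an allocator would receive if a negative count got through. */
static size_t as_alloc_size(long count)
{
	return (size_t)count;
}

int main(void)
{
	printf("-1 rejected as size_t: %d, as alloc size: %zu\n",
	       size_check_rejects(-1), as_alloc_size(-1));
	return 0;
}
```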

