On Tue, Mar 17, 2026 at 9:49 AM Viresh Kumar <[email protected]> wrote:
> On 16-03-26, 15:00, Linus Walleij wrote:
> > On Fri, Mar 13, 2026 at 7:09 AM Viresh Kumar <[email protected]>
> > wrote:
> >
> > > I wonder if it is worth it anymore. Why is combining allocations better
> > > when we end up using more memory?
> >
> > For the same reason we are starting to use Rust in the kernel, even though
> > it will sometimes take more memory. __counted_by() enforces the same
> > type of runtime size checks as Rust does on arrays.
>
> Right. I don't have any issue with __counted_by(). It does the right thing for
> flexible length arrays. But we don't need a flexible length array here, and so
> my question.
So why check for something that "can't go wrong"?

IIUC it still removes undefined behaviour from the object code. If someone
managed to compromise the kernel using return-oriented programming, they
cannot call back into this function to overwrite the memory beyond where the
array is stored, because the runtime checks will block this.

But Kees & Gustavo can tell if I understand this correctly.

Yours,
Linus Walleij
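The point under discussion, as an added example that is not code from this thread, from the pinctrl driver, or from the kernel: a flexible array annotated with __counted_by() tells the compiler which field bounds it, so __builtin_dynamic_object_size() can report the array's real size and, when built with -fsanitize=bounds (CONFIG_UBSAN_BOUNDS in the kernel), every index into the array is checked against that field. The struct, field and helper names below are hypothetical; the __counted_by macro is defined here the way the kernel defines it, and is compiled out on compilers older than GCC 15 / Clang 18, in which case pin_table_known_bytes() returns SIZE_MAX ("unknown") and only the explicit check in pin_table_set() remains.

```c
/*
 * Added example (not from the thread or the kernel): what __counted_by()
 * gives the compiler, and the bounds check it lets -fsanitize=bounds
 * insert on every access to the flexible array. Names are hypothetical.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Feature probes: the attribute needs GCC 15+ or Clang 18+. Without it the
 * annotation compiles to nothing and the compiler cannot bound pins[]. */
#if defined(__has_attribute)
# if __has_attribute(counted_by)
#  define HAVE_COUNTED_BY 1
# endif
#endif
#ifndef HAVE_COUNTED_BY
# define HAVE_COUNTED_BY 0
#endif
#if HAVE_COUNTED_BY
# define __counted_by(member) __attribute__((counted_by(member)))
#else
# define __counted_by(member)
#endif

#if defined(__has_builtin)
# if __has_builtin(__builtin_dynamic_object_size)
#  define HAVE_BDOS 1
# endif
#endif
#ifndef HAVE_BDOS
# define HAVE_BDOS 0
#endif

/* Header and array in one allocation; pins[] is bounded by ->count. */
struct pin_table {
	uint32_t count;
	uint32_t pins[] __counted_by(count);
};

/* Overflow-safe sizing of the combined allocation. */
struct pin_table *pin_table_alloc(uint32_t n)
{
	struct pin_table *t;
	size_t bytes;

	if (n > (SIZE_MAX - sizeof(*t)) / sizeof(uint32_t))
		return NULL;
	bytes = sizeof(*t) + (size_t)n * sizeof(uint32_t);
	t = calloc(1, bytes);
	if (!t)
		return NULL;
	/* With __counted_by the compiler derives the bound of pins[] from
	 * ->count, so it must be set before the array is touched. */
	t->count = n;
	return t;
}

/* Bytes the compiler believes pins[] spans: count * sizeof(uint32_t) when
 * __counted_by is understood, SIZE_MAX ("unknown") otherwise. */
size_t pin_table_known_bytes(const struct pin_table *t)
{
#if HAVE_BDOS
	return __builtin_dynamic_object_size(t->pins, 1);
#else
	(void)t;
	return SIZE_MAX;
#endif
}

int pin_table_has_counted_by(void)
{
	return HAVE_COUNTED_BY;
}

/* The check -fsanitize=bounds emits for t->pins[idx] when pins[] is
 * __counted_by(count), written out by hand: a caller that reaches this
 * function with a large idx (for example via ROP) cannot write past the
 * array; the instrumented kernel would trap instead of returning false. */
bool pin_table_set(struct pin_table *t, uint32_t idx, uint32_t val)
{
	if (idx >= t->count)
		return false;
	t->pins[idx] = val;
	return true;
}

int main(void)
{
	struct pin_table *t = pin_table_alloc(3);

	if (!t)
		return 1;
	printf("counted_by supported: %d, bytes known to compiler: %zu\n",
	       pin_table_has_counted_by(), pin_table_known_bytes(t));
	printf("set pins[2]: %d, set pins[3]: %d\n",
	       pin_table_set(t, 2, 0x2a), pin_table_set(t, 3, 0x2a));
	free(t);
	return 0;
}
```

Build it once with a counted_by-capable compiler and `-fsanitize=bounds -fsanitize-trap=bounds` to see the same rejection happen without the explicit `if`: an index of 3 into a table whose count is 3 traps at the access itself, which is the runtime check the thread refers to.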

