From nobody Mon Feb  9 08:28:08 2026
Received: from mail-wr1-f54.google.com (mail-wr1-f54.google.com
 [209.85.221.54])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 651D835580B
	for <linux-kernel@vger.kernel.org>; Wed, 17 Dec 2025 16:28:07 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.221.54
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1765988890; cv=none;
 b=iYY8v0Fge9yz1TusQdV68wgJyYKVpY4wZ1sFpkOLm57f9rw1Ojur0AlzE+8SAAoYlyLps3X6qHW79zmc9FV15I0F/Iu4V1+YeMfCzRUvLtK3qHMzz0CM3EpUQP2MmIY6SSE89N+RnVHEuoJR53+CRoLfS9OGJz56hQv/haw7BvQ=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1765988890; c=relaxed/simple;
	bh=EiPp5UR3odiaNu3fVGfrz6bU9tX+nxjcHoSZdd3tcLs=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:
	 MIME-Version:Content-Type;
 b=U9BEZqrLCmCTkORtd7B9E/TKvGMcRMAyffnhOMQo/eA9aTdrSq6k3YoZNpS/QeoHqGn10bFMR5HEPaTgfuA/g6N91ACw10kzib3hRL91yMAsK4sApWN4J+om8jeJFir+8QT5aT3197C3x4crxLp8xZluYsNhHfQud8d0CoUTMLs=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=suse.com;
 spf=pass smtp.mailfrom=suse.com;
 dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com
 header.b=JGnvzqj6; arc=none smtp.client-ip=209.85.221.54
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=quarantine dis=none) header.from=suse.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=suse.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com
 header.b="JGnvzqj6"
Received: by mail-wr1-f54.google.com with SMTP id
 ffacd0b85a97d-42f9ece6387so2359759f8f.0
        for <linux-kernel@vger.kernel.org>;
 Wed, 17 Dec 2025 08:28:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=suse.com; s=google; t=1765988886; x=1766593686;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=nfQau0odZ8gUGBEhG5i1wvM039LCZUqSFw7CAdbRE6k=;
        b=JGnvzqj6iCYWKkJNPpK3HGmQrS0fjcwiSI+Vv6QjbjtyBBGiRrOvk0xJq4582XMBFp
         AF5XBJWEyPdY/TFBRUEUnpaZgs4gMigLgvwVUe8KFtMLBG1O8hec9w66FO0VNp4zOc9e
         PHSPcqfBlVF45d33W4IXj8acFy2ZCWV9qdsVS3d/r28BBYZDw6swgAxf9ymC+sN2QDJR
         umKtcGRKZpfUANCVuPyWm9wNAGgYLEvQGoQ/KFkDMpxHRQYasE0P1LC1cKJDdtRek46r
         NVl0k9Ut9nq7MkEhg77shQv5zm3mcEAbUo1yBdqQCmOLJhESqlk4U8iRZuhVQCj79+LQ
         MmgQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1765988886; x=1766593686;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from
         :to:cc:subject:date:message-id:reply-to;
        bh=nfQau0odZ8gUGBEhG5i1wvM039LCZUqSFw7CAdbRE6k=;
        b=Uwn7VdpIpoNCAuLF9M+lZqTtAWYFCeGios5zjLLIBT1THNnGX6t18/Dhkt9tGemw5R
         gNxpaoi4S8nd4cddvrTN2D42wPjc9bmmAQpAAVG5hrTjyGk8zOT9vo7LKjCxAI3wr2Vp
         DkVRbUgK28esu3Lz86oXOm8ZB5vwp+iaYf6J4AOA2eKdIU4Nr1EsjfybfH0DXqVawRzt
         db6jFyBjZAJlKzcth/+Ebk/QzUvMNaF5Cs8IeGyMBEUtyaZKpM2lMSytDlozNh2X2k1K
         rSUg4X2vcZboFQV4BnAAov1UBvVYlNXICKbnZ92mIthJIwq1jehcOZPWSXfwaz2ppokz
         v/rQ==
X-Forwarded-Encrypted: i=1;
 AJvYcCWYrEE4OXQxcwZqAizXquRXcgKWCNnIDmNUfitmm+ymHLfG3EUfI5LE3VSmrByY+xlKrTQvlHsN+HnkPUw=@vger.kernel.org
X-Gm-Message-State: AOJu0YzbwzZ0wN3nynFRdnCM5O3fiC4GKoaEpflPLYoPk9TUMWGyRRfh
	vDsBExBG34gYcZnpsBpMrIZeCm+zCaPghFUJbRicAAtbGFpVNhMtlPUabCUOcW1USso=
X-Gm-Gg: AY/fxX6AdHDPwFplQ2777gWLncNgeMjeQzKRpo1VqTtJm+z/68mfy6UD41DFoupCCso
	fzfdVX7DCFcS/osjf+3+oJlV9u3+iQZla9Ge11E6UWGJK1TLPE56/cHhElZBjM0z+qQp2dRHgu/
	CU9gK9rIgbbH+WE0LSPTlwo8WIudEEbzebcH1x2eFdXoKfrWrT6GB7u5sDmnBj0aarIXE3/2mgB
	uy/J1VJUc7kFHs/edcLTVM+FvuRzQwQ5X/3caCFifnbMk3S0iZR/v4f5msB3nzpqDGWgXWzUzQo
	OI2aL+sUzU8p90/hlH7ff+EGq6pGR5d6gWXe8bYSQYqKA8vB1XGFgyCLzFPEuqcsa1uxHCQ7CTP
	uV14dEWy+tzH+meXJqq4ZtRsnZIrSmfjxdS2EhfDFHzQprRDSTRjD+cnV/r/dpaVI9tfFFV/SjH
	B6ZqOMSPVoV4SrrTmhy8d8wdD+63RqOAM=
X-Google-Smtp-Source: 
 AGHT+IEu4DI9WqCByr7rrTwLwlGd6tkHLE9xiBLfLuxbiSgJPjBw/xrcqlQOuJPymNtVyODbYOHj5A==
X-Received: by 2002:a05:6000:26d0:b0:430:f790:99d7 with SMTP id
 ffacd0b85a97d-430f790ae20mr15969150f8f.27.1765988885518;
        Wed, 17 Dec 2025 08:28:05 -0800 (PST)
Received: from blackdock.suse.cz (nat2.prg.suse.com. [195.250.132.146])
        by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-4310adeee0esm5728364f8f.29.2025.12.17.08.28.04
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 17 Dec 2025 08:28:05 -0800 (PST)
From: =?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>
To: cgroups@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	linux-hardening@vger.kernel.org
Cc: =?UTF-8?q?Michal=20Koutn=C3=BD?= <mkoutny@suse.com>,
	"Gustavo A. R. Silva" <gustavo@embeddedor.com>,
	Tejun Heo <tj@kernel.org>,
	Johannes Weiner <hannes@cmpxchg.org>,
	Kees Cook <kees@kernel.org>,
	"Gustavo A. R. Silva" <gustavoars@kernel.org>
Subject: [PATCH 3/4] cgroup: Use __counted_by for cgroup::ancestors
Date: Wed, 17 Dec 2025 17:27:35 +0100
Message-ID: <20251217162744.352391-4-mkoutny@suse.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251217162744.352391-1-mkoutny@suse.com>
References: <20251217162744.352391-1-mkoutny@suse.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

cgroup::ancestors includes self, i.e. root cgroups have one ancestor but
their level is 0. Change the value that we store inside struct cgroup
and use an inlined helper where we need to know the level. This way we
preserve the concept of 0-based levels and we can utilize __counted_by
constraint to guard ancestors access. (We could've used level value as a
counter for _low_ancestors but that would have no benefit since we never
access data through this flexible array alias.)

Cc: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
Signed-off-by: Michal Koutn=C3=BD <mkoutny@suse.com>
---
 include/linux/cgroup-defs.h | 19 ++++++++-----------
 include/linux/cgroup.h      |  2 +-
 kernel/cgroup/cgroup.c      |  3 ++-
 3 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/include/linux/cgroup-defs.h b/include/linux/cgroup-defs.h
index 9247e437da5ce..8ce1ae9bea909 100644
--- a/include/linux/cgroup-defs.h
+++ b/include/linux/cgroup-defs.h
@@ -475,14 +475,6 @@ struct cgroup {
=20
 	unsigned long flags;		/* "unsigned long" so bitops work */
=20
-	/*
-	 * The depth this cgroup is at.  The root is at depth zero and each
-	 * step down the hierarchy increments the level.  This along with
-	 * ancestors[] can determine whether a given cgroup is a
-	 * descendant of another without traversing the hierarchy.
-	 */
-	int level;
-
 	/* Maximum allowed descent tree depth */
 	int max_depth;
=20
@@ -625,13 +617,18 @@ struct cgroup {
 	struct bpf_local_storage __rcu  *bpf_cgrp_storage;
 #endif
=20
-	/* All ancestors including self */
 	union {
 		struct {
-			void *_sentinel[0]; /* XXX to avoid 'flexible array member in a struct =
with no named members' */
-			struct cgroup *ancestors[];
+			int nr_ancestors;	/* do not use directly but via cgroup_level() */
+			/*
+			 * All ancestors including self.
+			 * ancestors[] can determine whether a given cgroup is a
+			 * descendant of another without traversing the hierarchy.
+			 */
+			struct cgroup *ancestors[] __counted_by(nr_ancestors);
 		};
 		struct {
+			int _nr_ancestors;	/* auxiliary padding, see nr_ancestors above */
 			struct cgroup *_root_ancestor;
 			struct cgroup *_low_ancestors[];
 		};
diff --git a/include/linux/cgroup.h b/include/linux/cgroup.h
index 0290878ebad26..45f720b9ecedd 100644
--- a/include/linux/cgroup.h
+++ b/include/linux/cgroup.h
@@ -534,7 +534,7 @@ static inline struct cgroup *cgroup_parent(struct cgrou=
p *cgrp)
  */
 static inline int cgroup_level(struct cgroup *cgrp)
 {
-	return cgrp->level;
+	return cgrp->nr_ancestors - 1;
 }
=20
 /**
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index e011f1dd6d87f..5110d3e13d125 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -2197,6 +2197,7 @@ int cgroup_setup_root(struct cgroup_root *root, u16 s=
s_mask)
 	}
 	root_cgrp->kn =3D kernfs_root_to_node(root->kf_root);
 	WARN_ON_ONCE(cgroup_ino(root_cgrp) !=3D 1);
+	root_cgrp->nr_ancestors =3D 1; /* stored in _root_ancestor */
 	root_cgrp->ancestors[0] =3D root_cgrp;
=20
 	ret =3D css_populate_dir(&root_cgrp->self);
@@ -5869,7 +5870,7 @@ static struct cgroup *cgroup_create(struct cgroup *pa=
rent, const char *name,
=20
 	cgrp->self.parent =3D &parent->self;
 	cgrp->root =3D root;
-	cgrp->level =3D level;
+	cgrp->nr_ancestors =3D parent->nr_ancestors + 1;
=20
 	/*
 	 * Now that init_cgroup_housekeeping() has been called and cgrp->self
--=20
2.52.0