authorAdhemerval Zanella <adhemerval.zanella@linaro.org>2020-10-05 17:30:05 -0300
committerAdhemerval Zanella <adhemerval.zanella@linaro.org>2020-10-06 15:29:35 -0300
commit7a887dd537cd00fe3cdf42b788b3f0e3b430b0ed (patch)
tree2ce82095bd3f24a54af4980703cbb69cd5b7d155 /sysdeps/unix/sysv/linux/timer_create.c
parent862897d2addfacc2af85b571ebf5a82659455e8c (diff)
posix: Fix -Warray-bounds instances building timer_create [BZ #26687]
GCC 11 -Warray-bounds triggers invalid warnings when building
Linux timer_create.c:

../sysdeps/unix/sysv/linux/timer_create.c: In function '__timer_create_new':
../sysdeps/unix/sysv/linux/timer_create.c:83:17: warning: array subscript 'struct timer[0]' is partly outside array bounds of 'unsigned char[8]' [-Warray-bounds]
   83 |             newp->sigev_notify = (evp != NULL
      |                 ^~
../sysdeps/unix/sysv/linux/timer_create.c:59:47: note: referencing an object of size 8 allocated by 'malloc'
   59 |         struct timer *newp = (struct timer *) malloc (offsetof (struct timer,
      |                                               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   60 |                                                                 thrfunc));
      |                                                                 ~~~~~~~~~

The struct allocated for !SIGEV_THREAD timers only requires two 'int'
fields (sigev_notify and ktimerid), and the offsetof trick tries to minimize
the memory usage by only allocating the required size.  However,
although the resulting size suffices for !SIGEV_THREAD timers, accessing
the partially allocated object is error-prone and UB.

This patch fixes both issues by embedding the information whether
the timer if a SIGEV_THREAD in the returned 'timer_t'.  For
!SIGEV_THREAD, the resulting 'timer_t' is the returned kernel timer
identifer (kernel_timer_t), while for SIGEV_THREAD it uses the fact
malloc returns at least _Alignof (max_align_t) pointers plus that
valid kernel_timer_t are always positive to set MSB bit of the returned
'timer_t' to indicate the timer handles a SIGEV_THREAD.

It allows to remove the memory allocation for !SIGEV_THREAD and also
remove the 'sigev_notify' field from 'struct timer'.

Checked on x86_64-linux-gnu and i686-linux-gnu.
Diffstat (limited to 'sysdeps/unix/sysv/linux/timer_create.c')
-rw-r--r--sysdeps/unix/sysv/linux/timer_create.c74
1 files changed, 22 insertions, 52 deletions
diff --git a/sysdeps/unix/sysv/linux/timer_create.c b/sysdeps/unix/sysv/linux/timer_create.c
index 370c99a517..18fb00c6e6 100644
--- a/sysdeps/unix/sysv/linux/timer_create.c
+++ b/sysdeps/unix/sysv/linux/timer_create.c
@@ -52,16 +52,6 @@ timer_create (clockid_t clock_id, struct sigevent *evp, timer_t *timerid)
       {
 	struct sigevent local_evp;
 
-	/* We avoid allocating too much memory by basically
-	   using struct timer as a derived class with the
-	   first two elements being in the superclass.  We only
-	   need these two elements here.  */
-	struct timer *newp = (struct timer *) malloc (offsetof (struct timer,
-								thrfunc));
-	if (newp == NULL)
-	  /* No more memory.  */
-	  return -1;
-
 	if (evp == NULL)
 	  {
 	    /* The kernel has to pass up the timer ID which is a
@@ -69,31 +59,17 @@ timer_create (clockid_t clock_id, struct sigevent *evp, timer_t *timerid)
 	       the kernel to determine it.  */
 	    local_evp.sigev_notify = SIGEV_SIGNAL;
 	    local_evp.sigev_signo = SIGALRM;
-	    local_evp.sigev_value.sival_ptr = newp;
+	    local_evp.sigev_value.sival_ptr = NULL;
 
 	    evp = &local_evp;
 	  }
 
 	kernel_timer_t ktimerid;
-	int retval = INLINE_SYSCALL (timer_create, 3, syscall_clockid, evp,
-				     &ktimerid);
-
-	if (retval != -1)
-	  {
-	    newp->sigev_notify = (evp != NULL
-				  ? evp->sigev_notify : SIGEV_SIGNAL);
-	    newp->ktimerid = ktimerid;
-
-	    *timerid = (timer_t) newp;
-	  }
-	else
-	  {
-	    /* Cannot allocate the timer, fail.  */
-	    free (newp);
-	    retval = -1;
-	  }
+	if (INLINE_SYSCALL_CALL (timer_create, syscall_clockid, evp,
+				 &ktimerid) == -1)
+	  return -1;
 
-	return retval;
+	*timerid = kernel_timer_to_timerid (ktimerid);
       }
     else
       {
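Review bot: The context comment kept at the top of this hunk ("The kernel has to pass up the timer ID which is a userlevel object. Therefore we cannot leave it up to the kernel to determine it") no longer describes the new code: with `local_evp.sigev_value.sival_ptr = NULL;` nothing user-level is passed up any more, and since the !SIGEV_THREAD timer_t is now the kernel id itself, the stated reason for not letting the kernel fill in the default sigevent has gone away. As written, a timer created with evp == NULL delivers SIGALRM with a NULL si_value, whereas POSIX describes the default sigevent for a NULL evp as carrying the timer ID in sigev_value; if kernel_timer_to_timerid is the identity mapping the commit message suggests, passing evp through to the kernel as NULL would give that value without extra code. At minimum the comment should be reworded, e.g. `/* Use the POSIX defaults; the value is not needed to recover the timer since the timer_t is the kernel id itself.  */`. timer_create's signature, syscall_clockid and the encoding helpers kernel_timer_to_timerid/timer_to_timerid are outside this hunk and not reviewed here.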
@@ -106,20 +82,18 @@ timer_create (clockid_t clock_id, struct sigevent *evp, timer_t *timerid)
 	    return -1;
 	  }
 
-	struct timer *newp;
-	newp = (struct timer *) malloc (sizeof (struct timer));
+	struct timer *newp = malloc (sizeof (struct timer));
 	if (newp == NULL)
 	  return -1;
 
 	/* Copy the thread parameters the user provided.  */
 	newp->sival = evp->sigev_value;
 	newp->thrfunc = evp->sigev_notify_function;
-	newp->sigev_notify = SIGEV_THREAD;
 
 	/* We cannot simply copy the thread attributes since the
 	   implementation might keep internal information for
 	   each instance.  */
-	(void) pthread_attr_init (&newp->attr);
+	pthread_attr_init (&newp->attr);
 	if (evp->sigev_notify_attributes != NULL)
 	  {
 	    struct pthread_attr *nattr;
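Review bot: `struct timer *newp = malloc (sizeof (struct timer));` drops the redundant cast, but the allocation size is still tied to the type name rather than the object; `struct timer *newp = malloc (sizeof *newp);` keeps the size correct if the declared type ever changes and is the more idiomatic C form. The attribute copy that follows `struct pthread_attr *nattr;` continues past the end of this hunk.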
@@ -137,8 +111,7 @@ timer_create (clockid_t clock_id, struct sigevent *evp, timer_t *timerid)
 	  }
 
 	/* In any case set the detach flag.  */
-	(void) pthread_attr_setdetachstate (&newp->attr,
-					    PTHREAD_CREATE_DETACHED);
+	pthread_attr_setdetachstate (&newp->attr, PTHREAD_CREATE_DETACHED);
 
 	/* Create the event structure for the kernel timer.  */
 	struct sigevent sev =
@@ -149,27 +122,24 @@ timer_create (clockid_t clock_id, struct sigevent *evp, timer_t *timerid)
 
 	/* Create the timer.  */
 	int res;
-	res = INTERNAL_SYSCALL_CALL (timer_create,
-				     syscall_clockid, &sev, &newp->ktimerid);
-	if (! INTERNAL_SYSCALL_ERROR_P (res))
+	res = INTERNAL_SYSCALL_CALL (timer_create, syscall_clockid, &sev,
+				     &newp->ktimerid);
+	if (INTERNAL_SYSCALL_ERROR_P (res))
 	  {
-	    /* Add to the queue of active timers with thread
-	       delivery.  */
-	    pthread_mutex_lock (&__active_timer_sigev_thread_lock);
-	    newp->next = __active_timer_sigev_thread;
-	    __active_timer_sigev_thread = newp;
-	    pthread_mutex_unlock (&__active_timer_sigev_thread_lock);
-
-	    *timerid = (timer_t) newp;
-	    return 0;
+	    free (newp);
+	    __set_errno (INTERNAL_SYSCALL_ERRNO (res));
+	    return -1;
 	  }
 
-	/* Free the resources.  */
-	free (newp);
-
-	__set_errno (INTERNAL_SYSCALL_ERRNO (res));
+	/* Add to the queue of active timers with thread delivery.  */
+	pthread_mutex_lock (&__active_timer_sigev_thread_lock);
+	newp->next = __active_timer_sigev_thread;
+	__active_timer_sigev_thread = newp;
+	pthread_mutex_unlock (&__active_timer_sigev_thread_lock);
 
-	return -1;
+	*timerid = timer_to_timerid (newp);
       }
   }
+
+  return 0;
 }
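Review bot: The new error path at `free (newp);` releases the struct but never undoes the `pthread_attr_init (&newp->attr)` and the attribute copy performed earlier in the function (above this hunk), so init and destroy are unbalanced on the failure path. Whether that actually leaks anything depends on what the attribute copy allocates, which is not visible here; adding `pthread_attr_destroy (&newp->attr);` immediately before `free (newp);` makes the path correct regardless of that detail. Setting errno after `free` rather than before is the right order. The enclosing function's body starts above this hunk.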