src/nvidia: support mangling sources with coccinelle

minipli-oss · minipli-oss · commit 5f55948cb3ad · 2026-03-19T07:13:39.000-04:00
The sources below src/nvidia/generated/ violate type constraints
enforced by grsecurity's RANDSTRUCT or PaX's RAP. Support preprocessing
these via coccinelle scripts to fix these prior to compiling them.

Signed-off-by: Mathias Krause &lt;minipli@grsecurity.net&gt;
diff --git a/src/nvidia/cocci.sh b/src/nvidia/cocci.sh
@@ -0,0 +1,53 @@
+#!/bin/sh
+#
+# Helper to invoke spatch with optional pre- and post-processing filters and
+# optional additional arguments..
+#
+# Not meant to be used directly but invoked via Kbuild!
+#
+# (c) 2025,2026 Open Source Security, Inc. All Rights Reserved.
+
+null_filter() {
+	case "$1" in
+		pre)	;;
+		diff)	cat; ;;
+		post)	;;
+	esac
+}
+
+filter() {
+	${1:-null}_filter "$2"
+}
+
+check_prog() {
+	BIN="$1"
+	PKG="$2"
+
+	if [ -z "$(command -v $BIN 2>/dev/null)" ]; then
+		echo >&2 "error: $BIN not found, please install $PKG!"
+		return 1
+	fi
+
+	return 0
+}
+
+if [ $# -lt 2 ]; then
+	echo >&2 "error: spatch file and program missing!"
+	exit 1
+fi
+
+SCRIPT=$1; shift
+SPATCH=$1; shift
+
+if ! check_prog "$SPATCH" coccinelle; then
+	echo >&2 "error: missing required programs!"
+	exit 2
+fi
+
+FILTER=$(echo "$SCRIPT" | sed -n 's|.*:||p')
+SCRIPT=${SCRIPT%:*}
+EXTRA_ARGS=$(sed -n 's|// options: ||p' $SCRIPT)
+
+filter "$FILTER" pre
+$SPATCH --sp-file "$SCRIPT" "$@" $EXTRA_ARGS | filter "$FILTER" diff
+filter "$FILTER" post
diff --git a/src/nvidia/nvidia.Kbuild b/src/nvidia/nvidia.Kbuild
@@ -20,6 +20,48 @@ SRCS := $(filter-out %/gcc_helper.c,$(SRCS))
 SRCS := $(addprefix $(nvidia_src)/,$(SRCS))
 SRCS_CXX := $(addprefix $(nvidia_src)/,$(SRCS_CXX))
 NVIDSTRING := $(addprefix $(nvidia_src)/,g_nvid_string.c)
+ALL_SRCS := $(SRCS) $(SRCS_CXX) $(NVIDSTRING)
+
+COCCI  := $(SHELL) cocci.sh
+PATCH  ?= patch
+SPATCH ?= spatch
+SPATCH_OPTS := --dir generated/		# mostly generated/ is interesting to us
+SPATCH_OPTS += -I generated/
+SPATCH_OPTS += --include-headers	# headers should be processed (patched) too
+SPATCH_OPTS += --patch .		# for 'patch -p1 …'
+SPATCH_OPTS += --smpl-spacing		# don't mess with spacing too much to keep diffs small
+SPATCH_OPTS += --very-quiet
+
+# order here is important and defines patch order too!
+COCCI_SCRIPTS_ARGS :=
+
+COCCI_SCRIPTS := $(filter %.cocci,$(subst :, ,$(COCCI_SCRIPTS_ARGS)))
+COCCI_PATCHES  = $(addprefix 0???-,$(COCCI_SCRIPTS:.cocci=.diff))
+COCCI_PATCH_MARKER := .cocci_patched
+
+PATCH_CANDIDATES := $(filter $(nvidia_src)/generated/%,$(ALL_SRCS))
+$(addprefix $(obj)/,$(PATCH_CANDIDATES)): $(obj)/$(nvidia_src)/$(COCCI_PATCH_MARKER)
+
+$(obj)/$(nvidia_src)/$(COCCI_PATCH_MARKER): $(addprefix $(obj)/$(nvidia_src)/,$(COCCI_SCRIPTS))
+	@echo '!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!'
+	@echo '!!! Generating cocci patches, this may take a while. !!!'
+	@echo '!!! DO NOT INTERRUPT, OR SOURCES WILL BE MESSED UP!  !!!'
+	@echo '!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!'
+	@cd $(src)/$(nvidia_src) && i=1 && \
+	 for s in $(COCCI_SCRIPTS_ARGS); do \
+		c=$${s%:*}; \
+		p=$$(printf "%04d-%s" $$i "$${c%.cocci}.diff"); \
+		i=$$((i+1)); \
+		echo "  COCCI $$c"; \
+		$(COCCI) "$$s" "$(SPATCH)" $(SPATCH_OPTS) > $$p || exit 1; \
+		echo "  PATCH $$p"; \
+		$(PATCH) -p1 <$$p; \
+	 done
+	@touch $@
+
+# XXX: better reverse apply the patches on clean
+#clean-files += $(addprefix $(nvidia_src)/,$(COCCI_PATCH_MARKER) $(COCCI_PATCHES))
+clean-files += $(addprefix $(nvidia_src)/,pfunc.list)
 
 nv-kernel-objs := $(SRCS:.c=.o)
 nv-kernel-objs += $(SRCS_CXX:.cpp=.o)
