On Wed, Aug 28, 2024 at 05:09:08PM +0200, Alejandro Colomar wrote:
> Hi Kees,
>
> On Wed, Aug 28, 2024 at 06:48:39AM GMT, Kees Cook wrote:
>
> [...]
>
> > >Thank you for your suggestion. How does the following commit log look
> > >to you? Does it meet your
/lore.kernel.org/all/2jxak5v6dfxlpbxhpm3ey7oup4g2lnr3ueurfbosf5wdo65dk4@srb3hsk72zwq
>Signed-off-by: Yafang Shao
>Cc: Alexander Viro
>Cc: Christian Brauner
>Cc: Jan Kara
>Cc: Eric Biederman
>Cc: Kees Cook
>Cc: Alexei Starovoitov
>Cc: Matus Jokay
>Cc: Alejandro
> > > [0]
>> > > Link:
>> > > https://lore.kernel.org/all/CAHk-=whwtuc-ajmgjveaetkomemfstwkwu99v7+b6ayhmma...@mail.gmail.com/
>> > > Suggested-by: Alejandro Colomar
>> > > Link:
>> > > https://lore.kernel.org/all/2
dex;
The stack variable (was before and is again) already zero-initialized,
so the "= 0" line shouldn't be needed.
But neither of these comments are show-stoppers, IMO.
Reviewed-by: Kees Cook
--
Kees Cook
irst user, feel free to
carry it there unless you'd prefer I carry it in my trees?
Reviewed-by: Kees Cook
--
Kees Cook
intuitive or discoverable. Add an explicit mem_is_zero() helper for this
> use case.
>
> Signed-off-by: Jani Nikula
Reviewed-by: Kees Cook
--
Kees Cook
On July 12, 2024 2:59:30 AM PDT, Jocelyn Falempe wrote:
>Gentle ping, I need reviews from powerpc, usermod linux, mtd, pstore and
>hyperv, to be able to push it in the drm-misc tree.
Oops, I thought I'd Acked already!
Acked-by: Kees Cook
And, yeah, as mpe said, you're
On Wed, Jul 03, 2024 at 10:22:11AM +0200, Petr Mladek wrote:
> On Wed 2024-07-03 09:57:26, Jocelyn Falempe wrote:
> >
> >
> > On 02/07/2024 22:29, Kees Cook wrote:
> > > On Tue, Jul 02, 2024 at 02:26:04PM +0200, Jocelyn Falempe wrote:
> > > > kmsg_dump
son, like "sysrq triggered crash"
> or "VFS: Unable to mount root fs on " on the drm panic screen.
>
> v2:
> * Use a struct kmsg_dump_detail to hold the reason and description
> pointer, for more flexibility if we want to add other parameters.
>
n't
any "new" information here that should be captured somehow.
Thanks!
--
Kees Cook
c
@@ -8,7 +8,7 @@
#include
static void kmsg_dumper_stdout(struct kmsg_dumper *dumper,
- enum kmsg_dump_reason reason)
+ struct kmsg_dump_detail *detail)
{
static struct kmsg_dump_iter iter;
static DEFINE_SPINLOCK(lock);
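Review bot: the new `detail` parameter of kmsg_dumper_stdout() is taken as a non-const pointer. If the dumper only reads the reason and description through it, declare it as `const struct kmsg_dump_detail *detail` so the callback signature itself documents that dumpers do not modify the structure.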
--
Kees Cook
lking about
> "crazy" number of relocations which have no practical purpose.
>
> *) Well IGT tests might get upset but they can be easily adjusted.
>
> Signed-off-by: Tvrtko Ursulin
Thanks for fixing this!
Reviewed-by: Kees Cook
--
Kees Cook
const unsigned int nreloc = eb->exec[i].relocation_count;
...
size = nreloc * sizeof(*relocs);
relocs = kvmalloc_array(1, size, GFP_KERNEL);
So something isn't checking the "relocation_count" size that I assume is
coming in from the ioctl?
-Kees
--
Kees Cook
been enabled for the drm subsystem and since Werror is
> enabled for test builds.
>
> Rearrange arithmetic and use check_add_overflow() for validating the
> allocation size to avoid the overflow.
>
> Fixes: a61ddb4393ad ("drm: enable (most) W=1 warnings by default across the
> subsys
aling()
>
> Link:
> https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments
> [1]
> Link: https://github.com/KSPP/linux/issues/160 [2]
> Signed-off-by: Christophe JAILLET
Yes please! :)
Reviewed-by: Kees Cook
--
Kees Cook
d wrap around, even though the allocation may not.
Better yet, since "sizeof(*args) + size" is repeated 3 times in the
function, I'd recommend:
	...
	u32 args_size;

	if (check_add_overflow(sizeof(*args), size, &args_size))
		return -ENOMEM;
	if (args_size > sizeof(stack)) {
		if (!(args = kmalloc(args_size, GFP_KERNEL)))
			return -ENOMEM;
	} else {
		args = (void *)stack;
	}
	...
	ret = nvif_object_ioctl(object, args, args_size, NULL);
This will catch the u32 overflow to nvif_object_ioctl(), catch an
allocation underflow on 32-bit systems, and make the code more
readable. :)
-Kees
--
Kees Cook
On Sat, May 04, 2024 at 12:03:18AM +0100, Al Viro wrote:
> On Fri, May 03, 2024 at 03:46:25PM -0700, Kees Cook wrote:
> > On Fri, May 03, 2024 at 02:52:38PM -0700, Linus Torvalds wrote:
> > > That means that the file will be released - and it means that you have
> > > v
fence? But
looking through dma_fence_signal_timestamp_locked(), I don't see
anything about resv nor somehow looking into other fence cb_list
contents...
--
Kees Cook
On Fri, May 03, 2024 at 12:59:52PM -0700, Kees Cook wrote:
> So, yeah, I can't figure out how eventpoll_release() and epoll_wait()
> are expected to behave safely for .poll handlers.
>
> Regardless, for the simple case: it seems like it's just totally illegal
> to use get
On Fri, May 03, 2024 at 01:35:09PM -0600, Jens Axboe wrote:
> On 5/3/24 1:22 PM, Kees Cook wrote:
> > On Fri, May 03, 2024 at 12:49:11PM -0600, Jens Axboe wrote:
> >> On 5/3/24 12:26 PM, Kees Cook wrote:
> >>> Thanks for doing this analysis! I suspect at least a star
On Fri, May 03, 2024 at 12:49:11PM -0600, Jens Axboe wrote:
> On 5/3/24 12:26 PM, Kees Cook wrote:
> > Thanks for doing this analysis! I suspect at least a start of a fix
> > would be this:
> >
> > diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-b
+++ b/include/linux/fs.h
@@ -1040,7 +1040,8 @@ struct file_handle {
static inline struct file *get_file(struct file *f)
{
- atomic_long_inc(&f->f_count);
+ long prior = atomic_long_fetch_inc_relaxed(&f->f_count);
+ WARN_ONCE(!prior, "struct file::f_count incremented from zero;
use-after-free condition present!\n");
return f;
}
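Review bot: in get_file(), the WARN_ONCE() only reports the first increment from zero, and the function still returns f with the count already bumped, so the caller carries on using a file that is being torn down and every later occurrence is silent. Consider refusing the reference instead (an increment-if-not-zero that returns NULL on failure) and having callers check the result, so detection and containment happen in the same place.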
What's the right way to deal with the dmabuf situation? (And I suspect
it applies to get_dma_buf_unless_doomed() as well...)
-Kees
--
Kees Cook
On Fri, May 03, 2024 at 01:14:45AM +0100, Al Viro wrote:
> On Thu, May 02, 2024 at 05:10:18PM -0700, Kees Cook wrote:
>
> > But anyway, there needs to be a general "oops I hit 0"-aware form of
> > get_file(), and it seems like it should just be get_file() itself...
>
On Fri, May 03, 2024 at 12:41:52AM +0100, Al Viro wrote:
> On Thu, May 02, 2024 at 04:21:13PM -0700, Kees Cook wrote:
> > On Fri, May 03, 2024 at 12:12:28AM +0100, Al Viro wrote:
> > > On Thu, May 02, 2024 at 03:52:21PM -0700, Kees Cook wrote:
> > >
> > >
On Fri, May 03, 2024 at 12:12:28AM +0100, Al Viro wrote:
> On Thu, May 02, 2024 at 03:52:21PM -0700, Kees Cook wrote:
>
> > As for semantics, what do you mean? Detecting dec-below-zero means we
> > catch underflow, and detected inc-from-zero means we catch resurrection
> >
On Fri, May 03, 2024 at 12:53:56AM +0200, Jann Horn wrote:
> On Fri, May 3, 2024 at 12:34 AM Kees Cook wrote:
> > If f_count reaches 0, calling get_file() should be a failure. Adjust to
> > use atomic_long_inc_not_zero() and return NULL on failure. In the future
> > get_fi
On Thu, May 02, 2024 at 11:42:50PM +0100, Al Viro wrote:
> On Thu, May 02, 2024 at 03:33:40PM -0700, Kees Cook wrote:
> > Underflow of f_count needs to be more carefully detected than it
> > currently is. The results of get_file() should be checked, but the
> > first step i
ppear to work well.
Signed-off-by: Kees Cook
---
Cc: Will Deacon
Cc: Peter Zijlstra
Cc: Boqun Feng
Cc: Mark Rutland
Cc: Kent Overstreet
Cc: Masahiro Yamada
Cc: Nathan Chancellor
Cc: Nicolas Schier
Cc: linux-kbu...@vger.kernel.org
---
MAINTAINERS| 2 +-
Mak
Underflow of f_count needs to be more carefully detected than it
currently is. The results of get_file() should be checked, but the
first step is detection. Redefine f_count from atomic_long_t to
refcount_long_t.
Signed-off-by: Kees Cook
---
Cc: Christian Brauner
Cc: Alexander Viro
Cc: Jan
The correct helper for taking an f_count reference is get_file(). Use it
and check results.
Signed-off-by: Kees Cook
---
Cc: Jani Nikula
Cc: Joonas Lahtinen
Cc: Rodrigo Vivi
Cc: Tvrtko Ursulin
Cc: David Airlie
Cc: Daniel Vetter
Cc: Andi Shyti
Cc: Lucas De Marchi
Cc: Matt Atwood
Cc
If f_count reaches 0, calling get_file() should be a failure. Adjust to
use atomic_long_inc_not_zero() and return NULL on failure. In the future
get_file() can be annotated with __must_check, though that is not
currently possible.
Signed-off-by: Kees Cook
---
Cc: Christian Brauner
Cc: Alexander
The correct helper for taking an f_count reference is get_file().
Now that it checks for 0 counts, use it and check results.
Signed-off-by: Kees Cook
---
Cc: Zack Rusin
Cc: Broadcom internal kernel review list
Cc: Maarten Lankhorst
Cc: Maxime Ripard
Cc: Thomas Zimmermann
Cc: David Airlie
ago, f_count was switched to atomic_long_t, so to
get proper reference count checking, I've added a refcount_long_t API,
and then converted f_count to refcount_long_t.
Now if there are underflows (or somehow an overflow), we'll see them
reported.
-Kees
Kees Cook (5):
fs: Do not allo
s patch hasn't been backported yet...
> Anyway, thanks for the pointer!
> I'll apply your patch in the next round for fbdev.
Hi! I haven't seen this show up in -next yet. Have you had a chance to
pick it up?
There are also these too:
https://lore.kernel.org/all/20240320-strncpy-drivers-video-fbdev-fsl-diu-fb-c-v1-1-3cd3c012f...@google.com/
https://patchwork.kernel.org/project/linux-hardening/patch/20240320-strncpy-drivers-video-fbdev-uvesafb-c-v1-1-fd6af3766...@google.com/
https://patchwork.kernel.org/project/linux-hardening/patch/20240320-strncpy-drivers-video-hdmi-c-v1-1-f9a08168c...@google.com/
I can toss all of these into the hardening tree if that makes it easier
for you?
Thanks!
-Kees
--
Kees Cook
ces
> arm64: Add support for suppressing warning backtraces
> loongarch: Add support for suppressing warning backtraces
> parisc: Add support for suppressing warning backtraces
> s390: Add support for suppressing warning backtraces
> sh: Add support for suppressi
strings = (char *)&rpc->entries[NV_GSP_REG_NUM_ENTRIES];
...
memcpy(strings, r535_registry_entries[i].name, name_len);
Signed-off-by: Kees Cook
---
Cc: Karol Herbst
Cc: Lyude Paul
Cc: Danilo Krummrich
Cc: David Airlie
Cc: Daniel Vetter
Cc: Dave Airlie
Cc: B
/latest/process/deprecated.html#strncpy-on-nul-terminated-strings
> [1]
> Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html
> [2]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-harden...@vger.kernel.org
> Signed-off-by: Justin Stitt
Reviewed-by: Kees Cook
--
Kees Cook
npages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-harden...@vger.kernel.org
> Signed-off-by: Justin Stitt
Reviewed-by: Kees Cook
--
Kees Cook
ated-strings
> [1]
> Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-harden...@vger.kernel.org
> Signed-off-by: Justin Stitt
Reviewed-by: Kees Cook
--
Kees Cook
ps://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html
> [2]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-harden...@vger.kernel.org
> Signed-off-by: Justin Stitt
Yup, looks correct.
Reviewed-by: Kees Cook
--
Kees Cook
On Tue, Mar 12, 2024 at 10:02:59AM -0700, Guenter Roeck wrote:
> Document API functions for suppressing warning backtraces.
>
> Signed-off-by: Guenter Roeck
Reviewed-by: Kees Cook
--
Kees Cook
> the affected architectures / platforms fixed.
>
> Signed-off-by: Guenter Roeck
Reviewed-by: Kees Cook
--
Kees Cook
;suppressed_warnings, node) {
> - if (!strcmp(function, warning->function))
> + if (!strcmp(function, warning->function)) {
> + warning->counter++;
> return true;
> + }
> }
> return false;
> }
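Review bot: `warning->counter++` is a plain, non-atomic increment, and no lock is visible around the list walk in this hunk. If a suppressed warning can fire on more than one CPU at a time, increments can be lost and a test that compares the counter against an expected value becomes flaky. Consider an atomic_t counter, or document the locking that serializes this path.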
> --
> 2.39.2
>
Reviewed-by: Kees Cook
--
Kees Cook
> Solve the problem by providing a means to identify and suppress specific
> warning backtraces while executing test code.
>
> Cc: Dan Carpenter
> Cc: Daniel Diaz
> Cc: Naresh Kamboju
> Cc: Kees Cook
> Signed-off-by: Guenter Roeck
Yup, this looks fine to me.
Reviewed-by: Kees Cook
--
Kees Cook
ries could add counters or something that
KUnit could examine. E.g. I did this manually for some fortify tests:
https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=for-next/hardening&id=4ce615e798a752d4431fcc52960478906dec2f0e
-Kees
--
Kees Cook
ference to `__ubsan_handle_out_of_bounds'
This is fixed here and is waiting to land:
https://lore.kernel.org/linux-hardening/20240130232717.work.088-k...@kernel.org/
-Kees
--
Kees Cook
DECLARE_FLEX_ARRAY(struct i915_syncmap *, child);
> + };
This is a new code pattern for me! Trailing arrays of different element
sizes but with a fixed element count. :)
I hope when __counted_by is expanded to take expressions we can add a
literal. :)
Reviewed-by: Kees Cook
--
Kees Cook
ian König
Cc: "Christian König"
Cc: linux-me...@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Cc: linaro-mm-...@lists.linaro.org
Signed-off-by: Kees Cook
---
drivers/dma-buf/dma-buf.c | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/dma-buf/dma-buf.
nel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1]
Link: https://github.com/KSPP/linux/issues/26 [2]
Link: https://github.com/KSPP/linux/issues/27 [3]
Link: https://github.com/KSPP/linux/issues/344 [4]
Cc: Greg Kroah-Hartman
Cc: David Airlie
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
---
drivers/char/agp/
eedesktop.org
Signed-off-by: Kees Cook
---
drivers/gpu/drm/vc4/vc4_validate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vc4/vc4_validate.c
b/drivers/gpu/drm/vc4/vc4_validate.c
index 9affba9c58b3..677d9975f888 100644
--- a/drivers/gpu/drm/vc4/vc4_validate.c
l
Cc: Danilo Krummrich
Cc: David Airlie
Cc: Daniel Vetter
Cc: Ben Skeggs
Cc: Dave Airlie
Cc: Julia Lawall
Cc: Jiang Jian
Cc: dri-devel@lists.freedesktop.org
Cc: nouv...@lists.freedesktop.org
Signed-off-by: Kees Cook
---
drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 6 --
1 fi
vrtko Ursulin
Cc: David Airlie
Cc: Daniel Vetter
Cc: intel-...@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
---
drivers/gpu/drm/i915/i915_vma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915/i915_vma.c b/drivers
Cc: dri-devel@lists.freedesktop.org
Cc: nouv...@lists.freedesktop.org
Signed-off-by: Kees Cook
---
drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c
b/drivers/gpu/drm/nouveau/nvkm/subdev/mm
Lankhorst
Cc: Thomas Zimmermann
Cc: David Airlie
Cc: Daniel Vetter
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
---
drivers/gpu/drm/vc4/vc4_validate.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/vc4/vc4_validate.c
b/driver
--
> Nathan Chancellor
>
Excellent! Thanks for doing this. I spot checked a handful I was
familiar with and everything looks good to me.
Reviewed-by: Kees Cook
--
Kees Cook
On Thu, Dec 14, 2023 at 08:03:22PM +0800, yang.gua...@zte.com.cn wrote:
> From: Yang Guang
>
> Use kmemdup() helper instead of open-coding to
> simplify the code.
>
> Signed-off-by: Chen Haonan
Sure, good cleanup.
Reviewed-by: Kees Cook
--
Kees Cook
sizeof(umode), &umode);
>
> [...]
Applied to for-next/hardening, thanks!
[1/1] drm/modes: replace deprecated strncpy with strscpy_pad
https://git.kernel.org/kees/c/d8d273c595db
Take care,
--
Kees Cook
Cc: linux-me...@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Cc: linaro-mm-...@lists.linaro.org
Signed-off-by: Kees Cook
---
drivers/dma-buf/dma-buf.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c
index 21
le there, also make use of the struct_size() helper, and address
> checkpatch.pl warning:
> WARNING: please, no spaces at the start of a line
>
> This results in no differences in binary output.
>
> Signed-off-by: Gustavo A. R. Silva
Looks nice to me.
Reviewed-by: Kees Cook
--
Kees Cook
minated-strings
> [1]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-harden...@vger.kernel.org
> Cc: Xu Panda
> Signed-off-by: Justin Stitt
Thanks for the respin; this looks good to me.
Reviewed-by: Kees Cook
--
Kees Cook
struct dma_fence_cb *cb);
> -void dma_fence_enable_sw_signaling(struct dma_fence *fence);
> +int dma_fence_enable_sw_signaling(struct dma_fence *fence);
>
> /**
> * dma_fence_is_signaled_locked - Return an indication if the fence
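Review bot: the prototype change from `void` to `int` for dma_fence_enable_sw_signaling() comes with no description of what the return values mean in the visible lines. Add that to the function's kernel-doc, and state whether existing callers that ignore the result are still correct or need to be updated in the same series.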
> --
> 2.34.1
>
>
--
Kees Cook
[signal->iter];
>
> signal->id = signal->iter;
> - strncpy(signal->name, sig->name, sizeof(signal->name));
> + strscpy_pad(signal->name, sig->name, sizeof(signal->name));
>
> signal->iter++;
> if (signal->iter == dom->nr_signals)
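Review bot: the return value of `strscpy_pad(signal->name, sig->name, sizeof(signal->name))` is dropped, so a source name that does not fit is truncated silently (strscpy_pad() returns -E2BIG in that case). If a truncated name would be a problem for consumers of signal->name, check the result; otherwise say in the commit message that truncation is acceptable here.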
>
> ---
> base-commit: 3669558bdf354cd352be955ef2764cde6a9bf5ec
> change-id:
> 20230914-strncpy-drivers-gpu-drm-etnaviv-etnaviv_perfmon-c-dd095491dfde
>
> Best regards,
> --
> Justin Stitt
>
--
Kees Cook
Cc: intel-...@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Cc: linux-harden...@vger.kernel.org
Link:
https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
[1]
Signed-off-by: Kees Cook
---
drivers/gpu/drm/i915/gt/uc/intel_guc_ct.c | 2 +-
1 file
On Thu, Oct 05, 2023 at 11:42:38AM +0200, Christian König wrote:
> Am 02.10.23 um 20:22 schrieb Kees Cook:
> > On Mon, Oct 02, 2023 at 08:11:41PM +0200, Christian König wrote:
> > > Am 02.10.23 um 20:08 schrieb Kees Cook:
> > > > On Mon, Oct 02, 2023 at 08:01:57P
blob/trunk/coccinelle/examples/counted_by.cocci
[1]
Signed-off-by: Kees Cook
---
drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c
b/drivers/gpu/d
On Mon, Oct 02, 2023 at 08:11:41PM +0200, Christian König wrote:
> Am 02.10.23 um 20:08 schrieb Kees Cook:
> > On Mon, Oct 02, 2023 at 08:01:57PM +0200, Christian König wrote:
> > > Am 02.10.23 um 18:53 schrieb Kees Cook:
> > > > On Mon, Oct 02, 2023 at 11:06:
On Mon, Oct 02, 2023 at 08:01:57PM +0200, Christian König wrote:
> Am 02.10.23 um 18:53 schrieb Kees Cook:
> > On Mon, Oct 02, 2023 at 11:06:19AM -0400, Alex Deucher wrote:
> > > On Mon, Oct 2, 2023 at 5:20 AM Christian König
> > > wrote:
> > > >
On Mon, Oct 02, 2023 at 11:06:19AM -0400, Alex Deucher wrote:
> On Mon, Oct 2, 2023 at 5:20 AM Christian König
> wrote:
> >
> > Am 29.09.23 um 21:33 schrieb Kees Cook:
> > > On Fri, 22 Sep 2023 10:32:05 -0700, Kees Cook wrote:
> > >> This is a batch of pat
On Fri, 22 Sep 2023 10:32:05 -0700, Kees Cook wrote:
> This is a batch of patches touching drm for preparing for the coming
> implementation by GCC and Clang of the __counted_by attribute. Flexible
> array members annotated with __counted_by can have their accesses
> bounds-checked
`size_add()`.
>
>
Applied to for-next/hardening, thanks!
[1/1] drm/gud: Use size_add() in call to struct_size()
https://git.kernel.org/kees/c/836ccb46073e
Take care,
--
Kees Cook
ace one-element array with flexible-array member in
struct nouveau_svm
https://git.kernel.org/kees/c/6ad33b53c9b8
[2/2] nouveau/svm: Split assignment from if conditional
https://git.kernel.org/kees/c/4cb2e89fea5f
Take care,
--
Kees Cook
On Mon, Sep 25, 2023 at 08:30:30AM +0200, Christian König wrote:
> Am 22.09.23 um 19:41 schrieb Alex Deucher:
> > On Fri, Sep 22, 2023 at 1:32 PM Kees Cook wrote:
> > > Prepare for the coming implementation by GCC and Clang of the __counted_by
> > > attribute. Flexi
On Mon, Sep 25, 2023 at 12:08:36PM +0200, Andrzej Hajda wrote:
>
>
> On 22.09.2023 19:32, Kees Cook wrote:
> > Prepare for the coming implementation by GCC and Clang of the __counted_by
> > attribute. Flexible array members annotated with __counted_by can have
> > th
On Fri, 22 Sep 2023 10:54:17 -0700, Kees Cook wrote:
> Prepare for the coming implementation by GCC and Clang of the __counted_by
> attribute. Flexible array members annotated with __counted_by can have
> their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS
>
ct can be improved to be
"...: Replace strncpy with strscpy".
Reviewed-by: Kees Cook
--
Kees Cook
size is mostly a matter of taste, I think.
I'm on the fence, but kind of lean towards keeping lsize, but I think
it's fine either way.
> Using sizeof(*list) is better.
That I agree with, yes.
> Let's see if there are some other comments, and I'll send a v2.
I note that this looks like a use-case for the very recently proposed
memdup_array_user():
https://lore.kernel.org/all/acd75daa-af42-486c-b44b-9272ef302...@kernel.org/
(i.e. a built-in size_mul)
-Kees
--
Kees Cook
P/linux/issues/90
> Cc: linux-harden...@vger.kernel.org
> Cc: Bo YU
> Signed-off-by: Justin Stitt
Looks good to me now. Thanks!
Reviewed-by: Kees Cook
(Though again if you need a v3, making the Subject more specific would
be nice, "...: Replace strncpy with strscpy_pad")
-Kees
--
Kees Cook
-devel@lists.freedesktop.org
Cc: l...@lists.linux.dev
Signed-off-by: Kees Cook
---
drivers/accel/ivpu/ivpu_job.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/accel/ivpu/ivpu_job.h b/drivers/accel/ivpu/ivpu_job.h
index aa1f0b9479b0..5514c2d8a609 100644
--- a/drivers/accel
functions).
As found with Coccinelle[1], add __counted_by for struct mmp_path.
[1]
https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Helge Deller
Cc: linux-fb...@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
---
include/video
functions).
As found with Coccinelle[1], add __counted_by for struct mmphw_ctrl.
[1]
https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Helge Deller
Cc: linux-fb...@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
---
drivers/video
functions).
As found with Coccinelle[1], add __counted_by for struct v3d_perfmon.
[1]
https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Emma Anholt
Cc: Melissa Wen
Cc: David Airlie
Cc: Daniel Vetter
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees
Signed-off-by: Kees Cook
---
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
index 5db403ee8261..2d1d857f99ae 100644
--- a/drivers/gpu/drm/vmwgfx
wking Zhang
Cc: amd-...@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
---
drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c
b/drivers/gpu/drm/amd/amdgp
: nouv...@lists.freedesktop.org
Signed-off-by: Kees Cook
---
drivers/gpu/drm/nouveau/nvkm/engine/pm/priv.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/pm/priv.h
b/drivers/gpu/drm/nouveau/nvkm/engine/pm/priv.h
index 6ae25d3e7f45
functions).
As found with Coccinelle[1], add __counted_by for struct vc4_perfmon.
[1]
https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Cc: Emma Anholt
Cc: Maxime Ripard
Cc: David Airlie
Cc: Daniel Vetter
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees
@lists.freedesktop.org
Cc: virtualizat...@lists.linux-foundation.org
Signed-off-by: Kees Cook
---
drivers/gpu/drm/virtio/virtgpu_drv.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.h
b/drivers/gpu/drm/virtio/virtgpu_drv.h
index 8513b671f871
Cc: Bjorn Andersson
Cc: linux-arm-...@vger.kernel.org
Cc: dri-devel@lists.freedesktop.org
Cc: freedr...@lists.freedesktop.org
Signed-off-by: Kees Cook
---
drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/disp
Cc: John Harrison
Cc: Andi Shyti
Cc: Matthew Brost
Cc: intel-...@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
---
drivers/gpu/drm/i915/selftests/i915_request.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/i915
's initialization
earlier. (These are noted in the individual patches.)
-Kees
[1]
https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci
Kees Cook (9):
drm/amd/pm: Annotate struct smu10_voltage_dependency_table with
__counted_by
drm/amdgpu/discovery: Annotate s
d Airlie
Cc: Daniel Vetter
Cc: Xiaojian Du
Cc: Huang Rui
Cc: Kevin Wang
Cc: amd-...@lists.freedesktop.org
Cc: dri-devel@lists.freedesktop.org
Signed-off-by: Kees Cook
---
drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dr
pping them with size_add(), but for maintaining a common coding style
for dealing with allocation sizes, I can be convinced of the change. :)
Reviewed-by: Kees Cook
> req = kzalloc(len, GFP_KERNEL);
> if (!req)
> return -ENOMEM;
> --
> 2.34.1
>
--
Kees Cook
py.9.en.html
> [2]
> Link: https://github.com/KSPP/linux/issues/90
> Cc: linux-harden...@vger.kernel.org
> Signed-off-by: Justin Stitt
The "- 1" use in the original code is strong evidence for this being a
sane conversion. :)
Reviewed-by: Kees Cook
--
Kees Cook
name);
> while (i) {
> --i;
Yup, consumed by strlen() and snprintf(). Looks like a standard
conversion. :)
Reviewed-by: Kees Cook
-Kees
>
> ---
> base-commit: 3669558bdf354cd352be955ef2764cde6a9bf5ec
> change-id:
> 20230914-strncpy-drivers-gpu-drm-nouveau-nvkm-core-firmware-c-791223838b72
>
> Best regards,
> --
> Justin Stitt
>
--
Kees Cook
e);
...
ret = nvif_client_ctor(&drm->master.base, cli->name, device,
&cli->base);
So we'll always be %NUL terminated.
Therefore, yes, conversion looks good:
Reviewed-by: Kees Cook
Thanks!
-Kees
>
> ---
> base-commit: 3669558bdf354cd352be955ef2764cde6a9bf5ec
> change-id: 20230914-strncpy-drivers-gpu-drm-nouveau-nvif-client-c-82b023c36953
>
> Best regards,
> --
> Justin Stitt
>
--
Kees Cook
ppgtt = mock_ppgtt(i915, name);
> if (!ppgtt)
>
> ---
> base-commit: 3669558bdf354cd352be955ef2764cde6a9bf5ec
> change-id:
> 20230914-strncpy-drivers-gpu-drm-i915-gem-selftests-mock_context-c-980c8ecc9142
>
> Best regards,
> --
> Justin Stitt
>
--
Kees Cook
chan->base.dev.parent = dev->dev;
>
> ---
> base-commit: 3669558bdf354cd352be955ef2764cde6a9bf5ec
> change-id: 20230914-drivers-gpu-drm-gma500-oaktrail_lvds_i2c-c-a53c6d8bd62f
>
> Best regards,
> --
> Justin Stitt
>
--
Kees Cook
al->name, sig->name, sizeof(signal->name));
>
> signal->iter++;
> if (signal->iter == dom->nr_signals)
>
> ---
> base-commit: 3669558bdf354cd352be955ef2764cde6a9bf5ec
> change-id:
> 20230914-strncpy-drivers-gpu-drm-etnaviv-etnaviv_perfmon-c-dd095491dfde
>
> Best regards,
> --
> Justin Stitt
>
--
Kees Cook
a v2 using strscpy_pad() instead?
Thanks!
-Kees
--
Kees Cook
On September 11, 2023 6:55:32 PM PDT, Dave Airlie wrote:
>On Tue, 12 Sept 2023 at 11:27, Kees Cook wrote:
>>
>> On September 8, 2023 12:59:39 PM PDT, Philipp Stanner
>> wrote:
>> >Hi!
>> >
>> >David Airlie suggested that we could implem
> drivers/gpu/drm/drm_lease.c | 4 +--
> drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 +--
> include/linux/string.h | 40 +
> kernel/kexec.c | 2 +-
> kernel/watch_queue.c | 2 +-
> 5 files changed, 46 insertions(+), 6 deletions(-)
>
Nice. For the series:
Reviewed-by: Kees Cook
--
Kees Cook
1 - 100 of 663 matches