Re: [PATCH v8 1/8] Get rid of __get_task_comm()

2024-08-28 Thread Kees Cook
On Wed, Aug 28, 2024 at 05:09:08PM +0200, Alejandro Colomar wrote: > Hi Kees, > > On Wed, Aug 28, 2024 at 06:48:39AM GMT, Kees Cook wrote: > > [...] > > > >Thank you for your suggestion. How does the following commit log look > > >to you? Does it meet your

Re: [PATCH v8 1/8] Get rid of __get_task_comm()

2024-08-28 Thread Kees Cook
/lore.kernel.org/all/2jxak5v6dfxlpbxhpm3ey7oup4g2lnr3ueurfbosf5wdo65dk4@srb3hsk72zwq >Signed-off-by: Yafang Shao >Cc: Alexander Viro >Cc: Christian Brauner >Cc: Jan Kara >Cc: Eric Biederman >Cc: Kees Cook >Cc: Alexei Starovoitov >Cc: Matus Jokay >Cc: Alejandro

Re: [PATCH v8 1/8] Get rid of __get_task_comm()

2024-08-28 Thread Kees Cook
> > > [0] >> > > Link: >> > > https://lore.kernel.org/all/CAHk-=whwtuc-ajmgjveaetkomemfstwkwu99v7+b6ayhmma...@mail.gmail.com/ >> > > Suggested-by: Alejandro Colomar >> > > Link: >> > > https://lore.kernel.org/all/2

Re: [PATCH][next] drm/nouveau: Avoid -Wflex-array-member-not-at-end warning

2024-08-22 Thread Kees Cook
dex; The stack variable (was before and is again) already zero-initialized, so the "= 0" line shouldn't be needed. But neither of these comments are show-stoppers, IMO. Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v2 2/2] drm: use mem_is_zero() instead of !memchr_inv(s, 0, n)

2024-08-15 Thread Kees Cook
irst user, feel free to carry it there unless you'd prefer I carry it in my trees? Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v2 1/2] string: add mem_is_zero() helper to check if memory area is all zeros

2024-08-15 Thread Kees Cook
intuitive or discoverable. Add an explicit mem_is_zero() helper for this > use case. > > Signed-off-by: Jani Nikula Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v2] printk: Add a short description string to kmsg_dump()

2024-07-12 Thread Kees Cook
On July 12, 2024 2:59:30 AM PDT, Jocelyn Falempe wrote: >Gentle ping, I need reviews from powerpc, usermod linux, mtd, pstore and >hyperv, to be able to push it in the drm-misc tree. Oops, I thought I'd Acked already! Acked-by: Kees Cook And, yeah, as mpe said, you're

Re: [PATCH v2] printk: Add a short description string to kmsg_dump()

2024-07-03 Thread Kees Cook
On Wed, Jul 03, 2024 at 10:22:11AM +0200, Petr Mladek wrote: > On Wed 2024-07-03 09:57:26, Jocelyn Falempe wrote: > > > > > > On 02/07/2024 22:29, Kees Cook wrote: > > > On Tue, Jul 02, 2024 at 02:26:04PM +0200, Jocelyn Falempe wrote: > > > > kmsg_dump

Re: [PATCH v2] printk: Add a short description string to kmsg_dump()

2024-07-02 Thread Kees Cook
son, like "sysrq triggered crash" > or "VFS: Unable to mount root fs on " on the drm panic screen. > > v2: > * Use a struct kmsg_dump_detail to hold the reason and description > pointer, for more flexibility if we want to add other parameters. >

Re: [PATCH] printk: Add a short description string to kmsg_dump()

2024-06-28 Thread Kees Cook
n't any "new" information here that should be captured somehow. Thanks! -- Kees Cook

Re: [PATCH] printk: Add a short description string to kmsg_dump()

2024-06-26 Thread Kees Cook
c @@ -8,7 +8,7 @@ #include static void kmsg_dumper_stdout(struct kmsg_dumper *dumper, - enum kmsg_dump_reason reason) + struct kmsg_dump_detail *detail) { static struct kmsg_dump_iter iter; static DEFINE_SPINLOCK(lock); -- Kees Cook
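Review bot: the new `struct kmsg_dump_detail *detail` parameter of kmsg_dumper_stdout() is a non-const pointer. If dumpers only read from it, declare it `const struct kmsg_dump_detail *detail` so that one callback cannot change what the next one is given.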

Re: [PATCH] drm/i915: 2 GiB of relocations ought to be enough for anybody*

2024-05-23 Thread Kees Cook
lking about > "crazy" number of relocations which have no practical purpose. > > *) Well IGT tests might get upset but they can be easily adjusted. > > Signed-off-by: Tvrtko Ursulin Thanks for fixing this! Reviewed-by: Kees Cook -- Kees Cook

Re: [linux-next:master] [mm/slab] 7bd230a266: WARNING:at_mm/util.c:#kvmalloc_node_noprof

2024-05-19 Thread Kees Cook
const unsigned int nreloc = eb->exec[i].relocation_count; ... size = nreloc * sizeof(*relocs); relocs = kvmalloc_array(1, size, GFP_KERNEL); So something isn't checking the "relocation_count" size that I assume is coming in from the ioctl? -Kees -- Kees Cook

Re: [PATCH v2] drm/nouveau/nvif: Avoid build error due to potential integer overflows

2024-05-18 Thread Kees Cook
been enabled for the drm subsystem and since Werror is > enabled for test builds. > > Rearrange arithmetic and use check_add_overflow() for validating the > allocation size to avoid the overflow. > > Fixes: a61ddb4393ad ("drm: enable (most) W=1 warnings by default across the > subsys

Re: [PATCH] dma-buf/fence-array: Add flex array to struct dma_fence_array

2024-05-18 Thread Kees Cook
aling() > > Link: > https://www.kernel.org/doc/html/latest/process/deprecated.html#open-coded-arithmetic-in-allocator-arguments > [1] > Link: https://github.com/KSPP/linux/issues/160 [2] > Signed-off-by: Christophe JAILLET Yes please! :) Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH] drm/nouveau/nvif: Avoid build error due to potential integer overflows

2024-05-18 Thread Kees Cook
d wrap around, even though the allocation may not. Better yet, since "sizeof(*args) + size" is repeated 3 times in the function, I'd recommend: ... u32 args_size; if (check_add_overflow(sizeof(*args), size, &args_size)) return -ENOMEM; if (args_size > sizeof(stack)) { if (!(args = kmalloc(args_size, GFP_KERNEL))) return -ENOMEM; } else { args = (void *)stack; } ... ret = nvif_object_ioctl(object, args, args_size, NULL); This will catch the u32 overflow to nvif_object_ioctl(), catch an allocation underflow on 32-bits systems, and make the code more readable. :) -Kees -- Kees Cook

Re: [PATCH] epoll: try to be a _bit_ better about file lifetimes

2024-05-03 Thread Kees Cook
On Sat, May 04, 2024 at 12:03:18AM +0100, Al Viro wrote: > On Fri, May 03, 2024 at 03:46:25PM -0700, Kees Cook wrote: > > On Fri, May 03, 2024 at 02:52:38PM -0700, Linus Torvalds wrote: > > > That means that the file will be released - and it means that you have > > > v

Re: [PATCH] epoll: try to be a _bit_ better about file lifetimes

2024-05-03 Thread Kees Cook
fence? But looking through dma_fence_signal_timestamp_locked(), I don't see anything about resv nor somehow looking into other fence cb_list contents... -- Kees Cook

Re: get_file() unsafe under epoll (was Re: [syzbot] [fs?] [io-uring?] general protection fault in __ep_remove)

2024-05-03 Thread Kees Cook
On Fri, May 03, 2024 at 12:59:52PM -0700, Kees Cook wrote: > So, yeah, I can't figure out how eventpoll_release() and epoll_wait() > are expected to behave safely for .poll handlers. > > Regardless, for the simple case: it seems like it's just totally illegal > to use get

Re: get_file() unsafe under epoll (was Re: [syzbot] [fs?] [io-uring?] general protection fault in __ep_remove)

2024-05-03 Thread Kees Cook
On Fri, May 03, 2024 at 01:35:09PM -0600, Jens Axboe wrote: > On 5/3/24 1:22 PM, Kees Cook wrote: > > On Fri, May 03, 2024 at 12:49:11PM -0600, Jens Axboe wrote: > >> On 5/3/24 12:26 PM, Kees Cook wrote: > >>> Thanks for doing this analysis! I suspect at least a star

Re: get_file() unsafe under epoll (was Re: [syzbot] [fs?] [io-uring?] general protection fault in __ep_remove)

2024-05-03 Thread Kees Cook
On Fri, May 03, 2024 at 12:49:11PM -0600, Jens Axboe wrote: > On 5/3/24 12:26 PM, Kees Cook wrote: > > Thanks for doing this analysis! I suspect at least a start of a fix > > would be this: > > > > diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-b

get_file() unsafe under epoll (was Re: [syzbot] [fs?] [io-uring?] general protection fault in __ep_remove)

2024-05-03 Thread Kees Cook
+++ b/include/linux/fs.h @@ -1040,7 +1040,8 @@ struct file_handle { static inline struct file *get_file(struct file *f) { - atomic_long_inc(&f->f_count); + long prior = atomic_long_fetch_inc_relaxed(&f->f_count); + WARN_ONCE(!prior, "struct file::f_count incremented from zero; use-after-free condition present!\n"); return f; } What's the right way to deal with the dmabuf situation? (And I suspect it applies to get_dma_buf_unless_doomed() as well...) -Kees -- Kees Cook
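Review bot: in get_file(), the WARN_ONCE only reports the condition: by the time it fires, atomic_long_fetch_inc_relaxed() has already raised f_count from zero, and the function still returns f, so the caller carries on with the pointer. WARN_ONCE also stays silent after the first hit. If the intent is to stop the use rather than log it, an increment-unless-zero form that returns NULL, with callers checking the result, would do that.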

Re: [PATCH 5/5] fs: Convert struct file::f_count to refcount_long_t

2024-05-02 Thread Kees Cook
On Fri, May 03, 2024 at 01:14:45AM +0100, Al Viro wrote: > On Thu, May 02, 2024 at 05:10:18PM -0700, Kees Cook wrote: > > > But anyway, there needs to be a general "oops I hit 0"-aware form of > > get_file(), and it seems like it should just be get_file() itself... >

Re: [PATCH 5/5] fs: Convert struct file::f_count to refcount_long_t

2024-05-02 Thread Kees Cook
On Fri, May 03, 2024 at 12:41:52AM +0100, Al Viro wrote: > On Thu, May 02, 2024 at 04:21:13PM -0700, Kees Cook wrote: > > On Fri, May 03, 2024 at 12:12:28AM +0100, Al Viro wrote: > > > On Thu, May 02, 2024 at 03:52:21PM -0700, Kees Cook wrote: > > > > > >

Re: [PATCH 5/5] fs: Convert struct file::f_count to refcount_long_t

2024-05-02 Thread Kees Cook
On Fri, May 03, 2024 at 12:12:28AM +0100, Al Viro wrote: > On Thu, May 02, 2024 at 03:52:21PM -0700, Kees Cook wrote: > > > As for semantics, what do you mean? Detecting dec-below-zero means we > > catch underflow, and detected inc-from-zero means we catch resurrection > >

Re: [PATCH 1/5] fs: Do not allow get_file() to resurrect 0 f_count

2024-05-02 Thread Kees Cook
On Fri, May 03, 2024 at 12:53:56AM +0200, Jann Horn wrote: > On Fri, May 3, 2024 at 12:34 AM Kees Cook wrote: > > If f_count reaches 0, calling get_file() should be a failure. Adjust to > > use atomic_long_inc_not_zero() and return NULL on failure. In the future > > get_fi

Re: [PATCH 5/5] fs: Convert struct file::f_count to refcount_long_t

2024-05-02 Thread Kees Cook
On Thu, May 02, 2024 at 11:42:50PM +0100, Al Viro wrote: > On Thu, May 02, 2024 at 03:33:40PM -0700, Kees Cook wrote: > > Underflow of f_count needs to be more carefully detected than it > > currently is. The results of get_file() should be checked, but the > > first step i

[PATCH 4/5] refcount: Introduce refcount_long_t and APIs

2024-05-02 Thread Kees Cook
ppear to work well. Signed-off-by: Kees Cook --- Cc: Will Deacon Cc: Peter Zijlstra Cc: Boqun Feng Cc: Mark Rutland Cc: Kent Overstreet Cc: Masahiro Yamada Cc: Nathan Chancellor Cc: Nicolas Schier Cc: linux-kbu...@vger.kernel.org --- MAINTAINERS| 2 +- Mak

[PATCH 5/5] fs: Convert struct file::f_count to refcount_long_t

2024-05-02 Thread Kees Cook
Underflow of f_count needs to be more carefully detected than it currently is. The results of get_file() should be checked, but the first step is detection. Redefine f_count from atomic_long_t to refcount_long_t. Signed-off-by: Kees Cook --- Cc: Christian Brauner Cc: Alexander Viro Cc: Jan

[PATCH 3/5] drm/i915: Do not directly manipulate file->f_count

2024-05-02 Thread Kees Cook
The correct helper for taking an f_count reference is get_file(). Use it and check results. Signed-off-by: Kees Cook --- Cc: Jani Nikula Cc: Joonas Lahtinen Cc: Rodrigo Vivi Cc: Tvrtko Ursulin Cc: David Airlie Cc: Daniel Vetter Cc: Andi Shyti Cc: Lucas De Marchi Cc: Matt Atwood Cc

[PATCH 1/5] fs: Do not allow get_file() to resurrect 0 f_count

2024-05-02 Thread Kees Cook
If f_count reaches 0, calling get_file() should be a failure. Adjust to use atomic_long_inc_not_zero() and return NULL on failure. In the future get_file() can be annotated with __must_check, though that is not currently possible. Signed-off-by: Kees Cook --- Cc: Christian Brauner Cc: Alexander

[PATCH 2/5] drm/vmwgfx: Do not directly manipulate file->f_count

2024-05-02 Thread Kees Cook
The correct helper for taking an f_count reference is get_file(). Now that it checks for 0 counts, use it and check results. Signed-off-by: Kees Cook --- Cc: Zack Rusin Cc: Broadcom internal kernel review list Cc: Maarten Lankhorst Cc: Maxime Ripard Cc: Thomas Zimmermann Cc: David Airlie

[PATCH 0/5] fs: Do not allow get_file() to resurrect 0 f_count

2024-05-02 Thread Kees Cook
ago, f_count was switched to atomic_long_t, so to get proper reference count checking, I've added a refcount_long_t API, and then converted f_count to refcount_long_t. Now if there are underflows (or somehow an overflow), we'll see them reported. -Kees Kees Cook (5): fs: Do not allo

Re: [PATCH] video: fbdev: au1200fb: replace deprecated strncpy with strscpy

2024-04-24 Thread Kees Cook
s patch hasn't been backported yet... > Anyway, thanks for the pointer! > I'll apply your patch in the next round for fbdev. Hi! I haven't seen this show up in -next yet. Have you had a chance to pick it up? There are also these too: https://lore.kernel.org/all/20240320-strncpy-drivers-video-fbdev-fsl-diu-fb-c-v1-1-3cd3c012f...@google.com/ https://patchwork.kernel.org/project/linux-hardening/patch/20240320-strncpy-drivers-video-fbdev-uvesafb-c-v1-1-fd6af3766...@google.com/ https://patchwork.kernel.org/project/linux-hardening/patch/20240320-strncpy-drivers-video-hdmi-c-v1-1-f9a08168c...@google.com/ I can toss all of these into the hardening tree if that makes it easier for you? Thanks! -Kees -- Kees Cook

Re: [PATCH v3 00/15] Add support for suppressing warning backtraces

2024-04-03 Thread Kees Cook
ces > arm64: Add support for suppressing warning backtraces > loongarch: Add support for suppressing warning backtraces > parisc: Add support for suppressing warning backtraces > s390: Add support for suppressing warning backtraces > sh: Add support for suppressi

[PATCH] nouveau/gsp: Avoid addressing beyond end of rpc->entries

2024-03-30 Thread Kees Cook
strings = (char *)&rpc->entries[NV_GSP_REG_NUM_ENTRIES]; ... memcpy(strings, r535_registry_entries[i].name, name_len); Signed-off-by: Kees Cook --- Cc: Karol Herbst Cc: Lyude Paul Cc: Danilo Krummrich Cc: David Airlie Cc: Daniel Vetter Cc: Dave Airlie Cc: B

Re: [PATCH] video: fbdev: fsl-diu-fb: replace deprecated strncpy with strscpy_pad

2024-03-28 Thread Kees Cook
/latest/process/deprecated.html#strncpy-on-nul-terminated-strings > [1] > Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html > [2] > Link: https://github.com/KSPP/linux/issues/90 > Cc: linux-harden...@vger.kernel.org > Signed-off-by: Justin Stitt Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH] fbdev: uvesafb: replace deprecated strncpy with strscpy_pad

2024-03-28 Thread Kees Cook
npages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html > Link: https://github.com/KSPP/linux/issues/90 > Cc: linux-harden...@vger.kernel.org > Signed-off-by: Justin Stitt Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH] video/hdmi: prefer length specifier in format over string copying

2024-03-28 Thread Kees Cook
ated-strings > [1] > Link: https://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html > Link: https://github.com/KSPP/linux/issues/90 > Cc: linux-harden...@vger.kernel.org > Signed-off-by: Justin Stitt Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH] video: fbdev: au1200fb: replace deprecated strncpy with strscpy

2024-03-19 Thread Kees Cook
ps://manpages.debian.org/testing/linux-manual-4.8/strscpy.9.en.html > [2] > Link: https://github.com/KSPP/linux/issues/90 > Cc: linux-harden...@vger.kernel.org > Signed-off-by: Justin Stitt Yup, looks correct. Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH 04/14] kunit: Add documentation for warning backtrace suppression API

2024-03-12 Thread Kees Cook
On Tue, Mar 12, 2024 at 10:02:59AM -0700, Guenter Roeck wrote: > Document API functions for suppressing warning backtraces. > > Signed-off-by: Guenter Roeck Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH 03/14] kunit: Add test cases for backtrace warning suppression

2024-03-12 Thread Kees Cook
> the affected architectures / platforms fixed. > > Signed-off-by: Guenter Roeck Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH 02/14] kunit: bug: Count suppressed warning backtraces

2024-03-12 Thread Kees Cook
;suppressed_warnings, node) { > - if (!strcmp(function, warning->function)) > + if (!strcmp(function, warning->function)) { > + warning->counter++; > return true; > + } > } > return false; > } > -- > 2.39.2 > Reviewed-by: Kees Cook -- Kees Cook
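Review bot: `warning->counter++` inside the list walk is a plain increment, and no lock or atomic operation is visible in this hunk. If the same suppressed warning can fire on two CPUs at once, an update can be lost; either make the counter an atomic type or add a comment naming what serialises this path.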

Re: [PATCH 01/14] bug/kunit: Core support for suppressing warning backtraces

2024-03-12 Thread Kees Cook
> Solve the problem by providing a means to identify and suppress specific > warning backtraces while executing test code. > > Cc: Dan Carpenter > Cc: Daniel Diaz > Cc: Naresh Kamboju > Cc: Kees Cook > Signed-off-by: Guenter Roeck Yup, this looks fine to me. Reviewed-by: Kees Cook -- Kees Cook

Re: [RFC PATCH 1/5] bug: Core support for suppressing warning backtraces

2024-03-05 Thread Kees Cook
ries could add counters or something that KUnit could examine. E.g. I did this manually for some fortify tests: https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=for-next/hardening&id=4ce615e798a752d4431fcc52960478906dec2f0e -Kees -- Kees Cook

Re: [linux-next:master] BUILD REGRESSION e31185ce00a96232308300008db193416ceb9769

2024-02-23 Thread Kees Cook
ference to `__ubsan_handle_out_of_bounds' This is fixed here and is waiting to land: https://lore.kernel.org/linux-hardening/20240130232717.work.088-k...@kernel.org/ -Kees -- Kees Cook

Re: [PATCH] drm/i915: Add flex arrays to struct i915_syncmap

2024-02-09 Thread Kees Cook
DECLARE_FLEX_ARRAY(struct i915_syncmap *, child); > + }; This is a new code pattern for me! Trailing arrays of different element sizes but with a fixed element count. :) I hope when __counted_by is expanded to take expressions we can add a literal. :) Reviewed-by: Kees Cook -- Kees Cook

[PATCH 15/82] dma-buf: Refactor intentional wrap-around calculation

2024-01-22 Thread Kees Cook
ian König Cc: "Christian König" Cc: linux-me...@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Cc: linaro-mm-...@lists.linaro.org Signed-off-by: Kees Cook --- drivers/dma-buf/dma-buf.c | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/dma-buf/dma-buf.

[PATCH 36/82] agp: Refactor intentional wrap-around test

2024-01-22 Thread Kees Cook
nel.org/linus/68df3755e383e6fecf2354a67b08f92f18536594 [1] Link: https://github.com/KSPP/linux/issues/26 [2] Link: https://github.com/KSPP/linux/issues/27 [3] Link: https://github.com/KSPP/linux/issues/344 [4] Cc: Greg Kroah-Hartman Cc: David Airlie Cc: dri-devel@lists.freedesktop.org Signed-off-by: Kees Cook --- drivers/char/agp/

[PATCH 50/82] drm/vc4: Refactor intentional wrap-around test

2024-01-22 Thread Kees Cook
eedesktop.org Signed-off-by: Kees Cook --- drivers/gpu/drm/vc4/vc4_validate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vc4/vc4_validate.c b/drivers/gpu/drm/vc4/vc4_validate.c index 9affba9c58b3..677d9975f888 100644 --- a/drivers/gpu/drm/vc4/vc4_validate.c

[PATCH 16/82] drm/nouveau/mmu: Refactor intentional wrap-around calculation

2024-01-22 Thread Kees Cook
l Cc: Danilo Krummrich Cc: David Airlie Cc: Daniel Vetter Cc: Ben Skeggs Cc: Dave Airlie Cc: Julia Lawall Cc: Jiang Jian Cc: dri-devel@lists.freedesktop.org Cc: nouv...@lists.freedesktop.org Signed-off-by: Kees Cook --- drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 6 -- 1 fi

[PATCH 49/82] drm/i915: Refactor intentional wrap-around test

2024-01-22 Thread Kees Cook
vrtko Ursulin Cc: David Airlie Cc: Daniel Vetter Cc: intel-...@lists.freedesktop.org Cc: dri-devel@lists.freedesktop.org Signed-off-by: Kees Cook --- drivers/gpu/drm/i915/i915_vma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/i915_vma.c b/drivers

[PATCH 48/82] drm/nouveau/mmu: Refactor intentional wrap-around test

2024-01-22 Thread Kees Cook
Cc: dri-devel@lists.freedesktop.org Cc: nouv...@lists.freedesktop.org Signed-off-by: Kees Cook --- drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/vmm.c b/drivers/gpu/drm/nouveau/nvkm/subdev/mm

[PATCH 17/82] drm/vc4: Refactor intentional wrap-around calculation

2024-01-22 Thread Kees Cook
Lankhorst Cc: Thomas Zimmermann Cc: David Airlie Cc: Daniel Vetter Cc: dri-devel@lists.freedesktop.org Signed-off-by: Kees Cook --- drivers/gpu/drm/vc4/vc4_validate.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/vc4/vc4_validate.c b/driver

Re: [PATCH 0/3] Update LLVM Phabricator and Bugzilla links

2024-01-10 Thread Kees Cook
-- > Nathan Chancellor > Excellent! Thanks for doing this. I spot checked a handful I was familiar with and everything looks good to me. Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH linux-next] drm/nouveau/disp: switch to use kmemdup() helper

2023-12-14 Thread Kees Cook
On Thu, Dec 14, 2023 at 08:03:22PM +0800, yang.gua...@zte.com.cn wrote: > From: Yang Guang > > Use kmemdup() helper instead of open-coding to > simplify the code. > > Signed-off-by: Chen Haonan Sure, good cleanup. Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v2] drm/modes: replace deprecated strncpy with strscpy_pad

2023-11-30 Thread Kees Cook
sizeof(umode), &umode); > > [...] Applied to for-next/hardening, thanks! [1/1] drm/modes: replace deprecated strncpy with strscpy_pad https://git.kernel.org/kees/c/d8d273c595db Take care, -- Kees Cook

[PATCH] dma-buf: Replace strlcpy() with strscpy()

2023-11-16 Thread Kees Cook
Cc: linux-me...@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Cc: linaro-mm-...@lists.linaro.org Signed-off-by: Kees Cook --- drivers/dma-buf/dma-buf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index 21

Re: [PATCH][next] nouveau/gsp: replace zero-length array with flex-array member and use __counted_by

2023-11-16 Thread Kees Cook
le there, also make use of the struct_size() helper, and address > checkpatch.pl warning: > WARNING: please, no spaces at the start of a line > > This results in no differences in binary output. > > Signed-off-by: Gustavo A. R. Silva Looks nice to me. Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH v2] drm/modes: replace deprecated strncpy with strscpy_pad

2023-10-18 Thread Kees Cook
minated-strings > [1] > Link: https://github.com/KSPP/linux/issues/90 > Cc: linux-harden...@vger.kernel.org > Cc: Xu Panda > Signed-off-by: Justin Stitt Thanks for the respin; this looks good to me. Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH][next] dma-buf: Fix NULL pointer dereference in dma_fence_enable_sw_signaling()

2023-10-11 Thread Kees Cook
struct dma_fence_cb *cb); > -void dma_fence_enable_sw_signaling(struct dma_fence *fence); > +int dma_fence_enable_sw_signaling(struct dma_fence *fence); > > /** > * dma_fence_is_signaled_locked - Return an indication if the fence > -- > 2.34.1 > > -- Kees Cook

Re: [PATCH v2] drm/etnaviv: refactor deprecated strncpy

2023-10-06 Thread Kees Cook
[signal->iter]; > > signal->id = signal->iter; > - strncpy(signal->name, sig->name, sizeof(signal->name)); > + strscpy_pad(signal->name, sig->name, sizeof(signal->name)); > > signal->iter++; > if (signal->iter == dom->nr_signals) > > --- > base-commit: 3669558bdf354cd352be955ef2764cde6a9bf5ec > change-id: > 20230914-strncpy-drivers-gpu-drm-etnaviv-etnaviv_perfmon-c-dd095491dfde > > Best regards, > -- > Justin Stitt > -- Kees Cook
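Review bot: the return value of strscpy_pad() on the `signal->name` copy is discarded, so a `sig->name` that does not fit in `sizeof(signal->name)` is truncated without any indication. If truncation is acceptable here, say so in the commit message; otherwise check for a negative return.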

[PATCH] drm/i915/guc: Annotate struct ct_incoming_msg with __counted_by

2023-10-06 Thread Kees Cook
Cc: intel-...@lists.freedesktop.org Cc: dri-devel@lists.freedesktop.org Cc: linux-harden...@vger.kernel.org Link: https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci [1] Signed-off-by: Kees Cook --- drivers/gpu/drm/i915/gt/uc/intel_guc_ct.c | 2 +- 1 file

Re: [PATCH 0/9] drm: Annotate structs with __counted_by

2023-10-05 Thread Kees Cook
On Thu, Oct 05, 2023 at 11:42:38AM +0200, Christian König wrote: > Am 02.10.23 um 20:22 schrieb Kees Cook: > > On Mon, Oct 02, 2023 at 08:11:41PM +0200, Christian König wrote: > > > Am 02.10.23 um 20:08 schrieb Kees Cook: > > > > On Mon, Oct 02, 2023 at 08:01:57P

[PATCH] drm/amdgpu: Annotate struct amdgpu_bo_list with __counted_by

2023-10-03 Thread Kees Cook
blob/trunk/coccinelle/examples/counted_by.cocci [1] Signed-off-by: Kees Cook --- drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bo_list.c b/drivers/gpu/d

Re: [PATCH 0/9] drm: Annotate structs with __counted_by

2023-10-02 Thread Kees Cook
On Mon, Oct 02, 2023 at 08:11:41PM +0200, Christian König wrote: > Am 02.10.23 um 20:08 schrieb Kees Cook: > > On Mon, Oct 02, 2023 at 08:01:57PM +0200, Christian König wrote: > > > Am 02.10.23 um 18:53 schrieb Kees Cook: > > > > On Mon, Oct 02, 2023 at 11:06:

Re: [PATCH 0/9] drm: Annotate structs with __counted_by

2023-10-02 Thread Kees Cook
On Mon, Oct 02, 2023 at 08:01:57PM +0200, Christian König wrote: > Am 02.10.23 um 18:53 schrieb Kees Cook: > > On Mon, Oct 02, 2023 at 11:06:19AM -0400, Alex Deucher wrote: > > > On Mon, Oct 2, 2023 at 5:20 AM Christian König > > > wrote: > > > >

Re: [PATCH 0/9] drm: Annotate structs with __counted_by

2023-10-02 Thread Kees Cook
On Mon, Oct 02, 2023 at 11:06:19AM -0400, Alex Deucher wrote: > On Mon, Oct 2, 2023 at 5:20 AM Christian König > wrote: > > > > Am 29.09.23 um 21:33 schrieb Kees Cook: > > > On Fri, 22 Sep 2023 10:32:05 -0700, Kees Cook wrote: > > >> This is a batch of pat

Re: [PATCH 0/9] drm: Annotate structs with __counted_by

2023-09-29 Thread Kees Cook
On Fri, 22 Sep 2023 10:32:05 -0700, Kees Cook wrote: > This is a batch of patches touching drm for preparing for the coming > implementation by GCC and Clang of the __counted_by attribute. Flexible > array members annotated with __counted_by can have their accesses > bounds-checked

Re: [PATCH][next] drm/gud: Use size_add() in call to struct_size()

2023-09-29 Thread Kees Cook
`size_add()`. > > Applied to for-next/hardening, thanks! [1/1] drm/gud: Use size_add() in call to struct_size() https://git.kernel.org/kees/c/836ccb46073e Take care, -- Kees Cook

Re: [PATCH 0/2][next] nouveau/svm: Replace one-element array with flexible-array member

2023-09-29 Thread Kees Cook
ace one-element array with flexible-array member in struct nouveau_svm https://git.kernel.org/kees/c/6ad33b53c9b8 [2/2] nouveau/svm: Split assignment from if conditional https://git.kernel.org/kees/c/4cb2e89fea5f Take care, -- Kees Cook

Re: [PATCH 1/9] drm/amd/pm: Annotate struct smu10_voltage_dependency_table with __counted_by

2023-09-25 Thread Kees Cook
On Mon, Sep 25, 2023 at 08:30:30AM +0200, Christian König wrote: > Am 22.09.23 um 19:41 schrieb Alex Deucher: > > On Fri, Sep 22, 2023 at 1:32 PM Kees Cook wrote: > > > Prepare for the coming implementation by GCC and Clang of the __counted_by > > > attribute. Flexi

Re: [PATCH 3/9] drm/i915/selftests: Annotate struct perf_series with __counted_by

2023-09-25 Thread Kees Cook
On Mon, Sep 25, 2023 at 12:08:36PM +0200, Andrzej Hajda wrote: > > > On 22.09.2023 19:32, Kees Cook wrote: > > Prepare for the coming implementation by GCC and Clang of the __counted_by > > attribute. Flexible array members annotated with __counted_by can have > > th

Re: [PATCH] accel/ivpu: Annotate struct ivpu_job with __counted_by

2023-09-25 Thread Kees Cook
On Fri, 22 Sep 2023 10:54:17 -0700, Kees Cook wrote: > Prepare for the coming implementation by GCC and Clang of the __counted_by > attribute. Flexible array members annotated with __counted_by can have > their accesses bounds-checked at run-time checking via CONFIG_UBSAN_BOUNDS >

Re: [PATCH v2] drm/gma500: refactor deprecated strncpy

2023-09-23 Thread Kees Cook
ct can be improved to be "...: Replace strncpy with strscpy". Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH] udmabuf: Fix a potential (and unlikely) access to unallocated memory

2023-09-23 Thread Kees Cook
size is mostly a matter of taste, I think. I'm on the fence, but kind of lean towards keeping lsize, but I think it's fine either way. > Using sizeof(*list) is better. That I agree with, yes. > Let see if there are some other comments, and I'll send a v2. I note that this looks like a use-case for the very recently proposed memdup_array_user(): https://lore.kernel.org/all/acd75daa-af42-486c-b44b-9272ef302...@kernel.org/ (i.e. a built-in size_mul) -Kees -- Kees Cook

Re: [PATCH v2] drm/etnaviv: refactor deprecated strncpy

2023-09-23 Thread Kees Cook
P/linux/issues/90 > Cc: linux-harden...@vger.kernel.org > Cc: Bo YU > Signed-off-by: Justin Stitt Looks good to me now. Thanks! Reviewed-by: Kees Cook (Though again if you need a v3, making the Subject more specific would be nice, "...: Replace strncpy with strscpy_pad" -Kees -- Kees Cook

[PATCH] accel/ivpu: Annotate struct ivpu_job with __counted_by

2023-09-22 Thread Kees Cook
-devel@lists.freedesktop.org Cc: l...@lists.linux.dev Signed-off-by: Kees Cook --- drivers/accel/ivpu/ivpu_job.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/accel/ivpu/ivpu_job.h b/drivers/accel/ivpu/ivpu_job.h index aa1f0b9479b0..5514c2d8a609 100644 --- a/drivers/accel

[PATCH] video: mmp: Annotate struct mmp_path with __counted_by

2023-09-22 Thread Kees Cook
functions). As found with Coccinelle[1], add __counted_by for struct mmp_path. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Helge Deller Cc: linux-fb...@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Signed-off-by: Kees Cook --- include/video

[PATCH] video: fbdev: mmp: Annotate struct mmphw_ctrl with __counted_by

2023-09-22 Thread Kees Cook
functions). As found with Coccinelle[1], add __counted_by for struct mmphw_ctrl. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Helge Deller Cc: linux-fb...@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Signed-off-by: Kees Cook --- drivers/video

[PATCH 9/9] drm/v3d: Annotate struct v3d_perfmon with __counted_by

2023-09-22 Thread Kees Cook
functions). As found with Coccinelle[1], add __counted_by for struct v3d_perfmon. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Emma Anholt Cc: Melissa Wen Cc: David Airlie Cc: Daniel Vetter Cc: dri-devel@lists.freedesktop.org Signed-off-by: Kees

[PATCH 8/9] drm/vmwgfx: Annotate struct vmw_surface_dirty with __counted_by

2023-09-22 Thread Kees Cook
Signed-off-by: Kees Cook --- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c index 5db403ee8261..2d1d857f99ae 100644 --- a/drivers/gpu/drm/vmwgfx

[PATCH 2/9] drm/amdgpu/discovery: Annotate struct ip_hw_instance with __counted_by

2023-09-22 Thread Kees Cook
wking Zhang Cc: amd-...@lists.freedesktop.org Cc: dri-devel@lists.freedesktop.org Signed-off-by: Kees Cook --- drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c b/drivers/gpu/drm/amd/amdgp

[PATCH 5/9] drm/nouveau/pm: Annotate struct nvkm_perfdom with __counted_by

2023-09-22 Thread Kees Cook
: nouv...@lists.freedesktop.org Signed-off-by: Kees Cook --- drivers/gpu/drm/nouveau/nvkm/engine/pm/priv.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/pm/priv.h b/drivers/gpu/drm/nouveau/nvkm/engine/pm/priv.h index 6ae25d3e7f45

[PATCH 6/9] drm/vc4: Annotate struct vc4_perfmon with __counted_by

2023-09-22 Thread Kees Cook
functions). As found with Coccinelle[1], add __counted_by for struct vc4_perfmon. [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Cc: Emma Anholt Cc: Maxime Ripard Cc: David Airlie Cc: Daniel Vetter Cc: dri-devel@lists.freedesktop.org Signed-off-by: Kees

[PATCH 7/9] drm/virtio: Annotate struct virtio_gpu_object_array with __counted_by

2023-09-22 Thread Kees Cook
@lists.freedesktop.org Cc: virtualizat...@lists.linux-foundation.org Signed-off-by: Kees Cook --- drivers/gpu/drm/virtio/virtgpu_drv.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/virtio/virtgpu_drv.h b/drivers/gpu/drm/virtio/virtgpu_drv.h index 8513b671f871

[PATCH 4/9] drm/msm/dpu: Annotate struct dpu_hw_intr with __counted_by

2023-09-22 Thread Kees Cook
Cc: Bjorn Andersson Cc: linux-arm-...@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Cc: freedr...@lists.freedesktop.org Signed-off-by: Kees Cook --- drivers/gpu/drm/msm/disp/dpu1/dpu_hw_interrupts.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/msm/disp

[PATCH 3/9] drm/i915/selftests: Annotate struct perf_series with __counted_by

2023-09-22 Thread Kees Cook
Cc: John Harrison Cc: Andi Shyti Cc: Matthew Brost Cc: intel-...@lists.freedesktop.org Cc: dri-devel@lists.freedesktop.org Signed-off-by: Kees Cook --- drivers/gpu/drm/i915/selftests/i915_request.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915

[PATCH 0/9] drm: Annotate structs with __counted_by

2023-09-22 Thread Kees Cook
's initialization earlier. (These are noted in the individual patches.) -Kees [1] https://github.com/kees/kernel-tools/blob/trunk/coccinelle/examples/counted_by.cocci Kees Cook (9): drm/amd/pm: Annotate struct smu10_voltage_dependency_table with __counted_by drm/amdgpu/discovery: Annotate s

[PATCH 1/9] drm/amd/pm: Annotate struct smu10_voltage_dependency_table with __counted_by

2023-09-22 Thread Kees Cook
d Airlie Cc: Daniel Vetter Cc: Xiaojian Du Cc: Huang Rui Cc: Kevin Wang Cc: amd-...@lists.freedesktop.org Cc: dri-devel@lists.freedesktop.org Signed-off-by: Kees Cook --- drivers/gpu/drm/amd/pm/powerplay/hwmgr/smu10_hwmgr.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dr

Re: [PATCH][next] drm/gud: Use size_add() in call to struct_size()

2023-09-15 Thread Kees Cook
pping them with size_add(), but for maintaining a common coding style for dealing with allocation sizes, I can be convinced of the change. :) Reviewed-by: Kees Cook > req = kzalloc(len, GFP_KERNEL); > if (!req) > return -ENOMEM; > -- > 2.34.1 > -- Kees Cook

Re: [PATCH] drm/nouveau/pm: refactor deprecated strncpy

2023-09-14 Thread Kees Cook
py.9.en.html > [2] > Link: https://github.com/KSPP/linux/issues/90 > Cc: linux-harden...@vger.kernel.org > Signed-off-by: Justin Stitt The "- 1" use in the original code is strong evidence for this being a sane conversion. :) Reviewed-by: Kees Cook -- Kees Cook

Re: [PATCH] drm/nouveau/core: refactor deprecated strncpy

2023-09-14 Thread Kees Cook
name); > while (i) { > --i; Yup, consumed by strlen() and snprintf(). Looks like a standard conversion. :) Reviewed-by: Kees Cook -Kees > > --- > base-commit: 3669558bdf354cd352be955ef2764cde6a9bf5ec > change-id: > 20230914-strncpy-drivers-gpu-drm-nouveau-nvkm-core-firmware-c-791223838b72 > > Best regards, > -- > Justin Stitt > -- Kees Cook

Re: [PATCH] drm/nouveau/nvif: refactor deprecated strncpy

2023-09-14 Thread Kees Cook
e); ... ret = nvif_client_ctor(&drm->master.base, cli->name, device, &cli->base); So we'll always be %NUL terminated. Therefore, yes, conversion looks good: Reviewed-by: Kees Cook Thanks! -Kees > > --- > base-commit: 3669558bdf354cd352be955ef2764cde6a9bf5ec > change-id: 20230914-strncpy-drivers-gpu-drm-nouveau-nvif-client-c-82b023c36953 > > Best regards, > -- > Justin Stitt > -- Kees Cook

Re: [PATCH] drm/i915: refactor deprecated strncpy

2023-09-14 Thread Kees Cook
ppgtt = mock_ppgtt(i915, name); > if (!ppgtt) > > --- > base-commit: 3669558bdf354cd352be955ef2764cde6a9bf5ec > change-id: > 20230914-strncpy-drivers-gpu-drm-i915-gem-selftests-mock_context-c-980c8ecc9142 > > Best regards, > -- > Justin Stitt > -- Kees Cook

Re: [PATCH] drm/gma500: refactor deprecated strncpy

2023-09-14 Thread Kees Cook
chan->base.dev.parent = dev->dev; > > --- > base-commit: 3669558bdf354cd352be955ef2764cde6a9bf5ec > change-id: 20230914-drivers-gpu-drm-gma500-oaktrail_lvds_i2c-c-a53c6d8bd62f > > Best regards, > -- > Justin Stitt > -- Kees Cook

Re: [PATCH] drm/etnaviv: refactor deprecated strncpy

2023-09-14 Thread Kees Cook
al->name, sig->name, sizeof(signal->name)); > > signal->iter++; > if (signal->iter == dom->nr_signals) > > --- > base-commit: 3669558bdf354cd352be955ef2764cde6a9bf5ec > change-id: > 20230914-strncpy-drivers-gpu-drm-etnaviv-etnaviv_perfmon-c-dd095491dfde > > Best regards, > -- > Justin Stitt > -- Kees Cook

Re: [PATCH] drm/modes: refactor deprecated strncpy

2023-09-14 Thread Kees Cook
a v2 using strscpy_pad() instead? Thanks! -Kees -- Kees Cook

Re: [PATCH v2 0/5] Introduce new wrappers to copy user-arrays

2023-09-11 Thread Kees Cook
On September 11, 2023 6:55:32 PM PDT, Dave Airlie wrote: >On Tue, 12 Sept 2023 at 11:27, Kees Cook wrote: >> >> On September 8, 2023 12:59:39 PM PDT, Philipp Stanner >> wrote: >> >Hi! >> > >> >David Airlie suggested that we could implem

Re: [PATCH v2 0/5] Introduce new wrappers to copy user-arrays

2023-09-11 Thread Kees Cook
> drivers/gpu/drm/drm_lease.c | 4 +-- > drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 +-- > include/linux/string.h | 40 + > kernel/kexec.c | 2 +- > kernel/watch_queue.c | 2 +- > 5 files changed, 46 insertions(+), 6 deletions(-) > Nice. For the series: Reviewed-by: Kees Cook -- Kees Cook
