[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers
- To: Kees Cook <keescook@xxxxxxxxxxxx>, "Gustavo A . R . Silva" <gustavoars@xxxxxxxxxx>
- From: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
- Date: Wed, 04 May 2022 09:25:56 +0200
- Cc: Keith Packard <keithp@xxxxxxxxxx>, Francis Laniel <laniel_francis@xxxxxxxxxxxxxxxxxxx>, Daniel Axtens <dja@xxxxxxxxxx>, Dan Williams <dan.j.williams@xxxxxxxxx>, Vincenzo Frascino <vincenzo.frascino@xxxxxxx>, Guenter Roeck <linux@xxxxxxxxxxxx>, Daniel Vetter <daniel.vetter@xxxxxxxx>, Tadeusz Struk <tadeusz.struk@xxxxxxxxxx>, Alexei Starovoitov <ast@xxxxxxxxxx>, alsa-devel@xxxxxxxxxxxxxxxx, Al Viro <viro@xxxxxxxxxxxxxxxxxx>, Andrew Gabbasov <andrew_gabbasov@xxxxxxxxxx>, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>, Andy Gross <agross@xxxxxxxxxx>, Andy Lavr <andy.lavr@xxxxxxxxx>, Arend van Spriel <aspriel@xxxxxxxxx>, Baowen Zheng <baowen.zheng@xxxxxxxxxxxx>, Bjorn Andersson <bjorn.andersson@xxxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, Bradley Grove <linuxdrivers@xxxxxxxxxxxx>, brcm80211-dev-list.pdl@xxxxxxxxxxxx, Christian Brauner <brauner@xxxxxxxxxx>, Christian Göttsche <cgzones@xxxxxxxxxxxxxx>, Christian Lamparter <chunkeey@xxxxxxxxxxxxxx>, Chris Zankel <chris@xxxxxxxxxx>, Cong Wang <cong.wang@xxxxxxxxxxxxx>, David Gow <davidgow@xxxxxxxxxx>, David Howells <dhowells@xxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, Dennis Dalessandro <dennis.dalessandro@xxxxxxxxxxxxxxxxxxxx>, devicetree@xxxxxxxxxxxxxxx, Dexuan Cui <decui@xxxxxxxxxxxxx>, Dmitry Kasatkin <dmitry.kasatkin@xxxxxxxxx>, Eli Cohen <elic@xxxxxxxxxx>, Eric Dumazet <edumazet@xxxxxxxxxx>, Eric Paris <eparis@xxxxxxxxxxxxxx>, Eugeniu Rosca <erosca@xxxxxxxxxxxxxx>, Felipe Balbi <balbi@xxxxxxxxxx>, Frank Rowand <frowand.list@xxxxxxxxx>, Franky Lin <franky.lin@xxxxxxxxxxxx>, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, Gregory Greenman <gregory.greenman@xxxxxxxxx>, Haiyang Zhang <haiyangz@xxxxxxxxxxxxx>, Hante Meuleman <hante.meuleman@xxxxxxxxxxxx>, Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>, Hulk Robot <hulkci@xxxxxxxxxx>, Jakub Kicinski <kuba@xxxxxxxxxx>, "James E.J. Bottomley" <jejb@xxxxxxxxxxxxx>, James Morris <jmorris@xxxxxxxxx>, Jarkko Sakkinen <jarkko@xxxxxxxxxx>, Jaroslav Kysela <perex@xxxxxxxx>, Jason Gunthorpe <jgg@xxxxxxxx>, Jens Axboe <axboe@xxxxxxxxx>, Johan Hedberg <johan.hedberg@xxxxxxxxx>, John Keeping <john@xxxxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Kalle Valo <kvalo@xxxxxxxxxx>, keyrings@xxxxxxxxxxxxxxx, kunit-dev@xxxxxxxxxxxxxxxx, Kuniyuki Iwashima <kuniyu@xxxxxxxxxxxx>, "K. Y. Srinivasan" <kys@xxxxxxxxxxxxx>, Lars-Peter Clausen <lars@xxxxxxxxxx>, Lee Jones <lee.jones@xxxxxxxxxx>, Leon Romanovsky <leon@xxxxxxxxxx>, Liam Girdwood <lgirdwood@xxxxxxxxx>, linux1394-devel@xxxxxxxxxxxxxxxxxxxxx, linux-afs@xxxxxxxxxxxxxxxxxxx, linux-arm-kernel@xxxxxxxxxxxxxxxxxxx, linux-arm-msm@xxxxxxxxxxxxxxx, linux-bluetooth@xxxxxxxxxxxxxxx, linux-hardening@xxxxxxxxxxxxxxx, linux-hyperv@xxxxxxxxxxxxxxx, linux-integrity@xxxxxxxxxxxxxxx, linux-rdma@xxxxxxxxxxxxxxx, linux-scsi@xxxxxxxxxxxxxxx, linux-security-module@xxxxxxxxxxxxxxx, linux-usb@xxxxxxxxxxxxxxx, linux-wireless@xxxxxxxxxxxxxxx, linux-xtensa@xxxxxxxxxxxxxxxx, llvm@xxxxxxxxxxxxxxx, Loic Poulain <loic.poulain@xxxxxxxxxx>, Louis Peens <louis.peens@xxxxxxxxxxxx>, Luca Coelho <luciano.coelho@xxxxxxxxx>, Luiz Augusto von Dentz <luiz.dentz@xxxxxxxxx>, Marc Dionne <marc.dionne@xxxxxxxxxxxx>, Marcel Holtmann <marcel@xxxxxxxxxxxx>, Mark Brown <broonie@xxxxxxxxxx>, "Martin K. Petersen" <martin.petersen@xxxxxxxxxx>, Max Filippov <jcmvbkbc@xxxxxxxxx>, Mimi Zohar <zohar@xxxxxxxxxxxxx>, Muchun Song <songmuchun@xxxxxxxxxxxxx>, Nathan Chancellor <nathan@xxxxxxxxxx>, netdev@xxxxxxxxxxxxxxx, Nick Desaulniers <ndesaulniers@xxxxxxxxxx>, Nuno Sá <nuno.sa@xxxxxxxxxx>, Paolo Abeni <pabeni@xxxxxxxxxx>, Paul Moore <paul@xxxxxxxxxxxxxx>, Rich Felker <dalias@xxxxxxxxxx>, Rob Herring <robh+dt@xxxxxxxxxx>, Russell King <linux@xxxxxxxxxxxxxxx>, selinux@xxxxxxxxxxxxxxx, "Serge E. Hallyn" <serge@xxxxxxxxxx>, SHA-cyfmac-dev-list@xxxxxxxxxxxx, Simon Horman <simon.horman@xxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Stefan Richter <stefanr@xxxxxxxxxxxxxxxxx>, Steffen Klassert <steffen.klassert@xxxxxxxxxxx>, Stephen Hemminger <sthemmin@xxxxxxxxxxxxx>, Stephen Smalley <stephen.smalley.work@xxxxxxxxx>, Takashi Iwai <tiwai@xxxxxxxx>, Tom Rix <trix@xxxxxxxxxx>, Udipto Goswami <quic_ugoswami@xxxxxxxxxxx>, wcn36xx@xxxxxxxxxxxxxxxxxxx, Wei Liu <wei.liu@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Xiu Jianfeng <xiujianfeng@xxxxxxxxxx>, Yang Yingliang <yangyingliang@xxxxxxxxxx>, kvalo@xxxxxxxxxx
- Delivery-date: Wed, 04 May 2022 07:30:15 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Tue, 2022-05-03 at 18:44 -0700, Kees Cook wrote:
>
> For example, using the most complicated helper, mem_to_flex_dup():
>
> /* Flexible array struct with members identified. */
> struct something {
> int mode;
> DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, how_many);
> unsigned long flags;
> DECLARE_FLEX_ARRAY_ELEMENTS(u32, value);
In many cases, the order of the elements doesn't really matter, so maybe
it'd be nicer to be able to write it as something like
DECLARE_FLEX_STRUCT(something,
int mode;
unsigned long flags;
,
int, how_many,
u32, value);
perhaps? OK, that doesn't seem so nice either.
Maybe
struct something {
int mode;
unsigned long flags;
FLEX_ARRAY(
int, how_many,
u32, value
);
};
or so? The long and duplicated DECLARE_FLEX_ARRAY_ELEMENTS_COUNT and
DECLARE_FLEX_ARRAY_ELEMENTS seems a bit tedious to me, at least in cases
where the struct layout is not the most important thing (or it's already
at the end anyway).
> struct something *instance = NULL;
> int rc;
>
> rc = mem_to_flex_dup(&instance, byte_array, count, GFP_KERNEL);
> if (rc)
> return rc;
This seems rather awkward, having to set it to NULL, then checking rc
(and possibly needing a separate variable for it), etc.
But I can understand how you arrived at this:
- need to pass instance or &instance or such for typeof()
or offsetof() or such
- instance = mem_to_flex_dup(instance, ...)
looks too much like it would actually dup 'instance', rather than
'byte_array'
- if you pass &instance anyway, checking for NULL is simple and adds a
bit of safety
but still, honestly, I don't like it. As APIs go, it feels a bit
cumbersome and awkward to use, and you really need everyone to use this,
and not say "uh what, I'll memcpy() instead".
Maybe there should also be a realloc() version of it?
> +/** __fas_bytes - Calculate potential size of flexible array structure
I think you forgot "\n *" in many cases here after "/**".
johannes
|