[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers

To: Kees Cook <keescook@xxxxxxxxxxxx>, "Gustavo A . R . Silva" <gustavoars@xxxxxxxxxx>
From: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
Date: Wed, 04 May 2022 09:25:56 +0200
Cc: Keith Packard <keithp@xxxxxxxxxx>, Francis Laniel <laniel_francis@xxxxxxxxxxxxxxxxxxx>, Daniel Axtens <dja@xxxxxxxxxx>, Dan Williams <dan.j.williams@xxxxxxxxx>, Vincenzo Frascino <vincenzo.frascino@xxxxxxx>, Guenter Roeck <linux@xxxxxxxxxxxx>, Daniel Vetter <daniel.vetter@xxxxxxxx>, Tadeusz Struk <tadeusz.struk@xxxxxxxxxx>, Alexei Starovoitov <ast@xxxxxxxxxx>, alsa-devel@xxxxxxxxxxxxxxxx, Al Viro <viro@xxxxxxxxxxxxxxxxxx>, Andrew Gabbasov <andrew_gabbasov@xxxxxxxxxx>, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>, Andy Gross <agross@xxxxxxxxxx>, Andy Lavr <andy.lavr@xxxxxxxxx>, Arend van Spriel <aspriel@xxxxxxxxx>, Baowen Zheng <baowen.zheng@xxxxxxxxxxxx>, Bjorn Andersson <bjorn.andersson@xxxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>, Bradley Grove <linuxdrivers@xxxxxxxxxxxx>, brcm80211-dev-list.pdl@xxxxxxxxxxxx, Christian Brauner <brauner@xxxxxxxxxx>, Christian Göttsche <cgzones@xxxxxxxxxxxxxx>, Christian Lamparter <chunkeey@xxxxxxxxxxxxxx>, Chris Zankel <chris@xxxxxxxxxx>, Cong Wang <cong.wang@xxxxxxxxxxxxx>, David Gow <davidgow@xxxxxxxxxx>, David Howells <dhowells@xxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, Dennis Dalessandro <dennis.dalessandro@xxxxxxxxxxxxxxxxxxxx>, devicetree@xxxxxxxxxxxxxxx, Dexuan Cui <decui@xxxxxxxxxxxxx>, Dmitry Kasatkin <dmitry.kasatkin@xxxxxxxxx>, Eli Cohen <elic@xxxxxxxxxx>, Eric Dumazet <edumazet@xxxxxxxxxx>, Eric Paris <eparis@xxxxxxxxxxxxxx>, Eugeniu Rosca <erosca@xxxxxxxxxxxxxx>, Felipe Balbi <balbi@xxxxxxxxxx>, Frank Rowand <frowand.list@xxxxxxxxx>, Franky Lin <franky.lin@xxxxxxxxxxxx>, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, Gregory Greenman <gregory.greenman@xxxxxxxxx>, Haiyang Zhang <haiyangz@xxxxxxxxxxxxx>, Hante Meuleman <hante.meuleman@xxxxxxxxxxxx>, Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>, Hulk Robot <hulkci@xxxxxxxxxx>, Jakub Kicinski <kuba@xxxxxxxxxx>, "James E.J. Bottomley" <jejb@xxxxxxxxxxxxx>, James Morris <jmorris@xxxxxxxxx>, Jarkko Sakkinen <jarkko@xxxxxxxxxx>, Jaroslav Kysela <perex@xxxxxxxx>, Jason Gunthorpe <jgg@xxxxxxxx>, Jens Axboe <axboe@xxxxxxxxx>, Johan Hedberg <johan.hedberg@xxxxxxxxx>, John Keeping <john@xxxxxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Kalle Valo <kvalo@xxxxxxxxxx>, keyrings@xxxxxxxxxxxxxxx, kunit-dev@xxxxxxxxxxxxxxxx, Kuniyuki Iwashima <kuniyu@xxxxxxxxxxxx>, "K. Y. Srinivasan" <kys@xxxxxxxxxxxxx>, Lars-Peter Clausen <lars@xxxxxxxxxx>, Lee Jones <lee.jones@xxxxxxxxxx>, Leon Romanovsky <leon@xxxxxxxxxx>, Liam Girdwood <lgirdwood@xxxxxxxxx>, linux1394-devel@xxxxxxxxxxxxxxxxxxxxx, linux-afs@xxxxxxxxxxxxxxxxxxx, linux-arm-kernel@xxxxxxxxxxxxxxxxxxx, linux-arm-msm@xxxxxxxxxxxxxxx, linux-bluetooth@xxxxxxxxxxxxxxx, linux-hardening@xxxxxxxxxxxxxxx, linux-hyperv@xxxxxxxxxxxxxxx, linux-integrity@xxxxxxxxxxxxxxx, linux-rdma@xxxxxxxxxxxxxxx, linux-scsi@xxxxxxxxxxxxxxx, linux-security-module@xxxxxxxxxxxxxxx, linux-usb@xxxxxxxxxxxxxxx, linux-wireless@xxxxxxxxxxxxxxx, linux-xtensa@xxxxxxxxxxxxxxxx, llvm@xxxxxxxxxxxxxxx, Loic Poulain <loic.poulain@xxxxxxxxxx>, Louis Peens <louis.peens@xxxxxxxxxxxx>, Luca Coelho <luciano.coelho@xxxxxxxxx>, Luiz Augusto von Dentz <luiz.dentz@xxxxxxxxx>, Marc Dionne <marc.dionne@xxxxxxxxxxxx>, Marcel Holtmann <marcel@xxxxxxxxxxxx>, Mark Brown <broonie@xxxxxxxxxx>, "Martin K. Petersen" <martin.petersen@xxxxxxxxxx>, Max Filippov <jcmvbkbc@xxxxxxxxx>, Mimi Zohar <zohar@xxxxxxxxxxxxx>, Muchun Song <songmuchun@xxxxxxxxxxxxx>, Nathan Chancellor <nathan@xxxxxxxxxx>, netdev@xxxxxxxxxxxxxxx, Nick Desaulniers <ndesaulniers@xxxxxxxxxx>, Nuno Sá <nuno.sa@xxxxxxxxxx>, Paolo Abeni <pabeni@xxxxxxxxxx>, Paul Moore <paul@xxxxxxxxxxxxxx>, Rich Felker <dalias@xxxxxxxxxx>, Rob Herring <robh+dt@xxxxxxxxxx>, Russell King <linux@xxxxxxxxxxxxxxx>, selinux@xxxxxxxxxxxxxxx, "Serge E. Hallyn" <serge@xxxxxxxxxx>, SHA-cyfmac-dev-list@xxxxxxxxxxxx, Simon Horman <simon.horman@xxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Stefan Richter <stefanr@xxxxxxxxxxxxxxxxx>, Steffen Klassert <steffen.klassert@xxxxxxxxxxx>, Stephen Hemminger <sthemmin@xxxxxxxxxxxxx>, Stephen Smalley <stephen.smalley.work@xxxxxxxxx>, Takashi Iwai <tiwai@xxxxxxxx>, Tom Rix <trix@xxxxxxxxxx>, Udipto Goswami <quic_ugoswami@xxxxxxxxxxx>, wcn36xx@xxxxxxxxxxxxxxxxxxx, Wei Liu <wei.liu@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, Xiu Jianfeng <xiujianfeng@xxxxxxxxxx>, Yang Yingliang <yangyingliang@xxxxxxxxxx>, kvalo@xxxxxxxxxx
Delivery-date: Wed, 04 May 2022 07:30:15 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Tue, 2022-05-03 at 18:44 -0700, Kees Cook wrote:
> 
> For example, using the most complicated helper, mem_to_flex_dup():
> 
>     /* Flexible array struct with members identified. */
>     struct something {
>         int mode;
>         DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(int, how_many);
>         unsigned long flags;
>         DECLARE_FLEX_ARRAY_ELEMENTS(u32, value);

In many cases, the order of the elements doesn't really matter, so maybe
it'd be nicer to be able to write it as something like

DECLARE_FLEX_STRUCT(something,
        int mode;
        unsigned long flags;
        ,
        int, how_many,
        u32, value);

perhaps? OK, that doesn't seem so nice either.

Maybe

struct something {
        int mode;
        unsigned long flags;
        FLEX_ARRAY(
                int, how_many,
                u32, value
        );
};

or so? The long and duplicated DECLARE_FLEX_ARRAY_ELEMENTS_COUNT and
DECLARE_FLEX_ARRAY_ELEMENTS seems a bit tedious to me, at least in cases
where the struct layout is not the most important thing (or it's already
at the end anyway).

>     struct something *instance = NULL;
>     int rc;
> 
>     rc = mem_to_flex_dup(&instance, byte_array, count, GFP_KERNEL);
>     if (rc)
>         return rc;

This seems rather awkward, having to set it to NULL, then checking rc
(and possibly needing a separate variable for it), etc.

But I can understand how you arrived at this:
 - need to pass instance or &instance or such for typeof()
   or offsetof() or such
 - instance = mem_to_flex_dup(instance, ...)
   looks too much like it would actually dup 'instance', rather than
   'byte_array'
 - if you pass &instance anyway, checking for NULL is simple and adds a
   bit of safety

but still, honestly, I don't like it. As APIs go, it feels a bit
cumbersome and awkward to use, and you really need everyone to use this,
and not say "uh what, I'll memcpy() instead".

Maybe there should also be a realloc() version of it?

> +/** __fas_bytes - Calculate potential size of flexible array structure

I think you forgot "\n *" in many cases here after "/**".

johannes

Follow-Ups:
- Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers
  - From: Kees Cook

References:
- [PATCH 00/32] Introduce flexible array struct memcpy() helpers
  - From: Kees Cook
- [PATCH 02/32] Introduce flexible array struct memcpy() helpers
  - From: Kees Cook

Prev by Date: Re: [PATCH 2/3] xen/arm: Advertise workaround 1 if we apply 3
Next by Date: Re: [PATCH 12/32] cfg80211: Use mem_to_flex_dup() with struct cfg80211_bss_ies
Previous by thread: [PATCH 02/32] Introduce flexible array struct memcpy() helpers
Next by thread: Re: [PATCH 02/32] Introduce flexible array struct memcpy() helpers
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.