Re: [PATCH v3] slab: Introduce kmalloc_obj() and family

On 8/23/24 01:13, Kees Cook wrote: (...) For cases where the total size of the allocation is needed, the kmalloc_obj_sz(), kmalloc_objs_sz(), and kmalloc_flex_sz() family of macros can be used. For example: info->size = struct_size(ptr, flex_member, count); ptr = kmalloc(info->s

Re: [PATCH] string: Check for "nonstring" attribute on strscpy() arguments

On 8/5/24 23:43, Kees Cook wrote: GCC already checks for arguments that are marked with the "nonstring"[1] attribute when used on standard C String API functions (e.g. strcpy). Gain this compile-time checking also for the kernel's primary string copying function, strscpy(). Note that Clang has n

Re: [RFC][PATCH 0/4] slab: Allow for type introspection during allocation

On 7/10/24 01:28, Kees Cook wrote: On Tue, Jul 09, 2024 at 11:02:55PM +0200, Marco Elver wrote: On Tue, 9 Jul 2024 at 22:28, Kees Cook wrote: On Tue, Jul 09, 2024 at 10:26:32AM -0700, Christoph Lameter (Ampere) wrote: On Mon, 8 Jul 2024, Kees Cook wrote: obj = kmalloc(obj, gfp

Re: [RFC][PATCH 4/4] pstore: Replace classic kmalloc code pattern with typed argument

On 7/8/24 21:18, Kees Cook wrote: Using a short Coccinelle script, it is possible to replace the classic kmalloc code patterns with the typed information: @alloc@ type TYPE; TYPE *P; expression GFP; identifier ALLOC =~ "k[mz]alloc"; @@ P = ALLOC( - \(sizeof(*P)\|sizeof(TYP

Re: [RFC][PATCH 2/4] slab: Detect negative size values and saturate

On 7/8/24 21:18, Kees Cook wrote: The allocator will already reject giant sizes seen from negative size arguments, so this commit mainly services as an example for initial type-based filtering. The size argument is checked for negative values in signed arguments, saturating any if found instead o

Re: [PATCH net-next] netdevice: define and allocate &net_device _properly_

- net/core/dev.c| 31 +++ net/core/net-sysfs.c | 2 +- 3 files changed, 15 insertions(+), 30 deletions(-) Reviewed-by: Przemek Kitszel

Re: [PATCH net-next v2 0/3] compiler_types: add Endianness-dependent __counted_by_{le,be}

aleksander.loba...@intel.com [1] https://lore.kernel.org/netdev/20240318130354.2713265-1-aleksander.loba...@intel.com nice, Reviewed-by: Przemek Kitszel

Re: [PATCH v2] overflow: Change DEFINE_FLEX to take __counted_by member

On 3/7/24 00:51, Kees Cook wrote: The norm should be flexible array structures with __counted_by annotations, so DEFINE_FLEX() is updated to expect that. Rename the non-annotated version to DEFINE_RAW_FLEX(), and update the few existing users. Signed-off-by: Kees Cook --- Cc: Przemek Kitszel

Re: [PATCH] overflow: Change DEFINE_FLEX to take __counted_by member

On 3/6/24 04:25, Gustavo A. R. Silva wrote: On 05/03/24 19:07, Kees Cook wrote: The norm should be flexible array structures with __counted_by annotations, so DEFINE_FLEX() is updated to expect that. Rename the non-annotated version to DEFINE_RAW_FLEX(), and update the few existing users. Addi

Re: [PATCH v2 2/5] overflow: Expand check_add_overflow() for pointer addition

On 1/30/24 23:06, Kees Cook wrote: The check_add_overflow() helper is mostly a wrapper around __builtin_add_overflow(), but GCC and Clang refuse to operate on pointer arguments that would normally be allowed if the addition were open-coded. For example, we have many places where pointer overflow

Re: [Intel-wired-lan] [PATCH net-next v5 0/7] introduce DEFINE_FLEX() macro

On 9/12/23 18:16, Kees Cook wrote: On Tue, Sep 12, 2023 at 07:59:30AM -0400, Przemek Kitszel wrote: Add DEFINE_FLEX() macro, that helps on-stack allocation of structures with trailing flex array member. Expose __struct_size() macro which reads size of data allocated by DEFINE_FLEX(). Accompany