#
129027b7 |
|
25-Jun-2023 |
Christophe JAILLET <christophe.jaillet@wanadoo.fr> |
docs: deprecated.rst: Update an example vmalloc() has a 2-factor form. It is vmalloc_array(). So use another function as an example. Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr> Signed-off-by: Jonathan Corbet <corbet@lwn.net> Link: https://lore.kernel.org/r/3484e46180dd2cf05d993ff1a78b481bc2ad1f71.1687723931.git.christophe.jaillet@wanadoo.fr
|
#
8763a30b |
|
06-Jan-2023 |
Kees Cook <keescook@chromium.org> |
docs: deprecated.rst: Add note about DECLARE_FLEX_ARRAY() usage There wasn't any mention of when/where DECLARE_FLEX_ARRAY() should be used, so add the rationale and an example to the deprecation docs. Suggested-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr> Cc: "Gustavo A. R. Silva" <gustavoars@kernel.org> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20230106200600.never.735-kees@kernel.org [jc: minor wording tweaks] Signed-off-by: Jonathan Corbet <corbet@lwn.net>
|
#
dfbafa70 |
|
26-Aug-2022 |
Kees Cook <keescook@chromium.org> |
string: Introduce strtomem() and strtomem_pad() One of the "legitimate" uses of strncpy() is copying a NUL-terminated string into a fixed-size non-NUL-terminated character array. To avoid the weaknesses and ambiguity of intent when using strncpy(), provide replacement functions that explicitly distinguish between trailing padding and not, and require the destination buffer size be discoverable by the compiler. For example: struct obj { int foo; char small[4] __nonstring; char big[8] __nonstring; int bar; }; struct obj p; /* This will truncate to 4 chars with no trailing NUL */ strncpy(p.small, "hello", sizeof(p.small)); /* p.small contains 'h', 'e', 'l', 'l' */ /* This will NUL pad to 8 chars. */ strncpy(p.big, "hello", sizeof(p.big)); /* p.big contains 'h', 'e', 'l', 'l', 'o', '\0', '\0', '\0' */ When the "__nonstring" attributes are missing, the intent of the programmer becomes ambiguous for whether the lack of a trailing NUL in the p.small copy is a bug. Additionally, it's not clear whether the trailing padding in the p.big copy is _needed_. Both cases become unambiguous with: strtomem(p.small, "hello"); strtomem_pad(p.big, "hello", 0); See also https://github.com/KSPP/linux/issues/90 Expand the memcpy KUnit tests to include these functions. Cc: Wolfram Sang <wsa+renesas@sang-engineering.com> Cc: Nick Desaulniers <ndesaulniers@google.com> Cc: Geert Uytterhoeven <geert@linux-m68k.org> Cc: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
e1be43d9 |
|
18-Sep-2021 |
Kees Cook <keescook@chromium.org> |
overflow: Implement size_t saturating arithmetic helpers In order to perform more open-coded replacements of common allocation size arithmetic, the kernel needs saturating (SIZE_MAX) helpers for multiplication, addition, and subtraction. For example, it is common in allocators, especially on realloc, to add to an existing size: p = krealloc(map->patch, sizeof(struct reg_sequence) * (map->patch_regs + num_regs), GFP_KERNEL); There is no existing saturating replacement for this calculation, and just leaving the addition open coded inside array_size() could potentially overflow as well. For example, an overflow in an expression for a size_t argument might wrap to zero: array_size(anything, something_at_size_max + 1) == 0 Introduce size_mul(), size_add(), and size_sub() helpers that implicitly promote arguments to size_t and saturated calculations for use in allocations. With these helpers it is also possible to redefine array_size(), array3_size(), flex_array_size(), and struct_size() in terms of the new helpers. As with the check_*_overflow() helpers, the new helpers use __must_check, though what is really desired is a way to make sure that assignment is only to a size_t lvalue. Without this, it's still possible to introduce overflow/underflow via type conversion (i.e. from size_t to int). Enforcing this will currently need to be left to static analysis or future use of -Wconversion. Additionally update the overflow unit tests to force runtime evaluation for the pathological cases. Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk> Cc: Gustavo A. R. Silva <gustavoars@kernel.org> Cc: Nathan Chancellor <nathan@kernel.org> Cc: Jason Gunthorpe <jgg@ziepe.ca> Cc: Nick Desaulniers <ndesaulniers@google.com> Cc: Leon Romanovsky <leon@kernel.org> Cc: Keith Busch <kbusch@kernel.org> Cc: Len Baker <len.baker@gmx.com> Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
3577cdb2 |
|
25-Sep-2021 |
Len Baker <len.baker@gmx.com> |
docs: deprecated.rst: Clarify open-coded arithmetic with literals Although using literals for size calculation in allocator arguments may be harmless due to compiler warnings in case of overflows, it is better to refactor the code to avoid the use of open-coded arithmetic. So, clarify the preferred way in these cases. Suggested-by: Kees Cook <keescook@chromium.org> Signed-off-by: Len Baker <len.baker@gmx.com> Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org> Link: https://lore.kernel.org/r/20210925143455.21221-1-len.baker@gmx.com Signed-off-by: Jonathan Corbet <corbet@lwn.net>
|
#
6ab0493d |
|
23-Jul-2021 |
Kees Cook <keescook@chromium.org> |
deprecated.rst: Include details on "no_hash_pointers" Linus decided a debug toggle for %p was tolerable, so update the %p deprecation documentation. Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20210723200526.3424128-1-keescook@chromium.org Signed-off-by: Jonathan Corbet <corbet@lwn.net>
|
#
27def953 |
|
15-Oct-2020 |
Kees Cook <keescook@chromium.org> |
docs: deprecated.rst: Expand str*cpy() replacement notes The notes on replacing the deprecated str*cpy() functions didn't call enough attention to the change in return type. Add these details and clean up the language a bit more. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Gustavo A. R. Silva <gustavoars@kernel.org> Link: https://lore.kernel.org/r/20201015231730.2138505-1-keescook@chromium.org Signed-off-by: Jonathan Corbet <corbet@lwn.net>
|
#
17dca050 |
|
31-Aug-2020 |
Gustavo A. R. Silva <gustavoars@kernel.org> |
docs: deprecated.rst: Update zero-length/one-element arrays section Update information in the zero-length and one-element arrays section and illustrate how to make use of the new flex_array_size() helper, together with struct_size() and a flexible-array member. Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Acked-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20200901010949.GA21398@embeddedor Signed-off-by: Jonathan Corbet <corbet@lwn.net>
|
#
3942ea7a |
|
26-Aug-2020 |
Joe Perches <joe@perches.com> |
deprecated.rst: Remove now removed uninitialized_var It's now gone from the kernel so remove it from the deprecated API text. Signed-off-by: Joe Perches <joe@perches.com> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> Link: https://lore.kernel.org/r/5e10c1645dd8f735215cf54a74db0f8dd3f6cbd5.camel@perches.com Signed-off-by: Jonathan Corbet <corbet@lwn.net>
|
#
053f8fc7 |
|
17-Aug-2020 |
Kees Cook <keescook@chromium.org> |
docs: Fix function name trailing double-()s I noticed a double-() in the deprecated.rst rendering today. Fix that one and two others in the Documentation/ tree. Acked-by: "Paul E. McKenney" <paulmck@kernel.org> # For RCU Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20200817233207.4083538-1-keescook@chromium.org Signed-off-by: Jonathan Corbet <corbet@lwn.net>
|
#
4b19bec9 |
|
15-Jun-2020 |
Kees Cook <keescook@chromium.org> |
docs: deprecated.rst: Add uninitialized_var() Nothing should be using this macro, and the entire idea of tricking the compiler into silencing such warnings is a mistake. Cc: Jonathan Corbet <corbet@lwn.net> Cc: "Gustavo A. R. Silva" <gustavo@embeddedor.com> Cc: Joe Perches <joe@perches.com> Cc: linux-doc@vger.kernel.org Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> Signed-off-by: Kees Cook <keescook@chromium.org>
|
#
68e4cd17 |
|
08-Jun-2020 |
Gustavo A. R. Silva <gustavoars@kernel.org> |
docs: deprecated.rst: Add zero-length and one-element arrays Add zero-length and one-element arrays to the list. While I continue replacing zero-length and one-element arrays with flexible-array members, I need a reference to point people to, so they don't introduce more instances of such arrays. And while here, add a note to the "open-coded arithmetic in allocator arguments" section, on the use of struct_size() and the arrays-to-deprecate mentioned here. Co-developed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Acked-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20200608213711.GA22271@embeddedor Signed-off-by: Jonathan Corbet <corbet@lwn.net>
|
#
7af51678 |
|
14-Mar-2020 |
Kees Cook <keescook@chromium.org> |
docs: deprecated.rst: Add BUG()-family Linus continues to remind[1] people to stop using the BUG()-family of functions. We should have this better documented (even if checkpatch.pl has been warning[2] since 2015), so add more details to deprecated.rst, as a distinct place to point people to for guidance. [1] https://lore.kernel.org/lkml/CAHk-=whDHsbK3HTOpTF=ue_o04onRwTEaK_ZoJp_fjbqq4+=Jw@mail.gmail.com/ [2] https://git.kernel.org/linus/9d3e3c705eb395528fd8f17208c87581b134da48 Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/202003141524.59C619B51A@keescook Signed-off-by: Jonathan Corbet <corbet@lwn.net>
|
#
7929b983 |
|
10-Mar-2020 |
Jonathan Corbet <corbet@lwn.net> |
docs: Remove :c:func: from process/deprecated.rst Documentation/process/deprecated.rst has a lot of uses of :c:func:, which is, well, deprecated. Emacs query-replace-regexp to the rescue. Signed-off-by: Jonathan Corbet <corbet@lwn.net>
|
#
76136e02 |
|
04-Mar-2020 |
Kees Cook <keescook@chromium.org> |
docs: deprecated.rst: Clean up fall-through details Add example of fall-through, list-ify the case ending statements, and adjust the markup for links and readability. While here, adjust strscpy() details to mention strscpy_pad(). Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Link: https://lore.kernel.org/r/202003041102.47A4E4B62@keescook Signed-off-by: Jonathan Corbet <corbet@lwn.net>
|
#
d8401f50 |
|
05-Mar-2020 |
Kees Cook <keescook@chromium.org> |
docs: deprecated.rst: Add %p to the list Once in a while %p usage comes up, and I've needed to have a reference to point people to. Add %p details to deprecated.rst. Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/202003042301.F844A8C0EC@keescook Signed-off-by: Jonathan Corbet <corbet@lwn.net>
|
#
b9918bdc |
|
05-Oct-2019 |
Joe Perches <joe@perches.com> |
Documentation/process: Add fallthrough pseudo-keyword Describe the fallthrough pseudo-keyword. Convert the coding-style.rst example to the keyword style. Add description and links to deprecated.rst. Miguel Ojeda comments on the eventual [[fallthrough]] syntax: "Note that C17/C18 does not have [[fallthrough]]. C++17 introduced it, as it is mentioned above. I would keep the __attribute__((fallthrough)) -> [[fallthrough]] change you did, though, since that is indeed the standard syntax (given the paragraph references C++17). I was told by Aaron Ballman (who is proposing them for C) that it is more or less likely that it becomes standardized in C2x. However, it is still not added to the draft (other attributes are already, though). See N2268 and N2269: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2268.pdf (fallthrough) http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2269.pdf (attributes in general)" Signed-off-by: Joe Perches <joe@perches.com> Acked-by: Nick Desaulniers <ndesaulniers@google.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
#
a035d552 |
|
06-Jun-2019 |
Gustavo A. R. Silva <gustavo@embeddedor.com> |
Makefile: Globally enable fall-through warning Now that all the fall-through warnings have been addressed in the kernel, enable the fall-through warning globally. Also, update the deprecated.rst file to include implicit fall-through as 'deprecated' so people can be pointed to a single location for justification. Cc: Masahiro Yamada <yamada.masahiro@socionext.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Michal Marek <michal.lkml@markovi.net> Cc: Kees Cook <keescook@chromium.org> Cc: linux-kbuild@vger.kernel.org Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
|
#
98348577 |
|
24-Feb-2019 |
Federico Vaga <federico.vaga@vaga.pv.it> |
doc:it_IT: translations for documents in process/ Translated documents: - stable-kernel-rules.rst - deprecated.rst - kernel-enforcement-statement.rst - license-rules.rst Added document to have valid links - netdev-FAQ.rst Modifications to main documentation - add label in deprecated.rst Signed-off-by: Federico Vaga <federico.vaga@vaga.pv.it> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
|
#
84253c8b |
|
17-Oct-2018 |
Kees Cook <keescook@chromium.org> |
docs: Introduce deprecated APIs list As discussed in the "API replacement/deprecation" thread[1], this makes an effort to document what things shouldn't get (re)added to the kernel, by introducing Documentation/process/deprecated.rst. [1] https://lists.linuxfoundation.org/pipermail/ksummit-discuss/2018-September/005282.html Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jonathan Corbet <corbet@lwn.net>
|