From: Josh Law <objecting@objecting.org>
To: Masami Hiramatsu <mhiramat@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>
Cc: Steven Rostedt <rostedt@goodmis.org>,
linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org,
Josh Law <objecting@objecting.org>
Subject: [PATCH v6 00/17] bootconfig: fixes, cleanups, and modernization
Date: Sun, 15 Mar 2026 12:19:58 +0000 [thread overview]
Message-ID: <20260315122015.55965-1-objecting@objecting.org> (raw)
This series addresses a collection of issues found during a review of
lib/bootconfig.c, include/linux/bootconfig.h, and tools/bootconfig,
ranging from off-by-one errors and unchecked return values to coding
style, signedness/type cleanup, and API modernization.
Changes since v5:
- Folded typo fixes, kerneldoc blank line, and inconsistent bracing
patches (v5 02-05, 07) into a single patch (patch 2).
- Dropped "use __packed macro for struct xbc_node" (v5 11) and
"add __packed definition to tools/bootconfig shim header" (v5 14)
per review feedback.
- Added Fixes: tag to "check xbc_init_node() return in override
path" (patch 10).
- Added Fixes: tag to "fix fd leak in load_xbc_file() on fstat
failure" (patch 11).
Changes since v4:
- Added six follow-up patches found via static analysis with strict
GCC warnings (patches 12-17).
- Added "fix signed comparison in xbc_node_get_data()" -- switch the
masked offset variable to unsigned int and compare against
XBC_DATA_MAX to avoid a signed comparison and make the mask
self-documenting (patch 12).
- Added "use size_t for strlen result in xbc_node_match_prefix()"
and "use size_t for key length tracking in xbc_verify_tree()" to
match strlen() return types (patches 13, 15).
- Added "narrow offset type in xbc_init_node()" -- use a validated
unsigned int temporary for the stored 15-bit data offset
(patch 14).
- Added "fix sign-compare in xbc_node_compose_key_after()" -- cast
the checked snprintf() return when comparing and subtracting
against a size_t buffer length (patch 16).
- Added "change xbc_node_index() return type to uint16_t" -- match
the 16-bit storage fields and XBC_NODE_MAX bounds (patch 17).
Changes since v3:
- Added commit descriptions to all patches that were missing them.
- Added real-world impact statements to all bug-fix patches.
Changes since v2:
- Added "validate child node index in xbc_verify_tree()" (patch 9).
- Added "check xbc_init_node() return in override path" (patch 10).
- Added "fix fd leak in load_xbc_file() on fstat failure" (patch 11).
Changes since v1:
- Dropped "return empty string instead of NULL from
xbc_node_get_data()" -- returning "" causes false matches in
xbc_node_match_prefix() because strncmp(..., "", 0) always
returns 0.
Bug fixes:
- Fix off-by-one in xbc_verify_tree() where a next-node index equal
to xbc_node_num passes the bounds check despite being out of range;
a malformed bootconfig could cause an out-of-bounds read of kernel
memory during tree traversal at boot time (patch 4).
- Move xbc_node_num increment to after xbc_init_node() validation
so a failed init does not leave a partially initialized node
counted in the array; on a maximum-size bootconfig, the
uninitialized node could be traversed leading to unpredictable
boot behavior (patch 5).
- Validate child node indices in xbc_verify_tree() alongside the
existing next-node check; without this, a corrupt bootconfig could
trigger an out-of-bounds memory access via an invalid child index
during tree traversal (patch 9).
- Check xbc_init_node() return value in the ':=' override path; a
bootconfig using ':=' near the 32KB data limit could silently
retain the old value, meaning a security-relevant boot parameter
override would not take effect (patch 10).
- Fix file descriptor leak in tools/bootconfig load_xbc_file()
when fstat() fails (patch 11).
Correctness:
- Add missing __init annotations to skip_comment() and
skip_spaces_until_newline() so their memory can be reclaimed
after init (patch 1).
- Narrow the flag parameter in node creation helpers from uint32_t
to uint16_t to match the xbc_node.data field width (patch 3).
- Constify the xbc_calc_checksum() data parameter since it only
reads the buffer (patch 7).
- Fix strict-GCC signedness and narrowing warnings by aligning local
types with strlen()/snprintf() APIs and the 16-bit node index/data
storage in xbc_node_get_data(), xbc_node_match_prefix(),
xbc_init_node(), xbc_verify_tree(), xbc_node_compose_key_after(),
and xbc_node_index() (patches 12-17).
Cleanups:
- Fix comment typos, missing blank line before kerneldoc,
inconsistent if/else bracing (patch 2).
- Drop redundant memset after memblock_alloc which already returns
zeroed memory; switch the userspace path from malloc to calloc
to match (patch 6).
Modernization:
- Replace the catch-all linux/kernel.h include with the specific
headers needed: linux/cache.h, linux/compiler.h, and
linux/sprintf.h (patch 8).
Build-tested with both the in-kernel build (lib/bootconfig.o,
init/main.o) and the userspace tools/bootconfig build. All 70
tools/bootconfig test cases pass.
Josh Law (17):
lib/bootconfig: add missing __init annotations to static helpers
lib/bootconfig: fix typos, kerneldoc, and inconsistent if/else bracing
lib/bootconfig: narrow flag parameter type from uint32_t to uint16_t
lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check
lib/bootconfig: increment xbc_node_num after node init succeeds
lib/bootconfig: drop redundant memset of xbc_nodes
bootconfig: constify xbc_calc_checksum() data parameter
lib/bootconfig: replace linux/kernel.h with specific includes
lib/bootconfig: validate child node index in xbc_verify_tree()
lib/bootconfig: check xbc_init_node() return in override path
tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
lib/bootconfig: fix signed comparison in xbc_node_get_data()
lib/bootconfig: use size_t for strlen result in
xbc_node_match_prefix()
lib/bootconfig: narrow offset type in xbc_init_node()
lib/bootconfig: use size_t for key length tracking in
xbc_verify_tree()
lib/bootconfig: fix sign-compare in xbc_node_compose_key_after()
lib/bootconfig: change xbc_node_index() return type to uint16_t
include/linux/bootconfig.h | 6 ++--
lib/bootconfig.c | 71 ++++++++++++++++++++++----------------
tools/bootconfig/main.c | 4 ++-
3 files changed, 47 insertions(+), 34 deletions(-)
--
2.34.1
next reply other threads:[~2026-03-15 12:20 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-15 12:19 Josh Law [this message]
2026-03-15 12:19 ` [PATCH v6 01/17] lib/bootconfig: add missing __init annotations to static helpers Josh Law
2026-03-17 7:33 ` Masami Hiramatsu
2026-03-15 12:20 ` [PATCH v6 02/17] lib/bootconfig: fix typos, kerneldoc, and inconsistent if/else bracing Josh Law
2026-03-15 12:20 ` [PATCH v6 03/17] lib/bootconfig: narrow flag parameter type from uint32_t to uint16_t Josh Law
2026-03-15 12:20 ` [PATCH v6 04/17] lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check Josh Law
2026-03-15 12:20 ` [PATCH v6 05/17] lib/bootconfig: increment xbc_node_num after node init succeeds Josh Law
2026-03-15 12:20 ` [PATCH v6 06/17] lib/bootconfig: drop redundant memset of xbc_nodes Josh Law
2026-03-17 11:46 ` Markus Elfring
2026-03-15 12:20 ` [PATCH v6 07/17] bootconfig: constify xbc_calc_checksum() data parameter Josh Law
2026-03-15 12:20 ` [PATCH v6 08/17] lib/bootconfig: replace linux/kernel.h with specific includes Josh Law
2026-03-15 12:20 ` [PATCH v6 09/17] lib/bootconfig: validate child node index in xbc_verify_tree() Josh Law
2026-03-17 11:03 ` Markus Elfring
2026-03-17 15:10 ` Steven Rostedt
2026-03-18 7:30 ` [RFC] Coding style consequences for multi-line statements? Markus Elfring
2026-03-15 12:20 ` [PATCH v6 10/17] lib/bootconfig: check xbc_init_node() return in override path Josh Law
2026-03-15 12:20 ` [PATCH v6 11/17] tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure Josh Law
2026-03-17 7:31 ` Masami Hiramatsu
2026-03-17 7:34 ` Josh Law
2026-03-15 12:20 ` [PATCH v6 12/17] lib/bootconfig: fix signed comparison in xbc_node_get_data() Josh Law
2026-03-16 23:57 ` Masami Hiramatsu
2026-03-15 12:20 ` [PATCH v6 13/17] lib/bootconfig: use size_t for strlen result in xbc_node_match_prefix() Josh Law
2026-03-15 12:20 ` [PATCH v6 14/17] lib/bootconfig: narrow offset type in xbc_init_node() Josh Law
2026-03-17 0:55 ` Masami Hiramatsu
2026-03-15 12:20 ` [PATCH v6 15/17] lib/bootconfig: use size_t for key length tracking in xbc_verify_tree() Josh Law
2026-03-15 12:20 ` [PATCH v6 16/17] lib/bootconfig: fix sign-compare in xbc_node_compose_key_after() Josh Law
2026-03-17 7:55 ` Masami Hiramatsu
2026-03-17 16:15 ` Steven Rostedt
2026-03-17 16:15 ` Josh Law
2026-03-17 17:35 ` Josh Law
2026-03-17 23:15 ` Masami Hiramatsu
2026-03-17 23:18 ` Josh Law
2026-03-15 12:20 ` [PATCH v6 17/17] lib/bootconfig: change xbc_node_index() return type to uint16_t Josh Law
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260315122015.55965-1-objecting@objecting.org \
--to=objecting@objecting.org \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=rostedt@goodmis.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.