From: Josh Law <objecting@objecting.org>
To: Masami Hiramatsu <mhiramat@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>
Cc: Steven Rostedt <rostedt@goodmis.org>,
linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org
Subject: [PATCH v7 00/15] bootconfig: fixes, cleanups, and modernization
Date: Tue, 17 Mar 2026 16:09:01 +0000 [thread overview]
Message-ID: <20260317160916.33576-1-objecting@objecting.org> (raw)
This series addresses a collection of issues found during a review of
lib/bootconfig.c, include/linux/bootconfig.h, and tools/bootconfig,
ranging from off-by-one errors and unchecked return values to coding
style, signedness/type cleanup, and API modernization.
Changes since v6:
- Dropped "add missing __init annotations to static helpers"
(v6 patch 1).
- Dropped "fix sign-compare in xbc_node_compose_key_after()"
(v6 patch 16).
- Updated "fix fd leak in load_xbc_file() on fstat failure" to save
errno before close(), since close() may overwrite it before the
error is returned (patch 10).
- Updated "fix signed comparison in xbc_node_get_data()" to use
size_t for the local offset variable, matching the warning and
xbc_data_size (patch 11).
- Updated "use signed type for offset in xbc_init_node()" to use a
signed long and explicitly check offset < 0 in WARN_ON(), making
the pre-base pointer case explicit instead of relying on unsigned
wraparound (patch 13).
Changes since v5:
- Folded typo fixes, kerneldoc blank line, and inconsistent bracing
patches (v5 02-05, 07) into a single patch (patch 1).
- Dropped "use __packed macro for struct xbc_node" (v5 11) and
"add __packed definition to tools/bootconfig shim header" (v5 14)
per review feedback.
- Added Fixes: tag to "check xbc_init_node() return in override
path" (patch 9).
- Added Fixes: tag to "fix fd leak in load_xbc_file() on fstat
failure" (patch 10).
Changes since v4:
- Added six follow-up patches found via static analysis with strict
GCC warnings (patches 11-15, plus the now-dropped v6 patch 16).
- Added "fix signed comparison in xbc_node_get_data()" to match the
local offset type to xbc_data_size and eliminate the sign-compare
warning (patch 11).
- Added "use size_t for strlen result in xbc_node_match_prefix()"
and "use size_t for key length tracking in xbc_verify_tree()" to
match strlen() return types (patches 12, 14).
- Added "use signed type for offset in xbc_init_node()" to make the
offset bounds check explicit and avoid sign-conversion warnings
from pointer subtraction (patch 13).
- Added "change xbc_node_index() return type to uint16_t" to match
the 16-bit storage fields and XBC_NODE_MAX bounds (patch 15).
Changes since v3:
- Added commit descriptions to all patches that were missing them.
- Added real-world impact statements to all bug-fix patches.
Changes since v2:
- Added "validate child node index in xbc_verify_tree()" (patch 8).
- Added "check xbc_init_node() return in override path" (patch 9).
- Added "fix fd leak in load_xbc_file() on fstat failure" (patch 10).
Changes since v1:
- Dropped "return empty string instead of NULL from
xbc_node_get_data()" -- returning "" causes false matches in
xbc_node_match_prefix() because strncmp(..., "", 0) always
returns 0.
Bug fixes:
- Fix off-by-one in xbc_verify_tree() where a next-node index equal
to xbc_node_num passes the bounds check despite being out of range;
a malformed bootconfig could cause an out-of-bounds read of kernel
memory during tree traversal at boot time (patch 3).
- Move xbc_node_num increment to after xbc_init_node() validation so
a failed init does not leave a partially initialized node counted
in the array; on a maximum-size bootconfig, the uninitialized node
could be traversed leading to unpredictable boot behavior (patch 4).
- Validate child node indices in xbc_verify_tree() alongside the
existing next-node check; without this, a corrupt bootconfig could
trigger an out-of-bounds memory access via an invalid child index
during tree traversal (patch 8).
- Check xbc_init_node() return value in the ':=' override path; a
bootconfig using ':=' near the 32KB data limit could silently
retain the old value, meaning a security-relevant boot parameter
override would not take effect (patch 9).
- Fix file descriptor leak in tools/bootconfig load_xbc_file() when
fstat() fails, and preserve errno across close() on that error path
(patch 10).
Correctness:
- Narrow the flag parameter in node creation helpers from uint32_t to
uint16_t to match the xbc_node.data field width (patch 2).
- Constify the xbc_calc_checksum() data parameter since it only reads
the buffer (patch 6).
- Fix strict-GCC signedness and narrowing warnings by aligning local
types with strlen() APIs and the node index/data storage in
xbc_node_get_data(), xbc_node_match_prefix(), xbc_init_node(),
xbc_verify_tree(), and xbc_node_index() (patches 11-15).
Cleanups:
- Fix comment typos, missing blank line before kerneldoc, and
inconsistent if/else bracing (patch 1).
- Drop redundant memset after memblock_alloc which already returns
zeroed memory; switch the userspace path from malloc to calloc to
match (patch 5).
Modernization:
- Replace the catch-all linux/kernel.h include with the specific
headers needed: linux/cache.h, linux/compiler.h, and
linux/sprintf.h (patch 7).
Build-tested with both the in-kernel build (lib/bootconfig.o,
init/main.o) and the userspace tools/bootconfig build. All 70
tools/bootconfig test cases pass.
Josh Law (15):
lib/bootconfig: clean up comment typos and bracing
lib/bootconfig: narrow flag parameter type from uint32_t to uint16_t
lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check
lib/bootconfig: increment xbc_node_num after node init succeeds
lib/bootconfig: drop redundant memset of xbc_nodes
bootconfig: constify xbc_calc_checksum() data parameter
lib/bootconfig: replace linux/kernel.h with specific includes
lib/bootconfig: validate child node index in xbc_verify_tree()
lib/bootconfig: check xbc_init_node() return in override path
tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
lib/bootconfig: fix signed comparison in xbc_node_get_data()
lib/bootconfig: use size_t for strlen result in
xbc_node_match_prefix()
lib/bootconfig: use signed type for offset in xbc_init_node()
lib/bootconfig: use size_t for key length tracking in
xbc_verify_tree()
lib/bootconfig: change xbc_node_index() return type to uint16_t
include/linux/bootconfig.h | 6 ++--
lib/bootconfig.c | 65 ++++++++++++++++++++++----------------
tools/bootconfig/main.c | 7 ++--
3 files changed, 46 insertions(+), 32 deletions(-)
--
2.34.1
next reply other threads:[~2026-03-17 16:09 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-17 16:09 Josh Law [this message]
2026-03-17 16:09 ` [PATCH v7 01/15] lib/bootconfig: clean up comment typos and bracing Josh Law
2026-03-17 16:09 ` [PATCH v7 02/15] lib/bootconfig: narrow flag parameter type from uint32_t to uint16_t Josh Law
2026-03-17 16:09 ` [PATCH v7 03/15] lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check Josh Law
2026-03-17 16:09 ` [PATCH v7 04/15] lib/bootconfig: increment xbc_node_num after node init succeeds Josh Law
2026-03-17 16:09 ` [PATCH v7 05/15] lib/bootconfig: drop redundant memset of xbc_nodes Josh Law
2026-03-17 16:09 ` [PATCH v7 06/15] bootconfig: constify xbc_calc_checksum() data parameter Josh Law
2026-03-17 16:09 ` [PATCH v7 07/15] lib/bootconfig: replace linux/kernel.h with specific includes Josh Law
2026-03-17 16:09 ` [PATCH v7 08/15] lib/bootconfig: validate child node index in xbc_verify_tree() Josh Law
2026-03-17 16:09 ` [PATCH v7 09/15] lib/bootconfig: check xbc_init_node() return in override path Josh Law
2026-03-17 16:09 ` [PATCH v7 10/15] tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure Josh Law
2026-03-17 16:09 ` [PATCH v7 11/15] lib/bootconfig: fix signed comparison in xbc_node_get_data() Josh Law
2026-03-17 16:09 ` [PATCH v7 12/15] lib/bootconfig: use size_t for strlen result in xbc_node_match_prefix() Josh Law
2026-03-17 16:09 ` [PATCH v7 13/15] lib/bootconfig: use signed type for offset in xbc_init_node() Josh Law
2026-03-17 16:09 ` [PATCH v7 14/15] lib/bootconfig: use size_t for key length tracking in xbc_verify_tree() Josh Law
2026-03-17 16:09 ` [PATCH v7 15/15] lib/bootconfig: change xbc_node_index() return type to uint16_t Josh Law
2026-03-18 15:34 ` [PATCH v7 00/15] bootconfig: fixes, cleanups, and modernization Masami Hiramatsu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260317160916.33576-1-objecting@objecting.org \
--to=objecting@objecting.org \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=rostedt@goodmis.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.