From: Kees Cook <kees@kernel.org>
To: Justin Stitt <justinstitt@google.com>,
Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Peter Zijlstra" <peterz@infradead.org>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Nathan Chancellor" <nathan@kernel.org>,
"Andrew Morton" <akpm@linux-foundation.org>,
"Andy Shevchenko" <andriy.shevchenko@linux.intel.com>,
"Arnd Bergmann" <arnd@arndb.de>,
"Mark Rutland" <mark.rutland@arm.com>,
"Matthew Wilcox (Oracle)" <willy@infradead.org>,
"Suren Baghdasaryan" <surenb@google.com>,
"Thomas Gleixner" <tglx@kernel.org>,
"Finn Thain" <fthain@linux-m68k.org>,
"Geert Uytterhoeven" <geert+renesas@glider.be>,
"Thomas Weißschuh" <thomas.weissschuh@linutronix.de>,
llvm@lists.linux.dev, "Marco Elver" <elver@google.com>,
"Jonathan Corbet" <corbet@lwn.net>,
"Nicolas Schier" <nsc@kernel.org>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com,
linux-hardening@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kbuild@vger.kernel.org
Subject: Re: [PATCH 5/5] types: Add standard __ob_trap and __ob_wrap scalar types
Date: Tue, 31 Mar 2026 16:49:12 -0700 [thread overview]
Message-ID: <202603311643.47D533CD4@keescook> (raw)
In-Reply-To: <CAFhGd8rE+ggYghcwUphSRc2ftQMaX7LbKKPwQZzsw43bg9VVmA@mail.gmail.com>
On Tue, Mar 31, 2026 at 02:50:39PM -0700, Justin Stitt wrote:
> On Tue, Mar 31, 2026 at 2:05 PM Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
> >
> > On Tue, 31 Mar 2026 at 13:31, Kees Cook <kees@kernel.org> wrote:
> > >
> > > (Isn't this just an implicit "try"?)
> >
> > Yes. And I think that's ok.
> >
> > I think try/catch is broken for a few reasons, but the fact that catch
> > and try are tied together so closely is the main one. You can't "try"
> > inside a scope without having the "catch" inside the same scope.
> >
> > So then the solution is to just move the try to the outermost layer,
> > and I think that's pretty much what everybody does.
> >
> > But at that point, why not just move it *all* the way out, and make it
> > implicit and invisible?
>
> How do we feel about type-defined labels? We can specify sane default
> handlers where we define the types:
>
> typedef int __attribute__((overflow_behavior(trap, __handle_me))) trapping_int;
>
> ... and define specialized handlers later on
>
> int func()
> {
> ...
> u8 __attribute__((overflow_behavior(trap, __BOOOOM))) product = 5;
> ...
> product = a * b; // if store is truncated, goto __overflow
> ...
> return product;
>
> __BOOOOM:
> pr_info("%u\n", product); // shows "5"
> return -1;
> }
Yeah, I think this could work. As long as there's nothing special about
the label mapping (i.e. many types can share the same label).
> We would then probably want a kernel shorthand to avoid long type definitions.
>
> #define __TRAP(handler) __attribute__((overflow_behavior(trap,
> handler)))
>
>
> At least this way the label is always defined somewhere in-source
> rather than by a magic -fhandle-my-overflow-at=__overflow
Yeah, this sticks to Peter's "define in source" mandate from Plumbers.
Linus, does that still sound reasonable?
Also, is the preference still for "loud" names ("trap_u32") for the
trapping scalar typedefs, or does the advent of the "required label on
usage" make it more reasonable to have shorter names ("u32t")? I'm fine
either way. I think there are pros and cons all over the place for the
naming.
-Kees
--
Kees Cook
next prev parent reply other threads:[~2026-03-31 23:49 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-31 16:37 [PATCH 0/5] Introduce Overflow Behavior Types Kees Cook
2026-03-31 16:37 ` [PATCH 1/5] refcount: Remove unused __signed_wrap function annotations Kees Cook
2026-03-31 16:37 ` [PATCH 2/5] hardening: Introduce Overflow Behavior Types support Kees Cook
2026-03-31 16:37 ` [PATCH 3/5] compiler_attributes: Add overflow_behavior macros __ob_trap and __ob_wrap Kees Cook
2026-03-31 17:01 ` Miguel Ojeda
2026-03-31 17:09 ` Miguel Ojeda
2026-03-31 17:09 ` Justin Stitt
2026-03-31 17:14 ` Miguel Ojeda
2026-03-31 17:17 ` Justin Stitt
2026-03-31 19:52 ` Kees Cook
2026-04-01 9:08 ` Peter Zijlstra
2026-04-01 20:21 ` Kees Cook
2026-04-01 20:30 ` Peter Zijlstra
2026-04-01 20:55 ` Kees Cook
2026-04-01 23:42 ` Justin Stitt
2026-04-02 9:13 ` David Laight
2026-03-31 17:16 ` Linus Torvalds
2026-03-31 17:18 ` Linus Torvalds
2026-04-01 7:19 ` Vincent Mailhol
2026-04-01 9:20 ` Peter Zijlstra
2026-04-01 19:43 ` Kees Cook
2026-04-01 19:42 ` Kees Cook
2026-03-31 16:37 ` [PATCH 4/5] lkdtm/bugs: Add basic Overflow Behavior Types test Kees Cook
2026-03-31 17:16 ` Justin Stitt
2026-03-31 16:37 ` [PATCH 5/5] types: Add standard __ob_trap and __ob_wrap scalar types Kees Cook
2026-03-31 17:10 ` Linus Torvalds
2026-03-31 17:47 ` Miguel Ojeda
2026-03-31 18:02 ` Linus Torvalds
2026-03-31 18:25 ` Linus Torvalds
2026-03-31 18:59 ` Kees Cook
2026-03-31 20:01 ` Linus Torvalds
2026-03-31 18:32 ` Kees Cook
2026-03-31 18:36 ` Linus Torvalds
2026-03-31 18:16 ` Kees Cook
2026-03-31 20:03 ` Kees Cook
2026-03-31 20:11 ` Linus Torvalds
2026-03-31 20:18 ` Linus Torvalds
2026-03-31 20:31 ` Kees Cook
2026-03-31 20:58 ` Linus Torvalds
2026-03-31 21:50 ` Justin Stitt
2026-03-31 23:49 ` Kees Cook [this message]
2026-03-31 23:50 ` Linus Torvalds
2026-04-01 8:31 ` Peter Zijlstra
2026-04-01 20:52 ` Kees Cook
2026-04-02 5:38 ` Peter Zijlstra
2026-04-10 17:48 ` Justin Stitt
2026-04-01 8:57 ` Peter Zijlstra
2026-04-01 20:23 ` Kees Cook
2026-04-01 9:38 ` Peter Zijlstra
2026-04-01 21:41 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202603311643.47D533CD4@keescook \
--to=kees@kernel.org \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=arnd@arndb.de \
--cc=corbet@lwn.net \
--cc=elver@google.com \
--cc=fthain@linux-m68k.org \
--cc=geert+renesas@glider.be \
--cc=gregkh@linuxfoundation.org \
--cc=justinstitt@google.com \
--cc=kasan-dev@googlegroups.com \
--cc=linux-doc@vger.kernel.org \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=llvm@lists.linux.dev \
--cc=mark.rutland@arm.com \
--cc=nathan@kernel.org \
--cc=nsc@kernel.org \
--cc=ojeda@kernel.org \
--cc=peterz@infradead.org \
--cc=surenb@google.com \
--cc=tglx@kernel.org \
--cc=thomas.weissschuh@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.