All of lore.kernel.org
 help / color / mirror / Atom feed
From: Peter Zijlstra <peterz@infradead.org>
To: Kees Cook <kees@kernel.org>
Cc: "Linus Torvalds" <torvalds@linux-foundation.org>,
	"Justin Stitt" <justinstitt@google.com>,
	"Miguel Ojeda" <ojeda@kernel.org>,
	"Nathan Chancellor" <nathan@kernel.org>,
	"Andrew Morton" <akpm@linux-foundation.org>,
	"Andy Shevchenko" <andriy.shevchenko@linux.intel.com>,
	"Arnd Bergmann" <arnd@arndb.de>,
	"Mark Rutland" <mark.rutland@arm.com>,
	"Matthew Wilcox (Oracle)" <willy@infradead.org>,
	"Suren Baghdasaryan" <surenb@google.com>,
	"Thomas Gleixner" <tglx@kernel.org>,
	"Finn Thain" <fthain@linux-m68k.org>,
	"Geert Uytterhoeven" <geert+renesas@glider.be>,
	"Thomas Weißschuh" <thomas.weissschuh@linutronix.de>,
	llvm@lists.linux.dev, "Marco Elver" <elver@google.com>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Nicolas Schier" <nsc@kernel.org>,
	"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	linux-kernel@vger.kernel.org, kasan-dev@googlegroups.com,
	linux-hardening@vger.kernel.org, linux-doc@vger.kernel.org,
	linux-kbuild@vger.kernel.org
Subject: Re: [PATCH 5/5] types: Add standard __ob_trap and __ob_wrap scalar types
Date: Wed, 1 Apr 2026 10:31:37 +0200	[thread overview]
Message-ID: <20260401083137.GT3738786@noisy.programming.kicks-ass.net> (raw)
In-Reply-To: <202603311321.4EE9FEA@keescook>

On Tue, Mar 31, 2026 at 01:31:16PM -0700, Kees Cook wrote:

(still slowly digesting the thread)

> Yeah, as you mentioned earlier, I'd agree that nesting is rarely
> useful. The only thing I'd want to be careful about is ordering/scope. I
> *think* it would just operate as a "goto" and things like the cleanup.h
> handlers wouldn't be involved: they operate when a scope is crossed
> like before. And I think the overflow result wouldn't be represented
> anywhere. i.e. the wrapped/truncated value wouldn't be stored:
> 
> int func()
> {
> 	...
> 	u8 __ob_trap product = 5;
> 	...
> 	product = a * b; // if store is truncated, goto __overflow
> 	...
> 	return product;
> 
> __overflow:
> 	pr_info("%u\n", product); // shows "5"
> 	return -1;
> }

Note that there is a 'fun' problem with this in combination with
cleanup.h.

Something like:

int func()
{
	u8 __ob_trap prod = 0;

	scoped_guard (mutex, &my_lock) {
		prod = a * b;
	}

	return prod;

__overflow:
	// whatever
	return -1;
}

is fine. *HOWEVER*, something like:

int func()
{
	int __ob_trap size = base + count * extra;
	int err;

	struct my_obj *obj __cleanup(kfree) = kzalloc(size, GFP_KERNEL);

	err = my_obj_init(obj);
	if (err)
		return ERR_PTR(err);

	return_ptr(obj);

__overflow:
	// what now..
	return NULL;
}

is most terribly broken. Specifically, the goto will jump into the scope
of obj -- and that is not allowed.



  parent reply	other threads:[~2026-04-01  8:31 UTC|newest]

Thread overview: 50+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-31 16:37 [PATCH 0/5] Introduce Overflow Behavior Types Kees Cook
2026-03-31 16:37 ` [PATCH 1/5] refcount: Remove unused __signed_wrap function annotations Kees Cook
2026-03-31 16:37 ` [PATCH 2/5] hardening: Introduce Overflow Behavior Types support Kees Cook
2026-03-31 16:37 ` [PATCH 3/5] compiler_attributes: Add overflow_behavior macros __ob_trap and __ob_wrap Kees Cook
2026-03-31 17:01   ` Miguel Ojeda
2026-03-31 17:09     ` Miguel Ojeda
2026-03-31 17:09     ` Justin Stitt
2026-03-31 17:14       ` Miguel Ojeda
2026-03-31 17:17         ` Justin Stitt
2026-03-31 19:52       ` Kees Cook
2026-04-01  9:08         ` Peter Zijlstra
2026-04-01 20:21           ` Kees Cook
2026-04-01 20:30             ` Peter Zijlstra
2026-04-01 20:55               ` Kees Cook
2026-04-01 23:42               ` Justin Stitt
2026-04-02  9:13             ` David Laight
2026-03-31 17:16   ` Linus Torvalds
2026-03-31 17:18     ` Linus Torvalds
2026-04-01  7:19   ` Vincent Mailhol
2026-04-01  9:20     ` Peter Zijlstra
2026-04-01 19:43       ` Kees Cook
2026-04-01 19:42     ` Kees Cook
2026-03-31 16:37 ` [PATCH 4/5] lkdtm/bugs: Add basic Overflow Behavior Types test Kees Cook
2026-03-31 17:16   ` Justin Stitt
2026-03-31 16:37 ` [PATCH 5/5] types: Add standard __ob_trap and __ob_wrap scalar types Kees Cook
2026-03-31 17:10   ` Linus Torvalds
2026-03-31 17:47     ` Miguel Ojeda
2026-03-31 18:02       ` Linus Torvalds
2026-03-31 18:25         ` Linus Torvalds
2026-03-31 18:59           ` Kees Cook
2026-03-31 20:01             ` Linus Torvalds
2026-03-31 18:32         ` Kees Cook
2026-03-31 18:36           ` Linus Torvalds
2026-03-31 18:16       ` Kees Cook
2026-03-31 20:03     ` Kees Cook
2026-03-31 20:11       ` Linus Torvalds
2026-03-31 20:18         ` Linus Torvalds
2026-03-31 20:31         ` Kees Cook
2026-03-31 20:58           ` Linus Torvalds
2026-03-31 21:50             ` Justin Stitt
2026-03-31 23:49               ` Kees Cook
2026-03-31 23:50               ` Linus Torvalds
2026-04-01  8:31           ` Peter Zijlstra [this message]
2026-04-01 20:52             ` Kees Cook
2026-04-02  5:38               ` Peter Zijlstra
2026-04-10 17:48                 ` Justin Stitt
2026-04-01  8:57           ` Peter Zijlstra
2026-04-01 20:23             ` Kees Cook
2026-04-01  9:38           ` Peter Zijlstra
2026-04-01 21:41             ` Kees Cook

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260401083137.GT3738786@noisy.programming.kicks-ass.net \
    --to=peterz@infradead.org \
    --cc=akpm@linux-foundation.org \
    --cc=andriy.shevchenko@linux.intel.com \
    --cc=arnd@arndb.de \
    --cc=corbet@lwn.net \
    --cc=elver@google.com \
    --cc=fthain@linux-m68k.org \
    --cc=geert+renesas@glider.be \
    --cc=gregkh@linuxfoundation.org \
    --cc=justinstitt@google.com \
    --cc=kasan-dev@googlegroups.com \
    --cc=kees@kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kbuild@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=llvm@lists.linux.dev \
    --cc=mark.rutland@arm.com \
    --cc=nathan@kernel.org \
    --cc=nsc@kernel.org \
    --cc=ojeda@kernel.org \
    --cc=surenb@google.com \
    --cc=tglx@kernel.org \
    --cc=thomas.weissschuh@linutronix.de \
    --cc=torvalds@linux-foundation.org \
    --cc=willy@infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.