From: Josh Law <objecting@objecting.org>
To: Masami Hiramatsu <mhiramat@kernel.org>,
Andrew Morton <akpm@linux-foundation.org>
Cc: Steven Rostedt <rostedt@goodmis.org>,
linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org,
Josh Law <objecting@objecting.org>
Subject: [PATCH v6 00/17] bootconfig: fixes, cleanups, and modernization
Date: Sun, 15 Mar 2026 12:19:58 +0000 [thread overview]
Message-ID: <20260315122015.55965-1-objecting@objecting.org> (raw)
This series addresses a collection of issues found during a review of
lib/bootconfig.c, include/linux/bootconfig.h, and tools/bootconfig,
ranging from off-by-one errors and unchecked return values to coding
style, signedness/type cleanup, and API modernization.
Changes since v5:
- Folded typo fixes, kerneldoc blank line, and inconsistent bracing
patches (v5 02-05, 07) into a single patch (patch 2).
- Dropped "use __packed macro for struct xbc_node" (v5 11) and
"add __packed definition to tools/bootconfig shim header" (v5 14)
per review feedback.
- Added Fixes: tag to "check xbc_init_node() return in override
path" (patch 10).
- Added Fixes: tag to "fix fd leak in load_xbc_file() on fstat
failure" (patch 11).
Changes since v4:
- Added six follow-up patches found via static analysis with strict
GCC warnings (patches 12-17).
- Added "fix signed comparison in xbc_node_get_data()" -- switch the
masked offset variable to unsigned int and compare against
XBC_DATA_MAX to avoid a signed comparison and make the mask
self-documenting (patch 12).
- Added "use size_t for strlen result in xbc_node_match_prefix()"
and "use size_t for key length tracking in xbc_verify_tree()" to
match strlen() return types (patches 13, 15).
- Added "narrow offset type in xbc_init_node()" -- use a validated
unsigned int temporary for the stored 15-bit data offset
(patch 14).
- Added "fix sign-compare in xbc_node_compose_key_after()" -- cast
the checked snprintf() return when comparing and subtracting
against a size_t buffer length (patch 16).
- Added "change xbc_node_index() return type to uint16_t" -- match
the 16-bit storage fields and XBC_NODE_MAX bounds (patch 17).
Changes since v3:
- Added commit descriptions to all patches that were missing them.
- Added real-world impact statements to all bug-fix patches.
Changes since v2:
- Added "validate child node index in xbc_verify_tree()" (patch 9).
- Added "check xbc_init_node() return in override path" (patch 10).
- Added "fix fd leak in load_xbc_file() on fstat failure" (patch 11).
Changes since v1:
- Dropped "return empty string instead of NULL from
xbc_node_get_data()" -- returning "" causes false matches in
xbc_node_match_prefix() because strncmp(..., "", 0) always
returns 0.
Bug fixes:
- Fix off-by-one in xbc_verify_tree() where a next-node index equal
to xbc_node_num passes the bounds check despite being out of range;
a malformed bootconfig could cause an out-of-bounds read of kernel
memory during tree traversal at boot time (patch 4).
- Move xbc_node_num increment to after xbc_init_node() validation
so a failed init does not leave a partially initialized node
counted in the array; on a maximum-size bootconfig, the
uninitialized node could be traversed leading to unpredictable
boot behavior (patch 5).
- Validate child node indices in xbc_verify_tree() alongside the
existing next-node check; without this, a corrupt bootconfig could
trigger an out-of-bounds memory access via an invalid child index
during tree traversal (patch 9).
- Check xbc_init_node() return value in the ':=' override path; a
bootconfig using ':=' near the 32KB data limit could silently
retain the old value, meaning a security-relevant boot parameter
override would not take effect (patch 10).
- Fix file descriptor leak in tools/bootconfig load_xbc_file()
when fstat() fails (patch 11).
Correctness:
- Add missing __init annotations to skip_comment() and
skip_spaces_until_newline() so their memory can be reclaimed
after init (patch 1).
- Narrow the flag parameter in node creation helpers from uint32_t
to uint16_t to match the xbc_node.data field width (patch 3).
- Constify the xbc_calc_checksum() data parameter since it only
reads the buffer (patch 7).
- Fix strict-GCC signedness and narrowing warnings by aligning local
types with strlen()/snprintf() APIs and the 16-bit node index/data
storage in xbc_node_get_data(), xbc_node_match_prefix(),
xbc_init_node(), xbc_verify_tree(), xbc_node_compose_key_after(),
and xbc_node_index() (patches 12-17).
Cleanups:
- Fix comment typos, missing blank line before kerneldoc,
inconsistent if/else bracing (patch 2).
- Drop redundant memset after memblock_alloc which already returns
zeroed memory; switch the userspace path from malloc to calloc
to match (patch 6).
Modernization:
- Replace the catch-all linux/kernel.h include with the specific
headers needed: linux/cache.h, linux/compiler.h, and
linux/sprintf.h (patch 8).
Build-tested with both the in-kernel build (lib/bootconfig.o,
init/main.o) and the userspace tools/bootconfig build. All 70
tools/bootconfig test cases pass.
Josh Law (17):
lib/bootconfig: add missing __init annotations to static helpers
lib/bootconfig: fix typos, kerneldoc, and inconsistent if/else bracing
lib/bootconfig: narrow flag parameter type from uint32_t to uint16_t
lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check
lib/bootconfig: increment xbc_node_num after node init succeeds
lib/bootconfig: drop redundant memset of xbc_nodes
bootconfig: constify xbc_calc_checksum() data parameter
lib/bootconfig: replace linux/kernel.h with specific includes
lib/bootconfig: validate child node index in xbc_verify_tree()
lib/bootconfig: check xbc_init_node() return in override path
tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure
lib/bootconfig: fix signed comparison in xbc_node_get_data()
lib/bootconfig: use size_t for strlen result in
xbc_node_match_prefix()
lib/bootconfig: narrow offset type in xbc_init_node()
lib/bootconfig: use size_t for key length tracking in
xbc_verify_tree()
lib/bootconfig: fix sign-compare in xbc_node_compose_key_after()
lib/bootconfig: change xbc_node_index() return type to uint16_t
include/linux/bootconfig.h | 6 ++--
lib/bootconfig.c | 71 ++++++++++++++++++++++----------------
tools/bootconfig/main.c | 4 ++-
3 files changed, 47 insertions(+), 34 deletions(-)
--
2.34.1
next reply other threads:[~2026-03-15 12:20 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-15 12:19 Josh Law [this message]
2026-03-15 12:19 ` [PATCH v6 01/17] lib/bootconfig: add missing __init annotations to static helpers Josh Law
2026-03-17 7:33 ` Masami Hiramatsu
2026-03-15 12:20 ` [PATCH v6 02/17] lib/bootconfig: fix typos, kerneldoc, and inconsistent if/else bracing Josh Law
2026-03-15 12:20 ` [PATCH v6 03/17] lib/bootconfig: narrow flag parameter type from uint32_t to uint16_t Josh Law
2026-03-15 12:20 ` [PATCH v6 04/17] lib/bootconfig: fix off-by-one in xbc_verify_tree() next node check Josh Law
2026-03-15 12:20 ` [PATCH v6 05/17] lib/bootconfig: increment xbc_node_num after node init succeeds Josh Law
2026-03-15 12:20 ` [PATCH v6 06/17] lib/bootconfig: drop redundant memset of xbc_nodes Josh Law
2026-03-17 11:46 ` Markus Elfring
2026-03-15 12:20 ` [PATCH v6 07/17] bootconfig: constify xbc_calc_checksum() data parameter Josh Law
2026-03-15 12:20 ` [PATCH v6 08/17] lib/bootconfig: replace linux/kernel.h with specific includes Josh Law
2026-03-15 12:20 ` [PATCH v6 09/17] lib/bootconfig: validate child node index in xbc_verify_tree() Josh Law
2026-03-17 11:03 ` Markus Elfring
2026-03-17 15:10 ` Steven Rostedt
2026-03-18 7:30 ` [RFC] Coding style consequences for multi-line statements? Markus Elfring
2026-03-15 12:20 ` [PATCH v6 10/17] lib/bootconfig: check xbc_init_node() return in override path Josh Law
2026-03-15 12:20 ` [PATCH v6 11/17] tools/bootconfig: fix fd leak in load_xbc_file() on fstat failure Josh Law
2026-03-17 7:31 ` Masami Hiramatsu
2026-03-17 7:34 ` Josh Law
2026-03-15 12:20 ` [PATCH v6 12/17] lib/bootconfig: fix signed comparison in xbc_node_get_data() Josh Law
2026-03-16 23:57 ` Masami Hiramatsu
2026-03-15 12:20 ` [PATCH v6 13/17] lib/bootconfig: use size_t for strlen result in xbc_node_match_prefix() Josh Law
2026-03-15 12:20 ` [PATCH v6 14/17] lib/bootconfig: narrow offset type in xbc_init_node() Josh Law
2026-03-17 0:55 ` Masami Hiramatsu
2026-03-15 12:20 ` [PATCH v6 15/17] lib/bootconfig: use size_t for key length tracking in xbc_verify_tree() Josh Law
2026-03-15 12:20 ` [PATCH v6 16/17] lib/bootconfig: fix sign-compare in xbc_node_compose_key_after() Josh Law
2026-03-17 7:55 ` Masami Hiramatsu
2026-03-17 16:15 ` Steven Rostedt
2026-03-17 16:15 ` Josh Law
2026-03-17 17:35 ` Josh Law
2026-03-17 23:15 ` Masami Hiramatsu
2026-03-17 23:18 ` Josh Law
2026-03-15 12:20 ` [PATCH v6 17/17] lib/bootconfig: change xbc_node_index() return type to uint16_t Josh Law
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260315122015.55965-1-objecting@objecting.org \
--to=objecting@objecting.org \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=mhiramat@kernel.org \
--cc=rostedt@goodmis.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox