From: Kees Cook <keescook@chromium.org>
To: Alexander Lobakin <aleksander.lobakin@intel.com>
Cc: Przemek Kitszel <przemyslaw.kitszel@intel.com>,
netdev@vger.kernel.org, Jacob Keller <jacob.e.keller@intel.com>,
intel-wired-lan@lists.osuosl.org,
linux-hardening@vger.kernel.org,
Steven Zou <steven.zou@intel.com>
Subject: Re: [PATCH net-next v1 1/7] overflow: add DEFINE_FLEX() for on-stack allocs
Date: Thu, 10 Aug 2023 11:31:45 -0700 [thread overview]
Message-ID: <202308101128.C4F0FA235@keescook> (raw)
In-Reply-To: <e6565705-4867-c07f-5cc7-4e9155b5a4e9@intel.com>
On Thu, Aug 10, 2023 at 06:24:47PM +0200, Alexander Lobakin wrote:
> From: Przemek Kitszel <przemyslaw.kitszel@intel.com>
> Date: Thu, 10 Aug 2023 06:35:03 -0400
>
> > Add DEFINE_FLEX() macro for on-stack allocations of structs with
> > flexible array member.
> >
> > Add also const_flex_size() macro, that reads size of structs
> > allocated by DEFINE_FLEX().
> >
> > Using underlying array for on-stack storage lets us to declare
> > known-at-compile-time structures without kzalloc().
> >
> > Actual usage for ice driver is in following patches of the series.
> >
> > Signed-off-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
> > ---
> > v1: change macro name; add macro for size read;
> > accept struct type instead of ptr to it; change alignment;
> > ---
> > include/linux/overflow.h | 27 +++++++++++++++++++++++++++
> > 1 file changed, 27 insertions(+)
> >
> > diff --git a/include/linux/overflow.h b/include/linux/overflow.h
> > index f9b60313eaea..21a4410799eb 100644
> > --- a/include/linux/overflow.h
> > +++ b/include/linux/overflow.h
> > @@ -309,4 +309,31 @@ static inline size_t __must_check size_sub(size_t minuend, size_t subtrahend)
> > #define struct_size_t(type, member, count) \
> > struct_size((type *)NULL, member, count)
> >
> > +/**
> > + * DEFINE_FLEX() - Define a zeroed, on-stack, instance of @type structure with
> > + * a trailing flexible array member.
> > + *
> > + * @type: structure type name, including "struct" keyword.
> > + * @name: Name for a variable to define.
> > + * @member: Name of the array member.
> > + * @count: Number of elements in the array; must be compile-time const.
> > + */
> > +#define DEFINE_FLEX(type, name, member, count) \
> > + union { \
> > + u8 bytes[struct_size_t(type, member, count)]; \
> > + type obj; \
> > + } name##_u __aligned(_Alignof(type)) = {}; \
>
> Hmm. Should we always zero it? The onstack variables are not zeroed
> automatically.
> I realize the onstack structures declared via this macro can't be
> initialized on the same line via = { }, but OTOH memset() with const len
> and for onstack structs usually gets expanded into static initialization.
> The main reason why I'm asking is that sometimes we don't need zeroing
> at all, for example for small structures when we then manually set all
> the fields either way. I don't think hiding static initialization inside
> the macro is a good move.
I strongly think this should be always zeroed. In the case where all
members are initialized, the zeroing will be elided by the compiler
during Dead Store Elimination optimization passes.
Additionally, padding, if present, would not get zeroed even if all
members got initialized separately, and if any memcpy() of the structure
was made, it would contain leaked memory contents.
Any redundant initializations will be avoided by the compiler, so let's
be safe by default and init the whole thing to zero.
-Kees
--
Kees Cook
next prev parent reply other threads:[~2023-08-10 18:31 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-10 10:35 [PATCH net-next v1 0/7] introduce DEFINE_FLEX() macro Przemek Kitszel
2023-08-10 10:35 ` [PATCH net-next v1 1/7] overflow: add DEFINE_FLEX() for on-stack allocs Przemek Kitszel
2023-08-10 16:24 ` Alexander Lobakin
2023-08-10 18:31 ` Kees Cook [this message]
2023-08-16 12:23 ` Alexander Lobakin
2023-08-10 18:46 ` Kees Cook
2023-08-11 9:10 ` Przemek Kitszel
2023-08-10 10:35 ` [PATCH net-next v1 2/7] ice: ice_sched_remove_elems: replace 1 elem array param by u32 Przemek Kitszel
2023-08-10 10:35 ` [PATCH net-next v1 3/7] ice: drop two params of ice_aq_move_sched_elems() Przemek Kitszel
2023-08-10 10:35 ` [PATCH net-next v1 4/7] ice: make use of DEFINE_FLEX() in ice_ddp.c Przemek Kitszel
2023-08-10 10:35 ` [PATCH net-next v1 5/7] ice: make use of DEFINE_FLEX() for struct ice_aqc_add_tx_qgrp Przemek Kitszel
2023-08-10 10:35 ` [PATCH net-next v1 6/7] ice: make use of DEFINE_FLEX() for struct ice_aqc_dis_txq_item Przemek Kitszel
2023-08-10 10:35 ` [PATCH net-next v1 7/7] ice: make use of DEFINE_FLEX() in ice_switch.c Przemek Kitszel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202308101128.C4F0FA235@keescook \
--to=keescook@chromium.org \
--cc=aleksander.lobakin@intel.com \
--cc=intel-wired-lan@lists.osuosl.org \
--cc=jacob.e.keller@intel.com \
--cc=linux-hardening@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=przemyslaw.kitszel@intel.com \
--cc=steven.zou@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).