Re: [PATCH 19/32] afs: Use mem_to_flex_dup() with struct afs_acl
Kees Cook keescook@chromium.org wrote:
struct afs_acl {
- u32 size;
- u8 data[];
- DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u32, size);
- DECLARE_FLEX_ARRAY_ELEMENTS(u8, data);
};
Oof... That's really quite unpleasant syntax. Is it not possible to have mem_to_flex_dup() and friends work without that? You are telling them the fields they have to fill in.
- struct afs_acl *acl = NULL;
- acl = kmalloc(sizeof(*acl) + size, GFP_KERNEL);
- if (!acl) {
- if (mem_to_flex_dup(&acl, buffer, size, GFP_KERNEL)) {
Please don't do that. Either do:
acl = mem_to_flex_dup(buffer, size, GFP_KERNEL); if (!acl)
or:
acl = mem_to_flex_dup(buffer, size, GFP_KERNEL); if (IS_ERR(acl))
Please especially don't make it that an apparent 'true' return indicates an error. If you absolutely must return the acl pointer through the argument list (presumably because it's actually a macro), make it return false on failure:
if (!mem_to_flex_dup(&acl, buffer, size, GFP_KERNEL))
or return and explicitly check for an error code:
if (mem_to_flex_dup(&acl, buffer, size, GFP_KERNEL) < 0)
or:
ret = mem_to_flex_dup(&acl, buffer, size, GFP_KERNEL); if (ret < 0)
(or use != 0 rather than < 0)
David
On Thu, May 12, 2022 at 10:41:05PM +0100, David Howells wrote:
Kees Cook keescook@chromium.org wrote:
struct afs_acl {
- u32 size;
- u8 data[];
- DECLARE_FLEX_ARRAY_ELEMENTS_COUNT(u32, size);
- DECLARE_FLEX_ARRAY_ELEMENTS(u8, data);
};
Oof... That's really quite unpleasant syntax. Is it not possible to have mem_to_flex_dup() and friends work without that? You are telling them the fields they have to fill in.
Other threads discussed this too. I'm hoping to have something more flexible (pardon the pun) in v2.
[...] or:
ret = mem_to_flex_dup(&acl, buffer, size, GFP_KERNEL); if (ret < 0)
(or use != 0 rather than < 0)
Sure, I can make the tests more explicit. The kerndoc, etc all shows it's using < 0 for errors.
participants (2)
-
David Howells -
Kees Cook