On Wed, Aug 15, 2018 at 1:18 PM, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> I absolutely refuse to take any hardening patches at all that have
> BUG() or panic() or similar machine-killing in it.

Okay, mental model adjusted. :) It was only "strongly discouraged" until now.

> I thought VLA's were mostly gone.

Yes. Out of the ~115 instances we counted when we started with v4.16, we've
chipped away at them pretty steadily. Right now there are two "one-off"s that
haven't been picked up by maintainers:

https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=vla/leftovers

and the remaining series against crypto, for which I am waiting on further
review from Herbert. All the really odd-ball crypto cases have been handled
(and are up for the merge window for v4.19), but there's still some minor
changes that Herbert is examining:

https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/log/?h=vla/crypto

And after that, there's a single patch to move -Wvla up into the top-level
Makefile:

https://patchwork.kernel.org/patch/10489873/

So, we're basically done, but the timing with the merge window wasn't great
since crypto continues to get tweaked and has taken much longer than I had
expected.

-Kees

--
Kees Cook
Pixel Security
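The pattern the thread is about, as an added example that is not part of the
message above and not code from the kernel or from the linked series: a
stack buffer whose size is a variable-length array (the kind of construct
-Wvla reports), placed beside the bounded replacement that rejects oversized
input with an error return instead of a BUG() or panic(). The function names,
the MAX_BUF_LEN bound and the sample input are constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed upper bound for the scratch buffer; hypothetical, chosen for
 * this example rather than taken from any kernel code. */
#define MAX_BUF_LEN 64

/* Before: the buffer size is decided at run time from a caller-supplied
 * length. The compiler cannot bound the stack frame, and an untrusted
 * len can exhaust the stack. Building with -Wvla warns on the array. */
int checksum_with_vla(const uint8_t *in, size_t len)
{
	uint8_t tmp[len];               /* variable-length array */
	int sum = 0;

	memcpy(tmp, in, len);
	for (size_t i = 0; i < len; i++)
		sum += tmp[i];
	return sum;
}

/* After: a fixed maximum with an explicit bounds check. The stack frame
 * is now a compile-time constant, and an oversized request is reported
 * to the caller (kernel style, negative errno) rather than killing the
 * machine with BUG() or overflowing the stack. */
int checksum_bounded(const uint8_t *in, size_t len)
{
	uint8_t tmp[MAX_BUF_LEN];
	int sum = 0;

	if (len > sizeof(tmp))
		return -EINVAL;          /* reject, do not crash */
	memcpy(tmp, in, len);
	for (size_t i = 0; i < len; i++)
		sum += tmp[i];
	return sum;
}

/* Constructed sample input for the demonstration below. */
static const uint8_t sample[] = { 1, 2, 3, 4 };

/* Both versions agree on input that fits the fixed bound. */
int demo_in_bounds(void)
{
	int a = checksum_with_vla(sample, sizeof(sample));
	int b = checksum_bounded(sample, sizeof(sample));

	return (a == b) ? a : -1;
}

/* Input larger than the bound is refused by the hardened version. The
 * VLA version is deliberately not called here: it would happily size a
 * stack array from whatever length it is handed. */
int demo_too_large(void)
{
	uint8_t big[MAX_BUF_LEN + 1];

	memset(big, 0xff, sizeof(big));
	return checksum_bounded(big, sizeof(big));
}
```

Compiling the block with `-Wvla` flags the array in `checksum_with_vla`
and stays silent on `checksum_bounded`; that warning, promoted to the
top-level Makefile, is what keeps new instances from being reintroduced
once the existing ones are gone.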