On 01/05/18 22:30, Dan Williams wrote:
> On Fri, Jan 5, 2018 at 6:22 PM, Eric W. Biederman <ebiederm@xxxxxxxxxxxx> wrote:
>> Please expand this.
>>
>> It is not clear what the static analysis is looking for. Having a clear
>> description of what is being fixed is crucial for allowing any of these
>> changes.
>>
>> For the details given in the change description what I read is magic
>> changes because a magic process says this code is vulnerable.
>
> Yes, that was my first reaction to the patches as well. I try below to
> add some more background and guidance, but in the end these are static
> analysis reports across a wide swath of sub-systems. It's going to
> take some iteration with domain experts to improve the patch
> descriptions, and that's the point of this series, to get the better
> trained eyes from the actual sub-system owners to take a look at these
> reports.

More information about what the static analysis is looking for would
definitely be welcome.

Additionally, since the analysis tool is not publicly available, how are
authors of new kernel code assumed to verify whether or not their code
needs to use nospec_array_ptr()? How are reviewers of kernel code
assumed to verify whether or not nospec_array_ptr() is missing where it
should be used?

Since this patch series only modifies the upstream kernel, how will
out-of-tree drivers be fixed, e.g. the nVidia driver and the Android
drivers?

Thanks,

Bart.