From: Kees Cook <keescook@chromium.org>
To: Joe Perches <joe@perches.com>
Cc: linux-kernel@vger.kernel.org,
Daniel Micay <danielmicay@gmail.com>,
Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
Vlastimil Babka <vbabka@suse.cz>,
linux-mm@kvack.org, Miguel Ojeda <ojeda@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>,
Dennis Zhou <dennis@kernel.org>, Tejun Heo <tj@kernel.org>,
Masahiro Yamada <masahiroy@kernel.org>,
Michal Marek <michal.lkml@markovi.net>,
clang-built-linux@googlegroups.com, linux-kbuild@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH 2/5] slab: Add __alloc_size attributes for better bounds checking
Date: Tue, 17 Aug 2021 23:16:47 -0700 [thread overview]
Message-ID: <202108172312.7032A3E@keescook> (raw)
In-Reply-To: <f3e56f56c36b32dc76e174886008a2a1ecf3fefa.camel@perches.com>
On Tue, Aug 17, 2021 at 10:31:32PM -0700, Joe Perches wrote:
> On Tue, 2021-08-17 at 22:08 -0700, Kees Cook wrote:
> > As already done in GrapheneOS, add the __alloc_size attribute for
> > regular kmalloc interfaces, to provide additional hinting for better
> > bounds checking, assisting CONFIG_FORTIFY_SOURCE and other compiler
> > optimizations.
> []
> > diff --git a/include/linux/slab.h b/include/linux/slab.h
> []
> > @@ -181,7 +181,7 @@ int kmem_cache_shrink(struct kmem_cache *);
> > /*
> > * Common kmalloc functions provided by all allocators
> > */
> > -void * __must_check krealloc(const void *, size_t, gfp_t);
> > +void * __must_check krealloc(const void *, size_t, gfp_t) __alloc_size(2);
>
> I suggest the __alloc_size attribute be placed at the beginning of the
> function declaration to be more similar to the common __printf attribute
> location uses.
Yeah, any consistent ordering suggestions are welcome here; thank you!
These declarations were all over the place, and trying to follow each
slightly different existing style made my eyes hurt. :)
> __alloc_size(2)
> void * __must_check krealloc(const void *, size_t, gfp_t);
>
> I really prefer the __must_check to be with the other attribute and that
> function declarations have argument names too like:
>
> __alloc_size(2) __must_check
> void *krealloc(const void *ptr, size_t size, gfp_t gfp);
I'm happy with whatever makes the most sense.
> but there are a _lot_ of placement of __must_check after the return type
>
> Lastly __alloc_size should probably be added to checkpatch
Oh, yes! Thanks for the reminder.
> Maybe:
> ---
> scripts/checkpatch.pl | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
> index 161ce7fe5d1e5..1a166b5cf3447 100755
> --- a/scripts/checkpatch.pl
> +++ b/scripts/checkpatch.pl
> @@ -489,7 +489,8 @@ our $Attribute = qr{
> ____cacheline_aligned|
> ____cacheline_aligned_in_smp|
> ____cacheline_internodealigned_in_smp|
> - __weak
> + __weak|
> + __alloc_size\s*\(\s*\d+\s*(?:,\s*d+\s*){0,5}\)
Why the "{0,5}" bit here? I was expecting just "?". (i.e. it can have
either 1 or 2 arguments.)
> }x;
> our $Modifier;
> our $Inline = qr{inline|__always_inline|noinline|__inline|__inline__};
>
>
--
Kees Cook
next prev parent reply other threads:[~2021-08-18 6:20 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-18 5:08 [PATCH 0/5] Add __alloc_size() for better bounds checking Kees Cook
2021-08-18 5:08 ` [PATCH 1/5] Compiler Attributes: " Kees Cook
2021-08-18 13:07 ` Miguel Ojeda
2021-08-18 17:58 ` Kees Cook
2021-08-18 18:04 ` Nathan Chancellor
2021-08-18 21:04 ` Kees Cook
2021-08-18 5:08 ` [PATCH 2/5] slab: Add __alloc_size attributes " Kees Cook
2021-08-18 5:31 ` Joe Perches
2021-08-18 6:16 ` Kees Cook [this message]
2021-08-18 6:30 ` Joe Perches
2021-08-19 0:27 ` Matthew Wilcox
2021-08-19 1:10 ` Joe Perches
2021-08-19 2:16 ` Matthew Wilcox
2021-08-19 2:59 ` Joe Perches
2021-08-18 5:08 ` [PATCH 3/5] mm/page_alloc: " Kees Cook
2021-08-18 5:08 ` [PATCH 4/5] percpu: " Kees Cook
2021-08-18 5:08 ` [PATCH 5/5] mm/vmalloc: " Kees Cook
2021-08-19 9:09 ` [PATCH 0/5] Add __alloc_size() " Christoph Hellwig
2021-08-19 14:18 ` Daniel Micay
2021-08-25 10:01 ` Christoph Lameter
2021-08-25 16:34 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202108172312.7032A3E@keescook \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=cl@linux.com \
--cc=clang-built-linux@googlegroups.com \
--cc=danielmicay@gmail.com \
--cc=dennis@kernel.org \
--cc=iamjoonsoo.kim@lge.com \
--cc=joe@perches.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=masahiroy@kernel.org \
--cc=michal.lkml@markovi.net \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=ojeda@kernel.org \
--cc=penberg@kernel.org \
--cc=rientjes@google.com \
--cc=tj@kernel.org \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.