From: Kees Cook <keescook@chromium.org>
To: Nick Desaulniers <ndesaulniers@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Andrew Morton <akpm@linux-foundation.org>,
apw@canonical.com, Christoph Lameter <cl@linux.com>,
Daniel Micay <danielmicay@gmail.com>,
Dennis Zhou <dennis@kernel.org>,
dwaipayanray1@gmail.com, Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Joe Perches <joe@perches.com>, Linux-MM <linux-mm@kvack.org>,
Lukas Bulwahn <lukas.bulwahn@gmail.com>,
mm-commits@vger.kernel.org, Nathan Chancellor <nathan@kernel.org>,
Miguel Ojeda <ojeda@kernel.org>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>, Tejun Heo <tj@kernel.org>,
Vlastimil Babka <vbabka@suse.cz>
Subject: Re: [patch 9/9] mm/vmalloc: add __alloc_size attributes for better bounds checking
Date: Fri, 10 Sep 2021 14:07:14 -0700 [thread overview]
Message-ID: <202109101359.1C0B9B0A@keescook> (raw)
In-Reply-To: <CAKwvOdmZEZqgZa+SUFXU6jtavpcmhBcshA-h1nZJyHYONM+ogw@mail.gmail.com>
On Fri, Sep 10, 2021 at 01:58:17PM -0700, Nick Desaulniers wrote:
> On Fri, Sep 10, 2021 at 1:47 PM Kees Cook <keescook@chromium.org> wrote:
> >
> > On Fri, Sep 10, 2021 at 01:16:00PM -0700, Linus Torvalds wrote:
> > > So to a close approximation
> > >
> > > - "storage class" goes first, so "static inline" etc.
> > >
> > > - return type next (including attributes directly related to the
> > > returned value - like "__must_check")
> > >
> > > - then function name and argument declaration
> > >
> > > - and finally the "function argument type attributes" at the end.
> >
> > I'm going to eventually forget this thread, so I want to get it into
> > our coding style so I can find it again more easily. :) How does this
> > look?
> >
> > diff --git a/Documentation/process/coding-style.rst b/Documentation/process/coding-style.rst
> > index 42969ab37b34..3c72f0232f02 100644
> > --- a/Documentation/process/coding-style.rst
> > +++ b/Documentation/process/coding-style.rst
> > @@ -487,6 +487,29 @@ because it is a simple way to add valuable information for the reader.
> > Do not use the ``extern`` keyword with function prototypes as this makes
> > lines longer and isn't strictly necessary.
> >
> > +.. code-block:: c
> > +
> > + static __always_inline __must_check void *action(enum magic value,
> > + size_t size, u8 count,
> > + char *buffer)
> > + __alloc_size(2, 3)
> > + {
> > + ...
> > + }
> > +
> > +When writing a function prototype, keep the order of elements regular. The
> > +desired order is "storage class", "return type attributes", "return
> > +type", name, arguments (as described earlier), followed by "function
> > +argument attributes". In the ``action`` function example above, ``static
> > +__always_inline`` is the "storage class" (even though ``__always_inline``
> > +is an attribute, it is treated like ``inline``). ``__must_check`` is
>
> eh...mentioning inline as though it was a storage class doesn't seem
> precise, but I think this is a good start. Thanks Kees.
Well, hm, it's kinda like that? "where does it go?" "*everywhere*" :P
In looking at this a little longer, I do wonder about section attributes,
though. __cold is a hint, but ends up being a section attribute. And
section attributes appear to be used in the storage class (i.e.
"noinstr"). We treat "how the function should behave" attributes as
storage classes too, though (e.g. "notrace"). Is that right?
>
> Acked-by: Nick Desaulniers <ndesaulniers@google.com>
>
> Worst case, consider "inlining related attributes like __always_inline
> and noinline should follow the storage class (static, extern).
>
> > +a "return type attribute" (describing ``void *``). ``void *`` is the
> > +"return type". ``action`` is the function name, followed by the function
> > +arguments. Finally ``__alloc_size(2,3)`` is an "function argument attribute",
> > +describing things about the function arguments. Some attributes, like
> > +``__malloc``, describe the behavior of the function more than they
> > +describe the function return type, and are more appropriately included
> > +in the "function argument attributes".
> >
> > 7) Centralized exiting of functions
> > -----------------------------------
> >
> > --
> > Kees Cook
>
>
>
> --
> Thanks,
> ~Nick Desaulniers
--
Kees Cook
next prev parent reply other threads:[~2021-09-10 21:07 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-10 3:09 incoming Andrew Morton
2021-09-10 3:10 ` [patch 1/9] mm: move kvmalloc-related functions to slab.h Andrew Morton
2021-09-10 3:10 ` [patch 2/9] rapidio: avoid bogus __alloc_size warning Andrew Morton
2021-09-10 3:10 ` [patch 3/9] Compiler Attributes: add __alloc_size() for better bounds checking Andrew Morton
2021-09-10 3:10 ` [patch 4/9] checkpatch: add __alloc_size() to known $Attribute Andrew Morton
2021-09-10 3:10 ` [patch 5/9] slab: clean up function declarations Andrew Morton
2021-09-10 3:10 ` [patch 6/9] slab: add __alloc_size attributes for better bounds checking Andrew Morton
2021-09-10 3:10 ` [patch 7/9] mm/page_alloc: " Andrew Morton
2021-09-10 3:10 ` [patch 8/9] percpu: " Andrew Morton
2021-09-10 3:10 ` [patch 9/9] mm/vmalloc: " Andrew Morton
2021-09-10 17:23 ` Linus Torvalds
2021-09-10 18:43 ` Kees Cook
2021-09-10 19:17 ` Linus Torvalds
2021-09-10 19:32 ` Kees Cook
2021-09-10 19:49 ` Nick Desaulniers
2021-09-10 20:16 ` Linus Torvalds
2021-09-10 20:47 ` Kees Cook
2021-09-10 20:58 ` Nick Desaulniers
2021-09-10 21:07 ` Kees Cook [this message]
2021-09-11 5:29 ` Joe Perches
2021-09-21 23:37 ` Kees Cook
2021-09-21 23:45 ` Joe Perches
2021-09-22 2:25 ` function prototype element ordering Kees Cook
2021-09-22 4:24 ` Joe Perches
2021-09-24 19:43 ` Kees Cook
2021-09-22 7:24 ` Alexey Dobriyan
2021-09-22 8:51 ` Joe Perches
2021-09-22 10:45 ` Alexey Dobriyan
2021-09-22 11:19 ` Jani Nikula
2021-09-22 21:15 ` Linus Torvalds
2021-09-23 5:10 ` Joe Perches
2021-09-25 19:40 ` David Laight
2021-09-26 21:03 ` Linus Torvalds
2021-09-27 8:21 ` David Laight
2021-09-27 9:22 ` Willy Tarreau
2021-09-10 17:11 ` incoming Kees Cook
2021-09-10 20:13 ` incoming Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202109101359.1C0B9B0A@keescook \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=apw@canonical.com \
--cc=cl@linux.com \
--cc=danielmicay@gmail.com \
--cc=dennis@kernel.org \
--cc=dwaipayanray1@gmail.com \
--cc=iamjoonsoo.kim@lge.com \
--cc=joe@perches.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=lukas.bulwahn@gmail.com \
--cc=mm-commits@vger.kernel.org \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=ojeda@kernel.org \
--cc=penberg@kernel.org \
--cc=rientjes@google.com \
--cc=tj@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).