From: Joe Perches
To: Kees Cook, linux-kernel@vger.kernel.org
Cc: Andrew Morton, apw@canonical.com, Christoph Lameter, Daniel Micay, Dennis Zhou, dwaipayanray1@gmail.com, Joonsoo Kim, Linux-MM, Lukas Bulwahn, mm-commits@vger.kernel.org, Nathan Chancellor, Nick Desaulniers, Miguel Ojeda, Pekka Enberg, David Rientjes, Tejun Heo, Vlastimil Babka
Subject: Re: [patch 9/9] mm/vmalloc: add __alloc_size attributes for better bounds checking
Date: Tue, 21 Sep 2021 16:45:44 -0700
In-Reply-To: <202109211630.2D00627@keescook>

On Tue, 2021-09-21 at 16:37 -0700, Kees Cook wrote:
> On Fri, Sep 10, 2021 at 10:23:48AM -0700, Linus Torvalds wrote:
> > On Thu, Sep 9, 2021 at 8:10 PM Andrew Morton wrote:
> > >
> > > +__alloc_size(1)
> > >  extern void *vmalloc(unsigned long size);
> > [...]
> >
> > All of these are added in the wrong place - inconsistent with the very
> > compiler documentation the patches add.
> >
> > The function attributes are generally added _after_ the function,
> > although admittedly we've been quite confused here before.
> >
> > But the very compiler documentation you point to in the patch that
> > adds these macros gives that as the examples both for gcc and clang:
> >
> > + * gcc: https://gcc.gnu.org/onlinedocs/gcc/Common-Function-Attributes.html#index-alloc_005fsize-function-attribute
> > + * clang: https://clang.llvm.org/docs/AttributeReference.html#alloc-size
> >
> > and honestly I think that is the preferred format because this is
> > about the *function*, not about the return type.
> >
> > Do both placements work? Yes.
>
> I'm cleaning this up now, and have discovered that the reason for the
> before-function placement is consistency with static inlines. If I do this:
>
> static __always_inline void * kmalloc(size_t size, gfp_t flags) __alloc_size(1)
> {
> ...
> }
>
> GCC is very angry:
>
> ./include/linux/slab.h:519:1: error: attributes should be specified before the declarator in a function definition
>   519 | static __always_inline void *kmalloc_large(size_t size, gfp_t flags) __alloc_size(1)
>       | ^~~~~~
>
> It's happy if I treat it as a "return type attribute" in the ordering,
> though:
>
> static __always_inline void * __alloc_size(1) kmalloc(size_t size, gfp_t flags)
>
> I'll do that unless you have a preference for somewhere else...

_please_ put it before the return type on a separate line.

[__attributes]
[static inline const] function()
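
Review bot: the `+__alloc_size(1)` line quoted above sits on its own line ahead of `extern void *vmalloc(unsigned long size);`, which differs from the after-declarator form shown in the gcc and clang pages the series links to, and nothing in the hunk says which placement is intended. Since the quoted GCC error shows the trailing form is rejected on function definitions, a short comment beside the `__alloc_size` macro stating the chosen placement would keep declarations and static inlines consistent.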