From: Kees Cook <keescook@chromium.org>
To: Joe Perches <joe@perches.com>
Cc: linux-kernel@vger.kernel.org,
Daniel Micay <danielmicay@gmail.com>,
Christoph Lameter <cl@linux.com>,
Pekka Enberg <penberg@kernel.org>,
David Rientjes <rientjes@google.com>,
Joonsoo Kim <iamjoonsoo.kim@lge.com>,
Andrew Morton <akpm@linux-foundation.org>,
Vlastimil Babka <vbabka@suse.cz>,
linux-mm@kvack.org, Miguel Ojeda <ojeda@kernel.org>,
Nathan Chancellor <nathan@kernel.org>,
Nick Desaulniers <ndesaulniers@google.com>,
Dennis Zhou <dennis@kernel.org>, Tejun Heo <tj@kernel.org>,
Masahiro Yamada <masahiroy@kernel.org>,
Michal Marek <michal.lkml@markovi.net>,
clang-built-linux@googlegroups.com, linux-kbuild@vger.kernel.org,
linux-hardening@vger.kernel.org
Subject: Re: [PATCH 2/5] slab: Add __alloc_size attributes for better bounds checking
Date: Tue, 17 Aug 2021 23:16:47 -0700 [thread overview]
Message-ID: <202108172312.7032A3E@keescook> (raw)
In-Reply-To: <f3e56f56c36b32dc76e174886008a2a1ecf3fefa.camel@perches.com>
On Tue, Aug 17, 2021 at 10:31:32PM -0700, Joe Perches wrote:
> On Tue, 2021-08-17 at 22:08 -0700, Kees Cook wrote:
> > As already done in GrapheneOS, add the __alloc_size attribute for
> > regular kmalloc interfaces, to provide additional hinting for better
> > bounds checking, assisting CONFIG_FORTIFY_SOURCE and other compiler
> > optimizations.
> []
> > diff --git a/include/linux/slab.h b/include/linux/slab.h
> []
> > @@ -181,7 +181,7 @@ int kmem_cache_shrink(struct kmem_cache *);
> > /*
> > * Common kmalloc functions provided by all allocators
> > */
> > -void * __must_check krealloc(const void *, size_t, gfp_t);
> > +void * __must_check krealloc(const void *, size_t, gfp_t) __alloc_size(2);
>
> I suggest the __alloc_size attribute be placed at the beginning of the
> function declaration to be more similar to the common __printf attribute
> location uses.
Yeah, any consistent ordering suggestions are welcome here; thank you!
These declarations were all over the place, and trying to follow each
slightly different existing style made my eyes hurt. :)
> __alloc_size(2)
> void * __must_check krealloc(const void *, size_t, gfp_t);
>
> I really prefer the __must_check to be with the other attribute and that
> function declarations have argument names too like:
>
> __alloc_size(2) __must_check
> void *krealloc(const void *ptr, size_t size, gfp_t gfp);
I'm happy with whatever makes the most sense.
> but there are a _lot_ of placement of __must_check after the return type
>
> Lastly __alloc_size should probably be added to checkpatch
Oh, yes! Thanks for the reminder.
> Maybe:
> ---
> scripts/checkpatch.pl | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/scripts/checkpatch.pl b/scripts/checkpatch.pl
> index 161ce7fe5d1e5..1a166b5cf3447 100755
> --- a/scripts/checkpatch.pl
> +++ b/scripts/checkpatch.pl
> @@ -489,7 +489,8 @@ our $Attribute = qr{
> ____cacheline_aligned|
> ____cacheline_aligned_in_smp|
> ____cacheline_internodealigned_in_smp|
> - __weak
> + __weak|
> + __alloc_size\s*\(\s*\d+\s*(?:,\s*d+\s*){0,5}\)
Why the "{0,5}" bit here? I was expecting just "?". (i.e. it can have
either 1 or 2 arguments.)
> }x;
> our $Modifier;
> our $Inline = qr{inline|__always_inline|noinline|__inline|__inline__};
>
>
--
Kees Cook
next prev parent reply other threads:[~2021-08-18 6:20 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-18 5:08 [PATCH 0/5] Add __alloc_size() for better bounds checking Kees Cook
2021-08-18 5:08 ` [PATCH 1/5] Compiler Attributes: " Kees Cook
2021-08-18 13:07 ` Miguel Ojeda
2021-08-18 17:58 ` Kees Cook
2021-08-18 18:04 ` Nathan Chancellor
2021-08-18 21:04 ` Kees Cook
2021-08-18 5:08 ` [PATCH 2/5] slab: Add __alloc_size attributes " Kees Cook
2021-08-18 5:31 ` Joe Perches
2021-08-18 6:16 ` Kees Cook [this message]
2021-08-18 6:30 ` Joe Perches
2021-08-19 0:27 ` Matthew Wilcox
2021-08-19 1:10 ` Joe Perches
2021-08-19 2:16 ` Matthew Wilcox
2021-08-19 2:59 ` Joe Perches
2021-08-18 5:08 ` [PATCH 3/5] mm/page_alloc: " Kees Cook
2021-08-18 5:08 ` [PATCH 4/5] percpu: " Kees Cook
2021-08-18 5:08 ` [PATCH 5/5] mm/vmalloc: " Kees Cook
2021-08-19 9:09 ` [PATCH 0/5] Add __alloc_size() " Christoph Hellwig
2021-08-19 14:18 ` Daniel Micay
2021-08-25 10:01 ` Christoph Lameter
2021-08-25 16:34 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202108172312.7032A3E@keescook \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=cl@linux.com \
--cc=clang-built-linux@googlegroups.com \
--cc=danielmicay@gmail.com \
--cc=dennis@kernel.org \
--cc=iamjoonsoo.kim@lge.com \
--cc=joe@perches.com \
--cc=linux-hardening@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=masahiroy@kernel.org \
--cc=michal.lkml@markovi.net \
--cc=nathan@kernel.org \
--cc=ndesaulniers@google.com \
--cc=ojeda@kernel.org \
--cc=penberg@kernel.org \
--cc=rientjes@google.com \
--cc=tj@kernel.org \
--cc=vbabka@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).